Hello,

I would like to get better insight into the access configuration for the CGIs.

Scenario:

* icinga is authenticating users from LDAP (in fact it is FreeIPA, but it doesn't matter at all)
* users have their login names in the format firstname.surname (i.e. zdenek.pizl)
* each user is part of a team (group) which maintains one or more hostgroups (i.e. webservers, ftpservers, storages, ...)
* relevant configuration from cgi.cfg:

  authorized_for_system_information=*
  authorized_for_configuration_information=*
  authorized_for_full_command_resolution=*
  authorized_for_system_commands=*
  authorized_for_all_services=*
  authorized_for_all_hosts=*
  authorized_for_all_service_commands=*
  authorized_for_all_host_commands=*
  show_all_services_host_is_authorized_for=1
  show_partial_hostgroups=0

Do I understand correctly that:

1) according to the config above, all authorized users can do any operation on any host/service?

2) how to narrow the set of hosts/services to achieve one? Because I can hardly say how to do it. How to mix contacts, contact_groups and cgi.cfg to allow one team to fully manage one or several hostgroups and, in parallel, to have read-only access to other hostgroups?

3) do contacts have to have their contact_name identical to the login name of the authorized user to match the hostgroups and to allow access?

4) does anybody use it in conjunction with LDAP?

Sorry for such a long email, thanks for any helpful explanation,

best regards
.zp.

--
Zdenek Pizl
zdenek.p...@gmail.com
_______________________________________________
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users