Multi-tenant security model for Zico


Mister Bruum

May 15, 2015, 11:14:01 AM
to zorka...@googlegroups.com
We host over 30 applications with unique owners that we'd like to instrument with Zorka. A key consideration is security to keep application A developers from gaining access to application B metrics in Zico. Would we be required to map each application to over 30 unique instances of Zico or is there a more efficient security model? We would like to have developers authenticate via LDAP or Active Directory roles.

Thank you!

Rafal Lewczuk

May 21, 2015, 12:29:43 AM
to zorka...@googlegroups.com
Hello,

Zico collector already has multi-tenant security. In any configuration different than 'anonymous' you can create user accounts.

There are two kinds of user accounts: admin (sees everything), viewer (sees only selected hosts).

Also, with latest version (released yesterday) it is possible to configure LDAP authentication.

Regards,
rle

Mister Bruum

Jun 1, 2015, 11:55:57 AM
to zorka...@googlegroups.com
I'm not sure I understand this implementation. According to the instructions, when using LDAP, local users would still need to be defined. Is there some sort of mapping that would take place in LDAP to the local users?

Thank you!

Rafal Lewczuk

Jun 25, 2015, 6:04:11 PM
to zorka...@googlegroups.com
Hello,

(sorry for answering so late)

The collector will check the password using LDAP, but it will use the local database for obtaining user attributes and privileges. The administrator needs to add users to the internal collector database. Only those users will be authorized to log into the collector.

Regards,
rle

Mister Bruum

Jun 26, 2015, 4:33:14 PM
to zorka...@googlegroups.com
Thank you for your response.

I think we're getting close to what would be ideal for us. If you're interested in an enhancement request, it would be terrific if we could have the option to make it role or group based, so that userA, userB, and userD that are members of the app1_monitor group in LDAP could authenticate in the VIEWER or ADMIN roles as assigned.

Our groups are fairly static while users come and go.

Also, is it possible to do user/group management via an API?

Thanks again!

Rafal Lewczuk

Jul 20, 2015, 4:02:38 PM
to zorka...@googlegroups.com

Sorry for not answering in a timely fashion; unfortunately I was overwhelmed by work for the last 4 weeks.

While it is fairly easy to distinguish between VIEWER and ADMIN, you still need to set rights to view specific zabbix hosts (JVMs) for each viewer. This means that you cannot escape configuring users inside ZICO (aside from configuring the user account in LDAP itself), so clicking the 'ADMIN' checkbox for admins adds virtually zero overhead. Unless you can come up with some custom attribute for storing JVM names in LDAP (which will actually require more work, as in ZICO you just click check boxes), having VIEWER/ADMIN groups in LDAP will bring you no advantages.

If you're still interested in having that information stored in LDAP, let me know; I'll try to think it through somewhat and implement the necessary changes.

Regards,
rle
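The authorization split described in the two replies above (LDAP verifies the password, the collector's local database supplies the role and the hosts a viewer may see, and a user missing from the local database is refused even with a valid LDAP password), modelled as an added Python example. This is not Zico's code; the directory, the user records and the host names are all constructed stand-ins.

```python
# Added illustration (not Zico's code): LDAP answers "is this password right?",
# the local collector database answers "what may this user see?". All data below
# is constructed for the example.
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for the LDAP directory (username -> password). A real
# deployment would perform an LDAP bind instead of a dictionary lookup.
LDAP_PASSWORDS = {"alice": "s3cret", "bob": "hunter2", "carol": "pa55"}


@dataclass
class LocalUser:
    role: str                                  # "ADMIN" or "VIEWER"
    hosts: set = field(default_factory=set)    # consulted only for VIEWER


# Constructed local collector database: alice is admin, bob is a viewer limited
# to the app1 JVMs, carol exists in LDAP but was never added here.
LOCAL_USERS = {
    "alice": LocalUser("ADMIN"),
    "bob": LocalUser("VIEWER", {"app1-jvm-01", "app1-jvm-02"}),
}

# Constructed set of hosts (JVMs) known to the collector.
ALL_HOSTS = {"app1-jvm-01", "app1-jvm-02", "app2-jvm-01"}


def ldap_check_password(user, password):
    """Stand-in for the LDAP bind: True only on an exact, constant-time match."""
    stored = LDAP_PASSWORDS.get(user)
    return stored is not None and hmac.compare_digest(stored, password)


def login(user, password):
    """Return the local record for an authorized login, or None when refused."""
    if not ldap_check_password(user, password):
        return None                  # wrong password or unknown to LDAP
    return LOCAL_USERS.get(user)     # None: authenticated but not provisioned


def visible_hosts(user, password):
    """Hosts the caller may see; an empty set means the login was refused."""
    record = login(user, password)
    if record is None:
        return set()
    if record.role == "ADMIN":
        return set(ALL_HOSTS)        # admin sees everything
    return record.hosts & ALL_HOSTS  # viewer: only explicitly granted hosts
```

Note that carol's correct LDAP password still yields no access, which is the provisioning step the thread says cannot be skipped.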
