Restricting (some of) Thruk's Features

Rossi46Ido

Feb 3, 2014, 10:31:07 AM
to th...@googlegroups.com
Hi guys,

First of all, let me say that I LOVE Thruk! It's been very handy in the last year for us.

There's something I was able to achieve in Nagios, but couldn't achieve in Thruk:
Redirecting the "Disable notifications for this host" action to a simple web page that alerts the user he's done wrong.

I'll explain:

Since Nagios/Thruk can't restrict only certain UI actions from specific users, I have to perform a workaround for that issue.
My goal is to take the ability of disabling notifications and active checks from the users, while still letting them acknowledge alerts and perform other actions.

I did that on the Nagios UI by editing the 'nagios.conf' file in Apache's configuration to redirect every request that contains the string 'cmd_typ=29' to a .txt page that told the user to acknowledge and not use that function of disabling notifications.

I did that in the following way in the 'nagios.conf' file under the /etc/httpd/conf.d/ directory:


RewriteEngine On
#stop jerks using disable active service checks
RewriteCond %{QUERY_STRING} (.*)cmd_typ=29&(.*)
RewriteRule ^(.*)$ /baduser.txt [L]

Now, I'd like to do the same for Thruk, but for some reason it doesn't work!
Can you please help me out here?

Here's my current 'thruk.conf' file on the Thruk server under /etc/httpd/conf.d/

LoadModule ssl_module modules/mod_ssl.so


<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /etc/httpd/conf.d/server.crt
SSLCertificateKeyFile /etc/httpd/conf.d/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
#Redirect permanent / https://colo-thruk-lp1/thruk
</VirtualHost>


Listen 443

RewriteEngine on
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

<IfModule mod_fcgid.c>
  AddHandler fcgid-script .sh
  IPCCommTimeout 120

  <Directory /usr/share/thruk>
    Options FollowSymLinks
    AllowOverride All
    order allow,deny
    allow from all
  </Directory>
  <Directory /etc/thruk/themes>
    Options FollowSymLinks
    allow from all
  </Directory>
  <Directory /etc/thruk/plugins>
    Options FollowSymLinks
    allow from all
  </Directory>

  # redirect to a startup page when there is no pidfile yet
  RewriteEngine On
  RewriteCond %{REQUEST_METHOD} GET
  RewriteCond %{REQUEST_URI} !^/thruk/startup.html
  RewriteCond %{REQUEST_URI} !^/thruk/side.html
  RewriteCond %{REQUEST_URI} !^/thruk/.*\.(css|png|js)
  RewriteCond %{REQUEST_URI} ^/thruk
  RewriteCond /var/cache/thruk/thruk.pid !-f
  RewriteRule ^(.*)$ /thruk/startup.html?$1 [R=302,L,NE,QSA]

  Alias /thruk/documentation.html /usr/share/thruk/root/thruk/documentation.html
  Alias /thruk/startup.html /usr/share/thruk/root/thruk/startup.html
  AliasMatch ^/thruk/(.*\.cgi|.*\.html)  /usr/share/thruk/fcgid_env.sh/thruk/$1
  AliasMatch ^/thruk/plugins/(.*?)/(.*)$  /etc/thruk/plugins/plugins-enabled/$1/root/$2
  Alias /thruk/themes/  /etc/thruk/themes/themes-enabled/
  Alias /thruk /usr/share/thruk/root/thruk

  <Location /thruk>
    Options ExecCGI FollowSymLinks
#    AuthName "Enter Domain Credentials"
#    AllowOverride None
#    AuthType basic
#    AuthBasicProvider ldap
#    AuthLDAPURL ldap://colo-ad-wp2/ou=Imperva,dc=imperva,dc=local?sAMAccountName
#    AuthLDAPBindDN cn=bindadmin,ou=SpecialUsers,ou=Imperva,dc=imperva,dc=local
#    AuthLDAPBindPassword 5etFM6eneu3USMJfrVsS
#    AuthLDAPRemoteUserIsDN Off
#    AuthzLDAPAuthoritative Off
#    AuthLDAPGroupAttributeIsDN On
#    Require ldap-group CN="IT Infra",OU=Groups,OU=Imperva,DC=imperva,DC=local

#  RewriteCond %{QUERY_STRING} (.*)cmd_typ=29&(.*)
#  RewriteRule ^(.*)$ /baduser.txt [L]

#    AuthUserFile /etc/thruk/htpasswd
  </Location>
  <Location /thruk/cgi-bin/remote.cgi>
    Options ExecCGI FollowSymLinks
#    AuthName "Enter Domain Credentials"
#    AllowOverride None
#    AuthType basic
#    AuthBasicProvider ldap
#    AuthLDAPURL ldap://colo-ad-wp2/ou=Imperva,dc=imperva,dc=local?sAMAccountName
#    AuthLDAPBindDN cn=bindadmin,ou=SpecialUsers,ou=Imperva,dc=imperva,dc=local
#    AuthLDAPBindPassword 5etFM6eneu3USMJfrVsS
#    AuthLDAPRemoteUserIsDN Off
#    AuthzLDAPAuthoritative Off
#    AuthLDAPGroupAttributeIsDN On
#    Require ldap-group CN="IT Infra",OU=Groups,OU=Imperva,DC=imperva,DC=local

</Location>
</IfModule>
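
Added example, not part of the original post: a Python check of which query strings the RewriteCond pattern posted above covers, compared with matching on the parsed cmd_typ parameter. The function names and the sample query strings are constructed for illustration, and RewriteCond %{QUERY_STRING} is modelled as an unanchored regex search over the raw query string.

```python
import re
from urllib.parse import parse_qs

# Pattern copied from the RewriteCond in the post: unanchored, and it
# requires a '&' directly after the value.
POSTED_RULE = re.compile(r"(.*)cmd_typ=29&(.*)")


def posted_rule_matches(query_string: str) -> bool:
    """Model RewriteCond %{QUERY_STRING} as a regex search on the raw string."""
    return POSTED_RULE.search(query_string) is not None


def param_is_blocked(query_string: str, blocked=frozenset({"29"})) -> bool:
    """Parse the query string and compare the cmd_typ value exactly."""
    params = parse_qs(query_string, keep_blank_values=True)
    return any(value.strip() in blocked for value in params.get("cmd_typ", []))


# Constructed query strings (not captured from real Nagios or Thruk traffic).
SAMPLES = [
    "cmd_typ=29&host=web01",   # the shape the rule was written for
    "host=web01&cmd_typ=29",   # parameter comes last, so no trailing '&'
    "cmd_typ=290&host=web01",  # a different command number
    "xcmd_typ=29&host=web01",  # a different parameter that ends in cmd_typ
]


def coverage_report(samples=SAMPLES):
    """Return (query, regex_result, parsed_result) for each sample."""
    return [(q, posted_rule_matches(q), param_is_blocked(q)) for q in samples]


if __name__ == "__main__":
    for query, by_regex, by_param in coverage_report():
        print(f"{query:26} regex={by_regex!s:5} parsed={by_param}")
```

The rule also only ever sees the URL: fields submitted in a POST body never appear in %{QUERY_STRING}, so a rewrite condition on it cannot act on them.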

Sven Nierlein

Feb 3, 2014, 10:34:44 AM
to th...@googlegroups.com
On 03.02.2014 16:31, Rossi46Ido wrote:
>
> Since Nagios/Thruk can't restrict only certain UI actions from specific users, I have to perform a workaround for that issue.


Who said this? It's pretty simple with Thruk:
http://thruk.org/documentation.html#_user_amp_group_specific_overrides

So no, you can disallow specific commands in Thruk and you can restrict that
to specific groups and users.

Sven

Rossi46Ido

Feb 4, 2014, 2:47:21 AM
to th...@googlegroups.com
Oh, that's fantastic!!

Thanks for the enlightenment!

Ido