[omd-users] Can't determine the Authorization Error in Icinga

john s. fireskyer at emailn.de
Tue Oct 9 14:11:13 CEST 2012


Here are some config files from my system:

cgi.cfg:
# ---------------------------------------------------------
# Settings for OMD. Do not change!
main_config_file=/omd/sites/omd056/tmp/icinga/icinga.cfg
physical_html_path=/omd/sites/omd056/share/icinga/htdocs
url_html_path=/omd056/icinga
url_stylesheets_path=/omd056/icinga/stylesheets
cgi_base_url=/omd056/icinga/cgi-bin
# ---------------------------------------------------------

# ATTRIBUTE BASED AUTHORIZATION FILE
# This option will include a file defining authorization based on
# attributes.

#authorization_config_file=/omd/sites/omd056/etc/icinga/cgiauth.cfg


# HTTP CHARSET
# This defines charset that is sent with HTTP headers.

http_charset=utf-8



# CONTEXT-SENSITIVE HELP
# This option determines whether or not a context-sensitive
# help icon will be displayed for most of the CGIs.
# Values: 0 = disables context-sensitive help
#         1 = enables context-sensitive help

show_context_help=0



# HIGHLIGHT TABLE ROWS
# This option allows you to define if table rows in status.cgi
# will be highlighted or not.
# Values: 0 = disables row highlighting
#	  1 = enables row highlighting

highlight_table_rows=1



# PENDING STATES OPTION
# This option determines what states should be displayed in the web
# interface for hosts/services that have not yet been checked.
# Values: 0 = leave hosts/services that have not been checked yet in their original state
#         1 = mark hosts/services that have not been checked yet as PENDING

use_pending_states=1


# Logging

# USE LOGGING
# If you want to log information from cgi's (e.g. all submitted commands)
# then set this option to 1, default is 0 (off).
# WARNING:
# This log is highly experimental and changes may occur without notice.
# Use at your own risk!!

use_logging=0


# CGI LOG FILE
# This is the cgi log file for information about what users are doing.
# At the moment only submitted commands from cmd.cgi will be logged.

cgi_log_file=/omd/sites/omd056/var/icinga/icinga-cgi.log


# CGI LOG ROTATION METHOD
# This is the log rotation method that should be used to rotate
# the cgi log file. Values are as follows..
#	n	= None - don't rotate the log
#	h	= Hourly rotation (top of the hour)
#	d	= Daily rotation (midnight every day)
#	w	= Weekly rotation (midnight on Saturday evening)
#	m	= Monthly rotation (midnight last day of month)

cgi_log_rotation_method=d


# CGI LOG ARCHIVE PATH
# This is the directory where archived (rotated) cgi log files should be
# placed (assuming you've chosen to do log rotation).

cgi_log_archive_path=/omd/sites/omd056/var/icinga/archive


# FORCE COMMENT
# This option forces the users to comment every action they perform.
# The comments get logged into cgi log file. This option only has effect
# if logging is switched on. See option "use_logging"
# Default  is 0 (off), to activate it set it to 1 (on).

enforce_comments_on_actions=0


# FIRST DAY OF WEEK
# Here you can set if your week starts on sunday or monday.
# Default is 0 (Sunday), set it to 1 if your week start monday.

first_day_of_week=0


# AUTHENTICATION USAGE
# This option controls whether or not the CGIs will use any
# authentication when displaying host and service information, as
# well as committing commands to Icinga for processing.
#
# Read the HTML documentation to learn how the authorization works!
#
# NOTE: It is a really *bad* idea to disable authorization, unless
# you plan on removing the command CGI (cmd.cgi)!  Failure to do
# so will leave you wide open to kiddies messing with Icinga and
# possibly hitting you with a denial of service attack by filling up
# your drive by continuously writing to your command file!
#
# Setting this value to 0 will cause the CGIs to *not* use
# authentication (bad idea), while any other value will make them
# use the authentication functions (the default).

use_authentication=0




# x509 CERT AUTHENTICATION
# When enabled, this option allows you to use x509 cert (SSL)
# authentication in the CGIs.  This is an advanced option and should
# not be enabled unless you know what you're doing.

use_ssl_authentication=0




# DEFAULT USER
# Setting this variable will define a default user name that can
# access pages without authentication.  This allows people within a
# secure domain (i.e., behind a firewall) to see the current status
# without authenticating.  You may want to use this to avoid basic
# authentication if you are not using a secure server since basic
# authentication transmits passwords in the clear.
#
# Important:  Do not define a default username unless you are
# running a secure web server and are sure that everyone who has
# access to the CGIs has been authenticated in some manner!  If you
# define this variable, anyone who has not authenticated to the web
# server will inherit all rights you assign to this user!

#default_user_name=guest



# SYSTEM/PROCESS INFORMATION ACCESS
# This option is a comma-delimited list of all usernames that
# have access to viewing the Icinga process information as
# provided by the Extended Information CGI (extinfo.cgi).  By
# default, *no one* has access to this unless you choose to
# not use authorization.  You may use an asterisk (*) to
# authorize any user who has authenticated to the web server.
# Alternatively you can specify contactgroups too, starting
# with Icinga 1.5.0

authorized_for_system_information=omdadmin
#authorized_contactgroup_for_system_information=


# CONFIGURATION INFORMATION ACCESS
# This option is a comma-delimited list of all usernames that
# can view ALL configuration information (hosts, commands, etc).
# By default, users can only view configuration information
# for the hosts and services they are contacts for. You may use
# an asterisk (*) to authorize any user who has authenticated
# to the web server.
# Alternatively you can specify contactgroups too, starting
# with Icinga 1.5.0

authorized_for_configuration_information=omdadmin
#authorized_contactgroup_for_configuration_information=


# RAW COMMANDLINE CONFIGURATION INFORMATION ACCESS
# This option is a comma-delimited list of all usernames that
# can view a command in config command expander as icinga would
# execute it. To resolve all MACROS it is necessary to allow
# read access to the web server for resource.cfg .
# CAUTION: $USERXX$ vars and custom vars can contain sensitive
# data.
# Alternatively you can specify contactgroups too.

authorized_for_full_command_resolution=omdadmin
#authorized_contactgroup_for_full_command_resolution=


# SYSTEM/PROCESS COMMAND ACCESS
# This option is a comma-delimited list of all usernames that
# can issue shutdown and restart commands to Icinga via the
# command CGI (cmd.cgi).  Users in this list can also change
# the program mode to active or standby. By default, *no one*
# has access to this unless you choose to not use authorization.
# You may use an asterisk (*) to authorize any user who has
# authenticated to the web server.
# Alternatively you can specify contactgroups too, starting
# with Icinga 1.5.0

authorized_for_system_commands=omdadmin
#authorized_contactgroup_for_system_commands=


# GLOBAL HOST/SERVICE VIEW ACCESS
# These two options are comma-delimited lists of all usernames that
# can view information for all hosts and services that are being
# monitored.  By default, users can only view information
# for hosts or services that they are contacts for (unless you
# choose to not use authorization). You may use an asterisk (*)
# to authorize any user who has authenticated to the web server.
# Alternatively you can specify contactgroups too, starting
# with Icinga 1.5.0


authorized_for_all_services=*
authorized_for_all_hosts=*
#authorized_contactgroup_for_all_services=
#authorized_contactgroup_for_all_hosts=


# GLOBAL HOST/SERVICE COMMAND ACCESS
# These two options are comma-delimited lists of all usernames that
# can issue host or service related commands via the command
# CGI (cmd.cgi) for all hosts and services that are being monitored.
# By default, users can only issue commands for hosts or services
# that they are contacts for (unless you choose to not use
# authorization).  You may use an asterisk (*) to authorize any
# user who has authenticated to the web server.
# Alternatively you can specify contactgroups too, starting
# with Icinga 1.5.0

authorized_for_all_service_commands=omdadmin
authorized_for_all_host_commands=omdadmin
#authorized_contactgroup_for_all_service_commands=
#authorized_contactgroup_for_all_host_commands=


# READ-ONLY USERS
# A comma-delimited list of usernames that have read-only rights in
# the CGIs.  This will block any service or host commands normally shown
# on the extinfo CGI pages.  It will also block comments from being shown
# to read-only users.
# Alternatively you can specify contactgroups too, starting
# with Icinga 1.5.0

#authorized_for_read_only=user1,user2
#authorized_contactgroup_for_read_only=


# SHOW ALL SERVICES THE HOST IS AUTHORIZED FOR
# By default, a user can see all services on a host, if the user is
# authorized as contact for the host only. By disabling this option,
# the user must be an authorized contact for the service too in order
# to view it.
# Values: 0 - disabled, user must be authorized for services too
#         1 - enabled, user can view all services on authorized host

show_all_services_host_is_authorized_for=1


# SHOW PARTIAL HOSTGROUPS
# By default, a user only sees a hostgroup and the hosts within it if
# they are an authorized contact for all of the hosts of the group. By
# enabling this option hostgroups will show a partial listing of hosts
# the user is an authorized contact for in the hostgroups.
# Values: 0 - disabled, user only sees full hostgroups (default)
#         1 - enabled, user sees partial hostgroups

show_partial_hostgroups=1


# STATUSMAP BACKGROUND IMAGE
# This option allows you to specify an image to be used as a
# background in the statusmap CGI.  It is assumed that the image
# resides in the HTML images path (i.e. /usr/local/icinga/share/images).
# This path is automatically determined by appending "/images"
# to the path specified by the 'physical_html_path' directive.
# Note:  The image file may be in GIF, PNG, JPEG, or GD2 format.
# However, I recommend that you convert your image to GD2 format
# (uncompressed), as this will cause less CPU load when the CGI
# generates the image.

#statusmap_background_image=smbackground.gd2




# STATUSMAP TRANSPARENCY INDEX COLOR
# These options set the r,g,b values of the background color used by the
# statusmap CGI, so normal browsers that can't show real png transparency
# set the desired color as a background color instead (to make it look
# pretty).
# Defaults to white: (R,G,B) = (255,255,255).

#color_transparency_index_r=255
#color_transparency_index_g=255
#color_transparency_index_b=255




# DEFAULT STATUSMAP LAYOUT METHOD
# This option allows you to specify the default layout method
# the statusmap CGI should use for drawing hosts.  If you do
# not use this option, the default is to use user-defined
# coordinates.  Valid options are as follows:
#	0 = User-defined coordinates
#	1 = Depth layers
#       2 = Collapsed tree
#       3 = Balanced tree
#       4 = Circular
#       5 = Circular (Marked Up)

default_statusmap_layout=5



# DEFAULT STATUSWRL LAYOUT METHOD
# This option allows you to specify the default layout method
# the statuswrl (VRML) CGI should use for drawing hosts.  If you
# do not use this option, the default is to use user-defined
# coordinates.  Valid options are as follows:
#	0 = User-defined coordinates
#       2 = Collapsed tree
#       3 = Balanced tree
#       4 = Circular

default_statuswrl_layout=4



# STATUSWRL INCLUDE
# This option allows you to include your own objects in the
# generated VRML world.  It is assumed that the file
# resides in the HTML path (i.e. /usr/local/icinga/share).

#statuswrl_include=myworld.wrl



# PING SYNTAX
# This option determines what syntax should be used when
# attempting to ping a host from the WAP interface (using
# the statuswml CGI).  You must include the full path to
# the ping binary, along with all required options.  The
# $HOSTADDRESS$ macro is substituted with the address of
# the host before the command is executed.
# Please note that the syntax for the ping binary is
# notorious for being different on virtually every *NIX
# OS and distribution, so you may have to tweak this to
# work on your system.

ping_syntax=/bin/ping -n -U -c 5 $HOSTADDRESS$



# REFRESH RATE
# This option allows you to specify the refresh rate in seconds
# of various CGIs (extinfo, outages, status, statusmap and tac).

refresh_rate=90


# REFRESH TYPE
# This option determines what type of refresh should be used.
# You can choose between http header and javascript. By
# default javascript (1) is activated. If you have trouble
# using javascript then try refresh via http header (0).

refresh_type=1


# ESCAPE HTML TAGS
# This option determines whether HTML tags in host and service
# status output is escaped in the web interface.  If enabled,
# your plugin output will not be able to contain clickable links.

escape_html_tags=0



# PERSISTENT ACKNOWLEDGEMENT COMMENTS
# This options determines whether the initial state of the
# checkbox "Persistent Comment:" for service and host problem
# acknowledgements is checked or unchecked

persistent_ack_comments=0


# SOUND OPTIONS
# These options allow you to specify an optional audio file
# that should be played in your browser window when there are
# problems on the network.  The audio files are used only in
# the status CGI.  Only the sound for the most critical problem
# will be played.  Order of importance (higher to lower) is as
# follows: unreachable hosts, down hosts, critical services,
# warning services, and unknown services. If there are no
# visible problems, the sound file optionally specified by
# 'normal_sound' variable will be played.
#
#
# <varname>=<sound_file>
#
# Note: All audio files must be placed in the /media subdirectory
# under the HTML path (i.e. /usr/local/icinga/share/media/).

#host_unreachable_sound=hostdown.wav
#host_down_sound=hostdown.wav
#service_critical_sound=critical.wav
#service_warning_sound=warning.wav
#service_unknown_sound=warning.wav
#normal_sound=noproblem.wav



# URL TARGET FRAMES
# These options determine the target frames in which notes and
# action URLs will open. Default is main frame.

action_url_target=main
notes_url_target=main
#action_url_target=_blank
#notes_url_target=_blank




# LOCK AUTHOR NAMES OPTION
# This option determines whether users can change the author name
# when submitting comments, scheduling downtime.  If disabled, the
# author names will be locked into their contact name, as defined in Icinga.
# Values: 0 = allow editing author names
#         1 = lock author names (disallow editing)

lock_author_names=1



# DEFAULT DOWNTIME DURATION
# This option defines the default duration (in seconds) of fixed and
# flexible downtimes. Default is 7200 seconds (2 hours).

default_downtime_duration=7200



# DEFAULT EXPIRING ACKNOWLEDGEMENT DURATION
# This option defines the default duration (in seconds) of a expiring
# acknowledgement. Default is 86400 seconds (1 day).

default_expiring_acknowledgement_duration=86400



# SHOW LONG PLUGIN OUTPUT IN STATUS OPTION
# This option allows you to specify the length of status information
# in output of status.cgi. If you set the value to 1 it shows the
# full plugin output instead of the first line only.
# Default value is 0.

status_show_long_plugin_output=0



# DISPLAY STATUS TOTAL
# This option allows you to specify if the
# Host Status Totals and Service Status Totals
# should be displayed.
# Default value is 0.

display_status_totals=0



# SHOW ONLY HARD STATES IN TAC OPTION
# This options allows you to specify if the tactical overview
# should only show hard states on hosts and services.
# By default disabled, all states will be shown.

tac_show_only_hard_state=0



# SHOW CHILD HOSTS IN EXTINFO OPTION
# This Option allows you to specify if the extended host information
# cgi will show child hosts for the selected host.
#	0 = disabled
#	1 = only show immediate child hosts
#	2 = show immediate and all child hosts
# NOTE: Option 2 could be a real performance killer in
# large installations, so use with care.
# By default disabled, as this could be a performance killer.

extinfo_show_child_hosts=0



# SUPPRESS MAINTENANCE DOWNTIME
# This options suppresses the state coloring of hosts and services
# that are in a scheduled downtime. It sets their coloring to gray,
# so they no longer draw extra attention to themselves, making it
# so only actual problems are the ones that stand out.
# By default it is disabled.

suppress_maintenance_downtime=0


# SHOW TAC INFORMATION IN TOP FRAME
# This options places tactical overview information in
# the top frame similar to the view that's in icinga-web.
# By default it is enabled.

show_tac_header=1


# SHOW PENDING IN TAC HEADER
# This options enables the display of pending counts in
# the tac header. If your display is less than 1024x768
# and this is enabled, the tactical information may not
# fit well in the top frame.
# By default it is enabled.

show_tac_header_pending=1



# SHOW INITIAL STATES IN SHOWLOG OPTION
# This options allows you to specify if initial states
# of hosts and services should be shown in showlog.cgi
# Note: This Option only works if the option
# "log_initial_states" in icinga.cfg is set to 1.
# By default it's enabled. Default is 0.

#showlog_initial_states=0



# SHOW CURRENT STATES IN SHOWLOG OPTION
# This options allows you to specify if current states
# of hosts and services should be shown in showlog.cgi
# Note: This Option only works if the option
# "log_current_states" in icinga.cfg is set to 1.
# By default it's enabled. Default is 0.

#showlog_current_states=0



# DEFAULT NUM DISPLAYED LOG ENTRIES OPTION
# This options specifies the number of log entries
# displayed by default in showlog.cgi. To display
# all log entries by default set this value to 0.
# Default is 10000.

#default_num_displayed_log_entries=10000



# CSV DELIMITER
# This option determines the character which should act as
# delimiter. Default is ";".

#csv_delimiter=;



# CSV DATA ENCLOSURE
# This option determines the character which should act as
# data enclosure to wrap in the data. Default is "'".

#csv_data_enclosure='



# TAB-FRIENDLY <TITLE>S
# Activating this option changes the <title> of status.cgi
# and extinfo.cgi when they refer to a single host, service,
# or group. They will then read:
#	[Host]
#	{HostGroup}
#	ServiceDesc @ Host
#	(ServiceGroup)
# These are easier to read and find if you use (many) tabs
# in your browser.
# Default is enabled. 0=disabled, 1=enabled

tab_friendly_titles=1


# SERVICE STATES TO ANNOTATE WITH CURRENT NOTIFICATION NO.
# Set this to an OR of the service state identifiers for
# which status.cgi should not only report "Attempts" (e.g.,
# "3/3" for a HARD non-OK state with max_check_attempts=3)
# but also the current notification number ("(#0)" if no
# problem notification has been sent yet, etc.). This is
# helpful to identify services which switched between
# different non-OK states a lot, or services which have a
# first_notification_delay set and are "not yet officially"
# considered in trouble.
# Relevant values from include/statusdata.h (look them up
# *there* if you want to be *really* sure):
#	#define	SERVICE_PENDING		1
#	#define	SERVICE_OK		2
#	#define	SERVICE_WARNING		4
#	#define	SERVICE_UNKNOWN		8
#	#define	SERVICE_CRITICAL	16
# You'll likely want to use add_notif_num_hard=0 (default)
# or add_notif_num_hard=28 (warn+crit+unknown). There's an
# add_notif_num_soft affecting services in a SOFT state
# for sake of completeness, too.

#add_notif_num_hard=28
#add_notif_num_soft=0



# SPLUNK INTEGRATION OPTIONS
# These options allow you to enable integration with Splunk
# in the web interface.  If enabled, you'll be presented with
# "Splunk It" links in various places in the CGIs (log file,
# alert history, host/service detail, etc).  Useful if you're
# trying to research why a particular problem occurred.
# For more information on Splunk, visit http://www.splunk.com/

# This option determines whether the Splunk integration is enabled
# Values: 0 = disable Splunk integration
#         1 = enable Splunk integration

#enable_splunk_integration=1


# This option should be the URL used to access your instance of Splunk

#splunk_url=http://127.0.0.1:8000/


and the cgi.auth looks like this:

cgi.auth:


#urn:your:name:testicinga:host1admin=switch1:PING:r
#urn:your:name:testicinga:host1admin=*:PING
#urn:your:name:testicinga:host1admin=localhost:PING
#urn:your:name:testicinga:host1admin=localhost:Swap Usage:r
#urn:your:name:testicinga:superadmin=*:*:w
#urn:your:name:testicinga:host1admin=@core-switches,@linux-servers:*:r
#urn:your:name:testicinga:host1admin=@core-routers,@core-switches:@LDAP:w
#urn:your:name:testicinga:host1admin=@core-routers,@core-switches,@linux-servers:@DNS:r


Am 04.10.2012, 15:09 Uhr, schrieb john s. <fireskyer at emailn.de>:


> After that I've checked the cgi file and the authentication section
> ....  nothing is wrong, all settings are set by defaults from the omd
> installation.
>
>
> Furthermore I tried to disable the authentication progress ... but it
> doesn't work anymore, the error still appears.
>
>
>
> So has anybody a clue or an idea why I get this error?
>
>
> regards john s.


Hello again
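
The access-control directives in the cgi.cfg above can be checked mechanically. The following is an added example, not part of the original post and not OMD or Icinga code: it parses cgi.cfg-style text and reports the settings that the file's own comments warn about. The sample text is constructed from values shown in the post; the function names and finding messages are assumptions made for the illustration.

```python
"""Audit Icinga 1.x cgi.cfg text for the access-control settings in the post."""

# Constructed sample: security-relevant directives with the values from the post.
SAMPLE_CGI_CFG = """\
use_logging=0
use_authentication=0
#default_user_name=guest
authorized_for_system_commands=omdadmin
authorized_for_all_services=*
authorized_for_all_hosts=*
authorized_for_all_host_commands=omdadmin
escape_html_tags=0
"""


def parse_cgi_cfg(text):
    """Return {directive: value}; skips comments and blanks, last value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit(settings):
    """Return (directive, message) findings; names and wording are illustrative."""
    findings = []
    # The file's comment: 0 disables authentication, any other value enables it.
    auth_on = settings.get("use_authentication", "1") != "0"
    if not auth_on:
        findings.append(("use_authentication",
                         "CGI authentication is off, so per-user lists do not restrict access"))
    if settings.get("default_user_name"):
        findings.append(("default_user_name",
                         "unauthenticated visitors inherit this user's rights"))
    for key in sorted(settings):
        users = [u.strip() for u in settings[key].split(",")]
        if key.startswith("authorized_for_") and "*" in users:
            scope = "any authenticated user" if auth_on else "everyone"
            findings.append((key, "wildcard grants this right to " + scope))
    # Only flagged when set explicitly; no default is assumed for this directive.
    if settings.get("escape_html_tags") == "0":
        findings.append(("escape_html_tags",
                         "HTML in plugin output is shown unescaped"))
    # The file's comment gives 0 (off) as the default for use_logging.
    if settings.get("use_logging", "0") == "0":
        findings.append(("use_logging",
                         "commands submitted through cmd.cgi are not logged"))
    return findings


if __name__ == "__main__":
    for directive, message in audit(parse_cgi_cfg(SAMPLE_CGI_CFG)):
        print("%-32s %s" % (directive, message))
```

Run against a real file by passing its contents to parse_cgi_cfg(); commented-out directives such as #default_user_name=guest are ignored, as the CGIs ignore them.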



