[omd-users] Can't determine the Authoraztion Error in Icinga

Michael Friedrich michael.friedrich at gmail.com
Tue Oct 9 14:22:44 CEST 2012


john s. wrote:
> Her are some Config files from my system:

looks good to me. which user is logged in and trying to view the 
host/services?
>
> cgi.cfg:
> # ---------------------------------------------------------
> # Settings for OMD. Do not change!
> main_config_file=/omd/sites/omd056/tmp/icinga/icinga.cfg
> physical_html_path=/omd/sites/omd056/share/icinga/htdocs
> url_html_path=/omd056/icinga
> url_stylesheets_path=/omd056/icinga/stylesheets
> cgi_base_url=/omd056/icinga/cgi-bin
> # ---------------------------------------------------------
>
> # ATTRIBUTE BASED AUTHORIZATION FILE
> # This option will include a file defining authroization based on
> # attributes.
>
> #authorization_config_file=/omd/sites/omd056/etc/icinga/cgiauth.cfg
>
>
> # HTTP CHARSET
> # This defines charset that is sent with HTTP headers.
>
> http_charset=utf-8
>
>
>
> # CONTEXT-SENSITIVE HELP
> # This option determines whether or not a context-sensitive
> # help icon will be displayed for most of the CGIs.
> # Values: 0 = disables context-sensitive help
> #         1 = enables context-sensitive help
>
> show_context_help=0
>
>
>
> # HIGHLIGHT TABLE ROWS
> # This option allows you to define if table rows in status.cgi
> # will be highlighted or not.
> # Values: 0 = disables row highlighting
> #      1 = enables row highlighting
>
> highlight_table_rows=1
>
>
>
> # PENDING STATES OPTION
> # This option determines what states should be displayed in the web
> # interface for hosts/services that have not yet been checked.
> # Values: 0 = leave hosts/services that have not been check yet in 
> their original state
> #         1 = mark hosts/services that have not been checked yet as 
> PENDING
>
> use_pending_states=1
>
>
> # Logging
>
> # USE LOGGING
> # If you want to log information from cgi's (e.g. all submitted commands)
> # then set this option to 1, default is 0 (off).
> # WARNING:
> # This log is highly experimental and changes may occure without 
> notice. Use at your own risk!!
>
> use_logging=0
>
>
> # CGI LOG FILE
> # This is the cgi log file for information about what users are doing.
> # At the moment only submitted commands from cmd.cgi will be logged.
>
> cgi_log_file=/omd/sites/omd056/var/icinga/icinga-cgi.log
>
>
> # CGI LOG ROTATION METHOD
> # This is the log rotation method that should be used to rotate
> # the cgi log file. Values are as follows..
> #    n    = None - don't rotate the log
> #    h    = Hourly rotation (top of the hour)
> #    d    = Daily rotation (midnight every day)
> #    w    = Weekly rotation (midnight on Saturday evening)
> #    m    = Monthly rotation (midnight last day of month)
>
> cgi_log_rotation_method=d
>
>
> # CGI LOG ARCHIVE PATH
> # This is the directory where archived (rotated) cgi log files should be
> # placed (assuming you've chosen to do log rotation).
>
> cgi_log_archive_path=/omd/sites/omd056/var/icinga/archive
>
>
> # FORCE COMMENT
> # This option forces the users of to comment every action they perform.
> # The comments get logged into cgi log file. This option only has effect
> # if logging is switched on. See option "use_logging"
> # Default  is 0 (off), to activate it set it to 1 (on).
>
> enforce_comments_on_actions=0
>
>
> # FIRST DAY OF WEEK
> # Here you can set if your week starts on sunday or monday.
> # Default is 0 (Sunday), set it to 1 if your week start monday.
>
> first_day_of_week=0
>
>
> # AUTHENTICATION USAGE
> # This option controls whether or not the CGIs will use any
> # authentication when displaying host and service information, as
> # well as committing commands to Icinga for processing.
> #
> # Read the HTML documentation to learn how the authorization works!
> #
> # NOTE: It is a really *bad* idea to disable authorization, unless
> # you plan on removing the command CGI (cmd.cgi)!  Failure to do
> # so will leave you wide open to kiddies messing with Icinga and
> # possibly hitting you with a denial of service attack by filling up
> # your drive by continuously writing to your command file!
> #
> # Setting this value to 0 will cause the CGIs to *not* use
> # authentication (bad idea), while any other value will make them
> # use the authentication functions (the default).
>
> use_authentication=0
>
>
>
>
> # x509 CERT AUTHENTICATION
> # When enabled, this option allows you to use x509 cert (SSL)
> # authentication in the CGIs.  This is an advanced option and should
> # not be enabled unless you know what you're doing.
>
> use_ssl_authentication=0
>
>
>
>
> # DEFAULT USER
> # Setting this variable will define a default user name that can
> # access pages without authentication.  This allows people within a
> # secure domain (i.e., behind a firewall) to see the current status
> # without authenticating.  You may want to use this to avoid basic
> # authentication if you are not using a secure server since basic
> # authentication transmits passwords in the clear.
> #
> # Important:  Do not define a default username unless you are
> # running a secure web server and are sure that everyone who has
> # access to the CGIs has been authenticated in some manner!  If you
> # define this variable, anyone who has not authenticated to the web
> # server will inherit all rights you assign to this user!
>
> #default_user_name=guest
>
>
>
> # SYSTEM/PROCESS INFORMATION ACCESS
> # This option is a comma-delimited list of all usernames that
> # have access to viewing the Icinga process information as
> # provided by the Extended Information CGI (extinfo.cgi).  By
> # default, *no one* has access to this unless you choose to
> # not use authorization.  You may use an asterisk (*) to
> # authorize any user who has authenticated to the web server.
> # Alternatively you can specify contactgroups too, starting
> # with Icinga 1.5.0
>
> authorized_for_system_information=omdadmin
> #authorized_contactgroup_for_system_information=
>
>
> # CONFIGURATION INFORMATION ACCESS
> # This option is a comma-delimited list of all usernames that
> # can view ALL configuration information (hosts, commands, etc).
> # By default, users can only view configuration information
> # for the hosts and services they are contacts for. You may use
> # an asterisk (*) to authorize any user who has authenticated
> # to the web server.
> # Alternatively you can specify contactgroups too, starting
> # with Icinga 1.5.0
>
> authorized_for_configuration_information=omdadmin
> #authorized_contactgroup_for_configuration_information=
>
>
> # RAW COMMANDLINE CONFIGURATION INFORMATION ACCESS
> # This option is a comma-delimited list of all usernames that
> # can view a command in config command expander as icinga would
> # execute it. To resolve all MACROS it is necessary to allow
> # read access to the web server for resource.cfg .
> # CAUTION: $USERXX$ vars and custom vars can contain sensitive
> # data.
> # Alternatively you can specify contactgroups too.
>
> authorized_for_full_command_resolution=omdadmin
> #authorized_contactgroup_for_full_command_resolution=
>
>
> # SYSTEM/PROCESS COMMAND ACCESS
> # This option is a comma-delimited list of all usernames that
> # can issue shutdown and restart commands to Icinga via the
> # command CGI (cmd.cgi).  Users in this list can also change
> # the program mode to active or standby. By default, *no one*
> # has access to this unless you choose to not use authorization.
> # You may use an asterisk (*) to authorize any user who has
> # authenticated to the web server.
> # Alternatively you can specify contactgroups too, starting
> # with Icinga 1.5.0
>
> authorized_for_system_commands=omdadmin
> #authorized_contactgroup_for_system_commands=
>
>
> # GLOBAL HOST/SERVICE VIEW ACCESS
> # These two options are comma-delimited lists of all usernames that
> # can view information for all hosts and services that are being
> # monitored.  By default, users can only view information
> # for hosts or services that they are contacts for (unless you
> # you choose to not use authorization). You may use an asterisk (*)
> # to authorize any user who has authenticated to the web server.
> # Alternatively you can specify contactgroups too, starting
> # with Icinga 1.5.0
>
>
> authorized_for_all_services=*
> authorized_for_all_hosts=*
> #authorized_contactgroup_for_all_services=
> #authorized_contactgroup_for_all_hosts=
>
>
> # GLOBAL HOST/SERVICE COMMAND ACCESS
> # These two options are comma-delimited lists of all usernames that
> # can issue host or service related commands via the command
> # CGI (cmd.cgi) for all hosts and services that are being monitored.
> # By default, users can only issue commands for hosts or services
> # that they are contacts for (unless you you choose to not use
> # authorization).  You may use an asterisk (*) to authorize any
> # user who has authenticated to the web server.
> # Alternatively you can specify contactgroups too, starting
> # with Icinga 1.5.0
>
> authorized_for_all_service_commands=omdadmin
> authorized_for_all_host_commands=omdadmin
> #authorized_contactgroup_for_all_service_commands=
> #authorized_contactgroup_for_all_host_commands=
>
>
> # READ-ONLY USERS
> # A comma-delimited list of usernames that have read-only rights in
> # the CGIs.  This will block any service or host commands normally shown
> # on the extinfo CGI pages.  It will also block comments from being shown
> # to read-only users.
> # Alternatively you can specify contactgroups too, starting
> # with Icinga 1.5.0
>
> #authorized_for_read_only=user1,user2
> #authorized_contactgroup_for_read_only=
>
>
> # SHOW ALL SERVICES THE HOST IS AUTHORIZED FOR
> # By default, a user can see all services on a host, if the user is
> # authorized as contact for the host only. By disabling this option,
> # the user must be an authorized contact for the service too in order
> # to view it.
> # Values: 0 - disabled, user must be authorized for services too
> #         1 - enabled, user can view all services on authorized host
>
> show_all_services_host_is_authorized_for=1
>
>
> # SHOW PARTIAL HOSTGROUPS
> # By default, a user only sees a hostgroup and the hosts within it if
> # they are an authorized contact for all of the hosts of the group. By
> # enabling this option hostgroups will show a partial listing of hosts
> # the user is an authorized contact for in the hostgroups.
> # Values: 0 - disabled, user only sees full hostgroups (default)
> #         1 - enabled, user sees partial hostgroups
>
> show_partial_hostgroups=1
>
>
> # STATUSMAP BACKGROUND IMAGE
> # This option allows you to specify an image to be used as a
> # background in the statusmap CGI.  It is assumed that the image
> # resides in the HTML images path (i.e. /usr/local/icinga/share/images).
> # This path is automatically determined by appending "/images"
> # to the path specified by the 'physical_html_path' directive.
> # Note:  The image file may be in GIF, PNG, JPEG, or GD2 format.
> # However, I recommend that you convert your image to GD2 format
> # (uncompressed), as this will cause less CPU load when the CGI
> # generates the image.
>
> #statusmap_background_image=smbackground.gd2
>
>
>
>
> # STATUSMAP TRANSPARENCY INDEX COLOR
> # These options set the r,g,b values of the background color used the 
> statusmap CGI,
> # so normal browsers that can't show real png transparency set the 
> desired color as
> # a background color instead (to make it look pretty).
> # Defaults to white: (R,G,B) = (255,255,255).
>
> #color_transparency_index_r=255
> #color_transparency_index_g=255
> #color_transparency_index_b=255
>
>
>
>
> # DEFAULT STATUSMAP LAYOUT METHOD
> # This option allows you to specify the default layout method
> # the statusmap CGI should use for drawing hosts.  If you do
> # not use this option, the default is to use user-defined
> # coordinates.  Valid options are as follows:
> #    0 = User-defined coordinates
> #    1 = Depth layers
> #       2 = Collapsed tree
> #       3 = Balanced tree
> #       4 = Circular
> #       5 = Circular (Marked Up)
>
> default_statusmap_layout=5
>
>
>
> # DEFAULT STATUSWRL LAYOUT METHOD
> # This option allows you to specify the default layout method
> # the statuswrl (VRML) CGI should use for drawing hosts.  If you
> # do not use this option, the default is to use user-defined
> # coordinates.  Valid options are as follows:
> #    0 = User-defined coordinates
> #       2 = Collapsed tree
> #       3 = Balanced tree
> #       4 = Circular
>
> default_statuswrl_layout=4
>
>
>
> # STATUSWRL INCLUDE
> # This option allows you to include your own objects in the
> # generated VRML world.  It is assumed that the file
> # resides in the HTML path (i.e. /usr/local/icinga/share).
>
> #statuswrl_include=myworld.wrl
>
>
>
> # PING SYNTAX
> # This option determines what syntax should be used when
> # attempting to ping a host from the WAP interface (using
> # the statuswml CGI.  You must include the full path to
> # the ping binary, along with all required options.  The
> # $HOSTADDRESS$ macro is substituted with the address of
> # the host before the command is executed.
> # Please note that the syntax for the ping binary is
> # notorious for being different on virtually ever *NIX
> # OS and distribution, so you may have to tweak this to
> # work on your system.
>
> ping_syntax=/bin/ping -n -U -c 5 $HOSTADDRESS$
>
>
>
> # REFRESH RATE
> # This option allows you to specify the refresh rate in seconds
> # of various CGIs (extinfo, outages, status, statusmap and tac).
>
> refresh_rate=90
>
>
> # REFRESH TYPE
> # This option determines what type of refresh should be used.
> # You can choose between http header and javascript. By
> # default javascript (1) is activated. If you have trouble
> # using javascript then try refresh via http header (0).
>
> refresh_type=1
>
>
> # ESCAPE HTML TAGS
> # This option determines whether HTML tags in host and service
> # status output is escaped in the web interface.  If enabled,
> # your plugin output will not be able to contain clickable links.
>
> escape_html_tags=0
>
>
>
> # PERSISTENT ACKNOWLEDGEMENT COMMENTS
> # This options determines whether the initial state of the
> # checkbox "Persistent Comment:" for service and host problem
> # acknowledgements is checked or unchecked
>
> persistent_ack_comments=0
>
>
> # SOUND OPTIONS
> # These options allow you to specify an optional audio file
> # that should be played in your browser window when there are
> # problems on the network.  The audio files are used only in
> # the status CGI.  Only the sound for the most critical problem
> # will be played.  Order of importance (higher to lower) is as
> # follows: unreachable hosts, down hosts, critical services,
> # warning services, and unknown services. If there are no
> # visible problems, the sound file optionally specified by
> # 'normal_sound' variable will be played.
> #
> #
> # <varname>=<sound_file>
> #
> # Note: All audio files must be placed in the /media subdirectory
> # under the HTML path (i.e. /usr/local/icinga/share/media/).
>
> #host_unreachable_sound=hostdown.wav
> #host_down_sound=hostdown.wav
> #service_critical_sound=critical.wav
> #service_warning_sound=warning.wav
> #service_unknown_sound=warning.wav
> #normal_sound=noproblem.wav
>
>
>
> # URL TARGET FRAMES
> # These options determine the target frames in which notes and
> # action URLs will open. Default is main frame.
>
> action_url_target=main
> notes_url_target=main
> #action_url_target=_blank
> #notes_url_target=_blank
>
>
>
>
> # LOCK AUTHOR NAMES OPTION
> # This option determines whether users can change the author name
> # when submitting comments, scheduling downtime.  If disabled, the
> # author names will be locked into their contact name, as defined in 
> Icinga.
> # Values: 0 = allow editing author names
> #         1 = lock author names (disallow editing)
>
> lock_author_names=1
>
>
>
> # DEFAULT DOWNTIME DURATION
> # This option defines the default duration (in seconds) of fixed and
> # flexible downtimes. Default is 7200 seconds (2 hours).
>
> default_downtime_duration=7200
>
>
>
> # DEFAULT EXPIRING ACKNOWLEDGEMENT DURATION
> # This option defines the default duration (in seconds) of a expiring
> # acknowledgement. Default is 86400 seconds (1 day).
>
> default_expiring_acknowledgement_duration=86400
>
>
>
> # SHOW LONG PLUGIN OUTPUT IN STATUS OPTION
> # This option allows you to specify the length of status information
> # in output of status.cgi. If you set the value to 1 it shows the
> # full plugin output instead of the first line only.
> # Default value is 0.
>
> status_show_long_plugin_output=0
>
>
>
> # DISPLAY STATUS TOTAL
> # This option allows you to specify if the
> # Host Status Totals and Service Status Totals
> # should be displayed.
> # Default value is 0.
>
> display_status_totals=0
>
>
>
> # SHOW ONLY HARD STATES IN TAC OPTION
> # This options allows you to specify if the tactical overview
> # should only show hard states on hosts and services.
> # By default disabled, all states will be shown.
>
> tac_show_only_hard_state=0
>
>
>
> # SHOW CHILD HOSTS IN EXTINFO OPTION
> # This Option allows you to specify if the extended host information
> # cgi will show child hosts for the selected host.
> #    0 = disabled
> #    1 = only show immediate child hosts
> #    2 = show immediate and all child hosts
> # NOTE: Option 2 could be a real performance killer in
> # large installations, so use with care.
> # By default disabled, as this could be a performance killer.
>
> extinfo_show_child_hosts=0
>
>
>
> # SUPPRESS MAINTENANCE DOWNTIME
> # This options suppresses the state coloring of hosts and services
> # that are in a scheduled downtime. It sets their coloring to gray,
> # so they no longer draw extra attention to themselves, making it
> # so only actual problems are the ones that stand out.
> # By default it is disabled.
>
> suppress_maintenance_downtime=0
>
>
> # SHOW TAC INFORMATION IN TOP FRAME
> # This options places tactical overview information in
> # the top frame similar to the view that's in icinga-web.
> # By default it is enabled.
>
> show_tac_header=1
>
>
> # SHOW PENDING IN TAC HEADER
> # This options enables the display of pending counts in
> # the tac header. If your display is less than 1024x768
> # and this is enabled, the tactical information may not
> # fit well in the top frame.
> # By default it is enabled.
>
> show_tac_header_pending=1
>
>
>
> # SHOW INITIAL STATES IN SHOWLOG OPTION
> # This options allows you to specify if initial states
> # of hosts and services should be shown in showlog.cgi
> # Note: This Option only works if the option
> # "log_initial_states" in icinga.cfg is set to 1.
> # By default it's enabled. Default is 0.
>
> #showlog_initial_states=0
>
>
>
> # SHOW CURRENT STATES IN SHOWLOG OPTION
> # This options allows you to specify if current states
> # of hosts and services should be shown in showlog.cgi
> # Note: This Option only works if the option
> # "log_current_states" in icinga.cfg is set to 1.
> # By default it's enabled. Default is 0.
>
> #showlog_current_states=0
>
>
>
> # DEFAULT NUM DISPLAYED LOG ENTRIES OPTION
> # This options specifies the number of log entries
> # displayed by default in showlog.cgi. To display
> # all log entries by default set this value to 0.
> # Default is 10000.
>
> #default_num_displayed_log_entries=10000
>
>
>
> # CSV DELIMITER
> # This option determines the character which should act as
> # delimiter. Default is ";".
>
> #csv_delimiter=;
>
>
>
> # CSV DATA ENCLOSURE
> # This option determines the character which should act as
> # data enclosure to wrap in the data. Default is "'".
>
> #csv_data_enclosure='
>
>
>
> # TAB-FRIENDLY <TITLE>S
> # Activating this option changes the <title> of status.cgi
> # and extinfo.cgi when they refer to a single host, service,
> # or group. They will then read:
> #    [Host]
> #    {HostGroup}
> #    ServiceDesc @ Host
> #    (ServiceGroup)
> # These are easier to read and find if you use (many) tabs
> # in your browser.
> # Default is enabled. 0=disabled, 1=enabled
>
> tab_friendly_titles=1
>
>
> # SERVICE STATES TO ANNOTATE WITH CURRENT NOTIFICATION NO.
> # Set this to an OR of the service state identifiers for
> # which status.cgi should not only report "Attempts" (e.g.,
> # "3/3" for a HARD non-OK state with max_check_attempts=3)
> # but also the current notification number ("(#0)" if no
> # problem notification has been sent yet, etc.). This is
> # helpful to identify services which switched between
> # different non-OK states a lot, or services which have a
> # first_notification_delay set and are "not yet officially"
> # considered in trouble.
> # Relevant values from include/statusdata.h (look them up
> # *there* if you want to be *really* sure):
> #    #define    SERVICE_PENDING        1
> #    #define    SERVICE_OK        2
> #    #define    SERVICE_WARNING        4
> #    #define    SERVICE_UNKNOWN        8
> #    #define    SERVICE_CRITICAL    16
> # You'll likely want to use add_notif_num_hard=0 (default)
> # or add_notif_num_hard=28 (warn+crit+unknown). There's an
> # add_notif_num_soft affecting services in a SOFT state
> # for sake of completeness, too.
>
> #add_notif_num_hard=28
> #add_notif_num_soft=0
>
>
>
> # SPLUNK INTEGRATION OPTIONS
> # These options allow you to enable integration with Splunk
> # in the web interface.  If enabled, you'll be presented with
> # "Splunk It" links in various places in the CGIs (log file,
> # alert history, host/service detail, etc).  Useful if you're
> # trying to research why a particular problem occurred.
> # For more information on Splunk, visit http://www.splunk.com/
>
> # This option determines whether the Splunk integration is enabled
> # Values: 0 = disable Splunk integration
> #         1 = enable Splunk integration
>
> #enable_splunk_integration=1
>
>
> # This option should be the URL used to access your instance of Splunk
>
> #splunk_url=http://127.0.0.1:8000/
>
>
> and the cgi.auth llooks like this:
>
> cgi.auth:
>
>
> #urn:your:name:testicinga:host1admin=switch1:PING:r
> #urn:your:name:testicinga:host1admin=*:PING
> #urn:your:name:testicinga:host1admin=localhost:PING
> #urn:your:name:testicinga:host1admin=localhost:Swap Usage:r
> #urn:your:name:testicinga:superadmin=*:*:w
> #urn:your:name:testicinga:host1admin=@core-switches, at linux-servers:*:r
> #urn:your:name:testicinga:host1admin=@core-routers, at core-switches:@LDAP:w
> #urn:your:name:testicinga:host1admin=@core-routers, at core-switches, at linux-servers:@DNS:r 
>
>
>
> Am 04.10.2012, 15:09 Uhr, schrieb john s. <fireskyer at emailn.de>:
>
>
>> After that i ve checked the cgi file und the authentification section
>> ....  nothing is wrong all settings are set by  defaults from the omd
>> instalation.
>>
>>
>> futhermore i tried to disable the authentification progress ... but it
>> doesn't work anymore the error still appears.
>>
>>
>>
>> so has anybody a clue  or an idea why i get this error?
>>
>>
>> regards john s.
>
>
> Hello again
>
>
> _______________________________________________
> omd-users mailing list
> omd-users at lists.mathias-kettner.de
> http://lists.mathias-kettner.de/mailman/listinfo/omd-users



More information about the omd-users mailing list