This documentation describes how the Icinga Classic UI (formerly called "CGI") decides who has access to view monitoring and configuration information, and who can submit commands to the Icinga daemon through the Classic web interface.
Before continuing, it is important that you understand the meaning of and difference between authenticated users and authenticated contacts:
An authenticated user is someone who has authenticated to the web server with a username and password and has been granted access to the Icinga Classic web interface.
An authenticated contact is an authenticated user whose username matches the short name of a contact definition.
Assuming you configured your web server as described in the quickstart guide, it should require that you authenticate before accessing the Icinga Classic UI. You should also have one user account (icingaadmin) that can access the Classic UI.
As you define more contacts for receiving host and service notifications, you'll most likely want to let them access the Icinga web interface. You can use the following command to add additional users who can authenticate to the UI. Replace <username> with the actual username you want to add. In most cases, the username should match the short name of a contact that has been defined.
htpasswd /usr/local/icinga/etc/htpasswd.users <username>
The next thing you need to do is make sure that the Classic UI is configured to use the authentication and authorization functionality in determining what information and/or commands users have access to. This is done be setting the use_authentication variable in the Classic UI configuration file to a non-zero value. Example:
use_authentication=1
Okay, you're now done with setting up basic authentication/authorization functionality in the Classic UI.
So what default permissions do users have in the Classic UI by default when the authentication/authorization functionality is enabled?
Classic UI Data |
Authenticated Contacts * |
Other Authenticated Users * |
Host Status Information |
Yes |
No |
Host Configuration Information |
Yes |
No |
Host History |
Yes |
No |
Host Notifications |
Yes |
No |
Host Commands |
Yes |
No |
Service Status Information |
Yes |
No |
Service Configuration Information |
Yes |
No |
Service History |
Yes |
No |
Service Notifications |
Yes |
No |
Service Commands |
Yes |
No |
All Configuration Information |
No |
No |
System/Process Information |
No |
No |
System/Process Commands |
No |
No |
Authenticated contacts * are granted the following permissions for each service for which they are contacts (but not for services for which they are not contacts)...
Authorization to view service status information
Authorization to view service configuration information
Authorization to view history and notifications for the service
Authorization to issue service commands
Authenticated contacts * are granted the following permissions for each host for which they are contacts (but not for hosts for which they are not contacts)...
Authorization to view host status information
Authorization to view host configuration information
Authorization to view history and notifications for the host
Authorization to issue host commands
Authorization to view status information for all services on the host
Authorization to view configuration information for all services on the host
Authorization to view history and notification information for all services on the host
Authorization to issue commands for all services on the host
It is important to note that by default no one is authorized for the following...
Viewing the raw log file via the showlog module
Viewing Icinga process information via the extended information modules
Issuing Icinga process commands via the command module
Viewing host group, contact, contact group, time period, and command definitions via the configuration module
You will undoubtably want to access this information, so you'll have to assign additional rights for yourself (and possibly other users) as described below...
You can grant authenticated contacts or other authenticated users permission to additional information in the Classic UI by adding them to various authorization variables in the Classic UI configuration file. We realize that the available options don't allow for getting really specific about particular permissions, but its better than nothing..
Additional authorization can be given to users by adding them to the following variables in the Classic UI configuration file...
If you are confused about the authorization needed to access various information in the Classic UI, read the Authorization Requirements section for each form as described here.
If your web server is located in a secure domain (i.e., behind a firewall) or if you are using SSL, you can define a default username that can be used to access the Classic UI. This is done by defining the default_user_name option in the Classic UI configuration file. By defining a default username that can access the Classic UI, you can allow users to access the Classic UI without necessarily having to authenticate to the web server. You may want to use this to avoid having to use basic web authentication, as basic authentication transmits passwords in clear text over the Internet.
Important: Do not define a default username unless you are running a secure web server and are sure that everyone who has access to the Classic UI has been authenticated in some manner. If you define this variable, anyone who has not authenticated to the web server will inherit all rights you assign to this user!
© 1999-2009 Ethan Galstad, 2009-2017 Icinga Development Team, https://www.icinga.com