Notes
Throughout these instructions I will be assuming that you are running the Apache web server on your machine. If you are running some other web server, you will have to make some adjustments.
Throughout these instructions I will be using the following terms, so you should understand what they mean...
Index
Configuring web server authentication
Setting up authenticated users
Enabling authentication/authorization functionality in the CGIs
Default permissions to CGI information
Granting additional permissions to CGI information
Authentication on secure web servers
Configuring Web Server Authentication
The first step in configuring your web server for authentication is to make sure the web server configuration file (i.e. httpd.conf) contains an 'AllowOverride AuthConfig' statement for the Nagios CGI-BIN directory. If it doesn't, you'll have to add something similar to the following to your web server configuration file. Note that you will have to restart the web server in order for this change to take effect.
<Directory /usr/local/nagios/sbin>
AllowOverride AuthConfig
order allow,deny
allow from all
Options ExecCGI
</Directory>
If you also want to require authentication for access to the HTML pages for Nagios, add something similar to the following to the web server configuration file as well.
<Directory /usr/local/nagios/share>
AllowOverride AuthConfig
order allow,deny
allow from all
</Directory>
The second step is to create a file named .htaccess in the root of your CGI directory (and optionally also your HTML directory) for Nagios (usually /usr/local/nagios/sbin and /usr/local/nagios/share, respectively). The file(s) should have contents similar to the following...
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
require valid-user
Setting Up Authenticated Users
Now that you've configured the web server to require authentication for access to the CGIs, you'll need to configure users who can access the CGIs. This is done by using the htpasswd command supplied with Apache.
Running the following command will create a new file called htpasswd.users in the /usr/local/nagios/etc directory. It will also create a username/password entry for nagiosadmin. You will be asked to provide a password that will be used when nagiosadmin authenticates to the web server.
htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
Continue adding more users until you've created an account for everyone you want to access the CGIs. Use the following command to add additional users, replacing <username> with the actual username you want to add. Note that the -c option is not used, since you already created the initial file.
htpasswd /usr/local/nagios/etc/htpasswd.users <username>
Okay, so you're done with the first part of what needs to be done. If you point your web browser to your Nagios CGIs you should be asked for a username and password. If you have problems getting user authentication to work at this point, read your web server documentation for more info.
Enabling Authentication/Authorization Functionality In The CGIs
The next thing you need to do is make sure that the CGIs are configured to use the authentication and authorization functionality in determining what information and/or commands users have access to. This is done by setting the use_authentication variable in the CGI configuration file to a non-zero value. Example:
use_authentication=1
Okay, you're now done with setting up basic authentication/authorization functionality in the CGIs.
Default Permissions To CGI Information
So what permissions do users have in the CGIs by default when the authentication/authorization functionality is enabled?
CGI Data | Authenticated Contacts* | Other Authenticated Users* |
Host Status Information | Yes | No |
Host Configuration Information | Yes | No |
Host History | Yes | No |
Host Notifications | Yes | No |
Host Commands | Yes | No |
Service Status Information | Yes | No |
Service Configuration Information | Yes | No |
Service History | Yes | No |
Service Notifications | Yes | No |
Service Commands | Yes | No |
All Configuration Information | No | No |
System/Process Information | No | No |
System/Process Commands | No | No |
Authenticated contacts* are granted the following permissions for each service for which they are contacts (but not for services for which they are not contacts)...
Authenticated contacts* are granted the following permissions for each host for which they are contacts (but not for hosts for which they are not contacts)...
It is important to note that by default no one is authorized for the following...
You will undoubtedly want to access this information, so you'll have to assign additional rights for yourself (and possibly other users) as described below...
Granting Additional Permissions To CGI Information
You can grant authenticated contacts or other authenticated users permission to additional information in the CGIs by adding them to various authorization variables in the CGI configuration file. I realize that the available options don't allow for getting really specific about particular permissions, but it's better than nothing.
Additional authorization can be given to users by adding them to the following variables in the CGI configuration file...
CGI Authorization Requirements
If you are confused about the authorization needed to access various information in the CGIs, read the Authorization Requirements section for each CGI as described here.
Authentication On Secured Web Servers
If your web server is located in a secure domain (i.e., behind a firewall) or if you are using SSL, you can define a default username that can be used to access the CGIs. This is done by defining the default_user_name option in the CGI configuration file. By defining a default username that can access the CGIs, you can allow users to access the CGIs without necessarily having to authenticate to the web server. You may want to use this to avoid having to use basic web authentication, as basic authentication transmits passwords in clear text over the Internet.
Important: Do not define a default username unless you are running a secure web server and are sure that everyone who has access to the CGIs has been authenticated in some manner! If you define this variable, anyone who has not authenticated to the web server will inherit all rights you assign to this user!
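An added example, not part of the Nagios documentation: a shell audit of the setup steps above (the .htaccess directives, the AuthUserFile, use_authentication) and of the default_user_name warning, listing which rights an unauthenticated visitor would inherit. The cgi.cfg file name, the authorized_for_* variable prefix, the guest user and the sample tree at the end are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the Nagios CGI authentication setup described on this page.
# Assumed paths: PREFIX/sbin/.htaccess and PREFIX/etc/cgi.cfg.
findings=0
finding() { echo "FINDING: $*"; findings=$((findings + 1)); }

# cfg_value FILE KEY: print the value of the last active "KEY=value" line.
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | tail -n 1
}

# audit_nagios_auth PREFIX: print findings; return status = number of findings.
audit_nagios_auth() {
    prefix=${1:-/usr/local/nagios}; findings=0
    ht="$prefix/sbin/.htaccess"; cgi="$prefix/etc/cgi.cfg"
    if [ ! -f "$ht" ]; then
        finding "$ht is missing, so the CGI directory has no auth directives"
    else
        grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic' "$ht" || finding "$ht: AuthType Basic not set"
        grep -Eiq '^[[:space:]]*require[[:space:]]+valid-user' "$ht" || finding "$ht: 'require valid-user' not set"
        pw=$(sed -n 's/^[[:space:]]*AuthUserFile[[:space:]]*//p' "$ht" | tail -n 1)
        grep -q '^[^#:][^:]*:.' "${pw:-/nonexistent}" 2>/dev/null ||
            finding "AuthUserFile '$pw' is missing or has no user entries"
    fi
    # Page step: use_authentication must be set to a non-zero value.
    case "$(cfg_value "$cgi" use_authentication)" in
        *[1-9]*) ;;
        *) finding "$cgi: use_authentication is not set to a non-zero value" ;;
    esac
    # default_user_name gives its rights to every visitor who has not logged in.
    du=$(cfg_value "$cgi" default_user_name)
    if [ -n "$du" ]; then
        finding "$cgi: default_user_name=$du is used for unauthenticated visitors"
        # Assumption: rights are granted by authorized_for_* lines (stock cgi.cfg).
        for key in $(sed -n 's/^[[:space:]]*\(authorized_for_[a-z_]*\)[[:space:]]*=.*/\1/p' "$cgi"); do
            case ",$(cfg_value "$cgi" "$key" | tr -d '[:space:]')," in
                *",$du,"*) finding "$cgi: unauthenticated visitors inherit $key" ;;
            esac
        done
    fi
    return "$findings"
}

# Constructed sample tree: auth is configured, but a default user holds command rights.
d=$(mktemp -d); mkdir "$d/sbin" "$d/etc"
printf 'nagiosadmin:CONSTRUCTED-HASH\n' > "$d/etc/htpasswd.users"
printf 'AuthName "Nagios Access"\nAuthType Basic\nAuthUserFile %s\nrequire valid-user\n' "$d/etc/htpasswd.users" > "$d/sbin/.htaccess"
printf 'use_authentication=1\ndefault_user_name=guest\nauthorized_for_system_commands=nagiosadmin,guest\n' > "$d/etc/cgi.cfg"
audit_nagios_auth "$d" || echo "$? finding(s)"; rm -rf "$d"
```

To audit a real installation, call audit_nagios_auth with the Nagios prefix (it defaults to /usr/local/nagios); the return status is the number of findings.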