Hi
Since a long time I’m looking for a problem with hostsbygroup. If I query hostsbygroup without a user I will receive this result.
lq “GET hostsbygroup\nColumns: hostgroup_name host_name contact_groups”
If I add a user, I’ll get an empty result but I expected the 3 hosts starting with KR:
lq “GET hostsbygroup\nColumns: hostgroup_name host_name contact_groups\nAuthUser: kruch”
If I query the hosts table, I receive the correct result:
lq “GET hosts\nColumns: host_name contact_groups\nAuthUser: kruch”
User kruch belongs to the right contact group.
lq “GET contactgroups”
alias;members;name
CG-Kruch;kruch;CGkruch
This happens only if the option “Only show hosts and services the user is a contact for” is set. If not set, the user sees all hosts from the hostsbygroup table.
This problems happens only in this 1 monitoring instance. I defined a 2nd instance on omd, this view works as expected (hosts are selected by contact group). I cloned this server and removed config settings and rules but the problem still exists. The output for that topic come from this clone. Debug and debug Livestatus gave no deeper details. I have no further idea where to investigate further. Hope someone can give me some hints for a possible reason or where to debug further. regards
Thanks for the answer.
First, I forgot to mention I run CRE 1.6.0p17.
There is no “Monitoring Core” in CRE. Again I went through the link you supplied.
I found this info but it didn’t solve my problem.
I compared (or tried to compare) the config files in ~/etc/check_mk/conf.d/wato with a “working site” -> found no point were to dig in deeper.
I also think this must be a global setting somewhere. As I remember, I always did any config through wato and never directly in a file.
Is there an equivalent part for “Monitoring Core” in the RAW edition?
In RAW Edition you can configure this at the Nagios configuration. This authorization settings is an option for the Livestatus module. Later I can look for the correct syntax
Hi Andreas
Do you mean parameter service_authorization=strict?
I added this to /omd/sites/inseo/etc/mk-livestatus/nagios.cfg but it had no effect.
Content of /omd/sites/inseo/etc/mk-livestatus/nagios.cfg:
# Load MK Livestatus module into Nagios
# This creates a UNIX socket where status and log
# data can be retrieved by Multisite, NagVis and
# other addons.
broker_module=/omd/sites/inseo/lib/mk-livestatus/livestatus.o num_client_threads=20 mk_logwatch_path=/omd/sites/inseo/var/check_mk/logwatch mk_inventory_path=/omd/sites/inseo/var/check_mk/inventory pnp_path=/omd/sites/inseo/var/pnp4nagios/perfdata service_authorization=strict /omd/sites/inseo/tmp/run/live
event_broker_options=-1
If you ment a different file, please name the file. Thanks
In your case it is not the option “service_authorization” but “group_authorization”.
Your config example is the right one.
Try the booth settings for group authorization to see the difference. The default “strict” for “group_authorization” means, the user must be contact for all hosts inside the hostgroup to see the hostgroup. At the moment i cannot remember completely remember the behavior for the “loose” setting.
Yeah, group_authorization=loose did the trick!
Now I see the host groups filtered by the contact group (CG) the user is a member for. With strict the problem keeps the same. I’m wondering because I would expect with strict to see only the hosts belonging to the same CG as the user and with loose I will see more.
Is there a similar “parent” setting for group_auth because I’m wondering to have this problem only in that instance. As I already wrote a new instance on that machine does not have this problem.
Finally, many thanks for the help. regards robi
group_authorization - strict - user must be contact of all members to see the group
group_authorization - loose - user must only be contact of one member
The same for service authorization if i remember it correctly
service_authorization - strict - user must be contact of all services to see the host
service_authorization - loose - user must only be contact of one service to see the host
In most of my systems i don’t touch these settings. I work more there with filtered views for the contactgroups. Nearly all the users have the right to see all objects. Then are dashboards defined for the contact groups where they get the pre-filtered view.
