user permissions with icingaweb2 (with SSO authentication)

Question

We're curently setting up Icinga2 and Icingaweb2 as our global monitoring. To authenticate the users, we use an Apache module (Single Sign On) which let only allowed users to access the web ui. Icingaweb2 is configured with /etc/icingaweb2/authentication.ini :

[icingaweb2]
strip_username_regexp = ""
backend             = "external"

Only one user is declared as global admin in /etc/icingaweb2/roles.ini :

[admins]
users               = "bancal"
permissions         = "*"

For each server monitored with Icinga is defined a UserGroup which defines who will receive email alerts. These persons are client-users.

What we'd like to set is :

Every global-admin has admin view on all hosts (this is already the case)
Every client-users has an admin view on the hosts he is member of and no view on other hosts monitored.

Is there a way to achive this?

score 0 · Accepted Answer · answered Feb 23 '16 at 07:38

We've finally done it with a quite simple config. Since hosts are grouped in Hostgroups, users are granted access to these Hostgroups with the following config in /etc/icingaweb2/roles.ini :

[group1]
users              = "user1,user2"
permissions         = "monitoring/command/*,module/*"
monitoring/filter/objects = "(hostgroup_name=hosts-group1-test|hostgroup_name=hosts-group1-prod)"

One user can be added to several of these config blocks.

user permissions with icingaweb2 (with SSO authentication)

1 Answers1