NAME¶
xymon-webaccess - Web-based access controls in Xymon
DESCRIPTION¶
Xymon does not provide any built-in authentication (login) mechanism. Instead,
it relies on the access controls available in your web server, e.g. the Apache
mod_auth modules.
This provides a simple way of controlling access to the physical directories
that make up the pages and subpages with the hosts defined in your Xymon
hosts.cfg(5) setup - you can use the Apache "require" setting
to allow or deny access to information on any page, usually through the use of
a "Require group ..." setting. The group name then refers to one or
more groups in an Apache
AuthGroupFile file.
However, this does not work for the Xymon CGI programs since they are used to
fetch information about all hosts in Xymon, but there is only a single
directory holding all of the CGI's. So here you can only require that the user
is logged-in (the Apache "Require valid-user" directive). A user
with a login can - if he knows the hostname - manipulate the request sent to
the webserver and fetch information about any status by use of the Xymon CGI
programs, even though he cannot see the overview webpages.
To alleviate this situation, the following Xymon CGI's support a
"--access=FILENAME" option, where FILENAME is an Apache compatible
group-definitions file:
svcstatus.cgi(1)
acknowledge.cgi(1)
enadis.cgi(1)
appfeed.cgi(1)
When invoked with this option the CGI will read the Apache group-definitions
file, and assume that an Apache
group maps to a Xymon
page, and
then - based on the logged-in userid - determine which pages and hosts the
user is allowed access to. Only information about those hosts will be made
available by the CGI tool.
Members of the group
root has access to all hosts.
Access will also be granted, if the user is a member of a group with the same
name as the
host being requested, or as the
statuscolumn being
requested.
SEE ALSO¶
The Apache "Authentication, Authorization and Access Control"
documentation,
http://httpd.apache.org/docs/2.2/howto/auth.html