Authorization in Check_MK Multisite
March 28. 2015
Multisite provides a role based authorization mechanism. There are three roles a user can have: admin, user and guest. As a default, all users with a valid HTTP authentication have the role user. You can change the default role by setting default_user_role in multisite.mk:
default_user_role = "guest"
Setting the default role to None prohibits a login for users not explicitely listed in admin_users, guest_users or users.
With the configuration variable admin_users you can define a list of users which should have the admin role:
admin_users = [ "nagiosadmin", "secondadmin" ]
Guest users are declared in a similar way:
guest_users = [ "welcome" ]
If you have changed the default role, then you need to list all normal users in the variable users. Normal users only see and can act on objects they are a contact in Nagios for.
users = [ "meier", "mueller", "huber" ]
Which permissions result from being member of a role can be configured via the web GUI. Per default, only the admin role can configure permissions. The configuration function is located in the sidebar snapin Administration. In order to keep your system in a sane state, the admin role has hard coded permissions for using Multisite and configuring permissions - even if you happen to remove those from the admin role.
The permissions are stored in a text file with Python-syntax in /var/lib/check_mk/web/permissions.mk. It is completely legal to manually edit that file. Just keep in mind that the syntax of the file might change in a future versions of Multisite.
What can you permit?
There are lots of different permissions which can be set or removed from a role. Each sidebar snapin, builtin view and Nagios command can be allowed and disallowed separately. The three roles are predefined as follows:
Members of the user role can see only data they are a Nagios contact for. Please note, that experts disagree on some details of how Nagios should exactly handle that. Multisite uses MK Livestatus for that decision and MK Livestatus allows the administrator - you - to configure how contacts are handled.