Phil Wild wrote:
This is correct and I expect this part to work. But all the tools bypass this security. For example, If you run an sla report, it builds a new directory structure and hence the user that ran the report can see everything from the top level down. Also, the enable/disable menu option lets you see all hosts, same with findhost or even if you muck around with the hostsvc URL.
Ah ha. I see you issue.
I guess you could run multiple instances of hobbit on the same machine, one for each customer, and have virtual hosts in apache. Very ugly solution though :(
What is the hobbit server currently running on? If you are using solaris you could use containers to seperate the hobbit processes. And I believe that the linux kernel will soon have container support too.
I think Henrik posted a workaround to this on the 7th Nov.
Cheers
Iain
I was wondering if there was some way of either wrapping this functionality with something that restricts the hosts (like as if bbhostgrep is used as the input to all these functions or something).
Has anyone achieved this or is it not possible without changing the source?
Phil
On 16/11/2007, *Iain Conochie* <iain at shihad.org <mailto:iain at shihad.org>> wrote:
Josh Luthman wrote: > With two groups of hosts you still only have one directory accessible > by web. This means Apache HTTP authentication is out of the question. > > That's about all I can tell you =/ Not necessarily! You can use the PAGE statement in bb-hosts and then you have a new directory for each page and sub-page underneath. You can then use apache auth for that. Then for the top level you can also use apache auth for admins Cheers Iain > > On 11/15/07, *Phil Wild* <philwild at gmail.com <mailto:philwild at gmail.com> > <mailto:philwild at gmail.com <mailto:philwild at gmail.com>>> wrote: > > No, not quite, I want to make a single hobbit install work for two > groups of users, and I don't want group A to have any access to > see or do anything to Group B hosts and vice versa. > > I am tryingto find out if there is a way of restricting the > reports/tools/executables to only run against a subset of the > hosts defined in bbhosts say like using bbgrep to filter on a tag > or something for all functions. > > Any ideas? > > Phil > > > On 16/11/2007, *Josh Luthman* < josh at imaginenetworksllc.com <mailto:josh at imaginenetworksllc.com> > <mailto:josh at imaginenetworksllc.com <mailto:josh at imaginenetworksllc.com>>> wrote: > > The default Apache configuration that Hobbit makes for you > will specify requiring HTTP logins for the cgisec directory. > Is this what you're looking for? > > > On 11/14/07, * Phil Wild* <philwild at gmail.com <mailto:philwild at gmail.com> > <mailto: philwild at gmail.com <mailto:philwild at gmail.com>>> wrote: > > Hello, > > I am looking at setting up hobbit to manage two groups of > hosts. I would prefer to just deploy one hobbit > installation for both groups. For most of the hobbit web > pages, Apache security solves a lot of the browsing issues > but the cgi-bin executables and menus are the problem. > > I want to make sure one group don't have access to see or > make changes to the other groups hosts. > > The areas I see a problem with are: > > hobbit-enadis.sh > bb-findhost.sh > hobbit-confreport.sh > > I would like to restrict the above to only work with a > subset of hosts (perhaps a tag in the bbhosts file) > > The reports generate web pages on the fly and drop the > user at the top level page which is not what I would > prefer (each group have their own top level page etc.) > > All nongreen view is also an issue > > and lastly, manually modifying the URL based on > bb-hostsvc.sh to get to a web page for a host in the other > groups list is also a problem. > > Any ideas how I can address this? > > Thanks > > Phil > > > > > -- > Josh Luthman > Office: 937-552-2340 > Direct: 937-552-2343 > 1100 Wayne St > Suite 1337 > Troy, OH 45373 > > Those who don't understand UNIX are condemned to reinvent it, > poorly. > --- Henry Spencer > > > > > -- > Tel: 0400 466 952 > Fax: 0433 123 226 > email: philwild at gmail.com <mailto:philwild at gmail.com> <mailto:philwild at gmail.com <mailto:philwild at gmail.com>> > > > > > -- > Josh Luthman > Office: 937-552-2340 > Direct: 937-552-2343 > 1100 Wayne St > Suite 1337 > Troy, OH 45373 > > Those who don't understand UNIX are condemned to reinvent it, poorly. > --- Henry Spencer To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk <mailto:hobbit-unsubscribe at hswn.dk>-- Tel: 0400 466 952 Fax: 0433 123 226 email: philwild at gmail.com <mailto:philwild at gmail.com>