restricting access to hobbit
Hello,
I am looking at setting up hobbit to manage two groups of hosts. I would prefer to just deploy one hobbit installation for both groups. For most of the hobbit web pages, Apache security solves a lot of the browsing issues but the cgi-bin executables and menus are the problem.
I want to make sure one group doesn't have access to see or make changes to the other group's hosts.
The areas I see a problem with are:
hobbit-enadis.sh
bb-findhost.sh
hobbit-confreport.sh
I would like to restrict the above to only work with a subset of hosts (perhaps a tag in the bbhosts file)
The reports generate web pages on the fly and drop the user at the top level page which is not what I would prefer (each group have their own top level page etc.)
All nongreen view is also an issue
and lastly, manually modifying the URL based on bb-hostsvc.sh to get to a web page for a host in the other group's list is also a problem.
Any ideas how I can address this?
Thanks
Phil
The default Apache configuration that Hobbit makes for you will specify requiring HTTP logins for the cgisec directory. Is this what you're looking for?
-- Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373
Those who don't understand UNIX are condemned to reinvent it, poorly. --- Henry Spencer
No, not quite, I want to make a single hobbit install work for two groups of users, and I don't want group A to have any access to see or do anything to Group B hosts and vice versa.
I am trying to find out if there is a way of restricting the reports/tools/executables to only run against a subset of the hosts defined in bbhosts, say like using bbgrep to filter on a tag or something for all functions.
Any ideas?
Phil
-- Tel: 0400 466 952 Fax: 0433 123 226 email: philwild at gmail.com
With two groups of hosts you still only have one directory accessible by web. This means Apache HTTP authentication is out of the question.
That's about all I can tell you =/
Josh Luthman wrote:
> With two groups of hosts you still only have one directory accessible by web. This means Apache HTTP authentication is out of the question.
> That's about all I can tell you =/
Not necessarily!
You can use the PAGE statement in bb-hosts and then you have a new directory for each page and sub-page underneath. You can then use apache auth for that.
Then for the top level you can also use apache auth for admins
Cheers
Iain
This is correct and I expect this part to work. But all the tools bypass this security. For example, if you run an SLA report, it builds a new directory structure and hence the user that ran the report can see everything from the top level down. Also, the enable/disable menu option lets you see all hosts, same with findhost or even if you muck around with the hostsvc URL.
I was wondering if there was some way of either wrapping this functionality with something that restricts the hosts (like as if bbhostgrep is used as the input to all these functions or something).
Has anyone achieved this or is it not possible without changing the source?
Phil
To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk
Phil Wild wrote:
> This is correct and I expect this part to work. But all the tools bypass this security. For example, If you run an sla report, it builds a new directory structure and hence the user that ran the report can see everything from the top level down. Also, the enable/disable menu option lets you see all hosts, same with findhost or even if you muck around with the hostsvc URL.
Ah ha. I see your issue.
I guess you could run multiple instances of hobbit on the same machine, one for each customer, and have virtual hosts in Apache. Very ugly solution though :(
What is the hobbit server currently running on? If you are using Solaris you could use containers to separate the hobbit processes. And I believe that the Linux kernel will soon have container support too.
I think Henrik posted a workaround to this on the 7th Nov.
Cheers
Iain
I've never used the PAGE statement, but I was under the impression it was just going to put the following hosts in www/newpage.html instead of www/bb.html - same directory. Is this not so?
Josh Luthman wrote:
> I've never used the PAGE statement, but I was under the impression it was just going to put the following hosts in www/newpage.html instead of www/bb.html - same directory. Is this not so?
Nope. Using "PAGE NewPage This is a new page!" statement creates a directory NewPage and there is an index.html file under that
Iain
So what you are asking is to have one hobbit installation function in a manner equivalent to two hobbit installations. The only reason the Apache authentication stuff won't work is because the CGI-BIN stuff works on the raw data and/or memory state of hobbit's main functionality. Thus, you would need to hack the code to do two things that it doesn't do currently:
- You would need to get permissions built in to bb-hosts interpretations, which would be trivial to have understood, but a lot of changes to do anything with that. (Knowing there's a group A and B is one thing. Knowing what to do with that knowledge is the harder part).
- You would need to modify all the CGI programs to work on the separate data.
This, in my estimation, is not at all what hobbit was designed for, and you'd be much better off just running two separate instances of hobbit. You can even run a third to combine the two sets of data into one (like we do) and only allow yourself to see that one.
Am I missing something in my estimations here?
Tod Hansmann Network Engineer
Getting 2 separate instances can be done by using Alternate Pagesets. See the Alternate Pagesets section under the bbgen man. That will not solve your issue with stopping a user group from maint'ing another group's devices, since the cgi dir isn't separate.
As to limiting users from ack'ing/maint'ing the other group's servers, you can look at a post I outlined long ago. The post is at: http://www.hswn.dk/hobbiton/2007/07/msg00534.html
Not sure how this works with alternative page sets, but this should be enough for you to move forward and tweak accordingly.
~Steve
Thank you all,
This is what I was kind of expecting. The path we are currently going to take is to use Xen to run two versions on the one box. The virtual host idea is interesting but I expect we would have problems with all the daemons.
I was kind of hoping that all these functions used a common utility like bbhostgrep or something to get the list of hosts from the bb-hosts tree and if so, it may have been simple to modify along the lines of putting a commented tag against hosts listed in bb-hosts.
For the functions/reports that built directory structures I was thinking that a wrapper could be used to put the authentication directives in the right places.
Cheers
Phil
-- Tel: 0400 466 952 Fax: 0433 123 226 email: philwild at gmail.com
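Added example, not part of the original thread or of Hobbit's own code: a sketch of the tag-based check discussed above, in which a CGI wrapper compares the group of the Apache-authenticated user with a group tag on the requested host's bb-hosts line and denies by default. The `GROUP:` tag, the user-to-group map, the sample hosts and the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed sample data. "GROUP:<name>" is a hypothetical tag for this
# sketch, not a tag Hobbit defines.
BBHOSTS='10.0.0.1 web01.example.com # http://web01.example.com/ GROUP:teama
10.0.0.2 db01.example.com # ssh GROUP:teamb
10.0.0.3 web01 # ssh GROUP:teamb
10.0.0.4 legacy.example.com # ssh'
# Constructed map of HTTP login name to group.
USERGROUPS='alice teama
bob teamb'

# Print the group of the entry whose hostname (field 2) is exactly $1.
# ENVIRON avoids awk -v escape processing; the "" forces a string compare.
host_group() {
    printf '%s\n' "$BBHOSTS" | H="$1" awk '
        ($2 "") == (ENVIRON["H"] "") {
            for (i = 3; i <= NF; i++)
                if (index($i, "GROUP:") == 1) { print substr($i, 7); exit }
        }'
}

# Print the group assigned to login name $1.
user_group() {
    printf '%s\n' "$USERGROUPS" | U="$1" awk '
        ($1 "") == (ENVIRON["U"] "") { print $2; exit }'
}

# Return 0 only if user $1 and host $2 carry the same, non-empty group.
# Unknown users, untagged hosts and malformed host names are all denied.
user_may_access() {
    case "$2" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    ug=$(user_group "$1")
    hg=$(host_group "$2")
    [ -n "$ug" ] && [ -n "$hg" ] && [ "$ug" = "$hg" ]
}

# A wrapper would run this with the Apache-set REMOTE_USER and the requested
# host before handing off to the real CGI program.
if user_may_access "${REMOTE_USER:-}" "${1:-}"; then
    echo "allow"
else
    echo "deny"
fi
```

A check like this only gates requests that name a single host; views that aggregate across all hosts, such as the all non-green page, would still need their data filtered, which is the harder part raised earlier in the thread.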
What Phil requested may be worthy of the status of a new feature: capability to segment hosts into groups, which in turn can be accessed and/or managed only by designated users/group. For some large installations with thousands of hosts, it seems to be a must-have instead of a nice-to-have.
Jerry, get coding! =)
As that isn't a possibility right now, I guess the only solution is a whole new Hobbit install - correct?
-- Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373
Those who don't understand UNIX are condemned to reinvent it, poorly. --- Henry Spencer
participants (6)
- iain@shihad.org
- jjj863@gmail.com
- josh@imaginenetworksllc.com
- philwild@gmail.com
- s_aiello@comcast.net
- thansmann@directpointe.com