Apr 25, 2011 8:29 PM
How to create custom view in Zope
Hi everyone,
I would like to create a custom role/group where the users that belong to this role/group are only able to view a certain device or reports. Is this even possible?
Thanks
I expect it could be done with enough programming. This is a main Zenoss Enterprise feature that distinguishes it from Core. Search the forums and FAQ, this is discussed a lot, but the general feeling is it would take too much work.
--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cornell University
Thanks, James.
My main objective is to allow certain logged-in users to only be able to view the report on devices that they own. Would it make sense to try and create the viewGraphReportClean of the report on demand and feed it to another html page? Even if this makes sense, I still don't know how to do that.
You are supposed to be able to do a bit of this with "Administered Objects" with Zenoss Core - see chapter 11 of the Zenoss 3 Admin Guide. However.......
I have just tried removing ALL roles from a Zenoss user and then giving ZenUser access to the device class of /Server/Windows. Imagine my surprise when I log off and log on as this user and, under Infrastructure, the only device class I see is.....
/Device/Network and its subclasses ?????????????????????????????????
This is Zenoss 3.1.
Anyone know what is going on??
OK - update to this. On checking more closely, I had put my user into a group and assigned the /Device/Network administrative object to that group - that explains why I was seeing the /Device/Network. Updated the individual user to have the Administrative Object /Device/Server (and removed /Device/Server/Windows). Logged out and logged in as op1. Now have a very weird INFRASTRUCTURE display as shown. /Network expands fine and shows all the correct subclasses and devices; /Server has a count of 1, no subclasses, but the main panel shows all 9 devices!
Anyone know what is going on??
A further update...
Adding Administrative Objects to a user doesn't work properly. You see the relevant devices in the right-hand part of the INFRASTRUCTURE window and a Device Issues portlet on a Dashboard filters correctly; however the left-hand part of the INFRASTRUCTURE doesn't show objects assigned to this user at all - whatever I do.
Adding Administrative Objects to a group has the same effect on the main window (i.e. correct). After logoff / logon then you see the correct elements in the left-hand window but the counts are awry. If you recatalog with:
zencatalog run --createcatalog --forceindex
zenoss stop
zenoss start
then everything looks OK. I don't need to use zendmd to run reindex() and commit()
Still don't know what is going on with users though....
Cheers,
Jane
That's great. Thanks, Jane
More updates on this subject and I have opened another 3 tickets. I think we have several interacting issues here.
One issue, as stated above, is that sometimes the device counts against the left-hand menu items are incorrect. A side effect of this seems to be that the Event Console for an organizer (like a Location, for example) is sometimes empty. This is the Event Console that you reach by using the left-hand menu to select, say, a specific Location, use the DETAILS link at the top of the LH menu and select Events. I have opened ticket http://dev.zenoss.com/trac/ticket/7849 for this. This is independent of anything to do with Administered Objects.
In the earlier append, I hadn't tested whether events could be Acknowledged or Closed. I want to ensure this is possible for devices that are specified for a user (or the group of that user) in Administered Objects.
After further experimentation, I have abandoned the strategy of giving a user NO global role. It does hide from the user anything that is not explicitly included in an Administered Object (AO) BUT:
1) You can't see a detailed event view for any events. If you go to the event console for a device that is specified in an AO and the AO has the Manager role (and it MUST be the Device Event Console - not a group / system / location / global event console) - then you can see the line-by-line events for that device but double-clicking on an event to get to the detail, results in a Zenoss login screen - not sufficient permission. You don't seem to inherit this permission from the Administered Object configuration - you have to have at least the View permission globally to see event details.
2) Similarly, without a global View permission, you don't see anything useful in the left-hand graphs menu for a device - you see the graph headers but no data
3) Similarly, without a global View permission, you don't see any Reports at all
4) There doesn't appear to be enough granularity in the Zenoss permissions to separate different "View"s. If there was a View Events, View Graphs, View Reports, then that would be easy. Look at the permissions from http://<your zenoss>:8080/zport/manage_access .
So, abandon no global role. You can use the global role of ZenUser or create your own.
So assume you have a user, c1, in a group c1Group with ZenUser global role. Create an Administered Object for the c1Group based on an existing Location - /Locations/VM-land is my example - which contains some real Linux systems and some emulated Network devices, some of which have outstanding events. Give the AO the Manager role. Logoff c1 and log back on. Navigate to the main page for a device in your Location and go to the Events page. Try to Ack or Close an event - you can't do it.
Create another AO, this time based either on a specific device or device class, and give it Manager role. Logoff / logon. Navigate to the main page for a device in this AO - Ack and Close works. Note that it MUST be the Device Event Console - not a group / system / location / global event console - you won't be able to Ack or Close anywhere other than the Event LH menu for a device. So we have a bug where Event access based on Locations (and it's also true for Groups and Systems) doesn't work. I have raised ticket http://dev.zenoss.com/trac/ticket/7848 for this.
Another thing I want to do is add to the Log of an event. This used to be possible with Zenoss 2.5 if you had the "Manage Events" permission (which the Manager role has by default). You can see the Log of any event that you are allowed to see by double-clicking the event, but even if you have an AO that allows you to Ack / Close an event, it still won't let you add to the Log. You need a global Manage Events permission - again the permission from the Administered Object is not being applied to the action of adding to the Log of an event (there is a separate permission "Log to the Event Log" but this doesn't seem to help. It's not allocated by default to any role and allocating it doesn't help). I have raised this as http://dev.zenoss.com/trac/ticket/7850 .
Other glitches that I haven't yet raised as bugs - they are more "essential enhancement requests" - are associated with the Event Console reached from the Events menu of a device's details page:
1) There is no UnAcknowledge icon on a device's event console - only on a global event console
2) There is no ReOpen icon on a device's history event console - only on a global history event console
3) There are no filters available when viewing a device's Event Console or History Event Console, as there are with the global consoles
If we can get the above bugs fixed, then a user will probably end up working with a device Event Console so these user limitations will become significant.
I would REALLY appreciate someone else verifying these bugs, especially 7848 about Administered Object permissions not applying if based on Locations / Groups / Systems. If this doesn't work then it makes a nonsense of the whole concept. There are "Steps to reproduce" in the ticket but please ask if you want more detail. I am working with a Zenoss 3.1 32-bit SuSe stack build on Open SuSE 11.4 so anyone with a different platform would be really good.
I really don't see why we should buy Zenoss Enterprise to get the ACL ZenPack (which I believe achieves this granular user role stuff), when the functionality in Core is so broken!
Cheers,
Jane
Thanks for your work and research on this subject, Jane.
I have successfully reproduced tickets #7848 and #7850 that you opened. It would be great if they can be fixed.
As we discussed here, what we are trying to achieve is to see if we are able to give our customers read-only access to their specific hardware but the Administered Objects feature just doesn't work.
OK. I now have a test ZenPack that works around most of the bugs documented in this thread.
It creates a new role, ZenOperator, that has the normal ZenUser permissions plus "Manage Events" which lets a user Ack / Close events.
If you create an Administered Object that is an Organizer (device class, location, system or group) then the role of that Administered Object is propagated to all devices in the Organizer.
If you combine this ZenPack with a user that has No role, you can achieve a user that ONLY sees Organizers and devices configured for them through Administered Objects. They can Ack / Close events. They can see the usual stuff for devices. By default, they CANNOT see any graphs. This needs an extra hack of $ZENHOME/ZenRRD/RenderServer.py to comment out all 5 security.declareProtected statements and recycle zenhub and zopectl. I don't think this is a huge security relaxation for most folk as a completely unauthenticated user would get this level of access.
I have included a utility I found on the wiki (I think from cluther???) - copyDashboardState.py - that copies a model dashboard to other users - it's in the lib directory.
I have fixed the bug (ticket 7837) whereby if you delete a user Group that has Administered Objects configured, it didn't clean up the relationship to those Administered Objects and left your database in a corrupted state.
I have done some testing but I would appreciate other testers - development environments please!
Read the various READMEs in the pack and the comments in __init__.py.
Please provide feedback!
Cheers,
Jane
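Added example, not part of the original post or of the ZenPack: a check that reports which security.declareProtected statements in a copy of RenderServer.py have been commented out, as the post above describes, so the relaxation can be tracked across upgrades and reinstalls. The sample source, the 'View' permission and the method names in it are constructed for illustration; only the statement name and the file name come from the post.

```python
import re

# Matches an active or commented-out declaration, for example
#   security.declareProtected('View', 'render')
#   # security.declareProtected('View', 'render')
# Line-based on purpose: the audited file may be Python 2 source,
# which Python 3's ast module cannot always parse.
DECL = re.compile(
    r"^\s*(?P<hash>#+)?\s*security\.declareProtected\(\s*"
    r"(?P<perm>[^,]+?)\s*,\s*(?P<methods>[^)]+?)\s*\)"
)

def audit_declarations(source):
    """Return (active, disabled) lists of (line_no, permission, method)."""
    active, disabled = [], []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = DECL.match(line)
        if not m:
            continue
        perm = m.group("perm").strip("'\" ")
        bucket = disabled if m.group("hash") else active
        # declareProtected accepts one permission followed by one or more names
        for name in m.group("methods").split(","):
            bucket.append((line_no, perm, name.strip("'\" ")))
    return active, disabled

def unprotected_methods(source):
    """Methods whose declaration is commented out and not declared elsewhere."""
    active, disabled = audit_declarations(source)
    still_protected = {method for _, _, method in active}
    return sorted({method for _, _, method in disabled} - still_protected)

# Constructed sample, NOT the real RenderServer.py.
SAMPLE = """\
class RenderServer(object):
    security = ClassSecurityInfo()

    #security.declareProtected('View', 'render')
    def render(self, gopts=None):
        pass

    security.declareProtected('View', 'summary')
    def summary(self, gopts=None):
        pass

    # security.declareProtected('View', 'plugin')
    def plugin(self, name):
        pass
"""

if __name__ == "__main__":
    for name in unprotected_methods(SAMPLE):
        print("declaration commented out for:", name)
```

To run it against an installation, read the RenderServer.py the post names and pass its text to unprotected_methods; a non-empty result lists the methods whose permission declaration has been disabled.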
I have started a thread in the ZCA community forum to discuss this and further development efforts. Please have a look at thread/16617 .
Cheers,
Jane
Copyright © 2005-2011 Zenoss, Inc.