Jun 20, 2011 9:21 AM
Permissions to view graphs for a device
-
Like (0)
I am trying to adjust permissions so that a Zenoss user ONLY sees devices he is authorised to see (based on Locations, Groups and Systems). I have things working so that he only sees events for the correct devices (and if authorised, he can Ack and Close events) but the problem is that the Graphs menu - both the main left-hand Graphs and the Graphs dropdown menu from a component Display - only show the header information for the graphs - there's no data.
I have customised this by removing ALL roles from a user's configuration and then applied access to categories of devices using the Administerd Objects technique - my test user has all the ZenUser roles plus Manage Events..
There is more related info at message/59100 .
If I give a user a role that ONLY has a global View permission then the graphs show OK.
I have dug through all sorts of files and code looking for permission settings that control the graphs. Basically, it is $ZENHOME/Products/ZenModel/skins/zenmodel/viewPerformanceDetail.pt that drives graphs and it seems to have a mysterious (to me) javascript var ZenGraphs that seems to be responsible for actually displaying the graphs, but I don't see anything controlling permissions.
The target is to have a ZenPack that can offer more by way of role control for Zenoss Core.
Is there anyone can offer help???
Cheers,
Jane
Success!!
Access to graphs is controlled by
$ZENHOME/Products/ZenRRD/RenderServer.py where the class
RenderServer(RRDToolItem) has various security.declareProtected
statements. Each of these statements specifies the View permission but
this is a permission on an RRDToolItem object - not on a device object.
Administered Objects only confers extra roles on devices and device
organizers. If you start with a user with NO role, they don't have View
permission on an RRDToolItem - hence the barf.
If you comment out all the security.declareProtected lines in
RenderServer.py and recycle zenhub and zopectl, your user sees graphs.
I don't see that this is a huge relaxation of security - does anyone else??
Cheers,
Jane
I now have a test ZenPack that lets a user ONLY see Administered Objects he is authorised for. He can Ack / Close events. With a quick kludge, he can even see graphs. Get details from here - message/59387 .
Cheers,
Jane
Follow Us On Twitter »
|
Latest from the Zenoss Blog » | Community | Products | Services Resources | Customers Partners | About Us | ||
Copyright © 2005-2011 Zenoss, Inc.
|
||||||||