Archived community.zenoss.org | full text search
Skip navigation
Up to Discussions in ZCA
1 2 3 Previous Next 20096 Views 41 Replies Latest reply: Jan 13, 2014 7:42 AM by marcelpeter RSS
jcurry ZenossMaster
jcurry
1,021 posts since
Apr 15, 2008
Currently Being Moderated

Aug 8, 2011 2:21 PM

Enhancing users and roles in Zenoss Core

Zenoss Core doesn't provide any easy way to create new roles and permissions.  Zenoss Enterprise has the Device Access Control Lists ZenPack (documented in the Extended Monitoring Guide) but I don't believe this delivers anything very sophisticated.

 

I have created a ZenPack that works with the concept of Administered Objects to:

  • Create a new role, ZenOperator, that has the normal ZenUser permissions plus "Manage Events" which lets a user Ack / Close events
  • Create a new role, ZenCommon, with very minimal permissions
  • For those devices / device organizers that are allocated as Administered Objects to a user,  devices can be viewed, their events can be Ack'ed / Closed, performance graphs are available and Locations will appear on the Dashboard GoogleMaps portlet.
  • Conversely, users ONLY see what are allocated to them as Administerd Objects
  • I have included a utility I found on the wiki (I think from cluther???) - copyDashboardState.py - that copies a model dashboard to other users - it's in the lib directory.
  • Fixes various bugs to do with Administered Objects so that Locations, Groups Systems and Device Classes can be allocated / removed successfully as Administered Objects

 

This is currently development code and would much appreciate other testers.  The code is attached here and should be installed in a backed-up, test environment.  The ZenPack was developed in a 3.1 environment and has at least been installed on a 2.5.2 system.

  • Download the tarball
  • Untar it - I put such things into $ZENHOME/local.  Change to this directory.
  • Install in development mode, as the zenoss user, with:
    • zenpack --link --install ZenPacks.skills1st.UserRoles
    • zenhub restart
    • zopectl restart
    • Point your browser at <your zenoss>:8080/zport/manage_access and check that ZenOperator and ZenCommon roles exist
  • Read the README and the comments at the start of __init__.py
  • To test the ZenPack:
    • Create a test group
    • Allocate an Administered Object to this group - ideally a smallish Location, Group or System
    • Change the role for this Group's Administered Objects to be ZenOperator (do this starting from the Location / Group / System -> DETAILS -> Administration menu, not from ADVANCED -> Settings -> Users)
    • Create a user and give it the ZenCommon basic role.  Assign it to the test user group.
    • Logoff and log on as the new user.  Check that you see only the devices and organizers allocated as Administered Objects
    • Take care with testing - web browsers are likely to cache who you are logged on as, even if you logoff one tab

 

For more discussions around the development process have a look at message/59387#59387 .

 

This is just a starting point.  Users authorised to see various Administered Objects don't see any reports (but they do get a blank REPORTS top-level menu).

 

This ZenPack creates 2 new roles; it does not look at creating any new permissions; nor does it address how to apply new roles and permissions to existing Zenoss Core code.

 

Organisation will want a more generic way of specifying roles and permissions.

 

I am actively looking for other sponsors of this work.  I am hoping that it is of interest to several organisations who would be prepared to contribute development funds and/or coding efforts - obviously they also get to help specify the requirements.

 

The Zenoss Community Alliance hopes that this will be the first example of a joint community development.

 

Please append to this discussion with feedback / ideas / offers of help.

 

We hope to have a more formal method of offering financial help in the next week or two.

 

Cheers,

Jane

Attachments:
Tags: zenpack, users, roles, permissions, zca, userroles
  • dragonf Rank: White Belt
    dragonf
    13 posts since
    May 6, 2009
    Currently Being Moderated
    1. Aug 9, 2011 1:30 PM (in response to jcurry)
    Re: Enhancing users and roles in Zenoss Core

    Hello Jane,

     

    I've tried on 2.5.2 without success (I cannot migrate to 3x now).

     

    The zenpack loads correctly, but the ZenCommon role doesn't appear in manage_access.

     

    Also, in 2.5.2 there is no option to change the role for a Group's Administered Objects through Group -> DETAILS -> Administration menu.

     

    In 2.5.2, the only option is from from Settings -> Users -> Administered Objects

     

    Thank you!

  • guyhlupi Rank: White Belt
    guyhlupi
    10 posts since
    Apr 20, 2011
    Currently Being Moderated
    2. Aug 9, 2011 1:38 PM (in response to jcurry)
    Re: Enhancing users and roles in Zenoss Core

    We can't offer any development assistance but we would be happy to contribute financially to this effort. Please let us know once that process has been formalized.

  • jcurry ZenossMaster
    jcurry
    1,021 posts since
    Apr 15, 2008
    Currently Being Moderated
    3. Aug 9, 2011 2:50 PM (in response to dragonf)
    Re: Enhancing users and roles in Zenoss Core

    You are correct that in 2.5.2 there isn't a DETAILS link for Locations / Groups / Systems but if you navigate to the relevant organizer there is an Administration tab - that's what you should use.  The reason for doing it from here is that, if you do it from the Groups panel -> Administered Objects tab, you need to change all the included devices.  That panel saves exactly what you see - if you only change your Location (if that's what you have chosen) and you don't change all the individual devices, then the change works for the Location and then promptly changes backk all the individual devices.  Daft - but that's how the Core code works.

     

    Not seeing ZenCommio is very strange - I certainly see that.  Were there any error messages when you installed the ZenPack??   Do you see the ZenOperator role?

     

    Could you navigate to <your zenoss>:8080/zport/manage  (no dmd in this path!!), click on the acl_users directly under the dmd and select roleManager - do you see ZenCommon and/or ZenOperator there??

     

    I have done a little more testing on 2.5.2 and it looks the permissions on all the left-hand menus (like device list, devices, locations, ...) result in a logon prompt but if you configure your dashboard for the GoogleMaps portlet and the Device Issues portlet then you do see the correct, filtered devices / locations and you can Ack / Close events for those devices so I seem to be part way there.  I also see data in performance graphs - both device-level graphs and component graphs.

     

    Cheers,

    Jane

  • Mage Mojo Rank: White Belt
    Mage Mojo
    6 posts since
    Aug 10, 2011
    Currently Being Moderated
    4. Aug 21, 2011 1:18 AM (in response to jcurry)
    Re: Enhancing users and roles in Zenoss Core

    Hi Jane,

     

    Our organization is willing to contribute development funds.  Please let me know what the process you come up with is and we can go from there.

     

    - Eric

  • kittytowerz Rank: White Belt
    kittytowerz
    13 posts since
    Aug 10, 2010
    Currently Being Moderated
    5. Aug 21, 2011 12:06 PM (in response to jcurry)
    Re: Enhancing users and roles in Zenoss Core

    Hello Jane,

     

    First I would like to applaud your efforts. This is quite handy.

     

    During testing, I noticed that legacy devices (prior to install of the ZenPack) do not appear for the user, even if the location has been set as per your instructions.

     

    I found that any newly created locations/groups/systems and any newly discovered devices display as expected.

     

    I am experimenting now with deletion/recreation of legacy devices to see if they will then display properly.

     

    My system was built from zenoss 3.1 .rpm (/opt/zenoss dir, but symlinked to /usr/local/zenoss/zenoss as well) on CentOS 5.6.

     

    I am more then happy to assist with further trouble-shooting ...

     

    Matt

  • Mage Mojo Rank: White Belt
    Mage Mojo
    6 posts since
    Aug 10, 2011
    Currently Being Moderated
    6. Aug 21, 2011 2:34 PM (in response to jcurry)
    Re: Enhancing users and roles in Zenoss Core

    We followed your installation and other intstructions above and for the most part this works pretty good.  We have a system group and went that route to assign the perms to the user/group.

     

    Here's some things we found that don't seem right:

     

    • In infrastructure -> systems -> [group name] it shows (0) for systems and the group name but when you click on the group name the system(s) appear on the right side.

    • In infrastructure under (nothing selected) the red/orange/yellow boxes show all events and not just events for the adminstered objects.  Clicking on any of them displays the error screen.  Clicking on system or the system group shows no alerts even if there is a system with an alert.

    • If you add a device to the system group later it will not be displayed under systems -> [group name] but if it has an issue it will appear on the dashboard device issue portlet.

    • If under the users -> group -> administered objects you add a system group that has systems in it then you will see the system group and systems.  However if you a system group to administered objects with no systems but add a system later that system will not appear in administered objects but will be administerable when logged in as the user.  If you remove the adminstered object and readd the system group all the systems appear.  I believe this fixes the issue above.

    • In the device -> events if you click the even console button the error screen appears.
  • kittytowerz Rank: White Belt
    kittytowerz
    13 posts since
    Aug 10, 2010
    Currently Being Moderated
    7. Aug 21, 2011 5:07 PM (in response to jcurry)
    Re: Enhancing users and roles in Zenoss Core

    Hi Jane,

     

    Update on what I have discovered.

     

    #1) if your zenpack is installed onto a brand new deployment of 3.1 before any devices are added, I don't think any of this will matter. Seems to work fine for all new devices created 'after' the install of the zenpack.

     

    I did find a resolution that worked for me, albiet there may be a better way to address this.

     

    I have about 45 devices that I monitor. Half of that is my personal network, others are individual clients that I would like to have limited and selective access to the GUI.

     

    What I found is that any new device added after the zenpack install fell subject to your zenpack and worked. Any devices on my system added prior to the install did not. You could see the organizer, but nothing in it.

     

    I only had a few items that mattered, so I ended up copying the performance files from /opt/zenoss/perf/DEVICE and deleting the original device completely from the gui. Added the IP back and cleared the existing ../perf/DEVICE directory. After new IP re-discovered, I copied the original files back to that directory.

     

    This allows for your zenpack to display these devices, and preserved the graphing history.

     

    Again, I did find that this worked for me.

     

    Matt

  • Mage Mojo Rank: White Belt
    Mage Mojo
    6 posts since
    Aug 10, 2011
    Currently Being Moderated
    8. Aug 21, 2011 11:47 PM (in response to jcurry)
    Re: Enhancing users and roles in Zenoss Core
    • When logged in as user, clicking username in top right, and going to Alerting Rules.  The current alerting rules are not shown.  A new alerting rule can be added but when clicked on the error screen comes up.
      CORRECTION: Alerting rules do appear when logged in a the user.  But clicking them loads the error screen.  This feature is very important to us

    • Same path but this time Event Views.  No event views are shown, no options to add.
  • Magnum Rank: White Belt
    Magnum
    23 posts since
    Dec 1, 2010
    Currently Being Moderated
    9. Aug 22, 2011 9:53 AM (in response to jcurry)
    Re: Enhancing users and roles in Zenoss Core

    Hi Jane,

    we are looking for this kind of feature and would consider contributing development funds.

    How do you envisage the structure of this project in regards to requirments and funding?

     

     

    Marcus

  • Mage Mojo Rank: White Belt
    Mage Mojo
    6 posts since
    Aug 10, 2011
    Currently Being Moderated
    10. Aug 28, 2011 3:54 PM (in response to jcurry)
    Re: Enhancing users and roles in Zenoss Core

    We're all ready to provide dev funds and are waiting on your response Jane.  Could you please give an update?

  • jcurry ZenossMaster
    jcurry
    1,021 posts since
    Apr 15, 2008
    Currently Being Moderated
    11. Aug 29, 2011 2:25 PM (in response to Mage Mojo)
    Re: Enhancing users and roles in Zenoss Core

    Thanks for the prod, Mage Mojo, and sorry to have been so quiet.  I am trying to pull together technical threads and the Zenoss Community Alliance (ZCA) is working to setup a Non Profit Organization to provide a joint funding mechanism - the latter is taking some time as it needs to jump through some governmental political hoops before we can get what we want - but we are getting there!  The guesstimate on the NPO is in the next 3 weeks.

     

    On the technical front, I am struggling to find a way to generate general  reports where the data is filtered by the Administrative Objects that a user has access to - ie you see data in reports just for the devices you manage.  I know some folk defintely want this.  At present, I can do all reports with all data or I can do no reports (and I can now remove REPORTS off the main top menu), but partial reports I still haven't got an answer to.  Does anyone else have any good ideas on this one?? 

     

    Not sure whether Zenoss Enterprise delivers this functionality?? I'm not talking about the Zenoss Insight add-on here - I know that is a completely separate subsystem.  At this stage, I don't want to get into re-writing the whole reports subsystem - though I know that is a high priority for the ZCA to work on and, ultimately, if the ZCA does generate a new reports subsystem then it should work in (even be designed with!!) the concept of user Roles.

     

    This week I am hoping to test out and update the comments that some of you have provided here.

     

    On the point that you often see the wrong numbers of devices in organizers and sometmes the number of events are wrong - this is a couple of known bugs that I reported several months back.  I don't think they are always associated with the userRole work.  Hopefully we will see Zenoss Core 3.2 "real soon now" and they will have fixed these.

     

    I certainly need to checkout your comments about alerting rules - hopefully that will happen this week.  I believe that Event Views are disappearing with Zenoss 3.2.  Do you use this feature lots????

     

    If people would like to contribute requirements here, I am very happy to start the debate about what else we should try to deliver and a debate would help us prioritise ideas.

     

    Cheers,

    Jane

  • Mage Mojo Rank: White Belt
    Mage Mojo
    6 posts since
    Aug 10, 2011
    Currently Being Moderated
    12. Sep 4, 2011 6:28 PM (in response to jcurry)
    Re: Enhancing users and roles in Zenoss Core

    Looking forward to it Jane.  The only feature missing for us (not previously noted above) would be the ability to create a local copy of a monitoring template and allow the logged in user to modify it for their device.  Specifically we'd like to extend zenoss to our customers and allow them to monitor their own devices and also monitor the time it takes for a page on their website to load.  They'd need local copies of the httpmonitor and be able to set their own urls and times.

     

    But if the issues noted above were resolved this would be very usable as is for us.

  • jcurry ZenossMaster
    jcurry
    1,021 posts since
    Apr 15, 2008
    Currently Being Moderated
    13. Sep 19, 2011 11:04 AM (in response to kittytowerz)
    Re: Enhancing users and roles in Zenoss Core

    Hi Matt,

    Thanks for your tests on this and sorry for the long delay in reply!

     

    The mods I have made to the standard code mean that when you add a group/location/system/deviceClass to the Administerd Objects for a user/group, then all contained devices AT THAT TIME also get added. 

     

    I have found the best way to keep containers consistent when devices have been added / deleted from them, is to navigate to the container (say the Location) and use the DETAILS -> Administration link to remove the container from your users/ groups.  Then re-add it back and it will add all the devices that are CURRENTLY contained in that container.

     

    I know this is not ideal, but I think we could add a background script that would do this automatically periodically.  At least it's better than deleting and recreating devices and certainly doesn't compromise your performance data.

     

    When you have time, perhaps you could check that this does actually work for you.

     

    Cheers,

    Jane

  • jcurry ZenossMaster
    jcurry
    1,021 posts since
    Apr 15, 2008
    Currently Being Moderated
    14. Sep 22, 2011 6:03 AM (in response to Mage Mojo)
    Re: Enhancing users and roles in Zenoss Core

    Hi!  Very sorry for such a long delay in reply - I haven't forgotten this - honest!  I finally have some time to get back to this project and the ZCA is grinding through try to establish a mechanism for funding joint projects.

     

    To comment on your specific comments:

     

    The number of devices in an organizer not matching with the (real) number of devices you see, is not just particular to this ZenPack and is still open tickets 7838 and 7849 with Zenoss http://dev.zenoss.com/trac/ticket/7849 .  The comment added by Mike Lunt is "A future re-architecture of the event system is required to fix this.".

     

    Re the event boxes at the top of the screen, I agree that without anything selected in the left-hand menu then you see event counts for all events and clicking on any of them gets an error message - not nice.  However, I find that if you select an organiser in the left-hand menu and refresh the screen, then all the coloured boxes are greyed-out and have zero counts - one step better methinks.  However, you can still click the greyed out boxes and get theusual error.  This is also part of the tickets referenced above.

     

    Adding devices to organizers, subsequent to setting up Administered Objects, is something I know about and I think is covered in my response to kittytowerz.  Would a periodic script, perhaps run at zenmodeler intervals??, to add in any devices that have been added to an organizer, into the Administerd Objects for that Organizer, work for you?

     

    I have been doing some testing with Zenoss 3.2 and this brings us some good news.  The big difference is that event consoles now behave the same way in pre-filtered event consoles, as in the main one, ie. device consoles, group event consoles, event class consoles.....

     

    Re your later comments on problems with alerting rules and event views, I don't see an issue with event views??  Could you just confirm that one?  The alereting rules is an issue and I have finally tracked down the cause.  I have a very quick fix by hacking the Core code and I am looking for a good way to do this as part of a ZenPack.  If you want the quick-and-dirty fix, please let me know.

     

    Hopefully more to report in a day or two.

     

    Cheers,

    Jane

1 2 3 Previous Next

More Like This

  • Retrieving data ...

Incoming Links

Legend

  • Correct Answers - 4 points
  • Helpful Answers - 2 points