jcurry ZenossMaster 1,021 posts since
Apr 15, 2008

Aug 8, 2011 2:21 PM

Enhancing users and roles in Zenoss Core

Zenoss Core doesn't provide any easy way to create new roles and permissions.  Zenoss Enterprise has the Device Access Control Lists ZenPack (documented in the Extended Monitoring Guide) but I don't believe this delivers anything very sophisticated.

 

I have created a ZenPack that works with the concept of Administered Objects to:

  • Create a new role, ZenOperator, that has the normal ZenUser permissions plus "Manage Events" which lets a user Ack / Close events
  • Create a new role, ZenCommon, with very minimal permissions
  • For those devices / device organizers that are allocated as Administered Objects to a user,  devices can be viewed, their events can be Ack'ed / Closed, performance graphs are available and Locations will appear on the Dashboard GoogleMaps portlet.
  • Conversely, users ONLY see what is allocated to them as Administered Objects
  • I have included a utility I found on the wiki (I think from cluther???) - copyDashboardState.py - that copies a model dashboard to other users - it's in the lib directory.
  • Fixes various bugs to do with Administered Objects so that Locations, Groups, Systems and Device Classes can be allocated / removed successfully as Administered Objects

 

This is currently development code and I would much appreciate other testers.  The code is attached here and should be installed in a backed-up, test environment.  The ZenPack was developed in a 3.1 environment and has at least been installed on a 2.5.2 system.

  • Download the tarball
  • Untar it - I put such things into $ZENHOME/local.  Change to this directory.
  • Install in development mode, as the zenoss user, with:
    • zenpack --link --install ZenPacks.skills1st.UserRoles
    • zenhub restart
    • zopectl restart
    • Point your browser at <your zenoss>:8080/zport/manage_access and check that ZenOperator and ZenCommon roles exist
  • Read the README and the comments at the start of __init__.py
  • To test the ZenPack:
    • Create a test group
    • Allocate an Administered Object to this group - ideally a smallish Location, Group or System
    • Change the role for this Group's Administered Objects to be ZenOperator (do this starting from the Location / Group / System -> DETAILS -> Administration menu, not from ADVANCED -> Settings -> Users)
    • Create a user and give it the ZenCommon basic role.  Assign it to the test user group.
    • Logoff and log on as the new user.  Check that you see only the devices and organizers allocated as Administered Objects
    • Take care with testing - web browsers are likely to cache who you are logged on as, even if you logoff one tab

 

For more discussions around the development process have a look at http://community.zenoss.org/message/59387#59387 .

 

This is just a starting point.  Users authorised to see various Administered Objects don't see any reports (but they do get a blank REPORTS top-level menu).

 

This ZenPack creates 2 new roles; it does not look at creating any new permissions; nor does it address how to apply new roles and permissions to existing Zenoss Core code.

 

Organisations will want a more generic way of specifying roles and permissions.

 

I am actively looking for other sponsors of this work.  I am hoping that it is of interest to several organisations who would be prepared to contribute development funds and/or coding efforts - obviously they also get to help specify the requirements.

 

The Zenoss Community Alliance hopes that this will be the first example of a joint community development.

 

Please append to this discussion with feedback / ideas / offers of help.

 

We hope to have a more formal method of offering financial help in the next week or two.

 

Cheers,

Jane
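
Added example, not part of the original post and not code from the ZenPack: a simplified Python model of the scoping that the test steps above check, where a user's global role is ZenCommon and ZenOperator is granted only on an Administered Object. The permission sets (apart from "Manage Events"), the tree walk that passes a role down to member devices, and all sample names are assumptions for illustration.

```python
# Simplified model (added example): global roles plus local roles granted on
# organizers. Permission sets are assumed, apart from "Manage Events".
ROLE_PERMS = {
    "ZenCommon": set(),                          # assumed: no device access by itself
    "ZenUser": {"View"},                         # assumed read-only set
    "ZenOperator": {"View", "Manage Events"},    # ZenUser plus Manage Events
}

class Node:
    """An organizer (Location / Group / System) or a device beneath one."""
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.local_roles = {}                    # principal id -> set of role names

def administer(node, principal, role):
    """Allocate node as an Administered Object of a user or group with a role."""
    node.local_roles.setdefault(principal, set()).add(role)

def effective_roles(user, node):
    """Global roles apply everywhere; local roles are inherited from ancestors."""
    roles = set(user["roles"])
    principals = {user["id"], *user["groups"]}
    while node is not None:
        for p in principals:
            roles |= node.local_roles.get(p, set())
        node = node.parent
    return roles

def allowed(user, node, permission):
    return any(permission in ROLE_PERMS[r] for r in effective_roles(user, node))

def visible(user, nodes):
    return sorted(n.name for n in nodes if allowed(user, n, "View"))

# Constructed sample data: two Locations with one device each.
london, paris = Node("London"), Node("Paris")
NODES = [london, Node("lon-sw1", london), paris, Node("par-sw1", paris)]
administer(london, "testgroup", "ZenOperator")

scoped = {"id": "alice", "roles": ["ZenCommon"], "groups": ["testgroup"]}
broad = {"id": "bob", "roles": ["ZenUser"], "groups": ["testgroup"]}

if __name__ == "__main__":
    print(visible(scoped, NODES))                        # only London and its device
    print(allowed(scoped, NODES[1], "Manage Events"))    # Ack / Close inside scope
    print(allowed(scoped, NODES[3], "Manage Events"))    # nothing outside scope
    print(visible(broad, NODES))                         # global ZenUser defeats scoping
```

In this model the second user shows why the basic role matters: a broader global role applies to every object, so the Administered Object allocation no longer limits what is visible.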

  • dragonf Rank: White Belt 13 posts since
    May 6, 2009
    1. Aug 9, 2011 1:30 PM (in response to jcurry)
    Re: Enhancing users and roles in Zenoss Core

    Hello Jane,

     

    I've tried on 2.5.2 without success (I cannot migrate to 3x now).

     

    The zenpack loads correctly, but the ZenCommon role doesn't appear in manage_access.

     

    Also, in 2.5.2 there is no option to change the role for a Group's Administered Objects through Group -> DETAILS -> Administration menu.

     

    In 2.5.2, the only option is from Settings -> Users -> Administered Objects

     

    Thank you!

  • guyhlupi Rank: White Belt 10 posts since
    Apr 20, 2011
    2. Aug 9, 2011 1:38 PM (in response to jcurry)
    Re: Enhancing users and roles in Zenoss Core

    We can't offer any development assistance but we would be happy to contribute financially to this effort. Please let us know once that process has been formalized.

  • Mage Mojo Rank: White Belt 6 posts since
    Aug 10, 2011
    4. Aug 21, 2011 1:18 AM (in response to jcurry)
    Re: Enhancing users and roles in Zenoss Core

    Hi Jane,

     

    Our organization is willing to contribute development funds.  Please let me know what the process you come up with is and we can go from there.

     

    - Eric

  • kittytowerz Rank: White Belt 13 posts since
    Aug 10, 2010
    5. Aug 21, 2011 12:06 PM (in response to jcurry)
    Re: Enhancing users and roles in Zenoss Core

    Hello Jane,

     

    First I would like to applaud your efforts. This is quite handy.

     

    During testing, I noticed that legacy devices (prior to install of the ZenPack) do not appear for the user, even if the location has been set as per your instructions.

     

    I found that any newly created locations/groups/systems and any newly discovered devices display as expected.

     

    I am experimenting now with deletion/recreation of legacy devices to see if they will then display properly.

     

    My system was built from zenoss 3.1 .rpm (/opt/zenoss dir, but symlinked to /usr/local/zenoss/zenoss as well) on CentOS 5.6.

     

    I am more than happy to assist with further trouble-shooting ...

     

    Matt

  • Mage Mojo Rank: White Belt 6 posts since
    Aug 10, 2011
    6. Aug 21, 2011 2:34 PM (in response to jcurry)
    Re: Enhancing users and roles in Zenoss Core

    We followed your installation and other instructions above and for the most part this works pretty well.  We have a system group and went that route to assign the perms to the user/group.

     

    Here's some things we found that don't seem right:

     

    • In infrastructure -> systems -> [group name] it shows (0) for systems and the group name but when you click on the group name the system(s) appear on the right side.

    • In infrastructure under (nothing selected) the red/orange/yellow boxes show all events and not just events for the administered objects.  Clicking on any of them displays the error screen.  Clicking on system or the system group shows no alerts even if there is a system with an alert.

    • If you add a device to the system group later it will not be displayed under systems -> [group name] but if it has an issue it will appear on the dashboard device issue portlet.

    • If under the users -> group -> administered objects you add a system group that has systems in it then you will see the system group and systems.  However if you add a system group to administered objects with no systems but add a system later that system will not appear in administered objects but will be administerable when logged in as the user.  If you remove the administered object and re-add the system group all the systems appear.  I believe this fixes the issue above.

    • In the device -> events if you click the event console button the error screen appears.
  • kittytowerz Rank: White Belt 13 posts since
    Aug 10, 2010
    7. Aug 21, 2011 5:07 PM (in response to jcurry)
    Re: Enhancing users and roles in Zenoss Core

    Hi Jane,

     

    Update on what I have discovered.

     

    #1) if your zenpack is installed onto a brand new deployment of 3.1 before any devices are added, I don't think any of this will matter. Seems to work fine for all new devices created 'after' the install of the zenpack.

     

    I did find a resolution that worked for me, albeit there may be a better way to address this.

     

    I have about 45 devices that I monitor. Half of that is my personal network, others are individual clients that I would like to have limited and selective access to the GUI.

     

    What I found is that any new device added after the zenpack install fell subject to your zenpack and worked. Any devices on my system added prior to the install did not. You could see the organizer, but nothing in it.

     

    I only had a few items that mattered, so I ended up copying the performance files from /opt/zenoss/perf/DEVICE and deleting the original device completely from the gui. Added the IP back and cleared the existing ../perf/DEVICE directory. After new IP re-discovered, I copied the original files back to that directory.

     

    This allows for your zenpack to display these devices, and preserved the graphing history.

     

    Again, I did find that this worked for me.

     

    Matt

  • Mage Mojo Rank: White Belt 6 posts since
    Aug 10, 2011
    8. Aug 21, 2011 11:47 PM (in response to jcurry)
    Re: Enhancing users and roles in Zenoss Core
    • When logged in as user, clicking username in top right, and going to Alerting Rules.  The current alerting rules are not shown.  A new alerting rule can be added but when clicked on the error screen comes up.
      CORRECTION: Alerting rules do appear when logged in as the user.  But clicking them loads the error screen.  This feature is very important to us.

    • Same path but this time Event Views.  No event views are shown, no options to add.
  • Magnum Rank: White Belt 23 posts since
    Dec 1, 2010
    9. Aug 22, 2011 9:53 AM (in response to jcurry)
    Re: Enhancing users and roles in Zenoss Core

    Hi Jane,

    we are looking for this kind of feature and would consider contributing development funds.

    How do you envisage the structure of this project in regards to requirements and funding?

     

     

    Marcus

  • Mage Mojo Rank: White Belt 6 posts since
    Aug 10, 2011
    10. Aug 28, 2011 3:54 PM (in response to jcurry)
    Re: Enhancing users and roles in Zenoss Core

    We're all ready to provide dev funds and are waiting on your response Jane.  Could you please give an update?

  • Mage Mojo Rank: White Belt 6 posts since
    Aug 10, 2011
    12. Sep 4, 2011 6:28 PM (in response to jcurry)
    Re: Enhancing users and roles in Zenoss Core

    Looking forward to it Jane.  The only feature missing for us (not previously noted above) would be the ability to create a local copy of a monitoring template and allow the logged in user to modify it for their device.  Specifically we'd like to extend zenoss to our customers and allow them to monitor their own devices and also monitor the time it takes for a page on their website to load.  They'd need local copies of the httpmonitor and be able to set their own urls and times.

     

    But if the issues noted above were resolved this would be very usable as is for us.
