Zenoss Core doesn't provide any easy way to create new roles and permissions. Zenoss Enterprise has the Device Access Control Lists ZenPack (documented in the Extended Monitoring Guide) but I don't believe this delivers anything very sophisticated.
I have created a ZenPack that works with the concept of Administered Objects to:
This is currently development code and I would much appreciate other testers. The code is attached here and should be installed in a backed-up, test environment. The ZenPack was developed in a 3.1 environment and has at least been installed on a 2.5.2 system.
For more discussions around the development process have a look at http://community.zenoss.org/message/59387#59387 .
This is just a starting point. Users authorised to see various Administered Objects don't see any reports (but they do get a blank REPORTS top-level menu).
This ZenPack creates 2 new roles; it does not look at creating any new permissions; nor does it address how to apply new roles and permissions to existing Zenoss Core code.
Organisations will want a more generic way of specifying roles and permissions.
I am actively looking for other sponsors of this work. I am hoping that it is of interest to several organisations who would be prepared to contribute development funds and/or coding efforts - obviously they also get to help specify the requirements.
The Zenoss Community Alliance hopes that this will be the first example of a joint community development.
Please append to this discussion with feedback / ideas / offers of help.
We hope to have a more formal method of offering financial help in the next week or two.
I've tried on 2.5.2 without success (I cannot migrate to 3x now).
The zenpack loads correctly, but the ZenCommon role doesn't appear in manage_access.
Also, in 2.5.2 there is no option to change the role for a Group's Administered Objects through Group -> DETAILS -> Administration menu.
In 2.5.2, the only option is from Settings -> Users -> Administered Objects.
We can't offer any development assistance but we would be happy to contribute financially to this effort. Please let us know once that process has been formalized.
You are correct that in 2.5.2 there isn't a DETAILS link for Locations / Groups / Systems but if you navigate to the relevant organizer there is an Administration tab - that's what you should use. The reason for doing it from here is that, if you do it from the Groups panel -> Administered Objects tab, you need to change all the included devices. That panel saves exactly what you see - if you only change your Location (if that's what you have chosen) and you don't change all the individual devices, then the change works for the Location and then promptly changes back all the individual devices. Daft - but that's how the Core code works.
Not seeing ZenCommon is very strange - I certainly see that. Were there any error messages when you installed the ZenPack?? Do you see the ZenOperator role?
Could you navigate to <your zenoss>:8080/zport/manage (no dmd in this path!!), click on the acl_users directly under the dmd and select roleManager - do you see ZenCommon and/or ZenOperator there??
I have done a little more testing on 2.5.2 and it looks like the permissions on all the left-hand menus (like device list, devices, locations, ...) result in a logon prompt but if you configure your dashboard for the GoogleMaps portlet and the Device Issues portlet then you do see the correct, filtered devices / locations and you can Ack / Close events for those devices so I seem to be part way there. I also see data in performance graphs - both device-level graphs and component graphs.
First I would like to applaud your efforts. This is quite handy.
During testing, I noticed that legacy devices (prior to install of the ZenPack) do not appear for the user, even if the location has been set as per your instructions.
I found that any newly created locations/groups/systems and any newly discovered devices display as expected.
I am experimenting now with deletion/recreation of legacy devices to see if they will then display properly.
My system was built from zenoss 3.1 .rpm (/opt/zenoss dir, but symlinked to /usr/local/zenoss/zenoss as well) on CentOS 5.6.
I am more than happy to assist with further trouble-shooting ...
We followed your installation and other instructions above and for the most part this works pretty good. We have a system group and went that route to assign the perms to the user/group.
Here's some things we found that don't seem right:
Update on what I have discovered.
#1) if your zenpack is installed onto a brand new deployment of 3.1 before any devices are added, I don't think any of this will matter. Seems to work fine for all new devices created 'after' the install of the zenpack.
I did find a resolution that worked for me, albeit there may be a better way to address this.
I have about 45 devices that I monitor. Half of that is my personal network, others are individual clients that I would like to have limited and selective access to the GUI.
What I found is that any new device added after the zenpack install fell subject to your zenpack and worked. Any devices on my system added prior to the install did not. You could see the organizer, but nothing in it.
I only had a few items that mattered, so I ended up copying the performance files from /opt/zenoss/perf/DEVICE and deleting the original device completely from the gui. Added the IP back and cleared the existing ../perf/DEVICE directory. After new IP re-discovered, I copied the original files back to that directory.
This allows for your zenpack to display these devices, and preserved the graphing history.
Again, I did find that this worked for me.
We are looking for this kind of feature and would consider contributing development funds.
How do you envisage the structure of this project in regards to requirements and funding?
Thanks for the prod, Mage Mojo, and sorry to have been so quiet. I am trying to pull together technical threads and the Zenoss Community Alliance (ZCA) is working to setup a Non Profit Organization to provide a joint funding mechanism - the latter is taking some time as it needs to jump through some governmental political hoops before we can get what we want - but we are getting there! The guesstimate on the NPO is in the next 3 weeks.
On the technical front, I am struggling to find a way to generate general reports where the data is filtered by the Administrative Objects that a user has access to - ie you see data in reports just for the devices you manage. I know some folk definitely want this. At present, I can do all reports with all data or I can do no reports (and I can now remove REPORTS off the main top menu), but partial reports I still haven't got an answer to. Does anyone else have any good ideas on this one??
Not sure whether Zenoss Enterprise delivers this functionality?? I'm not talking about the Zenoss Insight add-on here - I know that is a completely separate subsystem. At this stage, I don't want to get into re-writing the whole reports subsystem - though I know that is a high priority for the ZCA to work on and, ultimately, if the ZCA does generate a new reports subsystem then it should work in (even be designed with!!) the concept of user Roles.
This week I am hoping to test out and update the comments that some of you have provided here.
On the point that you often see the wrong numbers of devices in organizers and sometimes the number of events are wrong - these are a couple of known bugs that I reported several months back. I don't think they are always associated with the userRole work. Hopefully we will see Zenoss Core 3.2 "real soon now" and they will have fixed these.
I certainly need to checkout your comments about alerting rules - hopefully that will happen this week. I believe that Event Views are disappearing with Zenoss 3.2. Do you use this feature lots????
If people would like to contribute requirements here, I am very happy to start the debate about what else we should try to deliver and a debate would help us prioritise ideas.
Looking forward to it Jane. The only feature missing for us (not previously noted above) would be the ability to create a local copy of a monitoring template and allow the logged in user to modify it for their device. Specifically we'd like to extend zenoss to our customers and allow them to monitor their own devices and also monitor the time it takes for a page on their website to load. They'd need local copies of the httpmonitor and be able to set their own urls and times.
But if the issues noted above were resolved this would be very usable as is for us.
Thanks for your tests on this and sorry for the long delay in reply!
The mods I have made to the standard code mean that when you add a group/location/system/deviceClass to the Administered Objects for a user/group, then all contained devices AT THAT TIME also get added.
I have found the best way to keep containers consistent when devices have been added / deleted from them, is to navigate to the container (say the Location) and use the DETAILS -> Administration link to remove the container from your users/ groups. Then re-add it back and it will add all the devices that are CURRENTLY contained in that container.
I know this is not ideal, but I think we could add a background script that would do this automatically periodically. At least it's better than deleting and recreating devices and certainly doesn't compromise your performance data.
When you have time, perhaps you could check that this does actually work for you.
Hi! Very sorry for such a long delay in reply - I haven't forgotten this - honest! I finally have some time to get back to this project and the ZCA is grinding through trying to establish a mechanism for funding joint projects.
To comment on your specific comments:
The number of devices in an organizer not matching with the (real) number of devices you see, is not just particular to this ZenPack and is still open as tickets 7838 and 7849 with Zenoss http://dev.zenoss.com/trac/ticket/7849 . The comment added by Mike Lunt is "A future re-architecture of the event system is required to fix this.".
Re the event boxes at the top of the screen, I agree that without anything selected in the left-hand menu then you see event counts for all events and clicking on any of them gets an error message - not nice. However, I find that if you select an organiser in the left-hand menu and refresh the screen, then all the coloured boxes are greyed-out and have zero counts - one step better methinks. However, you can still click the greyed out boxes and get the usual error. This is also part of the tickets referenced above.
Adding devices to organizers, subsequent to setting up Administered Objects, is something I know about and I think is covered in my response to kittytowerz. Would a periodic script, perhaps run at zenmodeler intervals??, to add in any devices that have been added to an organizer, into the Administered Objects for that Organizer, work for you?
I have been doing some testing with Zenoss 3.2 and this brings us some good news. The big difference is that event consoles now behave the same way in pre-filtered event consoles, as in the main one, ie. device consoles, group event consoles, event class consoles.....
Re your later comments on problems with alerting rules and event views, I don't see an issue with event views?? Could you just confirm that one? The alerting rules is an issue and I have finally tracked down the cause. I have a very quick fix by hacking the Core code and I am looking for a good way to do this as part of a ZenPack. If you want the quick-and-dirty fix, please let me know.
Hopefully more to report in a day or two.
Copyright © 2005-2011 Zenoss, Inc.