
Users and roles

User authentication

Before performing any operation on the monitor using the CLI or the REST API, it is necessary to authenticate as a user of the system. The monitor uses a role-based access control (RBAC) approach, with the administrator role providing full access to all facilities. When the monitor is first installed and configured, an administrator user is created as part of the initial setup. Once the administrator has been configured, additional users can be created and assigned specific roles as required.

Available roles

There are three roles that can be assigned to users:

Role           ID  Description
View only      0   Basic access only. Check status of resources and alerts only.
Operator       1   Same access as view only but also the ability to enable/disable alerts.
Administrator  2   No restrictions.

Logging into the monitor

To authenticate to the monitor use the following command:

# hamonitor login

You will be prompted to enter a valid URL to connect to (defaulting to localhost if run inside the Docker image or on the Docker host), followed by a username and password. Upon successful login, the monitor issues the following response:

# hamonitor login
Enter URL [https://localhost:13514 if empty]:
Enter Username: admin
Enter Password:
Welcome admin

Creating new users

Only users with the administrator role can create new users (who can in turn be assigned the administrator role). The monitor enforces that at least one user has the administrator role and prevents any attempt to delete an administrative user if there are no other users with that role.

To create a new user enter the following command:

# hamonitor user create

Here is an example of creating a user with the operator role:

Enter username: oper
Enter password: [hidden]
Verify password: [hidden]
Enter real name [None]: Operator
Enter email address [None]: operations@some.domain.com
Available roles: 0 (view only), 1 (operator), 2 (admin)
Enter role [0]: 1
User oper successfully created

Security considerations

Internally, security for the monitor is provided in two ways:

  1. In the monitor itself, using the role-based system for its user management. All user details are stored in the monitor's secure encrypted database, located in the persistent volume used for customer data (along with the monitor's configuration, logs, etc.). Modification of user data is restricted to users who have the administrative role. In this way security in the monitor is explicit and does not depend on any specific configuration being enabled.

  2. Any resource being monitored will have its own security settings on the remote server which can be tailored to suit the level of security required.

    For example, when monitoring an NFS share the monitor may be treated as an ordinary application client and inherit whatever security considerations have been put in place for clients of that share; or, for the purpose of monitoring, a share could be created specifically for the monitor with restrictions such as the nosuid and/or ro options – furthermore access to that share could be restricted to just the monitor host itself (using the exports file on the NFS server).
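
One way to verify the last restriction on the NFS server, as an added example that is not part of the monitor or its documentation: it reads exports-file text in Linux exports(5) syntax and reports any entry that exports the monitor's share to a host other than the monitor or with write access. The share path /srv/monitor_probe and the host address 192.0.2.10 are hypothetical, and nosuid is not checked because on Linux it is a mount option set on the client rather than in the exports file.

```python
# Added example: audit the NFS server's exports for the monitor's share.
# Assumes Linux exports(5) syntax without line continuations or "-opts" defaults.

# Hypothetical values: the dedicated share and the monitor host's address.
MONITOR_SHARE = "/srv/monitor_probe"
MONITOR_HOST = "192.0.2.10"

# Constructed sample input, not taken from a real server.
SAMPLE_EXPORTS = """\
# share used by ordinary application clients
/srv/appdata        10.0.0.0/24(rw,sync)
# share created specifically for the monitor
/srv/monitor_probe  192.0.2.10(ro,sync) *.example.com(rw)
"""


def audit_share(exports_text, share=MONITOR_SHARE, host=MONITOR_HOST):
    """Return a list of findings for `share`. An empty list means the share
    is exported to `host` only and without write access."""
    findings = []
    seen = False
    for raw in exports_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        path, *clients = line.split()
        if path != share:
            continue
        seen = True
        # A path with no client list is exported to every host.
        for client in clients or [""]:
            name, _, rest = client.partition("(")
            opts = rest.rstrip(")").split(",")
            who = name or "any host"
            if name != host:
                findings.append(f"exported to {who}, not only {host}")
            # exports(5) defaults to read-only, so only an explicit rw grants writes.
            if "rw" in opts:
                findings.append(f"{who} has write access (rw)")
    if not seen:
        findings.append(f"{share} is not exported")
    return findings


if __name__ == "__main__":
    for finding in audit_share(SAMPLE_EXPORTS):
        print("FINDING:", finding)
```

An empty result for the monitor's share means the exports file matches the restricted setup described above; each finding names the client entry that widens access.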