Zabbix user and group permissions
All Zabbix users access the Zabbix application through the web frontend. Each user is assigned a unique login name and password.
- All user passwords are stored in the Zabbix database in hashed form.
- Users cannot use their Zabbix user name and password to log in directly to the UNIX server unless they also have an account on that server.
- SSL can be used to protect communication between the web server and the user's browser.
With the flexible user permission scheme, you can restrict and differentiate access to:
- Administrative functions of the Zabbix frontend;
- Monitored hosts in host groups.
After the initial Zabbix installation, there are two predefined users: Admin and guest.
The guest user is used for unauthenticated users.
Until you log in as Admin, you are the guest user.
```
mysql> use zabbix
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from users\G;
*************************** 1. row ***************************
        userid: 1
      username: Admin
          name: Zabbix
       surname: Administrator
        passwd: $2y$10$92nDno4n0Zm7Ej7Jfsz8WukBfgSS/U0QkIuu8WkJPihXBb2A1UrEK
           url:
     autologin: 1
    autologout: 0
          lang: default
       refresh: 30s
         theme: default
attempt_failed: 0
    attempt_ip: 192.168.47.128
 attempt_clock: 1633691335
 rows_per_page: 50
      timezone: default
        roleid: 3
*************************** 2. row ***************************
        userid: 2
      username: guest
          name:
       surname:
        passwd: $2y$10$89otZrRNmde97rIyzclecuk6LwKAsHN0BcvoOKGjbT.BwMBfm7G06
           url:
     autologin: 0
    autologout: 15m
          lang: default
       refresh: 30s
         theme: default
attempt_failed: 0
    attempt_ip:
 attempt_clock: 0
 rows_per_page: 50
      timezone: default
        roleid: 4
2 rows in set (0.00 sec)

ERROR:
No query specified
```
Follow these steps to configure a user:
- In the Zabbix frontend, go to Administration → Users;
- Click Create user (or click the user name to edit an existing user);
- Edit the user properties in the form.
|Alias||Unique user name, used as the login name.|
|Name||User's first name (optional). If not empty, it is visible in acknowledgement information and notification recipient information.|
|Surname||User's last name (optional). If not empty, it is visible in acknowledgement information and notification recipient information.|
|Password||Two fields for entering the user password. For a user with an existing password, a Password button is shown; clicking it opens the password fields.|
|User groups||List of the user groups the user belongs to. The user groups a user belongs to determine which host groups and hosts the user can access. Click Add to add a user group.|
|Language||Language of the Zabbix frontend. The PHP gettext extension is required for translations.|
|Theme||Defines the look of the frontend: System default - use the default system setting; Blue - standard blue theme; Dark - alternative dark theme.|
|Auto-login||Enable this option if you want Zabbix to remember the login information and log you in automatically for 30 days. This option requires browser cookies.|
|Auto-logout (minimum 90 seconds)||Check this option to log the user out automatically after a period of inactivity (at least 90 seconds).|
|Refresh (seconds)||Sets the refresh rate of graphs, screens, plain text data, etc. Set it to 0 to disable refreshing.|
|Rows per page||Sets the number of rows displayed per page.|
|URL (after login)||If a URL is set, Zabbix redirects to it after login, for example to the trigger status page.|
|Zabbix User||The user can access the Monitoring menu. By default, the user has no access to any resources. Any permissions to hosts must be explicitly assigned.|
|Zabbix Admin||The user can access the Monitoring and Configuration menus. By default, the user has no access to any host group. Any permissions to host groups must be explicitly assigned.|
|Zabbix Super Admin||The user can access everything: the Monitoring, Configuration and Administration menus. The user has read-write access to all host groups. These permissions cannot be revoked by denying access to a specific host group.|
- User groups serve both to organize users and to assign permissions to data. Permissions to the monitoring data of host groups can only be assigned to user groups, not to individual users.
- It usually makes sense to separate the information available to one group of users from that available to another. This is achieved by grouping users and assigning the groups different permissions to host groups.
- A user can belong to any number of groups.
Use the following steps to configure user groups:
- In the Zabbix frontend, go to Administration → User groups
- Click Create user group (or click the group name to edit an existing user group)
- Edit the user group properties in the form.
|Group name||Unique group name.|
|Users||The ... box in the group contains a list of the users currently in the group. To add other users to this group, select them in the other group box and click the « button.|
|Frontend access||How users in the group are authenticated. System default - use the default authentication method. Internal - use Zabbix authentication; this setting is ignored if HTTP authentication is set. Disabled - access to the Zabbix GUI is prohibited.|
|Enabled||Status of the user group and its members. Checked - the user group and its users are enabled. Unchecked - the user group and its users are disabled.|
|Debug mode||Checking this box activates debug mode for the users in the group.|
- Group permissions
|Read-write||Read and write access to the host group.|
|Read only||Read-only access to the host group.|
|Deny||Access to the host group is denied.|
|Default||No permissions are set.|
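How the rules above combine when a user sits in several groups, as an added example that is not code from the original post or from Zabbix. It assumes Zabbix's documented precedence (Deny overrides everything, Read-write overrides Read only); the group names, host group names and users are constructed.

```python
from enum import IntEnum


class Perm(IntEnum):
    # Ordered so that max() applies the assumed precedence:
    # Deny > Read-write > Read only > nothing set.
    NONE = 0        # "Default": no permission set
    READ = 1        # "Read only"
    READ_WRITE = 2  # "Read-write"
    DENY = 3        # "Deny"


def effective_permission(user, host_group, user_groups):
    """Resolve one user's access to one host group across all their user groups."""
    # Super administrators always have read-write; a Deny entry cannot revoke it.
    if user["type"] == "super_admin":
        return Perm.READ_WRITE
    # Permissions come only from user groups, never from the user directly.
    rights = [user_groups[g].get(host_group, Perm.NONE) for g in user["groups"]]
    # A user in no group, or in groups with nothing set, has no access.
    return max(rights, default=Perm.NONE)


def access_report(user, host_groups, user_groups):
    """Map each host group name to the name of the user's effective permission."""
    return {hg: effective_permission(user, hg, user_groups).name
            for hg in host_groups}


# Constructed sample data: user group -> {host group: permission}.
USER_GROUPS = {
    "Linux admins": {"Linux servers": Perm.READ_WRITE, "Databases": Perm.READ},
    "Contractors": {"Linux servers": Perm.READ, "Databases": Perm.DENY},
}
ALICE = {"type": "admin", "groups": ["Linux admins", "Contractors"]}
ROOT = {"type": "super_admin", "groups": ["Contractors"]}
HOST_GROUPS = ["Linux servers", "Databases", "Network"]

if __name__ == "__main__":
    for label, user in (("alice", ALICE), ("root", ROOT)):
        print(label, access_report(user, HOST_GROUPS, USER_GROUPS))
```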
What to do if you forget the Admin password in Zabbix
1. Generate the MD5 hash of the new password. Here the new password is admin.
```
[root@Server ~]# echo -n admin | openssl md5
(stdin)= 21232f297a57a5a743894a0e4a801fc3
```
2. Log in to MySQL and switch to the zabbix database.
```
[root@Server ~]# mysql -uroot -p1
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2406
Server version: 5.7.34 MySQL Community Server (GPL)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use zabbix
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql>
```
3. Then update the passwd value of the user with userid=1 in the users table of the zabbix database, and reload the privilege tables.
```
mysql> select userid,passwd from users;
+--------+--------------------------------------------------------------+
| userid | passwd                                                       |
+--------+--------------------------------------------------------------+
|      1 | $2y$10$92nDno4n0Zm7Ej7Jfsz8WukBfgSS/U0QkIuu8WkJPihXBb2A1UrEK |
|      2 | $2y$10$89otZrRNmde97rIyzclecuk6LwKAsHN0BcvoOKGjbT.BwMBfm7G06 |
|      3 | $2y$10$Rg0yWe9tjRAC8LQrBZWvBORHYqevECCP5RrgQcrTLeEaROMzALx0i |
+--------+--------------------------------------------------------------+
3 rows in set (0.00 sec)

mysql> update users set passwd='21232f297a57a5a743894a0e4a801fc3' where userid = '1';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
```
In this way, the password of the Zabbix Admin user is changed to admin.
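After the reset above, the Admin row holds an unsalted MD5 of a well-known password while the other rows hold `$2y$` bcrypt values. The following added audit (not from the original post or the Zabbix project) flags such rows in an export of the users table. Assumptions: rows are dicts keyed by the column names shown earlier, roleid 3 is the super admin role because that is the Admin row's value on this page, and the candidate password list and sample rows are constructed.

```python
import hashlib
import re

# "$2y$" + two-digit cost + 22-char salt + 31-char digest (53 chars in total).
BCRYPT = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
KNOWN_DEFAULTS = ("admin", "zabbix")  # assumption: extend with your own defaults
SUPER_ADMIN_ROLEID = 3                # assumption: roleid of Admin on this page


def audit_user(row):
    """Return a list of findings for one row of the users table."""
    findings = []
    passwd = row["passwd"]
    if MD5_HEX.match(passwd):
        findings.append("unsalted MD5 hash in passwd")
        # Unsalted MD5 can be compared directly against candidate passwords.
        for candidate in KNOWN_DEFAULTS:
            if hashlib.md5(candidate.encode()).hexdigest() == passwd:
                findings.append(f"password is the well-known value '{candidate}'")
    elif not BCRYPT.match(passwd):
        findings.append("unrecognised passwd format")
    if row["roleid"] == SUPER_ADMIN_ROLEID:
        if row["autologin"] == 1:
            findings.append("super admin with autologin enabled")
        if row["autologout"] == "0":
            findings.append("super admin with auto-logout disabled")
    return findings


def audit(rows):
    """Map username -> findings, listing only users that have findings."""
    report = {row["username"]: audit_user(row) for row in rows}
    return {user: found for user, found in report.items() if found}


# Constructed sample rows: Admin as left by the reset, guest with a
# placeholder bcrypt-shaped value (not a real hash).
SAMPLE_ROWS = [
    {"username": "Admin", "passwd": "21232f297a57a5a743894a0e4a801fc3",
     "autologin": 1, "autologout": "0", "roleid": 3},
    {"username": "guest", "passwd": "$2y$10$" + "A" * 53,
     "autologin": 0, "autologout": "15m", "roleid": 4},
]

if __name__ == "__main__":
    for user, found in audit(SAMPLE_ROWS).items():
        print(user, found)
```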