LDAP, Users, Roles & API Token
This page lets you configure LDAP authentication, create users and roles, and generate API tokens.
When logging in to Monyog from the browser interface, you can use authentication provided by an LDAP server (including the Microsoft/Windows LDAP 'dialect' known as 'Active Directory'). In this case users do not need to know Monyog authentication details directly, only how to authenticate to the LDAP server. To use LDAP authentication for Monyog, specify the settings as below:
Click Settings > LDAP, Users, Roles & API Token. The LDAP Settings page opens.
- Host: Enter the hostname, IP address or URI (Uniform resource identifier) of your LDAP directory server.
- Encryption: Select the type of encryption required for communication with the LDAP directory server. Supported encryption methods are None and StartTLS. With None, bind credentials are sent to the directory server unencrypted.
- Port: Type in the port your LDAP directory server uses.
- LDAP server allows anonymous binds: Select this option if your LDAP directory server allows anonymous binds to the server.
- User DN: Enter the distinguished name of the entry to bind to the LDAP directory server.
- Password: Enter the password of the User DN specified for binding the user to LDAP directory server.
- Test Settings: Click Test Settings to bind to the LDAP directory server with the User DN and Password entered above.
- Authentication mode: Select the mode used to authenticate the user with the LDAP directory server. Bind as User binds to the LDAP directory as the user, with the password provided at login in Monyog's interface. Authentication via Comparison compares the user credentials provided at login with the LDAP directory.
- User search base: Type in the User search base filter for the object class you want to filter your users for authentication.
- User search attribute: Enter the attribute name that contains the user name.
- Search entire subtree: This option controls the search for objects specified in User search base. Selecting this option will search the entire subtree of User search base.
This feature is available only in Monyog Ultimate.
Using the User Management option, you can create, edit and delete users.
How To Create User?
- Click Settings > LDAP, Users, Roles & API Token. The window opens where you can create/delete users.
- To create a new user, click on the link 'Add user' and you can add username and password in the appropriate fields.
- To add LDAP group, select 'LDAP Group' from the options and specify 'Username', 'LDAP group DN' and 'LDAP search filter'.
- Assign Role: Select this option to assign Monyog role.
- External Roles: Use this option to map LDAP roles to Monyog roles.
- Add user to Admin group: Refer to Managing multiple users for more information.
- Action management: Use this option to give different privileges like server edit, kill query etc.
- Tags management: You can give the list of allowed/disallowed tags to the user.
- Tab management: Use this option to restrict access to different tabs in Monyog.
Managing multiple users
You can manage access to your servers and settings based on your needs using 'User Management'. This feature is useful for creating users with limited access to particular servers, which helps prevent accidentally killing queries, executing FLUSH STATUS on your MySQL servers, or changing your server settings without your knowledge.
The Monyog 'admin' user can now create other users having access to a subset of available servers only. Also note that only 'admin' is allowed to create/delete server and user registrations.
The following restrictions apply to non-admin users:
- Cannot register a new server.
- Cannot delete a registered server.
- Cannot change tags of a server.
- Can edit a server only if "Server Edit" permission is granted.
- Can kill a query from the 'Processlist' page only if 'Kill Query' permission is granted.
- Can execute 'FLUSH STATUS' from the Monitors page only if 'FLUSH STATUS' permission is granted.
- If no 'Allowed tags' are specified, normal users will have access to servers with no tags only.
- If the same tag is specified in 'Allowed tags' as well as 'Disallowed tags', then the user will not have access to servers with that tag.
- Cannot change user settings (except own password).
- Cannot change Preferences.
A user can be granted a combination of the following permissions:
- Server Edit: Allows the user to edit the settings of servers accessible to him/her.
- Kill Query: Allows the user to kill queries through the 'Processlist' page on servers accessible to him/her.
- FLUSH STATUS: Allows the user to execute the FLUSH STATUS command on servers accessible to him/her.
- View Literals in Queries: Allows the users to view literals in the Query Analyzer page.
- Open/Close alert: Allows the users to open/close alerts through the "Monitors" and "Events" pages.
This feature is available in Monyog Ultimate.
The Role Manager feature lets you create roles in Monyog, which can then be mapped to any user, whether an external LDAP/AD user or a local user created in Monyog. The roles created can then be given different privileges like "Allow server edit", "Allow kill query" etc., along with the option to restrict access to selected tabs in Monyog.
Creating and Assigning Roles
To create a role in Monyog, go to "Settings -> LDAP, Users, Roles & API Token" and click the "Add role" button.
Go to "Settings -> LDAP, Users, Roles & API Token" to create/edit a user and assign the created role(s). Select the "Assign Role" option in the Create/Edit user pop up page and select a role to assign from the drop down menu.
You can map an LDAP group to a Monyog role from the Create/Edit user pop up page by selecting the option "Map External Roles". Specify the comma separated LDAP group names and select the corresponding Monyog role from the drop down menu.
API Token Manager
The API Token Manager lets you generate a token in Monyog and use it in the API as an alternative to a username and password. Note that this feature is available only for Admin users in Monyog. An admin can create multiple tokens for different purposes and revoke/delete them from inside Monyog whenever required. This also means the admin does not have to share the password with anyone else, and keeps the password from being recorded in logs. After clicking the "GENERATE NEW TOKEN" button, give a name that will be associated with the generated token. The generated token can be used in the Monyog API in the following way:
curl -H "X-MONYOG-TOKEN: 1234567890abcedfghijklmnopqrstuvwxyz" "http://192.168.1.1:5555/?_object=MONyogAPI&_action=DataCollection&_value=enable&_server=Production001"
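
An added example, not part of the Monyog documentation: a POSIX shell wrapper for the call above that reads the token from a file only its owner can access and passes the header to curl as a config on stdin, so the token stays out of shell history and the process list. The function names, the token file path and the use of `stat -c` are assumptions; the header name and query parameters are the ones shown on this page.

```shell
#!/bin/sh
# Added example; function names and the token file location are hypothetical.
# Assumes curl, GNU/busybox `stat -c`, ASCII server names, and a token
# without '"' or '\' characters.

# Succeed only if the token file exists with no group/other permission bits.
token_file_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Percent-encode everything outside the RFC 3986 unreserved set.
urlencode() {
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}
        c=${s%"$rest"}
        case "$c" in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
}

# Build the API URL; encoding keeps a space or '&' in a value from
# splitting the query string.
monyog_url() {
    printf '%s/?_object=MONyogAPI&_action=%s&_value=%s&_server=%s' \
        "$1" "$(urlencode "$2")" "$(urlencode "$3")" "$(urlencode "$4")"
}

# Send the request. The header reaches curl as a config file on stdin (-K -),
# so the token is never a command-line argument.
monyog_call() {
    token_file_is_private "$1" || {
        echo "refusing: $1 is missing or accessible to group/others" >&2
        return 2
    }
    printf 'header = "X-MONYOG-TOKEN: %s"\n' "$(cat "$1")" |
        curl --silent --show-error -K - "$2"
}

# Usage: monyog_call "$HOME/.monyog_token" \
#   "$(monyog_url http://192.168.1.1:5555 DataCollection enable Production001)"
```

Create the token file with `umask 077` in effect (or `chmod 600` it) before pasting the generated token into it; `monyog_call` returns 2 without contacting the server if the file is readable by group or others.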