Nagios - Attribute based authorization
Andreas Ericsson
ae at op5.se
Tue Dec 14 10:53:56 CET 2010
On 12/14/2010 10:47 AM, Vágó Tibor wrote:
> On 2010-12-13 13:46, Andreas Ericsson wrote:
>> On 12/13/2010 01:15 PM, Vágó Tibor wrote:
>>> Hi Andreas,
>>>
>>> can U have a look at the new diff?
>>>
>>
>> I've had a look. With this patch, what happens when someone tries to
>> connect and the environment variable "entitlement" isn't set? It
>> seems to me as if the code would then bomb out, forcing users to set
>> up a bunch of variables they've never needed to before. That's not
>> acceptable.
>
> The following old configuration settings are overwriting the new attribute based authorization. If U wouldn't like to use attribute based authorization then the following must be set:
>
> authorized_for_system_information=guest
> authorized_for_configuration_information=guest
> authorized_for_system_commands=guest
> authorized_for_all_services=guest
> authorized_for_all_hosts=guest
> authorized_for_all_service_commands=guest
> authorized_for_all_host_commands=guest
>

Err... Wait now. If I don't want to use attribute-based settings, only
guest can log in? I won't take a patch that breaks the old way of setting
auth parameters. I will take one that augments it, but not one that
irrevocably replaces it with something incompatible.

> The attribute based authorization can be disabled if U comment out the following line in cgi.cfg:
> 'authorization_config_file=/etc/niif/netm/cgiauth.cfg'
>
> If U would like to use attribute based authorization then
> - the settings must be empty in cgi.cfg (listed above)
> - 'entitlement' variable must be set
> - 'authorization_config_file=/etc/niif/netm/cgiauth.cfg' must be uncommented.
>
> Feature plan:
> - We'll change the attribute based variable from the fixed 'entitlement' to one adjustable in either config file. We'll design it and send U a new patch with the documentation.
>

Don't use an adjustable environment variable name. That's just confusing.
But why use an environment variable at all?

>> Also, the documentation part of the patch seems to be missing. The
>> example config file contains some basic examples, but what they do
>> isn't explained anywhere.
>
> We'll make a more detailed documentation in 2011 Q1.
>

Thanks. Looking forward to it.

--
Andreas Ericsson andreas.ericsson at op5.se
OP5 AB www.op5.se
Tel: +46 8-230225 Fax: +46 8-230231
Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.