Nagios - Attribute based authorization

Vágó Tibor oreggin at niif.hu
Wed May 19 11:03:36 CEST 2010


Dear Nagios devel-list,

We would like to use attribute based authority checking in Nagios.
We use authentication, but it is not SSL-based.

Our concept (based on nagios-version-3.2.1) is the following:

*Step1*
cgi/status.c:
-------------------------------------------------
//line136:
authdata current_authdata;

//line244:
get_authentication_information(&current_authdata);

Add some char variables to the authdata structure.

include/cgiauth.h
-------------------------------------------------
typedef struct authdata_struct{
     char *username;
     int authorized_for_all_hosts;
     int authorized_for_all_host_commands;
     int authorized_for_all_services;
     int authorized_for_all_service_commands;
     int authorized_for_system_information;
     int authorized_for_system_commands;
     int authorized_for_configuration_information;
     int authorized_for_read_only;
     int authenticated;
     //TODO
     char **host_allow_to_see;
     char **service_allow_to_see;
     ...
}authdata;




*Step2*
cgi/cgiauth.c
-------------------------------------------------
line86  /* read in authorization override vars from config file... */
line87  if((thefile=mmap_fopen(get_cgi_config_location()))!=NULL){
...
line95  if((input=mmap_fgets_multiline(thefile))==NULL)
line96  break;

authinfo->username="";
authinfo->authenticated=FALSE;
authinfo->authorized_for_all_hosts=FALSE;
authinfo->authorized_for_all_host_commands=FALSE;
authinfo->authorized_for_all_services=FALSE;
authinfo->authorized_for_all_service_commands=FALSE;
authinfo->authorized_for_system_information=FALSE;
authinfo->authorized_for_system_commands=FALSE;
authinfo->authorized_for_configuration_information=FALSE;
authinfo->authorized_for_read_only=FALSE;
// TODO:
// new local variable:
char *attribute_server_variable="entitlement";



*Step3*
Check whether the CGI config file contains "attribute_server_variable".
If it does not contain it, then we can return just like now.
If it contains it, then read its value; otherwise the default value is
"entitlement".
Then split the value at ";" and put the pieces into an array.

Now we can compare the attribute pieces of the array from the server
variable with the attributes from the CGI configs.
These comparisons will be placed in the following functions:

int is_authorized_for_host(){...}
int is_authorized_for_service(){...}
...
etc.

Can anyone inform me if this feature is currently under development or
already usable? If not, we would like to add this feature to the
Nagios source code in cooperation with the developer team. How can I send
patches or modifications?

Cheers,
Tibor Vago
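
The split-and-compare step described in Step3, as an added example that is not part of the original post or of the Nagios source. The function names and the per-host list of allowed attributes are hypothetical; the sketch matches whole pieces only and denies when the attribute is missing.

```c
#include <stdlib.h>
#include <string.h>

/* Returns 1 if one ';'-separated piece of `value` equals `wanted` exactly. */
static int piece_matches(const char *value, const char *wanted)
{
    size_t wlen = strlen(wanted);
    const char *p = value;

    if (wlen == 0)
        return 0;                        /* an empty attribute never matches */
    while (*p) {
        size_t len = strcspn(p, ";");    /* length of the current piece */
        const char *s = p;
        size_t n = len;
        while (n && (*s == ' ' || *s == '\t')) { s++; n--; }   /* trim left */
        while (n && (s[n - 1] == ' ' || s[n - 1] == '\t')) n--; /* trim right */
        if (n == wlen && memcmp(s, wanted, wlen) == 0)
            return 1;                    /* whole piece only, never a prefix */
        p += len;
        if (*p == ';')
            p++;
    }
    return 0;
}

/* Hypothetical: `allowed` holds the attributes the CGI config grants for
   one host or service (that config syntax is an assumption). */
int entitlement_allows(const char *value, const char *const *allowed, size_t n_allowed)
{
    size_t i;

    if (value == NULL || *value == '\0')
        return 0;                        /* fail closed: no attribute, no access */
    for (i = 0; i < n_allowed; i++)
        if (allowed[i] != NULL && piece_matches(value, allowed[i]))
            return 1;
    return 0;
}

/* Hypothetical reader for the configured attribute_server_variable. CGI
   exposes request headers as HTTP_* variables, which the client controls,
   so such a name is refused instead of being trusted for authorization. */
const char *read_attribute_variable(const char *var_name)
{
    if (var_name == NULL || strncmp(var_name, "HTTP_", 5) == 0)
        return NULL;
    return getenv(var_name);
}
```
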
