Nagios - Attribute based authorization

[Andreas Ericsson]

On 05/19/2010 11:03 AM, Vágó Tibor wrote:
> Dear Nagios devel-list,
> 
> We would like to use attribute based authority checking in Nagios.
> We use authentication but not SSL-based.
> 
> Our conception is (based nagios-version-3.2.1) the following:
> 
> *Step1*
> cgi/status.c:
> -------------------------------------------------
> //line136:
> authdata current_authdata;
> 
> //line244:
> get_authentication_information(&current_authdata);
> 
> Add some char variables to authdata structure.
> 
> include/cgiauth.h
> -------------------------------------------------
> typedef struct authdata_struct{
>       char *username;
>       int authorized_for_all_hosts;
>       int authorized_for_all_host_commands;
>       int authorized_for_all_services;
>       int authorized_for_all_service_commands;
>       int authorized_for_system_information;
>       int authorized_for_system_commands;
>       int authorized_for_configuration_information;
>       int authorized_for_read_only;
>       int authenticated;
>       //TODO
>       char **host_allow_to_see;
>       char **service_allow_to_see;
>       ...
> }authdata;
> 
> 
> 
> 
> *Step2*
> cgi/cgiauth.c
> -------------------------------------------------
> line86  /* read in authorization override vars from config file... */
> line87  if((thefile=mmap_fopen(get_cgi_config_location()))!=NULL){
> ...
> line95  if((input=mmap_fgets_multiline(thefile))==NULL)
> line96  break;
> 
> authinfo->username=""
> authinfo->authenticated=FALSE
> authinfo->authorized_for_all_hosts=FALSE;
> authinfo->authorized_for_all_host_commands=FALSE;
> authinfo->authorized_for_all_services=FALSE;
> authinfo->authorized_for_all_service_commands=FALSE;
> authinfo->authorized_for_system_information=FALSE;
> authinfo->authorized_for_system_commands=FALSE;
> authinfo->authorized_for_configuration_information=FALSE;
> authinfo->authorized_for_read_only=FALSE;
> // TODO:
> // newlocal variable:
> attribute_server_variable="entitlement";
> 
> 
> 
> *Step3*
> Check the CGI config file is it contains "attribute_server_variable".
> If it not doesn't contain then we can return just like now.
> If it contains then read its value otherwise the default value is
> "entitlement".
> Then split value about ";" and put that pieces into an array.
> 
> Now we can compare the attribute pieces of array from server variable
> and attributes from CGI configs.
> Theese compares will be placed in the following functions:
> 
> int is_authorized_for_host(){...}
> int is_authorized_for_service(){...}
> ...
> etc.
> 
> Can anyone inform me if this feature is currently under development or
> already usable.

It's not under development and it's definitely not already usable.

> If not, we would like to add this feature to the
> Nagios source code cooperate with the developer team. How can I send
> patches or modification?
> 

You can send patches in unified diff format to this list, where I, Ton
or Ethan will pick them up and put them "somewhere" and evaluate them
for a future release. Note that details about the patch may well be
altered during the review process. If the patch is crap, we'll tell you
so and give you details about what needs to be changed in order for it
to be accepted.

Since it's a change to the cgi's, no new major release has to be done.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231

Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.

------------------------------------------------------------------------------