Nagios - Attribute based authorization

Vágó Tibor oreggin at niif.hu
Fri May 21 17:06:56 CEST 2010


Dear Andreas,

Thanks for the quick answer.
We will start the development for this feature and send patch(es) to 
the ND list.

Kind regards,
Tibor


On 2010-05-19 12:15, Andreas Ericsson wrote:
> On 05/19/2010 11:03 AM, Vágó Tibor wrote:
>> Dear Nagios devel-list,
>>
>> We would like to use attribute based authority checking in Nagios.
>> We use authentication but not SSL-based.
>>
>> Our concept (based on nagios-version-3.2.1) is the following:
>>
>> *Step1*
>> cgi/status.c:
>> -------------------------------------------------
>> //line136:
>> authdata current_authdata;
>>
>> //line244:
>> get_authentication_information(&current_authdata);
>>
>> Add some char variables to authdata structure.
>>
>> include/cgiauth.h
>> -------------------------------------------------
>> typedef struct authdata_struct{
>>        char *username;
>>        int authorized_for_all_hosts;
>>        int authorized_for_all_host_commands;
>>        int authorized_for_all_services;
>>        int authorized_for_all_service_commands;
>>        int authorized_for_system_information;
>>        int authorized_for_system_commands;
>>        int authorized_for_configuration_information;
>>        int authorized_for_read_only;
>>        int authenticated;
>>        //TODO
>>        char **host_allow_to_see;
>>        char **service_allow_to_see;
>>        ...
>> }authdata;
>>
>>
>>
>>
>> *Step2*
>> cgi/cgiauth.c
>> -------------------------------------------------
>> line86  /* read in authorization override vars from config file... */
>> line87  if((thefile=mmap_fopen(get_cgi_config_location()))!=NULL){
>> ...
>> line95  if((input=mmap_fgets_multiline(thefile))==NULL)
>> line96  break;
>>
>> authinfo->username="";
>> authinfo->authenticated=FALSE;
>> authinfo->authorized_for_all_hosts=FALSE;
>> authinfo->authorized_for_all_host_commands=FALSE;
>> authinfo->authorized_for_all_services=FALSE;
>> authinfo->authorized_for_all_service_commands=FALSE;
>> authinfo->authorized_for_system_information=FALSE;
>> authinfo->authorized_for_system_commands=FALSE;
>> authinfo->authorized_for_configuration_information=FALSE;
>> authinfo->authorized_for_read_only=FALSE;
>> // TODO:
>> // newlocal variable:
>> attribute_server_variable="entitlement";
>>
>>
>>
>> *Step3*
>> Check whether the CGI config file contains "attribute_server_variable".
>> If it doesn't contain it, then we can return just like now.
>> If it contains it, then read its value, otherwise the default value is
>> "entitlement".
>> Then split the value on ";" and put the pieces into an array.
>>
>> Now we can compare the attribute pieces of the array from the server
>> variable and the attributes from the CGI configs.
>> These comparisons will be placed in the following functions:
>>
>> int is_authorized_for_host(){...}
>> int is_authorized_for_service(){...}
>> ...
>> etc.
>>
>> Can anyone inform me if this feature is currently under development or
>> already usable.
>
> It's not under development and it's definitely not already usable.
>
>> If not, we would like to add this feature to the
>> Nagios source code in cooperation with the developer team. How can I send
>> patches or modifications?
>>
>
> You can send patches in unified diff format to this list, where I, Ton
> or Ethan will pick them up and put them "somewhere" and evaluate them
> for a future release. Note that details about the patch may well be
> altered during the review process. If the patch is crap, we'll tell you
> so and give you details about what needs to be changed in order for it
> to be accepted.
>
> Since it's a change to the cgi's, no new major release has to be done.
>
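
The comparison proposed in Step 3 above, as an added example that is not part of this thread or of the Nagios source: split the server variable's value on ";" and authorize only on an exact match against the configured attributes, denying when the variable is missing or empty. The function names, the `sample_allowed` values and reading the variable from the CGI environment with `getenv()` are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample: attributes a CGI config might grant access for. */
const char *const sample_allowed[] = {
    "urn:example:nagios:host:web01",
    "urn:example:nagios:admin",
    NULL
};

/* Hypothetical helper: returns 1 if any ';'-separated piece of server_value
 * exactly equals one entry of the NULL-terminated allowed[] list, else 0.
 * Fails closed: NULL, empty or separator-only input never authorizes. */
int attribute_matches(const char *server_value, const char *const *allowed)
{
    const char *p = server_value;

    if (p == NULL || allowed == NULL)
        return 0;
    while (*p != '\0') {
        size_t len = strcspn(p, ";");          /* length of current piece */
        const char *s = p, *e = p + len;
        size_t i;

        while (s < e && (*s == ' ' || *s == '\t'))
            s++;                               /* trim leading blanks */
        while (e > s && (e[-1] == ' ' || e[-1] == '\t'))
            e--;                               /* trim trailing blanks */
        for (i = 0; e > s && allowed[i] != NULL; i++) {
            /* whole-piece comparison, never a prefix or substring match */
            if (strlen(allowed[i]) == (size_t)(e - s) &&
                memcmp(allowed[i], s, (size_t)(e - s)) == 0)
                return 1;
        }
        p += len;
        if (*p == ';')
            p++;                               /* skip the separator */
    }
    return 0;
}

/* Hypothetical wrapper: reads the variable named by var_name from the CGI
 * environment, falling back to the proposal's default "entitlement". */
int is_authorized_by_attribute(const char *var_name, const char *const *allowed)
{
    if (var_name == NULL || *var_name == '\0')
        var_name = "entitlement";
    return attribute_matches(getenv(var_name), allowed);
}
```

Because the attribute value is supplied by the web server, the check is only as trustworthy as the server configuration that sets it; a variable that a client can influence through request headers must not be used here.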

