Nagios - Attribute based authorization

Michael Friedrich michael.friedrich at univie.ac.at
Fri Nov 5 17:24:24 CET 2010


-------- Original Message  --------
Subject: Re: [Nagios-devel] Nagios - Attribute based authorization
From: Vágó Tibor <oreggin at niif.hu>
To: Nagios Developers List <nagios-devel at lists.sourceforge.net>
Date: 2010-10-18 11:05
> Dear List,
>
> the development of this feature has been finished and it had been 
> tested in 99% of possible cases. The patch is attached to this e-mail. 
> As you can see we work with nagios version 3.2.1.

I've now taken your patch against current Icinga GIT Head, but I am a 
bit confused how to test this. As far as I can see this is a patch 
against Apache using Basic Auth and Shibboleth (having that over here).

But what's the thing with getting "entitlement" as env var and how to 
define the authorization lines in the authorization.cfg then? Can you 
explain that to me a bit, so that I can create tests out of that and 
also some documentation on how to use it.

Thanks in advance,
Michael

>
> Kind Regards,
> Tibor Vago
>
>
> 2010-05-21 17:06, Vago Tibor wrote:
>> Dear Andreas,
>>
>> Thanks for the quick answer.
>> We will start the development for this feature and send patch(es) to
>> the ND list.
>>
>> Kind regards,
>> Tibor
>>
>>
>> On 2010-05-19 12:15, Andreas Ericsson wrote:
>>> On 05/19/2010 11:03 AM, Vágó Tibor wrote:
>>>> Dear Nagios devel-list,
>>>>
>>>> We would like to use attribute based authority checking in Nagios.
>>>> We use authentication but not SSL-based.
>>>>
>>>> Our concept (based on nagios-version-3.2.1) is the following:
>>>>
>>>> *Step1*
>>>> cgi/status.c:
>>>> -------------------------------------------------
>>>> //line136:
>>>> authdata current_authdata;
>>>>
>>>> //line244:
>>>> get_authentication_information(&current_authdata);
>>>>
>>>> Add some char variables to authdata structure.
>>>>
>>>> include/cgiauth.h
>>>> -------------------------------------------------
>>>> typedef struct authdata_struct{
>>>> char *username;
>>>> int authorized_for_all_hosts;
>>>> int authorized_for_all_host_commands;
>>>> int authorized_for_all_services;
>>>> int authorized_for_all_service_commands;
>>>> int authorized_for_system_information;
>>>> int authorized_for_system_commands;
>>>> int authorized_for_configuration_information;
>>>> int authorized_for_read_only;
>>>> int authenticated;
>>>> //TODO
>>>> char **host_allow_to_see;
>>>> char **service_allow_to_see;
>>>> ...
>>>> }authdata;
>>>>
>>>>
>>>>
>>>>
>>>> *Step2*
>>>> cgi/cgiauth.c
>>>> -------------------------------------------------
>>>> line86 /* read in authorization override vars from config file... */
>>>> line87 if((thefile=mmap_fopen(get_cgi_config_location()))!=NULL){
>>>> ...
>>>> line95 if((input=mmap_fgets_multiline(thefile))==NULL)
>>>> line96 break;
>>>>
>>>> authinfo->username="";
>>>> authinfo->authenticated=FALSE;
>>>> authinfo->authorized_for_all_hosts=FALSE;
>>>> authinfo->authorized_for_all_host_commands=FALSE;
>>>> authinfo->authorized_for_all_services=FALSE;
>>>> authinfo->authorized_for_all_service_commands=FALSE;
>>>> authinfo->authorized_for_system_information=FALSE;
>>>> authinfo->authorized_for_system_commands=FALSE;
>>>> authinfo->authorized_for_configuration_information=FALSE;
>>>> authinfo->authorized_for_read_only=FALSE;
>>>> // TODO:
>>>> // new local variable:
>>>> attribute_server_variable="entitlement";
>>>>
>>>>
>>>>
>>>> *Step3*
>>>> Check whether the CGI config file contains "attribute_server_variable".
>>>> If it doesn't contain it then we can return just like now.
>>>> If it contains it then read its value, otherwise the default value is
>>>> "entitlement".
>>>> Then split the value on ";" and put the pieces into an array.
>>>>
>>>> Now we can compare the attribute pieces of array from server variable
>>>> and attributes from CGI configs.
>>>> These comparisons will be placed in the following functions:
>>>>
>>>> int is_authorized_for_host(){...}
>>>> int is_authorized_for_service(){...}
>>>> ...
>>>> etc.
>>>>
>>>> Can anyone inform me if this feature is currently under development or
>>>> already usable.
>>>
>>> It's not under development and it's definitely not already usable.
>>>
>>>> If not, we would like to add this feature to the
>>>> Nagios source code in cooperation with the developer team. How can I send
>>>> patches or modifications?
>>>>
>>>
>>> You can send patches in unified diff format to this list, where I, Ton
>>> or Ethan will pick them up and put them "somewhere" and evaluate them
>>> for a future release. Note that details about the patch may well be
>>> altered during the review process. If the patch is crap, we'll tell you
>>> so and give you details about what needs to be changed in order for it
>>> to be accepted.
>>>
>>> Since it's a change to the cgi's, no new major release has to be done.
>>>
>>
>
>


-- 
DI (FH) Michael Friedrich

Vienna University Computer Center
Universitaetsstrasse 7 A-1010 Vienna, Austria

email: 	michael.friedrich at univie.ac.at
phone: 	+43 1 4277 14359
fax: 	+43 1 4277 14279
web:	http://www.univie.ac.at/zid

Icinga Core & IDOUtils Developer
http://www.icinga.org
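
The comparison step described in the quoted proposal (split the server variable on ";" and compare the pieces with the configured attributes), as an added example that is not the patch discussed in this thread and not Nagios or Icinga code. The function names, the per-host attribute list and the sample URN values are hypothetical; only the default variable name "entitlement" comes from the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: 1 if `wanted` equals one whole ';'-separated piece
 * of `entitlement`, else 0. A missing or empty value always denies. */
static int entitlement_has(const char *entitlement, const char *wanted)
{
    const char *p = entitlement;
    size_t wlen;

    if (entitlement == NULL || wanted == NULL || *wanted == '\0')
        return 0;
    wlen = strlen(wanted);
    while (*p != '\0') {
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        /* trim spaces around this piece before comparing */
        while (len > 0 && *p == ' ') { p++; len--; }
        while (len > 0 && p[len - 1] == ' ') len--;
        /* exact length + bytes: "admin" must not match "administrator" */
        if (len == wlen && memcmp(p, wanted, len) == 0)
            return 1;
        if (end == NULL)
            break;
        p = end + 1;
    }
    return 0;
}

/* Hypothetical check: authorized if the user holds any attribute that the
 * configuration lists for the object (host or service). */
static int attr_authorized(const char *entitlement,
                           const char *const *allowed, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (entitlement_has(entitlement, allowed[i]))
            return 1;
    return 0;
}

int main(void)
{
    /* constructed sample attributes for one host */
    const char *allowed[] = { "urn:example:nagios:net-ops",
                              "urn:example:nagios:admin" };
    const char *val = getenv("entitlement"); /* set by the web server */
    puts(attr_authorized(val, allowed, 2) ? "authorized" : "denied");
    return 0;
}
```
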
