Re: [Nagios-devel] Nagios - Attribute based authorization

Posted: Fri May 21, 2010 2:07 pm
by Guest
Dear Andreas,

Thanks for the quick answer.
We will start the development for this feature and send patch(es) to
the ND list.

Kind regards,
Tibor


On 2010-05-19 12:15, Andreas Ericsson wrote:
> On 05/19/2010 11:03 AM, Vágó Tibor wrote:
>> Dear Nagios devel-list,
>>
>> We would like to use attribute based authority checking in Nagios.
>> We use authentication but not SSL-based.
>>
>> Our concept (based on nagios-version-3.2.1) is the following:
>>
>> *Step1*
>> cgi/status.c:
>> -------------------------------------------------
>> //line136:
>> authdata current_authdata;
>>
>> //line244:
>> get_authentication_information(&current_authdata);
>>
>> Add some char variables to authdata structure.
>>
>> include/cgiauth.h
>> -------------------------------------------------
>> typedef struct authdata_struct{
>> char *username;
>> int authorized_for_all_hosts;
>> int authorized_for_all_host_commands;
>> int authorized_for_all_services;
>> int authorized_for_all_service_commands;
>> int authorized_for_system_information;
>> int authorized_for_system_commands;
>> int authorized_for_configuration_information;
>> int authorized_for_read_only;
>> int authenticated;
>> //TODO
>> char **host_allow_to_see;
>> char **service_allow_to_see;
>> ...
>> }authdata;
>>
>>
>>
>>
>> *Step2*
>> cgi/cgiauth.c
>> -------------------------------------------------
>> line86 /* read in authorization override vars from config file... */
>> line87 if((thefile=mmap_fopen(get_cgi_config_location()))!=NULL){
>> ...
>> line95 if((input=mmap_fgets_multiline(thefile))==NULL)
>> line96 break;
>>
>> authinfo->username="";
>> authinfo->authenticated=FALSE;
>> authinfo->authorized_for_all_hosts=FALSE;
>> authinfo->authorized_for_all_host_commands=FALSE;
>> authinfo->authorized_for_all_services=FALSE;
>> authinfo->authorized_for_all_service_commands=FALSE;
>> authinfo->authorized_for_system_information=FALSE;
>> authinfo->authorized_for_system_commands=FALSE;
>> authinfo->authorized_for_configuration_information=FALSE;
>> authinfo->authorized_for_read_only=FALSE;
>> // TODO:
>> // new local variable:
>> attribute_server_variable="entitlement";
>>
>>
>>
>> *Step3*
>> Check whether the CGI config file contains "attribute_server_variable".
>> If it doesn't contain it, then we can return just like now.
>> If it contains it, then read its value; otherwise the default value is
>> "entitlement".
>> Then split the value at ";" and put the pieces into an array.
>>
>> Now we can compare the attribute pieces of the array from the server
>> variable and the attributes from the CGI configs.
>> These comparisons will be placed in the following functions:
>>
>> int is_authorized_for_host(){...}
>> int is_authorized_for_service(){...}
>> ...
>> etc.
>>
>> Can anyone inform me if this feature is currently under development or
>> already usable.
>
> It's not under development and it's definitely not already usable.
>
>> If not, we would like to add this feature to the
>> Nagios source code in cooperation with the developer team. How can I send
>> patches or modifications?
>>
>
> You can send patches in unified diff format to this list, where I, Ton
> or Ethan will pick them up and put them "somewhere" and evaluate them
> for a future release. Note that details about the patch may well be
> altered during the review process. If the patch is crap, we'll tell you
> so and give you details about what needs to be changed in order for it
> to be accepted.
>
> Since it's a change to the cgi's, no new major release has to be done.
>






This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
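
The comparison described in Step 3 of the quoted proposal, sketched as an added example; it is not code from the thread or from Nagios. The names `attrs_authorize`, `list_has_token` and `trim` are hypothetical, the attribute values are constructed, and the whitespace trimming, whole-token matching and deny-on-missing behaviour are assumptions the post does not specify.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: shrink [*s, *s + *len) so it has no surrounding whitespace. */
static void trim(const char **s, size_t *len) {
    while (*len > 0 && isspace((unsigned char)**s)) { (*s)++; (*len)--; }
    while (*len > 0 && isspace((unsigned char)(*s)[*len - 1])) (*len)--;
}

/* Return 1 if `wanted` (wlen bytes) equals one whole ';'-separated token of `list`. */
static int list_has_token(const char *list, const char *wanted, size_t wlen) {
    const char *p = list;
    while (p != NULL && *p != '\0') {
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *tok = p;
        trim(&tok, &len);
        /* Full-token comparison: "noc" must not match "noc-admin". */
        if (len > 0 && len == wlen && memcmp(tok, wanted, len) == 0)
            return 1;
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* server_value: ';'-separated attributes from the web server variable.
 * allowed: ';'-separated attributes configured for a host or service. */
int attrs_authorize(const char *server_value, const char *allowed) {
    if (server_value == NULL || allowed == NULL)
        return 0;                      /* missing variable or config: deny */
    const char *p = server_value;      /* scanned in place, never modified */
    while (p != NULL && *p != '\0') {
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *tok = p;
        trim(&tok, &len);
        if (len > 0 && list_has_token(allowed, tok, len))
            return 1;
        p = end ? end + 1 : NULL;
    }
    return 0;
}

int main(void) {
    /* Constructed sample values. */
    printf("%d\n", attrs_authorize("staff;noc-admin", "noc-admin;dba"));
    return 0;
}
```

Scanning with `strchr` instead of `strtok` leaves the string returned by `getenv()` untouched, and empty tokens never match, so a value such as `;;` grants nothing.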