This is a multi-part message in MIME format.
--------------080502070105050005080808
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
-------- Original Message --------
Subject: Re: [Nagios-devel] Nagios - Attribute based authorization
From: Vágó Tibor
To: Nagios Developers List
Date: 2010-10-18 11:05
> Dear List,
>
> the development of this feature has been finished and it had been
> tested in 99% of possible cases. The patch is attached to this e-mail.
> As you can see we work with nagios version 3.2.1.
I've now taken your patch against current Icinga GIT Head, but I am a
bit confused how to test this. As far as I can see this is a patch
against Apache using Basic Auth an Shibboleth (having that over here).
But what's the thing with getting "entitlement" as env var and how to
define the authorization lines in the authorization.cfg then? Can you
explain that too me a bit, so that I can create tests out of that and
also some documentation on how to use it.
Thanks in advance,
Michael
>
> Kind Regards,
> Tibor Vago
>
>
> 2010-05-21 17:06, Vago Tibor wrote:
>> Dear Andreas,
>>
>> Thansk for the quick answer.
>> We will start the development for this feature and send patch(es) to
>> the ND list.
>>
>> Kind regards,
>> Tibor
>>
>>
>> 2010-05-19 12:15 keltezéssel, Andreas Ericsson Ãrta:
>>> On 05/19/2010 11:03 AM, Vágó Tibor wrote:
>>>> Dear Nagios devel-list,
>>>>
>>>> We would like to use attribute based authority checking in Nagios.
>>>> We use authentication but not SSL-based.
>>>>
>>>> Our conception is (based nagios-version-3.2.1) the following:
>>>>
>>>> *Step1*
>>>> cgi/status.c:
>>>> -------------------------------------------------
>>>> //line136:
>>>> authdata current_authdata;
>>>>
>>>> //line244:
>>>> get_authentication_information(¤t_authdata);
>>>>
>>>> Add some char variables to authdata structure.
>>>>
>>>> include/cgiauth.h
>>>> -------------------------------------------------
>>>> typedef struct authdata_struct{
>>>> char *username;
>>>> int authorized_for_all_hosts;
>>>> int authorized_for_all_host_commands;
>>>> int authorized_for_all_services;
>>>> int authorized_for_all_service_commands;
>>>> int authorized_for_system_information;
>>>> int authorized_for_system_commands;
>>>> int authorized_for_configuration_information;
>>>> int authorized_for_read_only;
>>>> int authenticated;
>>>> //TODO
>>>> char **host_allow_to_see;
>>>> char **service_allow_to_see;
>>>> ...
>>>> }authdata;
>>>>
>>>>
>>>>
>>>>
>>>> *Step2*
>>>> cgi/cgiauth.c
>>>> -------------------------------------------------
>>>> line86 /* read in authorization override vars from config file... */
>>>> line87 if((thefile=mmap_fopen(get_cgi_config_location()))!=NULL){
>>>> ...
>>>> line95 if((input=mmap_fgets_multiline(thefile))==NULL)
>>>> line96 break;
>>>>
>>>> authinfo->username=""
>>>> authinfo->authenticated=FALSE
>>>> authinfo->authorized_for_all_hosts=FALSE;
>>>> authinfo->authorized_for_all_host_commands=FALSE;
>>>> authinfo->authorized_for_all_services=FALSE;
>>>> authinfo->authorized_for_all_service_commands=FALSE;
>>>> authinfo->authorized_for_system_information=FALSE;
>>>> authinfo->authorized_for_system_commands=FALSE;
>>>> authinfo->authorized_for_configuration_information=FALSE;
>>>> authinfo->authorized_for_read_only=FALSE;
>>>> // TODO:
>>>> // newlocal variable:
>>>> attribute_server_variable="entitlement";
>>>>
>>>>
>>>>
>>>> *Step3*
>>>> Check the CGI config file is it contains "attribute_server_variable".
>>>> If it not doesn't contain then we can return just like now.
>>>> If it contains then read its value otherwise the default value is
>>>> "entitlement".
>>>> Then split value about ";" and put that pieces into an array.
>>>>
>>>> Now we can compare the attribute pieces of array from server variable
>>>> and attributes from CGI configs.
>>>> Theese compares will be placed in the following functions:
>>>>
>>>> int is_authorized_for_host(){...}
>>>> int is_authorized_for_service(){...}
>>>> ...
>>>> etc.
>>>>
>>>>
...[email truncated]...
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]