Re: [Nagios-devel] Nagios - Attribute based authorization
Posted: Tue Dec 14, 2010 9:54 am
On 12/14/2010 10:47 AM, Vágó Tibor wrote:
> 2010-12-13 13:46 keltezéssel, Andreas Ericsson írta:
>> On 12/13/2010 01:15 PM, Vágó Tibor wrote:
>>> Hi Andreas,
>>>
>>> can U have a look at the new diff?
>>>
>>
>> I've had a look. With this patch, what happens when someone tries to
>> connect and the environment variable "entitlement" isn't set? It
>> seems to me as if the code would then bomb out, forcing users to set
>> up a bunch of variables they've never needed to before. That's not
>> acceptable.
>
> The following old configuration settings are overwriting the new attribute based authorization. If U wouldn't like to use attribute based authoriztaion then the following must be set:
>
> authorized_for_system_information=guest
> authorized_for_configuration_information=guest
> authorized_for_system_commands=guest
> authorized_for_all_services=guest
> authorized_for_all_hosts=guest
> authorized_for_all_service_commands=guest
> authorized_for_all_host_commands=guest
>
Err... Wait now. If I don't want to use attribute-based settings, only
guest can log in? I won't take a patch that breaks the old way of setting
auth parameters. I will take one that augments it, but not one that
irrevocably replaces it with something incompatible.
> The attribute based authorization can be disabled if U comment out the following line in cgi.cfg:
> 'authorization_config_file=/etc/niif/netm/cgiauth.cfg'
>
> If U would like to use attribute based authorization then
> - the settings must empty in cgi.cfg (listed above)
> - 'entitlement' variable must be set
> - 'authorization_config_file=/etc/niif/netm/cgiauth.cfg' must be uncommented.
>
> Feature plan:
> - We'll change the attribute based variable from fix 'entitlement' to adjustable in either config file. We'll designing it and send U a new patch with the documentation.
>
Don't use an adjustable environment variable name. That's just confusing.
But why use an environment variable at all?
>> Also, the documentation part of the patch seems to be missing. The
>> example config file contains some basic examples, but what they do
>> isn't explained anywhere.
>
> We'll make a more detailed documentation in 2011 Q1.
>
Thanks. Looking forward to it.
--
Andreas Ericsson [email protected]
OP5 AB www.op5.se
Tel: +46 8-230225 Fax: +46 8-230231
Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
> 2010-12-13 13:46 keltezéssel, Andreas Ericsson írta:
>> On 12/13/2010 01:15 PM, Vágó Tibor wrote:
>>> Hi Andreas,
>>>
>>> can U have a look at the new diff?
>>>
>>
>> I've had a look. With this patch, what happens when someone tries to
>> connect and the environment variable "entitlement" isn't set? It
>> seems to me as if the code would then bomb out, forcing users to set
>> up a bunch of variables they've never needed to before. That's not
>> acceptable.
>
> The following old configuration settings are overwriting the new attribute based authorization. If U wouldn't like to use attribute based authoriztaion then the following must be set:
>
> authorized_for_system_information=guest
> authorized_for_configuration_information=guest
> authorized_for_system_commands=guest
> authorized_for_all_services=guest
> authorized_for_all_hosts=guest
> authorized_for_all_service_commands=guest
> authorized_for_all_host_commands=guest
>
Err... Wait now. If I don't want to use attribute-based settings, only
guest can log in? I won't take a patch that breaks the old way of setting
auth parameters. I will take one that augments it, but not one that
irrevocably replaces it with something incompatible.
> The attribute based authorization can be disabled if U comment out the following line in cgi.cfg:
> 'authorization_config_file=/etc/niif/netm/cgiauth.cfg'
>
> If U would like to use attribute based authorization then
> - the settings must empty in cgi.cfg (listed above)
> - 'entitlement' variable must be set
> - 'authorization_config_file=/etc/niif/netm/cgiauth.cfg' must be uncommented.
>
> Feature plan:
> - We'll change the attribute based variable from fix 'entitlement' to adjustable in either config file. We'll designing it and send U a new patch with the documentation.
>
Don't use an adjustable environment variable name. That's just confusing.
But why use an environment variable at all?
>> Also, the documentation part of the patch seems to be missing. The
>> example config file contains some basic examples, but what they do
>> isn't explained anywhere.
>
> We'll make a more detailed documentation in 2011 Q1.
>
Thanks. Looking forward to it.
--
Andreas Ericsson [email protected]
OP5 AB www.op5.se
Tel: +46 8-230225 Fax: +46 8-230231
Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]