<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#ffffff">
-------- Original Message --------<br>
Subject: Re: [Nagios-devel] Nagios - Attribute based authorization<br>
From: Vágó Tibor <a class="moz-txt-link-rfc2396E" href="mailto:oreggin@niif.hu">&lt;oreggin@niif.hu&gt;</a><br>
To: Nagios Developers List
<a class="moz-txt-link-rfc2396E" href="mailto:nagios-devel@lists.sourceforge.net">&lt;nagios-devel@lists.sourceforge.net&gt;</a><br>
Date: 2010-10-18 11:05<br>
<blockquote cite="mid:4CBC0DE0.2050706@niif.hu" type="cite">Dear
List,
<br>
<br>
the development of this feature has been finished and it has been
tested in 99% of possible cases. The patch is attached to this
e-mail. As you can see we work with nagios version 3.2.1.
<br>
</blockquote>
<br>
I've now taken your patch against current Icinga GIT Head, but I am
a bit confused how to test this. As far as I can see this is a patch
against Apache using Basic Auth and Shibboleth (having that over
here).<br>
<br>
But what's the thing with getting "entitlement" as env var and how
to define the authorization lines in the authorization.cfg then? Can
you explain that to me a bit, so that I can create tests out of
that and also some documentation on how to use it.<br>
<br>
Thanks in advance,<br>
Michael<br>
<br>
<blockquote cite="mid:4CBC0DE0.2050706@niif.hu" type="cite">
<br>
Kind Regards,
<br>
Tibor Vago
<br>
<br>
<br>
2010-05-21 17:06, Vago Tibor wrote:
<br>
<blockquote type="cite">Dear Andreas,
<br>
<br>
Thanks for the quick answer.
<br>
We will start the development for this feature and send
patch(es) to
<br>
the ND list.
<br>
<br>
Kind regards,
<br>
Tibor
<br>
<br>
<br>
On 2010-05-19 12:15, Andreas Ericsson wrote:
<br>
<blockquote type="cite">On 05/19/2010 11:03 AM, Vágó Tibor
wrote:
<br>
<blockquote type="cite">Dear Nagios devel-list,
<br>
<br>
We would like to use attribute based authority checking in
Nagios.
<br>
We use authentication but not SSL-based.
<br>
<br>
Our concept (based on nagios-version-3.2.1) is the
following:
<br>
<br>
*Step1*
<br>
cgi/status.c:
<br>
-------------------------------------------------
<br>
//line136:
<br>
authdata current_authdata;
<br>
<br>
//line244:
<br>
get_authentication_information(&amp;current_authdata);
<br>
<br>
Add some char variables to authdata structure.
<br>
<br>
include/cgiauth.h
<br>
-------------------------------------------------
<br>
typedef struct authdata_struct{
<br>
char *username;
<br>
int authorized_for_all_hosts;
<br>
int authorized_for_all_host_commands;
<br>
int authorized_for_all_services;
<br>
int authorized_for_all_service_commands;
<br>
int authorized_for_system_information;
<br>
int authorized_for_system_commands;
<br>
int authorized_for_configuration_information;
<br>
int authorized_for_read_only;
<br>
int authenticated;
<br>
//TODO
<br>
char **host_allow_to_see;
<br>
char **service_allow_to_see;
<br>
...
<br>
}authdata;
<br>
<br>
<br>
<br>
<br>
*Step2*
<br>
cgi/cgiauth.c
<br>
-------------------------------------------------
<br>
line86 /* read in authorization override vars from config
file... */
<br>
line87
if((thefile=mmap_fopen(get_cgi_config_location()))!=NULL){
<br>
...
<br>
line95 if((input=mmap_fgets_multiline(thefile))==NULL)
<br>
line96 break;
<br>
<br>
authinfo->username="";
<br>
authinfo->authenticated=FALSE;
<br>
authinfo->authorized_for_all_hosts=FALSE;
<br>
authinfo->authorized_for_all_host_commands=FALSE;
<br>
authinfo->authorized_for_all_services=FALSE;
<br>
authinfo->authorized_for_all_service_commands=FALSE;
<br>
authinfo->authorized_for_system_information=FALSE;
<br>
authinfo->authorized_for_system_commands=FALSE;
<br>
authinfo->authorized_for_configuration_information=FALSE;
<br>
authinfo->authorized_for_read_only=FALSE;
<br>
// TODO:
<br>
// new local variable:
<br>
attribute_server_variable="entitlement";
<br>
<br>
<br>
<br>
*Step3*
<br>
Check whether the CGI config file contains
"attribute_server_variable".
<br>
If it doesn't contain it, then we can return just like now.
<br>
If it contains it, then read its value; otherwise the default
value is
<br>
"entitlement".
<br>
Then split the value on ";" and put the pieces into an
array.
<br>
<br>
Now we can compare the attribute pieces of the array from the server
variable
<br>
and the attributes from the CGI configs.
<br>
These comparisons will be placed in the following functions:
<br>
<br>
int is_authorized_for_host(){...}
<br>
int is_authorized_for_service(){...}
<br>
...
<br>
etc.
<br>
<br>
Can anyone inform me if this feature is currently under
development or
<br>
already usable.
<br>
</blockquote>
<br>
It's not under development and it's definitely not already
usable.
<br>
<br>
<blockquote type="cite">If not, we would like to add this
feature to the
<br>
Nagios source code in cooperation with the developer team. How
can I send
<br>
patches or modifications?
<br>
<br>
</blockquote>
<br>
You can send patches in unified diff format to this list,
where I, Ton
<br>
or Ethan will pick them up and put them "somewhere" and
evaluate them
<br>
for a future release. Note that details about the patch may
well be
<br>
altered during the review process. If the patch is crap, we'll
tell you
<br>
so and give you details about what needs to be changed in
order for it
<br>
to be accepted.
<br>
<br>
Since it's a change to the cgi's, no new major release has to
be done.
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
DI (FH) Michael Friedrich
Vienna University Computer Center
Universitaetsstrasse 7 A-1010 Vienna, Austria
email: <a class="moz-txt-link-abbreviated" href="mailto:michael.friedrich@univie.ac.at">michael.friedrich@univie.ac.at</a>
phone: +43 1 4277 14359
fax: +43 1 4277 14279
web: <a class="moz-txt-link-freetext" href="http://www.univie.ac.at/zid">http://www.univie.ac.at/zid</a>
Icinga Core &amp; IDOUtils Developer
<a class="moz-txt-link-freetext" href="http://www.icinga.org">http://www.icinga.org</a>
</pre>
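<br>
The matching rule sketched in Step 3 of the quoted proposal (split the server variable on ";" and compare the pieces with a configured attribute), as an added example that is not part of the thread or of the attached patch. The function names and the sample attribute values are assumptions; only the default variable name "entitlement" and the ";" separator come from the thread.

```c
/* Added example; not code from the patch discussed in this thread. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 only if `required` equals one whole ';'-separated piece of
 * `value`. NULL or empty input denies, so a missing variable fails closed. */
int attribute_list_contains(const char *value, const char *required)
{
    const char *piece, *end;
    size_t need, len;

    if (value == NULL || required == NULL || *required == '\0')
        return 0;
    need = strlen(required);
    for (piece = value; ; piece = end + 1) {
        end = strchr(piece, ';');
        len = end ? (size_t)(end - piece) : strlen(piece);
        /* Whole-piece comparison: a substring test would let
         * "ops-admin" satisfy a rule that requires "admin". */
        if (len == need && memcmp(piece, required, need) == 0)
            return 1;
        if (end == NULL)
            return 0;
    }
}

/* Hypothetical wrapper: reads the server variable named in the thread
 * ("entitlement" when none is configured) from the CGI environment. */
int is_authorized_by_attribute(const char *server_variable, const char *required)
{
    const char *name = (server_variable && *server_variable)
                           ? server_variable : "entitlement";
    return attribute_list_contains(getenv(name), required);
}

int main(void)
{
    /* Constructed sample value, not taken from a real deployment. */
    const char *sample = "nagios-viewer;nagios-ops-admin";
    printf("viewer=%d admin=%d\n",
           attribute_list_contains(sample, "nagios-viewer"),
           attribute_list_contains(sample, "admin"));
    return 0;
}
```

The pieces are compared byte for byte with no whitespace trimming, so the web server and the CGI configuration must agree on the exact attribute strings.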
</body>
</html>