This repository has been archived by the owner on Jan 15, 2019. It is now read-only.

[dev.icinga.com #909] Attribute based authorization based on Shibboleth #417

Closed
icinga-migration opened this issue Oct 18, 2010 · 4 comments

Comments

@icinga-migration

This issue has been migrated from Redmine: https://dev.icinga.com/issues/909

Created by mfriedrich on 2010-10-18 14:05:40 +00:00

Assignee: mfriedrich
Status: Resolved (closed on 2010-12-17 17:38:30 +00:00)
Target Version: 1.3
Last Update: 2014-12-08 09:34:23 +00:00 (in Redmine)


-------- Original Message --------
Subject:    Re: [Nagios-devel] Nagios - Attribute based authorization
Date:   Mon, 18 Oct 2010 11:05:36 +0200
From:   Vágó Tibor 
Reply-To:   Nagios Developers List 
To:     Nagios Developers List 
CC:     crm@niif.hu, Gabor ROCZEI 


Dear List,

the development of this feature has been finished and it had been 
tested in 99% of possible cases. The patch is attached to this e-mail. 
As you can see we work with nagios version 3.2.1.

Kind Regards,
Tibor Vago


2010-05-21 17:06, Vago Tibor wrote:
> Dear Andreas,
>
> Thanks for the quick answer.
> We will start the development for this feature and send patch(es) to
> the ND list.
>
> Kind regards,
> Tibor
>
>
> On 2010-05-19 12:15, Andreas Ericsson wrote:
>> On 05/19/2010 11:03 AM, Vágó Tibor wrote:
>>> Dear Nagios devel-list,
>>>
>>> We would like to use attribute based authority checking in Nagios.
>>> We use authentication but not SSL-based.
>>>
>>> Our conception is (based nagios-version-3.2.1) the following:
>>>
>>> *Step1*
>>> cgi/status.c:
>>> -------------------------------------------------
>>> //line136:
>>> authdata current_authdata;
>>>
>>> //line244:
>>> get_authentication_information(&current_authdata);
>>>
>>> Add some char variables to authdata structure.
>>>
>>> include/cgiauth.h
>>> -------------------------------------------------
>>> typedef struct authdata_struct{
>>> char *username;
>>> int authorized_for_all_hosts;
>>> int authorized_for_all_host_commands;
>>> int authorized_for_all_services;
>>> int authorized_for_all_service_commands;
>>> int authorized_for_system_information;
>>> int authorized_for_system_commands;
>>> int authorized_for_configuration_information;
>>> int authorized_for_read_only;
>>> int authenticated;
>>> //TODO
>>> char **host_allow_to_see;
>>> char **service_allow_to_see;
>>> ...
>>> }authdata;
>>>
>>>
>>>
>>>
>>> *Step2*
>>> cgi/cgiauth.c
>>> -------------------------------------------------
>>> line86 /* read in authorization override vars from config file... */
>>> line87 if((thefile=mmap_fopen(get_cgi_config_location()))!=NULL){
>>> ...
>>> line95 if((input=mmap_fgets_multiline(thefile))==NULL)
>>> line96 break;
>>>
>>> authinfo->username="";
>>> authinfo->authenticated=FALSE;
>>> authinfo->authorized_for_all_hosts=FALSE;
>>> authinfo->authorized_for_all_host_commands=FALSE;
>>> authinfo->authorized_for_all_services=FALSE;
>>> authinfo->authorized_for_all_service_commands=FALSE;
>>> authinfo->authorized_for_system_information=FALSE;
>>> authinfo->authorized_for_system_commands=FALSE;
>>> authinfo->authorized_for_configuration_information=FALSE;
>>> authinfo->authorized_for_read_only=FALSE;
>>> // TODO:
>>> // newlocal variable:
>>> attribute_server_variable="entitlement";
>>>
>>>
>>>
>>> *Step3*
>>> Check whether the CGI config file contains "attribute_server_variable".
>>> If it doesn't contain it, then we can return just like now.
>>> If it contains it, then read its value; otherwise the default value is
>>> "entitlement".
>>> Then split the value at ";" and put the pieces into an array.
>>>
>>> Now we can compare the attribute pieces of the array from the server
>>> variable and the attributes from the CGI configs.
>>> These comparisons will be placed in the following functions:
>>>
>>> int is_authorized_for_host(){...}
>>> int is_authorized_for_service(){...}
>>> ...
>>> etc.
>>>
>>> Can anyone inform me if this feature is currently under development or
>>> already usable?
>>
>> It's not under development and it's definitely not already usable.
>>
>>> If not, we would like to add this feature to the
>>> Nagios source code in cooperation with the developer team. How can I send
>>> patches or modifications?
>>>
>>
>> You can send patches in unified diff format to this list, where I, Ton
>> or Ethan will pick them up and put them "somewhere" and evaluate them
>> for a future release. Note that details about the patch may well be
>> altered during the review process. If the patch is crap, we'll tell you
>> so and give you details about what needs to be changed in order for it
>> to be accepted.
>>
>> Since it's a change to the cgi's, no new major release has to be done.
>>
>

Attachments

Changesets

2010-11-05 16:36:40 +00:00 by mfriedrich 71e9bc8

classic ui: add attribute based authorization (Tibor Vago, NIIF) #909

needs further testing though, but kept all optional.
docs pending too.

refs #909
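
The comparison described in Step 3 of the quoted proposal, as an added example that is not part of the original e-mail or the committed patch: the server variable's value is split at ";" and each piece is compared for exact equality with the attributes allowed for a host or service, denying when the variable is missing or empty. The function names `attr_match` and `is_authorized_by_attribute` and the sample value in the comment are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if any ';'-separated piece of server_value exactly equals one of
 * the allowed attribute strings, else 0. A missing or empty variable, or an
 * empty allow list, denies. The input is never written to: getenv() memory
 * must not be modified, so strtok() is avoided.
 * Constructed sample input: "urn:example:other;urn:example:nagios:admin" */
int attr_match(const char *server_value, const char *const *allowed,
               size_t n_allowed)
{
    const char *p = server_value;

    if (p == NULL || allowed == NULL || n_allowed == 0)
        return 0;                        /* default deny */

    while (*p != '\0') {
        size_t len = strcspn(p, ";");    /* length of the current piece */
        size_t i;

        if (len > 0) {                   /* skip empty pieces such as ";;" */
            for (i = 0; i < n_allowed; i++) {
                /* exact match: same length and same bytes, so a piece that
                 * is only a prefix or an extension of an allowed value
                 * does not authorize */
                if (allowed[i] != NULL && strlen(allowed[i]) == len &&
                    memcmp(allowed[i], p, len) == 0)
                    return 1;
            }
        }
        p += len;
        if (*p == ';')
            p++;                         /* step over the separator */
    }
    return 0;
}

/* Hypothetical wrapper: read the variable named by attribute_server_variable
 * from the CGI environment, falling back to the proposal's default name. */
int is_authorized_by_attribute(const char *var_name,
                               const char *const *allowed, size_t n_allowed)
{
    return attr_match(getenv(var_name ? var_name : "entitlement"),
                      allowed, n_allowed);
}
```

The length check before `memcmp` is what keeps a value such as `urn:example:nagios:adm` from matching an allowed `urn:example:nagios:admin`; a `strncmp` over the shorter length would accept it.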
@icinga-migration

Updated by mfriedrich on 2010-11-04 17:36:02 +00:00

  • Status changed from New to Assigned
  • Assigned to set to mfriedrich

@icinga-migration

Updated by mfriedrich on 2010-11-09 16:14:33 +00:00

  • Done % changed from 0 to 90

some testing needed.

@icinga-migration

Updated by mfriedrich on 2010-12-17 17:38:30 +00:00

  • Subject changed from Attribute based authorization to Attribute based authorization based on Shibboleth
  • Status changed from Assigned to Resolved
  • Done % changed from 90 to 100

@icinga-migration

Updated by mfriedrich on 2014-12-08 09:34:23 +00:00

  • Project changed from 19 to Core, Classic UI, IDOUtils
  • Category set to Classic UI
