[icinga-checkins] icinga.org: icinga-core/mfriedrich/cgis: classic ui: authorization for * in cgi.cfg via contactgroups (Stephen Gran) #1752

git at icinga.org git at icinga.org
Tue Jul 26 17:51:42 CEST 2011


Module: icinga-core
Branch: mfriedrich/cgis
Commit: a85e3e6b3694ea0d3374c4148109098d489fe48e
URL:    https://git.icinga.org/?p=icinga-core.git;a=commit;h=a85e3e6b3694ea0d3374c4148109098d489fe48e

Author: Michael Friedrich <michael.friedrich at univie.ac.at>
Date:   Tue Jul 26 17:51:22 2011 +0200

classic ui: authorization for * in cgi.cfg via contactgroups (Stephen Gran) #1752
        ** authorized_contactgroup_for_all_hosts, authorized_contactgroup_for_all_services, authorized_contactgroup_for_system_information,
        ** authorized_contactgroup_for_configuration_information, authorized_contactgroup_for_all_host_commands,
        ** authorized_contactgroup_for_all_service_commands, authorized_contactgroup_for_system_commands, authorized_contactgroup_for_read_only

refs #1752

---

 AUTHORS                  |    1 +
 Changelog                |    4 +++
 cgi/cgiauth.c            |   68 ++++++++++++++++++++++++++++++++++++++++++++++
 sample-config/cgi.cfg.in |   25 +++++++++++++---
 4 files changed, 93 insertions(+), 5 deletions(-)

diff --git a/AUTHORS b/AUTHORS
index b88ff75..e524675 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -15,6 +15,7 @@ Mathieu Gagné
 Ethan Galstad
 Mark Gius
 DECOIT GmbH
+Stephen Gran
 Marius Hein
 Matthieu Kermagoret
 Petya Kohts
diff --git a/Changelog b/Changelog
index 8601947..4c57a4c 100644
--- a/Changelog
+++ b/Changelog
@@ -19,6 +19,10 @@ ENHANCEMENTS
 * classic ui: reduce the header part of status.cgi #1507
 	** &nostatusheader used in frameset menu, info table is smaller
 	** edit menu.html and remove &nostatusheader if old behavior wanted
+* classic ui: authorization for * in cgi.cfg via contactgroups (Stephen Gran) #1752
+	** authorized_contactgroup_for_all_hosts, authorized_contactgroup_for_all_services, authorized_contactgroup_for_system_information,
+	** authorized_contactgroup_for_configuration_information, authorized_contactgroup_for_all_host_commands,
+	** authorized_contactgroup_for_all_service_commands, authorized_contactgroup_for_system_commands, authorized_contactgroup_for_read_only
 
 * install: add --with-p1-file-dir allowing custom location (default is now $libdir instead of $bindir) #1569
 	** only when embedded perl is enabled
diff --git a/cgi/cgiauth.c b/cgi/cgiauth.c
index 1a6f96d..663dca5 100644
--- a/cgi/cgiauth.c
+++ b/cgi/cgiauth.c
@@ -44,6 +44,8 @@ int get_authentication_information(authdata *authinfo){
 	mmapfile *thefile;
 	char *input=NULL;
 	char *temp_ptr;
+	contact *temp_contact;
+	contactgroup *temp_contactgroup;
 
 	if(authinfo==NULL)
 		return ERROR;
@@ -182,6 +184,72 @@ int get_authentication_information(authdata *authinfo){
 				if(temp_ptr!=NULL)
 					parse_authorization_config_file(temp_ptr, authinfo);
 			}
+			else if ((temp_contact=find_contact(authinfo->username)) != NULL) {
+				if(strstr(input,"authorized_contactgroup_for_all_hosts=")==input){
+					temp_ptr=strtok(input,"=");
+					while((temp_ptr=strtok(NULL,","))){
+						temp_contactgroup=find_contactgroup(temp_ptr);
+						if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
+							authinfo->authorized_for_all_hosts=TRUE;
+				        }
+				}
+				else if(strstr(input,"authorized_contactgroup_for_all_services=")==input){
+					temp_ptr=strtok(input,"=");
+					while((temp_ptr=strtok(NULL,","))){
+						temp_contactgroup=find_contactgroup(temp_ptr);
+						if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
+							authinfo->authorized_for_all_services=TRUE;
+				        }
+				}
+				else if(strstr(input,"authorized_contactgroup_for_system_information=")==input){
+					temp_ptr=strtok(input,"=");
+					while((temp_ptr=strtok(NULL,","))){
+						temp_contactgroup=find_contactgroup(temp_ptr);
+						if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
+							authinfo->authorized_for_system_information=TRUE;
+				        }
+				}
+				else if(strstr(input,"authorized_contactgroup_for_configuration_information=")==input){
+					temp_ptr=strtok(input,"=");
+					while((temp_ptr=strtok(NULL,","))){
+						temp_contactgroup=find_contactgroup(temp_ptr);
+						if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
+							authinfo->authorized_for_configuration_information=TRUE;
+				        }
+				}
+				else if(strstr(input,"authorized_contactgroup_for_all_host_commands=")==input){
+					temp_ptr=strtok(input,"=");
+					while((temp_ptr=strtok(NULL,","))){
+						temp_contactgroup=find_contactgroup(temp_ptr);
+						if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
+							authinfo->authorized_for_all_host_commands=TRUE;
+				        }
+				}
+				else if(strstr(input,"authorized_contactgroup_for_all_service_commands=")==input){
+					temp_ptr=strtok(input,"=");
+					while((temp_ptr=strtok(NULL,","))){
+						temp_contactgroup=find_contactgroup(temp_ptr);
+						if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
+							authinfo->authorized_for_all_service_commands=TRUE;
+				        }
+				}
+				else if(strstr(input,"authorized_contactgroup_for_system_commands=")==input){
+					temp_ptr=strtok(input,"=");
+					while((temp_ptr=strtok(NULL,","))){
+						temp_contactgroup=find_contactgroup(temp_ptr);
+						if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
+							authinfo->authorized_for_system_commands=TRUE;
+				       	}
+				}
+				else if(strstr(input,"authorized_contactgroup_for_read_only=")==input){
+                                        temp_ptr=strtok(input,"=");
+                                        while((temp_ptr=strtok(NULL,","))){
+						temp_contactgroup=find_contactgroup(temp_ptr);
+						if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
+                                                        authinfo->authorized_for_read_only=TRUE;
+                                	}
+                        	}
+			}
 		}
 
 		/* free memory and close the file */
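Review bot: The result of `find_contactgroup(temp_ptr)` is passed to `is_contact_member_of_contactgroup()` without a NULL check in all eight branches. A group name that is misspelled, or that carries a stray space after the comma, therefore relies on that callee tolerating NULL, which is not visible in this hunk. For seven of the keys a missed lookup only withholds a grant, but for `authorized_contactgroup_for_read_only` it silently leaves the user unrestricted, so an unknown name there deserves at least a log line. The eight loops differ only in the key and the flag they set, so one helper would keep the check in a single place, as sketched below. `find_contact(authinfo->username)` also sits in the `else if` condition and runs for every config line that reaches it; it could be resolved once before the line loop, which starts outside this hunk.

```c
/* Return TRUE if cntct belongs to any contactgroup named in a "key=grp1,grp2" line. */
static int contact_in_listed_groups(char *line, contact *cntct){
	char *name;
	contactgroup *grp;

	if(strtok(line,"=")==NULL)
		return FALSE;
	while((name=strtok(NULL,","))!=NULL){
		grp=find_contactgroup(name);
		if(grp==NULL)
			continue;	/* unknown group name: matches nothing, worth logging */
		if(is_contact_member_of_contactgroup(grp, cntct))
			return TRUE;
	}
	return FALSE;
}

/* … unchanged: earlier branches of the config-line chain … */
else if((temp_contact=find_contact(authinfo->username))!=NULL){
	if(strstr(input,"authorized_contactgroup_for_all_hosts=")==input){
		if(contact_in_listed_groups(input, temp_contact))
			authinfo->authorized_for_all_hosts=TRUE;
	}
	/* … the other seven authorized_contactgroup_for_* keys follow the same shape … */
}
```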
diff --git a/sample-config/cgi.cfg.in b/sample-config/cgi.cfg.in
index d2994f4..36ee6e7 100644
--- a/sample-config/cgi.cfg.in
+++ b/sample-config/cgi.cfg.in
@@ -187,9 +187,11 @@ use_ssl_authentication=0
 # default, *no one* has access to this unless you choose to
 # not use authorization.  You may use an asterisk (*) to
 # authorize any user who has authenticated to the web server.
+# Alternatively you can specify contactgroups too, starting
+# with Icinga 1.5.0
 
 authorized_for_system_information=icingaadmin
-
+#authorized_contactgroup_for_system_information=
 
 
 # CONFIGURATION INFORMATION ACCESS
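Review bot: The added comment "Alternatively you can specify contactgroups too" does not give the value format or the precondition that the cgiauth.c change in this commit imposes, and the same two lines are repeated in the five later cgi.cfg.in hunks. That code splits the value on `,` without trimming and only evaluates these keys when the authenticated username resolves to a defined contact. Nothing in it treats `*` specially, so the asterisk shortcut described just above presumably does not carry over to the contactgroup keys. A fuller comment would prevent silent misconfiguration, for example `# Alternatively (Icinga 1.5.0+) list contactgroup names, comma-separated` followed by `# without spaces; the logged-in user must be a defined contact.`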
@@ -199,9 +201,11 @@ authorized_for_system_information=icingaadmin
 # for the hosts and services they are contacts for. You may use
 # an asterisk (*) to authorize any user who has authenticated
 # to the web server.
+# Alternatively you can specify contactgroups too, starting
+# with Icinga 1.5.0
 
 authorized_for_configuration_information=icingaadmin
-
+#authorized_contactgroup_for_configuration_information=
 
 
 # SYSTEM/PROCESS COMMAND ACCESS
@@ -212,9 +216,11 @@ authorized_for_configuration_information=icingaadmin
 # has access to this unless you choose to not use authorization.
 # You may use an asterisk (*) to authorize any user who has
 # authenticated to the web server.
+# Alternatively you can specify contactgroups too, starting
+# with Icinga 1.5.0
 
 authorized_for_system_commands=icingaadmin
-
+#authorized_contactgroup_for_system_commands=
 
 
 # GLOBAL HOST/SERVICE VIEW ACCESS
@@ -224,11 +230,14 @@ authorized_for_system_commands=icingaadmin
 # for hosts or services that they are contacts for (unless you
 # you choose to not use authorization). You may use an asterisk (*)
 # to authorize any user who has authenticated to the web server.
+# Alternatively you can specify contactgroups too, starting
+# with Icinga 1.5.0
 
 
 authorized_for_all_services=icingaadmin
 authorized_for_all_hosts=icingaadmin
-
+#authorized_contactgroup_for_all_services=
+#authorized_contactgroup_for_all_hosts=
 
 
 # GLOBAL HOST/SERVICE COMMAND ACCESS
@@ -239,10 +248,13 @@ authorized_for_all_hosts=icingaadmin
 # that they are contacts for (unless you you choose to not use
 # authorization).  You may use an asterisk (*) to authorize any
 # user who has authenticated to the web server.
+# Alternatively you can specify contactgroups too, starting
+# with Icinga 1.5.0
 
 authorized_for_all_service_commands=icingaadmin
 authorized_for_all_host_commands=icingaadmin
-
+#authorized_contactgroup_for_all_service_commands=
+#authorized_contactgroup_for_all_host_commands=
 
 
 # READ-ONLY USERS
@@ -250,8 +262,11 @@ authorized_for_all_host_commands=icingaadmin
 # the CGIs.  This will block any service or host commands normally shown
 # on the extinfo CGI pages.  It will also block comments from being shown
 # to read-only users.
+# Alternatively you can specify contactgroups too, starting
+# with Icinga 1.5.0
 
 #authorized_for_read_only=user1,user2
+#authorized_contactgroup_for_read_only=
 
 
 # SHOW ALL SERVICES THE HOST IS AUTHORIZED FOR




