[icinga-checkins] icinga.org: icinga-core/mbrooks/cgis: classic ui: authorization for * in cgi.cfg via contactgroups (Stephen Gran) #1752
git at icinga.org
git at icinga.org
Fri Jul 29 00:39:58 CEST 2011
Module: icinga-core
Branch: mbrooks/cgis
Commit: a85e3e6b3694ea0d3374c4148109098d489fe48e
URL: https://git.icinga.org/?p=icinga-core.git;a=commit;h=a85e3e6b3694ea0d3374c4148109098d489fe48e
Author: Michael Friedrich <michael.friedrich at univie.ac.at>
Date: Tue Jul 26 17:51:22 2011 +0200
classic ui: authorization for * in cgi.cfg via contactgroups (Stephen Gran) #1752
** authorized_contactgroup_for_all_hosts, authorized_contactgroup_for_all_services, authorized_contactgroup_for_system_information,
** authorized_contactgroup_for_configuration_information, authorized_contactgroup_for_all_host_commands,
** authorized_contactgroup_for_all_service_commands, authorized_contactgroup_for_system_commands, authorized_contactgroup_for_read_only
refs #1752
---
AUTHORS | 1 +
Changelog | 4 +++
cgi/cgiauth.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++
sample-config/cgi.cfg.in | 25 +++++++++++++---
4 files changed, 93 insertions(+), 5 deletions(-)
diff --git a/AUTHORS b/AUTHORS
index b88ff75..e524675 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -15,6 +15,7 @@ Mathieu Gagné
Ethan Galstad
Mark Gius
DECOIT GmbH
+Stephen Gran
Marius Hein
Matthieu Kermagoret
Petya Kohts
diff --git a/Changelog b/Changelog
index 8601947..4c57a4c 100644
--- a/Changelog
+++ b/Changelog
@@ -19,6 +19,10 @@ ENHANCEMENTS
* classic ui: reduce the header part of status.cgi #1507
** &nostatusheader used in frameset menu, info table is smaller
** edit menu.html and remove &nostatusheader if old behavior wanted
+* classic ui: authorization for * in cgi.cfg via contactgroups (Stephen Gran) #1752
+ ** authorized_contactgroup_for_all_hosts, authorized_contactgroup_for_all_services, authorized_contactgroup_for_system_information,
+ ** authorized_contactgroup_for_configuration_information, authorized_contactgroup_for_all_host_commands,
+ ** authorized_contactgroup_for_all_service_commands, authorized_contactgroup_for_system_commands, authorized_contactgroup_for_read_only
* install: add --with-p1-file-dir allowing custom location (default is now $libdir instead of $bindir) #1569
** only when embedded perl is enabled
diff --git a/cgi/cgiauth.c b/cgi/cgiauth.c
index 1a6f96d..663dca5 100644
--- a/cgi/cgiauth.c
+++ b/cgi/cgiauth.c
@@ -44,6 +44,8 @@ int get_authentication_information(authdata *authinfo){
mmapfile *thefile;
char *input=NULL;
char *temp_ptr;
+ contact *temp_contact;
+ contactgroup *temp_contactgroup;
if(authinfo==NULL)
return ERROR;
@@ -182,6 +184,72 @@ int get_authentication_information(authdata *authinfo){
if(temp_ptr!=NULL)
parse_authorization_config_file(temp_ptr, authinfo);
}
+ else if ((temp_contact=find_contact(authinfo->username)) != NULL) {
+ if(strstr(input,"authorized_contactgroup_for_all_hosts=")==input){
+ temp_ptr=strtok(input,"=");
+ while((temp_ptr=strtok(NULL,","))){
+ temp_contactgroup=find_contactgroup(temp_ptr);
+ if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
+ authinfo->authorized_for_all_hosts=TRUE;
+ }
+ }
+ else if(strstr(input,"authorized_contactgroup_for_all_services=")==input){
+ temp_ptr=strtok(input,"=");
+ while((temp_ptr=strtok(NULL,","))){
+ temp_contactgroup=find_contactgroup(temp_ptr);
+ if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
+ authinfo->authorized_for_all_services=TRUE;
+ }
+ }
+ else if(strstr(input,"authorized_contactgroup_for_system_information=")==input){
+ temp_ptr=strtok(input,"=");
+ while((temp_ptr=strtok(NULL,","))){
+ temp_contactgroup=find_contactgroup(temp_ptr);
+ if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
+ authinfo->authorized_for_system_information=TRUE;
+ }
+ }
+ else if(strstr(input,"authorized_contactgroup_for_configuration_information=")==input){
+ temp_ptr=strtok(input,"=");
+ while((temp_ptr=strtok(NULL,","))){
+ temp_contactgroup=find_contactgroup(temp_ptr);
+ if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
+ authinfo->authorized_for_configuration_information=TRUE;
+ }
+ }
+ else if(strstr(input,"authorized_contactgroup_for_all_host_commands=")==input){
+ temp_ptr=strtok(input,"=");
+ while((temp_ptr=strtok(NULL,","))){
+ temp_contactgroup=find_contactgroup(temp_ptr);
+ if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
+ authinfo->authorized_for_all_host_commands=TRUE;
+ }
+ }
+ else if(strstr(input,"authorized_contactgroup_for_all_service_commands=")==input){
+ temp_ptr=strtok(input,"=");
+ while((temp_ptr=strtok(NULL,","))){
+ temp_contactgroup=find_contactgroup(temp_ptr);
+ if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
+ authinfo->authorized_for_all_service_commands=TRUE;
+ }
+ }
+ else if(strstr(input,"authorized_contactgroup_for_system_commands=")==input){
+ temp_ptr=strtok(input,"=");
+ while((temp_ptr=strtok(NULL,","))){
+ temp_contactgroup=find_contactgroup(temp_ptr);
+ if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
+ authinfo->authorized_for_system_commands=TRUE;
+ }
+ }
+ else if(strstr(input,"authorized_contactgroup_for_read_only=")==input){
+ temp_ptr=strtok(input,"=");
+ while((temp_ptr=strtok(NULL,","))){
+ temp_contactgroup=find_contactgroup(temp_ptr);
+ if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
+ authinfo->authorized_for_read_only=TRUE;
+ }
+ }
+ }
}
/* free memory and close the file */
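Review bot: In all eight new branches the result of `find_contactgroup(temp_ptr)` is passed straight to `is_contact_member_of_contactgroup()` without a NULL check, so a misspelled or undefined group name in cgi.cfg depends on that callee tolerating NULL, which this hunk does not show. The branches are the same five-line `strtok` loop with only the flag changed, so one static helper that skips unresolved groups and stops at the first match would carry the check in a single place. For `authorized_contactgroup_for_read_only` a failed lookup leaves the user unrestricted rather than read-only, so an unresolved name there is worth reporting rather than silently ignoring. Tokens are split on `,` only, so it looks as if `group1, group2` would look up a name with a leading space; confirm whether the lookup trims it. The body of get_authentication_information starts and ends outside the hunk.

```c
/* TRUE if cntct belongs to any contactgroup named in the comma-separated
 * value of a "directive=group1,group2" line; unknown group names grant nothing */
static int contact_in_listed_contactgroups(char *input, contact *cntct){
	char *group_name;
	contactgroup *group;

	strtok(input,"=");
	while((group_name=strtok(NULL,","))!=NULL){
		group=find_contactgroup(group_name);
		if(group==NULL)
			continue;
		if(is_contact_member_of_contactgroup(group, cntct))
			return TRUE;
	}
	return FALSE;
}

	else if ((temp_contact=find_contact(authinfo->username)) != NULL) {
		if(strstr(input,"authorized_contactgroup_for_all_hosts=")==input){
			if(contact_in_listed_contactgroups(input, temp_contact))
				authinfo->authorized_for_all_hosts=TRUE;
		}
		/* … unchanged: the other seven authorized_contactgroup_for_* directives, same two-line body … */
```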
diff --git a/sample-config/cgi.cfg.in b/sample-config/cgi.cfg.in
index d2994f4..36ee6e7 100644
--- a/sample-config/cgi.cfg.in
+++ b/sample-config/cgi.cfg.in
@@ -187,9 +187,11 @@ use_ssl_authentication=0
# default, *no one* has access to this unless you choose to
# not use authorization. You may use an asterisk (*) to
# authorize any user who has authenticated to the web server.
+# Alternatively you can specify contactgroups too, starting
+# with Icinga 1.5.0
authorized_for_system_information=icingaadmin
-
+#authorized_contactgroup_for_system_information=
# CONFIGURATION INFORMATION ACCESS
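Review bot: The added comment "Alternatively you can specify contactgroups too" does not tell the administrator when a group entry takes effect, and the same wording is repeated in the five later hunks of this file. Per the cgiauth.c change the group directives are only evaluated when the authenticated user name resolves through `find_contact()`, so a web user with no matching contact object gains nothing from them. I would extend the comment along the lines of `# The web user name must match a contact object that is a member of one of the listed contactgroups.` and state that the value is a comma-separated list of contactgroup names. In the READ-ONLY section it is also worth saying that group membership restricts the user, unlike the other directives, which grant access.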
@@ -199,9 +201,11 @@ authorized_for_system_information=icingaadmin
# for the hosts and services they are contacts for. You may use
# an asterisk (*) to authorize any user who has authenticated
# to the web server.
+# Alternatively you can specify contactgroups too, starting
+# with Icinga 1.5.0
authorized_for_configuration_information=icingaadmin
-
+#authorized_contactgroup_for_configuration_information=
# SYSTEM/PROCESS COMMAND ACCESS
@@ -212,9 +216,11 @@ authorized_for_configuration_information=icingaadmin
# has access to this unless you choose to not use authorization.
# You may use an asterisk (*) to authorize any user who has
# authenticated to the web server.
+# Alternatively you can specify contactgroups too, starting
+# with Icinga 1.5.0
authorized_for_system_commands=icingaadmin
-
+#authorized_contactgroup_for_system_commands=
# GLOBAL HOST/SERVICE VIEW ACCESS
@@ -224,11 +230,14 @@ authorized_for_system_commands=icingaadmin
# for hosts or services that they are contacts for (unless you
# you choose to not use authorization). You may use an asterisk (*)
# to authorize any user who has authenticated to the web server.
+# Alternatively you can specify contactgroups too, starting
+# with Icinga 1.5.0
authorized_for_all_services=icingaadmin
authorized_for_all_hosts=icingaadmin
-
+#authorized_contactgroup_for_all_services=
+#authorized_contactgroup_for_all_hosts=
# GLOBAL HOST/SERVICE COMMAND ACCESS
@@ -239,10 +248,13 @@ authorized_for_all_hosts=icingaadmin
# that they are contacts for (unless you you choose to not use
# authorization). You may use an asterisk (*) to authorize any
# user who has authenticated to the web server.
+# Alternatively you can specify contactgroups too, starting
+# with Icinga 1.5.0
authorized_for_all_service_commands=icingaadmin
authorized_for_all_host_commands=icingaadmin
-
+#authorized_contactgroup_for_all_service_commands=
+#authorized_contactgroup_for_all_host_commands=
# READ-ONLY USERS
@@ -250,8 +262,11 @@ authorized_for_all_host_commands=icingaadmin
# the CGIs. This will block any service or host commands normally shown
# on the extinfo CGI pages. It will also block comments from being shown
# to read-only users.
+# Alternatively you can specify contactgroups too, starting
+# with Icinga 1.5.0
#authorized_for_read_only=user1,user2
+#authorized_contactgroup_for_read_only=
# SHOW ALL SERVICES THE HOST IS AUTHORIZED FOR