
classic ui: authorization for * in cgi.cfg via contactgroups (Stephen…

… Gran) #1752

        ** authorized_contactgroup_for_all_hosts, authorized_contactgroup_for_all_services, authorized_contactgroup_for_system_information,
        ** authorized_contactgroup_for_configuration_information, authorized_contactgroup_for_all_host_commands,
        ** authorized_contactgroup_for_all_service_commands, authorized_contactgroup_for_system_commands, authorized_contactgroup_for_read_only

refs #1752
Michael Friedrich
Michael Friedrich committed Jul 26, 2011
1 parent 0c6212d commit a85e3e6b3694ea0d3374c4148109098d489fe48e
Showing with 93 additions and 5 deletions.
  1. +1 −0 AUTHORS
  2. +4 −0 Changelog
  3. +68 −0 cgi/cgiauth.c
  4. +20 −5 sample-config/cgi.cfg.in
@@ -15,6 +15,7 @@ Mathieu Gagné
Ethan Galstad
Mark Gius
DECOIT GmbH
Stephen Gran
Marius Hein
Matthieu Kermagoret
Petya Kohts
@@ -19,6 +19,10 @@ ENHANCEMENTS
* classic ui: reduce the header part of status.cgi #1507
** &nostatusheader used in frameset menu, info table is smaller
** edit menu.html and remove &nostatusheader if old behavior wanted
* classic ui: authorization for * in cgi.cfg via contactgroups (Stephen Gran) #1752
** authorized_contactgroup_for_all_hosts, authorized_contactgroup_for_all_services, authorized_contactgroup_for_system_information,
** authorized_contactgroup_for_configuration_information, authorized_contactgroup_for_all_host_commands,
** authorized_contactgroup_for_all_service_commands, authorized_contactgroup_for_system_commands, authorized_contactgroup_for_read_only

* install: add --with-p1-file-dir allowing custom location (default is now $libdir instead of $bindir) #1569
** only when embedded perl is enabled
@@ -44,6 +44,8 @@ int get_authentication_information(authdata *authinfo){
mmapfile *thefile;
char *input=NULL;
char *temp_ptr;
contact *temp_contact;
contactgroup *temp_contactgroup;

if(authinfo==NULL)
return ERROR;
@@ -182,6 +184,72 @@ int get_authentication_information(authdata *authinfo){
if(temp_ptr!=NULL)
parse_authorization_config_file(temp_ptr, authinfo);
}
else if ((temp_contact=find_contact(authinfo->username)) != NULL) {
if(strstr(input,"authorized_contactgroup_for_all_hosts=")==input){
temp_ptr=strtok(input,"=");
while((temp_ptr=strtok(NULL,","))){
temp_contactgroup=find_contactgroup(temp_ptr);
if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
authinfo->authorized_for_all_hosts=TRUE;
}
}
else if(strstr(input,"authorized_contactgroup_for_all_services=")==input){
temp_ptr=strtok(input,"=");
while((temp_ptr=strtok(NULL,","))){
temp_contactgroup=find_contactgroup(temp_ptr);
if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
authinfo->authorized_for_all_services=TRUE;
}
}
else if(strstr(input,"authorized_contactgroup_for_system_information=")==input){
temp_ptr=strtok(input,"=");
while((temp_ptr=strtok(NULL,","))){
temp_contactgroup=find_contactgroup(temp_ptr);
if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
authinfo->authorized_for_system_information=TRUE;
}
}
else if(strstr(input,"authorized_contactgroup_for_configuration_information=")==input){
temp_ptr=strtok(input,"=");
while((temp_ptr=strtok(NULL,","))){
temp_contactgroup=find_contactgroup(temp_ptr);
if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
authinfo->authorized_for_configuration_information=TRUE;
}
}
else if(strstr(input,"authorized_contactgroup_for_all_host_commands=")==input){
temp_ptr=strtok(input,"=");
while((temp_ptr=strtok(NULL,","))){
temp_contactgroup=find_contactgroup(temp_ptr);
if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
authinfo->authorized_for_all_host_commands=TRUE;
}
}
else if(strstr(input,"authorized_contactgroup_for_all_service_commands=")==input){
temp_ptr=strtok(input,"=");
while((temp_ptr=strtok(NULL,","))){
temp_contactgroup=find_contactgroup(temp_ptr);
if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
authinfo->authorized_for_all_service_commands=TRUE;
}
}
else if(strstr(input,"authorized_contactgroup_for_system_commands=")==input){
temp_ptr=strtok(input,"=");
while((temp_ptr=strtok(NULL,","))){
temp_contactgroup=find_contactgroup(temp_ptr);
if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
authinfo->authorized_for_system_commands=TRUE;
}
}
else if(strstr(input,"authorized_contactgroup_for_read_only=")==input){
temp_ptr=strtok(input,"=");
while((temp_ptr=strtok(NULL,","))){
temp_contactgroup=find_contactgroup(temp_ptr);
if(is_contact_member_of_contactgroup(temp_contactgroup, temp_contact))
authinfo->authorized_for_read_only=TRUE;
}
}
}
}

/* free memory and close the file */
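Review bot: In each of the eight added `while((temp_ptr=strtok(NULL,",")))` loops the result of `find_contactgroup(temp_ptr)` goes straight into `is_contact_member_of_contactgroup()` with no NULL check and the token is not trimmed, so a misspelled group or a list written as `group1, group2` is silently ignored (and that relies on the membership helper tolerating NULL, which is not visible here). For the seven directives that grant access this fails closed, but for `authorized_contactgroup_for_read_only` it fails open: the intended restriction is simply not applied and the administrator gets no hint. I would trim the token, add `if(temp_contactgroup==NULL) continue;` with a logged warning naming the unknown group, and move the loop into one shared helper instead of eight copies. The whole branch is also skipped when `find_contact(authinfo->username)` returns NULL, so it is worth confirming that object data is always loaded before this file is parsed; the function body starts and ends outside the hunk.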
@@ -187,9 +187,11 @@ use_ssl_authentication=0
# default, *no one* has access to this unless you choose to
# not use authorization. You may use an asterisk (*) to
# authorize any user who has authenticated to the web server.
# Alternatively you can specify contactgroups too, starting
# with Icinga 1.5.0

authorized_for_system_information=icingaadmin

#authorized_contactgroup_for_system_information=


# CONFIGURATION INFORMATION ACCESS
@@ -199,9 +201,11 @@ authorized_for_system_information=icingaadmin
# for the hosts and services they are contacts for. You may use
# an asterisk (*) to authorize any user who has authenticated
# to the web server.
# Alternatively you can specify contactgroups too, starting
# with Icinga 1.5.0

authorized_for_configuration_information=icingaadmin

#authorized_contactgroup_for_configuration_information=


# SYSTEM/PROCESS COMMAND ACCESS
@@ -212,9 +216,11 @@ authorized_for_configuration_information=icingaadmin
# has access to this unless you choose to not use authorization.
# You may use an asterisk (*) to authorize any user who has
# authenticated to the web server.
# Alternatively you can specify contactgroups too, starting
# with Icinga 1.5.0

authorized_for_system_commands=icingaadmin

#authorized_contactgroup_for_system_commands=


# GLOBAL HOST/SERVICE VIEW ACCESS
@@ -224,11 +230,14 @@ authorized_for_system_commands=icingaadmin
# for hosts or services that they are contacts for (unless you
# you choose to not use authorization). You may use an asterisk (*)
# to authorize any user who has authenticated to the web server.
# Alternatively you can specify contactgroups too, starting
# with Icinga 1.5.0


authorized_for_all_services=icingaadmin
authorized_for_all_hosts=icingaadmin

#authorized_contactgroup_for_all_services=
#authorized_contactgroup_for_all_hosts=


# GLOBAL HOST/SERVICE COMMAND ACCESS
@@ -239,19 +248,25 @@ authorized_for_all_hosts=icingaadmin
# that they are contacts for (unless you you choose to not use
# authorization). You may use an asterisk (*) to authorize any
# user who has authenticated to the web server.
# Alternatively you can specify contactgroups too, starting
# with Icinga 1.5.0

authorized_for_all_service_commands=icingaadmin
authorized_for_all_host_commands=icingaadmin

#authorized_contactgroup_for_all_service_commands=
#authorized_contactgroup_for_all_host_commands=


# READ-ONLY USERS
# A comma-delimited list of usernames that have read-only rights in
# the CGIs. This will block any service or host commands normally shown
# on the extinfo CGI pages. It will also block comments from being shown
# to read-only users.
# Alternatively you can specify contactgroups too, starting
# with Icinga 1.5.0

#authorized_for_read_only=user1,user2
#authorized_contactgroup_for_read_only=


# SHOW ALL SERVICES THE HOST IS AUTHORIZED FOR
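Review bot: The added comment lines "Alternatively you can specify contactgroups too" do not state the value format or how the two directives combine. Going by the parser added to cgi/cgiauth.c in this commit, the value is split on `,` without trimming, and a group match sets the same flag as the per-user directive, so the two settings are additive rather than alternatives. I would reword each occurrence along the lines of `# Additionally, authorized_contactgroup_for_... takes a comma-delimited list of contactgroup names (no spaces), starting with Icinga 1.5.0`. The commented-out samples could also carry an example value, as the existing `#authorized_for_read_only=user1,user2` does. For the READ-ONLY section it is worth saying explicitly that membership in a listed group restricts the user.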
