Skip to content
This repository has been archived by the owner. It is now read-only.

[dev.icinga.com #1752] authorization for * in cgi.cfg via contactgroups #701

Closed
icinga-migration opened this issue Jul 24, 2011 · 3 comments

Comments

Projects
None yet
1 participant
@icinga-migration
Copy link
Member

commented Jul 24, 2011

This issue has been migrated from Redmine: https://dev.icinga.com/issues/1752

Created by mfriedrich on 2011-07-24 18:26:25 +00:00

Assignee: mfriedrich
Status: Resolved (closed on 2011-08-01 16:53:02 +00:00)
Target Version: 1.5
Last Update: 2014-12-08 09:32:40 +00:00 (in Redmine)


  • authorized_contactgroup_for_all_hosts
  • authorized_contactgroup_for_all_services
  • authorized_contactgroup_for_system_information
  • authorized_contactgroup_for_configuration_information
  • authorized_contactgroup_for_all_host_commands
  • authorized_contactgroup_for_all_service_commands
  • authorized_contactgroup_for_system_commands
  • authorized_contactgroup_for_read_only
-------- Original Message --------
Subject:    Re: [Nagios-devel] Reduce some code duplication
Date:   Sun, 24 Jul 2011 14:03:07 +0100
From:   Stephen Gran 
Reply-To:   Nagios Developers List 
To:     Nagios Developers List 


Hi again,

On Thu, Jan 13, 2011 at 02:58:01PM +0100, Andreas Ericsson said:
> On 01/13/2011 01:43 PM, Stephen Gran wrote:
> > Hi,
> > 
> > I'm looking slightly longer term at extending cgi.cfg to support using
> > contact_group names in the authorized_for* settings, and this is step
> > one on the road.  If someone thinks the above is a bad idea (or if reuse
> > of code is a bad idea) let me know and I'll stop.
> 
> There's one problem with this approach;
> The users in cgi.cfg don't have to be contacts. They only have to be able
> to log in to Nagios.
> 
> With that in light, I wonder what happens when eu-admins is both a user
> (from the apache view of things) as well as a contactgroup, but not a
> contact. That's one of the things that absolutely has to keep working,
> or a lot of people's setups will break.

On Thu, Jan 13, 2011 at 07:21:37PM +0100, Jochen Bern said:
> On 01/13/2011 04:52 PM, Stephen Gran wrote:
> > On Thu, Jan 13, 2011 at 02:58:01PM +0100, Andreas Ericsson said:
> >> I wonder what happens when eu-admins is both a user
> >> (from the apache view of things) as well as a contactgroup, but not a
> >> contact. That's one of the things that absolutely has to keep working,
> >> or a lot of people's setups will break.
> > I was planning to use a marker to specify that it is a group, whether %
> > like sudo or @ like many other things
> 
> 1. Both "%" and "@" are legal separators for e-mail addresses, which are
>    getting more and more popular as "usernames" for all sorts of web UI
>    logins. I doubt they're safe to forcefully overload, even as
>    username[0].
> 2. I don't think that there's *any* printable character which is prima
>    facie illegal in Basic Auth usernames. Not even the "," (and "="?)
>    that cgi.cfg sets aside as its separator char(s).
> 3. Suggestion: Make the marker configurable (so that admins can work
>    around odd username[0]s already in use), with setting it to '\0' or
>    somesuch effectively disabling the new feature (for the rare cases
>    where the user base took pride in having really *every* printable
>    character covered ;-).

Sorry to let this sit for so long - the objections were all good ones,
and I had to go have a think, and then other things came up, as they
always do ...

Anyway, I think I've hit on something that may be useful, if you're
amenable.  I'm proposing new cgi.cfg parameters that allow you to
specify contactgroups that are authorized for the various levels of auth
in addition to users.  I think the attached patch does this, and in a
way that should ensure it doesn't interfere with existing practices.

Cheers,
-- 
 --------------------------------------------------------------------------
|  Stephen Gran                  | Labor, n.:  One of the processes by     |
|  steve@lobefin.net             | which A acquires property for B.   --   |
|  http://www.lobefin.net/~steve | Ambrose Bierce, "The Devil's            |
|                                | Dictionary"                             |
 --------------------------------------------------------------------------

Attachments

Changesets

2011-07-26 15:51:22 +00:00 by mfriedrich a85e3e6

classic ui: authorization for * in cgi.cfg via contactgroups (Stephen Gran) #1752
        ** authorized_contactgroup_for_all_hosts, authorized_contactgroup_for_all_services, authorized_contactgroup_for_system_information,
        ** authorized_contactgroup_for_configuration_information, authorized_contactgroup_for_all_host_commands,
        ** authorized_contactgroup_for_all_service_commands, authorized_contactgroup_for_system_commands, authorized_contactgroup_for_read_only

refs #1752

Relations:

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Jul 29, 2011

Updated by mfriedrich on 2011-07-29 16:24:37 +00:00

  • Category set to 43
  • Status changed from New to Feedback
  • Assigned to set to mfriedrich
  • Target Version set to 1.5
  • Done % changed from 0 to 100
@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Aug 1, 2011

Updated by mfriedrich on 2011-08-01 16:53:02 +00:00

  • Status changed from Feedback to Resolved
@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Dec 8, 2014

Updated by mfriedrich on 2014-12-08 09:32:40 +00:00

  • Project changed from 19 to Core, Classic UI, IDOUtils
  • Category changed from 43 to Classic UI
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.