Permissions: Forward Icinga Web 2 auth to PNP #29

Open
dnsmichi opened this issue Aug 15, 2017 · 4 comments

Comments

@dnsmichi

  • /pnp4nagios requires no auth currently, or via SSO
  • forward Icinga Web 2 auth to PNP as login provider (requires path for PNP)

Old TODO:

We should also provide an easy way to integrate our authentication and permission system into PNP4Nagios. This would require a small wrapper doing an embedded Icinga Web 2 bootstrap in order to provide our user object and a list of allowed hosts/services to PNP4Nagios.
Thomas-Gelf added a commit that referenced this issue Feb 19, 2018
@SteScho

SteScho commented Jun 15, 2018

A simple workaround until your auth forwarder is ready, when you use database authentication (https://www.icinga.com/docs/icingaweb2/latest/doc/05-Authentication/#database-authentication):

Apache authn_dbd could use the login data in the icingaweb2 database. Here is a simple Apache config snippet which could be placed in the Icinga vhost. This example uses MySQL but should be easy to transform to other database engines.

```apache
#AuthnCacheSOCache dbm # <-- set global or apache will use the system default

<VirtualHost ...>
  DBDriver  mysql
  DBDParams "host=localhost dbname=icingaweb_db user=icingaweb_db pass=mypassword"
  <Location /pnp4nagios>
    AuthType Basic
    AuthName "PNP Access"
    AuthBasicProvider socache dbd
    AuthDBDUserPWQuery "SELECT password_hash FROM icingaweb_user WHERE name = %s"
    AuthnCacheProvideFor dbd
    AuthnCacheContext pnpauth
    Require valid-user
  </Location>
</VirtualHost>
```

You should have installed libaprutil1-dbd-mysql (Ubuntu) and enabled the Apache modules authn_dbd and authn_socache. If you like, you could omit the caching via socache. Apache DB settings could be adjusted if a heavy auth load is present (DBDMin, DBDKeep, DBDMax, DBDExptime).

I was a little bit surprised that I have not found this solution on the internet anywhere. That's why I have posted this here because I'm not sure if this approach has been considered before.

This only does the authentication and does not take into account permissions for the hosts and services.

@nickcohen

Just wondering if there was any further update on this authentication? I see the WIP branch but it hasn't been touched for a year. Thanks!

@durzo

durzo commented Jan 8, 2020

I solved this by using a very hacky patch: https://gist.github.com/durzo/521b29f911496b6fe4c8a5a7a0bed495

We get the PHP session name on disk from the Icingaweb2 cookie, open it, check our groups membership and redirect to icinga if we are not in Administrators group.
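
Added example, not part of any comment in this thread: SteScho's authn_dbd workaround extended with the group restriction durzo describes, done in Apache with mod_authz_dbd rather than by reading the session file. Assumptions: the Icinga Web 2 database has an `active` column on `icingaweb_user` and stores groups in `icingaweb_group` / `icingaweb_group_membership`, mod_authz_dbd and mod_ssl are enabled, and `pnp_auth_ro` is a hypothetical database account with SELECT rights only.

```apache
# Constructed example: database name, account, password and group name are placeholders.
<VirtualHost *:443>
  # TLS directives for this vhost are omitted here. Basic auth resends the
  # password with every request, so the location must only be served over HTTPS.

  DBDriver  mysql
  # Hypothetical read-only account: it only needs SELECT on the three tables below.
  DBDParams "host=localhost dbname=icingaweb_db user=pnp_auth_ro pass=CHANGE_ME"

  <Location /pnp4nagios>
    AuthType Basic
    AuthName "PNP Access"
    AuthBasicProvider socache dbd

    # Assumption: `active` marks enabled accounts; disabled users get no row back.
    AuthDBDUserPWQuery "SELECT password_hash FROM icingaweb_user WHERE name = %s AND active = 1"

    AuthnCacheProvideFor dbd
    AuthnCacheContext pnpauth
    # A cached credential keeps working for this many seconds after the
    # password is changed or the account is deactivated (default is 300).
    AuthnCacheTimeout 60

    # Assumption: group membership lives in the Icinga Web 2 database backend.
    # Returns every group name of the authenticated user.
    AuthzDBDQuery "SELECT g.name FROM icingaweb_group g JOIN icingaweb_group_membership m ON m.group_id = g.id WHERE m.username = %s"

    # Both conditions must hold. Do not add "Require valid-user" beside them:
    # sibling Require lines are OR-ed and would let any authenticated user in.
    <RequireAll>
      Require ssl
      Require dbd-group Administrators
    </RequireAll>
  </Location>
</VirtualHost>
```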

@jmvictoria

There seems not to be any update on this authentication issue...

An idea could be restricting the pnp4nagios web access, enabling access only from icingaweb2 pages, and then disabling authentication of pnp4nagios.

Could it be possible?

Is anyone still trying to use icingaweb2 and pnp4nagios?
