Re: [omd-users] Question RE anonymous thruk access / default_user_name

2017-02-14 Thread Jakob Curdes

Hello all, hello Sven,

(I am top-posting as the original post is rather old and most info 
should be in the new text)


We have finally had time to re-test the combination of 
"default_user_name" and a cookie-based auth for issuing commands only.
I think we are pretty near the result and it looks as if it should work, 
but actually it does not... here are our steps


1. We used a fresh OMD setup and set the "default_user_name" in thruk's 
cgi.cfg.


2. This immediately gives access to all thruk parts as the user defined 
in the variable as expected. Now we want to limit access to the commands,
as per the hint from Sven (see below), to use cookie-based auth only for 
that part:


RewriteCond %{REQUEST_URI} ^/${OMD_SITE}/thruk/cgi-bin/cmd.cgi
(in addition to other RewriteCond's)

That works "almost"; when we activate cookie auth we still can navigate 
through the thruk main part and when we want to access the command.cgi 
we are presented with a login page.


3. Login there threw an error "Can't connect to localhost:80" and the 
URL "http://localhost/test/thruk/cgi-bin/restricted.cgi",
which shows that we need to adapt the variable 
"cookie_auth_restricted_url" in thruk/thruk.conf for our https-based setup:


cookie_auth_restricted_url = https://localhost/test/thruk/cgi-bin/restricted.cgi

(instead of http://)

4. Done that, we get a different error when accessing command.cgi (after 
entering the credentials on the cookie-based login page). This time the 
error is:


auth: expected code 401, got 200

So probably at this point the default_user_name gets in the way?? - 
apache already has a user and allows access, but the code in 
Thruk::Utils::CookieAuth.pm wants either 302 or 401 to pass a user name.
Either we need to adapt the apache configuration not to pass the user at 
this point or we would probably adapt the code to remove the auth info 
if response 200 is encountered.


Any ideas?


Best regards, Jakob Curdes

On 07.12.2016 at 19:57, Jakob Curdes wrote:
Hello Sven, thank you, the approach sounds sensible and I will try 
that out and document a working setup.


Regards, Jakob


On 06.12.2016 at 20:00, Sven Nierlein wrote:

Hi,

I did implement that once in a customer setup but I cannot remember 
all details. Basically you need to change the
apache config in a way that everything except 
/thruk/cgi-bin/cmd.cgi is not protected and free to access.
In order to do so you need to add an exception to the rewrite block 
which makes the redirect for the thruk cookie auth.
Just add
RewriteCond %{REQUEST_URI} ^/${OMD_SITE}/thruk/cgi-bin/cmd.cgi
in etc/apache/conf.d/thruk_cookie_auth.conf.
I haven't tested it, but I'd say that should do the trick already.

If that works, please document it next to the apache ldap config here:
https://github.com/sni/Thruk/blob/master/docs/documentation/install-webserver.asciidoc#ldap--ad-authentication 


So next time someone asks he has the chance to find something :-)

Cheers,
  Sven


On 06/12/16 17:40, Jakob Curdes wrote:
Hello, we use an OMD-based system with naemon and thruk for our 
monitoring and are trying to implement a two level access model:


- anonymous access to status information (read-only)

- cookie-based access for the rest.

This means that apache and thruk must interact to allow access to 
certain URLs with a default username while requiring cookie auth for 
other URLs.


The Thruk part of this is easy and solved, we set a 
"default_user_name" and limited access and permissions of that user, 
this works nicely.
But then all the interface is limited and we cannot use a different 
username.


Now we are trying to configure apache to pass this username to 
thruk, but only for certain URL's, i.e. status.cgi.


In other cases, suggestions were to make a link to the directory 
with the CGI's and use the different URLs to distinguish the two 
cases in the apache configuration.
This seems to be difficult with thruk, as the URL's are not 
directories and how do you make a link to a location ?? We tried 
setting an alias but this did not help.


Another approach could be to allow only this URL without auth by a 
combination of location and file directives; however there we seem 
to get stuck in the rewrite rules used for the cookie based auth. It 
seems that even if the user is passed the rewrite rule changes the 
status.cgi to the login page.


Has anybody gotten a working solution for such a setup? Are we doing 
something wrong?



Regards, Jakob Curdes
___
omd-users mailing list
omd-users@lists.mathias-kettner.de
http://lists.mathias-kettner.de/mailman/listinfo/omd-users
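
Added example (not part of the thread, and not Thruk or OMD code): a Python check for the two-level model discussed above. Run without cookie or credentials, it flags cmd.cgi being served directly or status.cgi being sent to the login page. The site name "test" comes from the URLs quoted in the message; the login.cgi path in the constructed samples and the "login" substring test are assumptions.

```python
import urllib.error
import urllib.request

SITE = "test"  # site name as it appears in the URLs quoted in the thread
# Expected result for a request that carries no cookie and no credentials:
#   "open"  = served directly (read-only default user)
#   "gated" = not served; 401 or redirect to the login page
POLICY = {
    f"/{SITE}/thruk/cgi-bin/status.cgi": "open",
    f"/{SITE}/thruk/cgi-bin/cmd.cgi": "gated",
}

def classify(status, location=""):
    """Map one HTTP response to 'open', 'gated' or 'error'."""
    if status == 200:
        return "open"
    # Assumption: the login redirect target contains the word "login".
    if status == 401 or (status in (301, 302, 303, 307) and "login" in location):
        return "gated"
    return "error"

def evaluate(observations, policy=POLICY):
    """Return (path, expected, observed) for every path that violates the policy."""
    findings = []
    for path, expected in policy.items():
        observed = classify(*observations[path])
        if observed != expected:
            findings.append((path, expected, observed))
    return findings

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx as HTTPError instead of following it

def probe(base_url, path):
    """Fetch one URL anonymously; return (status, Location header)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base_url + path, timeout=10) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location", "")

# Constructed sample observations (not captured from a real system).
_LOGIN = f"/{SITE}/thruk/cgi-bin/login.cgi"  # assumed login page path
_STATUS, _CMD = POLICY.keys()
OBS_INTENDED = {_STATUS: (200, ""), _CMD: (302, _LOGIN)}
OBS_CMD_OPEN = {_STATUS: (200, ""), _CMD: (200, "")}
OBS_STATUS_REDIRECTED = {_STATUS: (302, _LOGIN), _CMD: (302, _LOGIN)}
```

Against a live site, build the observations with {p: probe(base_url, p) for p in POLICY} and treat any non-empty result from evaluate() as a failed check.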




Re: [omd-users] Question RE anonymous thruk access / default_user_name

2016-12-07 Thread Jakob Curdes
Hello Sven, thank you, the approach sounds sensible and I will try that 
out and document a working setup.


Regards, Jakob


On 06.12.2016 at 20:00, Sven Nierlein wrote:

Hi,

I did implement that once in a customer setup but I cannot remember all 
details. Basically you need to change the
apache config in a way that everything except /thruk/cgi-bin/cmd.cgi is 
not protected and free to access.
In order to do so you need to add an exception to the rewrite block which makes 
the redirect for the thruk cookie auth.
Just add
RewriteCond %{REQUEST_URI} ^/${OMD_SITE}/thruk/cgi-bin/cmd.cgi
in etc/apache/conf.d/thruk_cookie_auth.conf.
I haven't tested it, but I'd say that should do the trick already.

If that works, please document it next to the apache ldap config here:
https://github.com/sni/Thruk/blob/master/docs/documentation/install-webserver.asciidoc#ldap--ad-authentication
So next time someone asks he has the chance to find something :-)

Cheers,
  Sven


On 06/12/16 17:40, Jakob Curdes wrote:

Hello, we use an OMD-based system with naemon and thruk for our monitoring and 
are trying to implement a two level access model:

- anonymous access to status information (read-only)

- cookie-based access for the rest.

This means that apache and thruk must interact to allow access to certain URLs 
with a default username while requiring cookie auth for other URLs.

The Thruk part of this is easy and solved, we set a "default_user_name" and 
limited access and permissions of that user, this works nicely.
But then all the interface is limited and we cannot use a different username.

Now we are trying to configure apache to pass this username to thruk, but only 
for certain URL's, i.e. status.cgi.

In other cases, suggestions were to make a link to the directory with the CGI's 
and use the different URLs to distinguish the two cases in the apache 
configuration.
This seems to be difficult with thruk, as the URL's are not directories and how 
do you make a link to a location ?? We tried setting an alias but this did not 
help.

Another approach could be to allow only this URL without auth by a combination 
of location and file directives; however there we seem to get stuck in the 
rewrite rules used for the cookie based auth. It seems that even if the user is 
passed the rewrite rule changes the status.cgi to the login page.

Has anybody gotten a working solution for such a setup? Are we doing something 
wrong?


Regards, Jakob Curdes


[omd-users] Question RE anonymous thruk access / default_user_name

2016-12-06 Thread Jakob Curdes
Hello, we use an OMD-based system with naemon and thruk for our 
monitoring and are trying to implement a two level access model:


- anonymous access to status information (read-only)

- cookie-based access for the rest.

This means that apache and thruk must interact to allow access to 
certain URLs with a default username while requiring cookie auth for 
other URLs.


The Thruk part of this is easy and solved, we set a "default_user_name" 
and limited access and permissions of that user, this works nicely.
But then all the interface is limited and we cannot use a different 
username.


Now we are trying to configure apache to pass this username to thruk, 
but only for certain URL's, i.e. status.cgi.


In other cases, suggestions were to make a link to the directory with 
the CGI's and use the different URLs to distinguish the two cases in the 
apache configuration.
This seems to be difficult with thruk, as the URL's are not directories 
and how do you make a link to a location ?? We tried setting an alias 
but this did not help.


Another approach could be to allow only this URL without auth by a 
combination of location and file directives; however there we seem to 
get stuck in the rewrite rules used for the cookie based auth. It seems 
that even if the user is passed the rewrite rule changes the status.cgi 
to the login page.


Has anybody gotten a working solution for such a setup? Are we doing 
something wrong?



Regards, Jakob Curdes