icingaweb2-module-pnp

Permissions: Forward Icinga Web 2 auth to PNP

Open dnsmichi opened this issue 7 years ago • 4 comments

  • /pnp4nagios requires no auth currently, or via SSO
  • forward Icinga Web 2 auth to PNP as login provider (requires path for PNP)

Old TODO:

We should also provide an easy way to integrate our authentication and permission system into PNP4Nagios. This would require a small wrapper doing an embedded Icinga Web 2 bootstrap in order to provide our user object and a list of allowed hosts/services to PNP4Nagios.

dnsmichi, Aug 15 '17 15:08

A simple workaround until your auth forwarder is ready, when you use database authentication (https://www.icinga.com/docs/icingaweb2/latest/doc/05-Authentication/#database-authentication):

Apache authn_dbd could use the login data in the icingaweb2 database. Here is a simple Apache config snippet which could be placed in the Icinga vhost. This example uses MySQL but should be easy to transform to other database engines.

#AuthnCacheSOCache dbm # <-- set global or apache will use the system default


<VirtualHost ...>
  DBDriver  mysql
  DBDParams "host=localhost dbname=icingaweb_db user=icingaweb_db pass=mypassword"
  <Location /pnp4nagios>
    AuthType Basic
    AuthName "PNP Access"
    AuthBasicProvider socache dbd
    AuthDBDUserPWQuery "SELECT password_hash FROM icingaweb_user WHERE name = %s"
    AuthnCacheProvideFor dbd
    AuthnCacheContext pnpauth
    Require valid-user
  </Location>
</VirtualHost>

You need to have libaprutil1-dbd-mysql installed (Ubuntu) and the Apache modules authn_dbd and authn_socache enabled. If you like, you could omit the caching via socache. The Apache DB settings could be adjusted if a heavy auth load is present (DBDMin, DBDKeep, DBDMax, DBDExptime).

I was a little bit surprised that I have not found this solution on the internet anywhere. That's why I have posted this here because I'm not sure if this approach has been considered before.

This only does the authentication and does not take into account permissions for the hosts and services.

SteScho, Jun 15 '18 22:06
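A hardened variant of the workaround above, as an added example that is not part of SteScho's comment or the project's own configuration: it only accepts users whose `active` flag is set in Icinga Web 2's `icingaweb_user` table, requires TLS for the Basic auth exchange, and shortens the credential cache lifetime. The `*:443` vhost, the read-only database account `pnp_auth_ro` and its password placeholder are assumptions.

```apache
# Added example (assumptions: vhost address, pnp_auth_ro account, password placeholder).
<VirtualHost *:443>
  # Keep the vhost's existing TLS directives (SSLEngine, certificate files) here.
  # Basic auth sends the password base64-encoded with every request, so this
  # location must never be reachable over plain HTTP.

  DBDriver  mysql
  # Hypothetical account that is granted only SELECT on icingaweb_user,
  # instead of reusing the read/write Icinga Web 2 database user.
  # The password is stored in clear text: restrict read access to this file.
  DBDParams "host=localhost dbname=icingaweb_db user=pnp_auth_ro pass=CHANGE_ME"

  <Location /pnp4nagios>
    AuthType Basic
    AuthName "PNP Access"
    AuthBasicProvider socache dbd

    # Accounts deactivated in Icinga Web 2 (active = 0) return no row and
    # therefore cannot log in to PNP either.
    AuthDBDUserPWQuery "SELECT password_hash FROM icingaweb_user WHERE name = %s AND active = 1"

    AuthnCacheProvideFor dbd
    AuthnCacheContext pnpauth
    # Cached credentials stay valid until they expire (default 300 seconds).
    # A shorter lifetime makes password changes and deactivations apply sooner.
    AuthnCacheTimeout 60

    # Several bare Require lines are OR-ed by default; RequireAll makes
    # both TLS and a valid login mandatory.
    <RequireAll>
      Require ssl
      Require valid-user
    </RequireAll>
  </Location>
</VirtualHost>
```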

Just wondering if there was any further update on this authentication? I see the WIP branch but it hasn't been touched for a year. Thanks!

nickcohen, Feb 06 '19 12:02

I solved this by using a very hacky patch: https://gist.github.com/durzo/521b29f911496b6fe4c8a5a7a0bed495

We get the PHP session name on disk from the Icingaweb2 cookie, open it, check our group membership and redirect to Icinga if we are not in the Administrators group.

durzo, Jan 08 '20 13:01

There seems to be no update on this authentication issue...

An idea could be restricting the pnp4nagios web access, enabling access only from icingaweb2 pages, and then disabling authentication of pnp4nagios.

Would that be possible?

Is anyone still trying to use icingaweb2 and pnp4nagios?

jmvictoria, Dec 04 '20 18:12