Module: check_mk
Branch: master
Commit: f1c7ee228270b083e81dbdf7b13108686caf9024
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=f1c7ee228270b0…
Author: Mathias Kettner <mk(a)mathias-kettner.de>
Date: Thu Sep 8 09:16:51 2011 +0200
Livestatus: downtimes/comment/logs now honor AuthUser:
Table log does honor AuthUser only for entries of type
notification, alert, passive check or state. Entries
for deleted hosts are hidden if AuthUser is used.
---
.bugs/366 | 11 +++++++++++
ChangeLog | 3 +++
livestatus/src/Makefile.am | 2 +-
livestatus/src/Query.cc | 1 +
livestatus/src/Query.h | 1 -
livestatus/src/TableDownComm.cc | 7 +++++++
livestatus/src/TableDownComm.h | 1 +
livestatus/src/TableHosts.cc | 7 ++-----
livestatus/src/TableLog.cc | 14 ++++++++++----
livestatus/src/TableServices.cc | 15 +--------------
livestatus/src/auth.cc | 25 +++++++++++++++++++++++++
livestatus/src/auth.h | 14 ++++++++++++++
12 files changed, 76 insertions(+), 25 deletions(-)
diff --git a/.bugs/366 b/.bugs/366
new file mode 100644
index 0000000..62167c8
--- /dev/null
+++ b/.bugs/366
@@ -0,0 +1,11 @@
+Title: Livestatus: table log: EXTERNAL_COMMAND should get host info
+Component: livestatus
+Benefit: 1
+State: open
+Cost: 5
+Date: 2011-09-08 09:29:57
+Class: feature
+
+The table log could parse the external command entries and assign
+them to the correct host and service. This needs a complete list
+of all known external commands :-(.
diff --git a/ChangeLog b/ChangeLog
index 2ea7ba4..a3e813c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -42,6 +42,9 @@
Livestatus:
* FIX: fix compile error in TableLog.cc by including stddef.h
+ * FIX: tables comments and downtimes now honor AuthUser
+ * Table log honors AuthUser for entries that belong to hosts
+ (not for external commands, though. Sorry...)
1.1.11i3:
Core, Setup, etc.:
diff --git a/livestatus/src/Makefile.am b/livestatus/src/Makefile.am
index 054027d..7a7f6c2 100644
--- a/livestatus/src/Makefile.am
+++ b/livestatus/src/Makefile.am
@@ -47,7 +47,7 @@ livestatus_so_SOURCES = \
OffsetStringHostMacroColumn.cc StatsColumn.cc IntAggregator.cc CountAggregator.cc \
DoubleAggregator.cc AttributelistColumn.cc AttributelistFilter.cc \
global_counters.c module.c logger.c waittriggers.c TimeperiodsCache.cc pnp4nagios.cc
\
- ContactgroupsColumn.cc opids.cc
+ ContactgroupsColumn.cc opids.cc auth.cc
livestatus_so_CXXFLAGS = -I$(top_srcdir)/nagios -fPIC
livestatus_so_CFLAGS = $(livestatus_so_CXXFLAGS)
diff --git a/livestatus/src/Query.cc b/livestatus/src/Query.cc
index d429440..2519340 100644
--- a/livestatus/src/Query.cc
+++ b/livestatus/src/Query.cc
@@ -44,6 +44,7 @@
#include "NegatingFilter.h"
#include "waittriggers.h"
#include "data_encoding.h"
+#include "auth.h"
extern int g_debug_level;
extern unsigned long g_max_response_size;
diff --git a/livestatus/src/Query.h b/livestatus/src/Query.h
index 187d267..b7df988 100644
--- a/livestatus/src/Query.h
+++ b/livestatus/src/Query.h
@@ -55,7 +55,6 @@ class Aggregator;
#define ANDOR_AND 1
#define ANDOR_NEGATE 2
-#define UNKNOWN_AUTH_USER ((contact *)0xdeadbeaf)
class Query
{
diff --git a/livestatus/src/TableDownComm.cc b/livestatus/src/TableDownComm.cc
index c16dc93..4b6d529 100644
--- a/livestatus/src/TableDownComm.cc
+++ b/livestatus/src/TableDownComm.cc
@@ -31,6 +31,7 @@
#include "OffsetStringColumn.h"
#include "OffsetIntColumn.h"
#include "OffsetTimeColumn.h"
+#include "auth.h"
#include "tables.h"
// Todo: the dynamic data in this table must be
@@ -158,6 +159,12 @@ void TableDownComm::answerQuery(Query *query)
}
}
+bool TableDownComm::isAuthorized(contact *ctc, void *data)
+{
+ DowntimeOrComment *dtc = (DowntimeOrComment *)data;
+ return is_authorized_for(ctc, dtc->_host, dtc->_service);
+}
+
DowntimeOrComment *TableDownComm::findEntry(unsigned long id)
{
_entries_t::iterator it = _entries.find(id);
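Review bot: The new `TableDownComm::isAuthorized` has no comment saying what makes a downtime or comment visible, and it forwards `dtc->_host` and `dtc->_service` without stating which of them may be NULL. A short header comment would help, e.g. `// A downtime/comment is visible iff the contact may see the host or service it is attached to (_service presumably NULL for host entries, confirm).` If `_host` can be NULL or can outlive the host object it points to, that case should be decided here rather than left to `is_authorized_for`. The patch does not show how DowntimeOrComment maintains these pointers.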
diff --git a/livestatus/src/TableDownComm.h b/livestatus/src/TableDownComm.h
index 652bb35..d12cf5e 100644
--- a/livestatus/src/TableDownComm.h
+++ b/livestatus/src/TableDownComm.h
@@ -54,6 +54,7 @@ public:
void add(DowntimeOrComment *data);
void remove(unsigned id);
void answerQuery(Query *);
+ bool isAuthorized(contact *ctc, void *data);
_entries_t::iterator entriesIteratorBegin() { return _entries.begin(); }
_entries_t::iterator entriesIteratorEnd() { return _entries.end(); }
};
diff --git a/livestatus/src/TableHosts.cc b/livestatus/src/TableHosts.cc
index a3d03eb..a629c77 100644
--- a/livestatus/src/TableHosts.cc
+++ b/livestatus/src/TableHosts.cc
@@ -45,6 +45,7 @@
#include "ContactgroupsColumn.h"
#include "HostSpecialIntColumn.h"
#include "tables.h"
+#include "auth.h"
extern host *host_list;
extern hostgroup *hostgroup_list;
@@ -57,12 +58,8 @@ struct hostbygroup {
bool TableHosts::isAuthorized(contact *ctc, void *data)
{
- if (ctc == UNKNOWN_AUTH_USER)
- return false;
-
host *hst = (host *)data;
- return is_contact_for_host(hst, ctc)
- || is_escalated_contact_for_host(hst, ctc);
+ return is_authorized_for(ctc, hst, 0);
}
diff --git a/livestatus/src/TableLog.cc b/livestatus/src/TableLog.cc
index 912c2a9..5d3031a 100644
--- a/livestatus/src/TableLog.cc
+++ b/livestatus/src/TableLog.cc
@@ -42,6 +42,7 @@
#include "TableHosts.h"
#include "TableCommands.h"
#include "TableContacts.h"
+#include "auth.h"
#define CHECK_MEM_CYCLE 1000 /* Check memory every N'th new message */
@@ -399,10 +400,15 @@ bool TableLog::isAuthorized(contact *ctc, void *data)
service *svc = entry->_service;
host *hst = entry->_host;
- if (svc)
- return g_table_services->isAuthorized(ctc, svc);
- else if (hst)
- return g_table_hosts->isAuthorized(ctc, hst);
+ if (hst || svc)
+ return is_authorized_for(ctc, hst, svc);
+ // suppress entries for messages that belong to
+ // hosts that do not exist anymore.
+ else if (entry->_logclass == LOGCLASS_ALERT
+ || entry->_logclass == LOGCLASS_NOTIFICATION
+ || entry->_logclass == LOGCLASS_PASSIVECHECK
+ || entry->_logclass == LOGCLASS_STATE)
+ return false;
else
return true;
}
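Review bot: The final `else return true;` is reached without any test of `ctc`, so an entry with neither host nor service and a log class outside the four listed ones is shown even when `ctc` is `UNKNOWN_AUTH_USER`, which `is_authorized_for` rejects on every other path. A guard such as `if (ctc == UNKNOWN_AUTH_USER) return false;` ahead of the `if (hst || svc)` test would keep an unresolvable AuthUser from reading those entries. The class test is also a deny-list, so any log class added later defaults to visible; naming the classes that are safe to show and returning false otherwise would fail closed. The start of `TableLog::isAuthorized` lies outside this hunk, so an earlier check may already exist there.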
diff --git a/livestatus/src/TableServices.cc b/livestatus/src/TableServices.cc
index f53e7b3..c381211 100644
--- a/livestatus/src/TableServices.cc
+++ b/livestatus/src/TableServices.cc
@@ -160,21 +160,8 @@ void TableServices::answerQuery(Query *query)
bool TableServices::isAuthorized(contact *ctc, void *data)
{
- if (ctc == UNKNOWN_AUTH_USER)
- return false;
-
service *svc = (service *)data;
- if (g_service_authorization == AUTH_STRICT) {
- return is_contact_for_service(svc, ctc);
- is_escalated_contact_for_service(svc, ctc);
- }
- else { // AUTH_LOOSE
- host *hst = svc->host_ptr;
- return is_contact_for_host(hst, ctc)
- || is_escalated_contact_for_host(hst, ctc)
- || is_contact_for_service(svc, ctc)
- || is_escalated_contact_for_service(svc, ctc);
- }
+ return is_authorized_for(ctc, svc->host_ptr, svc);
}
TableServices::TableServices(bool by_group, bool by_hostgroup)
diff --git a/livestatus/src/auth.cc b/livestatus/src/auth.cc
new file mode 100644
index 0000000..d63f01f
--- /dev/null
+++ b/livestatus/src/auth.cc
@@ -0,0 +1,25 @@
+#include "auth.h"
+
+int is_authorized_for(contact *ctc, host *hst, service *svc) {
+ if (ctc == UNKNOWN_AUTH_USER)
+ return false;
+
+ if (svc) {
+ if (g_service_authorization == AUTH_STRICT) {
+ return is_contact_for_service(svc, ctc)
+ || is_escalated_contact_for_service(svc, ctc);
+ }
+ else { // AUTH_LOOSE
+ return is_contact_for_host(hst, ctc)
+ || is_escalated_contact_for_host(hst, ctc)
+ || is_contact_for_service(svc, ctc)
+ || is_escalated_contact_for_service(svc, ctc);
+ }
+ }
+ // Entries for hosts
+ else {
+ return is_contact_for_host(hst, ctc)
+ || is_escalated_contact_for_host(hst, ctc);
+ }
+}
+
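Review bot: `hst` is taken from the caller in every branch, so the AUTH_LOOSE path and the host-only path pass whatever pointer they were given to `is_contact_for_host()`, including NULL when only `svc` is set or when both are NULL. Whether the Nagios functions tolerate NULL is not visible in this patch. The helper can avoid depending on that with `if (!hst && !svc) return false;` after the `UNKNOWN_AUTH_USER` test and `if (!hst) hst = svc->host_ptr;` at the top of the `if (svc)` branch. The function is declared `int` with C linkage but returns `false`; `return 0;` would match the declaration in auth.h. The new file also lacks the licence header and a comment stating the contract (NULL `svc` means a host entry; the result is non-zero when the contact is authorized).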
diff --git a/livestatus/src/auth.h b/livestatus/src/auth.h
index 754558b..0fceb3c 100644
--- a/livestatus/src/auth.h
+++ b/livestatus/src/auth.h
@@ -25,11 +25,25 @@
#ifndef auth_h
#define auth_h
+#include "nagios.h"
+
#define AUTH_LOOSE 0
#define AUTH_STRICT 1
+// Dummy pointer for unknown user (not no user)
+#define UNKNOWN_AUTH_USER ((contact *)0xdeadbeaf)
+
+
extern int g_service_authorization;
extern int g_group_authorization;
+#ifdef __cplusplus
+extern "C" {
+#endif
+ int is_authorized_for(contact *ctc, host *host, service *svc);
+#ifdef __cplusplus
+}
+#endif
+
#endif // auth_h
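Review bot: The prototype names its second parameter `host`, the same identifier as the Nagios type, while the definition in auth.cc uses `hst`. Writing it as `int is_authorized_for(contact *ctc, host *hst, service *svc);` avoids the shadowing and keeps the two in step. `UNKNOWN_AUTH_USER` is a made-up address used as a sentinel, so it is only safe to compare against and must never be dereferenced or handed to a Nagios function. The comment above the macro could say so, e.g. `// Sentinel for an AuthUser that could not be resolved: compare only, never dereference.`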