[omd-users] Question RE anonymous thruk access / default_user_name

Jakob Curdes jc at info-systems.de
Tue Dec 13 12:38:24 CET 2016



Am 06.12.2016 um 20:00 schrieb Sven Nierlein:
> Hi,
>
> i did implement that once in a customer setup but i cannot remember all details. Basically you need to change the
> apache config in a way, that everything except <site>/thruk/cgi-bin/cmd.cgi is not protected and free to access.
> In order to do so you need to add an exception to the rewrite block which make the redirect for the thruk cookie
> auth.
> Just add
> RewriteCond %{REQUEST_URI}         ^/${OMD_SITE}/thruk/cgi-bin/cmd.cgi
> in etc/apache/conf.d/thruk_cookie_auth.conf.
> I haven't tested it, but i'd say that should do the trick already.
This works "almost" - we can navigate through the site without auth and 
get an auth request when directly accessing cmd.cgi. However, you cannot 
access actions from inside the "anonymous" pages because thruk knows 
that the user does not have permissions. Plus after authorization of 
cmd.cgi this says "no command was specified", making the succeeded auth 
somewhat useless (unless I know and guess the commands in advance...) . 
So what is probably missing is a second URL so that we have two separate 
URL trees, one with default authorization (and without command 
interface) and one with normal authentication and full permissions. I 
know how to do this in general, you could use a file system link or 
whatever, but in this case all the URL's are "virtual", they have no 
direct file system equivalent so I am not sure how I can publish these a 
second time with a different URL.

JC



>
> On 06/12/16 17:40, Jakob Curdes wrote:
>> Hello, we use an OMD-based system with naemon and thruk for our monitoring and are trying to implement a two level access model:
>>
>> - anonymous access to status information (read-only)
>>
>> - cookie-based access for the rest.
>>
>> This means that apache and thruk must interact to allow access to certain URLs with a default username while requiring cookie auth for orther URLs.
>>
>> The Thruk part of this is easy and solved, we set a "default_user_name" and limited access and permissions of that user, this works nicely.
>> But then all the interface is limited and we cannot use a different username.
>>
>> Now we are trying to configure apache to pass this username to thruk, but only for certain URL's, i.e. status.cgi.
>>
>> In other cases, suggestions were to make a link to the directory with the CGI's and use the different URLs to distinguish the two cases in the apache configuration.
>> This seems to be difficult with thruk, as the URL's are not directories and how do you make a link to a location ?? We tried setting an alias but this did not help.
>>
>> Another approach could be to allow only this URL without auth by a combination of location and file directives; however there we seem to get stuck in the rewrite rules used for the cookie based auth. It seems that even if the user is passed the rewrite rule changes the status.cgi to the login page.
>>
>> Has anybody gotten a working solution for such a setup? Are we doing something wrong?
>>
>>
>> Regards, Jakob Curdes
>> _______________________________________________
>> omd-users mailing list
>> omd-users at lists.mathias-kettner.de
>> http://lists.mathias-kettner.de/mailman/listinfo/omd-users



More information about the omd-users mailing list