-
Notifications
You must be signed in to change notification settings - Fork 170
Authorization System
Ganglia contains a simple authorization system to selectively allow or deny users access to certain parts of the gweb application. We rely on the web server to provide authentication, so any Apache authentication system (htpasswd, LDAP, etc) is supported.
The authorization system has three modes of operation.
-
$conf['auth_system'] = 'readonly';
: Anyone is allowed to view any resource. No-one can edit anything. This is the default setting. -
$conf['auth_system'] = 'disabled';
: Anyone is allowed to view or edit any resource. -
$conf['auth_system'] = 'enabled';
: Anyone may view public clusters without login. Authenticated users may gain elevated privileges.
If you wish to enable or disable authorization, please add your change to your conf.php
file.
When a user successfully authenticates, a hash is generated from the username + a secret key, and is stored in a cookie and made available to the rest of gweb. If the secret key value becomes known, it is possible for an attacker to assume the identity of any user.
You may change this secret value at any time. Users who have already logged in will need to log in again.
Enabling authentication requires two steps:
-
Configure your web server to require authentication when accessing
gweb/login.php
, and to provide the$_SERVER['REMOTE_USER']
variable togweb/login.php
. (This variable is not needed on any other gweb page.) -
Configure your web server to provide
$_SERVER['ganglia_secret']
. This is a secret value used for hashing authenticated user names.
If login.php does not require authentication, the user will see an error message and no authorization will be allowed.
[[authentication_failed.jpg|alt=A Failed Authentication]]
SetEnv ganglia_secret yourSuperSecretValueGoesHere
<Files "login.php">
AuthType Basic
AuthName "Ganglia Access"
AuthUserFile /var/lib/ganglia/htpasswd
Require valid-user
</Files>
More information about configuring authentication in Apache can be found at http://httpd.apache.org/docs/2.2/howto/auth.html. Note that Apache need only provide authentication. Authorization is provided by gweb configuration.
WARNING: This configuration is untested. If you are able to test this, please report results to ganglia-developers at lists.sourceforge.net
.
location ~ \.php$ { {
fastcgi_param ganglia_secret yourSuperSecretValueGoesHere;
}
location /login.php {
auth_basic "Ganglia Access";
auth_basic_user_file /var/lib/ganglia/htpasswd;
fastcgi_param REMOTE_USER $remote_user;
}
WARNING: This configuration is untested. If you are able to test this, please report results to ganglia-developers at lists.sourceforge.net
.
setenv.add-environment = (
"ganglia_secret" => "yourSuperSecretValueGoesHere"
)
server.modules += ( "mod_auth" )
auth.backend = "plain"
auth.backend.plain.userfile = "/etc/lighttpd/lighttpd.user"
auth.require = (
"/login.php" => (
"method" => "basic",
"realm" => "Ganglia Access",
"require" => "valid-user",
)
)
The default access control setup has the following properties: * Guests may view all public clusters. * Admins may view all public & private clusters, and edit configuration (views) for them. * Guests may not view private clusters.
Additional rules may be configured as required. This configuration should go in conf.php
. GangliaAcl
is based on Zend_Acl
. More documentation is available at http://framework.zend.com/manual/en/zend.acl.html.
Note that there is no built-in distinction between a 'user' and a 'group' in Zend_Acl
. Both are implemented as roles. The system supports the configuration of heirarchical sets of ACL rules. We implement user/group semantics by making all user roles children of the GangliaAcl::GUEST
role, and all clusters children of GangliaAcl::ALL
.
Name | Meaning |
---|---|
|
Every cluster should descend from this role. Guests have 'view' access on |
|
Every user should descend from this role. (Users may also have other roles, but this one grants global view privileges to public clusters.) |
|
Admins may access all private clusters and edit configuration for any cluster. |
|
This permission is granted to guests on all clusters, and then selectively denied for private clusters. |
|
This permission is used to determine if a user may update views and perform any other configuration tasks. |
Currently we only support two actions, 'view' and 'edit'. These are applied on a per-cluster basis. So one user may have 'view' access to all clusters, but 'edit' access to only one.
These should go in your conf.php
file. The usernames you use will be the ones provided by whatever authentication system you are using in Apache. If you want to explicitly allow/deny access to certain clusters, you need to spell that out here.
All later examples assume you have this code to start with:
$acl = GangliaAcl::getInstance();
$acl->addPrivateCluster( 'clustername' );
$acl->addRole( 'username', GangliaAcl::GUEST );
$acl->allow( 'username', 'clustername', GangliaAcl::VIEW );