Commit fb7460e4 authored by Hamza Dely's avatar Hamza Dely

nagios a besoin d'accéder à l'annuaire LDAP en RO pour Icinga

parent e6b6c87e
...@@ -154,7 +154,7 @@ class SequenceLoader(list): ...@@ -154,7 +154,7 @@ class SequenceLoader(list):
return loader(name) return loader(name)
except SecretNotFound as exc: except SecretNotFound as exc:
notfound_error = notfound_error or exc notfound_error = notfound_error or exc
raise notfound_error raise notfound_error
class ACLChecker(object): class ACLChecker(object):
...@@ -175,17 +175,17 @@ class ACLChecker(object): ...@@ -175,17 +175,17 @@ class ACLChecker(object):
def check(self, name): def check(self, name):
"""Teste si ``name`` a le droit d'être lu""" """Teste si ``name`` a le droit d'être lu"""
user = os.getenv('SUDO_USER') user = os.getenv('SUDO_USER')
# TODO Trigger et sa clé SSH ! # TODO Trigger et sa clé SSH !
if user == 'root': if user == 'root':
return True return True
# radius a besoin des mdp clients (pour dynamic_clients), # radius a besoin des mdp clients (pour dynamic_clients),
# du ldap et du dhcp pour inscrire des gens # du ldap et du dhcp pour inscrire des gens
if user == 'freerad' and in_group('freeradius') and \ if user == 'freerad' and in_group('freeradius') and \
name.split('_', 1)[0] in ['radius', 'dhcp', 'ldap']: name.split('_', 1)[0] in ['radius', 'dhcp', 'ldap']:
return True return True
if user == 'www-data' and in_group('intranet2-service'): if user == 'www-data' and in_group('intranet2-service'):
logger.debug('ici: %s' % name.split('_', 1)[0]) logger.debug('ici: %s' % name.split('_', 1)[0])
if name.split('_', 1)[0] in [ 'comnpay', 'dhcp', 'digicode', 'intranet', if name.split('_', 1)[0] in [ 'comnpay', 'dhcp', 'digicode', 'intranet',
...@@ -202,6 +202,12 @@ class ACLChecker(object): ...@@ -202,6 +202,12 @@ class ACLChecker(object):
if user == 'gammu' and in_group('service-sms') and name == "rabbitmq_sms": if user == 'gammu' and in_group('service-sms') and name == "rabbitmq_sms":
return True return True
# nagios a besoin de faire des recherches dans la base LDAP
if (user == 'nagios' and
in_group('icinga2-master') and
name in ['ldap_readonly_auth_dn', 'ldap_readonly_password']):
return True
# Rempli loader avec la variable qu'on veut # Rempli loader avec la variable qu'on veut
loader = SequenceLoader([python_loader, single_file_loader, json_loader]) loader = SequenceLoader([python_loader, single_file_loader, json_loader])
...@@ -223,7 +229,7 @@ def get(name): ...@@ -223,7 +229,7 @@ def get(name):
""" Récupère un secret. """ """ Récupère un secret. """
prog = os.path.basename(getattr(sys, 'argv', ['undefined'])[0]) prog = os.path.basename(getattr(sys, 'argv', ['undefined'])[0])
logger.debug('%s (in %s) asked for %s' % (getpass.getuser(), prog, name)) logger.debug('%s (in %s) asked for %s' % (getpass.getuser(), prog, name))
try: try:
return loader(name) return loader(name)
except SecretNotFound: except SecretNotFound:
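Review bot: The new nagios branch in `ACLChecker.check` (hunk `@@ -202,6 +202,12 @@`) grants access by exact secret name, unlike the `freerad` branch above it, which matches on the `name.split('_', 1)[0]` prefix and would let `ldap` cover every secret stored under that prefix; the exact-match allowlist is the tighter choice, but nothing in the comment says it is deliberate, so a later edit could "normalize" it to the prefix form and widen the grant to any read-write LDAP credential kept under the same prefix. I would replace the added comment with `# nagios (icinga2) only needs the read-only LDAP bind DN and its password; match the two exact names, never the 'ldap' prefix`. Whether `in_group('icinga2-master')` checks the groups of `SUDO_USER` or of the calling process cannot be confirmed from this hunk, since `in_group` is defined elsewhere; the branch is only as strong as that helper, so the comment should say which it is once known. The body of `check` continues past the end of the hunk.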
......