mirror of https://github.com/Icinga/icinga2.git
Merge pull request #10102 from Icinga/icingadb-redis-username
Icinga DB: Config no_user_modify and Support Redis username authentication
This commit is contained in:
commit
67175c43c0
|
@ -1387,7 +1387,9 @@ Configuration Attributes:
|
||||||
host | String | **Optional.** Redis host. Defaults to `127.0.0.1`.
|
host | String | **Optional.** Redis host. Defaults to `127.0.0.1`.
|
||||||
port | Number | **Optional.** Redis port. Defaults to `6380` since the Redis server provided by the `icingadb-redis` package listens on that port.
|
port | Number | **Optional.** Redis port. Defaults to `6380` since the Redis server provided by the `icingadb-redis` package listens on that port.
|
||||||
path | String | **Optional.** Redis unix socket path. Can be used instead of `host` and `port` attributes.
|
path | String | **Optional.** Redis unix socket path. Can be used instead of `host` and `port` attributes.
|
||||||
|
username | String | **Optional.** Redis auth username. Only possible if Redis ACLs are used. Requires `password` to be set as well.
|
||||||
password | String | **Optional.** Redis auth password.
|
password | String | **Optional.** Redis auth password.
|
||||||
|
db\_index | Number | **Optional.** Redis logical database by its number. Defaults to `0`.
|
||||||
enable\_tls | Boolean | **Optional.** Whether to use TLS.
|
enable\_tls | Boolean | **Optional.** Whether to use TLS.
|
||||||
cert\_path | String | **Optional.** Path to the certificate.
|
cert\_path | String | **Optional.** Path to the certificate.
|
||||||
key\_path | String | **Optional.** Path to the private key.
|
key\_path | String | **Optional.** Path to the private key.
|
||||||
|
|
|
@ -47,6 +47,11 @@ void IcingaDB::Validate(int types, const ValidationUtils& utils)
|
||||||
if (!(types & FAConfig))
|
if (!(types & FAConfig))
|
||||||
return;
|
return;
|
||||||
|
|
||||||
|
if (!GetUsername().IsEmpty() && GetPassword().IsEmpty()) {
|
||||||
|
BOOST_THROW_EXCEPTION(ValidationError(this, std::vector<String>(),
|
||||||
|
"Redis password must be set, if username is provided."));
|
||||||
|
}
|
||||||
|
|
||||||
if (GetEnableTls() && GetCertPath().IsEmpty() != GetKeyPath().IsEmpty()) {
|
if (GetEnableTls() && GetCertPath().IsEmpty() != GetKeyPath().IsEmpty()) {
|
||||||
BOOST_THROW_EXCEPTION(ValidationError(this, std::vector<String>(), "Either both a client certificate (cert_path) and its private key (key_path) or none of them must be given."));
|
BOOST_THROW_EXCEPTION(ValidationError(this, std::vector<String>(), "Either both a client certificate (cert_path) and its private key (key_path) or none of them must be given."));
|
||||||
}
|
}
|
||||||
|
@ -76,7 +81,7 @@ void IcingaDB::Start(bool runtimeCreated)
|
||||||
|
|
||||||
m_WorkQueue.SetExceptionCallback([this](boost::exception_ptr exp) { ExceptionHandler(std::move(exp)); });
|
m_WorkQueue.SetExceptionCallback([this](boost::exception_ptr exp) { ExceptionHandler(std::move(exp)); });
|
||||||
|
|
||||||
m_Rcon = new RedisConnection(GetHost(), GetPort(), GetPath(), GetPassword(), GetDbIndex(),
|
m_Rcon = new RedisConnection(GetHost(), GetPort(), GetPath(), GetUsername(), GetPassword(), GetDbIndex(),
|
||||||
GetEnableTls(), GetInsecureNoverify(), GetCertPath(), GetKeyPath(), GetCaPath(), GetCrlPath(),
|
GetEnableTls(), GetInsecureNoverify(), GetCertPath(), GetKeyPath(), GetCaPath(), GetCrlPath(),
|
||||||
GetTlsProtocolmin(), GetCipherList(), GetConnectTimeout(), GetDebugInfo());
|
GetTlsProtocolmin(), GetCipherList(), GetConnectTimeout(), GetDebugInfo());
|
||||||
m_RconLocked.store(m_Rcon);
|
m_RconLocked.store(m_Rcon);
|
||||||
|
@ -86,7 +91,7 @@ void IcingaDB::Start(bool runtimeCreated)
|
||||||
if (!ctype)
|
if (!ctype)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
RedisConnection::Ptr con = new RedisConnection(GetHost(), GetPort(), GetPath(), GetPassword(), GetDbIndex(),
|
RedisConnection::Ptr con = new RedisConnection(GetHost(), GetPort(), GetPath(), GetUsername(), GetPassword(), GetDbIndex(),
|
||||||
GetEnableTls(), GetInsecureNoverify(), GetCertPath(), GetKeyPath(), GetCaPath(), GetCrlPath(),
|
GetEnableTls(), GetInsecureNoverify(), GetCertPath(), GetKeyPath(), GetCaPath(), GetCrlPath(),
|
||||||
GetTlsProtocolmin(), GetCipherList(), GetConnectTimeout(), GetDebugInfo(), m_Rcon);
|
GetTlsProtocolmin(), GetCipherList(), GetConnectTimeout(), GetDebugInfo(), m_Rcon);
|
||||||
|
|
||||||
|
|
|
@ -12,36 +12,37 @@ class IcingaDB : ConfigObject
|
||||||
{
|
{
|
||||||
activation_priority 100;
|
activation_priority 100;
|
||||||
|
|
||||||
[config] String host {
|
[config, no_user_modify] String host {
|
||||||
default {{{ return "127.0.0.1"; }}}
|
default {{{ return "127.0.0.1"; }}}
|
||||||
};
|
};
|
||||||
[config] int port {
|
[config, no_user_modify] int port {
|
||||||
default {{{ return 6380; }}}
|
default {{{ return 6380; }}}
|
||||||
};
|
};
|
||||||
[config] String path;
|
[config, no_user_modify] String path;
|
||||||
|
[config, no_user_modify] String username;
|
||||||
[config, no_user_view, no_user_modify] String password;
|
[config, no_user_view, no_user_modify] String password;
|
||||||
[config] int db_index;
|
[config, no_user_modify] int db_index;
|
||||||
|
|
||||||
[config] bool enable_tls {
|
[config, no_user_modify] bool enable_tls {
|
||||||
default {{{ return false; }}}
|
default {{{ return false; }}}
|
||||||
};
|
};
|
||||||
|
|
||||||
[config] bool insecure_noverify {
|
[config, no_user_modify] bool insecure_noverify {
|
||||||
default {{{ return false; }}}
|
default {{{ return false; }}}
|
||||||
};
|
};
|
||||||
|
|
||||||
[config] String cert_path;
|
[config, no_user_modify] String cert_path;
|
||||||
[config] String key_path;
|
[config, no_user_modify] String key_path;
|
||||||
[config] String ca_path;
|
[config, no_user_modify] String ca_path;
|
||||||
[config] String crl_path;
|
[config, no_user_modify] String crl_path;
|
||||||
[config] String cipher_list {
|
[config, no_user_modify] String cipher_list {
|
||||||
default {{{ return DEFAULT_TLS_CIPHERS; }}}
|
default {{{ return DEFAULT_TLS_CIPHERS; }}}
|
||||||
};
|
};
|
||||||
[config] String tls_protocolmin {
|
[config, no_user_modify] String tls_protocolmin {
|
||||||
default {{{ return DEFAULT_TLS_PROTOCOLMIN; }}}
|
default {{{ return DEFAULT_TLS_PROTOCOLMIN; }}}
|
||||||
};
|
};
|
||||||
|
|
||||||
[config] double connect_timeout {
|
[config, no_user_modify] double connect_timeout {
|
||||||
default {{{ return DEFAULT_CONNECT_TIMEOUT; }}}
|
default {{{ return DEFAULT_CONNECT_TIMEOUT; }}}
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -30,18 +30,18 @@ namespace asio = boost::asio;
|
||||||
|
|
||||||
boost::regex RedisConnection::m_ErrAuth ("\\AERR AUTH ");
|
boost::regex RedisConnection::m_ErrAuth ("\\AERR AUTH ");
|
||||||
|
|
||||||
RedisConnection::RedisConnection(const String& host, int port, const String& path, const String& password, int db,
|
RedisConnection::RedisConnection(const String& host, int port, const String& path, const String& username, const String& password, int db,
|
||||||
bool useTls, bool insecure, const String& certPath, const String& keyPath, const String& caPath, const String& crlPath,
|
bool useTls, bool insecure, const String& certPath, const String& keyPath, const String& caPath, const String& crlPath,
|
||||||
const String& tlsProtocolmin, const String& cipherList, double connectTimeout, DebugInfo di, const RedisConnection::Ptr& parent)
|
const String& tlsProtocolmin, const String& cipherList, double connectTimeout, DebugInfo di, const RedisConnection::Ptr& parent)
|
||||||
: RedisConnection(IoEngine::Get().GetIoContext(), host, port, path, password, db,
|
: RedisConnection(IoEngine::Get().GetIoContext(), host, port, path, username, password, db,
|
||||||
useTls, insecure, certPath, keyPath, caPath, crlPath, tlsProtocolmin, cipherList, connectTimeout, std::move(di), parent)
|
useTls, insecure, certPath, keyPath, caPath, crlPath, tlsProtocolmin, cipherList, connectTimeout, std::move(di), parent)
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
RedisConnection::RedisConnection(boost::asio::io_context& io, String host, int port, String path, String password,
|
RedisConnection::RedisConnection(boost::asio::io_context& io, String host, int port, String path, String username, String password,
|
||||||
int db, bool useTls, bool insecure, String certPath, String keyPath, String caPath, String crlPath,
|
int db, bool useTls, bool insecure, String certPath, String keyPath, String caPath, String crlPath,
|
||||||
String tlsProtocolmin, String cipherList, double connectTimeout, DebugInfo di, const RedisConnection::Ptr& parent)
|
String tlsProtocolmin, String cipherList, double connectTimeout, DebugInfo di, const RedisConnection::Ptr& parent)
|
||||||
: m_Host(std::move(host)), m_Port(port), m_Path(std::move(path)), m_Password(std::move(password)),
|
: m_Host(std::move(host)), m_Port(port), m_Path(std::move(path)), m_Username(std::move(username)), m_Password(std::move(password)),
|
||||||
m_DbIndex(db), m_CertPath(std::move(certPath)), m_KeyPath(std::move(keyPath)), m_Insecure(insecure),
|
m_DbIndex(db), m_CertPath(std::move(certPath)), m_KeyPath(std::move(keyPath)), m_Insecure(insecure),
|
||||||
m_CaPath(std::move(caPath)), m_CrlPath(std::move(crlPath)), m_TlsProtocolmin(std::move(tlsProtocolmin)),
|
m_CaPath(std::move(caPath)), m_CrlPath(std::move(crlPath)), m_TlsProtocolmin(std::move(tlsProtocolmin)),
|
||||||
m_CipherList(std::move(cipherList)), m_ConnectTimeout(connectTimeout), m_DebugInfo(std::move(di)), m_Connecting(false), m_Connected(false),
|
m_CipherList(std::move(cipherList)), m_ConnectTimeout(connectTimeout), m_DebugInfo(std::move(di)), m_Connecting(false), m_Connected(false),
|
||||||
|
|
|
@ -84,7 +84,7 @@ namespace icinga
|
||||||
: Config(config), State(state), History(history) { }
|
: Config(config), State(state), History(history) { }
|
||||||
};
|
};
|
||||||
|
|
||||||
RedisConnection(const String& host, int port, const String& path, const String& password, int db,
|
RedisConnection(const String& host, int port, const String& path, const String& username, const String& password, int db,
|
||||||
bool useTls, bool insecure, const String& certPath, const String& keyPath, const String& caPath, const String& crlPath,
|
bool useTls, bool insecure, const String& certPath, const String& keyPath, const String& caPath, const String& crlPath,
|
||||||
const String& tlsProtocolmin, const String& cipherList, double connectTimeout, DebugInfo di, const Ptr& parent = nullptr);
|
const String& tlsProtocolmin, const String& cipherList, double connectTimeout, DebugInfo di, const Ptr& parent = nullptr);
|
||||||
|
|
||||||
|
@ -196,7 +196,7 @@ namespace icinga
|
||||||
|
|
||||||
static boost::regex m_ErrAuth;
|
static boost::regex m_ErrAuth;
|
||||||
|
|
||||||
RedisConnection(boost::asio::io_context& io, String host, int port, String path, String password,
|
RedisConnection(boost::asio::io_context& io, String host, int port, String path, String username, String password,
|
||||||
int db, bool useTls, bool insecure, String certPath, String keyPath, String caPath, String crlPath,
|
int db, bool useTls, bool insecure, String certPath, String keyPath, String caPath, String crlPath,
|
||||||
String tlsProtocolmin, String cipherList, double connectTimeout, DebugInfo di, const Ptr& parent);
|
String tlsProtocolmin, String cipherList, double connectTimeout, DebugInfo di, const Ptr& parent);
|
||||||
|
|
||||||
|
@ -227,6 +227,7 @@ namespace icinga
|
||||||
String m_Path;
|
String m_Path;
|
||||||
String m_Host;
|
String m_Host;
|
||||||
int m_Port;
|
int m_Port;
|
||||||
|
String m_Username;
|
||||||
String m_Password;
|
String m_Password;
|
||||||
int m_DbIndex;
|
int m_DbIndex;
|
||||||
|
|
||||||
|
@ -457,7 +458,9 @@ void RedisConnection::Handshake(StreamPtr& strm, boost::asio::yield_context& yc)
|
||||||
// Trigger NOAUTH
|
// Trigger NOAUTH
|
||||||
WriteRESP(*strm, {"PING"}, yc);
|
WriteRESP(*strm, {"PING"}, yc);
|
||||||
} else {
|
} else {
|
||||||
if (!m_Password.IsEmpty()) {
|
if (!m_Username.IsEmpty()) {
|
||||||
|
WriteRESP(*strm, {"AUTH", m_Username, m_Password}, yc);
|
||||||
|
} else if (!m_Password.IsEmpty()) {
|
||||||
WriteRESP(*strm, {"AUTH", m_Password}, yc);
|
WriteRESP(*strm, {"AUTH", m_Password}, yc);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue