mirror of
https://github.com/Icinga/icingaweb2.git
synced 2025-07-31 01:34:09 +02:00
Johannes Meyer
commit
edaa51c41d
@ -78,7 +78,7 @@ class DbTool
|
|||||||
'INSERT' => 29,
|
'INSERT' => 29,
|
||||||
'LOCK TABLES' => 5,
|
'LOCK TABLES' => 5,
|
||||||
'PROCESS' => 1,
|
'PROCESS' => 1,
|
||||||
'REFERENCES' => 0,
|
'REFERENCES' => 12,
|
||||||
'RELOAD' => 1,
|
'RELOAD' => 1,
|
||||||
'REPLICATION CLIENT' => 1,
|
'REPLICATION CLIENT' => 1,
|
||||||
'REPLICATION SLAVE' => 1,
|
'REPLICATION SLAVE' => 1,
|
||||||
@ -629,10 +629,6 @@ EOD;
|
|||||||
$mysqlPrivileges = array_intersect($privileges, array_keys($this->mysqlGrantContexts));
|
$mysqlPrivileges = array_intersect($privileges, array_keys($this->mysqlGrantContexts));
|
||||||
list($_, $host) = explode('@', $this->query('select current_user()')->fetchColumn());
|
list($_, $host) = explode('@', $this->query('select current_user()')->fetchColumn());
|
||||||
$grantee = "'" . ($username === null ? $this->config['username'] : $username) . "'@'" . $host . "'";
|
$grantee = "'" . ($username === null ? $this->config['username'] : $username) . "'@'" . $host . "'";
|
||||||
$privilegeCondition = sprintf(
|
|
||||||
'privilege_type IN (%s)',
|
|
||||||
join(',', array_map(array($this, 'quote'), $mysqlPrivileges))
|
|
||||||
);
|
|
||||||
|
|
||||||
if (isset($this->config['dbname'])) {
|
if (isset($this->config['dbname'])) {
|
||||||
$dbPrivileges = array();
|
$dbPrivileges = array();
|
||||||
@ -653,7 +649,7 @@ EOD;
|
|||||||
. ' FROM information_schema.schema_privileges'
|
. ' FROM information_schema.schema_privileges'
|
||||||
. ' WHERE grantee = :grantee'
|
. ' WHERE grantee = :grantee'
|
||||||
. ' AND table_schema = :dbname'
|
. ' AND table_schema = :dbname'
|
||||||
. ' AND ' . $privilegeCondition
|
. ' AND privilege_type IN (' . join(',', array_map(array($this, 'quote'), $dbPrivileges)) . ')'
|
||||||
. ($requireGrants ? " AND is_grantable = 'YES'" : ''),
|
. ($requireGrants ? " AND is_grantable = 'YES'" : ''),
|
||||||
array(':grantee' => $grantee, ':dbname' => $this->config['dbname'])
|
array(':grantee' => $grantee, ':dbname' => $this->config['dbname'])
|
||||||
);
|
);
|
||||||
@ -666,14 +662,13 @@ EOD;
|
|||||||
!$dbPrivilegesGranted || array_intersect($dbPrivileges, $tablePrivileges) != $tablePrivileges
|
!$dbPrivilegesGranted || array_intersect($dbPrivileges, $tablePrivileges) != $tablePrivileges
|
||||||
)
|
)
|
||||||
) {
|
) {
|
||||||
$tableCondition = 'table_name IN (' . join(',', array_map(array($this, 'quote'), $context)) . ')';
|
|
||||||
$query = $this->query(
|
$query = $this->query(
|
||||||
'SELECT COUNT(*) as matches'
|
'SELECT COUNT(*) as matches'
|
||||||
. ' FROM information_schema.table_privileges'
|
. ' FROM information_schema.table_privileges'
|
||||||
. ' WHERE grantee = :grantee'
|
. ' WHERE grantee = :grantee'
|
||||||
. ' AND table_schema = :dbname'
|
. ' AND table_schema = :dbname'
|
||||||
. ' AND ' . $tableCondition
|
. ' AND table_name IN (' . join(',', array_map(array($this, 'quote'), $context)) . ')'
|
||||||
. ' AND ' . $privilegeCondition
|
. ' AND privilege_type IN (' . join(',', array_map(array($this, 'quote'), $tablePrivileges)) . ')'
|
||||||
. ($requireGrants ? " AND is_grantable = 'YES'" : ''),
|
. ($requireGrants ? " AND is_grantable = 'YES'" : ''),
|
||||||
array(':grantee' => $grantee, ':dbname' => $this->config['dbname'])
|
array(':grantee' => $grantee, ':dbname' => $this->config['dbname'])
|
||||||
);
|
);
|
||||||
@ -688,7 +683,8 @@ EOD;
|
|||||||
|
|
||||||
$query = $this->query(
|
$query = $this->query(
|
||||||
'SELECT COUNT(*) as matches FROM information_schema.user_privileges WHERE grantee = :grantee'
|
'SELECT COUNT(*) as matches FROM information_schema.user_privileges WHERE grantee = :grantee'
|
||||||
. ' AND ' . $privilegeCondition . ($requireGrants ? " AND is_grantable = 'YES'" : ''),
|
. ' AND privilege_type IN (' . join(',', array_map(array($this, 'quote'), $mysqlPrivileges)) . ')'
|
||||||
|
. ($requireGrants ? " AND is_grantable = 'YES'" : ''),
|
||||||
array(':grantee' => $grantee)
|
array(':grantee' => $grantee)
|
||||||
);
|
);
|
||||||
return (int) $query->fetchObject()->matches === count($mysqlPrivileges);
|
return (int) $query->fetchObject()->matches === count($mysqlPrivileges);
|
||||||
@ -721,7 +717,8 @@ EOD;
|
|||||||
foreach (array_intersect($privileges, array_keys($this->pgsqlGrantContexts)) as $privilege) {
|
foreach (array_intersect($privileges, array_keys($this->pgsqlGrantContexts)) as $privilege) {
|
||||||
if (false === empty($context) && $this->pgsqlGrantContexts[$privilege] & static::TABLE_LEVEL) {
|
if (false === empty($context) && $this->pgsqlGrantContexts[$privilege] & static::TABLE_LEVEL) {
|
||||||
$tablePrivileges[] = $privilege;
|
$tablePrivileges[] = $privilege;
|
||||||
} elseif ($this->pgsqlGrantContexts[$privilege] & static::DATABASE_LEVEL) {
|
}
|
||||||
|
if ($this->pgsqlGrantContexts[$privilege] & static::DATABASE_LEVEL) {
|
||||||
$dbPrivileges[] = $privilege;
|
$dbPrivileges[] = $privilege;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -760,14 +757,14 @@ EOD;
|
|||||||
// connected to the database defined in the resource configuration it is safe to just ignore them
|
// connected to the database defined in the resource configuration it is safe to just ignore them
|
||||||
// as the chances are very high that the database is created later causing the current user being
|
// as the chances are very high that the database is created later causing the current user being
|
||||||
// the owner with ALL privileges. (Which in turn can be granted to others.)
|
// the owner with ALL privileges. (Which in turn can be granted to others.)
|
||||||
}
|
|
||||||
|
|
||||||
if (array_search('CREATE', $privileges) !== false) {
|
if (array_search('CREATE', $privileges) !== false) {
|
||||||
$query = $this->query(
|
$query = $this->query(
|
||||||
'select rolcreatedb from pg_roles where rolname = :user',
|
'select rolcreatedb from pg_roles where rolname = :user',
|
||||||
array(':user' => $username !== null ? $username : $this->config['username'])
|
array(':user' => $username !== null ? $username : $this->config['username'])
|
||||||
);
|
);
|
||||||
$privilegesGranted &= $query->fetchColumn() !== false;
|
$privilegesGranted &= $query->fetchColumn() !== false;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (array_search('CREATEROLE', $privileges) !== false) {
|
if (array_search('CREATEROLE', $privileges) !== false) {
|
||||||
|
|||||||
@ -17,7 +17,7 @@ use Icinga\Module\Setup\Forms\PreferencesPage;
|
|||||||
use Icinga\Module\Setup\Forms\AuthBackendPage;
|
use Icinga\Module\Setup\Forms\AuthBackendPage;
|
||||||
use Icinga\Module\Setup\Forms\AdminAccountPage;
|
use Icinga\Module\Setup\Forms\AdminAccountPage;
|
||||||
use Icinga\Module\Setup\Forms\LdapDiscoveryPage;
|
use Icinga\Module\Setup\Forms\LdapDiscoveryPage;
|
||||||
use Icinga\Module\Setup\Forms\LdapDiscoveryConfirmPage;
|
//use Icinga\Module\Setup\Forms\LdapDiscoveryConfirmPage;
|
||||||
use Icinga\Module\Setup\Forms\LdapResourcePage;
|
use Icinga\Module\Setup\Forms\LdapResourcePage;
|
||||||
use Icinga\Module\Setup\Forms\RequirementsPage;
|
use Icinga\Module\Setup\Forms\RequirementsPage;
|
||||||
use Icinga\Module\Setup\Forms\GeneralConfigPage;
|
use Icinga\Module\Setup\Forms\GeneralConfigPage;
|
||||||
@ -41,6 +41,17 @@ use Icinga\Module\Setup\Requirement\ConfigDirectoryRequirement;
|
|||||||
*/
|
*/
|
||||||
class WebWizard extends Wizard implements SetupWizard
|
class WebWizard extends Wizard implements SetupWizard
|
||||||
{
|
{
|
||||||
|
/**
|
||||||
|
* The privileges required by Icinga Web 2 to create the database and a login
|
||||||
|
*
|
||||||
|
* @var array
|
||||||
|
*/
|
||||||
|
protected $databaseCreationPrivileges = array(
|
||||||
|
'CREATE',
|
||||||
|
'CREATE USER', // MySQL
|
||||||
|
'CREATEROLE' // PostgreSQL
|
||||||
|
);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The privileges required by Icinga Web 2 to setup the database
|
* The privileges required by Icinga Web 2 to setup the database
|
||||||
*
|
*
|
||||||
@ -48,10 +59,8 @@ class WebWizard extends Wizard implements SetupWizard
|
|||||||
*/
|
*/
|
||||||
protected $databaseSetupPrivileges = array(
|
protected $databaseSetupPrivileges = array(
|
||||||
'CREATE',
|
'CREATE',
|
||||||
'ALTER',
|
'ALTER', // MySQL only
|
||||||
'REFERENCES',
|
'REFERENCES'
|
||||||
'CREATE USER', // MySQL
|
|
||||||
'CREATEROLE' // PostgreSQL
|
|
||||||
);
|
);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -148,7 +157,9 @@ class WebWizard extends Wizard implements SetupWizard
|
|||||||
$page->setResourceConfig($this->getPageData('setup_ldap_resource'));
|
$page->setResourceConfig($this->getPageData('setup_ldap_resource'));
|
||||||
}
|
}
|
||||||
} elseif ($page->getName() === 'setup_database_creation') {
|
} elseif ($page->getName() === 'setup_database_creation') {
|
||||||
$page->setDatabaseSetupPrivileges($this->databaseSetupPrivileges);
|
$page->setDatabaseSetupPrivileges(
|
||||||
|
array_merge($this->databaseCreationPrivileges, $this->databaseSetupPrivileges)
|
||||||
|
);
|
||||||
$page->setDatabaseUsagePrivileges($this->databaseUsagePrivileges);
|
$page->setDatabaseUsagePrivileges($this->databaseUsagePrivileges);
|
||||||
$page->setResourceConfig($this->getPageData('setup_db_resource'));
|
$page->setResourceConfig($this->getPageData('setup_db_resource'));
|
||||||
} elseif ($page->getName() === 'setup_summary') {
|
} elseif ($page->getName() === 'setup_summary') {
|
||||||
@ -211,8 +222,8 @@ class WebWizard extends Wizard implements SetupWizard
|
|||||||
try {
|
try {
|
||||||
$db->connectToDb(); // Are we able to login on the database?
|
$db->connectToDb(); // Are we able to login on the database?
|
||||||
if (array_search(key($this->databaseTables), $db->listTables()) === false) {
|
if (array_search(key($this->databaseTables), $db->listTables()) === false) {
|
||||||
// In case the database schema does not yet exist the user
|
// In case the database schema does not yet exist the
|
||||||
// needs the privileges to create and setup the database
|
// user needs the privileges to setup the database
|
||||||
$skip = $db->checkPrivileges($this->databaseSetupPrivileges, $this->databaseTables);
|
$skip = $db->checkPrivileges($this->databaseSetupPrivileges, $this->databaseTables);
|
||||||
} else {
|
} else {
|
||||||
// In case the database schema exists the user needs the required privileges
|
// In case the database schema exists the user needs the required privileges
|
||||||
@ -224,7 +235,10 @@ class WebWizard extends Wizard implements SetupWizard
|
|||||||
$db->connectToHost(); // Are we able to login on the server?
|
$db->connectToHost(); // Are we able to login on the server?
|
||||||
// It is not possible to reliably determine whether a database exists or not if a user can't
|
// It is not possible to reliably determine whether a database exists or not if a user can't
|
||||||
// log in to the database, so we just require the user to be able to create the database
|
// log in to the database, so we just require the user to be able to create the database
|
||||||
$skip = $db->checkPrivileges($this->databaseSetupPrivileges, $this->databaseTables);
|
$skip = $db->checkPrivileges(
|
||||||
|
array_merge($this->databaseCreationPrivileges, $this->databaseSetupPrivileges),
|
||||||
|
$this->databaseTables
|
||||||
|
);
|
||||||
} catch (PDOException $_) {
|
} catch (PDOException $_) {
|
||||||
// We are NOT able to login on the server..
|
// We are NOT able to login on the server..
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user