[hobbit] restricting access to hobbit

Iain Conochie iain at shihad.org
Thu Nov 15 17:06:34 CET 2007


Phil Wild wrote:
> This is correct and I expect this part to work. But all the tools 
> bypass this security. For example, if you run an sla report, it builds 
> a new directory structure and hence the user that ran the report can 
> see everything from the top level down. Also, the enable/disable menu 
> option lets you see all hosts, same with findhost or even if you muck 
> around with the hostsvc URL.

Ah ha. I see your issue.

I guess you could run multiple instances of hobbit on the same machine, 
one for each customer, and have virtual hosts in apache. Very ugly 
solution though :(

What is the hobbit server currently running on? If you are using Solaris 
you could use containers to separate the hobbit processes. And I believe 
that the Linux kernel will soon have container support too.

I think Henrik posted a workaround to this on the 7th Nov.

Cheers

Iain

>
> I was wondering if there was some way of either wrapping this 
> functionality with something that restricts the hosts (like as if 
> bbhostgrep is used as the input to all these functions or something).
>
> Has anyone achieved this or is it not possible without changing the 
> source?
>
> Phil
>
> On 16/11/2007, Iain Conochie <iain at shihad.org> wrote:
>
>     Josh Luthman wrote:
>     > With two groups of hosts you still only have one directory accessible
>     > by web.  This means Apache HTTP authentication is out of the question.
>     >
>     > That's about all I can tell you =/
>
>     Not necessarily!
>
>     You can use the PAGE statement in bb-hosts and then you have a new
>     directory for each page and sub-page underneath. You can then use
>     apache auth for that.
>
>     Then for the top level you can also use apache auth for admins
>
>     Cheers
>
>     Iain
>
>     >
>     > On 11/15/07, Phil Wild <philwild at gmail.com> wrote:
>     >
>     >     No, not quite, I want to make a single hobbit install work for two
>     >     groups of users, and I don't want group A to have any access to
>     >     see or do anything to Group B hosts and vice versa.
>     >
>     >     I am trying to find out if there is a way of restricting the
>     >     reports/tools/executables to only run against a subset of the
>     >     hosts defined in bbhosts say like using bbgrep to filter on a tag
>     >     or something for all functions.
>     >
>     >     Any ideas?
>     >
>     >     Phil
>     >
>     >
>     >     On 16/11/2007, Josh Luthman <josh at imaginenetworksllc.com> wrote:
>     >
>     >         The default Apache configuration that Hobbit makes for you
>     >         will specify requiring HTTP logins for the cgisec directory.
>     >         Is this what you're looking for?
>     >
>     >
>     >         On 11/14/07, Phil Wild <philwild at gmail.com> wrote:
>     >
>     >             Hello,
>     >
>     >             I am looking at setting up hobbit to manage two groups of
>     >             hosts. I would prefer to just deploy one hobbit
>     >             installation for both groups. For most of the hobbit web
>     >             pages, Apache security solves a lot of the browsing issues
>     >             but the cgi-bin executables and menus are the problem.
>     >
>     >             I want to make sure one group don't have access to see or
>     >             make changes to the other group's hosts.
>     >
>     >             The areas I see a problem with are:
>     >
>     >             hobbit-enadis.sh
>     >             bb-findhost.sh
>     >             hobbit-confreport.sh
>     >
>     >             I would like to restrict the above to only work with a
>     >             subset of hosts (perhaps a tag in the bbhosts file)
>     >
>     >             The reports generate web pages on the fly and drop the
>     >             user at the top level page which is not what I would
>     >             prefer (each group have their own top level page etc.)
>     >
>     >             All nongreen view is also an issue
>     >
>     >             and lastly, manually modifying the URL based on
>     >             bb-hostsvc.sh to get to a web page for a host in the other
>     >             group's list is also a problem.
>     >
>     >             Any ideas how I can address this?
>     >
>     >             Thanks
>     >
>     >             Phil
>     >
>     >
>     >
>     >
>     >         --
>     >         Josh Luthman
>     >         Office: 937-552-2340
>     >         Direct: 937-552-2343
>     >         1100 Wayne St
>     >         Suite 1337
>     >         Troy, OH 45373
>     >
>     >         Those who don't understand UNIX are condemned to reinvent it,
>     >         poorly.
>     >         --- Henry Spencer
>     >
>     >
>     >
>     >
>     >     --
>     >     Tel: 0400 466 952
>     >     Fax: 0433 123 226
>     >     email: philwild at gmail.com
>     >
>     >
>     >
>     >
>     > --
>     > Josh Luthman
>     > Office: 937-552-2340
>     > Direct: 937-552-2343
>     > 1100 Wayne St
>     > Suite 1337
>     > Troy, OH 45373
>     >
>     > Those who don't understand UNIX are condemned to reinvent it, poorly.
>     > --- Henry Spencer
>
>
>
>
>
>
>
> -- 
> Tel: 0400 466 952
> Fax: 0433 123 226
> email: philwild at gmail.com
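
The thread asks whether the CGI tools could be wrapped with something that restricts the hosts each user may reach. The following is an added example, not part of the original messages and not Hobbit's own code: a fail-closed check a wrapper script could run before handing the request to the real CGI. It assumes the wrapped CGI takes a single `HOST=` query parameter, that Apache authentication sets `REMOTE_USER`, and a constructed ACL format of `user:host` lines; `HOBBIT_ACL` and `REAL_CGI` are hypothetical variable names.

```shell
#!/bin/sh
# Added example: fail-closed per-user host check for a CGI wrapper.
# Assumptions (not from the thread): the wrapped CGI takes one HOST= query
# parameter, Apache sets REMOTE_USER, and the ACL file holds "user:host" lines.

# Print the single HOST value; fail if it is missing, repeated (in any letter
# case), or holds non-hostname characters, so %-encoded input is rejected.
query_host() {
    found="" count=0
    old_ifs=$IFS; IFS='&;'; set -f
    for pair in $1; do
        case $pair in
            [Hh][Oo][Ss][Tt]=*) found=${pair#*=}; count=$((count + 1)) ;;
        esac
    done
    set +f; IFS=$old_ifs
    [ "$count" -eq 1 ] || return 1
    case $found in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$found"
}

# Succeed only if "user:host" is an exact line in the ACL file.
host_allowed() {
    [ -n "$1" ] && [ -n "$2" ] && [ -r "$3" ] || return 1
    grep -Fqx -- "$1:$2" "$3"
}

# Full gate. Usage: gate METHOD USER QUERY_STRING ACL_FILE
gate() {
    [ "$1" = GET ] || return 1          # POST bodies are not inspected: refuse
    h=$(query_host "$3") || return 1
    host_allowed "$2" "$h" "$4"
}

# Runs only under the web server. HOBBIT_ACL and REAL_CGI are hypothetical
# variable names for the ACL path and the wrapped CGI.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    if gate "${REQUEST_METHOD:-}" "${REMOTE_USER:-}" "${QUERY_STRING:-}" \
            "${HOBBIT_ACL:-/nonexistent}" && [ -x "${REAL_CGI:-}" ]; then
        exec "$REAL_CGI"
    fi
    printf 'Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nForbidden\n'
fi
```

A check like this only covers requests that name one host; tools that list or report across all hosts are not filtered by it.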
