Switch nagios over to krb

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>

roles/nagios/server/files/nagios-external/cgi.cfg

@@ -140,7 +140,7 @@ authorized_for_configuration_information=*
 # authenticated to the web server.
 
 #authorized_for_system_commands=nagiosadmin
-authorized_for_system_commands=http://athmane.id.fedoraproject.org/,http://ausil.id.fedoraproject.org/,http://averi.id.fedoraproject.org/,http://badone.id.fedoraproject.org/,http://codeblock.id.fedoraproject.org/,http://hvivani.id.fedoraproject.org/,http://ianweller.id.fedoraproject.org/,http://jspaleta.id.fedoraproject.org/,http://jstanley.id.fedoraproject.org/,http://kevin.id.fedoraproject.org/,http://lbazan.id.fedoraproject.org/,http://lmacken.id.fedoraproject.org/,http://maxamillio.id.fedoraproject.org/,http://mmahut.id.fedoraproject.org/,http://mmcgrath.id.fedoraproject.org/,http://nb.id.fedoraproject.org/,http://pfrields.id.fedoraproject.org/,http://puiterwijk.id.fedoraproject.org/,http://rafaelgomes.id.fedoraproject.org/,http://ralph.id.fedoraproject.org/,http://sijis.id.fedoraproject.org/,http://smooge.id.fedoraproject.org/,http://susmit.id.fedoraproject.org/,http://tibbs.id.fedoraproject.org/,http://tmz.id.fedoraproject.org/,http://wsterling.id.fedoraproject.org/,http://mdomsch.id.fedoraproject.org/,http://notting.id.fedoraproject.org/,http://ricky.id.fedoraproject.org/,http://toshio.id.fedoraproject.org/,http://spot.id.fedoraproject.org/,http://mahrud.id.fedoraproject.org/,http://karsten.id.fedoraproject.org/,http://parasense.id.fedoraproject.org/,http://pingou.id.fedoraproject.org/,http://tflink.id.fedoraproject.org/,http://mizdebsk.id.fedoraproject.org/,http://msimacek.id.fedoraproject.org/
+authorized_for_system_commands=athmane,ausil,averi,badone,codeblock,hvivani,ianweller,jspaleta,jstanley,kevin,lbazan,lmacken,maxamillio,mmahut,mmcgrath,nb,pfrields,puiterwijk,rafaelgomes,ralph,sijis,smooge,susmit,tibbs,tmz,wsterling,mdomsch,notting,ricky,toshio,spot,mahrud,karsten,parasense,pingou,tflink,mizdebsk,msimacek
 
 
 
@@ -168,9 +168,9 @@ authorized_for_all_hosts=*
 
 #authorized_for_all_service_commands=nagiosadmin
 #authorized_for_all_host_commands=nagiosadmin
-authorized_for_all_service_commands=http://athmane.id.fedoraproject.org/,http://ausil.id.fedoraproject.org/,http://averi.id.fedoraproject.org/,http://badone.id.fedoraproject.org/,http://codeblock.id.fedoraproject.org/,http://dwa.id.fedoraproject.org/,http://hvivani.id.fedoraproject.org/,http://ianweller.id.fedoraproject.org/,http://jspaleta.id.fedoraproject.org/,http://jstanley.id.fedoraproject.org/,http://kevin.id.fedoraproject.org/,http://lbazan.id.fedoraproject.org/,http://lmacken.id.fedoraproject.org/,http://maxamillio.id.fedoraproject.org/,http://mmahut.id.fedoraproject.org/,http://mmcgrath.id.fedoraproject.org/,http://nb.id.fedoraproject.org/,http://pfrields.id.fedoraproject.org/,http://puiterwijk.id.fedoraproject.org/,http://rafaelgomes.id.fedoraproject.org/,http://ralph.id.fedoraproject.org/,http://sijis.id.fedoraproject.org/,http://smooge.id.fedoraproject.org/,http://susmit.id.fedoraproject.org/,http://tibbs.id.fedoraproject.org/,http://tmz.id.fedoraproject.org/,http://wsterling.id.fedoraproject.org/,http://mdomsch.id.fedoraproject.org/,http://notting.id.fedoraproject.org/,http://ricky.id.fedoraproject.org/,http://toshio.id.fedoraproject.org/,http://spot.id.fedoraproject.org/,http://mahrud.id.fedoraproject.org/,http://dwa.id.fedoraproject.org/,http://karsten.id.fedoraproject.org/,http://pingou.id.fedoraproject.org/,http://tflink.id.fedoraproject.org/,http://mizdebsk.id.fedoraproject.org/,http://msimacek.id.fedoraproject.org/
+authorized_for_all_service_commands=athmane,ausil,averi,badone,codeblock,dwa,hvivani,ianweller,jspaleta,jstanley,kevin,lbazan,lmacken,maxamillio,mmahut,mmcgrath,nb,pfrields,puiterwijk,rafaelgomes,ralph,sijis,smooge,susmit,tibbs,tmz,wsterling,mdomsch,notting,ricky,toshio,spot,mahrud,dwa,karsten,pingou,tflink,mizdebsk,msimacek
 
-authorized_for_all_host_commands=http://athmane.id.fedoraproject.org/,http://ausil.id.fedoraproject.org/,http://averi.id.fedoraproject.org/,http://badone.id.fedoraproject.org/,http://codeblock.id.fedoraproject.org/,http://dwa.id.fedoraproject.org/,http://hvivani.id.fedoraproject.org/,http://ianweller.id.fedoraproject.org/,http://jspaleta.id.fedoraproject.org/,http://jstanley.id.fedoraproject.org/,http://kevin.id.fedoraproject.org/,http://lbazan.id.fedoraproject.org/,http://lmacken.id.fedoraproject.org/,http://maxamillio.id.fedoraproject.org/,http://mmahut.id.fedoraproject.org/,http://mmcgrath.id.fedoraproject.org/,http://nb.id.fedoraproject.org/,http://pfrields.id.fedoraproject.org/,http://puiterwijk.id.fedoraproject.org/,http://rafaelgomes.id.fedoraproject.org/,http://ralph.id.fedoraproject.org/,http://sijis.id.fedoraproject.org/,http://smooge.id.fedoraproject.org/,http://susmit.id.fedoraproject.org/,http://tibbs.id.fedoraproject.org/,http://tmz.id.fedoraproject.org/,http://wsterling.id.fedoraproject.org/,http://mdomsch.id.fedoraproject.org/,http://notting.id.fedoraproject.org/,http://ricky.id.fedoraproject.org/,http://toshio.id.fedoraproject.org/,http://spot.id.fedoraproject.org/,http://mahrud.id.fedoraproject.org/,http://dwa.id.fedoraproject.org/,http://karsten.id.fedoraproject.org/,http://pingou.id.fedoraproject.org/,http://tflink.id.fedoraproject.org/,http://mizdebsk.id.fedoraproject.org/,http://msimacek.id.fedoraproject.org/
+authorized_for_all_host_commands=athmane,ausil,averi,badone,codeblock,dwa,hvivani,ianweller,jspaleta,jstanley,kevin,lbazan,lmacken,maxamillio,mmahut,mmcgrath,nb,pfrields,puiterwijk,rafaelgomes,ralph,sijis,smooge,susmit,tibbs,tmz,wsterling,mdomsch,notting,ricky,toshio,spot,mahrud,dwa,karsten,pingou,tflink,mizdebsk,msimacek
 
 
 

roles/nagios/server/files/nagios/cgi.cfg

@@ -140,7 +140,7 @@ authorized_for_configuration_information=*
 # authenticated to the web server.
 
 #authorized_for_system_commands=nagiosadmin
-authorized_for_system_commands=http://athmane.id.fedoraproject.org/,http://ausil.id.fedoraproject.org/,http://averi.id.fedoraproject.org/,http://badone.id.fedoraproject.org/,http://codeblock.id.fedoraproject.org/,http://hvivani.id.fedoraproject.org/,http://ianweller.id.fedoraproject.org/,http://jspaleta.id.fedoraproject.org/,http://jstanley.id.fedoraproject.org/,http://kevin.id.fedoraproject.org/,http://lbazan.id.fedoraproject.org/,http://lmacken.id.fedoraproject.org/,http://maxamillio.id.fedoraproject.org/,http://mmahut.id.fedoraproject.org/,http://mmcgrath.id.fedoraproject.org/,http://nb.id.fedoraproject.org/,http://pfrields.id.fedoraproject.org/,http://puiterwijk.id.fedoraproject.org/,http://rafaelgomes.id.fedoraproject.org/,http://ralph.id.fedoraproject.org/,http://sijis.id.fedoraproject.org/,http://smooge.id.fedoraproject.org/,http://susmit.id.fedoraproject.org/,http://tibbs.id.fedoraproject.org/,http://tmz.id.fedoraproject.org/,http://wsterling.id.fedoraproject.org/,http://mdomsch.id.fedoraproject.org/,http://notting.id.fedoraproject.org/,http://ricky.id.fedoraproject.org/,http://toshio.id.fedoraproject.org/,http://spot.id.fedoraproject.org/,http://mahrud.id.fedoraproject.org/,http://karsten.id.fedoraproject.org/,http://parasense.id.fedoraproject.org/,http://pingou.id.fedoraproject.org/,http://tflink.id.fedoraproject.org/,http://mizdebsk.id.fedoraproject.org/,http://msimacek.id.fedoraproject.org/
+authorized_for_system_commands=athmane,ausil,averi,badone,codeblock,hvivani,ianweller,jspaleta,jstanley,kevin,lbazan,lmacken,maxamillio,mmahut,mmcgrath,nb,pfrields,puiterwijk,rafaelgomes,ralph,sijis,smooge,susmit,tibbs,tmz,wsterling,mdomsch,notting,ricky,toshio,spot,mahrud,karsten,parasense,pingou,tflink,mizdebsk,msimacek
 
 
 
@@ -168,9 +168,9 @@ authorized_for_all_hosts=*
 
 #authorized_for_all_service_commands=nagiosadmin
 #authorized_for_all_host_commands=nagiosadmin
-authorized_for_all_service_commands=http://athmane.id.fedoraproject.org/,http://ausil.id.fedoraproject.org/,http://averi.id.fedoraproject.org/,http://badone.id.fedoraproject.org/,http://codeblock.id.fedoraproject.org/,http://dwa.id.fedoraproject.org/,http://hvivani.id.fedoraproject.org/,http://ianweller.id.fedoraproject.org/,http://jspaleta.id.fedoraproject.org/,http://jstanley.id.fedoraproject.org/,http://kevin.id.fedoraproject.org/,http://lbazan.id.fedoraproject.org/,http://lmacken.id.fedoraproject.org/,http://maxamillio.id.fedoraproject.org/,http://mmahut.id.fedoraproject.org/,http://mmcgrath.id.fedoraproject.org/,http://nb.id.fedoraproject.org/,http://pfrields.id.fedoraproject.org/,http://puiterwijk.id.fedoraproject.org/,http://rafaelgomes.id.fedoraproject.org/,http://ralph.id.fedoraproject.org/,http://sijis.id.fedoraproject.org/,http://smooge.id.fedoraproject.org/,http://susmit.id.fedoraproject.org/,http://tibbs.id.fedoraproject.org/,http://tmz.id.fedoraproject.org/,http://wsterling.id.fedoraproject.org/,http://mdomsch.id.fedoraproject.org/,http://notting.id.fedoraproject.org/,http://ricky.id.fedoraproject.org/,http://toshio.id.fedoraproject.org/,http://spot.id.fedoraproject.org/,http://mahrud.id.fedoraproject.org/,http://dwa.id.fedoraproject.org/,http://karsten.id.fedoraproject.org/,http://pingou.id.fedoraproject.org/,http://tflink.id.fedoraproject.org/,http://mizdebsk.id.fedoraproject.org/,http://msimacek.id.fedoraproject.org/
+authorized_for_all_service_commands=athmane,ausil,averi,badone,codeblock,dwa,hvivani,ianweller,jspaleta,jstanley,kevin,lbazan,lmacken,maxamillio,mmahut,mmcgrath,nb,pfrields,puiterwijk,rafaelgomes,ralph,sijis,smooge,susmit,tibbs,tmz,wsterling,mdomsch,notting,ricky,toshio,spot,mahrud,dwa,karsten,pingou,tflink,mizdebsk,msimacek
 
-authorized_for_all_host_commands=http://athmane.id.fedoraproject.org/,http://ausil.id.fedoraproject.org/,http://averi.id.fedoraproject.org/,http://badone.id.fedoraproject.org/,http://codeblock.id.fedoraproject.org/,http://dwa.id.fedoraproject.org/,http://hvivani.id.fedoraproject.org/,http://ianweller.id.fedoraproject.org/,http://jspaleta.id.fedoraproject.org/,http://jstanley.id.fedoraproject.org/,http://kevin.id.fedoraproject.org/,http://lbazan.id.fedoraproject.org/,http://lmacken.id.fedoraproject.org/,http://maxamillio.id.fedoraproject.org/,http://mmahut.id.fedoraproject.org/,http://mmcgrath.id.fedoraproject.org/,http://nb.id.fedoraproject.org/,http://pfrields.id.fedoraproject.org/,http://puiterwijk.id.fedoraproject.org/,http://rafaelgomes.id.fedoraproject.org/,http://ralph.id.fedoraproject.org/,http://sijis.id.fedoraproject.org/,http://smooge.id.fedoraproject.org/,http://susmit.id.fedoraproject.org/,http://tibbs.id.fedoraproject.org/,http://tmz.id.fedoraproject.org/,http://wsterling.id.fedoraproject.org/,http://mdomsch.id.fedoraproject.org/,http://notting.id.fedoraproject.org/,http://ricky.id.fedoraproject.org/,http://toshio.id.fedoraproject.org/,http://spot.id.fedoraproject.org/,http://mahrud.id.fedoraproject.org/,http://dwa.id.fedoraproject.org/,http://karsten.id.fedoraproject.org/,http://pingou.id.fedoraproject.org/,http://tflink.id.fedoraproject.org/,http://mizdebsk.id.fedoraproject.org/,http://msimacek.id.fedoraproject.org/
+authorized_for_all_host_commands=athmane,ausil,averi,badone,codeblock,dwa,hvivani,ianweller,jspaleta,jstanley,kevin,lbazan,lmacken,maxamillio,mmahut,mmcgrath,nb,pfrields,puiterwijk,rafaelgomes,ralph,sijis,smooge,susmit,tibbs,tmz,wsterling,mdomsch,notting,ricky,toshio,spot,mahrud,dwa,karsten,pingou,tflink,mizdebsk,msimacek
 
 
 # STATUSMAP BACKGROUND IMAGE

roles/nagios/server/templates/nagios-httpd.conf

@@ -8,28 +8,22 @@ ScriptAlias /nagios-just-a-test/cgi-bin/ /usr/lib64/nagios/cgi-bin/
 
 ScriptAlias	/tac.cgi	/usr/lib64/nagios/cgi-bin/tac.cgi
 
+<Location />
+  AuthName "Nagios GSSAPI Login"
+  GssapiCredStore keytab:/etc/krb5.HTTP_admin.fedoraproject.org.keytab
+  AuthType GSSAPI
+  # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
+  GssapiSSLonly Off
+  GssapiLocalName on
+  Require valid-user
+</Location>
+
 <Location ~ "/(nagios|nagios-external|nagios-just-a-test)/cgi-bin/>
   Options ExecCGI
-  AuthType OpenID
-  require valid-user
-  AuthOpenIDSingleIdP https://id.fedoraproject.org/
-  AuthOpenIDSecureCookie on
-  AuthOpenIDTrustRoot https://admin.fedoraproject.org
-  AuthOpenIDServerName https://admin.fedoraproject.org
-  # 3 hours
-  AuthOpenIDCookieLifespan 10800
 </Location>
 
 <Directory "/usr/share/nagios/html">
   Options None
-  AuthType OpenID
-  AuthOpenIDSingleIdP https://id.fedoraproject.org/openid/
-  AuthOpenIDSecureCookie on
-  AuthOpenIDTrustRoot https://admin.fedoraproject.org
-  AuthOpenIDServerName https://admin.fedoraproject.org
-  # 3 hours
-  AuthOpenIDCookieLifespan 10800
-  Require valid-user granted
 </Directory>
 
 Alias /nagios /usr/share/nagios/html/