From 14d8f8a12e390e67ee02cbcbf07a8d462e137a98 Mon Sep 17 00:00:00 2001 From: Michael Friedrich Date: Fri, 7 Mar 2014 15:21:57 +0100 Subject: [PATCH] Documentation: Add Domains. Fixes #5288 --- doc/4.3-object-types.md | 25 ++++++++++++++++++--- doc/6-advanced-topics.md | 46 +++++++++++++++++++++++++++++++++++++- lib/base/dynamicobject.cpp | 2 +- 3 files changed, 68 insertions(+), 5 deletions(-) diff --git a/doc/4.3-object-types.md b/doc/4.3-object-types.md index 2c51cbd08..4152fe69a 100644 --- a/doc/4.3-object-types.md +++ b/doc/4.3-object-types.md @@ -118,6 +118,7 @@ Attributes: notifications |**Optional.** Inline definition of notifications. Each dictionary item specifies a notification.

The `templates` attribute can be used to specify an array of templates that should be inherited by the notification object.

The new notification object's name is "hostname:service:notification" - where "notification" is the dictionary key in the notifications dictionary. dependencies |**Optional.** Inline definition of dependencies. Each dictionary item specifies a dependency.

The `templates` attribute can be used to specify an array of templates that should be inherited by the dependency object.

The new dependency object's name is "hostname:service:dependency" - where "dependency" is the dictionary key in the dependencies dictionary. authorities |**Optional.** A list of Endpoints on which this service check will be executed in a cluster scenario. + domains |**Optional.** A list of Domains for this service object in a cluster scenario. ### ServiceGroup @@ -950,14 +951,32 @@ Attributes: ### Domain -TODO +A [Service](#objecttype-service) object can be restricted using the `domains` attribute +array specifying endpoint privileges. + +A Domain object specifices the ACLs applied for each [Endpoint](#objecttype-endpoint). Example: - TODO + object Domain "dmz-1" { + acl = { + node1 = (DomainPrivCheckResult), + node2 = (DomainPrivReadWrite) + } + } Attributes: Name |Description ----------------|---------------- - acl |TODO + acl |**Required.** Dictionary with items for Domain ACLs. + +Domain ACLs: + + Name |Description + ----------------------|---------------- + DomainPrivRead | Endpoint reads local messages and relays them to remote nodes. + DomainPrivCheckResult | Endpoint accepts check result messages from remote nodes. + DomainPrivCommand | Endpoint accepts command messages from remote nodes. + DomainPrevReadOnly | Endpoint reads local messages and relays them to remote nodes. + DomainPrivReadWrite | Combination of (DomainPrivRead | DomainPrivCheckResult | DomainPrivCommand) diff --git a/doc/6-advanced-topics.md b/doc/6-advanced-topics.md index a67e26a8c..a05581dff 100644 --- a/doc/6-advanced-topics.md +++ b/doc/6-advanced-topics.md @@ -244,7 +244,7 @@ to send configuration files. A sample config part can look like this: /** - * Configure endpoints for cluster configuration + * Configure config master endpoint */ object Endpoint "icinga-node-1" { 
@@ -256,6 +256,18 @@ A sample config part can look like this: If you update the configuration files on the configured file sender, it will force a restart on all receiving nodes after validating the new config. +A sample config part for a config receiver endpoint can look like this: + + /** + * Configure config receiver endpoint + */ + + object Endpoint "icinga-node-2" { + host = "icinga-node-2.localdomain", + port = 8888, + accept_config = [ "icinga-node-1" ] + } + By default these configuration files are saved in /var/lib/icinga2/cluster/config. In order to load configuration files which were received from a remote Icinga 2 
@@ -332,6 +344,38 @@ the Icinga 2 daemon. # icinga2 -c /etc/icinga2/node1/icinga2.conf -DIcingaLocalStateDir=/opt/node1/var +## Domains + +A [Service](#objecttype-service) object can be restricted using the `domains` attribute +array specifying endpoint privileges. +A Domain object specifices the ACLs applied for each [Endpoint](#objecttype-endpoint). + +The following example assigns the domain `dmz-db` to the service `dmz-oracledb`. Endpoint +`icinga-node-dmz-1` does not allow any object modification (no commands, check results) and only +relays local messages to the remote node(s). The endpoint `icinga-node-dmz-2` processes all +messages read and write (accept check results, commands and also relay messages to remote +nodes). + +That way the service `dmz-oracledb` on endpoint `icinga-node-dmz-1` will not be modified +by any cluster event message, and could be checked by the local authority too presenting +a different state history. `icinga-node-dmz-2` still receives all cluster message updates +from the `icinga-node-dmz-1` endpoint. + + object Host "dmz-host1" inherits "generic-host" { + services["dmz-oracledb"] = { + templates = [ "generic-service" ], + domains = [ "dmz-db" ], + authorities = [ "icinga-node-dmz-1", "icinga-node-dmz-2"], + } + } + + object Domain "dmz-db" { + acl = { + icinga-node-dmz-1 = (DomainPrivReadOnly), + icinga-node-dmz-2 = (DomainPrivReadWrite) + } + } + ## Dependencies Icinga 2 uses host and service [Dependency](#objecttype-dependency) objects either directly diff --git a/lib/base/dynamicobject.cpp b/lib/base/dynamicobject.cpp index c5dc5e8ef..fe93751d7 100644 --- a/lib/base/dynamicobject.cpp +++ b/lib/base/dynamicobject.cpp 
@@ -53,7 +53,7 @@ void DynamicObject::StaticInitialize(void) ScriptVariable::Set("DomainPrivCheckResult", DomainPrivCheckResult, true, true); ScriptVariable::Set("DomainPrivCommand", DomainPrivCommand, true, true); - ScriptVariable::Set("DomainPrevReadOnly", DomainPrivRead, true, true); + ScriptVariable::Set("DomainPrivReadOnly", DomainPrivRead, true, true); ScriptVariable::Set("DomainPrivReadWrite", DomainPrivRead | DomainPrivCheckResult | DomainPrivCommand, true, true); } -- 2.40.0
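Review bot: the new `domains` row in the Service attribute table (doc/4.3-object-types.md, first hunk) should link to the Domain object type the way the surrounding text links `[Service](#objecttype-service)` and `[Endpoint](#objecttype-endpoint)`, following the same `#objecttype-...` anchor pattern; as written, a reader of the Service attributes has no pointer to where the ACL semantics of a Domain are defined, and "A list of Domains for this service object in a cluster scenario" does not say what listing a domain does to the service.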
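Review bot: the Domain ACL table in doc/4.3-object-types.md (second hunk) disagrees with the code change in this same patch: it lists `DomainPrevReadOnly`, while lib/base/dynamicobject.cpp renames that script variable to `DomainPrivReadOnly` and the example in doc/6-advanced-topics.md already uses `DomainPrivReadOnly`, so a user copying the name from this table gets an undefined variable. Two more points in the same hunk: `DomainPrivRead` and `DomainPrevReadOnly` carry the identical description "Endpoint reads local messages and relays them to remote nodes", which hides that the read-only name maps to `DomainPrivRead` in the C++; and the attribute row `acl |**Required.** Dictionary with items for Domain ACLs.` should state that the dictionary keys are Endpoint names and the values are privilege flags, which the example only implies. Typo: "specifices" should be "specifies".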
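Review bot: the config receiver example in doc/6-advanced-topics.md (the `@@ -256` hunk) should say what `accept_config = [ "icinga-node-1" ]` grants. The paragraph just above states that an update on the configured file sender forces a restart on all receiving nodes after validating the new config, so the endpoint names in this list are the trust boundary for who may replace this node's configuration and restart it; add a sentence after the snippet making that explicit and advising that the list name only the intended config master. Minor style point: the blank line between `*/` and `object Endpoint "icinga-node-2" {` differs from the master endpoint example immediately above it.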
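Review bot: the prose in the new Domains section of doc/6-advanced-topics.md (the `@@ -332` hunk) is hard to reconcile with its own example. It says `icinga-node-dmz-1` "does not allow any object modification (no commands, check results)" and that the service "will not be modified by any cluster event message", yet the Host example lists `icinga-node-dmz-1` in `authorities` and the next sentence says the service "could be checked by the local authority too presenting a different state history"; spell out that locally produced check results still apply on that node while check results and commands arriving from remote nodes are dropped, otherwise the reader concludes the service never changes state. Wording: "specifices" should be "specifies", "processes all messages read and write" should be "processes all messages for read and write", and "too presenting" needs a comma or rewording. Also confirm that bare hyphenated dictionary keys such as `icinga-node-dmz-1 = (DomainPrivReadOnly)` are accepted by the config parser; the 4.3 example only uses plain `node1`/`node2` keys, so if hyphens need quoting the example should quote them.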
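Review bot: the lib/base/dynamicobject.cpp hunk renames a user-visible config-language constant from `DomainPrevReadOnly` to `DomainPrivReadOnly`, which the commit message ("Documentation: Add Domains.") does not mention; any existing configuration that references the old name stops validating after this change. Either keep `ScriptVariable::Set("DomainPrevReadOnly", DomainPrivRead, true, true);` alongside the new line as a deprecated alias, or state the rename in the commit message and in the docs, and in either case update the ACL table in doc/4.3-object-types.md, which this same patch leaves on the old name.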