[MEDIUM] stats: add an admin level
The stats web interface must be read-only by default to prevent security
holes. As it can now enable/disable servers, a new keyword "stats admin"
is introduced to activate this admin level, conditioned by ACLs.
(cherry picked from commit 5334bab92ca7debe36df69983c19c21b6dc63f78)
diff --git a/include/common/uri_auth.h b/include/common/uri_auth.h
index bffd694..906cb2c 100644
--- a/include/common/uri_auth.h
+++ b/include/common/uri_auth.h
@@ -43,6 +43,7 @@
struct stat_scope *scope; /* linked list of authorized proxies */
struct userlist *userlist; /* private userlist to emulate legacy "stats auth user:password" */
struct list req_acl; /* http stats ACL: allow/deny/auth */
+ struct list admin_rules; /* 'stats admin' rules (chained) */
struct uri_auth *next; /* Used at deinit() to build a list of unique elements */
};
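Review bot: The new `admin_rules` list head in `struct uri_auth` must be initialised wherever a `uri_auth` is allocated, and nothing in this hunk shows that happening. With an uninitialised head, the code that walks the rules to decide on admin access would follow garbage pointers. If the initialisation is done elsewhere in the commit (for example with `LIST_INIT` next to the one for `req_acl`), the field comment should still state the security default: `/* 'stats admin' rules (chained); empty list = read-only, no admin access */`. The struct definition begins outside the hunk.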
@@ -61,6 +62,12 @@
#endif
+struct stats_admin_rule {
+ struct list list; /* list linked to from the proxy */
+ struct acl_cond *cond; /* acl condition to meet */
+};
+
+
/* Various functions used to set the fields during the configuration parsing.
* Please that all those function can initialize the root entry in order not to
* force the user to respect a certain order in the configuration file.
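Review bot: The comment on `list` in `struct stats_admin_rule` says the rule is linked from the proxy, but the only list head visible in this diff is `admin_rules` in `struct uri_auth`; `/* linked into uri_auth->admin_rules */` would match what the diff shows. The struct also lacks a header comment, although it carries the authorization decision for state-changing actions. Such a comment should say what a NULL `cond` means (presumably an unconditional grant, to be confirmed against the parser) and how several chained rules combine. The two consecutive blank lines added after the struct can be reduced to one.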
diff --git a/include/proto/dumpstats.h b/include/proto/dumpstats.h
index 7038f46..9cf5eec 100644
--- a/include/proto/dumpstats.h
+++ b/include/proto/dumpstats.h
@@ -33,6 +33,7 @@
#define STAT_SHOW_INFO 0x00000004 /* dump the info part */
#define STAT_HIDE_DOWN 0x00000008 /* hide 'down' servers in the stats page */
#define STAT_NO_REFRESH 0x00000010 /* do not automatically refresh the stats page */
+#define STAT_ADMIN 0x00000020 /* indicate a stats admin level */
#define STAT_BOUND 0x00800000 /* bound statistics to selected proxies/types/services */
#define STATS_TYPE_FE 0
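Review bot: `STAT_ADMIN` is an authorization bit placed in the same flags word as display options such as `STAT_HIDE_DOWN` and `STAT_NO_REFRESH`, and its comment does not say who is allowed to set it. If any neighbouring flag is derived from request parameters, the code that builds this word has to guarantee that `STAT_ADMIN` comes only from evaluating the 'stats admin' rules. It should also be cleared before each request is evaluated, so the level cannot carry over. A comment that records this would be `/* set only after a 'stats admin' rule matched; permits state-changing actions */`.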
@@ -58,6 +59,7 @@
#define STAT_STATUS_DONE "DONE" /* the action is successful */
#define STAT_STATUS_NONE "NONE" /* nothing happened (no action chosen or servers state didn't change) */
#define STAT_STATUS_EXCD "EXCD" /* an error occured becayse the buffer couldn't store all data */
+#define STAT_STATUS_DENY "DENY" /* action denied */
int stats_accept(struct session *s);