[rrd-developers] [RRDCacheD] Authentication (was: Why / How / When is version 1.2 developed?)

Florian Forster rrdtool at nospam.verplant.org
Wed Apr 8 10:18:17 CEST 2009

Hi Tobi,

On Wed, Apr 08, 2009 at 07:38:06AM +0200, Tobias Oetiker wrote:
> I have been telling people about the daemon feature at recent talks
> and the auth question came up often ... the reason fetch is tipping
> the scale for me is that with this functionality rrdcached goes
> from a 'submit only' server to a 'read/write' server ...

interesting point that ‘write’ without authentication is less of a
security concern than ‘read/write’.

> and providing something read/write over the network without
> authentication is a recepie for trouble in my book.

My point of view is that currently, RRDCacheD is simply not suited to be
used in the public without protection. If people don't like this,
they're free not to use the daemon. If they want to use the daemon, it
is (always!) their responsibility to ensure security and currently this
means setting up a firewall/packet filter, VPN, tunnel or use only UNIX
domain sockets. And if all that doesn't fit their bill they should – in
the best of all FOSS traditions – “submit patches!”

Please note that I'm not at all against implementing authentication. I'm
only arguing that currently it's not available and people have to cope
with that one way or another. Keeping out features because of that is
not the way to go in my opinion.

> I am sure create / delete / tune ... will follow shortly ...

Of course they will, and therefore it's a good idea to ‘think big’ from
the beginning. The privileges currently implemented (the ‘-L’ option)
will not nearly match the demands people will have. We should seriously
rethink that concept and come up with something more flexible. For
example, make is possible to specify which commands are allowed on the
command line:
  --allow flush,flushall,update
  --deny flushall

This would make the argument of ‘commands too dangerous for not having
authentication’ obsolete once and for all, because everybody can decide
for himself which commands are okay to use in the current environment.

Last but not least, authentication without encryption creates a wrong
sense of security that is much more dangerous than not having any
security at all and people knowing about it. So we should think about a
‘STARTTLS’ command (or similar), too.

Florian octo Forster
Hacker in training
GnuPG: 0x91523C3D
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.oetiker.ch/pipermail/rrd-developers/attachments/20090408/3dbd047c/attachment-0001.bin 

More information about the rrd-developers mailing list