[rrd-developers] [rrd] Why / How / When is version 1.2 developed?
Tobias Oetiker
tobi at oetiker.ch
Wed Apr 8 18:00:46 CEST 2009
Today kevin brintnall wrote:
> On Wed, Apr 08, 2009 at 07:38:06AM +0200, Tobias Oetiker wrote:
> > I have been telling people about the daemon feature at recent talks
> > and the auth question came up often ... the reason fetch is tipping
> > the scale for me is that with this functionality rrdcached goes
> > from a 'submit only' server to a 'read/write' server ... and
> > providing something read/write over the network without
> > authentication is a recepie for trouble in my book. and after all,
> > it is my name associated with rrdtool ...
>
> Tobi et al,
>
> Here is what I'm thinking for authentication:
>
> * server has a list of secrets that it accepts
> * easier than user:pass mapping, which is overkill IMO
> * allows for secrets to be rotated with overlap time.. no flash cut
I agree I would also go for secrets ... overlap is cool :-)
>
> * some sort of challenge/response authentication would be nice
> * pick something easily implemented in 3rd-party rrdcached client
> * i.e. CRAM-MD5 ? (concerned with MD5 weakness?)
yep
> * a place to stash the secret
> * by default, some file like $HOME/.rrd*
> * override with some environment variable?
> * modify all APIs to pass on the command line ??
all three sound like a good thing
> * successful authentication can turn an un-privileged socket into a
> privileged one.
> * this still allows any user to execute things like "flush", "stats", etc
> * operations privileged sockets still don't require auth
ok
> On the wire, looking something like:
>
> C: AUTH
> S: 1 Challenge:
> S: <nonce>
> C: AUTH <nonce> hash(<nonce>,<secret>)
> S: 0 AUTH OK
> or S: -1 AUTH FAILED
>
> OR
> C: AUTH
> S: 0 Not required.
>
> Thoughts?
sounds good by me ...
not sure of the multi-secret and overlap is necessary but it does
sound cool ... are you up for implementation ?
cheers
tobi
>
>
--
Tobi Oetiker, OETIKER+PARTNER AG, Aarweg 15 CH-4600 Olten, Switzerland
http://it.oetiker.ch tobi at oetiker.ch ++41 62 775 9902 / sb: -9900
More information about the rrd-developers
mailing list