[rrd-developers] [PATCH] rrdcached server-side authentication
Tobias Oetiker
tobi at oetiker.ch
Wed Apr 29 22:29:31 CEST 2009
Today kevin brintnall wrote:
> > This means the client can use any of the secrets in my file, and I
> > will just test them all, to see if one matches ?
> >
> > What is the use case for this behaviour ?
>
> There will be a need to rotate client passwords. This design allows the
> server to accept both old and new passwords during transition. Then, the
> clients can be upgraded without interruption.
ah ... ok, now I see, so in the normal case this would be only one
or two lines in there ...
> > Would it make sense to have a secret and a user name, so that the
> > communication would look like this?
>
> A user name may reduce the number of SHA1 comparisons (since we'll be able
> to terminate the search earlier). Currently we don't have any other
> access restrictions or logging that would benefit from a user name. Do
> you foresee a need for any user-based authorization mechanisms?
>
> Do you foresee a need for a large number of secrets?
not at the moment, but florian has mentioned an idea for different
levels of rights.
but I guess if this comes to pass the protocol could be enhanced by
a second authentication key word which caters for authentication
including a user name ...
for my use case, the present implementation is all I need.
At the moment, if there were different security domains, I would
probably just run two cache daemons on different ports.
cheers
tobi
--
Tobi Oetiker, OETIKER+PARTNER AG, Aarweg 15 CH-4600 Olten, Switzerland
http://it.oetiker.ch tobi at oetiker.ch ++41 62 775 9902 / sb: -9900
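The rotation scheme discussed above (server keeps old and new secrets in a file and tries each one until a match is found) as an added illustration; this is not the rrdcached patch itself and the wire format is assumed: an HMAC-SHA1 challenge/response over a random nonce, with the server reporting which line matched so an operator can tell when the old secret is no longer in use and can be retired.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed sample secrets file: one secret per line, newest first.
# During a rotation the file holds both the old and the new secret.
SECRETS_FILE_TEXT = """# rrdcached secrets (constructed example)
new-secret-2009
old-secret-2008
"""


def load_secrets(text: str) -> List[bytes]:
    """Parse the secrets file: skip blank lines and comments, keep order."""
    secrets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            secrets.append(line.encode())
    return secrets


def make_challenge() -> bytes:
    """Server side: a fresh random nonce per connection (assumed design)."""
    return os.urandom(16)


def client_response(secret: bytes, challenge: bytes) -> str:
    """Client side: prove knowledge of the secret without sending it."""
    return hmac.new(secret, challenge, hashlib.sha1).hexdigest()


def verify(secrets: List[bytes], challenge: bytes, response: str) -> Optional[int]:
    """Server side: try every configured secret, as the thread describes.

    Returns the index of the matching secret (0 = newest) or None.  The
    index lets the server log which secret a client still uses, so the
    old one can be dropped from the file once nobody matches it.
    """
    for idx, secret in enumerate(secrets):
        expected = client_response(secret, challenge)
        # Constant-time compare so timing does not leak partial matches.
        if hmac.compare_digest(expected, response):
            return idx
    return None


if __name__ == "__main__":
    secrets = load_secrets(SECRETS_FILE_TEXT)
    chal = make_challenge()
    # A not-yet-upgraded client still uses the old secret: accepted, index 1.
    print(verify(secrets, chal, client_response(b"old-secret-2008", chal)))
```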