[rrd-developers] [PATCH] rrdcached server-side authentication

Tobias Oetiker tobi at oetiker.ch
Wed Apr 29 22:29:31 CEST 2009

Today kevin brintnall wrote:

> > This means the client can use any of the secrets in my file, and I
> > will just test them all, to see if one matches ?
> >
> > What is the use case for this behaviour ?
> There will be a need to rotate client passwords.  This design allows the
> server to accept both old and new passwords during transition.  Then, the
> clients can be upgraded without interruption.

ah ... ok, now I see, so in the normal case this would be only one
or two lines in there ...

> > Would it make sense to have a secret and a user name, so that the
> > communication would look like this?
> A user name may reduce the number of SHA1 comparisons (since we'll be able
> to terminate the search earlier).  Currently we don't have any other
> access restrictions or logging that would benefit from a user name.  Do
> you foresee a need for any user-based authorization mechanisms?
> Do you foresee a need for a large number of secrets?

not at the moment, but florian has mentioned an idea for different
levels of rights.

but I guess if this comes to pass the protocol could be enhanced by
a second authentication key word which caters for authentication
including a user name ...

for my use case, the present implementation is all I need.

At the moment, if there were different security domains, I would
probably just run two cache daemons on different ports.


Tobi Oetiker, OETIKER+PARTNER AG, Aarweg 15 CH-4600 Olten, Switzerland
http://it.oetiker.ch tobi at oetiker.ch ++41 62 775 9902 / sb: -9900

More information about the rrd-developers mailing list