[rrd-developers] [PATCH] rrdcached server-side authentication
kevin brintnall
kbrint at rufus.net
Tue May 5 15:58:37 CEST 2009
> * make sure that un-authed users may not do anything when
> authentication is active
Enforcing this rule on all sockets obviates a common use case. It
doesn't allow us to separate read-only users (who should be able to FLUSH)
from read-write users (who can UPDATE, etc). Having a local (127.0.0.1 or
UNIX) low-privilege socket that accepts FLUSH for all local users is bound
to be a common use case.
Until we have per-command authorization, I'm thinking we should add a 3rd
type of socket that requires authentication for everything. This type
would be appropriate for any untrusted connections. This would let us
maintain local read-only users while still heavily restricting external
use.
Once we have per-command authorization, we won't need to make the
distinction at the socket level.
--
kevin brintnall =~ /kbrint at rufus.net/
> -> release 1.4
>
> * add SSL support to guard against 3rd parties doing funny things
> on the network level.
>
> * add configurable per-operation/per-file privileges
>
> * add support for certificate based authentication
>
> -> release 1.5
>
> cheers
> tobi
>
> --
> Tobi Oetiker, OETIKER+PARTNER AG, Aarweg 15 CH-4600 Olten, Switzerland
> http://it.oetiker.ch tobi at oetiker.ch ++41 62 775 9902 / sb: -9900