[rrd-developers] [PATCH] rrdcached server-side authentication

kevin brintnall kbrint at rufus.net
Tue May 5 15:58:37 CEST 2009

> * make sure that un-authed users may not do anything when
>   authentication is active

Enforcing this rule on all sockets obviates a common use case..  It
doesn't allow us to separate read-only users (who should be able to FLUSH)
from read-write users (who can UPDATE, etc).  Having a local ( or
UNIX) low-privilege socket that accepts FLUSH for all local users is bound
to be a common use case.

Until we have per-command authorization, I'm thinking we should add a 3rd
type of socket that requires authentication for everything.  This type
would be appropriate for any untrusted connections.  This would let us
maintain local read-only users while still heavily restricting external

Once we have per-command authorization, we won't need to make the
distinction at the socket level.

 kevin brintnall =~ /kbrint at rufus.net/

> -> release 1.4
> * add SSL support to guard against 3rd parties doing funney things
>   on the network level.
> * add configurable per-operation/per-file privileges
> * add support for certificate based authentication
> -> release 1.5
> cheers
> tobi
> -- 
> Tobi Oetiker, OETIKER+PARTNER AG, Aarweg 15 CH-4600 Olten, Switzerland
> http://it.oetiker.ch tobi at oetiker.ch ++41 62 775 9902 / sb: -9900

More information about the rrd-developers mailing list