[rrd-developers] [PATCH] rrdcached server-side authentication

Tobias Oetiker tobi at oetiker.ch
Tue May 5 16:01:20 CEST 2009


Hi Kevin,

Today kevin brintnall wrote:

> > * make sure that un-authed users may not do anything when
> >   authentication is active
>
> Enforcing this rule on all sockets obviates a common use case.  It
> doesn't allow us to separate read-only users (who should be able to FLUSH)
> from read-write users (who can UPDATE, etc).  Having a local (127.0.0.1 or
> UNIX) low-privilege socket that accepts FLUSH for all local users is bound
> to be a common use case.
>
> Until we have per-command authorization, I'm thinking we should add a 3rd
> type of socket that requires authentication for everything.  This type
> would be appropriate for any untrusted connections.  This would let us
> maintain local read-only users while still heavily restricting external
> use.
>
> Once we have per-command authorization, we won't need to make the
> distinction at the socket level.

makes sense

cheers
tobi


-- 
Tobi Oetiker, OETIKER+PARTNER AG, Aarweg 15 CH-4600 Olten, Switzerland
http://it.oetiker.ch tobi at oetiker.ch ++41 62 775 9902 / sb: -9900


