[rrd-developers] [PATCH] rrdcached server-side authentication
Tobias Oetiker
tobi at oetiker.ch
Tue May 5 16:01:20 CEST 2009
Hi Kevin,
Today kevin brintnall wrote:
> > * make sure that un-authed users may not do anything when
> > authentication is active
>
> Enforcing this rule on all sockets obviates a common use case.. It
> doesn't allow us to separate read-only users (who should be able to FLUSH)
> from read-write users (who can UPDATE, etc). Having a local (127.0.0.1 or
> UNIX) low-privilege socket that accepts FLUSH for all local users is bound
> to be a common use case.
>
> Until we have per-command authorization, I'm thinking we should add a 3rd
> type of socket that requires authentication for everything. This type
> would be appropriate for any untrusted connections. This would let us
> maintain local read-only users while still heavily restricting external
> use.
>
> Once we have per-command authorization, we won't need to make the
> distinction at the socket level.
makes sense
cheers
tobi
>
>
--
Tobi Oetiker, OETIKER+PARTNER AG, Aarweg 15 CH-4600 Olten, Switzerland
http://it.oetiker.ch tobi at oetiker.ch ++41 62 775 9902 / sb: -9900
More information about the rrd-developers
mailing list