[rrd-developers] [PATCH] rrdcached server-side authentication
kevin brintnall
kbrint at rufus.net
Wed May 6 21:06:03 CEST 2009
On Wed, May 06, 2009 at 06:12:15PM +0200, Florian Forster wrote:
> Hi,
>
> On Tue, May 05, 2009 at 08:58:37AM -0500, kevin brintnall wrote:
> > Until we have per-command authorization, I'm thinking we should add a
> > 3rd type of socket that requires authentication for everything. This
> > type would be appropriate for any untrusted connections. This would
> > let us maintain local read-only users while still heavily restricting
> > external use.
>
> I have to admit I don't think this good socket/bad socket architecture
> will get us anywhere. Wouldn't it be easier to implement per-command
> permissions for each socket now instead of creating a legacy we won't
> lose for some time? I won't have enough time myself to take a look at it
> before Monday, May 11th, but I'm willing to work in that direction after
> that.

Florian,

I agree that the socket-based privileges do not have much utility in the
long term.

> I know Tobi wants to release 1.4 soon but I think we shouldn't let this
> rush us into premature designs that will be a problem to work with in
> later versions.

Perhaps the existing code (without auth) is sufficient for 1.4? rrdcached
still presents a dramatic local performance increase. If it takes more
time to extend that (correctly) to remote access, I'm OK with it.

I don't have a problem with it if it doesn't impact Tobi's schedule/goals
for 1.4. The cleaner code in the long run is probably worth it.

--
kevin brintnall =~ /kbrint at rufus.net/