[rrd-developers] [PATCH] rrdcached server-side authentication

kevin brintnall kbrint at rufus.net
Wed May 6 21:06:03 CEST 2009


On Wed, May 06, 2009 at 06:12:15PM +0200, Florian Forster wrote:
> Hi,
> 
> On Tue, May 05, 2009 at 08:58:37AM -0500, kevin brintnall wrote:
> > Until we have per-command authorization, I'm thinking we should add a
> > 3rd type of socket that requires authentication for everything.  This
> > type would be appropriate for any untrusted connections.  This would
> > let us maintain local read-only users while still heavily restricting
> > external use.
> 
> I have to admit I don't think this good socket/bad socket architecture
> will get us anywhere. Wouldn't it be easier to implement per-command
> permissions for each socket now instead of creating a legacy we won't
> lose for some time? I won't have enough time myself to take a look at it
> before Monday, May 11th, but I'm willing to work in that direction after
> that.

Florian,

I agree that the socket-based privileges do not have much utility in the
long term.

> I know Tobi wants to release 1.4 soon but I think we shouldn't let this
> rush us into premature designs that will be a problem to work with in
> later versions.

Perhaps the existing code (without auth) is sufficient for 1.4?  rrdcached
still presents a dramatic local performance increase.  If it takes more
time to extend that (correctly) to remote access, I'm OK with it.

I don't have a problem with it if it doesn't impact Tobi's schedule/goals
for 1.4.  The cleaner code in the long run is probably worth it.

-- 
 kevin brintnall =~ /kbrint at rufus.net/


