[rrd-developers] [PATCH 1/5] src/rrd_daemon.c: Switch to per-socket, per-command permissions.
Florian Forster
rrdtool at nospam.verplant.org
Mon May 25 12:09:44 CEST 2009
Hi Kevin,
On Sat, May 23, 2009 at 04:30:17PM -0500, kevin brintnall wrote:
> Any ideas on how the authorization scheme may change once we have
> per-user authentication (i.e. with client certs)?
My plan for authentication was something along these lines:
  -P flush,stats/flushall,update
All commands before the slash (`/') can be used with or without
authentication, the commands following the slash can only be used when
authenticated. In this case `flush' and `stats' can be used without
authentication, `flushall' and `update' require authentication, other
commands cannot be used.
This doesn't work with a per-user authorization setup, I'm afraid. To do
that, we could adopt a slightly different argument syntax:
  -P [user0[,user1[...]]=]command0[,command1[...]]
For example:
  -P flush,stats -P foo,bar=flushall,update
In this example the commands `flush' and `stats' can be used without
authentication again, the commands `flushall' and `update' may be used
by the users `foo' and `bar' after they authenticated.
For a more complicated and/or fine-grained setup we should probably think
about implementing support for a configuration file.
Any feedback is welcome, of course. :)
Regards,
-octo
--
Florian octo Forster
Hacker in training
GnuPG: 0x91523C3D
http://verplant.org/
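
The per-user `-P` syntax proposed in the message above, as an added sketch that is not from the patch series or from rrdtool's code: it parses each `-P` value into a grant table and answers "may this client run this command?" with deny as the default. The names `acl_add` and `acl_check`, the table sizes, exact (case-sensitive) name matching, and the rejection of malformed values are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#define MAX_RULES 64
#define MAX_NAME  32

/* One grant; user[0] == '\0' means the command needs no authentication. */
static struct rule { char user[MAX_NAME], cmd[MAX_NAME]; } rules[MAX_RULES];
static size_t n_rules;

/* Parse one -P value; returns 0, or -1 with the table unchanged if malformed. */
int acl_add(const char *spec)
{
    const char *eq = strchr(spec, '='), *cmds = eq ? eq + 1 : spec;
    size_t saved = n_rules;
    if (strchr(cmds, '=')) return -1;              /* more than one '=' */
    for (const char *u = eq ? spec : "";; u += strcspn(u, ",=") + 1) {
        size_t ulen = strcspn(u, ",=");
        if ((eq && !ulen) || ulen >= MAX_NAME) goto bad;   /* empty/long user */
        for (const char *c = cmds;; c += strcspn(c, ",") + 1) {
            size_t clen = strcspn(c, ",");
            if (!clen || clen >= MAX_NAME || n_rules == MAX_RULES) goto bad;
            snprintf(rules[n_rules].user, MAX_NAME, "%.*s", (int)ulen, u);
            snprintf(rules[n_rules++].cmd, MAX_NAME, "%.*s", (int)clen, c);
            if (c[clen] == '\0') break;            /* last command in the list */
        }
        if (!eq || u[ulen] == '=') return 0;       /* last (or no) user done */
    }
bad:
    n_rules = saved;                               /* drop partial grants */
    return -1;
}

/* user == NULL: client has not authenticated. Anything not granted is denied. */
int acl_check(const char *user, const char *cmd)
{
    for (size_t i = 0; i < n_rules; i++) {
        if (strcmp(rules[i].cmd, cmd) != 0) continue;
        if (!rules[i].user[0] || (user && !strcmp(rules[i].user, user))) return 1;
    }
    return 0;
}

int main(void)
{
    /* The message's example: -P flush,stats -P foo,bar=flushall,update */
    if (acl_add("flush,stats") || acl_add("foo,bar=flushall,update")) return 1;
    printf("anon=%d foo=%d\n", acl_check(NULL, "update"), acl_check("foo", "update"));
    return 0;
}
```

A daemon using a table like this should refuse to start when `acl_add` fails, so that a typo in a `-P` value never results in a partially applied policy.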