X-Git-Url: https://git.octo.it/?p=rrdtool.git;a=blobdiff_plain;f=doc%2Frrdcached.pod;h=7c0b30c6e2b33dd6fb12fd6c40748188a89c4cc0;hp=56a032116167a8b1c1e989e818ff7e30374f0ee1;hb=afcd0eb5b0e71964e9c5691b4a9794c2f4059928;hpb=e1fd8d4df5333663cdb02f558b244577f13d95aa diff --git a/doc/rrdcached.pod b/doc/rrdcached.pod index 56a0321..7c0b30c 100644 --- a/doc/rrdcached.pod +++ b/doc/rrdcached.pod @@ -422,14 +422,15 @@ ASCII art rocks. =head2 Authentication -There is no authentication. +If your rrdtool installation was built without libwrap there is no form of +authentication for clients connecting to the rrdcache daemon! -The client/server protocol does not yet have any authentication mechanism. It -is likely that authentication and encryption will be added in a future version, -but for the time being it is the administrator's responsibility to secure the -traffic from/to the daemon! +If your rrdtool installation was built with libwrap then you can use +hosts_access to restrict client access to the rrdcache daemon (rrdcached). For more +information on how to use hosts_access to restrict access to the rrdcache +daemon you should read the hosts_access(5) man pages. -It is highly recommended to install a packet filter or similar mechanism to +It is still highly recommended to install a packet filter or similar mechanism to prevent unauthorized connections. Unless you have a dedicated VLAN or VPN for this, using network sockets is probably a bad idea! @@ -447,6 +448,8 @@ accepted commands to those needed by external clients. If, for example, external clients want to draw graphs of the cached data, they should only be allowed to use the C command. +Authorization does not work when rrcached is socket-activated by systemd. + =head2 Encryption There is no encryption.