X-Git-Url: https://git.octo.it/?p=rrdtool.git;a=blobdiff_plain;f=doc%2Frrdcached.pod;h=7c0b30c6e2b33dd6fb12fd6c40748188a89c4cc0;hp=57b54b2c75b2cb449dfa634d1f5a715462ff4965;hb=afcd0eb5b0e71964e9c5691b4a9794c2f4059928;hpb=e5b05bec82bbff5db8add4e58dd6f0fcf2670291 diff --git a/doc/rrdcached.pod b/doc/rrdcached.pod index 57b54b2..7c0b30c 100644 --- a/doc/rrdcached.pod +++ b/doc/rrdcached.pod @@ -52,7 +52,7 @@ For network sockets, a port may be specified by using the form CI
B<]:>I>. If the address is an IPv4 address or a fully qualified domain name (i.Ee. the address contains at least one dot (C<.>)), the square brackets can be omitted, resulting in the (simpler) -CB<:>I> pattern. The default port is B<42217/udp>. If you +CB<:>I> pattern. The default port is B<42217/tcp>. If you specify a network socket, it is mandatory to read the L section. @@ -422,14 +422,15 @@ ASCII art rocks. =head2 Authentication -There is no authentication. +If your rrdtool installation was built without libwrap there is no form of +authentication for clients connecting to the rrdcache daemon! -The client/server protocol does not yet have any authentication mechanism. It -is likely that authentication and encryption will be added in a future version, -but for the time being it is the administrator's responsibility to secure the -traffic from/to the daemon! +If your rrdtool installation was built with libwrap then you can use +hosts_access to restrict client access to the rrdcache daemon (rrdcached). For more +information on how to use hosts_access to restrict access to the rrdcache +daemon you should read the hosts_access(5) man pages. -It is highly recommended to install a packet filter or similar mechanism to +It is still highly recommended to install a packet filter or similar mechanism to prevent unauthorized connections. Unless you have a dedicated VLAN or VPN for this, using network sockets is probably a bad idea! @@ -447,6 +448,8 @@ accepted commands to those needed by external clients. If, for example, external clients want to draw graphs of the cached data, they should only be allowed to use the C command. +Authorization does not work when rrcached is socket-activated by systemd. + =head2 Encryption There is no encryption.
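Review bot: In the Authentication hunk (@@ -422,14 +422,15 @@), the added paragraphs present libwrap as a form of authentication, but hosts_access only restricts which client addresses or host names may connect; it does not identify or authenticate the client. The added sentence "If your rrdtool installation was built without libwrap there is no form of authentication" implies that a libwrap build does have authentication. The patch also removes the statement that the client/server protocol has no authentication mechanism, which is still the case with either build. Suggest keeping that statement and describing libwrap as host-based access restriction, so the "It is still highly recommended to install a packet filter" paragraph reads as the primary control rather than an extra. The naming should also be made consistent: the new text says "rrdcache daemon" three times while the file is rrdcached.pod and the same paragraph writes "(rrdcached)".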
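Review bot: In the last hunk (@@ -447,6 +448,8 @@), the added line "Authorization does not work when rrcached is socket-activated by systemd." misspells rrdcached and does not state the failure mode. It follows a paragraph about limiting accepted commands to those external clients need, so a reader needs to know whether a socket-activated daemon then accepts every command or rejects them, and what to do instead. Suggest stating the resulting behaviour in the same sentence and pointing back to the packet filter recommendation in the Authentication section for that setup.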