Loosely related to the other discussion item I just sent, but one of the ideas I've thrown out there for updating connection weights inside the Guacamole Client is to create a REST API endpoint that can be used to POST the connection weight and have the field in the database updated. The goal of this is to provide a method of dynamically polling hosts that are part of a BALANCING connection group and update their weights based on their resource utilization. Since the Guacamole client already implements and heavily uses its REST API, since these have become an extremely common way of passing this type of information, and since recent changes to the Guacamole client make way for extension-specific endpoints, this seems like a logical way to go. The concern at this point, is properly securing this particular functionality. As it stands right now, the user account used to access the API and update the connection weight would have to have fairly broad permissions - either pretty much administrative access to update all connections, or at least permission to update all attributes/parameters of every connection that it touches (which could be tedious to maintain). One idea I had was to create a separate permission set specifically for load balancing that would be able to change only items related to load balancing (which, at this point, it just connection weight). Mike points out that this has a couple of draw-backs - first, that Guacamole's current permission model is based on more traditional UNIX permissions and not so much on ACLs, and, second, that trying to expose a permission that only exists in, and is relevant to, and individual authentication module (JDBC in this case) is a little tricky. Sounds like it's doable, but just a decent amount of work to make it happen. Again, opening this up for discussion - anyone have any opinions or other idea on a proper way to expose this kind of REST API endpoint in secure fashion? -Nick
