I'd personally like to see the ability to get subsets of gmetad's stored dataset. Remember, I'm at 8 seconds per fricken' page load over here. :)

Now the question becomes, where does the authentication take place? In the front-end code, I should think. Unless there's a plan to write a whole authentication subsystem (seems excessive if complicated authentication will only be used on the front-ends).

Let me ask this question in a slightly different way, actually:

Has anyone thought about gexec lately?

The monitoring core's changed a lot since the last release of the execution environment. And while it might not be really worth it to put any effort into authentication "just" for the metadaemon functionality, maybe it would be worth it to get the authentication portion of gexec working, thereby making it about 700% more portable than it is right now?

And finally, on the subject of g3 security, has there been any consideration towards hardcoding the plugin list at compile-time or a similar measure to prevent mischief that could arise from executing "arbitrary" Ganglia code?

All right, all right, it was just an idea...

Federico Sacerdoti wrote:
Although there are no plans for such a fine-grained access control, it is a good idea. A design you can implement today is a daemon that sits in between gmeta and your users.

Gmetad trusts nobody except localhost. When a user requests the ganglia XML, your daemon (let's call it gsecure) intercepts the query, authenticates the user, queries the local gmetad on the user's behalf, and prunes the tree as necessary.

Gsecure now only sends the appropriate parts of the tree to the user.

Federico

On Thursday, January 30, 2003, at 01:30 PM, Jason A. Smith wrote:

I believe that currently the gmetad collector shares all or none of its
data based on an access list of allowed IP addresses, correct?

I have a few questions about the future plans of ganglia with respect to
security.  I would basically like to know if it will be possible to
limit the type of data that is sent to other gmetad collectors.  I was
looking through Matt's slides from a talk he gave and noticed that the
data will be stored in a hierarchical data structure and there will
exist a query system that will allow one to ask for only a subset of the
data.  I would like to know if this will work in the other direction so
that a collector will be able to select a subset of data it allows other
collectors access to.

The reason I am asking is because we are planning on testing ganglia
here to monitor our servers and compute farm for both our internal local
facility monitoring use (where we will restrict who can view the data)
and for more public use by our users.  We are very concerned about some
of the data that is exported to collectors because our compute farm is
intentionally not kept up to date with the latest security patches.  We
would like to have our own collector monitor everything and at the same
time allow our users access to a subset of this data for their own use,
like their own public web servers which might add in data from other
clusters, monitoring/scheduling scripts and globus MDS.

~Jason


--
/------------------------------------------------------------------\
|  Jason A. Smith                          Email:  [EMAIL PROTECTED] |
|  Atlas Computing Facility, Bldg. 510M    Phone:  (631)344-4226   |
|  Brookhaven National Lab, P.O. Box 5000  Fax:    (631)344-7616   |
|  Upton, NY 11973-5000                                            |
\------------------------------------------------------------------/



-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Ganglia-developers mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ganglia-developers

Federico

Rocks Cluster Group, SDSC, San Diego
GPG Fingerprint: 3C5E 47E7 BDF8 C14E ED92  92BB BA86 B2E6 0390 8845
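
Added example, not code from this thread or from the Ganglia project: the tree-pruning step of the "gsecure" design Federico describes, applied to XML fetched from the local gmetad. It assumes the caller has already authenticated the user and that gmetad's XML uses GRID/CLUSTER/HOST/METRIC elements with NAME attributes; the policy table, user names, cluster names and sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of gmetad XML output (element/attribute names are assumed).
SAMPLE_XML = """<GANGLIA_XML SOURCE="gmetad">
<GRID NAME="site">
<CLUSTER NAME="webfarm">
<HOST NAME="www1" IP="192.0.2.10">
<METRIC NAME="load_one" VAL="0.42"/>
<METRIC NAME="os_release" VAL="2.4.18"/>
</HOST>
</CLUSTER>
<CLUSTER NAME="computefarm">
<HOST NAME="node001" IP="192.0.2.50">
<METRIC NAME="load_one" VAL="3.90"/>
<METRIC NAME="os_release" VAL="2.4.9"/>
</HOST>
</CLUSTER>
</GRID>
</GANGLIA_XML>"""

# Hypothetical policy: authenticated user -> {cluster name: metrics they may see}.
POLICY = {
    "admin": {"webfarm": {"load_one", "os_release"},
              "computefarm": {"load_one", "os_release"}},
    "webuser": {"webfarm": {"load_one"}},
}

def prune_tree(xml_text, user, policy=POLICY):
    """Return the gmetad XML reduced to what `user` may see (deny by default)."""
    allowed = policy.get(user, {})      # unknown user: no clusters at all
    root = ET.fromstring(xml_text)      # input comes only from the local gmetad
    # Pass 1: drop every cluster the user has no entry for.
    for parent in list(root.iter()):    # snapshot, since the tree is edited below
        for child in list(parent):
            if child.tag == "CLUSTER" and child.get("NAME") not in allowed:
                parent.remove(child)
    # Pass 2: inside the remaining clusters keep only whitelisted metrics.
    for cluster in root.iter("CLUSTER"):
        metrics = allowed[cluster.get("NAME")]
        for host in cluster.iter("HOST"):
            for item in list(host):
                if item.tag != "METRIC" or item.get("NAME") not in metrics:
                    host.remove(item)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(prune_tree(SAMPLE_XML, "webuser"))
```

Because the filter is an allowlist, a cluster or metric added to gmetad later stays hidden from a user until the policy names it.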


