Understood, thanks. To confirm, this means the basic-auth-{user|password} only 
control the credentials presented by one HA peer to another but are not used by 
the second peer for authentication, correct?

Does this mean that when HTTP authentication is required we have to disable the
dedicated HA listener and open another control socket? The docs still refer to
kea-ctrl-agent
(https://kea.readthedocs.io/en/stable/arm/hooks.html#multi-threaded-configuration-ha-mt),
which was deprecated, so I don't fully understand the implications / downsides
compared to when the DHCP4 server opens the socket itself.

Or perhaps having a dedicated control socket for HA traffic is unnecessary.

Something like:

--8<---------------cut here---------------start------------->8---
{
    "Dhcp4": {
        "hooks-libraries": [{
            "library": "/opt/homebrew/Cellar/kea/3.0.2/lib/kea/hooks/libdhcp_lease_cmds.so",
            "parameters": { }
        }, {
            "library": "/opt/homebrew/Cellar/kea/3.0.2/lib/kea/hooks/libdhcp_ha.so",
            "parameters": {
                "high-availability": [{
                    // ...
                    "multi-threading": {
                        "http-dedicated-listener": false
                    }
                }]
            }
        }],
        "control-sockets": [
            {
                "socket-type": "http",
                "socket-address": "127.0.0.1",
                "socket-port": 8004, // general use
                "authentication": {
                    "type": "basic",
                    "realm": "kea-dhcpv4-server",
                    "clients": [
                        {
                            "user": "admin",
                            "password": "12345678"
                        } ]
                }
            },
            {
                "socket-type": "http",
                "socket-address": "127.0.0.1",
                "socket-port": 8005, // Specific to HA
                "authentication": {
                    "type": "basic",
                    "realm": "kea-dhcpv4-server",
                    "clients": [
                        {
                            "user": "ha-admin",
                            "password": "foobar"
                        } ]
                }
            }
        ]
    }
}
--8<---------------cut here---------------end--------------->8---