
perfsonar-user - Re: [perfsonar-user] MA authentication feature request

Subject: perfSONAR User Q&A and Other Discussion

  • From: Andrew Lake <>
  • To: , Casey Russell <>
  • Subject: Re: [perfsonar-user] MA authentication feature request
  • Date: Thu, 10 May 2018 11:54:49 -0700

Hi Casey,

Having an esmond agent is an interesting idea.  In the forthcoming 4.1 we actually add some new options for managing authentication to an archive defined in the central file, but it is not quite what you describe. 

Right now for a central server defined in a mesh file people use IP authentication because we don't want to throw an API key in the public file (for obvious reasons). 4.1 will replace MeshConfig with a new component called pSConfig. All the old ways to define archives still work, but one new feature pSConfig has is that you can apply local transformations to the JSON the agent downloads. This includes adding things like API keys to measurement archives defined in the downloaded JSON. You can add these transformations by dropping a file in an include directory. The downside of course is that if you have 40 hosts, that could mean dropping a script defining the transformation into a directory on each host. This is painful to do by hand, but the thought is config management software like Ansible, etc. is really good at this sort of thing. If all 40 of those hosts are at 40 different institutions you may still have an issue as you’ll need each administrator to set up the transform, hence something for the case you describe is still valid. Not perfect for every case, but still more than we could do before though, so thought it was worth mentioning.

Thanks,
Andy



On May 10, 2018 at 1:47:11 PM, Casey Russell () wrote:

There might be a better place to make feature requests, but I'm sitting here adding 40+ individual "authenticate by IP" entries to esmond (again) because I reinstalled a host that participates in a large mesh.  

It occurs to me, it would dramatically simplify these authentication setups if I could say (perhaps in the meshconfig-agent.conf file?) something along the lines of esmond_authenticate=yes so that any hosts that are a part of the "mesh configured" testing could be automatically authenticated by IP (and IPv6).

I realize you'd have to do lookups for both A and AAAA records and somehow feed that to esmond.  But this would reduce the complexity of configuring these meshes (and making them green up) by a massive amount.  

I'd recommend of course that the default setting be esmond_authenticate=no so the default behavior is the (presumably safer) option where you have to manage authentication manually.

Thoughts?

Sincerely,
Casey Russell
Network Engineer
KanREN
phone 785-856-9809
2029 Becker Drive, Suite 282
Lawrence, Kansas 66047
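
An added illustration, not part of the thread and not pSConfig's own transform syntax, of the local transformation described above: the public JSON stays free of secrets and each host adds the API key after download. The JSON layout, the `_auth_token` field name, the host names and the key are assumptions constructed for the example; it also restricts the key to HTTPS archives on hosts the local administrator trusts, so a changed central file cannot redirect the key elsewhere.

```python
import copy
import json
from urllib.parse import urlsplit

# Constructed sample of a downloaded central file (layout is an assumption).
DOWNLOADED = json.loads("""
{
  "archives": {
    "central":   {"archiver": "esmond",
                  "data": {"url": "https://ma.example.org/esmond/perfsonar/archive/"}},
    "cleartext": {"archiver": "esmond",
                  "data": {"url": "http://ma.example.org/esmond/perfsonar/archive/"}},
    "other":     {"archiver": "esmond",
                  "data": {"url": "https://ma.other.example/esmond/perfsonar/archive/"}}
  }
}
""")


def add_api_key(config, api_key, trusted_hosts):
    """Return (new_config, changed_names); the downloaded config is not modified.

    The key is added only to archives reached over HTTPS on a trusted host.
    """
    out = copy.deepcopy(config)
    changed = []
    for name, archive in out.get("archives", {}).items():
        data = archive.get("data", {})
        url = urlsplit(data.get("url", ""))
        if url.scheme != "https" or url.hostname not in trusted_hosts:
            continue  # never send the key in cleartext or to an unknown archive
        data["_auth_token"] = api_key  # hypothetical field name
        changed.append(name)
    return out, sorted(changed)


def redacted(config):
    """Copy of config that is safe to log: key values are masked."""
    out = copy.deepcopy(config)
    for archive in out.get("archives", {}).values():
        if "_auth_token" in archive.get("data", {}):
            archive["data"]["_auth_token"] = "***"
    return out


if __name__ == "__main__":
    cfg, changed = add_api_key(DOWNLOADED, "constructed-key", {"ma.example.org"})
    print("key added to:", changed)
    print(json.dumps(redacted(cfg), indent=2))
```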



