perfSONAR User Q&A and Other Discussion

[Michael Johnson <>]

Hi Ignacio,

Indeed, Esmond does need to be reachable by all the hosts that you're testing 
to, at the very least. You could probably hack something together with 
iptables and apache directives to restrict access further, but I wouldn't 
have a high degree of confidence that that would be effective.

Esmond does offer several authentication methods, explained here:
https://docs.perfsonar.net/multi_ma_install.html

I'm not sure whether there is a way to lock down Esmond "reads." And keep in 
mind that pscheduler also stores test results for 24-48 hours, so the test data would 
still be there temporarily.

If you did want to just "hide" the test result listing, restricting access to 
/perfsonar-graphs/ to authenticated users would effectively break the test listing on 
the toolkit home page, I think. so that would be one way of hiding those pieces. You 
might get a basic auth prompt when loading the toolkit then. Again, Esmond would still 
be open.

I'm not sure what your deployment looks like, but I think that you might be 
better served by using a Central MA that's separate from your 
toolkits/testpoints. This way, all your test results go to the central MA, 
and you have some more options for how to lock that down; however, if you do 
this, you lose the ability to configure your tests using the Toolkit GUI. (It 
might still work, if you manually added the central archive to the test 
points.)

If you think a configuration option would be helpful (either in a config file 
or in the toolkit GUI) to hide the test results panel on the Toolkit home 
page, let me know. I could create a a feature request in our tracker for that 
for future development.

Thanks,
Michael

On Tue, Feb 02, 2021 at 10:44:30AM +0000, Ignacio Peluaga Lozada wrote:
> Hi Michael,
>
> thank you for your message.
>
> It would be ideal if the data was completely inaccessible to non 
> authenticated users.
>
> But I am assuming that is not possible without lots of modifications, 
> considering there has to be open communication between perfSONAR components, 
> right?
>
> I managed to make the toolkit private by editing 
> /etc/httpd/conf.d/apache-toolkit_web_gui.conf to move the password protection 
> from '/toolkit/auth' to '/toolkit'.
> But that applies only to the toolkit so as you pointed out, I can still 
> access the measurement archive of the host in an incognito window for example.
>
> Also I tried setting the password protection to '/' and that indeed makes everything 
> private. Tests run (apparently) with no problem, I can see them with 'pscheduler 
> monitor' but the Toolkit shows "Error loading test listing; measurement archive 
> unreachable" and hence the graphs are not updated...
>
> Should I give up and rely on toolkit privacy?
>
> Thanks.
>
> Regards,
> Ignacio
>
> ________________________________________
> From: Michael Johnson []
> Sent: 01 February 2021 20:07
> To: Ignacio Peluaga Lozada
> Cc: 
> Subject: Re: [perfsonar-user] Make toolkit results private
>
> Hi Ignacio,
>
> We don't have a way of doing this at the moment.
>
> We could add an option to hide the test results, but the data would still be 
> accessible via pscheduler and esmond, so I'm not sure how useful that would 
> really be.
>
> Are you wanting to ensure the data is inaccessible, or just hide the display 
> on the Toolkit page?
>
> Thanks,
> Michael
>
>
> On Fri, Jan 29, 2021 at 09:39:16AM +0000, Ignacio Peluaga Lozada wrote:
> > Hello all,
> >
> > Is it possible to hide the "Test Results" section in the toolkit web 
> > interface so only authenticated users can see the results and graphs?
> >
> > Thanks.
> >
> > Regards,
> > Ignacio
>
> > --
> > To unsubscribe from this list: 
> > https://lists.internet2.edu/sympa/signoff/perfsonar-user

> --
> To unsubscribe from this list: 
> https://lists.internet2.edu/sympa/signoff/perfsonar-user