reporting data securely across the internet?

Asked by TTimo

How would I securely report data to a central Graphite server from multiple systems (about 50) set up over the internet? (e.g. with access control, authentication, and not allowing eavesdropping)

Question information

Language: English
Status: Solved
For: Graphite
Assignee: No assignee

Charlie (charlie-weiblen) said :
#1

An SSH tunnel would meet those requirements.

TTimo (ttimo) said :
#2

That's not very satisfactory though.

You have a very simple and easy protocol to report data, but setting up ssh between hosts is a lot of trouble to set up and maintain. If you have a large number of machines, and want something automated and fairly secure, you're going to have to go with ssh keys, and set up accounts on the server, which is a security liability unless you set up those accounts to be very restricted. Then that doesn't solve the problem of access control of who can report what. It's not fine-grained enough to say "this node can report only down this path"; what you get is just a blanket "this node can report whatever".

Using SSL is probably a better approach, but still on the server end some functionality should be added to maintain access rights.

In my own deployment I think I will use node-side agents I already have, and extend my existing server protocols to do access control and relaying to graphite.
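
The per-node path restriction described in reply #2 ("this node can report only down this path"), sketched as an added example that is not code from this thread or from Graphite. It assumes the relay has already authenticated the sender at the transport layer (for instance from a verified TLS client certificate) and receives Graphite plaintext-protocol lines of the form `<path> <value> <timestamp>`; the node names, the policy table and the function names are constructed for illustration.

```python
import math
import string

# Constructed policy (assumption): authenticated node identity -> the metric
# path prefix that node is allowed to write under.
ALLOWED_PREFIXES = {
    "node01.example.net": "servers.node01",
    "node02.example.net": "servers.node02",
}

SEGMENT_CHARS = set(string.ascii_letters + string.digits + "_-")


def parse_line(line):
    """Parse one plaintext-protocol line into (path segments, value, timestamp)."""
    parts = line.strip().split()
    if len(parts) != 3:
        # Also rejects a second metric smuggled in after an embedded newline.
        raise ValueError("expected exactly three fields")
    value, timestamp = float(parts[1]), int(parts[2])
    if not math.isfinite(value):
        raise ValueError("value must be a finite number")
    segments = parts[0].split(".")
    if any(not seg or set(seg) - SEGMENT_CHARS for seg in segments):
        raise ValueError("empty or illegal path segment")
    return segments, value, timestamp


def authorize(node_id, line, policy=ALLOWED_PREFIXES):
    """Return the normalized line to forward to Graphite, or None to drop it."""
    prefix = policy.get(node_id)
    if prefix is None:
        return None  # unknown node: nothing is allowed
    try:
        segments, value, timestamp = parse_line(line)
    except ValueError:
        return None
    want = prefix.split(".")
    # Compare whole segments, so "servers.node01" does not also grant
    # "servers.node010", and require at least one segment below the prefix.
    if len(segments) <= len(want) or segments[:len(want)] != want:
        return None
    # Re-serialize from parsed fields instead of forwarding the raw input.
    return "%s %r %d\n" % (".".join(segments), value, timestamp)
```
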

chrismd (chrismd) said :
#3

I have created bug #350998 to track this as a feature request.