LISTSERV 16.5 - QSERV-L Archives

Wait, I'm missing something.

In meta/python/lsst/qserv/meta/client.py, we have:

   def _connectToQMS(self, host, port, user, pwd, xmlPath):
         url = "http://%s:%d/%s" % (host, port, xmlPath)
         qms = xmlrpclib.Server(url)

So... there's no authentication to the qms, right? Which is good: I 
don't see any reason for any user/pass to the qms, at least until we 
have qserv users. At most, we might have a shared secret code among the 
qms, master, worker, and admin scripts. Anyway, I want to make sure that 
there is no user-configurable user/pass between the master-meta or 
worker-meta. Something we can do is autogenerate a shared-secret code 
file and just make sure that the meta, master, and worker all have a copy.

I didn't see any code for handling HTTP user/pass in server.py, either. 
Which is good.

The qms can care about authentication to its mysqld, so it can have 
user/pass to its mysqld. I hope we agree that nobody outside of the qms 
daemon (and its config) should know the mysql user/pass of the mysqld, 
or even that the qms uses mysql.  qms may need to execute GRANT, but the 
client should have no knowledge.

-Daniel

On 05/20/2013 06:01 PM, Becla, Jacek wrote:
> Daniel
>
> Yes, qms is paying attention to authentication.
> See meta/examples/permissions.sql. qms needs a
> grant similar to that to properly function.
> The user/password used in that grant should
> be passed to the QmsClient, it is done in
> app.py, see MetadataCacheIface class,
> newSession function. If you want to bypass it,
> just do the grant without password...
>
> Jacek
>
>
>
> On 05/20/2013 05:52 PM, Wang, Daniel Liwei wrote:
>> Hi Jacek,
>>
>> In the config for the master, I see:
>>
>> [metaServer]
>> passwd = qmsPass
>> host = localhost
>> port = 7082
>> user = qms
>>
>> Do you have password protection on the qms? I thought we left the qms
>> open (no authentication) for now. If those are mysqld user/pass, then
>> I'm a little confused--why does the master care?
>>
>> -Daniel
>>

########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the QSERV-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=QSERV-L&A=1