Percona Monitoring Plugins for Cacti and Redis auth

In implementing the Percona Monitoring Plugins for Redis on our Cacti server we discovered that they don’t support authentication. This creates a problem when your servers require authentication to issue the “INFO” command.

The Percona templates use ss_get_by_ssh.php to fetch the data, and there are functions specific to Redis in this file. So I added a variable to store the password, and modified the redis_get function to run an AUTH command on the socket before INFO.

There are of course some caveats with such a quick hack. The main problem that the password is hard-coded in a file which is not supposed to contain end-user configuration. And I haven’t implemented it as a command line option either, but the program allows you to set variables in a config file if you wish.

Below is the patch, this should only be used against Percona Monitoring Plugins for Cacti version 1.0.1, which is available from Percona.

It’s a pretty trivial hack so if you know any coding at all it’s pretty easy to apply these changes to a different version.

> $redis_auth    = "password";        # HACK - redis auth password
<    global $redis_port; --- >    global $redis_port, $redis_auth;
>    $authstring = "AUTH ".$redis_auth."\r\n";
>    $auth = fwrite($sock, $authstring);
>    $auth_response = fread($sock, 3);
>    if ( $auth_response !== '+OK' ) {
>       debug("Redis auth failed");
>       return;
>    }

To apply it:

$ patch ss_get_by_ssh.php ss_get_by_ssh.patch

Where ss_get_by_ssh.patch contains the text above.

Be aware that this operates with netcat over unencrypted TCP, so it should only be used when the Cacti server and Redis servers are on the same network!

I’ve also uploaded it along with the originals and a patched version to github:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.