Bucket ACLs?

Bob Ippolito bob at redivi.com
Thu Feb 4 10:09:56 EST 2010


The performance would be a lot better with separate clusters and
security at the network layer; you'd waste a lot of cycles verifying
authentication details on every request. You'd also force all of your
customers into the same upgrade cycle if they were using the same
cluster. Also, many systems have data that really should use more than
one bucket, or even dynamic buckets.

The best way to actually segregate datasets is at the physical layer :)

On Thu, Feb 4, 2010 at 6:49 AM, Timothy Perrett <timothy at getintheloop.eu> wrote:
> Certainly managing security / ACLs with the front end proxy is far from ideal.
>
> I should have thought that quite a lot of Riak users would like to achieve this kind of setup, right? Otherwise there is no real way to segregate your datasets.
>
> Cheers, Tim
>
> On 4 Feb 2010, at 13:00, Sean Cribbs wrote:
>
>> Although it's probably not the best solution, you could definitely add those restrictions in a reverse-proxy, say with Apache or nginx in front of Riak.  Require your applications to authenticate with the front end, and then restrict their access accordingly.
>>
>> There are definite uses for multiple clusters, but I think having a cluster per customer might not be the best solution, simply for the sake of the duplication of effort.  It depends on your application's needs of course.  For managing the cluster(s), I definitely recommend looking into a configuration management tool that can ease new deployments (Chef, Puppet, cfengine, etc) and then adding monitoring (monit, god, munin, nagios, etc).
>>
>> Sean
>>
>> On 2/4/10 7:33 AM, Timothy Perrett wrote:
>>> Hey all,
>>>
>>> Whilst I appreciate there are "buckets" in Riak, how would one set up a situation where a customer only has access to Bucket A and B, whilst customer2 has access to buckets C, D and E. When I say customer, I really mean their systems, but I guess you get that :-)
>>>
>>> If this is not possible, I presume different Riak instances are the only way to go to keep that separation? If so, what is the best way of managing all these instances and what would be a memory footprint of such an instance?
>>>
>>> Cheers, Tim
>>> _______________________________________________
>>> riak-users mailing list
>>> riak-users at lists.basho.com
>>> http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
>
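
One way to express the per-customer restriction that Sean Cribbs's quoted reply places in a front-end proxy, as the default-deny decision made after the proxy has authenticated the caller. This is an added example, not code from the thread or from Riak; the principal names, the policy table and the `/riak/<bucket>/<key>` URL layout are assumptions.

```python
from urllib.parse import unquote

# Constructed policy mirroring the thread's question:
# customer1 may use buckets A and B, customer2 may use C, D and E.
BUCKET_ACL = {
    "customer1": {"A", "B"},
    "customer2": {"C", "D", "E"},
}
# Assumption: objects are exposed as <prefix>/<bucket>/<key>; adjust per deployment.
OBJECT_PREFIX = "/riak"
ALLOWED_METHODS = {"GET", "HEAD", "PUT", "POST", "DELETE"}
# Characters that could let a backend re-interpret a decoded name as another path.
FORBIDDEN_CHARS = "/\\%\x00"


def bucket_from_path(raw_path):
    """Return the bucket named by a request path, or None when the path is
    not an unambiguous <prefix>/<bucket>/<key> object URL."""
    path = raw_path.split("?", 1)[0]
    if not path.startswith(OBJECT_PREFIX + "/"):
        return None  # any other endpoint is outside the per-bucket policy
    parts = path[len(OBJECT_PREFIX) + 1:].split("/")
    if len(parts) != 2:
        return None  # bucket-level requests and extra segments are denied here
    bucket, key = (unquote(p) for p in parts)
    for name in (bucket, key):
        if not name or name in (".", ".."):
            return None
        if any(c in name for c in FORBIDDEN_CHARS):
            return None  # encoded slashes, double encoding, NUL bytes
    return bucket


def authorize(principal, method, raw_path):
    """Default-deny check for an already authenticated principal."""
    allowed = BUCKET_ACL.get(principal)
    if allowed is None or method.upper() not in ALLOWED_METHODS:
        return False
    bucket = bucket_from_path(raw_path)
    return bucket is not None and bucket in allowed
```

The proxy should forward the original, unmodified path only when `authorize` returns True, so the backend sees exactly what was checked.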



