hiding buckets and keys

Antonio Rohman Fernandez rohman at mahalostudio.com
Fri May 27 02:49:53 EDT 2011



"riak only available on localhost and nginx facing the outside world"... that sounds like something worth trying! Thanks. Even so, I still think it could be great to have some options to enable/disable those "?buckets=true" and "?keys=true".

Rohman 
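
The nginx arrangement Rohman says he will try (Russell Brown's suggestion further down: Riak bound to localhost, nginx facing the outside world, filters on the URLs that list buckets and keys), written out as an added example that is not part of the thread. It assumes nginx on the same host as a single Riak node whose HTTP listener is bound to 127.0.0.1:8098 only; the hostname is a placeholder and the URL forms are the ones quoted in the thread.

```nginx
# Added example, not from the thread. nginx in front of one Riak node whose
# HTTP listener is bound to 127.0.0.1:8098 (not to a public address).
# Requests that would list buckets or keys are refused before they reach Riak.
server {
    listen 80;
    server_name riak.example.com;   # placeholder hostname

    # Refuse bucket listing:  GET /riak?buckets=true
    # Refuse key listing:     GET /riak/<bucket>?keys=true  (or keys=stream)
    # $arg_<name> is nginx's per-query-argument variable. Matching on the
    # value means a plain bucket-properties request (?keys=false&props=true)
    # still goes through.
    if ($arg_buckets = "true")          { return 403; }
    if ($arg_keys ~* "^(true|stream)$") { return 403; }

    # The thread notes /stats can be hidden in Riak itself with
    # {riak_kv_stat, false}; refusing it here is a second layer.
    location = /stats { return 403; }

    # Everything else is proxied to the local Riak HTTP interface.
    location / {
        proxy_pass http://127.0.0.1:8098;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

Two caveats go with this. It covers only the HTTP interface: the protocol buffers port (8099) has its own list-keys and list-buckets operations and, like the Erlang distribution ports, still needs the per-node firewalling Alexander describes below. And a proxy filter is only as good as the listener binding behind it, so after deploying, confirm from a different host that port 8098 itself is not reachable and that a request for `/riak?buckets=true` through the proxy returns 403 rather than the bucket list.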

On Fri, 27 May 2011 07:40:45 +0100, Russell Brown wrote:

On 27 May 2011, at 07:10, Antonio Rohman Fernandez wrote:

"In our case, the only nodes that are allowed to hit the Riak cluster are those of our applications"... what if your app is more complex than that and you have thousands of servers all around the world (different datacenters, different networks) with crawlers, scanners, blackboxes, etc... all communicating with Riak and adding/removing new scanners/crawlers/blackboxes/etc... every now and then... quite troublesome to set up and maintain a firewall for that.

"It is not recommended that you deploy Riak on the public internet"... what if, apart from webservers with a web-app, I want to build iPhone/iPad/Android apps that access Riak directly? One thing I love about Riak is its RESTful architecture, but if I have to build some API somewhere for the mobile apps to interact with Riak... well... the 'cloud' paradigm just vanished for me... also, I would have a single point of failure on the API implementation.

Any other suggestions?
 
Something like nginx set up as a reverse proxy with rewrite rules/filters for URLs you consider a security risk? One instance per Riak instance, Riak only available on localhost and nginx facing the outside world?

Rohman 

On Fri, 27 May 2011 01:20:00 -0400, Alexander Sicular wrote:

Hi Rohman, 

It is not recommended that you deploy Riak on the public internet. Keep all access private and then implement iptables on each individual node securing access to upstream clients.

Ports to keep in mind:

http(s) port (8098)
protocol buffers port (8099)
epmd (4369)
forcing the range of ports Erlang uses to communicate amongst other Erlang nodes

The latter is not part of the default configuration but I think it should be. At least commented out in app.config.

Put it right at the top of the config array above the riak_core directives like so:

[
 %% limit dynamic ports erlang uses to communicate
 %% pick some range that works in your environment
 %{kernel, [
 %  {inet_dist_listen_min, 21000},
 %  {inet_dist_listen_max, 22000}
 %]},

 %% Riak Core config
 {riak_core, [
 ...
Cheers, 

Alexander Sicular 
@siculars

http://sicuars.posterous.com [2] 

On Friday, May 27, 2011 at 12:55 AM, Antonio Rohman Fernandez wrote:

hello all,

http://IP:8098/riak?buckets=true [3] [ will show all available buckets on Riak ]
http://IP:8098/riak/bucketname?keys=true&props=false [4] [ will show all available keys on a bucket ]

To me, this proves a very big security risk, as if somebody discovers your Riak server's IP, it is very easy to read all the information from it, even if you try to obfuscate the buckets/keys... everything is highly readable.
Is there any way to disable those options? Like {riak_kv_stat, false} hides the /stats page.

thanks

Rohman

ANTONIO ROHMAN FERNANDEZ
CEO, Founder & Lead Engineer
rohman at mahalostudio.com [6]

PROJECTS
MaruBatsu.es [7]
PupCloud.com [8]
Wedding Album [9]

_______________________________________________
riak-users mailing list
riak-users at lists.basho.com [10]
http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com [11]

Links:
------
[1] mailto:siculars at gmail.com
[2] http://sicuars.posterous.com
[3] http://IP:8098/riak?buckets=true
[4] http://IP:8098/riak/bucketname?keys=true&props=false
[5] http://mahalostudio.com/
[6] mailto:rohman at mahalostudio.com
[7] http://marubatsu.es/
[8] http://pupcloud.com/
[9] http://wedding.mahalostudio.com/
[10] mailto:riak-users at lists.basho.com
[11] http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
[12] http://mahalostudio.com/
[13] mailto:rohman at mahalostudio.com
[14] http://marubatsu.es/
[15] http://pupcloud.com/
[16] http://wedding.mahalostudio.com/
[17] mailto:riak-users at lists.basho.com
[18] http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
[19] http://mahalostudio.com
[20] mailto:rohman at mahalostudio.com
[21] http://marubatsu.es
[22] http://pupcloud.com
[23] http://wedding.mahalostudio.com