hiding buckets and keys

Antonio Rohman Fernandez rohman at mahalostudio.com
Fri May 27 02:10:57 EDT 2011



"In our case, the only nodes that are allowed to hit the Riak cluster are those of our applications"... What if your app is more complex than that and you have thousands of servers all around the world (different datacenters, different networks) with crawlers, scanners, blackboxes, etc., all communicating with Riak, and you are adding/removing new scanners/crawlers/blackboxes/etc. every now and then? It is quite troublesome to set up and maintain a firewall for that.

"It is not recommended that you deploy Riak on the public internet"... What if, apart from webservers with a web app, I want to build iPhone/iPad/Android apps that access Riak directly? One thing I love about Riak is its RESTful architecture, but if I have to build some API somewhere for the mobile apps to interact with Riak... well... the 'cloud' paradigm just vanished for me. Also, I would have a single point of failure on the API implementation.

Any other suggestions?

Rohman 

On Fri, 27 May 2011 01:20:00 -0400, Alexander Sicular wrote:

Hi Rohman, 

It is not recommended that you deploy Riak on the public internet. Keep all access private and then implement iptables on each individual node securing access to upstream clients.

Ports to keep in mind -

- http(s) port (8098)
- protocol buffers port (8099)
- epmd (4369)
- forcing the range of ports erlang uses to communicate amongst other erlang nodes.

The latter is not part of the default configuration but I think it should be. At least commented out in app.config.

Put it right at the top of the config array above the riak_core directives like so:

[
 %% limit dynamic ports erlang uses to communicate
 %% pick some range that works in your environment
 %{kernel, [
 %  {inet_dist_listen_min, 21000},
 %  {inet_dist_listen_max, 22000}
 %]},

 %% Riak Core config
 {riak_core, [
 ...

Cheers, 

Alexander Sicular 
@siculars

http://sicuars.posterous.com 

On Friday, May 27, 2011 at 12:55 AM, Antonio Rohman Fernandez wrote:

hello all,

http://IP:8098/riak?buckets=true [ will show all available buckets on Riak ]
http://IP:8098/riak/bucketname?keys=true&props=false [ will show all available keys on a bucket ]

To me, this poses a very big security risk: if somebody discovers your Riak server's IP, it is very easy to read all the information from it, even if you try to obfuscate the buckets/keys... everything is highly readable.
Is there any way to disable those options? Like {riak_kv_stat, false} hides the /stats page.

thanks

Rohman 
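The per-node iptables allowlist Alexander describes above, written out as an added example (not code from the thread, from Riak, or from either poster): a POSIX shell function that emits ACCEPT rules for a given set of client addresses on the four port groups he lists (8098, 8099, 4369 and the pinned Erlang distribution range) followed by a DROP for everyone else on those ports. The client addresses are constructed values and the 21000-22000 range is taken from the app.config snippet; the allowlist must also include the other nodes of the cluster, since they reach each other over epmd and the distribution range.

```shell
#!/bin/sh
# Riak ports named in the thread. The 21000:22000 range assumes the
# inet_dist_listen_min/max values from the app.config snippet above.
RIAK_TCP_PORTS="8098 8099 4369 21000:22000"

# Print iptables rules that let only the addresses in $1 (space-separated
# IPs or CIDRs: app servers AND the other Riak nodes) reach the Riak ports,
# then drop every other source on those ports. Rules are printed, not
# applied, so they can be reviewed first.
riak_fw_rules() {
    allowed="$1"
    for port in $RIAK_TCP_PORTS; do
        for src in $allowed; do
            echo "iptables -A INPUT -p tcp -s $src --dport $port -j ACCEPT"
        done
        # -A appends, so this DROP sits after the ACCEPTs for the same port.
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Number of rules that would be emitted: (#allowed + 1) per port group.
riak_fw_rule_count() {
    riak_fw_rules "$1" | wc -l | tr -d ' '
}

# Usage (as root on each node):
#   sh riak_fw.sh show  "10.0.1.5 10.0.1.6 10.0.2.0/24"   # review
#   sh riak_fw.sh apply "10.0.1.5 10.0.1.6 10.0.2.0/24"   # apply
# The addresses above are constructed examples.
case "${1:-}" in
    show)  riak_fw_rules "$2" ;;
    apply) riak_fw_rules "$2" | sh ;;
esac
```

Because the DROP is per port, unrelated services on the node are untouched, and loopback traffic from riak-admin still needs 127.0.0.1 in the allowlist if the host policy does not already accept it.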

