hidding buckets and keys

Russell Brown russell.brown at mac.com
Fri May 27 02:40:45 EDT 2011


On 27 May 2011, at 07:10, Antonio Rohman Fernandez wrote:

> "In our case, the only nodes that are allowed to hit the Riak cluster are those of our applications"... what if your app is more complex than that and you have thousands of servers all around the world ( different datacenters, different networks ) with crawlers, scanners, blackboxes, etc... all communicating with Riak and adding/removing new scanners/crawlers/blackboxes/etc... every now and then... quite troublesome to set up and maintain a firewall for that.
> 
> "It is not recommended that you deploy Riak on the public internet"... what if apart from webservers with a web-app i want to build iPhone/iPad/Android apps that access Riak directly? one thing i love from Riak is its RESTfull architecture, but if i have to build some API somewhere for the mobile apps to interact with Riak... well... the 'cloud' paradigm just vanished for me... also, i would have a single point of failure on the API implementation.
> 
> any other suggestions?
> 
> 
Something linke nginx set up as a reverse proxy with re-write rules/filters for urls you consider a security risk? Instance per riak instance, riak only available on localhost and nginx facing the outside world?
> Rohman
> 
> On Fri, 27 May 2011 01:20:00 -0400, Alexander Sicular <siculars at gmail.com> wrote:
> 
>> Hi Rohman,
>> 
>> It is not recommended that you deploy Riak on the public internet. Keep all access private and then implement iptables on each individual node securing access to upstream clients.
>> 
>> Ports to keep in mind - 
>> 
>> http(s) port (8098)
>> protocol buffers port (8099)
>> epmd (4369)
>> forcing the range of ports erlang uses to communicate amongst other erlang nodes.
>> 
>> The latter is not part of the default configuration but I think it should be. At least commented out in app.config.
>> 
>> Put it right at the top of the config array above the riak_core directives like so:
>> 
>> [
>> %% limit dynamic ports erlang uses to communicate
>> %% pick some range that works in your environment 
>> %{kernel, [
>> %   {inet_dist_listen_min, 21000},   
>> %   {inet_dist_listen_max, 22000}
>> %]},
>>  %% Riak Core config
>>  {riak_core, [
>> ...
>> Cheers,
>>  
>> Alexander Sicular
>> @siculars
>> http://sicuars.posterous.com
>> 
>> On Friday, May 27, 2011 at 12:55 AM, Antonio Rohman Fernandez wrote:
>> 
>> hello all,
>> 
>> http://IP:8098/riak?buckets=true [ will show all available buckets on Riak ]
>> http://IP:8098/riak/bucketname?keys=true&props=false [ will show all available keys on a bucket ]
>> 
>> to me, this proves a very big security risk, as if somebody discovers your Riak server's IP, is very easy to read all the information from it, even if you try to obfuscate the buckets/keys... everything is highly readable.
>> there is any way to disable those options? like {riak_kv_stat, false} hides the /stats page
>> 
>> thanks
>> 
>> Rohman
>> 
>> <blocked.gif>
>> <blocked.gif>		Antonio Rohman Fernandez
>> CEO, Founder & Lead Engineer
>> rohman at mahalostudio.com	 	Projects
>> MaruBatsu.es
>> PupCloud.com
>> Wedding Album
>> <blocked.gif>
>> _______________________________________________
>> riak-users mailing list
>> riak-users at lists.basho.com
>> http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
> -- 
> 
> 		Antonio Rohman Fernandez
> CEO, Founder & Lead Engineer
> rohman at mahalostudio.com	 	Projects
> MaruBatsu.es
> PupCloud.com
> Wedding Album
> 
> _______________________________________________
> riak-users mailing list
> riak-users at lists.basho.com
> http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.basho.com/pipermail/riak-users_lists.basho.com/attachments/20110527/fc1d0269/attachment.html>


More information about the riak-users mailing list