Cluster security

Alex De la rosa alex.rosa.box at gmail.com
Mon Jun 30 05:47:05 EDT 2014


Hi there,

Imagine the following IP configuration for Riak 2.0:

# /etc/riak/riak.conf

nodename = riak@111.222.333.1
listener.http.internal = 127.0.0.1:8098
listener.protobuf.internal = 127.0.0.1:8087
listener.https.internal = 127.0.0.1:8098

I put the server's real IP in the nodename so they can join/communicate
with each other but then I limit any HTTP/PB communication to the localhost
so nobody can mess with the node from outside (we assume I have my own
Python API in each node doing the security and being a middleman between
the cluster and the webapp).

But how can I prevent 3rd parties from just building a Riak server themselves and
joining my cluster without permission... they can freely join like this:

# riak-admin join riak@111.222.333.1

Of course, they will have to find out the IP address, but if they do, they
can simply put a server themselves in the cluster and do whatever they want
with it.

Maybe a solution is creating subdomains on my domain just for the riak-ring
in a way that is extremely hard to find out to be able to do the JOIN,
something like: nodename = riak@rk001blahblahblah.mydomain.com

Is this approach reasonable? Am I doing/thinking something very wrong? What
would be the suggested way to prevent undesired JOINs?

Cheers,
Alex
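
An added example, not part of the original post: a small audit of the riak.conf shown above that checks each client listener is bound to loopback and that no two listeners share an address:port. It goes beyond the post by also flagging the inter-node cookie (`distributed_cookie`, a riak.conf key the post does not show) when it is left at its default; the function names and the sample cookie line are assumptions made for the example.

```python
import ipaddress

# Constructed sample: the settings from the post plus one assumed line
# (distributed_cookie), which the post does not show.
SAMPLE_CONF = """\
nodename = riak@111.222.333.1
listener.http.internal = 127.0.0.1:8098
listener.protobuf.internal = 127.0.0.1:8087
listener.https.internal = 127.0.0.1:8098
distributed_cookie = riak
"""

def parse_conf(text):
    """Return {key: value} from riak.conf-style 'key = value' lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def is_loopback(host):
    """True only for 'localhost' or a literal loopback IP address."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other hostname or malformed address: treat as exposed

def audit(text):
    """Return sorted findings about listener exposure and the node cookie."""
    settings = parse_conf(text)
    findings, seen = [], {}
    for key, value in settings.items():
        if key.startswith("listener."):
            host = value.rpartition(":")[0]
            if not is_loopback(host):
                findings.append(f"{key} is reachable beyond loopback: {value}")
            if value in seen:
                findings.append(f"{key} reuses {value}, already bound by {seen[value]}")
            seen.setdefault(value, key)
    # Assumption: an unset cookie falls back to the shipped default 'riak'.
    if settings.get("distributed_cookie", "riak") == "riak":
        findings.append("distributed_cookie is the default value 'riak'")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

The listener settings cover only the HTTP and Protocol Buffers client interfaces; node-to-node traffic uses the host in `nodename`, so it needs its own network-level restriction.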