Cluster security

Alex De la rosa at
Mon Jun 30 05:47:05 EDT 2014

Hi there,

Imaging the following IP configuration for Riak 2.0:

# /etc/riak/riak.conf

nodename = riak at 111.222.333.1
listener.http.internal =
listener.protobuf.internal =
listener.https.internal =

I put the server's real IP in the nodename so they can join/communicate
with each other but then I limit any HTTP/PB communication to the localhost
so nobody can mess with the node from outside (we assume I have an own
Python API in each node doing the security and being a middleman between
the cluster and the webapp).

But how can I avoid 3rd-parties to just build a Riak server themselves and
join my cluster without permission... they can freely join like this:

# riak-admin join riak at 111.222.333.1

Of course, they will have to find out the IP address, but if they do, they
can simply put a server themselves in the cluster and do whatever they want
with it.

Maybe a solution is creating subdomains on my domain just for the riak-ring
in a way that is extremely hard to find out to be able to do the JOIN,
something like: nodename = riak at

Is this approach reasonable? Am I doing/thinking something very wrong? What
would be the suggested way to prevent undesired JOINs?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the riak-users mailing list