Cluster security

Sargun Dhillon sargun at sargun.me
Mon Jun 30 06:08:32 EDT 2014


You really should have some level of IP filtering to prevent people
from connecting directly to your BEAM / EPM instances, but even if
they do have the ability to make a TCP/IP connection, they have to
know the distributed Erlang cookie in order to connect. More on this:
http://www.erlang.org/doc/reference_manual/distributed.html (see
section 13.7). You can actually use inet_tls for communication between
your VMs to ensure authenticity of clients, as well as
confidentiality.

On Mon, Jun 30, 2014 at 2:47 AM, Alex De la rosa
<alex.rosa.box at gmail.com> wrote:
> Hi there,
>
> Imagine the following IP configuration for Riak 2.0:
>
> # /etc/riak/riak.conf
>
> nodename = riak@111.222.333.1
> listener.http.internal = 127.0.0.1:8098
> listener.protobuf.internal = 127.0.0.1:8087
> listener.https.internal = 127.0.0.1:8098
>
> I put the server's real IP in the nodename so they can join/communicate with
> each other but then I limit any HTTP/PB communication to the localhost so
> nobody can mess with the node from outside (we assume I have my own Python
> API in each node doing the security and being a middleman between the
> cluster and the webapp).
>
> But how can I prevent third parties from just building a Riak server
> themselves and joining my cluster without permission? They can freely join
> like this:
>
> # riak-admin join riak@111.222.333.1
>
> Of course, they will have to find out the IP address, but if they do, they
> can simply put a server themselves in the cluster and do whatever they want
> with it.
>
> Maybe a solution is creating subdomains on my domain just for the riak-ring
> in a way that is extremely hard to find out to be able to do the JOIN,
> something like: nodename = riak@rk001blahblahblah.mydomain.com
>
> Is this approach reasonable? Am I doing/thinking something very wrong? What
> would be the suggested way to prevent undesired JOINs?
>
> Cheers,
> Alex
>
> _______________________________________________
> riak-users mailing list
> riak-users at lists.basho.com
> http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
>
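
A check for the two controls named in the reply above (network filtering and the distribution cookie), as an added example that is not part of the original thread. It assumes Riak 2.0's `distributed_cookie` and `erlang.distribution.port_range.*` settings and that the stock cookie value is `riak`; the sample configuration and the function names are constructed for illustration.

```python
import ipaddress

DEFAULT_COOKIE = "riak"  # assumption: cookie value in a stock Riak 2.0 riak.conf
RANGE_KEYS = ("erlang.distribution.port_range.minimum",
              "erlang.distribution.port_range.maximum")

# Constructed sample, in the style of the riak.conf quoted in this thread.
SAMPLE_CONF = """\
nodename = riak@192.0.2.10
distributed_cookie = riak
listener.http.internal = 127.0.0.1:8098
listener.protobuf.internal = 0.0.0.0:8087
"""

def parse_conf(text):
    """Return the 'key = value' settings, skipping blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def is_loopback(listener):
    """True when an 'ip:port' listener value is bound to a loopback address."""
    host = listener.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # hostname: cannot be proven local, so report it
        return False

def audit(text):
    """List the settings that leave the node reachable or joinable by outsiders."""
    conf = parse_conf(text)
    findings = []
    if conf.get("distributed_cookie", DEFAULT_COOKIE) == DEFAULT_COOKIE:
        findings.append("distributed_cookie: unset or default, set a long random secret")
    for key in sorted(conf):
        if key.startswith("listener.") and not is_loopback(conf[key]):
            findings.append(f"{key}: bound to {conf[key]}, not loopback")
    if not all(k in conf for k in RANGE_KEYS):
        findings.append("erlang.distribution.port_range: not pinned, "
                        "so peer-only firewall rules cannot cover it")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

An empty result means the cookie is non-default, every listener is on loopback, and the distribution port range is fixed so a firewall can restrict it, together with the epmd port, to the other cluster members.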



