Cluster security

Alex De la rosa alex.rosa.box at gmail.com
Mon Jun 30 06:10:54 EDT 2014


Hi guys,

Thanks for the info about the "erlang cookie", will take a look at it :)

Yeah, of course I will have firewalls and restrict access; that's also
why I will limit the querying to localhost and have a middleman API to
talk to the node itself. I was just worried that somebody would
find out an IP or domain and try to hook up a node themselves.

Cheers,
Alex


On Mon, Jun 30, 2014 at 12:08 PM, Sargun Dhillon <sargun at sargun.me> wrote:

> You really should have some level of IP filtering to prevent people
> from connecting directly to your BEAM / EPM instances, but even if
> they do have the ability to make a TCP/IP connection, they have to
> know the distributed Erlang cookie in order to connect. More on this:
> http://www.erlang.org/doc/reference_manual/distributed.html - See,
> section 13.7. You can actually use inet_tls for communication between
> your VMs to ensure authenticity of clients, as well as
> confidentiality.
>
> On Mon, Jun 30, 2014 at 2:47 AM, Alex De la rosa
> <alex.rosa.box at gmail.com> wrote:
> > Hi there,
> >
> > Imaging the following IP configuration for Riak 2.0:
> >
> > # /etc/riak/riak.conf
> >
> > nodename = riak at 111.222.333.1
> > listener.http.internal = 127.0.0.1:8098
> > listener.protobuf.internal = 127.0.0.1:8087
> > listener.https.internal = 127.0.0.1:8098
> >
> > I put the server's real IP in the nodename so they can join/communicate with
> > each other, but then I limit any HTTP/PB communication to the localhost so
> > nobody can mess with the node from outside (we assume I have my own Python
> > API in each node doing the security and being a middleman between the
> > cluster and the webapp).
> >
> > But how can I prevent 3rd parties from just building a Riak server themselves
> > and joining my cluster without permission... they can freely join like this:
> >
> > # riak-admin join riak at 111.222.333.1
> >
> > Of course, they will have to find out the IP address, but if they do, they
> > can simply put a server themselves in the cluster and do whatever they want
> > with it.
> >
> > Maybe a solution is creating subdomains on my domain just for the riak-ring
> > in a way that is extremely hard to find out, to be able to do the JOIN,
> > something like: nodename = riak at rk001blahblahblah.mydomain.com
> >
> > Is this approach reasonable? Am I doing/thinking something very wrong? What
> > would be the suggested way to prevent undesired JOINs?
> >
> > Cheers,
> > Alex
> >
> > _______________________________________________
> > riak-users mailing list
> > riak-users at lists.basho.com
> > http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
> >
>
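As an added example (not part of this thread or of Riak's own tooling), here is a small POSIX shell audit of a riak.conf fragment that checks the two points raised above: whether the distributed Erlang cookie is still the default `riak` (so anyone who finds the IP can `riak-admin join`), and whether the HTTP/PB listeners are bound to something other than loopback. It assumes the Riak 2.0 riak.conf keys `distributed_cookie`, `listener.*.internal` and `erlang.distribution.port_range.minimum/maximum`, and that the cookie default is `riak`; the sample config is constructed and the node IP is a placeholder.

```shell
#!/bin/sh
# Added example: audit a riak.conf fragment for an unchanged Erlang cookie and
# for client listeners reachable off-host. Assumes Riak 2.0 cuttlefish keys.

# Constructed sample, modelled on the config quoted in the thread.
# 10.0.0.1 is a placeholder node address; the PB listener is deliberately
# bound to 0.0.0.0 so the audit has something to flag.
SAMPLE_CONF='## constructed riak.conf sample
nodename = riak@10.0.0.1
distributed_cookie = riak
listener.http.internal = 127.0.0.1:8098
listener.protobuf.internal = 0.0.0.0:8087
erlang.distribution.port_range.minimum = 6000
erlang.distribution.port_range.maximum = 7999
'

# conf_get KEY CONF: print the value of the first "KEY = value" line in CONF.
conf_get() {
    printf '%s\n' "$2" \
        | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" \
        | head -n 1
}

# audit_conf CONF: print one finding per line; exit status 0 when clean,
# 1 when a weak cookie or an exposed listener was found.
audit_conf() {
    conf=$1
    status=0

    # A missing key means cuttlefish falls back to the default cookie "riak",
    # which every other Riak install also knows.
    cookie=$(conf_get distributed_cookie "$conf")
    if [ -z "$cookie" ] || [ "$cookie" = "riak" ]; then
        echo "WEAK: distributed_cookie is missing or the default 'riak'; any node that learns the IP can join"
        status=1
    fi

    # Client listeners should stay on loopback when a local API fronts them.
    for key in listener.http.internal listener.protobuf.internal listener.https.internal; do
        addr=$(conf_get "$key" "$conf")
        case "$addr" in
            "") ;;                      # not configured
            127.*|localhost:*) ;;       # loopback only: fine
            *) echo "EXPOSED: $key = $addr is reachable from other hosts"; status=1 ;;
        esac
    done

    # A fixed distribution port range is what lets a firewall pin the
    # inter-node ports (plus EPMD on TCP 4369) to the cluster's peers.
    min=$(conf_get erlang.distribution.port_range.minimum "$conf")
    max=$(conf_get erlang.distribution.port_range.maximum "$conf")
    if [ -z "$min" ] || [ -z "$max" ]; then
        echo "INFO: no fixed distribution port range; firewall rules cannot pin the inter-node ports"
    else
        echo "OK: inter-node distribution uses TCP $min-$max plus EPMD on 4369; restrict these to cluster peers"
    fi
    return $status
}

# Usage: run the audit over the constructed sample.
audit_conf "$SAMPLE_CONF" || echo "audit found issues (see above)"
```

The cookie check is the important one: the cookie is a shared secret, not a per-node credential, so a long random value limits joins to hosts that were given it, and the listener and port-range findings are what the firewall rules from the reply above should enforce.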