You really should have some level of IP filtering to prevent people from connecting directly to your BEAM / EPMD instances, but even if they do have the ability to make a TCP/IP connection, they have to know the distributed Erlang cookie in order to connect. More on this: http://www.erlang.org/doc/reference_manual/distributed.html (see section 13.7). You can actually use inet_tls for communication between your VMs to ensure authenticity of clients, as well as confidentiality.

On Mon, Jun 30, 2014 at 2:47 AM, Alex De la rosa <alex.rosa....@gmail.com> wrote:
> Hi there,
>
> Imagine the following IP configuration for Riak 2.0:
>
> # /etc/riak/riak.conf
>
> nodename = riak@111.222.333.1
> listener.http.internal = 127.0.0.1:8098
> listener.protobuf.internal = 127.0.0.1:8087
> listener.https.internal = 127.0.0.1:8098
>
> I put the server's real IP in the nodename so they can join/communicate with
> each other but then I limit any HTTP/PB communication to the localhost so
> nobody can mess with the node from outside (we assume I have an own Python
> API in each node doing the security and being a middleman between the
> cluster and the webapp).
>
> But how can I avoid 3rd-parties to just build a Riak server themselves and
> join my cluster without permission... they can freely join like this:
>
> # riak-admin join riak@111.222.333.1
>
> Of course, they will have to find out the IP address, but if they do, they
> can simply put a server themselves in the cluster and do whatever they want
> with it.
>
> Maybe a solution is creating subdomains on my domain just for the riak-ring
> in a way that is extremely hard to find out to be able to do the JOIN,
> something like: nodename = r...@rk001blahblahblah.mydomain.com
>
> Is this approach reasonable? Am I doing/thinking something very wrong? What
> would be the suggested way to prevent undesired JOINs?
>
> Cheers,
> Alex
>
> _______________________________________________
> riak-users mailing list
> riak-users@lists.basho.com
> http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
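
Added example, not part of the original thread and not Riak's own tooling: a small audit of a `riak.conf` for the two controls the reply names (a non-default cookie and IP filtering of the inter-node ports), which also emits iptables rules that admit only known peers. The keys `distributed_cookie`, `erlang.distribution.port_range.*` and `handoff.port`, the default cookie `riak`, and ports 4369 and 8099 are assumed from Riak 2.x defaults rather than taken from the thread; the sample config and peer addresses are constructed.

```python
import ipaddress

# Assumed Riak 2.x defaults (not stated in the thread); verify for your version.
DEFAULT_COOKIE = "riak"   # cookie shipped in a stock riak.conf
EPMD_PORT = 4369          # Erlang port mapper daemon
RANGE_KEYS = ("erlang.distribution.port_range.minimum",
              "erlang.distribution.port_range.maximum")

def parse_conf(text):
    """Parse riak.conf 'key = value' lines, ignoring comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return findings about exposure to unwanted cluster joins."""
    findings = []
    if conf.get("distributed_cookie", DEFAULT_COOKIE) == DEFAULT_COOKIE:
        findings.append("distributed_cookie is the default value")
    for key, value in conf.items():
        if key.startswith("listener."):
            # Assumes the listener host is an IP literal, as in the thread.
            host = value.rsplit(":", 1)[0].strip("[]")
            if not ipaddress.ip_address(host).is_loopback:
                findings.append(f"{key} is bound to non-loopback {host}")
    if not all(k in conf for k in RANGE_KEYS):
        findings.append("distribution port range not pinned; cannot be firewalled narrowly")
    return findings

def firewall_rules(conf, peers):
    """iptables rules: only listed peers reach epmd, handoff and distribution ports."""
    lo, hi = (conf[k] for k in RANGE_KEYS)
    handoff = conf.get("handoff.port", "8099")
    ports = f"{EPMD_PORT},{handoff},{lo}:{hi}"
    base = f"iptables -A INPUT -p tcp -m multiport --dports {ports}"
    return [f"{base} -s {p} -j ACCEPT" for p in peers] + [f"{base} -j DROP"]

# Constructed sample config; peers would come from the 192.0.2.0/24 documentation range.
SAMPLE = """\
distributed_cookie = riak
listener.http.internal = 127.0.0.1:8098
listener.protobuf.internal = 0.0.0.0:8087
erlang.distribution.port_range.minimum = 6000
erlang.distribution.port_range.maximum = 7999
"""
```

Run `audit(parse_conf(SAMPLE))` to list the findings and `firewall_rules(parse_conf(SAMPLE), ["192.0.2.2", "192.0.2.3"])` to get the rules for two peers.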