Hi Shane, As you've found, PredictionIO itself does not include a complete authorization solution. A general solution is to isolate PredictionIO from the internet on a private network, and then implement a gateway/proxy to authorize and route traffic to PredictionIO eventserver and engine query API.
With Heroku Enterprise, this architectural pattern may be implemented by provisioning two Private Spaces <https://www.heroku.com/private-spaces>; recommended naming pattern: *example-public* (frontend) & *example* (backend). Configure the backend space to only trust incoming traffic from the public space and itself.

In the Heroku Dashboard <https://dashboard.heroku.com/>:

1. With two side-by-side browser windows, open the frontend & the backend spaces' *Network* settings.
2. Copy each of the *frontend* *Space Outbound IPs* to the *backend* *Trusted IP Ranges*. CIDR notation for each individual IP is X.X.X.X/32.
3. Copy each of the *backend* *Space Outbound IPs* to its own *Trusted IP Ranges*. CIDR notation for each individual IP is X.X.X.X/32.

Then, deploy PredictionIO apps to the backend space.

In the frontend space, deploy a public proxy/gateway. We've used Node to make simple proxies, or try something like Kong API gateway on Heroku <https://github.com/heroku/heroku-kong> and configure APIs with simple key authorization.

Keep in mind, all public-facing traffic and inter-space traffic should be encrypted. SSL/TLS is not available by default for Private Spaces apps. Therefore, a custom domain name and certificates must be procured and installed for every app.

I'd like to see a best-practices pattern emerge around securing PredictionIO. I would love to hear about your ongoing progress,

*Mars

On Thu, Aug 31, 2017 at 10:24 PM, Shane Johnson <shanewaldenjohn...@gmail.com> wrote:

> Hi everyone. We are building an app exchange app that is leveraging the Heroku deployment of PIO. We are needing to secure the posts to the events.json endpoint as well as the queries.json endpoint on Heroku.
>
> Do you have any suggestions on how to add security around adding events and querying predictions? Is there an add-on on Heroku, or would it be necessary to extend the Scala code to look for a secret key? I would prefer to not extend the Scala and have authentication happen at the Heroku level if possible.
>
> Thank you in advance!
>
> *Shane Johnson | 801.360.3350*
> LinkedIn <https://www.linkedin.com/in/shanewjohnson> | Facebook <https://www.facebook.com/shane.johnson.71653>