Authentication and an example deploy script?

Authentication and an example deploy script?

Tyler Smart
Hi Riak users!

As a newbie, I am wondering what the best way to authenticate is? Let's say I have a Heroku server that will connect to the Riak server over HTTPS. How should the Riak node handle authentication such that only the Heroku server can access the data? Also, if we are deploying onto Amazon, do you guys have any pre-built Chef scripts I could study to get up to speed with Riak deploys?

Sincerely,
Tyler

_______________________________________________
riak-users mailing list
[hidden email]
http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
Re: Authentication and an example deploy script?

Preston Marshall
I haven't seen any authentication in Riak; they might expect you to throw a web server or something similar in front of it to handle authentication. I'm sure Nginx can more than handle the job of authentication.

On Sun, Apr 11, 2010 at 1:30 AM, Tyler Smart <[hidden email]> wrote:
Hi Riak users!

As a newbie, I am wondering what the best way to authenticate is? Let's say I have a Heroku server that will connect to the Riak server over HTTPS. How should the Riak node handle authentication such that only the Heroku server can access the data? Also, if we are deploying onto Amazon, do you guys have any pre-built Chef scripts I could study to get up to speed with Riak deploys?

Sincerely,
Tyler

Re: Authentication and an example deploy script?

Sean Cribbs-2
As Preston says, we recommend putting a web-server in front of your Riak machine when you need authentication.  If you're using SSL to connect, you could also use client certificate verification.  In general, however, it would be easiest to put your Riak machines and your application machines in the same EC2 security group.

Sean Cribbs <[hidden email]>
Developer Advocate
Basho Technologies, Inc.

On Apr 11, 2010, at 2:33 AM, Preston Marshall wrote:

I haven't seen any authentication in Riak; they might expect you to throw a web server or something similar in front of it to handle authentication. I'm sure Nginx can more than handle the job of authentication.

Re: Authentication and an example deploy script?

Tyler Smart
Thank you Sean and Preston!

I will look into client certificate verification, as the Riak server will be on EC2 but our application server is still Heroku. I saw over at 37signals that they had some cookbooks for Chef that used EC2 and a bunch of others. I am wondering if I can modify their cookbooks to deploy Riak (maybe the EC2 one).

Tyler

On Sun, Apr 11, 2010 at 8:04 AM, Sean Cribbs <[hidden email]> wrote:
As Preston says, we recommend putting a web-server in front of your Riak machine when you need authentication.  If you're using SSL to connect, you could also use client certificate verification.  In general, however, it would be easiest to put your Riak machines and your application machines in the same EC2 security group.

Sean Cribbs <[hidden email]>
Developer Advocate
Basho Technologies, Inc.

Re: Authentication and an example deploy script?

Orlin Bozhinov
Wondering if Basho doesn't already have cookbooks / recipes for deploying with Chef...  I'm facing the exact same scenario.  A Heroku web app + Riak on EC2.  This is the only starting point I've found http://github.com/damm/ey-cloud-recipes/tree/aeb2941c3e7ad03dba7104bc6530777b90c2d71d/cookbooks/riak so far. 

Nginx seems like the usual choice for proxying to Riak.  Is this http://rigelgroupllc.com/wp/?s=nginx the best practice? 

I like the idea of unauthenticated clients bypassing the web site / api (where appropriate).  It could mean a lighter Heroku bill.  However, one probably wouldn't want to open up all the data.  So maybe with a whitelist (or blacklist) restricting what is ok for the world to GET.  This thread http://riak.markmail.org/thread/fzob4dkfm7ebx65g comes to mind.

Whatever the method for controlling access at the bucket level though, a modeling question comes to mind...  Do you recommend splitting certain buckets into public and private counterparts?  Perhaps the data model would be the same - with documents going into the public bucket only if shared.  What are the usage implications from an authenticated application's point of view?  Would it be easy to treat both buckets "as one" when accessing through a client library - Ripple in my case.

Sharing is such a common pattern it could make a really useful mixin.  Of course it's not always black & white.  Sometimes it's both.  Some parts of the document may have to remain private even if it's "shared".  So now we are talking about having the same document in both buckets (public 1:1 private) and a property :whatever, :shareable => true #(for example).  From this mixed scenario pov, maybe it makes sense to have all the data in the private bucket with the shared properties copied to the public bucket.  So linking & map/reduce would refer to the private (otherwise solo) bucket without any special cases.  Does such a thing make sense to have in Ripple?  Perhaps sharing is a use case for the upcoming triggers?

Well, a bit of diversion from authentication & ACLs, but I thought an idea worth sharing in this context. 

Orlin
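
An added example, not from any poster in this thread or from Basho: one way to combine the two suggestions above (client certificate verification for the application, and an allowlist of what the world may GET) in an Nginx front end. It assumes Riak's HTTP interface listens only on 127.0.0.1:8098 with the /riak/<bucket>/<key> URL layout; the host name, certificate paths and the `public_docs` bucket are hypothetical, and the fragment belongs inside the `http {}` block.

```nginx
# Constructed example: TLS front end for a Riak node bound to loopback only.

# Decide access to the public bucket from (cert status, HTTP method).
map "$ssl_client_verify:$request_method" $public_denied {
    default                 1;   # anything not listed below is refused
    "~^SUCCESS:"            0;   # verified application cert: any method
    "~^NONE:(GET|HEAD)$"    0;   # anonymous client: reads only
}

upstream riak_http {
    server 127.0.0.1:8098;       # assumption: Riak HTTP listener, loopback only
}

server {
    listen      443 ssl;
    server_name riak.example.com;                         # hypothetical

    ssl_certificate        /etc/nginx/tls/server.crt;     # hypothetical paths
    ssl_certificate_key    /etc/nginx/tls/server.key;

    # Private CA that issued the application server's client certificate.
    ssl_client_certificate /etc/nginx/tls/app-clients-ca.crt;
    # "optional" lets anonymous clients complete the handshake so the public
    # location can serve them; each location then checks $ssl_client_verify.
    ssl_verify_client      optional;
    ssl_verify_depth       1;

    # World-readable: exactly one object in the public bucket per request.
    # Bucket listings, link walking (/riak/b/k/_,_,_) and /mapred do not
    # match this pattern and fall through to the certificate-gated location.
    location ~ ^/riak/public_docs/[^/]+$ {
        if ($public_denied) { return 403; }
        proxy_pass http://riak_http;
    }

    # Everything else requires a verified client certificate.
    location / {
        if ($ssl_client_verify != SUCCESS) { return 403; }
        proxy_pass http://riak_http;
    }
}
```

The weaker variant of this setup is `ssl_verify_client optional;` with no per-location check of `$ssl_client_verify`, which proxies every request whether or not a certificate was presented.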

