node connectivity and security

node connectivity and security

Richard Bucker
When the various nodes are in the same datacenter.... connectivity is a no-brainer. Can anyone comment on their experiences over a WAN connection? I'm curious about the security and privacy issues? Or is the simple answer IPSEC/VPN?

/r

_______________________________________________
riak-users mailing list
[hidden email]
http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com

Re: node connectivity and security

wde
If I am right, the riak network layer is based on the erlang clustering system.

To build the TCP connections between your nodes, you have to open TCP port 4369 and a dynamic TCP port range that you can specify by editing the file vm.args:

 add something like

 -kernel inet_dist_listen_min 4000 inet_dist_listen_max 4005

to restrict the range to 4000 to 4005, for example.

The range size depends on the size of your cluster (how many servers run riak).

I think that you also have to open the port defined by the riak_handoff_port parameter in your configuration file.

Concerning security, erlang cluster security is mainly based on the shared secret: the cookie, that you define in your riak configuration file.
There is no other authentication system, and communications between nodes are not encrypted.

In a WAN environment, I think that the real problem (as always) is the latency introduced by the network. I have no experience with riak in this context.
I started to read the code; some timeouts seem to be hard coded, but it's nothing to change ;p



Let me know if I'm wrong.

>When the various nodes are in the same datacenter.... connectivity is a
>no-brainer. Can anyone comment on their experiences over a WAN connection?
>I'm curious about the security and privacy issues? Or is the simple answer
>IPSEC/VPN?
>
>/r
>
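The port setup described in the message above (4369, the inet_dist_listen range from vm.args, and the handoff port), turned into peer-only firewall rules. This is an added example, not part of the thread or of Riak; the peer addresses, the handoff port value 8099, the cookie placeholder and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print peer-only iptables rules for the ports named in the thread.
# The rules are printed for review, not applied.

EPMD_PORT=4369   # TCP port 4369, as stated in the message above

# Print "MIN MAX" from the -kernel inet_dist_listen_* settings in vm.args.
# Fails when the range is unset, because without a fixed range there is
# no narrow set of ports to write a rule for.
dist_range() {
    awk '$1 == "-kernel" {
             for (i = 2; i < NF; i++) {
                 if ($i == "inet_dist_listen_min") min = $(i + 1)
                 if ($i == "inet_dist_listen_max") max = $(i + 1)
             }
         }
         END {
             if (min == "" || max == "" || min + 0 > max + 0) exit 1
             print min, max
         }' "$1"
}

# gen_rules VM_ARGS HANDOFF_PORT PEER_IP...
# One ACCEPT rule per cluster peer, then a DROP for every other source.
gen_rules() {
    vmargs=$1; handoff=$2; shift 2
    range=$(dist_range "$vmargs") || {
        echo "no usable inet_dist_listen_min/max in $vmargs" >&2
        return 1
    }
    ports="$EPMD_PORT,${range% *}:${range#* },$handoff"
    for peer in "$@"; do
        echo "iptables -A INPUT -p tcp -s $peer -m multiport --dports $ports -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp -m multiport --dports $ports -j DROP"
}

# Constructed sample input: only the 4000-4005 range comes from the thread.
# 8099 stands in for whatever riak_handoff_port is set to (assumed value).
sample=$(mktemp)
printf '%s\n' '-setcookie PLACEHOLDER_COOKIE' \
    '-kernel inet_dist_listen_min 4000 inet_dist_listen_max 4005' > "$sample"
gen_rules "$sample" 8099 192.0.2.11 192.0.2.12
rm -f "$sample"
```

These rules only limit which hosts can reach the ports; the traffic between nodes stays unencrypted, so they do not replace the IPSEC/VPN option raised in the first message.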




Re: node connectivity and security

Justin Sheehy
On Fri, Feb 12, 2010 at 1:21 PM, wde <[hidden email]> wrote:

> If I am right, the riak network layer is based on the erlang clustering system.

You are right, though not all communication between nodes is in Erlang
messaging (some is raw TCP and/or protobuffs) almost all of the
typical-behavior networking is in standard distributed Erlang.

The rest of your comments about both network setup and security are
spot-on as well.

> In a WAN environment, I think that the real problem (as always) is the latency introduced by the network. I have no experience with riak in this context.

Completely correct, and we do not recommend running a single Riak
cluster across general purpose long-haul internet links.  The internal
protocols and models that Riak is built on for intra-cluster
communication are not intended for such highly-variable latency as
occurs in that situation.  Generally a single Riak cluster should be
composed of nodes with relatively local network connectivity between
them.

Our Enterprise product has long-haul cluster-to-cluster
multidirectional replication using entirely different communication
models for inter-cluster communication.  Just as failure conditions
are different across the internet than within the datacenter, so must
be our ways of dealing with them.

-Justin
