[erlang-questions] Erlang cookies, rpc, security, mnesia, hidden nodes, VPN tunnels and stuff!

Bengt Kleberg <>
Wed Sep 21 09:28:25 CEST 2016


FWIW: I use different cookies for different nodes in 'production'.

A management node handles different pools, where each pool has its own 
cookie.

The manager is hidden. Theoretically we could have many (10-50) pools 
with max 50 machines in each. In practice we only use 2-3 pools with 
10-20 machines in each.


bengt


On 09/21/2016 09:20 AM, Tobias Schlager wrote:
> Hi Trent,
>
> AFAIK it is possible to use different cookies for different nodes, the distribution protocol allows it. Furthermore it is possible to set different cookies on a node for remote nodes manually, see [1]. However, most probably this is not a good idea and I have to admit that I've never used this 'feature' (in production).
>
> Regards
> Tobias
>
> [1] http://erlang.org/doc/man/erlang.html#set_cookie-2
>
> ________________________________________
> From:  []" on behalf of "Trent Hampton []
> Sent: Tuesday, 20 September 2016 20:47
> To: 
> Subject: [erlang-questions] Erlang cookies, rpc, security, mnesia, hidden nodes, VPN tunnels and stuff!
>
> Greetings Erlang Wizards!
>
> I have a client server erlang application where each server is connected to every other and is running an instance of an mnesia database across point to point VPN tunnels.
>
> I would like to be able to use erlang rpc on the clients to make function calls on the servers without exposing raw access to the mnesia database. That is, I do not want to expose, to the clients, the cookie that I use to connect mnesia nodes together.
>
> Is it possible to have the servers and mnesia communicate using one cookie but have the clients connect to the servers using another cookie so that the clients cannot gain access to the raw database and so that there are no transitive connections?
>
> According to http://erlang.org/doc/reference_manual/distributed.html section 13.3-5; it is possible to turn off transitive connections with the -connect_all false flag or by making a node hidden. Is it possible to use the hidden node and also use a different cookie for the client to server connection than the cookie used between the servers?
>
> Thank you!
>
> Trent
> _______________________________________________
> erlang-questions mailing list
> 
> http://erlang.org/mailman/listinfo/erlang-questions
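
The setup described in this thread (a hidden manager node holding one cookie per pool), written with erlang:set_cookie/2 from the link in the quoted reply. This is an added example, not code from any poster; the module name, node names and cookie values are constructed.

```erlang
%% Added example, not code from the thread. Node and cookie names are
%% constructed; load real cookies from protected config, not source.
%% Start the manager hidden so it never joins a pool's mesh:
%%   erl -name manager@mgmt.example -hidden -setcookie manager_only
-module(pool_manager).
-export([connect_pools/1, example_pools/0]).

%% Pools :: [{Cookie :: atom(), [node()]}]
%% Returns {ok, [{Node, Status}]} covering every node in every pool.
connect_pools(Pools) ->
    case erlang:is_alive() of
        false ->
            {error, not_distributed};   % set_cookie/2 needs a live node
        true ->
            {ok, [{Node, connect(Node, Cookie)}
                  || {Cookie, Nodes} <- Pools, Node <- Nodes]}
    end.

connect(Node, Cookie) when is_atom(Node), is_atom(Cookie) ->
    %% Applies to this peer only; the manager's own cookie and the
    %% cookies set for other pools are left untouched.
    true = erlang:set_cookie(Node, Cookie),
    case net_kernel:connect_node(Node) of
        true    -> connected;
        false   -> failed;            % unreachable or cookie rejected
        ignored -> not_distributed
    end.

%% Constructed sample input: two pools, each with its own cookie.
example_pools() ->
    [{pool_a_cookie, ['w1@a1.example', 'w2@a2.example']},
     {pool_b_cookie, ['w1@b1.example']}].
```

Each pool's nodes are started with that pool's cookie via -setcookie, so a node from one pool cannot connect to another pool. A cookie only decides which nodes may connect; once connected, a peer can make any rpc call, so a separate client cookie does not by itself limit what a client can call on a server.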


