[erlang-questions] Securing remote spawning

maarten@REDACTED maarten@REDACTED
Wed Apr 23 20:39:36 CEST 2008


Hi,

Thanks, but basically that means that I have to trust the firewall. If somebody gets past the first "layer of defense", they can do more damage. With great power.....

--Maarten



----------------------------------
From:     "Gleb Peregud" <gleber.p@REDACTED>
Date:     4/23/08 17:53
Subject:  Re: [erlang-questions] Securing remote spawning

Hi,

No. At this moment there is no such mechanism (at least none I heard
of). Erlang security is based on simple concept of "secret cookie". If
one knows cookie of running node then he gets absolute power over this
node. Same goes to inter-node communication - if two nodes share the
same cookie they trust each other fully. If it differs - they do not
communicate at all.

For details see http://www.erlang.org/doc/reference_manual/distributed.html#11.7

Of course you can roll out your own mechanism. For a specific task with
term_to_binary/1 and binary_to_term/1 it should not be too hard.

Also you may want to read this:
http://www.trapexit.org/Distributed_erlang_using_ssl_through_firewalls

Best regards.

On 4/23/08, Maarten Koopmans <maarten@REDACTED> wrote:
> Hi,
>
> New to this list and Erlang, and I have a simple question that I
> couldn't find an answer to in any of the docs: is it possible to
> restrict the possibility of remote spawning or rpc on a given set of
> nodes to only a subset of the functions?
>
> Because if I think "trust no one" then only cookies for SaaS
> applications imply that I lose a layer of defense (and have only the
> firewall left). Especially because the Big Plus with Erlang would be
> using Mnesia as well - but this implies moving all code (business + Db) in
> the same zone.
>
> The only option I can think of is doing all communication socket based
> with custom protocols/DSLs that limit what you can do.
>
> Any help/insights greatly appreciated!
>
> --Maarten


-- 
Gleb Peregud
http://gleber.pl/

Every minute is to be grasped.
Time waits for nobody.
-- Inscription on a Zen Gong
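
An added example, not written by either poster: one way to build the "roll your own" mechanism suggested above, as a socket endpoint that accepts term_to_binary/1 frames but only dispatches calls on an allowlist, so the node never has to share its distribution cookie with the caller. The module name restricted_rpc, the {call, M, F, Args} message shape and the allowlist contents are assumptions made for illustration; authenticating the peer (for example with TLS) is a separate concern not shown here.

```erlang
-module(restricted_rpc).
-export([start/1, call/4, handle_request/1]).

%% Allowlist of {Module, Function, Arity} a peer may invoke (constructed sample).
-define(ALLOWED, [{lists, reverse, 1}, {erlang, length, 1}]).
-define(OPTS, [binary, {packet, 4}, {active, false}]).

%% Listen on loopback only; frames are 4-byte length-prefixed, capped at 64 KiB.
start(Port) ->
    spawn(fun() ->
        {ok, L} = gen_tcp:listen(Port, ?OPTS ++ [{reuseaddr, true},
                      {packet_size, 65536}, {ip, {127,0,0,1}}]),
        accept_loop(L)
    end).

accept_loop(L) ->
    {ok, S} = gen_tcp:accept(L),
    Pid = spawn(fun() -> receive go -> serve(S) end end),
    ok = gen_tcp:controlling_process(S, Pid),
    Pid ! go,
    accept_loop(L).

serve(S) ->
    case gen_tcp:recv(S, 0) of
        {ok, Bin} ->
            ok = gen_tcp:send(S, term_to_binary(handle_request(Bin))),
            serve(S);
        {error, _} -> gen_tcp:close(S)
    end.

%% Decode with [safe] so untrusted input cannot create new atoms, then
%% refuse anything that is not an allowlisted {M, F, Arity}.
handle_request(Bin) ->
    try binary_to_term(Bin, [safe]) of
        {call, M, F, Args} when is_atom(M), is_atom(F), length(Args) >= 0 ->
            case lists:member({M, F, length(Args)}, ?ALLOWED) of
                true  -> try {ok, apply(M, F, Args)}
                         catch _:_ -> {error, failed} end;
                false -> {error, not_allowed}
            end;
        _ -> {error, bad_request}
    catch error:badarg -> {error, bad_request}
    end.

%% Client side of the same framing, for local testing.
call(Port, M, F, Args) ->
    {ok, S} = gen_tcp:connect({127,0,0,1}, Port, ?OPTS),
    ok = gen_tcp:send(S, term_to_binary({call, M, F, Args})),
    {ok, Reply} = gen_tcp:recv(S, 0),
    gen_tcp:close(S),
    binary_to_term(Reply, [safe]).
```

After restricted_rpc:start(4711), restricted_rpc:call(4711, lists, reverse, [[1,2,3]]) returns {ok,[3,2,1]}, while restricted_rpc:call(4711, os, cmd, ["id"]) returns {error,not_allowed}.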

