[erlang-questions] Erlang cookies, rpc, security, mnesia, hidden nodes, VPN tunnels and stuff!

Sergej Jurečko sergej.jurecko@REDACTED
Wed Sep 21 09:32:13 CEST 2016


You can set a cookie for nodes: http://erlang.org/doc/man/erlang.html#set_cookie-2
So if your server node first connects to other mnesia nodes with a mnesia cookie, you can then set this to change the default cookie for all other nodes (clients). Theoretically I think it should work.

If I'm understanding your intention correctly, you are attempting to add some security to an underlying system which has no security. There is nothing stopping clients from calling mnesia:.. functions on your server and doing whatever they want. Unless clients are completely trusted, using Erlang RPC for their connection is a really bad idea.

regards,
Sergej

> On 20 Sep 2016, at 20:47, Trent Hampton <trenthampton@REDACTED> wrote:
> 
> Greetings Erlang Wizards!
> 
> I have a client-server Erlang application where each server is connected to every other and is running an instance of an mnesia database across point-to-point VPN tunnels.
> 
> I would like to be able to use Erlang rpc on the clients to make function calls on the servers without exposing raw access to the mnesia database. That is, I do not want to expose, to the clients, the cookie that I use to connect mnesia nodes together.
> 
> Is it possible to have the servers and mnesia communicate using one cookie but have the clients connect to the servers using another cookie so that the clients cannot gain access to the raw database and so that there are no transitive connections?
> 
> According to http://erlang.org/doc/reference_manual/distributed.html section 13.3-5; it is possible to turn off transitive connections with the -connect_all false flag or by making a node hidden. Is it possible to use the hidden node and also use a different cookie for the client to server connection than the cookie used between the servers?
> 
> Thank you!
> 
> Trent
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
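
The split-cookie setup suggested in the reply, as an added example that is not part of the original thread: each server pins the server-only cookie per peer with `erlang:set_cookie/2`, then sets its own cookie, which becomes the default assumed for every other node. The module name, node names and cookie atoms are hypothetical placeholders.

```erlang
%% Added example, not code from the thread. All names are hypothetical.
-module(split_cookie).
-export([setup/3, unreachable_peers/1]).

%% Run on every server node before any distribution connection is made.
%%   Peers        - the other server (mnesia) nodes, e.g. ['s2@10.8.0.2']
%%   PeerCookie   - cookie known only to the server nodes
%%   ClientCookie - cookie handed out to clients
setup(Peers, PeerCookie, ClientCookie)
  when is_list(Peers), is_atom(PeerCookie), is_atom(ClientCookie),
       PeerCookie =/= ClientCookie ->
    case node() of
        nonode@nohost -> erlang:error(distribution_not_started);
        _ -> ok
    end,
    %% Explicit per-node entries: used for the handshake with each peer,
    %% whichever side opens the connection.
    lists:foreach(fun(Peer) ->
                          true = erlang:set_cookie(Peer, PeerCookie)
                  end, Peers),
    %% Setting the local node's cookie also sets the cookie assumed for
    %% all nodes without an explicit entry, i.e. the clients.
    true = erlang:set_cookie(node(), ClientCookie),
    %% Sanity check: the local (default) cookie is now the client one.
    ClientCookie = erlang:get_cookie(),
    ok.

%% Returns the peers that could not be reached with the pinned cookie.
%% A non-empty list usually means a peer has not run setup/3 with the
%% same PeerCookie and the same list of server nodes.
unreachable_peers(Peers) ->
    [Peer || Peer <- Peers, net_adm:ping(Peer) =/= pong].

%% Scope of this separation, per the reply above: the cookie only decides
%% which nodes may connect. A client that connects with ClientCookie is a
%% full distribution peer of this server and can still call mnesia
%% functions on it, so this does not by itself hide the database.
```

A server would call `split_cookie:setup(['s2@10.8.0.2'], server_secret, client_secret)` at boot, with every server listing all other servers as peers.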



