Security
Overview

In Riak TS, security is supported for the Protocol Buffers Client (PBC) interface (like in Riak KV).

Security is not currently supported through the HTTP interface in Riak TS

The following is an overview of standard configurations and port settings to use for network security in a Riak TS Cluster. This document also contains a list of links to more information on best practices for enabling security features, managing users, and managing security sources.

Access Control

There are two classes of access control for Riak TS:

  • Other Riak TS nodes participating in the cluster
  • Clients making use of the Riak TS cluster

The settings for both access groups are located in your cluster’s configuration settings. You can set a host and port for each node in that node’s riak.conf file with the listener.protobuf setting.

Make note of these configurations and set up your firewall to allow incoming TCP access to those ports or IP address/port combinations. Exceptions to this are the handoff_ip and handoff_port directives. Those are for communication between Riak TS nodes only.

Inter-node Communication

Riak TS uses the Erlang distribution mechanism for most inter-node communication. Riak TS identifies other machines in the ring using Erlang identifiers (»hostname or IP«, e.g. riak@10.9.8.7). Erlang resolves these node identifiers to a TCP port on a given machine via the Erlang Port Mapper daemon (epmd) running on each cluster node.

By default, epmd binds to TCP port 4369 and listens on the wildcard interface. For inter-node communication, Erlang uses an unpredictable port by default; it binds to port 0, which means the first available port.

For ease of firewall configuration, Riak TS can be configured to instruct the Erlang interpreter to use a limited range of ports. For example, to restrict the range of ports that Erlang will use for inter-Erlang node communication to 6000-7999, add the following lines to the configuration file on each Riak TS node:

erlang.distribution.port_range.minimum = 6000
erlang.distribution.port_range.maximum = 7999

Then configure your firewall to allow incoming access to TCP ports 6000 through 7999 from whichever network(s) contain your Riak TS nodes.

Riak TS Node Ports

Riak TS nodes in a cluster need to be able to communicate freely with one another on the following ports:

  • epmd listener: TCP:4369
  • handoff_port listener: TCP:8099
  • range of ports specified in app.config or riak.conf

Riak TS Client Ports

Riak TS clients must be able to contact at least one machine in a Riak cluster on the following TCP ports:

Protocol Port
Protocol Buffers TCP port 8087

Best Practices

Security Checklist

Before enabling security on your Riak TS cluster be sure to check out the Security Checklist.

Enabling, Disabling, and Checking Security

For a brief tutorial on how to enable, disable, or check the security status of a cluster, visit the Security: Enable & Disable page.

Managing User Authentication and Permissions

For instructions on how to apply permissions and require client authentication in Riak TS, please see our Security: User Management documentation.

Managing Security Sources

For more on creating and managing security sources for authentication in Riak TS, check out Security: Sources Management.

Notifying Riak

If you discover a potential security issue with Riak TS or want to know more about Riak’s approach to security, visit the Security: Notifying Riak page.