Distributed erlang security how to?

2019-03-28 19:45发布

问题:

I want to have 2 independent erlang nodes that could communicate with each other:

so node a@myhost will be able to send messages to b@myhost.

Are there any ways to restrict node a@myhost, so only a function from a secure_module could be called on b@myhost?

It should be something like:

a@myhost> rpc:call(b@myhost,secure_module,do,[A,B,C]) returns  {ok,Result}

and all other calls

a@myhost> rpc:call(b@myhost,Modue,Func,Args)  return {error, Reason}

One of the options would be to use ZeroMQ library to establish a communication between nodes, but would it be better if it could be done using some standard Erlang functions/modules?

回答1:

In this case distributed Erlang is not what you want. Connecting node A to node B makes a single cluster -- one huge, trusted computing environment. You don't want to trust part of this, so you don't want a single cluster.

Instead write a specific network service. Use the network itself as your abstraction layer. The most straightforward way to do this is to establish a stream connection (just boring old gen_tcp, or gen_sctp or use ssl, or whatever) from A to B.

The socket handling process on A receives messages from whatever parts of node A need to call B -- you write this exactly as you would if they were directly connected. Use a normal Erlang messaging style: Message = {name_of_request, Data} or similar. The connecting process on A simply does gen_tcp:send(Socket, term_to_binary(Message)).

The socket handling process on B shuttles received network messages between the socket and your servicing processes by simply receiving {tcp, Socket, Bin} -> Servicer ! binary_to_term(Bin).

Results of computation go back the other direction through the exact same process using the term_to_binary/binary_to_term translation again.

Your service processes should be receiving well defined messages, and disregarding whatever doesn't make sense (usually just logging the nonsense). So in this way you are not doing a direct RPC (which is unsafe in an untrusted environment) you are only responding to valid semantics defined in your (little tiny) messaging protocol. The way the socket handling processes are written is what can abstract this for you and make it feel just as though you are dealing with a trusted environment within distributed Erlang, but actually you have two independent clusters which are limited in what they can request of each other by the definition of your protocol.



标签: erlang