Securing DRb Services with Access Control Lists

Credit: James Edward Gray II

Problem

You want to keep everybody in the world (literally!) from having access to your DRb service. Instead you want to control which hosts can, and cannot, connect.

Solution

Heres the simple shared hash from Recipe 16.10, only this time its locked down with DRbs ACL (access control list) class:

	#!/usr/bin/ruby
	# acl_hash_server.rb

	require drb
	require drb/acl

	# Setup the security--remember to call before DRb.start_service()
	DRb.install_acl(ACL.new(%w{ deny all
	 allow 192.168.1.*
	 allow 127.0.0.1 } ) )
	# Start up DRb with a URI and a hash to share
	shared_hash = {:server => Some data set by the server }
	DRb.start_service("druby://127.0.0.1:61676", shared_hash)
	puts Listening for connection…
	DRb.thread.join # Wait on DRb thread to exit…

Discussion

If you bind your DRb server to localhost, itll only be accessible to other Ruby processes on your computer. Thats not very distributed. But if you bind your DRb server to some other hostname, anyone on your local network (if youve got a local network) or anyone on the Internet at large will be able to share your Ruby objects. You e probably not feeling that generous.

DRbs ACL class provides simple white/blacklist security similar to that used by the Unix /etc/hosts.allow and /etc/hosts.deny files. The ACL constructor takes an array of strings. The first string of a pair is always "allow" or "deny", and its followed by the address or addresses to allow or deny access.

String addresses can include wildcards ("**"), as shown in the solution, to allow or deny an entire range of addresses. The ACL class also understands the term "all," and your first address should be either "deny all" or (less likely) "allow all". Subsequent entries can relax or restrict access, as needed.

In the Solution above, the default is to deny access. Exceptions are carved out afterwards for anyone on the local IP network (192.168.1.**) and anyone on the same host as the server itself (127.0.0.1). A public DRb server might allow access by default, and deny access only to troublesome client IPs.

See Also

  • Recipe 16.10, "Sharing a Hash Between Any Number of Computers"


Strings

Numbers

Date and Time

Arrays

Hashes

Files and Directories

Code Blocks and Iteration

Objects and Classes8

Modules and Namespaces

Reflection and Metaprogramming

XML and HTML

Graphics and Other File Formats

Databases and Persistence

Internet Services

Web Development Ruby on Rails

Web Services and Distributed Programming

Testing, Debugging, Optimizing, and Documenting

Packaging and Distributing Software

Automating Tasks with Rake

Multitasking and Multithreading

User Interface

Extending Ruby with Other Languages

System Administration



Ruby Cookbook
Ruby Cookbook (Cookbooks (OReilly))
ISBN: 0596523696
EAN: 2147483647
Year: N/A
Pages: 399

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net