Securing DRb Services with Access Control Lists

Credit: James Edward Gray II

Problem

You want to keep everybody in the world (literally!) from having access to your DRb service. Instead you want to control which hosts can, and cannot, connect.

Solution

Here's the simple shared hash from Recipe 16.10, only this time it's locked down with DRb's ACL (access control list) class:

#!/usr/bin/ruby
# acl_hash_server.rb

require 'drb'
require 'drb/acl'

# Set up the security--remember to call this before DRb.start_service()
DRb.install_acl(ACL.new(%w{ deny all
                            allow 192.168.1.*
                            allow 127.0.0.1 }))

# Start up DRb with a URI and a hash to share
shared_hash = { :server => 'Some data set by the server' }
DRb.start_service("druby://127.0.0.1:61676", shared_hash)
puts 'Listening for connection...'
DRb.thread.join    # Wait on the DRb thread to exit...

Discussion

If you bind your DRb server to localhost, it'll only be accessible to other Ruby processes on your computer. That's not very distributed. But if you bind your DRb server to some other hostname, anyone on your local network (if you've got a local network) or anyone on the Internet at large will be able to share your Ruby objects. You're probably not feeling that generous.

DRb's ACL class provides simple whitelist/blacklist security similar to that used by the Unix /etc/hosts.allow and /etc/hosts.deny files. The ACL constructor takes an array of strings, read in pairs. The first string of a pair is always "allow" or "deny", and it's followed by the address or addresses to which access is allowed or denied.

String addresses can include wildcards ("*"), as shown in the Solution, to allow or deny an entire range of addresses. The ACL class also understands the term "all", and your first entry should be either "deny all" or (less likely) "allow all". Subsequent entries can relax or restrict access, as needed.

In the Solution above, the default is to deny access. Exceptions are carved out afterwards for anyone on the local IP network (192.168.1.*) and anyone on the same host as the server itself (127.0.0.1). A public DRb server might allow access by default, and deny access only to troublesome client IPs.
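The ACL rules can be exercised without starting a server, which is the easiest way to confirm a list does what you intend before you expose a service. The following script is an added example, not code from the recipe: it builds the Solution's "deny all, then allow" list plus the "allow all, then deny" variant described for a public server, and asks each list about a few constructed client addresses through ACL#allow_addr?, the same method DRb calls with a connecting socket's peeraddr. The peer arrays, the port number and the sample IPs are constructed for the illustration. The public-server list is built with the ACL::ALLOW_DENY order so that its deny entries are consulted before its allow entries; with the default order the allow list is consulted first.

```ruby
#!/usr/bin/ruby
# acl_check.rb -- added example: evaluate DRb ACLs offline against sample peers
require 'drb/acl'

# The recipe's list: refuse everyone, then re-admit the LAN and localhost.
RECIPE_ACL = ACL.new(%w{ deny  all
                         allow 192.168.1.*
                         allow 127.0.0.1 })

# A public server: admit everyone, then shut out one troublesome client.
# ACL::ALLOW_DENY makes the deny entries take precedence over "allow all".
PUBLIC_ACL = ACL.new(%w{ allow all
                         deny  10.0.0.99 }, ACL::ALLOW_DENY)

# Constructed stand-in for Socket#peeraddr: [family, port, host, ip].
# Wildcard entries are matched against the host field, plain IP entries
# against the ip field; with reverse lookups disabled (Ruby's default)
# both fields hold the numeric address, which is what we emulate here.
def peer(ip)
  ["AF_INET", 61677, ip, ip]
end

# True if the ACL would let a client at +ip+ connect.
def permitted?(acl, ip)
  acl.allow_addr?(peer(ip))
end

# Map each sample address to its verdict under +acl+.
def evaluate(acl, ips)
  ips.map { |ip| [ip, permitted?(acl, ip)] }.to_h
end

SAMPLE_CLIENTS = %w{ 127.0.0.1 192.168.1.40 192.168.10.5 10.0.0.5 10.0.0.99 203.0.113.7 }

if __FILE__ == $0
  { "recipe (deny by default)" => RECIPE_ACL,
    "public (allow by default)" => PUBLIC_ACL }.each do |label, acl|
    puts label
    evaluate(acl, SAMPLE_CLIENTS).each do |ip, ok|
      puts format("  %-14s %s", ip, ok ? "allowed" : "denied")
    end
  end
end
```

Note that 192.168.10.5 is refused by the recipe's list: the wildcard 192.168.1.* matches only a fourth octet, not any address that merely starts with those characters.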
