You have two classes[1] of access control for Riak: - other Riak nodes in the ring - clients making use of the Riak ring
For both access groups, the settings you want are in riak/etc/app.config. The config directives you care about for client access all end in "_ip" and "_port": web_ip, web_port, pb_ip, and pb_port. Make note of those and configure your firewall to incoming TCP access to those ports or IP and port combinations. The exceptions to this is the handoff_ip and handoff_port directives. Those are for communication between Riak nodes only. Riak uses the Erlang distribution mechanism for most inter-node communication. Riak identifies other machines in the ring using Erlang identifiers(<identifier>@<hostname or IP>, i.e. "r...@10.9.8.7"). Erlang resolves these node identifiers to a TCP port on a given machine via the Erlang Port Mapper daemon(epmd) running on each machine in a ring. epmd listens on TCP port 4369 on the wildcard interface. You can configure Riak to tell the Erlang interpreter(and thence epmd) to only use a limited range of ports in riak/etc/app.config. If you want to restrict the range of ports that Erlang and epmd will use for inter-Erlang node communication to 6000-7999, you can add the following lines to riak/etc/app.config: { kernel, [ {inet_dist_listen_min, 6000}, {inet_dist_listen_max, 7999} ]}, Then just configure your firewall to allow incoming access to TCP ports 6000 to 7999 from whichever network(s) contain your riak nodes are located on. The short and sweet: - Riak nodes need to be able to communicate freely on the following ports: - epmd's listener: TCP:4369 - handoff_port listener: TCP:8099 - range of ports you configure in app.config - Riak clients need to be able to contact a Riak node on the following ports: - web_port: TCP:8098 - pb_port: TCP:8097 One important note: if you do add the inet_dist_listen_min and inet_dist_listen_max entries to riak/etc/app.config, you need to kill off any running epmd so it it will pick up the new settings. epmd will continue to run on a given machine even after all Erlang interpreters have exited. --Ryan 1. Technically speaking there's a third class for inter-data center replication if you're using the enterprise edition of Riak but its access patterns are essentially that of a client. See the handoff_port directive.
_______________________________________________ riak-users mailing list riak-users@lists.basho.com http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com