Problem description

By default, access within an Erlang cluster is fully authorised: once the cookie check passes, a newly joined node can reach any machine in the cluster, which is a considerable operational risk. Erlang currently offers two ways to restrict this: 1. restriction by IP subnet (described in a separate post); 2. restriction by node name, implemented through net_kernel:allow. The documentation says:

allow/1 Limits access to the specified set of nodes. Any access attempts made from (or to) nodes not in Nodes will be rejected. Returns error if any element in Nodes is not an atom.

Suppose the cluster has the nodes x, y, z and foo: 1. the node foo accepts requests only from x and y, and any other node is refused; 2. z may connect only to x, and all others are refused. Let's try it out:

```
$ erl -name foo@127.0.0.1
Erlang R14B04 (erts-5.8.5)

Eshell V5.8.5 (abort with ^G)
(foo@127.0.0.1)1> net_kernel:allow(['x@127.0.0.1', 'y@127.0.0.1']).
ok
(foo@127.0.0.1)2>
```

In other terminals run:

```
$ erl -name x@127.0.0.1
Erlang R14B04 (erts-5.8.5)

Eshell V5.8.5 (abort with ^G)
(x@127.0.0.1)1> net_adm:ping('foo@127.0.0.1').
pong
(x@127.0.0.1)2>
```

```
$ erl -name y@127.0.0.1
Erlang R14B04 (erts-5.8.5)

Eshell V5.8.5 (abort with ^G)
(y@127.0.0.1)1> net_adm:ping('foo@127.0.0.1').
pong
(y@127.0.0.1)2>
```

```
$ erl -name z@127.0.0.1
Erlang R14B04 (erts-5.8.5)

Eshell V5.8.5 (abort with ^G)
(z@127.0.0.1)1> net_adm:ping('foo@127.0.0.1').
pang
(z@127.0.0.1)2> net_adm:ping('y@127.0.0.1').
pong
(z@127.0.0.1)3> net_kernel:disconnect('y@127.0.0.1').
true
(z@127.0.0.1)4> net_kernel:allow(['x@127.0.0.1']).
ok
(z@127.0.0.1)5> net_adm:ping('y@127.0.0.1').
=ERROR REPORT==== 24-Oct-2011::01:23:34 ===
** Connection attempt with disallowed node 'y@127.0.0.1' **
pang
```

At the same time, on foo's terminal we see:

```
=ERROR REPORT==== 24-Oct-2011::01:08:20 ===
** Connection attempt from disallowed node 'z@127.0.0.1' **
(foo@127.0.0.1)2>
```

Looking at the code:

```erlang
...
%% dist_util.erl
%%
%% check if connecting node is allowed to connect
%% with allow-node-scheme
%%
is_allowed(#hs_data{other_node = Node,
                    allowed = Allowed} = HSData) ->
    case lists:member(Node, Allowed) of
        false when Allowed =/= [] ->
            send_status(HSData, not_allowed),
            error_msg("** Connection attempt from "
                      "disallowed node ~w ** ~n", [Node]),
            ?shutdown(Node);
        _ -> true
    end.
...
```

We can see that an empty Allowed list means no restriction at all; otherwise net_kernel:allow restricts both the nodes we connect to and the nodes that connect to us. Have fun!
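As an added example (not code from the post or from OTP), the module below applies an allow list on a running node and also handles the situation the z session shows: net_kernel:allow/1 only governs connection attempts made after the call, so a node that is already connected and not on the list has to be disconnected explicitly. The module name, function names and the refusal of an empty list are assumptions of this example.

```erlang
%% node_allow.erl: apply a net_kernel allow list on the local node and
%% enforce it against nodes that are already connected (added example).
-module(node_allow).
-export([apply_allow_list/1, violations/1]).

%% Apply the allow list to this node. Names may be atoms, strings or
%% binaries and are normalised to atoms, because net_kernel:allow/1
%% returns error for any element that is not an atom.
apply_allow_list([]) ->
    %% In dist_util:is_allowed/1 an empty list means "no restriction",
    %% so refuse it here rather than silently leaving the node open.
    {error, empty_allow_list};
apply_allow_list(Names) ->
    Allowed = [to_atom(N) || N <- Names],
    ok = net_kernel:allow(Allowed),
    %% allow/1 does not touch existing connections; drop any node that
    %% is connected now but is not on the list, as z did with y above.
    Stray = violations(Allowed),
    Dropped = [{N, net_kernel:disconnect(N)} || N <- Stray],
    {ok, Allowed, Dropped}.

%% Connected nodes (visible and hidden) that are not on the list.
violations(Allowed) ->
    [N || N <- nodes(connected), not lists:member(N, Allowed)].

to_atom(N) when is_atom(N) -> N;
to_atom(N) when is_list(N) -> list_to_atom(N);
to_atom(N) when is_binary(N) -> binary_to_atom(N, utf8).
```

On foo this would be called as node_allow:apply_allow_list(["x@127.0.0.1", "y@127.0.0.1"]), and the returned Dropped list shows which already-connected nodes were cut off.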