Security
Enable & Disable
Riak TS security may be checked, enabled, or disabled through the command line, allowing an administrator to change security settings for the whole cluster without needing to go node-by-node.
Enabling SSL
SSL is disabled by default. In order to use any authentication or authorization features, you must enable SSL for Riak TS.
Enabling SSL on a given node requires you to specify a host and port for the node:
listener.protobuf.$name = {"127.0.0.1",8087}
Enabling Security
Enabling security will change the way your client libraries and your applications interact with Riak TS.
Once security is enabled, all client connections must be encrypted and all permissions will be denied by default. Do not enable this in production until you have worked through the security checklist and tested everything in a non-production environment.
Riak TS security is disabled by default. To enable it:
riak-admin security enable
All users, groups, authentication sources, and permissions can be configured while security is disabled. This lets you create a security configuration without prematurely impacting the service. Keep this in mind when you are managing users and managing sources.
Disabling Security
If you disable security, all of the various permissions checks that take place when executing operations against Riak TS will be disabled. Users, groups, and other security attributes remain available for configuration while security is disabled, and will be applied if and when security is re-enabled.
riak-admin security disable
While security is disabled, clients will need to be reconfigured to no longer require TLS and send credentials.
Checking Security Status
To check whether security is currently enabled for the cluster, use the
status command:
riak-admin security status
This command will return Enabled or Disabled.
Next Steps
For further guides on security in Riak TS, check out: