System administration
avorobiev, 2012-04-09 18:53:07

How to implement client and worker authorization for gearman

You can connect to the Gearman Task Server without any authorization. To connect, you just need to know the IP and port.
It is clear that data for processing can be forcibly encrypted (out of the box, does Gearman only work over HTTP? SSL or TLS is not implemented yet?), and then an attacker who has connected is unlikely to cope with decryption. You can even try to validate something on the workers in order to distinguish your own tasks from third-party ones.
But how do you protect yourself from:
- an attacker connecting his workers to the server (this can lead to tasks dropping out - they will be transferred by the server to third-party workers and not actually executed);
- placement by an attacker of his own tasks in existing queues in order to simply spam the queues?

Questions for those who use Gearman:
- Tell me, what do you use to implement authorization of clients and workers?
- And if you do not use authorization, then how do you solve the above problems?
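
The worker-side validation the question mentions, as an added example that is not part of the original thread: the client wraps each job in an HMAC-SHA256 envelope bound to the function name, and the worker rejects anything without a valid, fresh tag. The shared key, the five-minute window and the function names are assumptions; this lets workers drop forged jobs but does not stop anyone from connecting to the server or registering workers.

```python
import hashlib
import hmac
import json
import time

# Assumption: one secret shared by trusted clients and workers, loaded from
# configuration in practice. This value is a constructed placeholder.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
MAX_AGE_SECONDS = 300  # hypothetical freshness window against replayed jobs


def _mac(key, function_name, body):
    # Bind the tag to the function name so a job signed for one queue
    # cannot be resubmitted to another.
    msg = function_name.encode() + b"\x00" + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest().encode()


def sign_job(function_name, data, key=SHARED_KEY, now=None):
    """Client side: return the workload bytes to submit (tag + '.' + JSON body)."""
    ts = int(time.time() if now is None else now)
    body = json.dumps({"ts": ts, "data": data}, sort_keys=True).encode()
    return _mac(key, function_name, body) + b"." + body


def verify_job(function_name, workload, key=SHARED_KEY, now=None):
    """Worker side: return the job data, or raise ValueError if the job is not ours."""
    tag, sep, body = workload.partition(b".")
    if not sep:
        raise ValueError("not a signed envelope")
    # Constant-time comparison; check the tag before parsing the body.
    if not hmac.compare_digest(tag, _mac(key, function_name, body)):
        raise ValueError("bad signature")
    payload = json.loads(body)
    age = (time.time() if now is None else now) - payload["ts"]
    if not 0 <= age <= MAX_AGE_SECONDS:
        raise ValueError("stale or future-dated job")
    return payload["data"]
```

A worker callback would call `verify_job` with its own registered function name and fail the job on `ValueError` instead of processing it.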

2 answer(s)
avorobiev, 2012-04-10
@avorobiev

Further immersion in the issue gave the following picture:
The issue of security constantly pops up, but no decisions are made in this direction.
Those who think about security set up a VPN and configure Gearman to work on a local network.
Eh, they should have a page in the documentation on this subject, with examples ... How much time would be saved!

CrazySquirrel, 2012-04-09
@CrazySquirrel

It is not entirely clear how outside workers will "steal" tasks, given that the functionName of the task must match the functionName of the worker, plus a non-standard port, plus an iptables rule "only for the local network".
