In this section, we will look at some basic security mechanisms that can help secure the database.
Earlier in the book, I mentioned that RethinkDB was being actively developed and that there maybe features that have been added since the publication of this book. This is especially true for security mechanisms in RethinkDB. Although, there are already some basic security options available while I'm writing these lines, more features are being discussed.
Securing your RethinkDB cluster is extremely important as the default options allow queries to be executed by anyone. If your database instance is on a public network, anyone can access the web interface and driver ports. Thus, anyone can practically create tables, delete documents, and change database settings.
The very best thing that you can do to secure your database is to run it on a private network that doesn't allow access from the outside world. However, this may not always be feasible, especially if you're working on small projects because more than likely, you will have your web application servers and database on the same machine. However, when your database starts becoming bigger and requires more performance, you usually move it to a dedicated server, and this makes it much easier to secure it as you can block all incoming connections except from your web servers and application servers.
Another case in which using a private network is difficult is if you're using cloud-based services to deploy your software. Cloud deployments often require access from the internet, so setting up a private network is not possible. If this is the case, there are two major parts of a cluster that can be secured: the web interface and drivers.
The best way to secure the web interface is to block all incoming connections from the outside world and only allow connections on port 8080 from the localhost. Depending on your firewall, there are various ways to achieve this.
If you're using a hardware firewall or router, you will most likely need to change the firewall rules from the web interface.
If, instead, you want to use a software firewall, you can use Linux's built-in firewall—iptables. The following lines will create the firewall rules that block incoming connections on port 8080 from everyone except the localhost:
sudo iptables -A INPUT -i eth0 -p tcp --dport 8080 -j DROP sudo iptables -I INPUT -i eth0 -s 127.0.0.1 -p tcp --dport 8080 -j ACCEPT
Many cloud deployment services allow you to specify firewall rules, so if you're using an online service, such as Amazon Web Services, you can secure the web interface by editing the security group:
The driver port is the port that clients use to connect to the database server to run queries. You can secure this port by restricting access to the 28015 port using a firewall or, even better, you can set an authentication key.
RethinkDB allows you to edit the cluster settings and set a secret key. Once you set it, client drivers will be required to pass the key to the server in order to connect and run queries.
You can set the authentication key by editing the value of the auth field in the cluster_config system table. If we want to set the authentication key to mypassword, we can set it by running the following query from the web interface:
r.db('rethinkdb').table('cluster_config').get('auth').update({auth_key: mypassword})Now, every time you create a connection to the database, you must supply the secret key to the connect command.
If you're connecting to the database from a Node.js script, the code will look as follows:
r.connect({authKey: 'mypassword'}, function(err, conn) {
// run queries
});Without the authentication key, the connect function will fail.