predictionio-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mars Hall <mars.h...@salesforce.com>
Subject Re: Securing Event Server on Heroku?
Date Fri, 01 Sep 2017 19:10:08 GMT
Hi Shane,

As you've found, PredictionIO itself does not include a complete
authorization solution. A general solution is to isolate PredictionIO from
the internet on a private network, and then implement a gateway/proxy to
authorize and route traffic to PredictionIO eventserver and engine query
API.

With Heroku Enterprise, this architectural pattern may be implemented by
provisioning two Private Spaces <https://www.heroku.com/private-spaces>;
recommended naming pattern: *example-public* (frontend) & *example*
(backend).

Configure the backend space to only trust incoming traffic from the public
space and itself. In the Heroku Dashboard <https://dashboard.heroku.com/>:

   1. With two side-by-side browser windows, open the frontend & the backend
    spaces' *Network* settings.
   2. Copy each of the *frontend* *Space Outbound IPs* to the
*backend* *Trusted
   IP Ranges*.
   CIDR notation for each individual IP is X.X.X.X/32.
   3. Copy each of the *backend* *Space Outbound IPs* to its own *Trusted
   IP Ranges*.
   CIDR notation for each individual IP is X.X.X.X/32.

Then, deploy PredictionIO apps to the backend space. In the frontend space,
deploy a public proxy/gateway. We've used Node to make simple proxies, or
try something like Kong API gateway on Heroku
<https://github.com/heroku/heroku-kong> and configure API's with simple key
authorization.

Keep in mind, all public-facing traffic and inter-space traffic should be
encrypted. SSL/TLS is not available by default for Private Spaces apps.
Therefore, a custom domain name and certificates must be procured and
installed for every app.

I'd like to see a best-practices pattern emerge around securing
PredictionIO. I would love to hear about your ongoing progress,

*Mars

On Thu, Aug 31, 2017 at 10:24 PM, Shane Johnson <
shanewaldenjohnson@gmail.com> wrote:

> Hi everyone. We are building an app exchange app that is leveraging the
> Heroku deployment of PIO. We are needing to secure the posts to the
> events.json endpoint as well the queries.json endpoint on Heroku.
>
> Do you have any suggestions on how to add security around adding events
> and querying predictions. Is there an add-on on Heroku or would it be
> necessary to extend the scala code to look for a secret key. I would prefer
> to not extend the scala and have authentication happen at the heroku level
> if possible.
>
> Thank you in advance!
>
> *Shane Johnson | 801.360.3350 <(801)%20360-3350>*
> LinkedIn <https://www.linkedin.com/in/shanewjohnson> | Facebook
> <https://www.facebook.com/shane.johnson.71653>
>

Mime
View raw message