predictionio-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mars Hall <>
Subject Re: Securing Event Server on Heroku?
Date Fri, 01 Sep 2017 19:16:27 GMT

A whole different perspective to this, still involving private networks, is
to deploy all the apps that need to access PIO directly onto the same
network. No auth required!

Or, peer the PredictionIO private network with other cloud resources, such
as Salesforce org IP restrictions.

On Fri, Sep 1, 2017 at 12:10 PM, Mars Hall <> wrote:

> Hi Shane,
> As you've found, PredictionIO itself does not include a complete
> authorization solution. A general solution is to isolate PredictionIO from
> the internet on a private network, and then implement a gateway/proxy to
> authorize and route traffic to PredictionIO eventserver and engine query
> API.
> With Heroku Enterprise, this architectural pattern may be implemented by
> provisioning two Private Spaces <>;
> recommended naming pattern: *example-public* (frontend) & *example*
> (backend).
> Configure the backend space to only trust incoming traffic from the public
> space and itself. In the Heroku Dashboard <>:
>    1. With two side-by-side browser windows, open the frontend & the
>    backend spaces' *Network* settings.
>    2. Copy each of the *frontend* *Space Outbound IPs* to the *backend* *Trusted
>    IP Ranges*.
>    CIDR notation for each individual IP is X.X.X.X/32.
>    3. Copy each of the *backend* *Space Outbound IPs* to its own *Trusted
>    IP Ranges*.
>    CIDR notation for each individual IP is X.X.X.X/32.
> Then, deploy PredictionIO apps to the backend space. In the frontend
> space, deploy a public proxy/gateway. We've used Node to make simple
> proxies, or try something like Kong API gateway on Heroku
> <> and configure API's with simple
> key authorization.
> Keep in mind, all public-facing traffic and inter-space traffic should be
> encrypted. SSL/TLS is not available by default for Private Spaces apps.
> Therefore, a custom domain name and certificates must be procured and
> installed for every app.
> I'd like to see a best-practices pattern emerge around securing
> PredictionIO. I would love to hear about your ongoing progress,
> *Mars
> On Thu, Aug 31, 2017 at 10:24 PM, Shane Johnson <
>> wrote:
>> Hi everyone. We are building an app exchange app that is leveraging the
>> Heroku deployment of PIO. We are needing to secure the posts to the
>> events.json endpoint as well the queries.json endpoint on Heroku.
>> Do you have any suggestions on how to add security around adding events
>> and querying predictions. Is there an add-on on Heroku or would it be
>> necessary to extend the scala code to look for a secret key. I would prefer
>> to not extend the scala and have authentication happen at the heroku level
>> if possible.
>> Thank you in advance!
>> *Shane Johnson | 801.360.3350 <(801)%20360-3350>*
>> LinkedIn <> | Facebook
>> <>

*Mars Hall
Customer Facing Architect
Salesforce Platform / Heroku
San Francisco, California

View raw message