
auth

MODULE

auth

MODULE SUMMARY

The Erlang Network Authentication Server

DESCRIPTION

Authentication determines which nodes are allowed to communicate with each other. In a network of different Erlang nodes, it is built into the system at the lowest possible level. Each node has its Magic Cookie, which is an Erlang atom.

When nodes connect with each other, the Magic Cookies are compared. If the Magic Cookies do not match, the connected node rejects the connection.

At start-up, the first action of the standard auth server is to read a file named $HOME/.erlang.cookie. An atom is created from the contents of this file, and the cookie of the node is set to this atom with erlang:set_cookie(node(), CookieAtom).

If the file does not exist, it is created. The file is filled with a random string and its UNIX permissions mode is set to octal 400 (read-only by owner). For this reason, the same user, or group of users with identical cookie files, can have Erlang nodes which can communicate freely and without interference from the Magic Cookie system. Users who want to run nodes on separate file systems must be certain that their cookie files are identical on the different file systems.

Initially, each node has a random atom assigned as its magic cookie. Once the procedure described above has been concluded, the cookie is set to the contents of the $HOME/.erlang.cookie file.

To communicate with another node, the magic cookie of that node must be known. The BIF erlang:set_cookie(Node, Cookie) sets the cookie for Node to Cookie. The call erlang:set_cookie(node(), CookieAtom) will set the current cookie to CookieAtom. It will, however, also set the cookie of all other unknown nodes to CookieAtom. In the case of the default auth server, this is the first thing done when the system starts. The default, then, is to assume that all nodes which communicate have the same cookie. In the case of a single user on a single file system, this is indeed true and no further action is required. The original cookie can also be fetched by the BIF erlang:get_cookie().

If nodes which communicate do not have the same cookie, they can be set explicitly on each node with the aid of erlang:set_cookie(Node, Cookie). Distributed systems with multiple User IDs can be handled in this way.

Initially, the system cookie is set to a random atom, and the (assumed) cookie of all other nodes is initially set to the atom nocookie. Thus, an Erlang node is completely unprotected when erlang:set_cookie(node(), nocookie) is run. Sometimes, this may be appropriate for systems which are not normally networked, and it can also be appropriate for maintenance purposes.
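An added example, not part of the original manual or of Erlang/OTP: a Python audit of a cookie file against the properties described above (mode 400, not the atom nocookie), plus a check that cookie files kept on separate file systems are identical. The function names, the ownership check and the sample file contents are assumptions made for this example.

```python
import hashlib
import os
import stat
import tempfile


def audit_cookie_file(path):
    """Return findings for one cookie file; an empty list means none."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o400:
        findings.append("mode is %04o, expected 0400" % mode)
    if st.st_uid != os.getuid():  # assumption: the node runs as the current user
        findings.append("file is not owned by the current user")
    with open(path, "rb") as fh:
        cookie = fh.read().strip()
    if cookie == b"nocookie":
        findings.append("cookie is 'nocookie', the value assumed for unknown nodes")
    elif not cookie:
        findings.append("cookie file is empty")
    return findings


def cookies_identical(paths):
    """True if all files hold the same cookie; compares digests, prints no secret."""
    digests = set()
    for path in paths:
        with open(path, "rb") as fh:
            digests.add(hashlib.sha256(fh.read().strip()).digest())
    return len(digests) == 1


def make_sample(directory, name, content, mode):
    """Write a constructed sample cookie file (demonstration input only)."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(content)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        a = make_sample(d, "host_a", b"CONSTRUCTEDSAMPLECOOKIE\n", 0o400)
        b = make_sample(d, "host_b", b"nocookie", 0o644)
        print(audit_cookie_file(a), audit_cookie_file(b), cookies_identical([a, b]))
```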

In the standard system, the default when two nodes are connected is to immediately connect all other involved nodes as well. This way, there is always a fully connected network. If there are nodes with different cookies, this method might be inappropriate and the host OS command line option -connect_all false must be issued to the Erlang runtime system. See global(3).

This module uses two BIFs: erlang:get_cookie(), which returns the magic cookie of the local node, and erlang:set_cookie(Node, Cookie), which sets the magic cookie of Node to Cookie. If Node is the user's node, the cookies of all other unknown nodes are also set to Cookie by this BIF.

EXPORTS

start()

Starts the auth server.

stop()

Stops the auth server.

is_auth(Node)

Returns the value yes if communication with Node is authorized, no if Node does not exist or communication is not authorized.

exists(Node)

Returns yes if Node exists, otherwise no.

cookie()

Reads cookie from $HOME/.erlang.cookie and sets it. This function is used by the auth server at start-up.

node_cookie(Node, Cookie)

If the cookie of Node is known to the user as Cookie but the user's cookie is not known at Node, this function informs Node of the identity of the user's cookie.

node_cookie([Node, Cookie])

Another version of the previous function with the arguments in a list which can be given on the host OS command line.

cookie([Cookie])

Equivalent to erlang:set_cookie(node(), Cookie), but with the argument in a list so it can be given on the host OS command line.

AUTHORS

Claes Wikstrom - support@erlang.ericsson.se

kernel 2.10.9
Copyright © 1991-2005 Ericsson AB