Print

Security

UpdatedNovember 9, 2024

This section contains instructions that are only relevant to on-prem deployments.

RioDB can run with its API enabled or disabled.

  • Disabling the API is a maximum security setting, and it means that nobody can send SQL or ADMIN statements to RioDB remotely via the HTTP API.
  • Enabling the API allows users to submit statements via HTTP API.

Disabling the API

If you disable the API, there’s no way to submit statements to RioDB. By default, RioDB loads sql files from the sql/ directory during start-up. For maximum security, you can place your statements (create stream, create window, create query) into SQL files in the sql/ directory and disable the API completely.
To disable the API, edit conf/riodb.conf and comment out the http_port and https_port parameters.
Comment out the entire HTTP API and HTTPS API sections.
Restart RioDB process. Now there is no way to submit statements to RioDB.
Make sure access to the files in /sql directory is restricted to riodb admninistrators only.

Enabling the HTTPS API

RioDB supports HTTP (non-HTTPS), in case you have SSL-termination by a proxy or load balancer. Otherwise, HTTPS is the recommended mode for the RioDB API. The downloadable RioDB software comes with a generic keystore pre-installed. You MUST re-generate the keystore if you are concerned with security.

Create a new keystore

The riodb file archive has a hidden directory .ssl
Read instructions in .ssh/README.txt to setup a keystore.

Note: For production use, delete the provided keystore and follow instructions in .ssl/README.txt to make your own, secret keystore.

Change default ‘admin’ password.

Authenticating as user “admin”, default password “RioDB!”, post the following statement to modify your ADMIN password:RESETPWD '<your new password>';Example:

RESETPWD 'Te11M3When!';

But using your own password, of course!

Recovering ‘admin’ password.

If the admin password is forgotten, there is a simple fix. In the RioDB root directory, there’s a hidden directory called .access.
This password file contains a password hash and access level for all users.
In the row for user ADMIN, replace the password hash with one of your choice. The value should be your desired password encoded in SHA256 hash.
This tool https://emn178.github.io/online-tools/sha256.html can help you generate one.

OS permissions

As a best practice, programs like RioDB should not be run as root.
If taking security seriously, create a new user and user group for executing RioDB and accessing its locked-down files.
RioDB configuration files and SQL files can contain sensitive information such as passwords to connect to other systems. You must ensure these files are only readable and writable by riodb user group.

Follow instructions on managing RioDB users and roles

Access Levels
RioDB compiles user queries into Java programs at runtime. This is potentially dangerous if you allow untrusted users access to interact with the RioDB API.
As a rule-of-thumb, RioDB is not like a traditional database that clients query data from. Only RioDB administrators should have access to the RioDB API.

Table of Contents
Scroll to Top