2
votes

Researching PHP/Gearman. I'm trying to get an understanding of how the Gearman Server/Process determines what constitutes a "valid" client.

In the docs that I've seen, the docs show a number of clients connecting to the Gearman Server. However, I've not found anything that describes how the server "validates" the workers, or restricts the workers/clients from accessing/getting work from the Server.

As an example, I create a Gearman Server, and I have a network with 5 child machines, each of which has a "worker". My evil friend Steve adds another machine to the network, with its own worker.

How do I stop Steve's worker from getting work from my Server!

Is there a way to have the client/worker register itself, so I can essentially allocate IDs to the clients/workers?

I'm fairly certain that there's a way to do this, but I haven't come across it yet.

I'm testing on a Linux env, using PHP/MySQL/Gearman.

Thanks


3 Answers

2
votes

Like memcached, gearman has no access control or authentication whatsoever.

Your best solution is to rely on your OS, e.g. firewall rules.

Namely, iptables should block all incoming traffic to port 4730 (standard gearman port), like this:

iptables -A INPUT -p tcp --dport 4730 -s server1 -j ACCEPT

...

iptables -A INPUT -p tcp --dport 4730 -s server5 -j ACCEPT

iptables -A INPUT -p tcp --dport 4730 -j DROP

That way, you still can use Gearman from localhost.

Disclaimer: these rules are off the top of my head; please double-check them before running them on a production server.

Hope this helps!
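As an added example, not part of this answer: a small Python audit of `iptables -S INPUT` output that checks for the allowlist pattern above (one ACCEPT per worker host, then a catch-all DROP on 4730) and reports the mistakes the disclaimer warns about, such as an ACCEPT appended after the DROP, an unlisted host, no DROP at all, or no loopback ACCEPT before the DROP (without which clients on the gearmand host itself are blocked as well). The sample dump and the 10.0.0.x worker addresses are constructed.

```python
import shlex

GEARMAN_PORT = "4730"

# Constructed `iptables -S INPUT` output (not from a real host): the answer's allowlist
# for two workers, the catch-all DROP, and a third worker's ACCEPT appended after it.
SAMPLE_DUMP = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.11/32 -p tcp -m tcp --dport 4730 -j ACCEPT
-A INPUT -s 10.0.0.12/32 -p tcp -m tcp --dport 4730 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4730 -j DROP
-A INPUT -s 10.0.0.13/32 -p tcp -m tcp --dport 4730 -j ACCEPT
"""

def parse_rule(line):
    """Turn one `-A INPUT ...` line into {option: value}; other lines -> None."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[:2] != ["-A", "INPUT"]:
        return None
    rule = {}
    for opt, val in zip(tokens[2:], tokens[3:]):
        if opt in ("-p", "-s", "-i", "-j", "--dport"):
            rule[opt] = val[:-3] if val.endswith("/32") else val  # -S prints hosts as a.b.c.d/32
    return rule

def audit_gearman_rules(dump, allowed_workers):
    """Return findings in rule order; an empty list means the chain matches the allowlist."""
    findings, accepted, seen_drop, loopback_ok = [], set(), False, False
    for rule in filter(None, map(parse_rule, dump.splitlines())):
        if rule.get("-i") == "lo" and rule.get("-j") == "ACCEPT" and not seen_drop:
            loopback_ok = True  # clients/workers running on the gearmand host itself
        if rule.get("-p") != "tcp" or rule.get("--dport") != GEARMAN_PORT:
            continue
        src, target = rule.get("-s"), rule.get("-j")
        if target == "ACCEPT" and seen_drop:
            findings.append(f"ACCEPT for {src} sits after the DROP and never matches")
        elif target == "ACCEPT" and src not in allowed_workers:  # also catches a missing -s
            findings.append(f"ACCEPT on port 4730 for {src or 'any source'} is not in the allowlist")
        elif target == "ACCEPT":
            accepted.add(src)
        elif target == "DROP" and src is None:
            seen_drop = True
    if not seen_drop:
        findings.append("no catch-all DROP for port 4730: any host can submit or take jobs")
    for host in sorted(set(allowed_workers) - accepted):
        findings.append(f"expected worker {host} has no reachable ACCEPT rule")
    if not loopback_ok:
        findings.append("no loopback ACCEPT before the DROP: clients on this host are blocked too")
    return findings
```

Run it against the real output of `iptables -S INPUT` on the gearmand host with the set of worker addresses you expect; an empty result means the chain matches the pattern in the answer.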

0
votes

By listening (1) either only on localhost or (2) setting up proper firewall rules if you need outside access. Gearman is created with the intention of having as little overhead as possible; there is no authentication protocol. If this is not enough, only listening on localhost & using SSH tunnels to that machine is a possibility. Also a possibility is using the HTTP protocol (see here), and putting a validating proxy in front of it.

0
votes

Gearman servers should only be accessible on your internal network. The network your application lives on should not have unauthorized devices on it. Your application servers shouldn't be sharing a network with your wireless router. Gearman will only send jobs to servers registered to that particular server with the same task name. If one of the employees at your company registers a task with the same name to your production Gearman master as a joke, you have bigger problems.