#datomic
2020-01-22
augustl 10:01:06

<DB-NAME>? is meant to be replaced with the actual name of your db 🙂

Lukas 10:01:47

Hey, ty for ur reply. I did that (see 3rd box), but then I got a SQLException

(d/create-database "datomic:")
=> Execution error (SQLException) at java.sql.DriverManager/getDriver (DriverManager.java:298).
No suitable driver
(d/create-database "datomic:sql://?jdbc:")
Execution error (SQLException) at java.sql.DriverManager/getDriver (DriverManager.java:298).
No suitable driver

Lukas 10:01:02

But I was able to start the console this way

bin/console -p 8088 datomic "datomic:sql://?jdbc:"

augustl 10:01:17

Yeah, you need to add a dependency to the driver itself, I guess? Doesn't seem like Datomic provides one

Lukas 11:01:28

:thinking_face: Could u point out how I would do that? I'm kinda lost here :face_with_rolling_eyes:

augustl 11:01:02

Add the dependency in project.clj, if you use Leiningen. For example: [org.postgresql/postgresql "42.2.6"]

Lukas 11:01:39

seems fairly easy 😄

augustl 11:01:55

:thumbsup:

mgrbyte 10:01:58

I'd like to check my understanding on datomic security (on-prem, AWS, DDB). Any machine can read + write to the datomic database if:
• A peer/client has the datomic-pro library
• The URI to your database is known
• An IAM instance role controls whether the application has permission to read/write to DDB.

mgrbyte 11:01:52

My concern is: what's to stop anybody with datomic-pro who knows the URI of a datomic DB from writing to it (when it's on-prem/AWS/DDB)?

augustl 11:01:56

Just like any DB, I would assume: firewall it. The URI of most DBs contains username/password etc.

mgrbyte 11:01:17

With DDB there is no host and port though (AFAICT), so you can't, for example, use EC2 security groups to control inbound access.

augustl 11:01:57

I'm definitely not an expert on DDB and AWS, but it seems odd to me that all DDBs are accessible to the public internet?

mgrbyte 12:01:58

You can use DDB endpoints to restrict access to clients within a VPC. It's not "open" per se; you need to grant IAM privileges (via roles) to read and write from DDB, and the transactor process is given those when it is set up. What I'm failing to remember/see is the problem of securing peer access - that is, if the DB URI is known, how to prevent access from any arbitrary datomic-pro client/peer.

marshall 12:01:20

IAM handles read and write to ddb

marshall 12:01:33

Peers need to be able to read ddb

marshall 12:01:45

Transactors need both

marshall 12:01:07

You definitely shouldn't have global read allowed on your ddb table.

marshall 12:01:04

Depending on whether your peers are AWS instances or not, you should use IAM instance roles and/or profiles/environment credentials

mgrbyte 12:01:21

Thanks @U05120CBV - this is true of the transactor processes I've deployed (they are controlled by IAM roles). What I'm seeing is that a process in an environment with no AWS creds set can still connect to the transactor and transact datoms without needing any AWS environment variables set. We now have peers that run as Elastic Beanstalk apps (that use IAM roles), but also command line applications that use datomic-pro directly to talk to the database. It's the latter case (or just using a REPL with the datomic-pro library) that I'm struggling to see how to secure access for.

marshall 14:01:43

Where is that environment?

marshall 14:01:56

if it’s on an EC2 instance, it likely has an instance role assigned

mgrbyte 14:01:50

To set the record straight, my creds were set in my ~/.aws directory and I hadn't realised the datomic-pro peer library uses those. So a red herring.

mgrbyte 14:01:07

Big thanks to @U05120CBV for setting me straight.

jaret 14:01:39

FYI, despite that preview's text, eu-north-1 was not added, as AWS currently lacks the ability to support Cloud in that region. It was a late scratch from the release and we're hoping to add it as soon as AWS is able to support Cloud in that region.

Joe Lane 14:01:37

Haha, shoot. I just upgraded to 8835 2 hours ago.

marshall 14:01:33

then you’re all warmed up and ready to do it again

mrmcc3 00:01:00

FYI, when I click on the production compute template, it actually returns a storage template

marshall 00:01:54

We will look into it

jaret 00:01:25

@U050CQFT1 Sorry! I believe I’ve corrected the link.

jaret 00:01:33

It should now pull the production compute template

jaret 00:01:44

Thank you for reporting.

mrmcc3 00:01:08

No worries

mrmcc3 01:01:48

The link itself seems to indicate the production compute template (https://s3.amazonaws.com/datomic-cloud-1/cft/589-8846/datomic-production-compute-589-8846.json), but the JSON has "Description": "Creates storage resources needed to run Datomic.", at least for me

jaret 01:01:42

Hmm, let me look again

jaret 01:01:23

> "AWSTemplateFormatVersion": "2010-09-09",
> "Description": "Creates compute resources needed to run Datomic.",

jaret 01:01:36

I am wondering if the cache needs to be busted on the hosted S3

jaret 01:01:45

let me see if I can do that

mrmcc3 01:01:00

Seems to be working now. :thumbsup:

jaret 01:01:24

Ok, great. Again, sorry about that!

Jacob O'Bryant 03:01:48

Thanks for the d/with bugfix -- really appreciate it :)

Luke Schubert 15:01:18

Does transact-async not work with an in-mem database?

matthavener 15:01:59

it should work

Luke Schubert 15:01:13

Yeah, it does. Turned out to be a bug somewhere else that threw me off