https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-protect-Storm-nimbus-without-Kerberos/m-p/136556#M43816 <P>Hi Artern,</P><P>Thanks for the confirm.</P><P>My current problem is the customer doesn't want to setup Kerberos, and it's a single tenant cluster. Our solution is to use SASL/DIGEST with Nimbus thrift server. Both server and client JAAS configure a admin user/pass. If they match, then allow the connection.</P><P>But need to fix a bug in Storm DigestSaslTransportPlugin.java</P><P>So very simple.</P><P>Regards,</P><P>Wendell</P> Wed, 26 Oct 2016 21:47:34 GMT wbu 2016-10-26T21:47:34Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-protect-Storm-nimbus-without-Kerberos/m-p/136553#M43813 <P>Hi,</P><P>What's the simplest solution to protect Storm Nimbus from random submit topologies?</P><P>I know kerberos can protect that, but my customer doesn't want to setup Kerberos and just want to protect Nimbus thrift port with either user/pass or ssl cert. I did think to use proxy, like Nginx. But there's no option in the storm cli to input user/pass. And can't find doc about Nimbus SSL.</P><P>Does anyone have this kind of experience?</P><P>Thanks in advance.</P><P>Wendell</P> Tue, 18 Oct 2016 20:32:07 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-protect-Storm-nimbus-without-Kerberos/m-p/136553#M43813 wbu 2016-10-18T20:32:07Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-protect-Storm-nimbus-without-Kerberos/m-p/136554#M43814 <P>Apache Ranger can provide an authorization model for your Storm topologies, <A href="http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.3/bk_Security_Guide/content/storm_policy.html" target="_blank">http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.3/bk_Security_Guide/content/storm_policy.html</A></P><P>And here <A href="https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.5+-+User+Guide#ApacheRanger0.5-UserGuide-AddingSTORMPolicies" target="_blank">https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.5+-+User+Guide#ApacheRanger0.5-UserGuide-AddingSTORMPolicies</A></P> Wed, 19 Oct 2016 08:55:31 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-protect-Storm-nimbus-without-Kerberos/m-p/136554#M43814 aervits 2016-10-19T08:55:31Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-protect-Storm-nimbus-without-Kerberos/m-p/136555#M43815 <P><A href="https://community.hortonworks.com/questions/62114/how-to-protect-storm-nimbus-without-kerberos.html#">@wbu</A> securing access to the Nimbus UI is only with Kerberos and SPNEGO AUTH <A href="https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.3/bk_secure-storm-ambari/content/ch_secure-storm-ui.html" target="_blank">https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.3/bk_secure-storm-ambari/content/ch_secure-storm-ui.html</A> so unless you just want to protect from submitting topologies with Apache Ranger, you have to enable Kerberos</P> Wed, 26 Oct 2016 15:01:05 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-protect-Storm-nimbus-without-Kerberos/m-p/136555#M43815 aervits 2016-10-26T15:01:05Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-protect-Storm-nimbus-without-Kerberos/m-p/136556#M43816 <P>Hi Artern,</P><P>Thanks for the confirm.</P><P>My current problem is the customer doesn't want to setup Kerberos, and it's a single tenant cluster. Our solution is to use SASL/DIGEST with Nimbus thrift server. Both server and client JAAS configure a admin user/pass. If they match, then allow the connection.</P><P>But need to fix a bug in Storm DigestSaslTransportPlugin.java</P><P>So very simple.</P><P>Regards,</P><P>Wendell</P> Wed, 26 Oct 2016 21:47:34 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-protect-Storm-nimbus-without-Kerberos/m-p/136556#M43816 wbu 2016-10-26T21:47:34Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-protect-Storm-nimbus-without-Kerberos/m-p/136557#M43817 <P>DigestSaslTransportPlugin.java has another bug. Have to use PlainSaslTransportPlugin.java</P> Sat, 29 Oct 2016 22:08:36 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-protect-Storm-nimbus-without-Kerberos/m-p/136557#M43817 wbu 2016-10-29T22:08:36Z