How to protect Storm nimbus without Kerberos

Contributor

Hi,

What's the simplest solution to protect Storm Nimbus from randomly submitted topologies?

I know Kerberos can protect that, but my customer doesn't want to set up Kerberos and just wants to protect the Nimbus Thrift port with either user/pass or an SSL cert. I did think of using a proxy, like Nginx, but there's no option in the Storm CLI to input user/pass, and I can't find docs about Nimbus SSL.

Does anyone have this kind of experience?

Thanks in advance.

Wendell

1 ACCEPTED SOLUTION

Re: How to protect Storm nimbus without Kerberos

Contributor

DigestSaslTransportPlugin.java has another bug. Have to use PlainSaslTransportPlugin.java

4 REPLIES

Re: How to protect Storm nimbus without Kerberos

Mentor

@wbu Securing access to the Nimbus UI is only possible with Kerberos and SPNEGO auth (https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.3/bk_secure-storm-ambari/content/ch_secure-st...), so unless you just want to protect from submitting topologies with Apache Ranger, you have to enable Kerberos.

Re: How to protect Storm nimbus without Kerberos

Contributor

Hi Artern,

Thanks for the confirmation.

My current problem is that the customer doesn't want to set up Kerberos, and it's a single-tenant cluster. Our solution is to use SASL/DIGEST with the Nimbus Thrift server. Both the server and client JAAS configure an admin user/pass. If they match, then the connection is allowed.

But we need to fix a bug in Storm's DigestSaslTransportPlugin.java.

So very simple.

Regards,

Wendell
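
The SASL/DIGEST setup described in the reply above, shown as an added example that is not code from the thread or from the Storm project: a small audit that checks a `storm.yaml` and a server/client JAAS pair for the conditions the reply relies on. The sample configs are constructed; the file path, the `admin` user and the `CHANGE_ME` secret are placeholders, and the plugin class name assumes the Storm 1.x package (`org.apache.storm`; older releases use `backtype.storm`).

```python
import re

# Constructed sample inputs (placeholders, not taken from the thread).
STORM_YAML = '''\
nimbus.thrift.port: 6627
storm.thrift.transport: "org.apache.storm.security.auth.digest.DigestSaslTransportPlugin"
java.security.auth.login.config: "/etc/storm/jaas_digest.conf"
'''
SERVER_JAAS = '''\
StormServer {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_admin="CHANGE_ME";
};
'''
CLIENT_JAAS = '''\
StormClient {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="admin"
    password="CHANGE_ME";
};
'''

def jaas_options(text, section):
    """Return the key="value" options of one JAAS section as a dict."""
    m = re.search(r'\b%s\s*\{(.*?)\}\s*;' % re.escape(section), text, re.S)
    return dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', m.group(1))) if m else {}

def audit(storm_yaml, server_jaas, client_jaas):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    m = re.search(r'^storm\.thrift\.transport:\s*"?([\w.]+)"?', storm_yaml, re.M)
    transport = m.group(1) if m else ""
    # Storm's default transport is SimpleTransportPlugin, which does no authentication.
    if not transport or transport.endswith("SimpleTransportPlugin"):
        findings.append("Thrift transport is unauthenticated (SimpleTransportPlugin or unset)")
    if "java.security.auth.login.config" not in storm_yaml:
        findings.append("no JAAS file configured")
    server = jaas_options(server_jaas, "StormServer")
    client = jaas_options(client_jaas, "StormClient")
    user = client.get("username")
    if not user or "password" not in client:
        findings.append("client JAAS lacks username/password")
    elif server.get("user_" + user) != client["password"]:
        findings.append("client credentials do not match any StormServer user_ entry")
    return findings

if __name__ == "__main__":
    print(audit(STORM_YAML, SERVER_JAAS, CLIENT_JAAS) or "consistent")
```

Both JAAS files hold the shared secret in cleartext, so they should be readable only by the account that runs the Storm daemons or the submitting client.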
