What's the simplest solution to protect Storm Nimbus from random topology submissions?
I know Kerberos can protect that, but my customer doesn't want to set up Kerberos and just wants to protect the Nimbus thrift port with either user/pass or an SSL cert. I did think of using a proxy, like Nginx. But there's no option in the storm CLI to input user/pass. And I can't find docs about Nimbus SSL.
Does anyone have this kind of experience?
Thanks in advance.
Apache Ranger can provide an authorization model for your Storm topologies, http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.3/bk_Security_Guide/content/storm_policy.html
@wbu securing access to the Nimbus UI is only with Kerberos and SPNEGO AUTH https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.3/bk_secure-storm-ambari/content/ch_secure-st... so unless you just want to protect from submitting topologies with Apache Ranger, you have to enable Kerberos
Thanks for the confirmation.
My current problem is that the customer doesn't want to set up Kerberos, and it's a single-tenant cluster. Our solution is to use SASL/DIGEST with the Nimbus thrift server. Both server and client JAAS configure an admin user/pass. If they match, then the connection is allowed.
But I need to fix a bug in Storm DigestSaslTransportPlugin.java.
So very simple.
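An added example, not part of the thread and not Storm's own code: a small check that the server-side and client-side JAAS files for the SASL/DIGEST setup described in the last post agree, and that the shared secret is not trivially short. The `StormServer`/`StormClient` section names, the `user_<name>`, `username` and `password` option keys, the function names and the 16-character minimum are assumptions of this sketch. The secret is a placeholder, and the check does not cover the `DigestSaslTransportPlugin.java` fix the poster mentions.

```python
import re

# Constructed sample. Section names and option keys follow the layout Storm's
# digest plugin reads (stated here as an assumption); the secret is a placeholder.
SAMPLE_JAAS = '''
StormServer {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_admin="PLACEHOLDER-long-random-secret";
};
StormClient {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="admin"
    password="PLACEHOLDER-long-random-secret";
};
'''

SECTION_RE = re.compile(r'(\w+)\s*\{(.*?)\}\s*;', re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def parse_jaas(text):
    """Return {section: {option: value}} for every section in a JAAS file."""
    return {name: dict(OPTION_RE.findall(body))
            for name, body in SECTION_RE.findall(text)}

def check_digest_pair(server_text, client_text, min_len=16):
    """Return a list of problems in a Nimbus/client JAAS pair (empty if none)."""
    server = parse_jaas(server_text).get("StormServer")
    client = parse_jaas(client_text).get("StormClient")
    if server is None or client is None:
        return ["missing StormServer or StormClient section"]
    # Server side: each user_<name>="<secret>" option defines one account.
    users = {k[5:]: v for k, v in server.items() if k.startswith("user_")}
    problems = [f"secret for '{u}' is shorter than {min_len} characters"
                for u, s in users.items() if len(s) < min_len]
    name, secret = client.get("username"), client.get("password")
    if name not in users:
        problems.append(f"client user '{name}' is not defined on the server")
    elif secret != users[name]:
        problems.append(f"password mismatch for '{name}'")
    return problems

if __name__ == "__main__":
    for line in check_digest_pair(SAMPLE_JAAS, SAMPLE_JAAS) or ["pair is consistent"]:
        print(line)
```

Both files hold the secret in clear text, so they need the same file-permission care as any other credential store.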