How to protect Storm Nimbus without Kerberos

Expert Contributor

Hi,

What's the simplest solution to protect Storm Nimbus from random topology submissions?

I know Kerberos can protect that, but my customer doesn't want to set up Kerberos and just wants to protect the Nimbus Thrift port with either user/pass or an SSL cert. I did think of using a proxy, like Nginx, but there's no option in the Storm CLI to input user/pass, and I can't find docs about Nimbus SSL.

Does anyone have this kind of experience?

Thanks in advance.

Wendell

1 ACCEPTED SOLUTION

Expert Contributor

DigestSaslTransportPlugin.java has another bug. Have to use PlainSaslTransportPlugin.java


4 REPLIES 4

Master Mentor

@wbu Securing access to the Nimbus UI is only possible with Kerberos and SPNEGO auth https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.3/bk_secure-storm-ambari/content/ch_secure-st... so unless you just want to protect from submitting topologies with Apache Ranger, you have to enable Kerberos.

Expert Contributor

Hi Artern,

Thanks for the confirmation.

My current problem is that the customer doesn't want to set up Kerberos, and it's a single-tenant cluster. Our solution is to use SASL/DIGEST with the Nimbus Thrift server. Both the server and client JAAS files configure an admin user/pass. If they match, the connection is allowed.

But we need to fix a bug in Storm's DigestSaslTransportPlugin.java.

So very simple.

Regards,

Wendell

Expert Contributor

DigestSaslTransportPlugin.java has another bug. Have to use PlainSaslTransportPlugin.java
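
Added example (not from the original thread and not Storm's code): the accepted answer swaps SASL DIGEST for SASL PLAIN, and this sketch compares what each mechanism puts on the wire, assuming the two plugins use the standard mechanisms (DIGEST-MD5 per RFC 2831, PLAIN per RFC 4616). The user name, password, realm, nonces and digest-uri are constructed sample values.

```python
import hashlib
import hmac


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def plain_initial_response(user: str, password: str, authzid: str = "") -> bytes:
    """RFC 4616 client message: authzid NUL authcid NUL passwd, unhashed."""
    return b"\0".join(s.encode() for s in (authzid, user, password))


def password_from_plain(wire: bytes) -> str:
    """What any reader of an unencrypted connection recovers from PLAIN."""
    _authzid, _user, passwd = wire.split(b"\0")
    return passwd.decode()


def digest_md5_response(user, realm, password, nonce, cnonce, digest_uri,
                        nc="00000001", qop="auth") -> str:
    """RFC 2831 response value: only a nonce-bound hash leaves the client."""
    a1 = md5(f"{user}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd = f"{md5(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{md5(a2).hex()}"
    return md5(kd.encode()).hex()


def server_accepts(stored_password: str, response: str, **fields) -> bool:
    """Server side: recompute from its own copy of the password and compare."""
    expected = digest_md5_response(password=stored_password, **fields)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real cluster.
    fields = dict(user="admin", realm="nimbus.example", nonce="srv-nonce-1",
                  cnonce="cli-nonce-1", digest_uri="thrift/nimbus.example")
    wire = plain_initial_response("admin", "constructed-secret")
    print("PLAIN on the wire :", wire)
    print("recovered password:", password_from_plain(wire))
    resp = digest_md5_response(password="constructed-secret", **fields)
    print("DIGEST response   :", resp)
    print("server accepts    :", server_accepts("constructed-secret", resp, **fields))
```

Because PLAIN carries the password itself, RFC 4616 expects it to be used only under an encrypting layer such as TLS; DIGEST-MD5 keeps the password off the wire but was moved to Historic status by RFC 6331.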