Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

How to protect Storm nimbus without Kerberos

Labels:
avatar
author-rank wbu author-rank
Expert Contributor

Created ‎10-18-2016 01:32 PM

Hi,

What's the simplest solution to protect Storm Nimbus from random submit topologies?

I know kerberos can protect that, but my customer doesn't want to setup Kerberos and just want to protect Nimbus thrift port with either user/pass or ssl cert. I did think to use proxy, like Nginx. But there's no option in the storm cli to input user/pass. And can't find doc about Nimbus SSL.

Does anyone have this kind of experience?

Thanks in advance.

Wendell

1,946 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank wbu author-rank
Expert Contributor

Created ‎10-29-2016 03:08 PM

DigestSaslTransportPlugin.java has another bug. Have to use PlainSaslTransportPlugin.java

View solution in original post

1,696 Views
0 Kudos
4 REPLIES 4

avatar
author-rank aervits
Master Mentor

Created ‎10-19-2016 01:55 AM

Apache Ranger can provide an authorization model for your Storm topologies, http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.3/bk_Security_Guide/content/storm_policy.html

And here https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.5+-+User+Guide#ApacheRanger0.5-Us...

1,696 Views
0 Kudos

avatar
author-rank aervits
Master Mentor

Created ‎10-26-2016 08:01 AM

@wbu securing access to the Nimbus UI is only with Kerberos and SPNEGO AUTH https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.3/bk_secure-storm-ambari/content/ch_secure-st... so unless you just want to protect from submitting topologies with Apache Ranger, you have to enable Kerberos

1,696 Views
0 Kudos

avatar
author-rank wbu author-rank
Expert Contributor

Created ‎10-26-2016 02:47 PM

Hi Artern,

Thanks for the confirm.

My current problem is the customer doesn't want to setup Kerberos, and it's a single tenant cluster. Our solution is to use SASL/DIGEST with Nimbus thrift server. Both server and client JAAS configure a admin user/pass. If they match, then allow the connection.

But need to fix a bug in Storm DigestSaslTransportPlugin.java

So very simple.

Regards,

Wendell

1,696 Views
0 Kudos

avatar
author-rank wbu author-rank
Expert Contributor

Created ‎10-29-2016 03:08 PM

DigestSaslTransportPlugin.java has another bug. Have to use PlainSaslTransportPlugin.java

1,697 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements