
Storm 007 - Who gets a "License to Kill"


In a shared environment, is there a way to prevent users from killing/rebalancing/etc. each other's topologies? If a topology is configured to run as the user who starts it, are other users able to see it? Stop it?

Asked more broadly: What are some best practices for setting up Storm permissions/ACLs in a shared environment?


Re: Storm 007 - Who gets a "License to Kill"


Use Apache Ranger to set up policies for Storm topologies. Here is a great GitHub link by @Ali Bajwa on how to configure the Storm plugin for Ranger:

https://github.com/abajwa-hw/security-workshops/blob/master/Setup-ranger-23.md#setup-storm-plugin-fo...

Re: Storm 007 - Who gets a "License to Kill"


I think @Eric Brosch's question is around multi-tenancy... I found the following link, but none of the answers really get to the details of running topologies in an enterprise multi-tenant environment:

https://community.hortonworks.com/questions/1705/storm-multi-tenancy-best-practices.html

The primary recommendations seem to be that one must 1. have a secure cluster and 2. set supervisor.worker.run.as.user to true.

In the docs I've seen, it's not clear whether there's a good way to have groups of users where they can manage topologies within the group, but not mess with topologies belonging to another group.
