Storm 007 - Who gets a "License to Kill"

Explorer

In a shared environment, is there a way to prevent users from killing/rebalancing/etc. each other's topologies? If a topology is configured to run as the user who starts it, are other users able to see it? Stop it?

Asked more broadly: What are some best practices for setting up Storm permissions/ACLs in a shared environment?

4 REPLIES

Re: Storm 007 - Who gets a "License to Kill"

Contributor

Use Apache Ranger to set up policies for Storm topologies. Here is a great GitHub link by @Ali Bajwa on how to configure the Storm plugin for Ranger:

https://github.com/abajwa-hw/security-workshops/blob/master/Setup-ranger-23.md#setup-storm-plugin-fo...

Re: Storm 007 - Who gets a "License to Kill"

Explorer

I think @Eric Brosch's question is around multi-tenancy... I found the following link, but none of the answers really get to the details of running topologies in an enterprise multi-tenant environment:

https://community.hortonworks.com/questions/1705/storm-multi-tenancy-best-practices.html

The primary recommendations seem to be that one must 1. have a secure cluster and 2. set supervisor.worker.run.as.user to true.

In the docs I've seen, it's not clear whether there's a good way to have groups of users where they can manage topologies within the group, but not mess with topologies belonging to another group.