Storm UI topology administrative action buttons

["Jaydeep Karia (BLOOMBERG/ 919 3RD A)" <jk...@bloomberg.net>]

Hello Storm Community!

Currently any user that has access to the Storm UI can perform the topology administrative actions: Activate, Deactivate, Rebalance and Kill.

To add authentication for these actions the security documentation in the git repo (https://github.com/apache/storm/blob/master/SECURITY.md) suggests using java servlet filters. It gives an example of how to use AuthenticationFilter from hadoop-auth using kerberos. Can we use LDAP instead? Can someone point me to a sample config.

Thank you.

Re: Storm UI topology administrative action buttons

[Bobby Evans <ev...@yahoo-inc.com>]

The issue is that LDAP is not directly a web technology, so I know of no way to simply integrate LDAP with storm.  It would require not just a servlet filter but also a corresponding login page that would authenticate the user with LDAP and return a cookie that could be used in future requests for the servlet filter.
Most companies already have a Single Sign On solution, like active directory, which provides LDAP integration and a landing page.  Most single sign on solutions also provide a servlet filter because there are a lot of enterprise java applications.
If all you have is LDAP how are other java web applications in your company authenticating users?


- Bobby


On Tuesday, June 20, 2017, 5:34:10 PM CDT, Jaydeep Karia (BLOOMBERG/ 919 3RD A) <jk...@bloomberg.net> wrote:

Hello Storm Community!
Currently any user that has access to the Storm UI can perform the topology administrative actions: Activate, Deactivate, Rebalance and Kill.
To add authentication for these actions the security documentation in the git repo (https://github.com/apache/storm/blob/master/SECURITY.md) suggests using java servlet filters. It gives an example of how to use AuthenticationFilter from hadoop-auth using kerberos. Can we use LDAP instead? Can someone point me to a sample config.
Thank you.