[STORM-2898] Storm should support auth through delegation tokens for workers - ASF JIRA

XML

Word

Printable

JSON

Details

Type: New Feature
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.0.0
Fix Version/s: 2.0.0
Component/s: storm-client, storm-server
Labels:
- pull-request-available

Epic Link:
Release Apache Storm 2.0.0

Description

There are a lot of cases where it would be great for a worker to be able to communicate directly to nimbus, supervisors, or drpc servers in a secure way out of the box.

This is currently a pain to make work. The user has to ship a TGT with their topology, and continually keep it up to date with credentials-push. They also need a kind of hacked up jaas.conf to grab the TGT from AutoTGT and put it in the place that he client wants it.

We should just generate a signed data structure (aka delegation token from hadoop) that we can had off to the topologies to use when talking to nimbus, a supervisor, or drpc servers.

We may want to split up the different services from each other to make an attack against one not hit all of them, but that is something we can think about with the design of this.

I will try to come up with a design shortly.

Attachments

Issue Links

links to

GitHub Pull Request #2531

Activity

People

Assignee:: Robert Joseph Evans

Reporter:: Robert Joseph Evans

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 11/Jan/18 16:54

Updated:: 09/Feb/18 02:39

Resolved:: 09/Feb/18 02:39

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

6h 10m