Uploaded image for project: 'Apache Storm'
  1. Apache Storm
  2. STORM-2898

Storm should support auth through delegation tokens for workers

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    Description

      There are a lot of cases where it would be great for a worker to be able to communicate directly to nimbus, supervisors, or drpc servers in a secure way out of the box.

      This is currently a pain to make work. The user has to ship a TGT with their topology, and continually keep it up to date with credentials-push. They also need a kind of hacked up jaas.conf to grab the TGT from AutoTGT and put it in the place that he client wants it.

      We should just generate a signed data structure (aka delegation token from hadoop) that we can had off to the topologies to use when talking to nimbus, a supervisor, or drpc servers.

      We may want to split up the different services from each other to make an attack against one not hit all of them, but that is something we can think about with the design of this.

      I will try to come up with a design shortly.

      Attachments

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            revans2 Robert Joseph Evans
            revans2 Robert Joseph Evans
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 6h 10m
                6h 10m

                Slack

                  Issue deployment