Hi devs,

I have had this idea in mind for a long time, since I'm not sure it'll work without security issues, but I decided to share it since uploading a topology via the REST API is still a great feature to have.

Assuming that no one uses Storm 0.10.0 beta, uploading a topology via the REST API has been removed for security reasons. If my understanding is right, the main security issue is that the client class (which will configure the topology and submit it) will be executed on the UI server with the same account.

What if we just submit a pre-defined topology which simply submits the topology with the given topology jar? It may be similar to the cluster mode of a Spark driver, but the pre-defined topology will be shut down immediately after submitting the actual topology.

Arbitrary code can be run on a worker node, but it would be running on one of the workers, which can be protected with security features. (I might be wrong, since I might not have a clear understanding of the security features, especially submitting a new topology from a worker.)

We don't need to mention non-secured clusters, since they're just non-secured. Even without this API, anyone can include arbitrary code in a Spout or Bolt and submit that topology.

Can this idea address the security issue with the upload-topology REST API?

Thanks in advance,
Jungtaek Lim (HeartSaVioR)
