[
https://issues.apache.org/jira/browse/STORM-2898?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16335469#comment-16335469
]
Jungtaek Lim commented on STORM-2898:
-------------------------------------
[~revans2]
I'm not an expert on security, but the description and answer of [~danny0405]'s
questions make sense to me. The concept looks great, and I agree we may be
better to avoid pulling Hadoop whenever possible. I have seen other streaming
frameworks coupled with Hadoop, and they're providing various distributions
because of Hadoop versions, which is not ideal.
> Storm should support auth through delegation tokens for workers
> ---------------------------------------------------------------
>
> Key: STORM-2898
> URL: https://issues.apache.org/jira/browse/STORM-2898
> Project: Apache Storm
> Issue Type: New Feature
> Components: storm-client, storm-server
> Affects Versions: 2.0.0
> Reporter: Robert Joseph Evans
> Assignee: Robert Joseph Evans
> Priority: Major
>
> There are a lot of cases where it would be great for a worker to be able to
> communicate directly to nimbus, supervisors, or drpc servers in a secure way
> out of the box.
> This is currently a pain to make work. The user has to ship a TGT with their
> topology, and continually keep it up to date with credentials-push. They
> also need a kind of hacked up jaas.conf to grab the TGT from AutoTGT and put
> it in the place that the client wants it.
> We should just generate a signed data structure (aka delegation token from
> Hadoop) that we can hand off to the topologies to use when talking to nimbus,
> a supervisor, or drpc servers.
> We may want to split up the different services from each other to make an
> attack against one not hit all of them, but that is something we can think
> about with the design of this.
> I will try to come up with a design shortly.