This is all off the top of my head so it might not be 100% accurate, meaning I may have missed something in here.

The location that you installed Storm can be world readable, there is nothing secret here, but you should not allow anyone to write (simply to avoid unfortunate accidents when you are not upgrading the cluster/configs).

The logging directory should be writable by the headless user running your daemons. The storm-local directory also.

If you are running with security it is a bit more complex. Make sure that the keytabs for the daemons are only readable by the headless user that is running Storm. Similarly if you are using HTTPS for the UI and logviewer processes: make sure again that the keystore is only readable by the headless user running Storm.

If you are running with the supervisors launching the workers as the user that started them, first of all please make sure you are also running in secure mode, because otherwise the entire world can launch things on your cluster as just about any user they want. The worker launcher executable needs to have setuid/setgid permissions on it. The owner needs to be root, and the group needs to be a group that only the headless user your topology is running as is in. It should not be world executable. This grants permission for the supervisor to do things as other users.

The config for this file is usually in /etc/storm but could be in other places as it is set at compile time. It should not be writable by anyone, and I think it needs to be owned by root. worker-launcher will tell you if you got it wrong and will refuse to run. You also want to make sure that the config in there for the min user id that it is willing to become is set properly for your system. You don't want to allow Storm to launch things as root, or really any other system headless user.

The subdirectory under the logging directory called workers-artifacts needs to have the sticky bit set on it, although you might not need to, I think Storm will fix it up for you when it creates things.

storm-local should be world executable. You can make it world readable too, but I don't think it matters. You should not make it writable by anyone but the headless storm user though. The supervisor should be able to fix up the rest of the subdirectories under it itself.
- Bobby

On Monday, August 7, 2017, 12:45:21 PM CDT, I PVP <i...@hotmail.com> wrote:

What are the Linux file access permission best practices for the $STORM_HOME and subfolders? I am running Storm 1.1.1 under the storm:storm (user:group) on CentOS.

Thanks

IPVP
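The permission rules from Bobby's reply above, turned into an audit script. This is an added example, not part of the original thread and not code from the Storm project. The user name and every path are arguments you supply, and reading "not writable by anyone" as "no group or other write bit" is an assumption. The launcher's group membership and the min user id setting are not checked.

```shell
#!/bin/sh
# Added example: audits the permission rules from the reply above.
# The user name and every path are arguments (assumptions about your layout).
# Uses GNU stat, as shipped on CentOS.

mode_of() { stat -c '%a' "$1"; }
# has_bits PATH MASK: every bit of octal MASK is set on PATH.
has_bits() { [ $(( 0$(mode_of "$1") & $2 )) -eq $(( $2 )) ]; }
# lacks_bits PATH MASK: no bit of octal MASK is set on PATH.
lacks_bits() { [ $(( 0$(mode_of "$1") & $2 )) -eq 0 ]; }
owned_by() { [ "$(stat -c '%U' "$1")" = "$2" ]; }

# Install tree: nothing below DIR is group- or world-writable (symlinks skipped).
tree_not_writable() {
    [ -z "$(find "$1" ! -type l \( -perm -0020 -o -perm -0002 \) -print)" ]
}
# Keytab or keystore: owned by USER and unreadable to group and others.
secret_ok() { owned_by "$1" "$2" && lacks_bits "$1" 0044; }
# storm-local: owned by USER, world executable, writable by the owner only.
storm_local_ok() {
    owned_by "$1" "$2" && has_bits "$1" 0001 && lacks_bits "$1" 0022
}
# worker-launcher binary: setuid and setgid set, not world executable.
launcher_mode_ok() { has_bits "$1" 06000 && lacks_bits "$1" 0001; }

# audit_storm USER HOME LOGS LOCAL LAUNCHER LAUNCHER_CFG [KEYTAB_OR_KEYSTORE...]
# Prints one line per violated rule; returns 0 only when none is violated.
audit_storm() {
    user=$1 home=$2 logs=$3 localdir=$4 launcher=$5 cfg=$6
    shift 6
    rc=0
    fail() { echo "FAIL: $*"; rc=1; }
    tree_not_writable "$home" || fail "$home: group/world-writable entries"
    { owned_by "$logs" "$user" && has_bits "$logs" 0200; } ||
        fail "$logs: not writable by $user"
    storm_local_ok "$localdir" "$user" || fail "$localdir: wrong owner or mode"
    # workers-artifacts may not exist yet; check the sticky bit only if it does.
    [ ! -d "$logs/workers-artifacts" ] ||
        has_bits "$logs/workers-artifacts" 01000 ||
        fail "$logs/workers-artifacts: sticky bit missing"
    { owned_by "$launcher" root && launcher_mode_ok "$launcher"; } ||
        fail "$launcher: need owner root, setuid+setgid, no world execute"
    { owned_by "$cfg" root && lacks_bits "$cfg" 0022; } ||
        fail "$cfg: need owner root, no group/other write"
    for secret in "$@"; do
        secret_ok "$secret" "$user" || fail "$secret: readable beyond $user"
    done
    return "$rc"
}
```

Source the file and call `audit_storm` with the headless user, the install directory, the log directory, storm-local, the worker-launcher binary, its config file, and any keytabs or keystores.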