Merge pull request #3543 from snikhil5/STORM-3920

STORM-3920 Update security document
diff --git a/SECURITY.md b/SECURITY.md
index e41c31a..1d1bb52 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -414,6 +414,17 @@
 where `worker_launcher_group` is the same group the supervisor user is a part of, and `min.user.id` is set to the first real user id on the system.
 This config file also needs to be owned by root and *not* have world nor group write permissions.
 
+
+### Storm‐Netty Authentication
+
+The authentication for Netty connections between workers by default is disabled. 
+It can either be set for your cluster or on a per topology basis. This setting will prevent any 
+unauthorized messages from getting processed. The config for enabling the
+Storm‐Netty authentication is as follows:
+```yaml
+storm.messaging.netty.authentication: true
+```
+
 ### Impersonating a user
 A storm client may submit requests on behalf of another user. For example, if a `userX` submits an oozie workflow and as part of workflow execution if user `oozie` wants to submit a topology on behalf of `userX`
 it can do so by leveraging the impersonation feature. In order to submit a topology as some other user, you can use the `StormSubmitter.submitTopologyAs` API. Alternatively you can use `NimbusClient.getConfiguredClientAs`
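Review bot: The new "Storm‐Netty Authentication" section does not name the mechanism. The conf/defaults.yaml comment in this same change calls it "Netty SASL authentication", but the added text only says the setting "will prevent any unauthorized messages from getting processed". Suggest stating that this is SASL authentication between worker processes and linking https://issues.apache.org/jira/browse/STORM-348 here as the other two files now do, so an operator reading SECURITY.md knows what is being enabled. Three smaller points in the same hunk: the heading and the sentence before the yaml block spell "Storm‐Netty" with a non-ASCII hyphen (it appears to be U+2010) rather than "-", which will defeat plain-text search and can change the generated heading anchor; the hunk adds a second blank line before the heading where one already exists; and the lines ending "by default is disabled." and "will prevent any" carry trailing spaces. The opening sentence would also read better as "Authentication for Netty connections between workers is disabled by default."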
@@ -498,5 +509,3 @@
 
 ### DRPC
 Hopefully more on this soon
-
-
diff --git a/conf/defaults.yaml b/conf/defaults.yaml
index da4bc16..8b7d87b 100644
--- a/conf/defaults.yaml
+++ b/conf/defaults.yaml
@@ -242,6 +242,7 @@
 storm.messaging.netty.socket.backlog: 500
 
 # By default, the Netty SASL authentication is set to false.  Users can override and set it true for a specific topology.
+# see https://issues.apache.org/jira/browse/STORM-348 for more details
 storm.messaging.netty.authentication: false
 
 # Default plugin to use for automatic network topology discovery
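Review bot: The added comment line "# see https://issues.apache.org/jira/browse/STORM-348 for more details" starts in lowercase and has no terminal period, unlike the sentence-style comment directly above it and the "See ..." wording added to Config.java in this same change. Suggest "# See https://issues.apache.org/jira/browse/STORM-348 for more details." so the two references match. Since this file is where operators see the `false` default, a pointer to the new SECURITY.md section alongside the JIRA link would also help them find the enabling instructions.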
diff --git a/storm-client/src/jvm/org/apache/storm/Config.java b/storm-client/src/jvm/org/apache/storm/Config.java
index 0720df2..2974985 100644
--- a/storm-client/src/jvm/org/apache/storm/Config.java
+++ b/storm-client/src/jvm/org/apache/storm/Config.java
@@ -1443,6 +1443,7 @@
     public static final String STORM_MESSAGING_TRANSPORT = "storm.messaging.transport";
     /**
      * Netty based messaging: Is authentication required for Netty messaging from client worker process to server worker process.
+     * See https://issues.apache.org/jira/browse/STORM-348 for more details
      */
     @IsBoolean
     public static final String STORM_MESSAGING_NETTY_AUTHENTICATION = "storm.messaging.netty.authentication";
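Review bot: The added Javadoc line "See https://issues.apache.org/jira/browse/STORM-348 for more details" is a bare URL inside running text with no closing period, so it renders as plain unlinked text in the generated docs. Suggest a block tag after the description instead, for example `@see <a href="https://issues.apache.org/jira/browse/STORM-348">STORM-348</a>`, or at minimum wrap the URL in an `<a href>` and end the sentence with a period. The description above it could also mention that the key is SASL-based and off by default, which the defaults.yaml comment states but this Javadoc does not.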