Github user d2r commented on a diff in the pull request:
https://github.com/apache/storm/pull/2886#discussion_r226363931
--- Diff: docs/SECURITY.md ---
@@ -50,17 +50,33 @@ The UI and logviewer processes provide a way to not
only see what a cluster is
doing, but also manipulate running topologies. In general these processes
should
not be exposed except to users of the cluster.
-Some form of Authentication is typically required, with using java servlet
filters
+Some form of Authentication is typically required, and can be done using a
java servlet filter
```yaml
ui.filter: "filter.class"
ui.filter.params: "param1":"value1"
logviewer.filter: "filter.class"
logviewer.filter.params: "param1":"value1"
```
-or by restricting the UI/log viewers ports to only accept connections from
local
-hosts, and then front them with another web server, like Apache httpd,
that can
-authenticate/authorize incoming connections and
+
+The `ui.filter` is an instance of `javax.servlet.Filter` that is intended
to
+filter all incomming requests to the UI and authenticate the request
mapping
+it to a "user". Typically this is done by modifying or wrapping the
+`HttpServletRequest` to return the user principal through the
+`getUserPrincipal()` method or returning the user name through the
+`getRemoteUser()` method. If your filter authenticates in a differnt way
you
+can look at setting `ui.http.creds.plugin` to point to an instance of
`IHttpCredentialsPlugin`
+that can take the `HttpServletRequest` and return a user name and populate
the needed fields
+in the current `ReqContext`. These are advanced features and you may want
to look at the
+`DefaultHttpCredentialsPlugin` as an example of how to do this.
+
+These same settings apply to the logviewer too. If you want to have
separate controle
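Review bot: two spelling errors in the added `ui.filter` paragraph should be fixed along with `controle`: `incomming` → `incoming` and `differnt` → `different`; `java servlet filter` should also read `Java servlet filter`. Separately, the `ui.filter.params: "param1":"value1"` line in the retained example is ambiguous as a YAML map value; since this section now tells readers to configure the filter themselves, a flow-mapping form such as `ui.filter.params: {"param1": "value1"}` would be safer to copy into storm.yaml.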
--- End diff --
`control`
---