purushah commented on code in PR #8072: URL: https://github.com/apache/storm/pull/8072#discussion_r2098586376
########## docs/SECURITY.md: ########## @@ -187,7 +187,113 @@ If users want to setup 2-way auth 9. logviewer.https.want.client.auth (If this set to true server requests for client certificate authentication, but keeps the connection if no authentication provided) 10. logviewer.https.need.client.auth (If this set to true server requires client to provide authentication) +## Mutual TLS (mTLS) Support +**Available since Storm 2.7.0 (STORM-4070)** + +Storm now supports mutual TLS for its internal Thrift RPC between Nimbus, Supervisors, and workers. mTLS goes beyond one-way TLS by requiring **both** sides to present and verify certificates, giving full two-way certificate authentication *and* encryption. + +### Example TLS Configuration + +### 1. Nimbus Settings + +```yaml +# Thrift TLS Listener +nimbus.thrift.tls.port: 6067 +nimbus.thrift.access.log.enabled: true +nimbus.thrift.tls.server.only: true + +# Server-side certificates & truststore +nimbus.thrift.tls.server.keystore.path: ~/tmp/ssl/server.keystore.jks +nimbus.thrift.tls.server.keystore.password: password +nimbus.thrift.tls.server.truststore.path: ~/tmp/ssl/server.truststore.jks

Review Comment: I can add some documentation on how to set this up for testing purposes. But for production, each company usually has its own process for generating and managing certificates. For example, at Yahoo, we use an internal system that automatically generates certificates and bootstraps the hosts with them; we never had to generate them manually.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
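Review bot: the Nimbus settings block puts a literal keystore password (`nimbus.thrift.tls.server.keystore.password: password`) and `~/tmp/ssl/...` paths into a doc that readers will copy verbatim; mark both as placeholders and add a sentence on how the password in storm.yaml is expected to be protected (at minimum restrictive file permissions on the config file), since the doc otherwise implies a plaintext secret in a shared config is normal. The `~` in the keystore and truststore paths is also unlikely to be expanded by the YAML loader, so an absolute path such as `/etc/storm/ssl/server.keystore.jks` would be a safer example. `nimbus.thrift.tls.server.only: true` is listed without any explanation of what it controls (whether the non-TLS Thrift port stays open alongside the TLS one); one line on that would help operators decide the value. Finally, `### Example TLS Configuration` and `### 1. Nimbus Settings` are at the same heading level, so the numbered settings sections should be one level deeper (`####`) or the example heading one level higher.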
