rzo1 commented on code in PR #8072: URL: https://github.com/apache/storm/pull/8072#discussion_r2098649194
########## docs/SECURITY.md: ########## @@ -187,7 +187,113 @@ If users want to setup 2-way auth 9. logviewer.https.want.client.auth (If this set to true server requests for client certificate authentication, but keeps the connection if no authentication provided) 10. logviewer.https.need.client.auth (If this set to true server requires client to provide authentication) +## Mutual TLS (mTLS) Support +**Available since Storm 2.7.0 (STORM-4070)** + +Storm now supports mutual TLS for its internal Thrift RPC between Nimbus, Supervisors, and workers. mTLS goes beyond one-way TLS by requiring **both** sides to present and verify certificates, giving full two-way certificate authentication *and* encryption. + +### Example TLS Configuration + +### 1. Nimbus Settings + +```yaml +# Thrift TLS Listener +nimbus.thrift.tls.port: 6067 +nimbus.thrift.access.log.enabled: true +nimbus.thrift.tls.server.only: true + +# Server-side certificates & truststore +nimbus.thrift.tls.server.keystore.path: ~/tmp/ssl/server.keystore.jks +nimbus.thrift.tls.server.keystore.password: password +nimbus.thrift.tls.server.truststore.path: ~/tmp/ssl/server.truststore.jks

Review Comment: Yep - might also be out of scope. People who want it can just google or ask an LLM. So let it be.
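Review bot: in the `### 1. Nimbus Settings` YAML, `nimbus.thrift.tls.server.keystore.password: password` and the `~/tmp/ssl/server.keystore.jks` / `~/tmp/ssl/server.truststore.jks` paths are not marked as placeholders, so a reader copying the block gets a clear-text password in storm.yaml and keystores under a temp directory; say explicitly that these are example values, that the real keystore password should not be committed to storm.yaml in clear text, and that the keystore and truststore files should be readable only by the Storm service user. The new keys (`nimbus.thrift.tls.port`, `nimbus.thrift.access.log.enabled`, `nimbus.thrift.tls.server.only`) are also listed without saying what each controls, whereas items 9 and 10 just above (`logviewer.https.want.client.auth`, `logviewer.https.need.client.auth`) each carry a parenthetical explanation; a one-line description per key, in particular whether `nimbus.thrift.tls.server.only: true` disables the plain Thrift listener, would keep the section consistent with the rest of the document. Minor: `### 1. Nimbus Settings` sits at the same heading level as `### Example TLS Configuration`, so the numbered settings sections read as siblings of the example rather than its parts; one level deeper (`####`) would fix the nesting.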
