Jaydeep, take a look at Apache Ranger; it provides LDAP integration and offers authorization requirements for topologies you seek: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.1/bk_security/content/storm_policy.html

On Jun 21, 2017 4:56 PM, "Jaydeep Karia (BLOOMBERG/ 919 3RD A)" <[email protected]> wrote:

> Hey Bobby,
>
> Most of them go through the httpd web server in between which connects to
> the central ldap server. I missed that the login page & cookie logic for
> such apps is provided by the httpd webserver and a servlet filter doesn't
> do it.
>
> Thanks,
> Jaydeep
>
>
> From: [email protected] At: 06/21/17 10:05:03
> To: Jaydeep Karia (BLOOMBERG/ 919 3RD A), [email protected]
> Subject: Re: Storm UI topology administrative action buttons
>
> The issue is that LDAP is not directly a web technology, so I know of no
> way to simply integrate LDAP with storm. It would require not just a
> servlet filter but also a corresponding login page that would authenticate
> the user with LDAP and return a cookie that could be used in future
> requests for the servlet filter.
>
> Most companies already have a Single Sign On solution, like active
> directory, which provides LDAP integration and a landing page. Most single
> sign on solutions also provide a servlet filter because there are a lot of
> enterprise java applications.
>
> If all you have is LDAP how are other java web applications in your
> company authenticating users?
>
>
> - Bobby
>
>
>
> On Tuesday, June 20, 2017, 5:34:10 PM CDT, Jaydeep Karia (BLOOMBERG/ 919
> 3RD A) <[email protected]> wrote:
>
>
> Hello Storm Community!
>
> Currently any user that has access to the Storm UI can perform the
> topology administrative actions: Activate, Deactivate, Rebalance and Kill.
>
> To add authentication for these actions the security documentation in the
> git repo (https://github.com/apache/storm/blob/master/SECURITY.md)
> suggests using java servlet filters. It gives an example of how to use
> AuthenticationFilter from hadoop-auth using kerberos. Can we use LDAP
> instead? Can someone point me to a sample config.
>
> Thank you.
