106 changes: 106 additions & 0 deletions docs/SECURITY.md
Expand Up @@ -187,7 +187,113 @@ If users want to setup 2-way auth
9. logviewer.https.want.client.auth (If this set to true server requests for client certificate authentication, but keeps the connection if no authentication provided)
10. logviewer.https.need.client.auth (If this set to true server requires client to provide authentication)

## Mutual TLS (mTLS) Support

**Available since Storm 2.7.0 (STORM-4070)**

Storm now supports mutual TLS (mTLS) for internal Thrift RPC communication among Nimbus, Supervisors, and workers. Unlike one-way TLS, mTLS requires both parties to present and verify each other's certificates. This ensures full two-way certificate authentication and encryption.

### Example TLS Configuration

### 1. Nimbus Settings

```yaml
# Thrift TLS Listener
nimbus.thrift.tls.port: 6067
nimbus.thrift.access.log.enabled: true
nimbus.thrift.tls.server.only: true

# Server-side certificates & truststore
nimbus.thrift.tls.server.keystore.path: /etc/ssl/server.keystore.jks
nimbus.thrift.tls.server.keystore.password: password
nimbus.thrift.tls.server.truststore.path: /etc/ssl//server.truststore.jks
nimbus.thrift.tls.server.truststore.password: password

# Client-side certificates & transport plugin
nimbus.thrift.client.use.tls: true
nimbus.thrift.tls.client.keystore.path: /etc/ssl/client.keystore.jks
nimbus.thrift.tls.client.keystore.password: password
nimbus.thrift.tls.client.truststore.path: /etc/ssl/client.truststore.jks
nimbus.thrift.tls.client.truststore.password: password
nimbus.thrift.tls.transport: org.apache.storm.security.auth.tls.TlsTransportPlugin
```
### 2. Supervisor Settings

```yaml
# TLS transport plugin & client enable
supervisor.thrift.transport: org.apache.storm.security.auth.tls.TlsTransportPlugin
supervisor.thrift.client.use.tls: true

# Supervisor as Thrift TLS server
supervisor.thrift.tls.server.keystore.path: /etc/ssl/server.keystore.jks
supervisor.thrift.tls.server.keystore.password: password
supervisor.thrift.tls.server.truststore.path: /etc/ssl/server.truststore.jks
supervisor.thrift.tls.server.truststore.password: password

# Supervisor client settins
supervisor.thrift.tls.client.keystore.path: /etc/ssl/client.keystore.jks
supervisor.thrift.tls.client.keystore.password: password
supervisor.thrift.tls.client.truststore.path: /etc/ssl/client.truststore.jks
supervisor.thrift.tls.client.truststore.password: password
```

### 3. Worker Settings

```yaml
# Storm Netty messaging TLS (worker ↔ worker)
storm.messaging.netty.tls.enable: true
storm.messaging.netty.tls.require.open.ssl: true

# Inbound (server-side) credentials
storm.messaging.netty.tls.keystore.path: /etc/ssl/server.keystore.jks
storm.messaging.netty.tls.keystore.password: password
storm.messaging.netty.tls.truststore.path: /etc/ssl/server.truststore.jks
storm.messaging.netty.tls.truststore.password: password

# Outbound (client-side) credentials
storm.messaging.netty.tls.client.keystore.path: /etc/ssl/client.keystore.jks
storm.messaging.netty.tls.client.keystore.password: password
storm.messaging.netty.tls.client.truststore.path: /etc/ssl/client.truststore.jks
storm.messaging.netty.tls.client.truststore.password: password
```

### 4. Setting Descriptions

| Setting | Description |
|---------------------------------------------------|----------------------------------------------------------------------------------------------|
| `nimbus.thrift.tls.port` | Port on which Nimbus listens for TLS-encrypted Thrift connections (e.g., 6067) |
| `nimbus.thrift.tls.server.only` | Nimbus accepts only secure TLS connections |
| `nimbus.thrift.tls.server.keystore.path` | Path to Nimbus server keystore |
| `nimbus.thrift.tls.server.keystore.password` | Password for the Nimbus server keystore |
| `nimbus.thrift.tls.server.truststore.path` | Path to Nimbus server truststore |
| `nimbus.thrift.tls.server.truststore.password` | Password for the Nimbus truststore |
| `nimbus.thrift.client.use.tls` | Enable TLS on Nimbus outbound Thrift calls |
| `nimbus.thrift.tls.client.keystore.path` | Path to Nimbus client keystore (for outbound connections) |
| `nimbus.thrift.tls.client.keystore.password` | Password for the Nimbus client keystore |
| `nimbus.thrift.tls.client.truststore.path` | Path to Nimbus client truststore |
| `nimbus.thrift.tls.client.truststore.password` | Password for the Nimbus client truststore |
| `nimbus.thrift.tls.transport` | TLS transport plugin class for Nimbus |
| `storm.principal.tolocal` | Principal-to-local mapping class (for X.509 auth) |
| `supervisor.thrift.transport` | TLS transport plugin class for Supervisor Thrift |
| `supervisor.thrift.client.use.tls` | Enable TLS for Supervisor outbound Thrift calls |
| `supervisor.thrift.tls.server.keystore.path` | Path to Supervisor server keystore |
| `supervisor.thrift.tls.server.keystore.password` | Password for the Supervisor server keystore |
| `supervisor.thrift.tls.server.truststore.path` | Path to Supervisor server truststore |
| `supervisor.thrift.tls.server.truststore.password`| Password for the Supervisor truststore |
| `supervisor.thrift.tls.client.keystore.path` | Path to Supervisor client keystore |
| `supervisor.thrift.tls.client.keystore.password` | Password for the Supervisor client keystore |
| `supervisor.thrift.tls.client.truststore.path` | Path to Supervisor client truststore |
| `supervisor.thrift.tls.client.truststore.password`| Password for the Supervisor client truststore |
| `storm.messaging.netty.tls.enable` | Enable TLS for Storm Netty messaging (inter-worker) |
| `storm.messaging.netty.tls.require.open.ssl` | Require OpenSSL provider for Netty TLS |
| `storm.messaging.netty.tls.keystore.path` | Path to Netty server keystore |
| `storm.messaging.netty.tls.keystore.password` | Password for the Netty server keystore |
| `storm.messaging.netty.tls.truststore.path` | Path to Netty server truststore |
| `storm.messaging.netty.tls.truststore.password` | Password for the Netty server truststore |
| `storm.messaging.netty.tls.client.keystore.path` | Path to Netty client keystore |
| `storm.messaging.netty.tls.client.keystore.password`| Password for the Netty client keystore |
| `storm.messaging.netty.tls.client.truststore.path`| Path to Netty client truststore |
| `storm.messaging.netty.tls.client.truststore.password`| Password for the Netty client truststore |


## Authentication (Kerberos)
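Review bot: the section says mTLS "requires both parties to present and verify each other's certificates", but none of the three example blocks shows which setting actually enforces client-certificate verification on the Thrift and Netty servers (compare the explicit `logviewer.https.want.client.auth` / `logviewer.https.need.client.auth` pair just above the new section). Please state whether `org.apache.storm.security.auth.tls.TlsTransportPlugin` always demands and verifies a client certificate, or name the setting that controls it; as written a reader cannot tell one-way TLS from mTLS from the config alone. Related documentation gaps in the same hunk: the table lists `storm.principal.tolocal` as the principal-to-local mapping class "for X.509 auth", but no example sets it, so show it in the Nimbus example or drop it from the table; the examples use the literal password `password` for every keystore and truststore without saying these are placeholders, so add a sentence that they must be replaced and that `storm.yaml` holding keystore passwords should be readable only by the Storm service account; and `storm.messaging.netty.tls.require.open.ssl: true` deserves a note on what happens when the OpenSSL provider is unavailable at worker start. Smaller fixes: `/etc/ssl//server.truststore.jks` has a doubled slash in the Nimbus example, `# Supervisor client settins` should read `settings`, the `### 1.`–`### 4.` headings sit at the same level as their parent `### Example TLS Configuration` (make them `####`), and a blank line is missing between the closing fence of the Nimbus block and `### 2. Supervisor Settings`.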