diff --git a/docs/SECURITY.md b/docs/SECURITY.md index aacbff7ded4..1b9ea8cbbd0 100644 --- a/docs/SECURITY.md +++ b/docs/SECURITY.md @@ -128,9 +128,11 @@ UI,DRPC and LOGVIEWER allows users to configure ssl . ### UI +These configurations enable HTTPS for the Storm UI, allowing secure communication between users and the cluster. + For UI users needs to set following config in storm.yaml. Generating keystores with proper keys and certs should be taken care by the user before this step. -1. ui.https.port +1. ui.https.port (Port for HTTPS UI access) 2. ui.https.keystore.type (example "jks") 3. ui.https.keystore.path (example "/etc/ssl/storm_keystore.jks") 4. ui.https.keystore.password (keystore password) @@ -193,6 +195,14 @@ If users want to setup 2-way auth Storm now supports mutual TLS (mTLS) for internal Thrift RPC communication among Nimbus, Supervisors, and workers. Unlike one-way TLS, mTLS requires both parties to present and verify each other's certificates. This ensures full two-way certificate authentication and encryption. +### Overview of TLS Configuration + +Storm provides TLS support for securing internal communication between Nimbus, Supervisors, and workers. This is achieved using existing configuration properties for Thrift-based RPC communication and Netty-based messaging. + +The TLS setup requires configuring keystore and truststore paths along with enabling TLS flags for each component. Nimbus and Supervisors use Thrift TLS settings, while workers use Netty TLS settings. + +The following sections provide example configurations for each component. + ### Example TLS Configuration ### 1. Nimbus Settings 
@@ -682,3 +692,5 @@ Also, there are several configurations for topology Zookeeper authentication: | storm.zookeeper.topology.auth.payload | A string representing the payload for topology Zookeeper authentication. | Note: If storm.zookeeper.topology.auth.payload isn't set, Storm will generate a ZooKeeper secret payload for MD5-digest with generateZookeeperDigestSecretPayload() method. + +
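Review bot: in the first hunk (the `### UI` section), the two context lines right after the new sentence still carry the grammar errors "For UI users needs to set following config" and "should be taken care by the user"; since this change already rewrites that paragraph's opening, it should fix them too, e.g. "For the UI, users need to set the following config in storm.yaml. Generating keystores with proper keys and certs should be taken care of by the user before this step." The new `(Port for HTTPS UI access)` annotation on `ui.https.port` is consistent with the `(example ...)` style of items 2-4.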
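Review bot: in the second hunk, the new "Overview of TLS Configuration" refers to "existing configuration properties" and "enabling TLS flags for each component" without naming any of them, so a reader still has to jump to the examples to learn which keys to set; either list the keystore/truststore and TLS-enable property names here or turn the closing sentence into a link to the per-component sections. Also, `### 1. Nimbus Settings` is at the same heading level as the `### Example TLS Configuration` section it belongs to, so it does not nest; `####` would make the structure match the prose ("The following sections provide example configurations for each component").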
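Review bot: the third hunk (`@@ -682,3 +692,5 @@`) only appends two empty lines after the ZooKeeper note at the end of the file; that is whitespace noise rather than documentation and should be dropped, leaving the file with its single trailing newline.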