metron-user mailing list archives

From Dima Kovalyov <>
Subject Re: How to secure Apache Metron cluster
Date Sat, 18 Apr 2020 02:15:56 GMT
Exactly, without a Single Sign-on (SSO) system you will end up with all
components in their default security configuration.

Which in NiFi, for example, means none, like in Elasticsearch and Storm.
While there is still some decentralized security on the Ambari, Grafana and
Metron UI side.

There are obviously a lot more components with a variety of authentication
mechanisms, but just as an example.

So, yeah, go for Kerberos/Active Directory. Take a look at FreeIPA, which is
a completely free and open source identity management system (Active
Directory for Linux).

- Dima

On Fri, Apr 17, 2020, 16:49 ThuyT <> wrote:

> Thank you Tom for your response. I've been doing some reading about those
> you suggested; however, if I'm not using Kerberos and Active Directory and I'm
> only using a single user account, then the multiple layers of security will
> not work for our environment, correct?
> Thanks,
> ~ Thuy
> On Thu, Apr 9, 2020 at 12:23 PM Yerex, Tom <> wrote:
>> Good morning Thuy,
>> We are focused on multiple layers of security, beginning with the
>> firewall but also local access control and monitoring down to individual
>> processes running in the environment.
>> Kerberos is a mechanism that is discussed as a security mechanism and I
>> have had it working with Active Directory and a UNIX-based Kerberos
>> provider (LDAP as well). Ranger provides a lot of auditing and insight.
>> In our environment, we have a moat around the cluster with strictly
>> controlled and monitored access points.
>> Cheers,
>> Tom.
>> On 2020-04-08 14:16:13-07:00 ThuyT wrote:
>> Hello all,
>> Has anyone tried to secure an Apache Metron cluster? I scanned for open ports
>> and there are about 30-50 open ports on each node of my 4-node cluster. I
>> know Storm uses the majority of these ports for workers. I've enabled SSL on a
>> few component services, but don't know how to secure all open ports. Any
>> thoughts or ideas are welcome and appreciated.
>> thanks,
>> ~ Thuy
