CEM security overview

Cloudera Edge Management (CEM) is not secure by default. Cloudera recommends that you always enable security for production environments. To secure CEM, you must secure both Edge Flow Manager (EFM) and the MiNiFi agents.

By default, EFM runs in an unsecured mode where the web endpoints are accessible over HTTP on all network interfaces and clients are not authenticated. When unsecured, all clients are anonymous and have full access to the application. For this reason, unsecured mode should only be used for test or development purposes, and only when EFM is not reachable from the public Internet.

You can limit the network interfaces that the web server binds to by setting the following property in the efm.properties file (the value below restricts the web endpoints to the local machine):
efm.web.host=localhost

For production environments, security should always be enabled by configuring a TLS context and a method of user authentication.

Securing CEM involves securing both the EFM server and MiNiFi agents.

The EFM server provides centralized control of MiNiFi agents. Starting with version 1.3.0, EFM provides robust options for authentication and authorization.

The high-level steps for securing a CEM system are:
  1. Generating or obtaining keys and certificates for EFM, MiNiFi agents, and optionally service user accounts.
  2. Configuring the EFM TLS context.
  3. Configuring MiNiFi agent TLS contexts, which allows MiNiFi agents to authenticate to a secured EFM server.
  4. Configuring end-user authentication for the EFM web application UI, typically as an integration with a Single Sign On (SSO) identity provider.
  5. Assigning access control policies to users and groups in the EFM web application UI.
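The following script is an added example for step 1 and is not part of the Cloudera documentation or the CEM product. It builds a small lab PKI with openssl: a local CA, a TLS server certificate for EFM whose subjectAltName matches the host that agents and browsers connect to, and a client certificate for one MiNiFi agent marked for client authentication, then bundles the server key into a PKCS12 keystore and verifies that both leaf certificates chain to the CA. The hostnames, agent identifier, file names and the keystore password are assumptions for the example; a production deployment would obtain certificates from the organisation's own CA rather than generating one locally.

```shell
#!/bin/sh
# Added example (not Cloudera's code): lab PKI for EFM and a MiNiFi agent.
# Hostnames, agent id, file names and the "changeit" password are assumptions.
set -eu

# gen_cem_pki DIR EFM_HOST AGENT_ID
# Creates a local CA, an EFM server certificate, one agent client certificate
# and a PKCS12 keystore holding the server key and chain.
gen_cem_pki() {
  dir=$1; efm_host=$2; agent_id=$3
  mkdir -p "$dir"

  # 1. Local CA. Its certificate is what EFM and every agent must trust.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=cem-lab-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

  # 2. EFM server certificate. The SAN must match the name that agents and
  #    browsers use for EFM, otherwise hostname verification fails.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$efm_host" \
    > "$dir/efm.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$efm_host" \
    -keyout "$dir/efm.key" -out "$dir/efm.csr" 2>/dev/null
  openssl x509 -req -in "$dir/efm.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/efm.ext" \
    -out "$dir/efm.crt" 2>/dev/null

  # 3. Agent client certificate. Each agent gets its own key pair so that it
  #    can be identified (and revoked) individually; clientAuth marks it for
  #    mutual TLS.
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/agent.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$agent_id" \
    -keyout "$dir/$agent_id.key" -out "$dir/$agent_id.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$agent_id.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -days 365 -extfile "$dir/agent.ext" \
    -out "$dir/$agent_id.crt" 2>/dev/null

  # 4. Bundle the server key and chain as a PKCS12 keystore for the EFM TLS
  #    context (the password is a placeholder for the example).
  openssl pkcs12 -export -inkey "$dir/efm.key" -in "$dir/efm.crt" \
    -certfile "$dir/ca.crt" -passout pass:changeit -out "$dir/efm-keystore.p12"

  # Private keys and the keystore are readable by the owner only.
  chmod 600 "$dir"/*.key "$dir/efm-keystore.p12"
}

# verify_cem_pki DIR EFM_HOST AGENT_ID
# Returns 0 when both leaf certificates chain to the CA, the server SAN
# carries EFM_HOST and the agent certificate is usable for client auth.
verify_cem_pki() {
  dir=$1; efm_host=$2; agent_id=$3
  openssl verify -CAfile "$dir/ca.crt" "$dir/efm.crt" >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$dir/ca.crt" "$dir/$agent_id.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/efm.crt" -noout -text 2>/dev/null \
    | grep -q "DNS:$efm_host" || return 1
  openssl x509 -in "$dir/$agent_id.crt" -noout -text 2>/dev/null \
    | grep -q "TLS Web Client Authentication" || return 1
  return 0
}
```

Run gen_cem_pki with the directory, the EFM hostname and an agent identifier, then verify_cem_pki with the same arguments; a non-zero result from the verification means a certificate will be rejected at TLS handshake time, which is cheaper to find here than in an agent log. The CA certificate is the file to place in the EFM and agent truststores, while each agent keeps only its own key and certificate.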

For more information about the security aspects of EFM, check out the video on the Cloudera Edge Management YouTube playlist: