Cloudera Edge Management security overview

Cloudera Edge Management is not secure by default. Cloudera recommends that you always enable security in production environments. To secure Cloudera Edge Management, you must secure both Edge Flow Manager and the MiNiFi agents.

By default, Edge Flow Manager runs in an unsecured mode: the web endpoints are served over plain HTTP on all network interfaces, and clients are not authenticated. Every client is therefore anonymous and has full access to the application. For this reason, use unsecured mode only for test or development purposes, and only when Edge Flow Manager is not reachable from the public Internet.

You can limit the network interfaces that the web server binds to in the efm.properties file. Binding to the loopback interface, for example, keeps an unsecured development instance off the network entirely:
efm.web.host=localhost

For production environments, always enable security by configuring a TLS context and a method of user authentication.

Securing Cloudera Edge Management involves securing both the Edge Flow Manager server, which provides centralized control of the MiNiFi agents, and the agents themselves. Starting with version 1.3.0, Edge Flow Manager provides robust options for authentication and authorization.

The high-level steps for securing a Cloudera Edge Management system are:
  1. Generating or obtaining keys and certificates for Edge Flow Manager, MiNiFi agents, and optionally service user accounts.
  2. Configuring the Edge Flow Manager TLS context.
  3. Configuring MiNiFi agent TLS contexts, which allows MiNiFi agents to authenticate to a secured Edge Flow Manager server.
  4. Configuring end-user authentication for the Edge Flow Manager web application UI, typically as an integration with a Single Sign On (SSO) identity provider.
  5. Assigning access control policies to users and groups in the Edge Flow Manager web application UI.
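Steps 1 through 3 above, as an added example that is not part of the Cloudera documentation or product: a shell script that builds a small private CA with the OpenSSL command line, issues a server certificate for Edge Flow Manager and a client certificate for one MiNiFi agent, packages them as PKCS12 keystores plus a CA-only truststore, and checks the result. The hostname, agent name, store password and output directory are placeholders. The efm.properties keys written at the end are the TLS-context property names the author assumes; only efm.web.host appears on this page, so compare the others against the efm.properties shipped with your Edge Flow Manager version before using them.

```shell
#!/usr/bin/env bash
# Added example (not Cloudera's code): private CA + EFM server certificate +
# MiNiFi agent certificate with OpenSSL, packaged as PKCS12 stores for the
# TLS contexts. Placeholders: OUT, EFM_HOST, AGENT_ID, STORE_PASS.
set -eu

OUT="${OUT:-./cem-pki}"
EFM_HOST="${EFM_HOST:-efm.example.internal}"   # DNS name the agents will dial
AGENT_ID="${AGENT_ID:-minifi-agent-001}"       # one certificate per agent
STORE_PASS="${STORE_PASS:-changeit}"           # placeholder; use a real secret

# Self-signed CA that both EFM and the agents trust. Only certificates
# signed by this key can reach the secured EFM endpoints (mutual TLS).
make_ca() {
  mkdir -p "$OUT"
  openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 1825 \
    -subj "/CN=CEM Private CA" \
    -keyout "$OUT/ca.key" -out "$OUT/ca.crt" 2>/dev/null
  # Truststore: CA certificate only, no private key.
  openssl pkcs12 -export -nokeys -in "$OUT/ca.crt" -name "cem-ca" \
    -passout "pass:$STORE_PASS" -out "$OUT/truststore.p12"
}

# issue_cert <name> <CN> <extendedKeyUsage> <subjectAltName>
# serverAuth for the EFM server, clientAuth for agents: an agent certificate
# cannot then be replayed to impersonate the server, and vice versa.
issue_cert() {
  local name=$1 cn=$2 eku=$3 san=$4
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$OUT/$name.key" -out "$OUT/$name.csr" 2>/dev/null
  printf 'subjectAltName=%s\nextendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\nbasicConstraints=CA:FALSE\n' \
    "$san" "$eku" > "$OUT/$name.ext"
  openssl x509 -req -sha256 -days 365 -in "$OUT/$name.csr" \
    -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" -CAcreateserial \
    -extfile "$OUT/$name.ext" -out "$OUT/$name.crt" 2>/dev/null
  # Keystore: leaf key + certificate + CA chain, as a JVM application expects.
  openssl pkcs12 -export -inkey "$OUT/$name.key" -in "$OUT/$name.crt" \
    -certfile "$OUT/ca.crt" -name "$name" \
    -passout "pass:$STORE_PASS" -out "$OUT/$name.p12"
}

# verify_chain <name>: 0 if the certificate chains to our CA, non-zero otherwise.
verify_chain() {
  openssl verify -CAfile "$OUT/ca.crt" "$OUT/$1.crt" >/dev/null 2>&1
}

# has_eku <name> <text>: 0 if the certificate carries that extended key usage.
has_eku() {
  openssl x509 -in "$OUT/$1.crt" -noout -text | grep -q "$2"
}

# truststore_has_cert: 0 if the truststore opens with STORE_PASS and holds a cert.
truststore_has_cert() {
  openssl pkcs12 -in "$OUT/truststore.p12" -passin "pass:$STORE_PASS" -nokeys 2>/dev/null \
    | grep -q 'BEGIN CERTIFICATE'
}

# TLS-context fragment for efm.properties. Property names other than
# efm.web.host are the author's assumption; check them against your version.
write_efm_tls_properties() {
  cat > "$OUT/efm-tls.properties" <<EOF
efm.web.host=$EFM_HOST
efm.server.ssl.enabled=true
efm.server.ssl.keyStore=$OUT/efm-server.p12
efm.server.ssl.keyStoreType=PKCS12
efm.server.ssl.keyStorePassword=$STORE_PASS
efm.server.ssl.keyPassword=$STORE_PASS
efm.server.ssl.trustStore=$OUT/truststore.p12
efm.server.ssl.trustStoreType=PKCS12
efm.server.ssl.trustStorePassword=$STORE_PASS
efm.server.ssl.clientAuth=WANT
EOF
}

main() {
  make_ca
  issue_cert efm-server "$EFM_HOST" serverAuth "DNS:$EFM_HOST"
  issue_cert "$AGENT_ID" "$AGENT_ID" clientAuth "DNS:$AGENT_ID"
  write_efm_tls_properties
  verify_chain efm-server
  verify_chain "$AGENT_ID"
  echo "PKI written to $OUT"
}

main
```

Call issue_cert once per agent so that a compromised device can be revoked on its own rather than by rotating a shared agent certificate. The assumed clientAuth=WANT setting is what lets browser users reach the UI without a certificate and authenticate through SSO (step 4) while agents present their certificates; the MiNiFi side of step 3 then points the agent's own TLS context at its keystore and the same truststore.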

For more information about the security aspects of Edge Flow Manager, check out the video on the Cloudera Edge Management YouTube playlist: