Spell Check
Project: http://git-wip-us.apache.org/repos/asf/storm/repo Commit: http://git-wip-us.apache.org/repos/asf/storm/commit/05f8adcd Tree: http://git-wip-us.apache.org/repos/asf/storm/tree/05f8adcd Diff: http://git-wip-us.apache.org/repos/asf/storm/diff/05f8adcd Branch: refs/heads/master Commit: 05f8adcdaa457e1b5880b803cc304f199688b945 Parents: ebb41d7 Author: Robert (Bobby) Evans <[email protected]> Authored: Thu Oct 18 11:03:58 2018 -0500 Committer: Robert (Bobby) Evans <[email protected]> Committed: Thu Oct 18 11:03:58 2018 -0500 ---------------------------------------------------------------------- docs/SECURITY.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/storm/blob/05f8adcd/docs/SECURITY.md ---------------------------------------------------------------------- diff --git a/docs/SECURITY.md b/docs/SECURITY.md index 9363d71..6abe9c0 100644 --- a/docs/SECURITY.md +++ b/docs/SECURITY.md @@ -60,17 +60,17 @@ logviewer.filter.params: "param1":"value1" ``` The `ui.filter` is an instance of `javax.servlet.Filter` that is intended to -filter all incomming requests to the UI and authenticate the request mapping +filter all incoming requests to the UI and authenticate the request mapping it to a "user". Typically this is done by modifying or wrapping the `HttpServletRequest` to return the user principal through the `getUserPrincipal()` method or returning the user name through the -`getRemoteUser()` method. If your filter authenticates in a differnt way you +`getRemoteUser()` method. If your filter authenticates in a different way you can look at setting `ui.http.creds.plugin` to point to an instance of `IHttpCredentialsPlugin` that can take the `HttpServletRequest` and return a user name and populate the needed fields in the current `ReqContext`. These are advanced features and you may want to look at the `DefaultHttpCredentialsPlugin` as an example of how to do this. -These same settings apply to the logviewer too. If you want to have separate controle +These same settings apply to the logviewer too. If you want to have separate control over how authentication works in the logviewer you may optionally set `logviewer.filter` instead and it will override any `ui.filter` settings for the logviewer process. @@ -82,7 +82,7 @@ logviewer.port set to the port of the proxy in its storm.yaml, while the logview must have it set to the actual port that they are going to bind to. The servlet filters are preferred because it allows individual topologies to -specificy who is and who is not allowed to access the pages associated with +specify who is and who is not allowed to access the pages associated with them. Storm UI (or logviewer) can be configured to use AuthenticationFilter from hadoop-auth. @@ -118,7 +118,7 @@ on that endpoint similar to the ui/logviewer. The `drpc.http.filter` and `drpc.http.filter.params` configs can be used to setup a `Filter` for the DRPC server. Unlike the logviewer it does not fall back to the UI configs as the DRPC server is intended to be REST only and often will be hit by headless users. -The `drpc.http.creds.plugin` confg can be used in cases where the default plugin is not good enough because of how authentication happens. +The `drpc.http.creds.plugin` config can be used in cases where the default plugin is not good enough because of how authentication happens. ## UI / DRPC / LOGVIEWER SSL @@ -141,7 +141,7 @@ optional config 8. ui.https.truststore.type (example "jks") If users want to setup 2-way auth -9. ui.https.want.client.auth (If this set to true server requests for client certifcate authentication, but keeps the connection if no authentication provided) +9. ui.https.want.client.auth (If this set to true server requests for client certificate authentication, but keeps the connection if no authentication provided) 10. ui.https.need.client.auth (If this set to true server requires client to provide authentication) @@ -162,7 +162,7 @@ optional config 8. drpc.https.truststore.type (example "jks") If users want to setup 2-way auth -9. drpc.https.want.client.auth (If this set to true server requests for client certifcate authentication, but keeps the connection if no authentication provided) +9. drpc.https.want.client.auth (If this set to true server requests for client certificate authentication, but keeps the connection if no authentication provided) 10. drpc.https.need.client.auth (If this set to true server requires client to provide authentication) @@ -183,7 +183,7 @@ optional config 8. logviewer.https.truststore.type (example "jks") If users want to setup 2-way auth -9. logviewer.https.want.client.auth (If this set to true server requests for client certifcate authentication, but keeps the connection if no authentication provided) +9. logviewer.https.want.client.auth (If this set to true server requests for client certificate authentication, but keeps the connection if no authentication provided) 10. logviewer.https.need.client.auth (If this set to true server requires client to provide authentication) @@ -207,7 +207,7 @@ details may vary depending on your KDC and OS. ```bash -# Zookeeper (Will need one of these for each box in teh Zk ensamble) +# Zookeeper (Will need one of these for each box in the Zk ensemble) sudo kadmin.local -q 'addprinc zookeeper/[email protected]' sudo kadmin.local -q "ktadd -k /tmp/zk.keytab zookeeper/[email protected]" # Nimbus and DRPC @@ -430,7 +430,7 @@ supervisor.run.worker.as.user: true There are several files that go along with this that are needed to be configured properly to make storm secure. -The worker-launcher executable is a special program that allows the supervisor to launch workers as different users. For this to work it needs to be owned by root, but with the group set to be a group that only teh supervisor headless user is a part of. +The worker-launcher executable is a special program that allows the supervisor to launch workers as different users. For this to work it needs to be owned by root, but with the group set to be a group that only the supervisor headless user is a part of. It also needs to have 6550 permissions. There is also a worker-launcher.cfg file, usually located under /etc/ that should look something like the following
