[ https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14335105#comment-14335105 ]
Parth Brahmbhatt commented on STORM-446:
----------------------------------------

Thanks [~revans2], that would be helpful. I knew about ReqContext and TransportPlugin. I actually tested the doAs behavior with API changes by adding a method addProxyUser to ReqContext which adds a ProxyUser principal to reqContext's subject, overriding the principal added during the topLevel process which is obtained by calling *saslServer.getAuthorizationID()*, and returns that principal when reqContext.principal() is called. The missing part right now is how the client sends this principal to the server in our Thrift setup.

> secure Impersonation in storm
> -----------------------------
>
>                 Key: STORM-446
>                 URL: https://issues.apache.org/jira/browse/STORM-446
>             Project: Apache Storm
>          Issue Type: Improvement
>            Reporter: Sriharsha Chintalapani
>            Assignee: Parth Brahmbhatt
>              Labels: Security
>
> Storm security adds features of authenticating with Kerberos and then uses
> that principal and TGT as a way to authorize user operations, topology
> operation. Currently the Storm UI user needs to be part of nimbus.admins to get
> details on user-submitted topologies. Ideally Storm UI needs to take the
> authenticated user principal to submit requests to Nimbus, which will then
> authorize the user rather than the Storm UI user. This feature will also benefit
> superusers to impersonate other users to submit topologies in a secured way.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)