[
https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14343356#comment-14343356
]
ASF GitHub Bot commented on STORM-446:
--------------------------------------
Github user revans2 commented on a diff in the pull request:
https://github.com/apache/storm/pull/448#discussion_r25613390
--- Diff: storm-core/src/clj/backtype/storm/ui/core.clj ---
@@ -45,28 +45,46 @@
(def ^:dynamic *STORM-CONF* (read-storm-config))
(def ^:dynamic *UI-ACL-HANDLER* (mk-authorization-handler (*STORM-CONF*
NIMBUS-AUTHORIZER) *STORM-CONF*))
+(def ^:dynamic *UI-IMPERSONATION-HANDLER* (mk-authorization-handler
(*STORM-CONF* NIMBUS-IMPERSONATION-AUTHORIZER) *STORM-CONF*))
(def http-creds-handler (AuthUtils/GetUiHttpCredentialsPlugin
*STORM-CONF*))
(defmacro with-nimbus
[nimbus-sym & body]
- `(thrift/with-nimbus-connection
- [~nimbus-sym (*STORM-CONF* NIMBUS-HOST) (*STORM-CONF*
NIMBUS-THRIFT-PORT)]
- ~@body))
+ `(let [context# (ReqContext/context)
+ user# (if (.principal context#) (.getName (.principal context#)))]
+ (thrift/with-nimbus-connection-as-user
+ [~nimbus-sym (*STORM-CONF* NIMBUS-HOST) (*STORM-CONF*
NIMBUS-THRIFT-PORT) user#]
+ ~@body)))
(defn assert-authorized-user
([servlet-request op]
(assert-authorized-user servlet-request op nil))
([servlet-request op topology-conf]
- (if http-creds-handler (.populateContext http-creds-handler
(ReqContext/context) servlet-request))
- (if *UI-ACL-HANDLER*
- (let [context (ReqContext/context)]
- (if-not (.permit *UI-ACL-HANDLER* context op topology-conf)
- (let [principal (.principal context)
- user (if principal (.getName principal) "unknown")]
- (throw (AuthorizationException.
- (str "UI request '" op "' for '"
- user "' user is not authorized")))))))))
+ (let [context (ReqContext/context)]
+ (if http-creds-handler (.populateContext http-creds-handler context
servlet-request))
+
+ (if (.isImpersonating context)
+ (if *UI-IMPERSONATION-HANDLER*
+ (if-not (.permit *UI-IMPERSONATION-HANDLER* context op
topology-conf)
+ (let [principal (.principal context)
+ real-principal (.realPrincipal context)
+ user (if principal (.getName principal) "unknown")
+ real-user (if real-principal (.getName real-principal)
"unknown")
+ remote-address (.remoteAddress context)]
+ (throw (AuthorizationException.
+ (str "user '" real-user "' is not authorized to
impersonate user '" user "' from host '" remote-address "'. Please
+ see SECURITY.MD to learn how to configure
impersonation ACL.")))))
+ (log-warn " principal " (.realPrincipal context) " is trying to
impersonate " (.principal context) " but "
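Review bot: In `assert-authorized-user`, the else branch of `(if *UI-IMPERSONATION-HANDLER* ...)` visible here only calls `log-warn`, so in the lines shown an impersonating request that arrives while no impersonation authorizer is configured is logged rather than rejected. Unless the truncated remainder throws, that is a fail-open default on a check that grants another user's privileges. I would throw an `AuthorizationException` in that branch (fail closed) and keep the warning as the log record of the denial. Separately, in `with-nimbus`, `user#` is nil when the context has no principal, so a comment or docstring should state what `with-nimbus-connection-as-user` does with a nil user.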
--- End diff --
Again do we want to fail open or fail closed?
> secure Impersonation in storm
> -----------------------------
>
> Key: STORM-446
> URL: https://issues.apache.org/jira/browse/STORM-446
> Project: Apache Storm
> Issue Type: Improvement
> Reporter: Sriharsha Chintalapani
> Assignee: Parth Brahmbhatt
> Labels: Security
>
> Storm security adds features of authenticating with Kerberos and then uses
> that principal and TGT as a way to authorize user operations, topology
> operation. Currently Storm UI user needs to be part of nimbus.admins to get
> details on user submitted topologies. Ideally storm ui needs to take
> authenticated user principal to submit requests to nimbus which will then
> authorize the user rather than storm UI user. This feature will also benefit
> superusers to impersonate other users to submit topologies in a secured way.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)