[
https://issues.apache.org/jira/browse/STORM-1096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15368287#comment-15368287
]
Robert Joseph Evans commented on STORM-1096:
--------------------------------------------
[~sriharsha]
Sorry I have been out a lot lately and I am now just catching up.
There were a few things that went into this one pull request.
1) {{nimbus.impersonation.authorizer}} was set to
{{"backtype.storm.security.auth.authorizer.ImpersonationAuthorizer"}} by
default. This was done so when security is enabled it is one less config that
needs to be changed when enabling security to get it to work, and to fail
closed (like you mentioned).
2) {{populate-context!}} was added to make sure that the user we impersonate is
always the one from the UI.
3) In the servlet callback handler we null out the "user" to try and avoid
these sorts of leaks again in the future.
First of all to clarify a few things. Having impersonation locked down should
not prevent someone from submitting a topology. It prevents someone from
submitting a topology as someone else (which is the entire point of this JIRA).
They can still submit a topology as themselves, without impersonation. If that
does not work then we need to file a separate JIRA and fix that, because I
should always be able to submit something as myself, no ACL required.
I am confused about what behavior is the opposite of what we want.
From what I see if you want ambari and the UI to both work, you would set
{{nimbus.impersonation.acl}} to something like
{code}
nimbus.impersonation.acl:
  ambari-server-storm: # super user
    users: ["*"]
    hosts: ["*"]
  ui-storm: # super user
    users: ["*"]
    hosts: ["my.nimbus.host"]
{code}
I don't really see why this is hard to automate. If you have a cleaner way to
do it I am all in favor of it, but we cannot default to allowing anyone to
impersonate anyone else by default. It is too easy for someone to shoot
themselves in the foot and be completely insecure when they think they are OK.
> UI tries to impersonate wrong user when getting topology conf for
> authorization, impersonation is allowed by default
> --------------------------------------------------------------------------------------------------------------------
>
> Key: STORM-1096
> URL: https://issues.apache.org/jira/browse/STORM-1096
> Project: Apache Storm
> Issue Type: Bug
> Components: storm-core
> Affects Versions: 0.10.0
> Reporter: Robert Joseph Evans
> Assignee: Robert Joseph Evans
> Priority: Blocker
> Fix For: 0.10.0
>
>
> We have started using 0.10.0 under load and found a few issues around the UI
> and impersonation.
> The UI when trying to connect to nimbus will impersonate other users.
> Nimbus, by default allows impersonation and just outputs a warning message
> that it is allowed. We really should default to not allowing impersonation.
> Having the authorizer configured by default does not hurt when running
> insecure because impersonation is not possible, but when security is enabled
> if someone forgets to set this config we are now insecure by default.
> If you do set all of that up correctly the UI now can impersonate the wrong
> user when connecting to nimbus.
> The UI decides which user to impersonate by pulling it from the request
> context. The requestContext is populated from the HttpRequest when
> assert-authorized-user is called. assert-authorized-user takes a
> topology-conf as a parameter. The only way to get this topology conf is to
> talk to nimbus, which will get the wrong user because the request context has
> not been populated yet.
> This just becomes a huge pain for users who way too often will not be able to
> see pages on the UI.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
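
A small audit of the settings discussed in this thread, added here as an illustration and not taken from Storm or from the commenter: it flags an unset {{nimbus.impersonation.authorizer}} and wildcard ACL entries, and models a deny-unless-listed decision. The users/hosts keys follow the ACL in the comment; the matching rules in may_impersonate are an assumption, not the logic of Storm's ImpersonationAuthorizer.

```python
# Added example, not Storm code. Key names come from the thread above;
# the matching semantics below are an assumption made for illustration.
AUTHORIZER_KEY = "nimbus.impersonation.authorizer"
ACL_KEY = "nimbus.impersonation.acl"


def is_wildcard(values):
    """True when a users/hosts list contains the '*' match-all entry."""
    return "*" in (values or [])


def audit(conf):
    """Return findings for one parsed (effective) configuration dict."""
    findings = []
    if not conf.get(AUTHORIZER_KEY):
        findings.append("authorizer not set: impersonation is not restricted")
    for principal, rule in (conf.get(ACL_KEY) or {}).items():
        rule = rule or {}
        any_user = is_wildcard(rule.get("users"))
        if any_user and is_wildcard(rule.get("hosts")):
            findings.append(f"{principal}: any user from any host")
        elif any_user:
            findings.append(f"{principal}: any user, hosts restricted")
    return findings


def may_impersonate(conf, principal, target_user, host):
    """Fail closed: deny unless an ACL entry explicitly allows the request."""
    if principal == target_user:
        return True  # acting as yourself is not impersonation
    rule = (conf.get(ACL_KEY) or {}).get(principal)
    if not rule:
        return False  # principal has no ACL entry
    users, hosts = rule.get("users") or [], rule.get("hosts") or []
    user_ok = is_wildcard(users) or target_user in users
    host_ok = is_wildcard(hosts) or host in hosts
    return user_ok and host_ok


# Constructed sample mirroring the ACL in the comment.
SAMPLE = {
    AUTHORIZER_KEY: "backtype.storm.security.auth.authorizer.ImpersonationAuthorizer",
    ACL_KEY: {
        "ambari-server-storm": {"users": ["*"], "hosts": ["*"]},
        "ui-storm": {"users": ["*"], "hosts": ["my.nimbus.host"]},
    },
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```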