[
https://issues.apache.org/jira/browse/STORM-1096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15368572#comment-15368572
]
Robert Joseph Evans commented on STORM-1096:
--------------------------------------------
realPrincipal is the actual user making the thrift call. In the case of a
normal UI interaction/REST call this is the UI user.
principal is the user being impersonated by the thrift call. In the case of a
normal UI interaction/REST call this is the user that authenticated with the UI
("topology-user1").
From the ImpersonationAuthorizer code we see that the key is the super user.
https://github.com/apache/storm/blob/master/storm-core/src/jvm/org/apache/storm/security/auth/authorizer/ImpersonationAuthorizer.java#L65-66
https://github.com/apache/storm/blob/master/storm-core/src/jvm/org/apache/storm/security/auth/authorizer/ImpersonationAuthorizer.java#L76
Now the next question is what happens if I try to double impersonate. If I
want to do a REST call to the UI impersonating another user.
{{?doAsUser=testUSer1}}
The DefaultHttpCredentialsPlugin will set up the impersonation
https://github.com/apache/storm/blob/master/storm-core/src/jvm/org/apache/storm/security/auth/DefaultHttpCredentialsPlugin.java#L74-L84
Inside core we are checking it with ImpersonationAuthorizer, and then we pull
the user out (not the real user but the user being impersonated) and pass it on
to be used when the UI tries to impersonate a user.
https://github.com/apache/storm/blob/master/storm-core/src/clj/org/apache/storm/ui/core.clj#L87-L112
https://github.com/apache/storm/blob/master/storm-core/src/clj/org/apache/storm/ui/core.clj#L1063-L1065
https://github.com/apache/storm/blob/master/storm-clojure/src/clj/org/apache/storm/thrift.clj#L94
To me it looks like everything is already written how you want it to be. There
could be some bugs in there because I honestly don't use the double
impersonation, but it should be working how you want it to.
> UI tries to impersonate wrong user when getting topology conf for
> authorization, impersonation is allowed by default
> --------------------------------------------------------------------------------------------------------------------
>
> Key: STORM-1096
> URL: https://issues.apache.org/jira/browse/STORM-1096
> Project: Apache Storm
> Issue Type: Bug
> Components: storm-core
> Affects Versions: 0.10.0
> Reporter: Robert Joseph Evans
> Assignee: Robert Joseph Evans
> Priority: Blocker
> Fix For: 0.10.0
>
>
> We have started using 0.10.0 under load and found a few issues around the UI
> and impersonation.
> The UI when trying to connect to nimbus will impersonate other users.
> Nimbus, by default, allows impersonation and just outputs a warning message
> that it is allowed. We really should default to not allowing impersonation.
> Having the authorizer configured by default does not hurt when running
> insecure because impersonation is not possible, but when security is enabled
> if someone forgets to set this config we are now insecure by default.
> If you do set all of that up correctly the UI now can impersonate the wrong
> user when connecting to nimbus.
> The UI decides which user to impersonate by pulling it from the request
> context. The requestContext is populated from the HttpRequest when
> assert-authorized-user is called. assert-authorized-user takes a
> topology-conf as a parameter. The only way to get this topology conf is to
> talk to nimbus, which will get the wrong user because the request context has
> not been populated yet.
> This just became a huge pain for users who way too often will not be able to
> see pages on the UI.
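
A simplified model of the two hops described in the comment and issue above, added here as an example and not taken from Storm's code: the HTTP hop (`?doAsUser`), the thrift hop from the UI to nimbus, and the unconfigured-authorizer default. The ACL contents, the `ui-service` name and all function names are constructed assumptions, and the model checks only user names.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ReqContext:
    real_principal: Optional[str]  # caller actually authenticated on this hop
    principal: str                 # user the call acts as

    def is_impersonating(self) -> bool:
        return self.real_principal is not None and self.real_principal != self.principal

# Constructed ACL keyed by the impersonating ("super") user, as the comment describes.
ACL = {
    "ui-service": {"topology-user1", "testUSer1"},
    "topology-user1": {"testUSer1"},
}

def permit(ctx, acl, deny_when_unconfigured=True):
    """Model of an impersonation check keyed on real_principal."""
    if not ctx.is_impersonating():
        return True
    if acl is None:
        # False models the default the issue reports (warn, then allow).
        return not deny_when_unconfigured
    allowed = acl.get(ctx.real_principal)
    return allowed is not None and ctx.principal in allowed

def http_context(authenticated_user, do_as_user=None):
    """UI hop: ?doAsUser makes the authenticated HTTP user the real principal."""
    if do_as_user:
        return ReqContext(real_principal=authenticated_user, principal=do_as_user)
    return ReqContext(real_principal=None, principal=authenticated_user)

def thrift_context(ui_user, http_ctx):
    """Nimbus hop: the UI is the caller and forwards the impersonated user."""
    return ReqContext(real_principal=ui_user, principal=http_ctx.principal)

def double_impersonation(authenticated_user, do_as_user, acl, ui_user="ui-service"):
    """Both hops must pass; returns (allowed, context nimbus would see)."""
    http_ctx = http_context(authenticated_user, do_as_user)
    if not permit(http_ctx, acl):
        return False, None
    nimbus_ctx = thrift_context(ui_user, http_ctx)
    return permit(nimbus_ctx, acl), nimbus_ctx
```
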