[ 
https://issues.apache.org/jira/browse/STORM-1096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15370789#comment-15370789
 ] 

Robert Joseph Evans commented on STORM-1096:
--------------------------------------------

[~sriharsha],

If we want to support doAsUser on the REST API then we have to have REST/UI 
also validate that it is OK, otherwise I can add that parameter in and pretend 
to be anyone through the REST API.

It is a chain of trust.  userB is pretending to be userA to the UI, so the UI 
in turn pretends to be userA to nimbus.  The thrift connection to nimbus from 
the UI loses the fact that userB is the real user and as such will never be 
able to properly validate that userB is allowed to impersonate userA.  If we 
change how the impersonation code works so that the UI can say to nimbus I am 
the UI but I am pretending to be userB who is pretending to be userA we could 
make it work.  But this would be a non-standard change as SASL does not really 
support that.  We could hack it in, but I prefer the way it is.

We cannot have impersonation fail open.  I will -1 anything that tries to do 
that.

https://github.com/apache/storm/blob/master/storm-core/src/clj/org/apache/storm/ui/core.clj#L92-L105
and 
https://github.com/apache/storm/blob/master/storm-core/src/clj/org/apache/storm/daemon/nimbus.clj#L1017-L1038

{code}
(log-warn " principal " (.realPrincipal context) " is trying to impersonate " 
(.principal context) " but " NIMBUS-IMPERSONATION-AUTHORIZER " has no 
authorizer configured. This is a potential security hole. Please see 
SECURITY.MD to learn how to configure an impersonation authorizer.")
{code}
{code}
(log-warn "impersonation attempt but " NIMBUS-IMPERSONATION-AUTHORIZER " has no 
authorizer configured. potential security risk, please see SECURITY.MD to learn 
how to configure impersonation authorizer.")
{code}

Some warning messages appearing in a log somewhere saying you configured 
security incorrectly and by the way we are printing this out because someone 
may have just pwned you is not enough. What is more, your complaints about it 
being difficult to configure correctly and wanting to disable it tell me that 
we cannot have it off because there will be lots and lots of people who will 
leave it off and think that they are secure when they are not.
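The two points in the comment above, that an impersonation attempt with no authorizer configured must be refused rather than warned about, and that a doAsUser hop through the UI strips the real user out of the context nimbus sees, are modelled in the following added example. It is not Storm's code, Clojure or Java; the class and function names, the `ReqContext` fields, the ACL shape (impersonator, allowed hosts, allowed target groups) and the sample users and hosts are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ReqContext:
    """What the server side learns from the authenticated connection (field names assumed)."""
    real_principal: Optional[str]   # who actually authenticated; None on an insecure cluster
    principal: str                  # who the caller claims to act as
    remote_host: str                # where the connection came from


class ImpersonationDenied(Exception):
    pass


class AclImpersonationAuthorizer:
    """Allow impersonator -> target only from listed hosts and only for targets in listed groups.

    ACL shape is an assumption of this example:
        {impersonator: {"hosts": [...], "groups": [...]}}
    """

    def __init__(self, acl: Dict[str, Dict[str, List[str]]], user_groups: Dict[str, List[str]]):
        self.acl = acl
        self.user_groups = user_groups

    def permit(self, ctx: ReqContext) -> bool:
        entry = self.acl.get(ctx.real_principal)
        if entry is None:
            return False                      # unknown impersonator: deny
        if ctx.remote_host not in entry.get("hosts", []):
            return False                      # right user, wrong host: deny
        target_groups = set(self.user_groups.get(ctx.principal, []))
        return bool(target_groups & set(entry.get("groups", [])))


def check_impersonation(ctx: ReqContext, authorizer) -> None:
    """Raise ImpersonationDenied unless the call may proceed as ctx.principal.

    A caller acting as itself is never impersonation. An impersonation attempt with
    no authorizer configured is refused outright (fail closed) instead of being
    logged as a warning and allowed through.
    """
    if ctx.real_principal is None or ctx.real_principal == ctx.principal:
        return
    if authorizer is None:
        raise ImpersonationDenied(
            f"{ctx.real_principal} tried to impersonate {ctx.principal} "
            "but no impersonation authorizer is configured")
    if not authorizer.permit(ctx):
        raise ImpersonationDenied(
            f"{ctx.real_principal} is not allowed to impersonate "
            f"{ctx.principal} from {ctx.remote_host}")


def is_permitted(ctx: ReqContext, authorizer) -> bool:
    """Boolean wrapper around check_impersonation for callers that prefer a verdict."""
    try:
        check_impersonation(ctx, authorizer)
        return True
    except ImpersonationDenied:
        return False


def ui_to_nimbus(ui_principal: str, ui_host: str, request_user: str, do_as: Optional[str]) -> ReqContext:
    """Model the doAsUser chain: request_user authenticated to the UI and may have asked to
    act as do_as; the UI then opens its own connection to nimbus with its own credential.
    Only the UI's identity reaches nimbus, so request_user is absent from the returned context."""
    return ReqContext(real_principal=ui_principal, principal=do_as or request_user, remote_host=ui_host)


# Constructed sample policy and group membership (not from any real deployment).
SAMPLE_ACL = {"ui": {"hosts": ["ui-host.example"], "groups": ["analysts"]}}
SAMPLE_GROUPS = {"userA": ["analysts"], "userB": ["analysts"], "root": ["admins"]}
SAMPLE_AUTHORIZER = AclImpersonationAuthorizer(SAMPLE_ACL, SAMPLE_GROUPS)


if __name__ == "__main__":
    ctx = ui_to_nimbus("ui", "ui-host.example", "userB", do_as="userA")
    print("no authorizer configured:", is_permitted(ctx, None))            # False: fail closed
    print("authorizer configured:", is_permitted(ctx, SAMPLE_AUTHORIZER))  # True: ui may act as analysts
    print("real user nimbus sees:", ctx.real_principal)                     # ui, never userB
```

The last function is the chain-of-trust point: whether userB or anyone else asked the UI for doAsUser=userA, the context that reaches the impersonation check is identical, so an authorizer on the nimbus side can only decide whether the UI may act as userA, never whether userB may.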

> UI tries to impersonate wrong user when getting topology conf for 
> authorization, impersonation is allowed by default
> --------------------------------------------------------------------------------------------------------------------
>
>                 Key: STORM-1096
>                 URL: https://issues.apache.org/jira/browse/STORM-1096
>             Project: Apache Storm
>          Issue Type: Bug
>          Components: storm-core
>    Affects Versions: 0.10.0
>            Reporter: Robert Joseph Evans
>            Assignee: Robert Joseph Evans
>            Priority: Blocker
>             Fix For: 0.10.0
>
>
> We have started using 0.10.0 under load and found a few issues around the UI 
> and impersonation.
> The UI when trying to connect to nimbus will impersonate other users.  
> Nimbus, by default allows impersonation and just outputs a warning message 
> that it is allowed.  We really should default to not allowing impersonation.  
> Having the authorizer configured by default does not hurt when running 
> insecure because impersonation is not possible, but when security is enabled 
> if someone forgets to set this config we are now insecure by default.
> If you do set all of that up correctly the UI now can impersonate the wrong 
> user when connecting to nimbus.
> The UI decides which user to impersonate by pulling it from the request 
> context.  The requestContext is populated from the HttpRequest when 
> assert-authorized-user is called.  assert-authorized-user takes a 
> topology-conf as a parameter.  The only way to get this topology conf is to 
> talk to nimbus, which will get the wrong user because the request context has 
> not been populated yet.
> This just became a huge pain for users who way too often will not be able to 
> see pages on the UI.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
