[jira] [Commented] (STORM-446) secure Impersonation in storm

2015-03-12 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14358985#comment-14358985
 ] 

ASF GitHub Bot commented on STORM-446:
--

Github user asfgit closed the pull request at:

https://github.com/apache/storm/pull/448


 secure Impersonation in storm
 -

 Key: STORM-446
 URL: https://issues.apache.org/jira/browse/STORM-446
 Project: Apache Storm
  Issue Type: Improvement
Reporter: Sriharsha Chintalapani
Assignee: Parth Brahmbhatt
  Labels: Security

 Storm security adds features of authenticating with Kerberos and then uses 
 that principal and TGT as a way to authorize user operations and topology 
 operations. Currently the Storm UI user needs to be part of nimbus.admins to 
 get details on user-submitted topologies. Ideally the Storm UI needs to take 
 the authenticated user principal to submit requests to nimbus, which will then 
 authorize the user rather than the Storm UI user. This feature will also 
 benefit superusers to impersonate other users to submit topologies in a 
 secured way.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (STORM-446) secure Impersonation in storm

2015-03-08 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14352224#comment-14352224
 ] 

ASF GitHub Bot commented on STORM-446:
--

Github user Parth-Brahmbhatt commented on a diff in the pull request:

https://github.com/apache/storm/pull/448#discussion_r26008403
  
--- Diff: STORM-UI-REST-API.md ---
@@ -32,6 +32,11 @@ You can use a tool such as `curl` to talk to the REST 
API:
 # Note: We assume ui.port is configured to the default value of 8080.
 $ curl http://ui-host:8080/api/v1/cluster/configuration
 
+##Impersonating a user in secure environment
+In a secure environment an authenticated user can impersonate another 
user. To impersonate a user the caller must pass
+`doAsUser` param or header with value set to the user that the request 
needs to be performed as. Please see SECURITY.MD
+to learn more about how to setup impersonation ACLs and authorization. The 
rest API uses the same configs and acls that
+are used by nimbus.
--- End diff --
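
Review bot: The added section says the caller passes `doAsUser` as a "param or header" but does not say which one is used when both are present with different values, and unlike the `curl` call just above it gives no example request. State the precedence, add one example request that carries `doAsUser`, put a space after `##` in the heading so it renders as a heading everywhere, and check that `SECURITY.MD` matches the case of the real file name so the reference resolves.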

Added and upmerged.




[jira] [Commented] (STORM-446) secure Impersonation in storm

2015-03-08 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14352249#comment-14352249
 ] 

ASF GitHub Bot commented on STORM-446:
--

Github user harshach commented on the pull request:

https://github.com/apache/storm/pull/448#issuecomment-3604
  
@Parth-Brahmbhatt  Overall code looks good to me. I am trying to run a few 
tests in a secure cluster, but during the mvn build the following unit test is 
failing:

    <testcase name="test-populate-req-context-on-null-user" classname="backtype.storm.security.auth.DefaultHttpCredentialsPlugin-test">
    <failure>expected: (= 0 (-> handler (.populateContext context req) (.subject) (.getPrincipals) (.size)))
      actual: (not (= 0 1))
      at: run-test2660255144893935715.clj:85</failure>
    </testcase>

Can you please take a look.




[jira] [Commented] (STORM-446) secure Impersonation in storm

2015-03-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14343356#comment-14343356
 ] 

ASF GitHub Bot commented on STORM-446:
--

Github user revans2 commented on a diff in the pull request:

https://github.com/apache/storm/pull/448#discussion_r25613390
  
--- Diff: storm-core/src/clj/backtype/storm/ui/core.clj ---
@@ -45,28 +45,46 @@
 
 (def ^:dynamic *STORM-CONF* (read-storm-config))
 (def ^:dynamic *UI-ACL-HANDLER* (mk-authorization-handler (*STORM-CONF* 
NIMBUS-AUTHORIZER) *STORM-CONF*))
+(def ^:dynamic *UI-IMPERSONATION-HANDLER* (mk-authorization-handler 
(*STORM-CONF* NIMBUS-IMPERSONATION-AUTHORIZER) *STORM-CONF*))
 
 (def http-creds-handler (AuthUtils/GetUiHttpCredentialsPlugin 
*STORM-CONF*))
 
 (defmacro with-nimbus
   [nimbus-sym  body]
-  `(thrift/with-nimbus-connection
- [~nimbus-sym (*STORM-CONF* NIMBUS-HOST) (*STORM-CONF* 
NIMBUS-THRIFT-PORT)]
- ~@body))
+  `(let [context# (ReqContext/context)
+ user# (if (.principal context#) (.getName (.principal context#)))]
+(thrift/with-nimbus-connection-as-user
+   [~nimbus-sym (*STORM-CONF* NIMBUS-HOST) (*STORM-CONF* 
NIMBUS-THRIFT-PORT) user#]
+   ~@body)))
 
 (defn assert-authorized-user
   ([servlet-request op]
 (assert-authorized-user servlet-request op nil))
   ([servlet-request op topology-conf]
- (if http-creds-handler (.populateContext http-creds-handler 
(ReqContext/context) servlet-request))
- (if *UI-ACL-HANDLER*
-   (let [context (ReqContext/context)]
- (if-not (.permit *UI-ACL-HANDLER* context op topology-conf)
-   (let [principal (.principal context)
- user (if principal (.getName principal) unknown)]
- (throw (AuthorizationException.
- (str UI request ' op ' for '
-  user ' user is not authorized)
+(let [context (ReqContext/context)]
+  (if http-creds-handler (.populateContext http-creds-handler context 
servlet-request))
+
+  (if (.isImpersonating context)
+(if *UI-IMPERSONATION-HANDLER*
+(if-not (.permit *UI-IMPERSONATION-HANDLER* context op 
topology-conf)
+  (let [principal (.principal context)
+real-principal (.realPrincipal context)
+user (if principal (.getName principal) unknown)
+real-user (if real-principal (.getName real-principal) 
unknown)
+remote-address (.remoteAddress context)]
+(throw (AuthorizationException.
+ (str user ' real-user ' is not authorized to 
impersonate user ' user ' from host ' remote-address '. Please
+ see SECURITY.MD to learn how to configure 
impersonation ACL.)
+  (log-warn  principal  (.realPrincipal context)  is trying to 
impersonate  (.principal context)  but 
--- End diff --
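
Review bot: In `assert-authorized-user`, when `(.isImpersonating context)` is true but `*UI-IMPERSONATION-HANDLER*` is nil, the visible else branch is a `log-warn` with no throw shown, so an impersonated request is not rejected at this point when no impersonation authorizer is configured. Treat the missing handler as a configuration error and throw the same `AuthorizationException` there instead of only logging. This matters more because `with-nimbus` now builds `user#` from `(.principal context#)`, the impersonation target, and passes it to `with-nimbus-connection-as-user`.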

Again do we want to fail open or fail closed?




[jira] [Commented] (STORM-446) secure Impersonation in storm

2015-03-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14343371#comment-14343371
 ] 

ASF GitHub Bot commented on STORM-446:
--

Github user revans2 commented on the pull request:

https://github.com/apache/storm/pull/448#issuecomment-76749638
  
For the most part it looks great.  Just a little curious if we really want 
to fail open when no impersonation authorizer is configured?  I am +1 either 
way.




[jira] [Commented] (STORM-446) secure Impersonation in storm

2015-03-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14343491#comment-14343491
 ] 

ASF GitHub Bot commented on STORM-446:
--

Github user Parth-Brahmbhatt commented on the pull request:

https://github.com/apache/storm/pull/448#issuecomment-76764354
  
We should fail closed; however, currently if the ACL authorizer is not set we 
fail open. Not sure why we made that choice, but I did not want alternating 
behavior. My personal preference is to fail closed on any potential security 
configuration mistake.




[jira] [Commented] (STORM-446) secure Impersonation in storm

2015-02-28 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14341938#comment-14341938
 ] 

ASF GitHub Bot commented on STORM-446:
--

Github user Parth-Brahmbhatt commented on the pull request:

https://github.com/apache/storm/pull/448#issuecomment-76574425
  
@revans2 I added the fixes. I also added the doAs support to REST API.




[jira] [Commented] (STORM-446) secure Impersonation in storm

2015-02-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14340382#comment-14340382
 ] 

ASF GitHub Bot commented on STORM-446:
--

Github user revans2 commented on the pull request:

https://github.com/apache/storm/pull/448#issuecomment-76430788
  
I haven't gone deeply into the code, but for the most part it looks good.  
Just one request that should hopefully not be too difficult to change.




[jira] [Commented] (STORM-446) secure Impersonation in storm

2015-02-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14340514#comment-14340514
 ] 

ASF GitHub Bot commented on STORM-446:
--

Github user Parth-Brahmbhatt commented on a diff in the pull request:

https://github.com/apache/storm/pull/448#discussion_r25526790
  
--- Diff: 
storm-core/src/jvm/backtype/storm/security/auth/authorizer/SimpleACLAuthorizer.java
 ---
@@ -50,6 +50,7 @@
 protected SetString _supervisors;
 protected IPrincipalToLocal _ptol;
 protected IGroupMappingServiceProvider _groupMappingProvider;
+protected ImpersonationAuthorizer _impersonationAuthorizer;
--- End diff --
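
Review bot: Declaring `_impersonationAuthorizer` as a field of `SimpleACLAuthorizer` ties the impersonation check to this one authorizer class, so a cluster configured with a different authorizer would not get the check through this field. Consider running the impersonation check outside the ACL authorizer, before it is consulted, and document on the field or its replacement what happens when no impersonation authorizer is configured.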

Ok, I am going to add this authorization as part of nimbus 
check-authorization! method. I will also add nimbus.impersonation.authorizer 
config to allow for overriding behavior. I will also add the logging changes 
there. 




[jira] [Commented] (STORM-446) secure Impersonation in storm

2015-02-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14340518#comment-14340518
 ] 

ASF GitHub Bot commented on STORM-446:
--

Github user Parth-Brahmbhatt commented on the pull request:

https://github.com/apache/storm/pull/448#issuecomment-76446301
  
@revans2 @harshach  For supporting the actual jira issue ui server being 
able to impersonate users we probably need to support wildcards (allow userX 
to impersonate all users(*) from localhost) or allow the nimbus.admin users 
to impersonate all users from all hosts.  Any preferences?




[jira] [Commented] (STORM-446) secure Impersonation in storm

2015-02-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14340606#comment-14340606
 ] 

ASF GitHub Bot commented on STORM-446:
--

Github user revans2 commented on the pull request:

https://github.com/apache/storm/pull/448#issuecomment-76450968
  
Yes we would need something like that for this to work.  I'm not sure I 
want all administrators to have that power though.




[jira] [Commented] (STORM-446) secure Impersonation in storm

2015-02-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14340616#comment-14340616
 ] 

ASF GitHub Bot commented on STORM-446:
--

Github user Parth-Brahmbhatt commented on the pull request:

https://github.com/apache/storm/pull/448#issuecomment-76451646
  
@revans2 I agree. I can allow users to specify regex for matching but that 
seems like overkill. For now I am just going to make * a special 
character for both groups and hosts. 




[jira] [Commented] (STORM-446) secure Impersonation in storm

2015-02-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14339543#comment-14339543
 ] 

ASF GitHub Bot commented on STORM-446:
--

GitHub user Parth-Brahmbhatt opened a pull request:

https://github.com/apache/storm/pull/448

STORM-446: Allow superusers to impersonate other users in secure mode.



You can merge this pull request into a Git repository by running:

$ git pull https://github.com/Parth-Brahmbhatt/incubator-storm STORM-446

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/storm/pull/448.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #448


commit 086e9e588e46922198d56faafbc9d25f4a543f47
Author: Parth Brahmbhatt brahmbhatt.pa...@gmail.com
Date:   2015-02-27T01:26:09Z

STORM-446: Allow superusers to impersonate other users in secure mode.

commit 32df28743781767059fc0360c2ef9d166a7af6fb
Author: Parth Brahmbhatt brahmbhatt.pa...@gmail.com
Date:   2015-02-27T01:27:02Z

Merge remote-tracking branch 'upstream/master' into STORM-446






[jira] [Commented] (STORM-446) secure Impersonation in storm

2015-02-25 Thread Parth Brahmbhatt (JIRA)

[ 
https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14337102#comment-14337102
 ] 

Parth Brahmbhatt commented on STORM-446:


[~revans2] Ok I will go ahead with the second approach but I am running into 
another SASL API detail. I only get the authenticatedId and authorizationId 
when the AuthorizationCallBack occurs; once the callback returns the server 
seems to only record the authorizedId, which is what it returns when we call 
*saslServer.getAuthorizationID()*, and there is no 
*saslServer.getAuthenticationID()* API.

I also considered doing the impersonation authorization as part of 
AuthorizationCallback itself, but there is no way to access client ip/hostName 
as the callback only gets authenticationId and authorizationId and no socket 
information and this information is not known at the time of Callback 
initialization. 

If you know a workaround off the top of your head let me know.



[jira] [Commented] (STORM-446) secure Impersonation in storm

2015-02-24 Thread Robert Joseph Evans (JIRA)

[ 
https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14335387#comment-14335387
 ] 

Robert Joseph Evans commented on STORM-446:
---

OK :) so our resident expert was in a meeting so I traced down the code in 
openJDK myself.

http://download.java.net/jdk7/archive/b123/docs/api/javax/security/sasl/SaslClientFactory.html#createSaslClient%28java.lang.String%5B%5D,%20java.lang.String,%20java.lang.String,%20java.lang.String,%20java.util.Map,%20javax.security.auth.callback.CallbackHandler%29

The second parameter authorizationId is the name of the principal that you are 
trying to impersonate.  If it is null then it will just use the original user.

So

https://github.com/apache/storm/blob/master/storm-core/src/jvm/backtype/storm/security/auth/kerberos/KerberosSaslTransportPlugin.java#L127-133

We would change the second argument to TSaslClientTransport from being the 
principal, which turns out we don't need, to be the name of the user we wish 
to impersonate.


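The SASL behaviour discussed in the two comments above (the `authorizationId` argument to `createSaslClient`, and the server exposing only `getAuthorizationID()` once the exchange completes), as an added example that is not Storm code. It runs the JDK's DIGEST-MD5 mechanism inside one JVM in place of Kerberos; the user names, password, protocol name and the `MAY_ACT_AS` set are constructed assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;

// Added illustration only; not Storm code. Requires Java 16+ (pattern matching).
public class SaslAuthzIdDemo {
    // Constructed sample values.
    static final String MECH = "DIGEST-MD5", PROTOCOL = "storm", HOST = "localhost";
    static final String AUTHN_USER = "storm-ui";                 // identity that proves itself
    static final char[] PASSWORD = "constructed-secret".toCharArray();
    static final Set<String> MAY_ACT_AS = Set.of("alice");       // targets storm-ui may act as

    // Both identities are visible together only inside AuthorizeCallback, so a
    // later check (for example by client host) has to capture them here.
    static String seenAuthenticationId, seenAuthorizationId;

    static final CallbackHandler CLIENT = callbacks -> {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback nc) nc.setName(AUTHN_USER);
            else if (cb instanceof PasswordCallback pc) pc.setPassword(PASSWORD);
            else if (cb instanceof RealmCallback rc) rc.setText(rc.getDefaultText());
            else throw new UnsupportedCallbackException(cb);
        }
    };

    static final CallbackHandler SERVER = callbacks -> {
        String user = null;
        for (Callback cb : callbacks) {
            if (cb instanceof RealmCallback) {
                // keep the realm the server proposed
            } else if (cb instanceof NameCallback nc) {
                user = nc.getDefaultName();                      // name the client authenticated as
            } else if (cb instanceof PasswordCallback pc) {
                if (AUTHN_USER.equals(user)) pc.setPassword(PASSWORD);
            } else if (cb instanceof AuthorizeCallback ac) {
                seenAuthenticationId = ac.getAuthenticationID();
                seenAuthorizationId = ac.getAuthorizationID();
                boolean self = seenAuthenticationId.equals(seenAuthorizationId);
                // Deny unless the target is the caller itself or explicitly listed.
                ac.setAuthorized(self || MAY_ACT_AS.contains(seenAuthorizationId));
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    };

    /** Runs one handshake; authorizationId is the user to act as, or null for none. */
    static String connectAs(String authorizationId) throws SaslException {
        Map<String, Object> props = new HashMap<>();
        SaslClient client = Sasl.createSaslClient(
            new String[] {MECH}, authorizationId, PROTOCOL, HOST, props, CLIENT);
        SaslServer server = Sasl.createSaslServer(MECH, PROTOCOL, HOST, props, SERVER);

        byte[] challenge = server.evaluateResponse(new byte[0]);
        byte[] response = client.evaluateChallenge(challenge);
        byte[] rspauth = server.evaluateResponse(response);      // AuthorizeCallback fires here
        client.evaluateChallenge(rspauth);

        // SaslServer has getAuthorizationID() but no getAuthenticationID().
        return server.getAuthorizationID();
    }

    public static void main(String[] args) {
        for (String target : new String[] {null, "alice", "bob"}) {
            try {
                String authorized = connectAs(target);
                System.out.printf("requested=%s authenticated=%s authorizedAs=%s%n",
                    target, seenAuthenticationId, authorized);
            } catch (SaslException e) {
                System.out.printf("requested=%s authenticated=%s rejected: %s%n",
                    target, seenAuthenticationId, e.getMessage());
            }
        }
    }
}
```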

[jira] [Commented] (STORM-446) secure Impersonation in storm

2015-02-24 Thread Robert Joseph Evans (JIRA)

[ 
https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14334970#comment-14334970
 ] 

Robert Joseph Evans commented on STORM-446:
---

I really would like to use the built in SASL mechanism for impersonation.  Yes 
it is on a per-connection basis so it cannot be changed mid stream, but I think 
that is really OK.  ZK is the only protocol that I know of that allows you to 
change who you are mid-connection.  To avoid passing around a UGI object we do 
something very similar to the security context

https://github.com/apache/storm/blob/master/storm-core/src/jvm/backtype/storm/security/auth/ReqContext.java

we store the principal in the ReqContext which has a thread specific user 
stored in there.  

https://github.com/apache/storm/blob/master/storm-core/src/jvm/backtype/storm/security/auth/SimpleTransportPlugin.java
https://github.com/apache/storm/blob/master/storm-core/src/jvm/backtype/storm/security/auth/SaslTransportPlugin.java
https://github.com/apache/storm/blob/master/storm-core/src/jvm/backtype/storm/security/auth/IHttpCredentialsPlugin.java

are where we do this for various transport mechanisms.  We don't do it as a 
real principal in the security context to avoid situations where credentials 
might be mixed up between nimbus and the user we are acting on behalf of.

If you need some examples to make the SASL impersonation code work, I know 
hadoop does some of this, and I can talk to our local expert for more examples 
if you like.



[jira] [Commented] (STORM-446) secure Impersonation in storm

2015-02-24 Thread Parth Brahmbhatt (JIRA)

[ 
https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14335105#comment-14335105
 ] 

Parth Brahmbhatt commented on STORM-446:


Thanks [~revans2], that would be helpful. I knew about ReqContext and 
TransportPlugin. I actually tested the doAs behavior with API changes by adding 
a method addProxyUser to ReqContext which adds a ProxyUser principal to 
reqContext's subject, overriding the principal added during the topLevel 
process which is obtained by calling *saslServer.getAuthorizationID()*, and 
returns that principal when reqContext.principal() is called. The missing part 
right now is how the client sends this principal to the server in our thrift 
setup. 





[jira] [Commented] (STORM-446) secure Impersonation in storm

2015-02-24 Thread Parth Brahmbhatt (JIRA)

[ 
https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14335650#comment-14335650
 ] 

Parth Brahmbhatt commented on STORM-446:


[~revans2] Thanks a lot for the pointer I tried it and it works as expected. 

As far as authZ for impersonation goes we have 2 options. We already have a 
list of admin users, so as part of impersonation I can check that the user 
trying to impersonate is in the admin user list. Alternatively I can follow 
hadoop/hbase config and add the following 2 configs:
storm.impersonation.userX.groups: [list of groups userX is allowed to 
impersonate]
storm.impersonation.userX.hosts: [list of hosts from which userX is allowed to 
impersonate]

I like the second option as due to finer granularity it provides more security 
however it also requires extra configuration. Let me know what you guys think.

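The second option in the comment above (per-user groups and hosts lists), sketched as an added example that is not part of the original comment or of Storm's code. The class name, the flat config map, the reading of "groups" as the groups whose members may be impersonated, and the sample user, group and host names are assumptions.

```java
import java.util.*;
import java.util.regex.*;

// Added example, not Storm's implementation. Key layout follows the comment above.
public class ImpersonationAclExample {
    private static final Pattern GROUPS_KEY =
        Pattern.compile("storm\\.impersonation\\.(.+)\\.groups");

    private final Map<String, Set<String>> groupsByUser = new HashMap<>();
    private final Map<String, Set<String>> hostsByUser = new HashMap<>();

    // Collects the .groups and .hosts lists for every user that has a .groups key.
    ImpersonationAclExample(Map<String, List<String>> conf) {
        for (Map.Entry<String, List<String>> e : conf.entrySet()) {
            Matcher m = GROUPS_KEY.matcher(e.getKey());
            if (!m.matches()) continue;
            String user = m.group(1);
            List<String> hosts = conf.getOrDefault(
                "storm.impersonation." + user + ".hosts", Collections.<String>emptyList());
            groupsByUser.put(user, new HashSet<>(e.getValue()));
            hostsByUser.put(user, new HashSet<>(hosts));
        }
    }

    // Deny by default: an unconfigured impersonator, an unlisted host, or a target
    // user with no group in the allowed list is rejected.
    boolean isAllowed(String impersonator, String remoteHost, Set<String> targetGroups) {
        Set<String> groups = groupsByUser.get(impersonator);
        if (groups == null) return false;
        if (!hostsByUser.get(impersonator).contains(remoteHost)) return false;
        return !Collections.disjoint(groups, targetGroups);
    }

    public static void main(String[] args) {
        Map<String, List<String>> conf = new HashMap<>();  // constructed sample config
        conf.put("storm.impersonation.ui_user.groups", Arrays.asList("analysts"));
        conf.put("storm.impersonation.ui_user.hosts", Arrays.asList("ui-host.example.com"));
        ImpersonationAclExample acl = new ImpersonationAclExample(conf);
        Set<String> analyst = Collections.singleton("analysts");
        Set<String> admin = Collections.singleton("wheel");
        // Listed host and allowed group, then unlisted host, wrong group, unknown user.
        System.out.println(acl.isAllowed("ui_user", "ui-host.example.com", analyst));
        System.out.println(acl.isAllowed("ui_user", "other-host.example.com", analyst));
        System.out.println(acl.isAllowed("ui_user", "ui-host.example.com", admin));
        System.out.println(acl.isAllowed("bob", "ui-host.example.com", analyst));
    }
}
```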


[jira] [Commented] (STORM-446) secure Impersonation in storm

2015-02-23 Thread Sriharsha Chintalapani (JIRA)

[ 
https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14334218#comment-14334218
 ] 

Sriharsha Chintalapani commented on STORM-446:
--

[~parth.brahmbhatt] As you said, saslServer.getAuthorizationID() will get the
initial authID and I don't think there is a way to submit other user credentials
once the initial SASL connection is set up.

Is it possible to add a single Thrift API that takes in a UGI and an operation,
i.e. uploadTopology, rebalance, etc., and on the server side does this as the UGI?




[jira] [Commented] (STORM-446) secure Impersonation in storm

2015-02-23 Thread Parth Brahmbhatt (JIRA)

[ 
https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14334441#comment-14334441
 ] 

Parth Brahmbhatt commented on STORM-446:


[~harsha_ch] I haven't thought this through but my initial impression is that
it will be a pretty fat API taking way too many optional params and will be hard
to use. We don't really have to pass the credentials of the other user, just
the principal name. The reason I was hoping to find a way to have another
principal submitted was because I stumbled upon
http://docs.oracle.com/javase/7/docs/api/javax/security/sasl/AuthorizeCallback.html
which seems to talk about authenticated and authorized ids and also has a
method isAuthorized() that determines if authenticatedId can act on behalf of
authorizedId. I could not find any useful examples or any documentation other
than the Javadoc.

If there is indeed no way to pass any additional info, I can add the API you
suggested or add the optional doAs param to all APIs.

[~revans2] [~ptgoetz] any thoughts?

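How a server-side handler can use the AuthorizeCallback mentioned in the comment above to decide whether the authenticated ID may act as the requested authorization ID, as an added example that is not part of the original comment or of Storm's code. The handler class name, the allow-list of impersonators and the sample principals are assumptions.

```java
import java.util.Collections;
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;

// Added example, not Storm's implementation.
public class ImpersonationCallbackHandler implements CallbackHandler {
    // Hypothetical allow-list: principals permitted to act as someone else.
    private final Set<String> mayImpersonate;

    public ImpersonationCallbackHandler(Set<String> mayImpersonate) {
        this.mayImpersonate = mayImpersonate;
    }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof AuthorizeCallback)) {
                throw new UnsupportedCallbackException(cb);
            }
            AuthorizeCallback ac = (AuthorizeCallback) cb;
            String authnId = ac.getAuthenticationID();  // identity proven during SASL
            String authzId = ac.getAuthorizationID();   // identity the client asks to act as
            // The client picks the authorization ID at connection setup
            // (the authorizationId argument of Sasl.createSaslClient).
            boolean ok = authnId.equals(authzId) || mayImpersonate.contains(authnId);
            ac.setAuthorized(ok);
            if (ok) {
                ac.setAuthorizedID(authzId);  // later returned by getAuthorizationID() on the server
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample principals.
        CallbackHandler handler = new ImpersonationCallbackHandler(
            Collections.singleton("storm-ui@EXAMPLE.COM"));
        AuthorizeCallback fromUi = new AuthorizeCallback("storm-ui@EXAMPLE.COM", "alice@EXAMPLE.COM");
        AuthorizeCallback fromBob = new AuthorizeCallback("bob@EXAMPLE.COM", "alice@EXAMPLE.COM");
        handler.handle(new Callback[] {fromUi, fromBob});
        System.out.println(fromUi.isAuthorized() + " " + fromUi.getAuthorizedID());
        System.out.println(fromBob.isAuthorized() + " " + fromBob.getAuthorizedID());
    }
}
```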


[jira] [Commented] (STORM-446) secure Impersonation in storm

2015-02-23 Thread Parth Brahmbhatt (JIRA)

[ 
https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14334154#comment-14334154
 ] 

Parth Brahmbhatt commented on STORM-446:


[~revans2] [~harsha_ch] I wanted to check with you guys if the following
approach makes sense. To support this feature I tried to do the following:

* Added an API in StormSubmitter, *submitTopologyAs*, which takes all the usual
params + String doAsUser.
* Authenticate using the keytab in the jaas.conf.
* Create a new subject using the doAsUser as the principal, make the server
side call as a privileged action with this subject.
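{code:java}
// The client authenticates with the keytab configured in jaas.conf.
final Nimbus.Client client = NimbusClient.getConfiguredClient(conf).getClient();
// Build a subject whose only principal is the user to impersonate.
User proxyUser = new User(doAsUser);
Subject subject = new Subject();
subject.getPrincipals().add(proxyUser);
// Make the server-side call as a privileged action with that subject.
Subject.doAs(subject, new PrivilegedAction<Object>() {
    @Override
    public Object run() {
        client.submitTopology(args);
        return null;
    }
});
{code}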

I originally thought SASL would forward the principal from the current thread
context's subject to the server, but on the server side *String authId =
saslServer.getAuthorizationID();* still returns the original authenticated Id
that was sent as part of connection establishment.

I don't want to modify all the APIs to include a UserGroupInformation
look-a-like param, but looking at the hadoop implementation it seems hadoop also
passes the UGI as part of the RPC call that they make. Do you guys have any
other alternative ideas that do not involve changing all the Thrift APIs?
