Posted to dev@storm.apache.org by "Sriharsha Chintalapani (JIRA)" <ji...@apache.org> on 2014/09/25 16:13:33 UTC

[jira] [Commented] (STORM-509) (Security) Make groups checking specific for SimpleACLAuthorizer.

    [ https://issues.apache.org/jira/browse/STORM-509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14147780#comment-14147780 ] 

Sriharsha Chintalapani commented on STORM-509:
----------------------------------------------

[~revans2] "We really should have a separate set of configs for the explicit groups that we want to grant permissions to", so should we drive this by config? If two users belong to the configured set of groups, then grant permissions; otherwise don't. Either we should use config, which feels restrictive in terms of granting permissions to others on a running topology (not sure how often this would be the case), or provide a way for the user who is the owner of the topology to add group permissions, which will be written into the topology config.

> (Security) Make groups checking specific for SimpleACLAuthorizer.
> -----------------------------------------------------------------
>
>                 Key: STORM-509
>                 URL: https://issues.apache.org/jira/browse/STORM-509
>             Project: Apache Storm
>          Issue Type: Bug
>    Affects Versions: feature-security
>            Reporter: Robert Joseph Evans
>            Priority: Critical
>
> SimpleACLAuthorizer has groups support right now, but it only validates that the user performing an action and the user running the topology have at least one group in common. This is far from ideal, because unix groups are often used to denote OS System permissions and there is typically a users group that everyone belongs to.  We really should have a separate set of configs for the explicit groups that we want to grant permissions to, instead of the groups the user is a part of.



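The check the issue describes, next to a check against explicitly granted groups, as an added sketch that is not Storm's code and not part of the original message. The class, method and group names are hypothetical, the sample data is constructed, and denying when no groups are configured is an assumption.

```java
import java.util.Collections;
import java.util.Set;

// Added illustration only; none of these names are Storm APIs or config keys.
public class GroupAclSketch {

    // Behaviour described in the issue: the action is allowed when the
    // requesting user and the topology owner share at least one group.
    static boolean sharedGroupCheck(Set<String> requesterGroups, Set<String> ownerGroups) {
        return !Collections.disjoint(requesterGroups, ownerGroups);
    }

    // Direction proposed in the issue: the action is allowed only when the
    // requester belongs to a group that was explicitly granted access,
    // whether that list comes from cluster config or from the topology config.
    static boolean explicitGroupCheck(Set<String> requesterGroups, Set<String> grantedGroups) {
        if (grantedGroups == null || grantedGroups.isEmpty()) {
            return false; // assumption: nothing granted means group access is denied
        }
        return !Collections.disjoint(requesterGroups, grantedGroups);
    }

    public static void main(String[] args) {
        // Constructed sample data: "users" is the catch-all group everyone has.
        Set<String> ownerGroups = Set.of("users", "analytics");
        Set<String> unrelatedUser = Set.of("users", "web");
        Set<String> teammate = Set.of("users", "analytics-ops");
        Set<String> grantedGroups = Set.of("analytics-ops");

        System.out.println("shared-group check, unrelated user: "
                + sharedGroupCheck(unrelatedUser, ownerGroups));
        System.out.println("shared-group check, teammate:       "
                + sharedGroupCheck(teammate, ownerGroups));
        System.out.println("explicit-group check, unrelated user: "
                + explicitGroupCheck(unrelatedUser, grantedGroups));
        System.out.println("explicit-group check, teammate:       "
                + explicitGroupCheck(teammate, grantedGroups));
        System.out.println("explicit-group check, nothing granted: "
                + explicitGroupCheck(teammate, Set.of()));
    }
}
```

The shared-group check lets the unrelated user through on the common "users" group alone, while the explicit check decides on the granted list only and ignores the owner's own group memberships.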