Posted to dev@storm.apache.org by liu-zhaokun <gi...@git.apache.org> on 2017/07/25 02:41:53 UTC

[GitHub] storm pull request #2240: [STORM-2657] Update SECURITY.MD

GitHub user liu-zhaokun opened a pull request:

    https://github.com/apache/storm/pull/2240

    [STORM-2657] Update SECURITY.MD

    [https://issues.apache.org/jira/browse/STORM-2657](https://issues.apache.org/jira/browse/STORM-2657)
    
    There are several PRs about storm acl merged into master, so I update SECURITY.md.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/liu-zhaokun/storm master07250849

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/storm/pull/2240.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2240
    
----
commit b604ea0abcef950105d4bec9315b6eb211b98c95
Author: liuzhaokun <li...@zte.com.cn>
Date:   2017-07-25T02:38:56Z

    [STORM-2657] Update SECURITY.MD

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] storm issue #2240: [STORM-2657] Update SECURITY.MD

Posted by liu-zhaokun <gi...@git.apache.org>.
Github user liu-zhaokun commented on the issue:

    https://github.com/apache/storm/pull/2240
  
    @revans2 
    Hello, I have updated SECURITY.MD, review it, please.



[GitHub] storm pull request #2240: [STORM-2657] Update SECURITY.MD

Posted by revans2 <gi...@git.apache.org>.
Github user revans2 commented on a diff in the pull request:

    https://github.com/apache/storm/pull/2240#discussion_r130436600
  
    --- Diff: docs/SECURITY.md ---
    @@ -478,6 +478,35 @@ nimbus.groups:
      
     
     ### DRPC
    -Hopefully more on this soon
    + 
    + Storm provides the Access Control List for the DRPC Authorizer.Users can see org.apache.storm.security.auth.authorizer.DRPCSimpleACLAuthorizer for more details.
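Review bot: The added sentence fuses two sentences ("Authorizer.Users") and names `org.apache.storm.security.auth.authorizer.DRPCSimpleACLAuthorizer` without saying which configuration key has to be set to it, so a reader cannot enable the authorizer from this text alone. Add the space after the period and name the setting that selects the class.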
    --- End diff --
    
    It would be great if we could turn this into a link.
    
    ```
    [org.apache.storm.security.auth.authorizer.DRPCSimpleACLAuthorizer](javadocs/org/apache/storm/security/auth/authorizer/DRPCSimpleACLAuthorizer.html)
    ```
    
    Should work.



[GitHub] storm pull request #2240: [STORM-2657] Update SECURITY.MD

Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:

    https://github.com/apache/storm/pull/2240



[GitHub] storm issue #2240: [STORM-2657] Update SECURITY.MD

Posted by liu-zhaokun <gi...@git.apache.org>.
Github user liu-zhaokun commented on the issue:

    https://github.com/apache/storm/pull/2240
  
    Can one of the admins verify this patch?



[GitHub] storm pull request #2240: [STORM-2657] Update SECURITY.MD

Posted by revans2 <gi...@git.apache.org>.
Github user revans2 commented on a diff in the pull request:

    https://github.com/apache/storm/pull/2240#discussion_r130439781
  
    --- Diff: docs/SECURITY.md ---
    @@ -478,6 +478,35 @@ nimbus.groups:
      
     
     ### DRPC
    -Hopefully more on this soon
    + 
    + Storm provides the Access Control List for the DRPC Authorizer.Users can see org.apache.storm.security.auth.authorizer.DRPCSimpleACLAuthorizer for more details.
    + 
    + There are several DRPC ACL related configurations.
    + 
    + | YAML Setting | Description |
    + |------------|----------------------|
    + | drpc.authorizer.acl | The class for DRPC ACL. |
    + | drpc.authorizer.acl.filename | File name of the DRPC Authorizer ACL.It should be set to "drpc-auth-acl.yaml",users can see drpc-auth-acl.yaml.example for more details. |
    + | drpc.authorizer.acl.strict| Whether the DRPCSimpleAclAuthorizer should deny requests for operations involving functions that have no explicit ACL entry. |
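Review bot: The `drpc.authorizer.acl.strict` row does not state the default, so a reader cannot tell whether a function with no explicit ACL entry is allowed or denied out of the box; give the default and say which value production clusters should use. In the same table, the `drpc.authorizer.acl` row says "The class for DRPC ACL" without naming a class, the class name is spelled two ways in this hunk (`DRPCSimpleACLAuthorizer` in the prose line, `DRPCSimpleAclAuthorizer` in the strict row), and "ACL.It" and "strict|" are missing spaces.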
    --- End diff --
    
    This is kind of confusing, and that is because the config is kind of confusing.  Some configs go in the main storm.yaml:
    
    | YAML Setting | Description |
    |------------|----------------------|
    | drpc.authorizer | A class that will perform authorization for DRPC operations.  Set this to `org.apache.storm.security.auth.authorizer.DRPCSimpleACLAuthorizer` when using security. |
    | drpc.authorizer.acl.strict | Whether the DRPCSimpleAclAuthorizer should deny requests for operations involving functions that have no explicit ACL entry. It is useful to set this to false for staging where users may want to experiment, but true for production where you want users to be secure. Defaults to false. |
    | drpc.authorizer.acl.filename | This is the name of a file that the ACLs will be loaded from.  It is separate from storm.yaml to allow the file to be updated without bringing down a DRPC server. Defaults to drpc-auth-acl.yaml |
    
    The file pointed to by `drpc.authorizer.acl.filename` will have only one config in it, `drpc.authorizer.acl`, which should be of the form:
    
    ```yaml
    drpc.authorizer.acl:
      "functionName1":
        "client.users":
          - "alice"
          - "bob"
        "invocation.user": "bob"
    ```
    
    In this the users `bob` and `alice` as `client.users` are allowed to run DRPC requests against functionName1, but only `bob` as the `invocation.user` is allowed to run the topology that actually processes those requests. 
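
The ACL semantics described in the comment above, modelled as an added example (not part of the original comment and not Storm's own code). The names `is_permitted` and `audit`, the roles `client` and `invocation`, and the `functionName2`/`functionName3` data are assumptions made for illustration; non-strict mode is assumed to let through functions that have no ACL entry.

```python
# Added example: a model of the DRPC ACL semantics described in the comment above.
# SAMPLE_ACL is constructed; it is the value of drpc.authorizer.acl after YAML parsing.
SAMPLE_ACL = {
    "functionName1": {"client.users": ["alice", "bob"], "invocation.user": "bob"},
    "functionName2": {"client.users": ["carol"]},  # constructed: no invocation.user
}


def is_permitted(acl, strict, function, user, role):
    """Decide one request. role is 'client' (submits DRPC requests to the
    function) or 'invocation' (runs the topology that processes them)."""
    if role not in ("client", "invocation"):
        raise ValueError("unknown role: %r" % role)
    entry = acl.get(function)
    if entry is None:
        # No explicit ACL entry: strict mode denies; non-strict mode does not.
        return not strict
    if role == "client":
        return user in entry.get("client.users", [])
    return user == entry.get("invocation.user")


def audit(acl, strict, deployed_functions):
    """Return (function, finding) pairs worth fixing before production."""
    findings = []
    for fn in sorted(set(deployed_functions) - set(acl)):
        if strict:
            findings.append((fn, "no ACL entry: every request is denied"))
        else:
            findings.append((fn, "no ACL entry: requests are not denied"))
    for fn, entry in sorted(acl.items()):
        if not entry.get("client.users"):
            findings.append((fn, "no client.users: nobody can submit requests"))
        if not entry.get("invocation.user"):
            findings.append((fn, "no invocation.user: no topology can serve it"))
    return findings


if __name__ == "__main__":
    # functionName3 is a constructed function name with no ACL entry.
    for strict in (False, True):
        print("strict =", strict)
        for item in audit(SAMPLE_ACL, strict, ["functionName1", "functionName3"]):
            print("  ", item)
```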



[GitHub] storm issue #2240: [STORM-2657] Update SECURITY.MD

Posted by liu-zhaokun <gi...@git.apache.org>.
Github user liu-zhaokun commented on the issue:

    https://github.com/apache/storm/pull/2240
  
    @revans2 
    Hello, I have modified this PR following your suggestion. Thanks again for your hard work. Review it, please.

