Posted to dev@storm.apache.org by "Sriharsha Chintalapani (JIRA)" <ji...@apache.org> on 2016/06/24 23:19:16 UTC

[jira] [Commented] (STORM-1096) UI tries to impersonate wrong user when getting topology conf for authorization, impersonation is allowed by default

    [ https://issues.apache.org/jira/browse/STORM-1096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15348854#comment-15348854 ] 

Sriharsha Chintalapani commented on STORM-1096:
-----------------------------------------------

[~revans2] sorry for not bringing this up before we merged into the repo.
A few questions around the config:
1. We made nimbus.impersonation.authorizer the default but without any nimbus.impersonation.acl configs. This will immediately block anyone from submitting a topology except the storm user.
2. The configs right now require username as key: hosts, groups as values. This is not easy to automate via deployment tools. Also every user who wants to submit should be listed in this config (correct me if I am wrong here).
3. I understand security should be closed by default. But here in this case we are just blocking everyone from submitting a topology or looking at topology metrics.

Ideally we should provide wildcard support and make it the default, or at least offer that option to the user.
The wildcard should be that a given user can impersonate user x. So I can just add a config like: any user can impersonate user x.

The problem I am seeing here is that in the case of Ambari we have a Storm view that will send requests through the Ambari proxy server. In this case it will send: user "harsha" is trying to impersonate user "ambari-server1" (user x in the above example). With the current implementation, any user who is trying to access their topology needs to be added to the nimbus.impersonation.acl along with the hostname from which they might be querying, etc. In a hosted platform this is going to be harder as we keep adding users to the config.




> UI tries to impersonate wrong user when getting topology conf for authorization, impersonation is allowed by default
> --------------------------------------------------------------------------------------------------------------------
>
>                 Key: STORM-1096
>                 URL: https://issues.apache.org/jira/browse/STORM-1096
>             Project: Apache Storm
>          Issue Type: Bug
>          Components: storm-core
>    Affects Versions: 0.10.0
>            Reporter: Robert Joseph Evans
>            Assignee: Robert Joseph Evans
>            Priority: Blocker
>             Fix For: 0.10.0
>
>
> We have started using 0.10.0 under load and found a few issues around the UI and impersonation.
> The UI, when trying to connect to nimbus, will impersonate other users.  Nimbus, by default, allows impersonation and just outputs a warning message that it is allowed.  We really should default to not allowing impersonation.  Having the authorizer configured by default does not hurt when running insecure because impersonation is not possible, but when security is enabled, if someone forgets to set this config we are now insecure by default.
> If you do set all of that up correctly the UI now can impersonate the wrong user when connecting to nimbus.
> The UI decides which user to impersonate by pulling it from the request context.  The requestContext is populated from the HttpRequest when assert-authorized-user is called.  assert-authorized-user takes a topology-conf as a parameter.  The only way to get this topology conf is to talk to nimbus, which will get the wrong user because the request context has not been populated yet.
> This just became a huge pain for users who way too often will not be able to see pages on the UI.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
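
Added illustration, not part of the JIRA comment and not Storm's code: a simplified Python model of the closed-by-default ACL discussed above, with entries keyed by the impersonating user and `hosts` and `groups` lists as values, shown with an empty ACL, an explicit entry, and a wildcard entry. The `*` token, the reading of `groups` as the impersonated user's groups, and all user and host names are assumptions of this sketch.

```python
# Simplified model of a closed-by-default impersonation ACL.
# Not Storm's code: the "*" token, field semantics and all names are assumptions.
WILDCARD = "*"


def _allowed(listed, actual):
    """True if the configured list holds the wildcard or one of the actual values."""
    listed = set(listed or ())
    return WILDCARD in listed or not listed.isdisjoint(actual)


def may_impersonate(acl, impersonator, target_groups, remote_host):
    """Allow only if the impersonator has an entry whose hosts match the request
    origin and whose groups match a group of the impersonated user."""
    entry = (acl or {}).get(impersonator)
    if entry is None:
        return False  # closed by default: no entry means no impersonation
    return (_allowed(entry.get("hosts"), {remote_host})
            and _allowed(entry.get("groups"), set(target_groups)))


# Constructed sample configurations (user -> hosts, groups).
EMPTY_ACL = {}
EXPLICIT_ACL = {"ui-proxy": {"hosts": ["ui1.example.com"], "groups": ["analysts"]}}
WILDCARD_ACL = {"ui-proxy": {"hosts": ["ui1.example.com"], "groups": ["*"]}}


def evaluate(acl):
    """Run the same three constructed requests against one ACL."""
    requests = [
        ("ui-proxy", ["analysts"], "ui1.example.com"),
        ("ui-proxy", ["ops"], "ui1.example.com"),
        ("ui-proxy", ["ops"], "laptop.example.com"),
    ]
    return [may_impersonate(acl, *r) for r in requests]


if __name__ == "__main__":
    for name, acl in [("empty", EMPTY_ACL), ("explicit", EXPLICIT_ACL),
                      ("wildcard", WILDCARD_ACL)]:
        print(name, evaluate(acl))
```

In this model the wildcard on `groups` removes the need to list every impersonated user's group, while the `hosts` restriction still rejects the request from the unlisted host.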