Posted to dev@storm.apache.org by Liang Zhao <al...@gmail.com> on 2020/06/26 12:06:08 UTC
DigestSaslTransportPlugin hardcode "localhost" server
Hi,

Due to not being able to use Kerberos, we are exploring
the DigestSaslTransportPlugin/PlainSaslTransportPlugin as an alternative.
However, when we tried to set up a storm cluster with
DigestSaslTransportPlugin on kubernetes, we came across a
SaslException error: digest response format violation, Mismatched URI,
storm_thrift_server/nimbus; expecting storm_thrift_server/localhost.

A close look at the code indicates there is a hardcoded "localhost" in the
plugin, and this code has been there for many years.

https://github.com/apache/storm/blob/master/storm-client/src/jvm/org/apache/storm/security/auth/digest/DigestSaslTransportPlugin.java#L53

I'm a bit puzzled as to whether this is intentional and can be worked around in
configuration, or it's a bug that should be fixed?

Thanks,
Liang
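
The mismatch reported above can be reproduced outside Storm with the JDK's own `javax.security.sasl` DIGEST-MD5 provider, where the client puts `protocol/host` into `digest-uri` and the server compares it with the name it was created with. This is an added example, not code from the thread or from Storm; the class name, user name and password are constructed, and the host names are taken from the error message.

```java
import javax.security.auth.callback.*;
import javax.security.sasl.*;

// Added example: JDK SASL API only, not Storm code. Credentials are constructed.
public class DigestUriMismatchDemo {
    static final String MECH = "DIGEST-MD5";
    static final String PROTOCOL = "storm_thrift_server"; // service name seen in the error above

    // One handler serves both sides: it supplies the shared credentials,
    // accepts the offered realm and approves the authorization id.
    static final CallbackHandler HANDLER = callbacks -> {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName("demo-user");
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword("demo-secret".toCharArray());
            } else if (cb instanceof RealmCallback) {
                RealmCallback rc = (RealmCallback) cb;
                rc.setText(rc.getDefaultText());
            } else if (cb instanceof AuthorizeCallback) {
                ((AuthorizeCallback) cb).setAuthorized(true);
            }
        }
    };

    // Runs the exchange in-process; returns "OK" or the server's error message.
    static String handshake(String serverName, String clientTargetHost) throws SaslException {
        SaslServer server = Sasl.createSaslServer(MECH, PROTOCOL, serverName, null, HANDLER);
        SaslClient client = Sasl.createSaslClient(
                new String[] {MECH}, null, PROTOCOL, clientTargetHost, null, HANDLER);
        byte[] challenge = server.evaluateResponse(new byte[0]); // nonce, realm, qop
        byte[] response = client.evaluateChallenge(challenge);   // carries digest-uri
        try {
            byte[] rspauth = server.evaluateResponse(response);  // server checks digest-uri
            client.evaluateChallenge(rspauth);
            return server.isComplete() && client.isComplete() ? "OK" : "incomplete";
        } catch (SaslException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws SaslException {
        // Server created as "localhost", client addressing "nimbus": the server rejects it.
        System.out.println(handshake("localhost", "nimbus"));
        // Server created with the name the client actually uses: the exchange completes.
        System.out.println(handshake("nimbus", "nimbus"));
    }
}
```

The server name passed to `Sasl.createSaslServer` therefore has to be the name clients use to reach it, which is why a fixed "localhost" only works when client and server share a host.
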
Re: DigestSaslTransportPlugin hardcode "localhost" server
Posted by Derek Dagit <da...@apache.org>.
Yes, it probably could be considered a bug.
As we were adding authentication and authorization to the project, we
did so for Thrift servers via these plugins. Our team was soon after
required to use Kerberos/SASL because of production environment and
security constraints. So we moved on using the Kerberos plugin
exclusively.
I imagine—but I do not specifically recall—that Andy did test
successfully at the time using a non-production environment—possibly
even with the client and server both on the same 'localhost'. The
intention with these plugins was always that they could be configured in
a production environment, and so it seems to me that this value could be
made configurable rather than hard-coded.
--
Derek
On Tue, Jun 30, 2020 at 04:56:22PM -0500, Ethan Li wrote:
>
> This looks like a bug. But I have never used this plugin so I am not sure at this moment. Do you have a stack trace that I can take a look at?
>
> > On Jun 26, 2020, at 7:06 AM, Liang Zhao <al...@gmail.com> wrote:
> >
> > Hi,
> >
> > Due to not being able to use Kerberos, we are exploring
> > the DigestSaslTransportPlugin/PlainSaslTransportPlugin as an alternative.
> > However, when we tried to set up a storm cluster with
> > DigestSaslTransportPlugin on kubernetes, we came across a
> > SaslException error: digest response format violation, Mismatched URI,
> > storm_thrift_server/nimbus; expecting storm_thrift_server/localhost.
> >
> > A close look at the code indicates there is a hardcoded "localhost" in the
> > plugin, and this code has been there for many years.
> >
> > https://github.com/apache/storm/blob/master/storm-client/src/jvm/org/apache/storm/security/auth/digest/DigestSaslTransportPlugin.java#L53
> >
> > I'm a bit puzzled as to whether this is intentional and can be worked around in
> > configuration, or it's a bug that should be fixed?
> >
> > Thanks,
> > Liang
>
Re: DigestSaslTransportPlugin hardcode "localhost" server
Posted by Ethan Li <et...@gmail.com>.
This looks like a bug. But I have never used this plugin so I am not sure at this moment. Do you have a stack trace that I can take a look at?

> On Jun 26, 2020, at 7:06 AM, Liang Zhao <al...@gmail.com> wrote:
>
> Hi,
>
> Due to not being able to use Kerberos, we are exploring
> the DigestSaslTransportPlugin/PlainSaslTransportPlugin as an alternative.
> However, when we tried to set up a storm cluster with
> DigestSaslTransportPlugin on kubernetes, we came across a
> SaslException error: digest response format violation, Mismatched URI,
> storm_thrift_server/nimbus; expecting storm_thrift_server/localhost.
>
> A close look at the code indicates there is a hardcoded "localhost" in the
> plugin, and this code has been there for many years.
>
> https://github.com/apache/storm/blob/master/storm-client/src/jvm/org/apache/storm/security/auth/digest/DigestSaslTransportPlugin.java#L53
>
> I'm a bit puzzled as to whether this is intentional and can be worked around in
> configuration, or it's a bug that should be fixed?
>
> Thanks,
> Liang