Posted to commits@storm.apache.org by bo...@apache.org on 2014/10/27 21:13:42 UTC
[2/4] git commit: STORM-509. Make groups checking specific for
SimpleACLAuthorizer.
STORM-509. Make groups checking specific for SimpleACLAuthorizer.
Project: http://git-wip-us.apache.org/repos/asf/storm/repo
Commit: http://git-wip-us.apache.org/repos/asf/storm/commit/11e6fc98
Tree: http://git-wip-us.apache.org/repos/asf/storm/tree/11e6fc98
Diff: http://git-wip-us.apache.org/repos/asf/storm/diff/11e6fc98
Branch: refs/heads/security
Commit: 11e6fc9821d7d7e676d573836c08272ce18385f2
Parents: 8400217
Author: Sriharsha Chintalapani <ma...@harsha.io>
Authored: Mon Sep 29 13:57:07 2014 -0700
Committer: Sriharsha Chintalapani <ma...@harsha.io>
Committed: Mon Sep 29 13:57:07 2014 -0700
----------------------------------------------------------------------
storm-core/src/jvm/backtype/storm/Config.java | 13 +++++++++---
.../auth/authorizer/SimpleACLAuthorizer.java | 21 +++++++++++++-------
.../backtype/storm/security/auth/auth_test.clj | 4 ++--
3 files changed, 26 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/storm/blob/11e6fc98/storm-core/src/jvm/backtype/storm/Config.java
----------------------------------------------------------------------
diff --git a/storm-core/src/jvm/backtype/storm/Config.java b/storm-core/src/jvm/backtype/storm/Config.java
index a38b51e..48e1822 100644
--- a/storm-core/src/jvm/backtype/storm/Config.java
+++ b/storm-core/src/jvm/backtype/storm/Config.java
@@ -115,7 +115,7 @@ public class Config extends HashMap<String, Object> {
*/
public static final String STORM_META_SERIALIZATION_DELEGATE = "storm.meta.serialization.delegate";
public static final Object STORM_META_SERIALIZATION_DELEGATE_SCHEMA = String.class;
-
+
/**
* A list of hosts of ZooKeeper servers used to manage the cluster.
*/
@@ -769,7 +769,7 @@ public class Config extends HashMap<String, Object> {
* The jvm opts provided to workers launched by this supervisor. All "%ID%", "%WORKER-ID%", "%TOPOLOGY-ID%"
* and "%WORKER-PORT%" substrings are replaced with:
* %ID% -> port (for backward compatibility),
- * %WORKER-ID% -> worker-id,
+ * %WORKER-ID% -> worker-id,
* %TOPOLOGY-ID% -> topology-id,
* %WORKER-PORT% -> port.
*/
@@ -829,6 +829,13 @@ public class Config extends HashMap<String, Object> {
public static final Object TOPOLOGY_USERS_SCHEMA = ConfigValidation.StringsValidator;
/**
+ * A list of groups that are allowed to interact with the topology. To use this set
+ * nimbus.authorizer to backtype.storm.security.auth.authorizer.SimpleACLAuthorizer
+ */
+ public static final String TOPOLOGY_GROUPS = "topology.groups";
+ public static final Object TOPOLOGY_GROUPS_SCHEMA = ConfigValidation.StringsValidator;
+
+ /**
* True if Storm should timeout messages or not. Defaults to true. This is meant to be used
* in unit tests to prevent tuples from being accidentally timed out during the test.
*/
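Review bot: The new Javadoc on `TOPOLOGY_GROUPS` names the authorizer but not the second precondition for the setting to have any effect. Judging from the SimpleACLAuthorizer hunk in this same commit, the group list is only consulted when a group mapping service provider was loaded (`_groupMappingProvider != null`) and the list is non-empty, so an operator who sets `topology.groups` without a group mapping plugin would see the setting ignored without any error. I would add a sentence such as `Group membership is resolved through the configured group mapping service provider; if none is configured this setting has no effect.` It would also help to state that listing a group grants every member of that group access to the topology.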
@@ -1304,7 +1311,7 @@ public class Config extends HashMap<String, Object> {
public void registerSerialization(Class klass, Class<? extends Serializer> serializerClass) {
registerSerialization(this, klass, serializerClass);
}
-
+
public static void registerMetricsConsumer(Map conf, Class klass, Object argument, long parallelismHint) {
HashMap m = new HashMap();
m.put("class", klass.getCanonicalName());
http://git-wip-us.apache.org/repos/asf/storm/blob/11e6fc98/storm-core/src/jvm/backtype/storm/security/auth/authorizer/SimpleACLAuthorizer.java
----------------------------------------------------------------------
diff --git a/storm-core/src/jvm/backtype/storm/security/auth/authorizer/SimpleACLAuthorizer.java b/storm-core/src/jvm/backtype/storm/security/auth/authorizer/SimpleACLAuthorizer.java
index 0b867e8..daef956 100644
--- a/storm-core/src/jvm/backtype/storm/security/auth/authorizer/SimpleACLAuthorizer.java
+++ b/storm-core/src/jvm/backtype/storm/security/auth/authorizer/SimpleACLAuthorizer.java
@@ -49,7 +49,7 @@ public class SimpleACLAuthorizer implements IAuthorizer {
protected Set<String> _admins;
protected Set<String> _supervisors;
protected IPrincipalToLocal _ptol;
- protected IGroupMappingServiceProvider _groups;
+ protected IGroupMappingServiceProvider _groupMappingProvider;
/**
* Invoked once immediately after construction
* @param conf Storm configuration
@@ -65,8 +65,9 @@ public class SimpleACLAuthorizer implements IAuthorizer {
if (conf.containsKey(Config.NIMBUS_SUPERVISOR_USERS)) {
_supervisors.addAll((Collection<String>)conf.get(Config.NIMBUS_SUPERVISOR_USERS));
}
+
_ptol = AuthUtils.GetPrincipalToLocalPlugin(conf);
- _groups = AuthUtils.GetGroupMappingServiceProviderPlugin(conf);
+ _groupMappingProvider = AuthUtils.GetGroupMappingServiceProviderPlugin(conf);
}
/**
@@ -107,12 +108,18 @@ public class SimpleACLAuthorizer implements IAuthorizer {
if (topoUsers.contains(principal) || topoUsers.contains(user)) {
return true;
}
- if(_groups != null) {
+
+ Set<String> topoGroups = new HashSet<String>();
+ if (topology_conf.containsKey(Config.TOPOLOGY_GROUPS)) {
+ topoGroups.addAll((Collection<String>)topology_conf.get(Config.TOPOLOGY_GROUPS));
+ }
+
+ if(_groupMappingProvider != null && topoGroups.size() > 0) {
+ System.out.println("hello in if");
try {
- String topologySubmitterUser = (String) topology_conf.get(Config.TOPOLOGY_SUBMITTER_USER);
- Set<String> userGroups = _groups.getGroups(user);
- Set<String> topoUserGroups = _groups.getGroups(topologySubmitterUser);
- for (String tgroup : topoUserGroups) {
+ Set<String> userGroups = _groupMappingProvider.getGroups(user);
+ for (String tgroup : topoGroups) {
+ System.out.println("tgroup "+tgroup);
if(userGroups.contains(tgroup))
return true;
}
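Review bot: The two `System.out.println` calls added in the group check (`"hello in if"` and `"tgroup "+tgroup`) are debug leftovers in the authorization path and will write to the daemon's stdout whenever a topology lists groups. Remove them, or route the group name through a debug-level logger if the class has one. Separately, the new `(Collection<String>)topology_conf.get(Config.TOPOLOGY_GROUPS)` cast sits before the `try`, so a `topology.groups` value that is null or not a collection would throw out of the method instead of producing a clean deny. A guard such as `Object g = topology_conf.get(Config.TOPOLOGY_GROUPS); if (g instanceof Collection) topoGroups.addAll((Collection<String>) g);` makes that failure mode explicit. The enclosing method starts and ends outside this hunk, so the catch block and the final return are not visible here.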
http://git-wip-us.apache.org/repos/asf/storm/blob/11e6fc98/storm-core/test/clj/backtype/storm/security/auth/auth_test.clj
----------------------------------------------------------------------
diff --git a/storm-core/test/clj/backtype/storm/security/auth/auth_test.clj b/storm-core/test/clj/backtype/storm/security/auth/auth_test.clj
index 12411e7..a01cac3 100644
--- a/storm-core/test/clj/backtype/storm/security/auth/auth_test.clj
+++ b/storm-core/test/clj/backtype/storm/security/auth/auth_test.clj
@@ -284,8 +284,8 @@
user-name (System/getProperty "user.name")]
(.prepare groups cluster-conf)
(>= 0 (.size (.getGroups groups user-name)))
- (>= 0 (.size (.getGroups groups "userDoesNotExist")))
- (>= 0 (.size (.getGroups groups nil)))))
+ (= 0 (.size (.getGroups groups "userDoesNotExist")))
+ (= 0 (.size (.getGroups groups nil)))))
(deftest simple-acl-same-user-auth-test
(let [cluster-conf (merge (read-storm-config)
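Review bot: The three comparisons in this `let` body are bare expressions rather than `(is ...)` forms, so as far as the hunk shows they are evaluated and discarded and the test cannot fail on them. Tightening `>=` to `=` therefore changes nothing until they are wrapped, e.g. `(is (= 0 (.size (.getGroups groups "userDoesNotExist"))))`. The unchanged line `(>= 0 (.size (.getGroups groups user-name)))` also reads as 0 >= size, which would only hold for a user with no groups; `(is (<= 0 (.size (.getGroups groups user-name))))` is probably what was meant. Since the authorizer now relies on `getGroups` for access decisions, the empty-set result for unknown and nil users is worth asserting for real. The `deftest` header for this body is outside the hunk.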