Posted to commits@storm.apache.org by bo...@apache.org on 2014/10/27 21:13:42 UTC

[2/4] git commit: STORM-509. Make groups checking specific for SimpleACLAuthorizer.

STORM-509. Make groups checking specific for SimpleACLAuthorizer.


Project: http://git-wip-us.apache.org/repos/asf/storm/repo
Commit: http://git-wip-us.apache.org/repos/asf/storm/commit/11e6fc98
Tree: http://git-wip-us.apache.org/repos/asf/storm/tree/11e6fc98
Diff: http://git-wip-us.apache.org/repos/asf/storm/diff/11e6fc98

Branch: refs/heads/security
Commit: 11e6fc9821d7d7e676d573836c08272ce18385f2
Parents: 8400217
Author: Sriharsha Chintalapani <ma...@harsha.io>
Authored: Mon Sep 29 13:57:07 2014 -0700
Committer: Sriharsha Chintalapani <ma...@harsha.io>
Committed: Mon Sep 29 13:57:07 2014 -0700

----------------------------------------------------------------------
 storm-core/src/jvm/backtype/storm/Config.java   | 13 +++++++++---
 .../auth/authorizer/SimpleACLAuthorizer.java    | 21 +++++++++++++-------
 .../backtype/storm/security/auth/auth_test.clj  |  4 ++--
 3 files changed, 26 insertions(+), 12 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/storm/blob/11e6fc98/storm-core/src/jvm/backtype/storm/Config.java
----------------------------------------------------------------------
diff --git a/storm-core/src/jvm/backtype/storm/Config.java b/storm-core/src/jvm/backtype/storm/Config.java
index a38b51e..48e1822 100644
--- a/storm-core/src/jvm/backtype/storm/Config.java
+++ b/storm-core/src/jvm/backtype/storm/Config.java
@@ -115,7 +115,7 @@ public class Config extends HashMap<String, Object> {
      */
     public static final String STORM_META_SERIALIZATION_DELEGATE = "storm.meta.serialization.delegate";
     public static final Object STORM_META_SERIALIZATION_DELEGATE_SCHEMA = String.class;
-    
+
     /**
      * A list of hosts of ZooKeeper servers used to manage the cluster.
      */
@@ -769,7 +769,7 @@ public class Config extends HashMap<String, Object> {
      * The jvm opts provided to workers launched by this supervisor. All "%ID%", "%WORKER-ID%", "%TOPOLOGY-ID%"
      * and "%WORKER-PORT%" substrings are replaced with:
      * %ID%          -> port (for backward compatibility),
-     * %WORKER-ID%   -> worker-id, 
+     * %WORKER-ID%   -> worker-id,
      * %TOPOLOGY-ID%    -> topology-id,
      * %WORKER-PORT% -> port.
      */
@@ -829,6 +829,13 @@ public class Config extends HashMap<String, Object> {
     public static final Object TOPOLOGY_USERS_SCHEMA = ConfigValidation.StringsValidator;
 
     /**
+     * A list of groups that are allowed to interact with the topology.  To use this set
+     * nimbus.authorizer to backtype.storm.security.auth.authorizer.SimpleACLAuthorizer
+     */
+    public static final String TOPOLOGY_GROUPS = "topology.groups";
+    public static final Object TOPOLOGY_GROUPS_SCHEMA = ConfigValidation.StringsValidator;
+
+    /**
      * True if Storm should timeout messages or not. Defaults to true. This is meant to be used
      * in unit tests to prevent tuples from being accidentally timed out during the test.
      */
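Review bot: The Javadoc added for `TOPOLOGY_GROUPS` does not say that the list only takes effect when a group mapping service provider is configured; the SimpleACLAuthorizer change in this same commit consults it only when `_groupMappingProvider != null`. I would add a sentence such as `Group membership is resolved through the configured group mapping service provider; without one this setting has no effect.` It would also help to state that a missing or empty list grants no group-based access, which matches the `topoGroups.size() > 0` guard in the authorizer.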
@@ -1304,7 +1311,7 @@ public class Config extends HashMap<String, Object> {
     public void registerSerialization(Class klass, Class<? extends Serializer> serializerClass) {
         registerSerialization(this, klass, serializerClass);
     }
-    
+
     public static void registerMetricsConsumer(Map conf, Class klass, Object argument, long parallelismHint) {
         HashMap m = new HashMap();
         m.put("class", klass.getCanonicalName());

http://git-wip-us.apache.org/repos/asf/storm/blob/11e6fc98/storm-core/src/jvm/backtype/storm/security/auth/authorizer/SimpleACLAuthorizer.java
----------------------------------------------------------------------
diff --git a/storm-core/src/jvm/backtype/storm/security/auth/authorizer/SimpleACLAuthorizer.java b/storm-core/src/jvm/backtype/storm/security/auth/authorizer/SimpleACLAuthorizer.java
index 0b867e8..daef956 100644
--- a/storm-core/src/jvm/backtype/storm/security/auth/authorizer/SimpleACLAuthorizer.java
+++ b/storm-core/src/jvm/backtype/storm/security/auth/authorizer/SimpleACLAuthorizer.java
@@ -49,7 +49,7 @@ public class SimpleACLAuthorizer implements IAuthorizer {
     protected Set<String> _admins;
     protected Set<String> _supervisors;
     protected IPrincipalToLocal _ptol;
-    protected IGroupMappingServiceProvider _groups;
+    protected IGroupMappingServiceProvider _groupMappingProvider;
     /**
      * Invoked once immediately after construction
      * @param conf Storm configuration
@@ -65,8 +65,9 @@ public class SimpleACLAuthorizer implements IAuthorizer {
         if (conf.containsKey(Config.NIMBUS_SUPERVISOR_USERS)) {
             _supervisors.addAll((Collection<String>)conf.get(Config.NIMBUS_SUPERVISOR_USERS));
         }
+
         _ptol = AuthUtils.GetPrincipalToLocalPlugin(conf);
-        _groups = AuthUtils.GetGroupMappingServiceProviderPlugin(conf);
+        _groupMappingProvider = AuthUtils.GetGroupMappingServiceProviderPlugin(conf);
     }
 
     /**
@@ -107,12 +108,18 @@ public class SimpleACLAuthorizer implements IAuthorizer {
             if (topoUsers.contains(principal) || topoUsers.contains(user)) {
                 return true;
             }
-            if(_groups != null) {
+
+            Set<String> topoGroups = new HashSet<String>();
+            if (topology_conf.containsKey(Config.TOPOLOGY_GROUPS)) {
+                topoGroups.addAll((Collection<String>)topology_conf.get(Config.TOPOLOGY_GROUPS));
+            }
+
+            if(_groupMappingProvider != null && topoGroups.size() > 0) {
+                System.out.println("hello in if");
                 try {
-                    String topologySubmitterUser = (String) topology_conf.get(Config.TOPOLOGY_SUBMITTER_USER);
-                    Set<String> userGroups = _groups.getGroups(user);
-                    Set<String> topoUserGroups = _groups.getGroups(topologySubmitterUser);
-                    for (String tgroup : topoUserGroups) {
+                    Set<String> userGroups = _groupMappingProvider.getGroups(user);
+                    for (String tgroup : topoGroups) {
+                        System.out.println("tgroup "+tgroup);
                         if(userGroups.contains(tgroup))
                             return true;
                     }
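Review bot: Two `System.out.println` debug statements are left in the authorization path, `System.out.println("hello in if");` before the `try` and `System.out.println("tgroup "+tgroup);` inside the loop; they should be deleted, or moved to the class logger at debug level if one exists (not visible in this hunk). As written, every group check writes the topology's group names to the daemon's stdout. Separately, `topoGroups.addAll(...)` sits outside the `try` and applies an unchecked cast to a value from the topology configuration, so a key present with a null or non-collection value would throw here; a guard such as `Object g = topology_conf.get(Config.TOPOLOGY_GROUPS); if (g instanceof Collection) topoGroups.addAll((Collection<String>) g);` would deny group access without an exception. The enclosing method starts and ends outside the hunk, so the `catch` handling and the final return are not visible.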

http://git-wip-us.apache.org/repos/asf/storm/blob/11e6fc98/storm-core/test/clj/backtype/storm/security/auth/auth_test.clj
----------------------------------------------------------------------
diff --git a/storm-core/test/clj/backtype/storm/security/auth/auth_test.clj b/storm-core/test/clj/backtype/storm/security/auth/auth_test.clj
index 12411e7..a01cac3 100644
--- a/storm-core/test/clj/backtype/storm/security/auth/auth_test.clj
+++ b/storm-core/test/clj/backtype/storm/security/auth/auth_test.clj
@@ -284,8 +284,8 @@
         user-name (System/getProperty "user.name")]
     (.prepare groups cluster-conf)
     (>= 0 (.size (.getGroups groups user-name)))
-    (>= 0 (.size (.getGroups groups "userDoesNotExist")))
-    (>= 0 (.size (.getGroups groups nil)))))
+    (= 0 (.size (.getGroups groups "userDoesNotExist")))
+    (= 0 (.size (.getGroups groups nil)))))
 
 (deftest simple-acl-same-user-auth-test
   (let [cluster-conf (merge (read-storm-config)
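Review bot: The changed comparisons `(= 0 (.size (.getGroups groups "userDoesNotExist")))` and `(= 0 (.size (.getGroups groups nil)))` are bare expressions rather than `is` assertions, so their results appear to be discarded and the test cannot fail on them. Wrapping each one, e.g. `(is (= 0 (.size (.getGroups groups nil))))`, would make the group-mapping behaviour for unknown and nil users actually checked. The unchanged line above them, `(>= 0 (.size (.getGroups groups user-name)))`, has the same problem and reads as `0 >= size`, which is probably the inverse of what was intended. The enclosing deftest starts outside the hunk, so this is judged from the visible forms only.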