Posted to dev@storm.apache.org by "Arun Mahadevan (JIRA)" <ji...@apache.org> on 2015/07/14 07:55:04 UTC

[jira] [Commented] (STORM-615) Add REST API to upload topology

    [ https://issues.apache.org/jira/browse/STORM-615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14625864#comment-14625864 ] 

Arun Mahadevan commented on STORM-615:
--------------------------------------

Since the earlier approach of invoking an external shell command from the UI server had security concerns, the code was reverted.

As an alternative, instead of the REST API invoking an external shell command, have the API load the uploaded topology jar via a URLClassLoader and invoke the main method containing the topology build/submit code using reflection.

To address the security issues of executing user-submitted code (as the UI server process user):

(1) We could limit the permissions using Java security policy files (https://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html), similar to what web containers do to restrict what servlets can do.

(2) Recommend that the UI/server be started by a user not having superuser privileges.


> Add REST API to upload topology
> -------------------------------
>
>                 Key: STORM-615
>                 URL: https://issues.apache.org/jira/browse/STORM-615
>             Project: Apache Storm
>          Issue Type: Bug
>            Reporter: Sriharsha Chintalapani
>            Assignee: Arun Mahadevan
>             Fix For: 0.10.0
>
>
> Add REST api /api/v1/submitTopology to upload topology jars and config using REST api.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
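
A sketch of the kind of policy file option (1) in the comment above refers to, added here as an illustration and not taken from the Storm project or from the commenter. All paths, the Nimbus host and port, and the permission set are constructed assumptions, not a tested minimum.

```conf
// Constructed example: every path, host name and permission below is an assumption.
// The file takes effect only if the UI server JVM is started with a security manager:
//   -Djava.security.manager -Djava.security.policy==/opt/storm/conf/ui.policy
// The double "=" makes this file the only policy in effect, so the JRE's
// default policy files are not merged in.

// The UI server's own code and its libraries remain fully trusted.
grant codeBase "file:/opt/storm/lib/-" {
    permission java.security.AllPermission;
};

// Jars uploaded through the REST API are stored under one directory and
// loaded from there by the URLClassLoader, so their CodeSource matches this
// codeBase ("-" covers the directory recursively).
// Permission checks intersect every protection domain on the call stack, so
// library code called by the uploaded main() is limited to this grant as
// well, even though the library itself holds AllPermission. The grant
// therefore has to cover what the build/submit path does on the jar's behalf.
grant codeBase "file:/var/storm/uploaded-jars/-" {
    // Read the cluster configuration and the uploaded jar itself.
    permission java.io.FilePermission "/opt/storm/conf/storm.yaml", "read";
    permission java.io.FilePermission "/var/storm/uploaded-jars/-", "read";

    // Read (not write) the system properties the submit path consults.
    permission java.util.PropertyPermission "storm.*", "read";

    // Connect only to the Nimbus endpoint (host and port are placeholders).
    permission java.net.SocketPermission "nimbus.example.com:6627", "connect,resolve";
};

// Not granted to uploaded code, and therefore denied:
//   java.io.FilePermission "<<ALL FILES>>", "execute"    (spawning processes)
//   java.io.FilePermission ... "write,delete"            (touching server files)
//   java.lang.RuntimePermission "exitVM"                 (stopping the UI server)
//   java.lang.RuntimePermission "setSecurityManager"     (removing the sandbox)
//   java.lang.RuntimePermission "createClassLoader"      (loading unrestricted code)
//   java.lang.reflect.ReflectPermission "suppressAccessChecks"
```

Policy files are enforced only by the Java security manager, which is deprecated for removal since Java 17 (JEP 411). Running the UI server as an unprivileged user, as in option (2), is independent of the JVM and still applies there.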