Posted to dev@storm.apache.org by revans2 <gi...@git.apache.org> on 2018/10/18 15:47:37 UTC
[GitHub] storm pull request #2886: Improve the security docs on how to configure some...
GitHub user revans2 opened a pull request:
https://github.com/apache/storm/pull/2886
Improve the security docs on how to configure something like SSO for UI
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/revans2/incubator-storm UI_SECURITY_DOCS
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/storm/pull/2886.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #2886
---
[GitHub] storm pull request #2886: Improve the security docs on how to configure some...
Posted by d2r <gi...@git.apache.org>.
Github user d2r commented on a diff in the pull request:
https://github.com/apache/storm/pull/2886#discussion_r226363931
--- Diff: docs/SECURITY.md ---
@@ -50,17 +50,33 @@ The UI and logviewer processes provide a way to not only see what a cluster is
doing, but also manipulate running topologies. In general these processes should
not be exposed except to users of the cluster.
-Some form of Authentication is typically required, with using java servlet filters
+Some form of Authentication is typically required, and can be done using a java servlet filter
```yaml
ui.filter: "filter.class"
ui.filter.params: "param1":"value1"
logviewer.filter: "filter.class"
logviewer.filter.params: "param1":"value1"
```
-or by restricting the UI/log viewers ports to only accept connections from local
-hosts, and then front them with another web server, like Apache httpd, that can
-authenticate/authorize incoming connections and
+
+The `ui.filter` is an instance of `javax.servlet.Filter` that is intended to
+filter all incomming requests to the UI and authenticate the request mapping
+it to a "user". Typically this is done by modifying or wrapping the
+`HttpServletRequest` to return the user principal through the
+`getUserPrincipal()` method or returning the user name through the
+`getRemoteUser()` method. If your filter authenticates in a differnt way you
+can look at setting `ui.http.creds.plugin` to point to an instance of `IHttpCredentialsPlugin`
+that can take the `HttpServletRequest` and return a user name and populate the needed fields
+in the current `ReqContext`. These are advanced features and you may want to look at the
+`DefaultHttpCredentialsPlugin` as an example of how to do this.
+
+These same settings apply to the logviewer too. If you want to have separate controle
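Review bot: the added line `+The \`ui.filter\` is an instance of \`javax.servlet.Filter\`` contradicts the config example directly above it, where `ui.filter: "filter.class"` is a class name string, not an instance; suggest "names a class implementing `javax.servlet.Filter`, which the UI loads and applies to every request". While this paragraph is being rewritten, the unchanged example `ui.filter.params: "param1":"value1"` is not YAML map syntax (a quoted scalar followed by a second scalar on the same line fails to parse); the explicit form `ui.filter.params: {"param1": "value1"}` is what a user should copy. The typos `incomming`, `differnt` and `controle` in the added lines were already flagged.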
--- End diff --
`control`
---
[GitHub] storm pull request #2886: Improve the security docs on how to configure some...
Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:
https://github.com/apache/storm/pull/2886
---
[GitHub] storm pull request #2886: Improve the security docs on how to configure some...
Posted by d2r <gi...@git.apache.org>.
Github user d2r commented on a diff in the pull request:
https://github.com/apache/storm/pull/2886#discussion_r226364665
--- Diff: docs/SECURITY.md ---
@@ -94,6 +110,17 @@ curl -i --negotiate -u:anyUser -b ~/cookiejar.txt -c ~/cookiejar.txt http://s
**Caution**: In AD MIT Keberos setup the key size is bigger than the default UI jetty server request header size. Make sure you set ui.header.buffer.bytes to 65536 in storm.yaml. More details are on [STORM-633](https://issues.apache.org/jira/browse/STORM-633)
+## DRPC HTTP
+
+The DRPC server optionally supports a REST endpoint as well, and you can configure authentication
+on that endpoint similar to the ui/logviewer.
+
+The `drpc.http.filter` and `drpc.http.filter.params` configs can be used to setup a `Filter` for the DRPC server. Unlike the logviewer
+it does not fall back to the UI configs as the DRPC server is intended to be REST only and often will be hit by headless users.
+
+The `drpc.http.creds.plugin` confg can be used in cases where the default plugin is not good enough because of how authentication happens.
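Review bot: the new DRPC HTTP section says authentication is configured "similar to the ui/logviewer" but shows no config, so mirror the yaml block from the UI section here with `drpc.http.filter: "filter.class"` and `drpc.http.filter.params: ...`, and name the default (the UI section refers to `DefaultHttpCredentialsPlugin`). The last added line, "not good enough because of how authentication happens", leaves the reader to guess the trigger; state it as in the UI section, i.e. a filter that does not expose the user through `getUserPrincipal()` or `getRemoteUser()` needs `drpc.http.creds.plugin`. The `confg` typo was already flagged.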
--- End diff --
`config`
---
[GitHub] storm pull request #2886: Improve the security docs on how to configure some...
Posted by d2r <gi...@git.apache.org>.
Github user d2r commented on a diff in the pull request:
https://github.com/apache/storm/pull/2886#discussion_r226363943
--- Diff: docs/SECURITY.md ---
@@ -50,17 +50,33 @@ The UI and logviewer processes provide a way to not only see what a cluster is
doing, but also manipulate running topologies. In general these processes should
not be exposed except to users of the cluster.
-Some form of Authentication is typically required, with using java servlet filters
+Some form of Authentication is typically required, and can be done using a java servlet filter
```yaml
ui.filter: "filter.class"
ui.filter.params: "param1":"value1"
logviewer.filter: "filter.class"
logviewer.filter.params: "param1":"value1"
```
-or by restricting the UI/log viewers ports to only accept connections from local
-hosts, and then front them with another web server, like Apache httpd, that can
-authenticate/authorize incoming connections and
+
+The `ui.filter` is an instance of `javax.servlet.Filter` that is intended to
+filter all incomming requests to the UI and authenticate the request mapping
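Review bot: the removed lines `-or by restricting the UI/log viewers ports to only accept connections from local` / `-hosts, and then front them with another web server, like Apache httpd, that can` / `-authenticate/authorize incoming connections and` drop the reverse-proxy deployment option with nothing replacing it in this hunk. That option is still valid and is one common way to put an SSO layer in front of the UI, which is the stated goal in the PR title, so unless a later part of the patch reinstates it, keep a sentence saying the UI and logviewer can instead be restricted to local connections behind an authenticating proxy, and add the caveat that in that setup the filter or creds plugin must still map the identity the proxy forwards (for example in a request header) to a user, because the servlet otherwise only sees the proxy's own connection.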
--- End diff --
`incoming`
---
[GitHub] storm issue #2886: Improve the security docs on how to configure something l...
Posted by revans2 <gi...@git.apache.org>.
Github user revans2 commented on the issue:
https://github.com/apache/storm/pull/2886
Thanks @d2r, I spell-checked the whole file and I think I got all of the typos.
---