Posted to issues@storm.apache.org by "Steve Miller (JIRA)" <ji...@apache.org> on 2017/09/15 13:44:00 UTC

[jira] [Created] (STORM-2739) Storm UI fails to bind to ui.host when using https

Steve Miller created STORM-2739:
-----------------------------------

             Summary: Storm UI fails to bind to ui.host when using https
                 Key: STORM-2739
                 URL: https://issues.apache.org/jira/browse/STORM-2739
             Project: Apache Storm
          Issue Type: Bug
          Components: storm-ui
    Affects Versions: 1.1.1
         Environment: all
            Reporter: Steve Miller


When using https with the Storm UI, it ignores the value of ui.host, and binds to 0.0.0.0.

Starting with this config:


{code:yaml}
storm.local.dir: "/opt/storm"
storm.zookeeper.servers:
    - "bigstorm.porcupineracing.com"
nimbus.seeds: ["bigstorm.porcupineracing.com"]
nimbus.childopts: "-Xmx1024m -Djava.security.auth.login.config=/keytabs/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf"
ui.childopts: "-Xmx768m -Djava.security.auth.login.config=/keytabs/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf"
supervisor.childopts: "-Xmx768m -Djava.security.auth.login.config=/keytabs/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf"
storm.thrift.transport: "org.apache.storm.security.auth.kerberos.KerberosSaslTransportPlugin"
java.security.auth.login.config: "/keytabs/jaas.conf"
storm.zookeeper.superACL: "sasl:storm@PORCUPINERACING.COM"

ui.host: 127.0.0.1

nimbus.authorizer: "org.apache.storm.security.auth.authorizer.SimpleACLAuthorizer"
nimbus.admins:
  - "storm/bigstorm.porcupineracing.com@PORCUPINERACING.COM"
  - "storm@PORCUPINERACING.COM"
  - "storm"
nimbus.supervisor.users:
  - "storm/bigstorm.porcupineracing.com@PORCUPINERACING.COM"
  - "storm@PORCUPINERACING.COM"
  - "storm"
nimbus.users:
   - "steven.miller"
   - "steven.miller@PORCUPINERACING.COM"
{code}

I can start the UI and verify using lsof that it's only listening on localhost:


{code}
[root@bigstorm bin]# ps axuww | grep ui.core
root      5080  0.1  5.6 2850232 217688 pts/1  Sl   Sep14   1:31 java -server -Ddaemon.name=ui -Dstorm.options= -Dstorm.home=/opt/apache-storm-1.1.1 -Dstorm.log.dir=/opt/apache-storm-1.1.1/logs -Djava.library.path=/usr/local/lib:/opt/local/lib:/usr/lib -Dstorm.conf.file= -cp /opt/apache-storm-1.1.1/lib/asm-5.0.3.jar:/opt/apache-storm-1.1.1/lib/clojure-1.7.0.jar:/opt/apache-storm-1.1.1/lib/disruptor-3.3.2.jar:/opt/apache-storm-1.1.1/lib/kryo-3.0.3.jar:/opt/apache-storm-1.1.1/lib/log4j-api-2.8.2.jar:/opt/apache-storm-1.1.1/lib/log4j-core-2.8.2.jar:/opt/apache-storm-1.1.1/lib/log4j-over-slf4j-1.6.6.jar:/opt/apache-storm-1.1.1/lib/log4j-slf4j-impl-2.8.2.jar:/opt/apache-storm-1.1.1/lib/minlog-1.3.0.jar:/opt/apache-storm-1.1.1/lib/objenesis-2.1.jar:/opt/apache-storm-1.1.1/lib/reflectasm-1.10.1.jar:/opt/apache-storm-1.1.1/lib/ring-cors-0.1.5.jar:/opt/apache-storm-1.1.1/lib/servlet-api-2.5.jar:/opt/apache-storm-1.1.1/lib/slf4j-api-1.7.21.jar:/opt/apache-storm-1.1.1/lib/storm-core-1.1.1.jar:/opt/apache-storm-1.1.1/lib/storm-rename-hack-1.1.1.jar:/opt/apache-storm-1.1.1:/opt/apache-storm-default/conf -Xmx768m -Djava.security.auth.login.config=/keytabs/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf -Dlogfile.name=ui.log -DLog4jContextSelector=org.apache.logging.log4j.core.async.AsyncLoggerContextSelector -Dlog4j.configurationFile=/opt/apache-storm-1.1.1/log4j2/cluster.xml org.apache.storm.ui.core
root     19913  0.0  0.0 112648   972 pts/1    R+   09:26   0:00 grep --color=auto ui.core

[root@bigstorm bin]# lsof -p 5080 -P | grep LISTEN
java    5080 root   27u     IPv6             597116       0t0      TCP localhost:8080 (LISTEN)
{code}


Now if I add the https config:

{code:yaml}
ui.https.host: "localhost"
ui.https.port: 8443
ui.https.keystore.type: "jks"
ui.https.keystore.path: "/keytabs/keystore.jks"
ui.https.keystore.password: "sooper-sekrit"
ui.https.key.password: "sooper-sekrit"
{code}

and I restart the UI, I can see that it's listening on *:8443:

{code}
[root@bigstorm bin]# ps axuww | grep ui.core
root     19921 17.2  5.4 2849188 210896 pts/1  Sl   09:26   0:04 java -server -Ddaemon.name=ui -Dstorm.options= -Dstorm.home=/opt/apache-storm-1.1.1 -Dstorm.log.dir=/opt/apache-storm-1.1.1/logs -Djava.library.path=/usr/local/lib:/opt/local/lib:/usr/lib -Dstorm.conf.file= -cp /opt/apache-storm-1.1.1/lib/asm-5.0.3.jar:/opt/apache-storm-1.1.1/lib/clojure-1.7.0.jar:/opt/apache-storm-1.1.1/lib/disruptor-3.3.2.jar:/opt/apache-storm-1.1.1/lib/kryo-3.0.3.jar:/opt/apache-storm-1.1.1/lib/log4j-api-2.8.2.jar:/opt/apache-storm-1.1.1/lib/log4j-core-2.8.2.jar:/opt/apache-storm-1.1.1/lib/log4j-over-slf4j-1.6.6.jar:/opt/apache-storm-1.1.1/lib/log4j-slf4j-impl-2.8.2.jar:/opt/apache-storm-1.1.1/lib/minlog-1.3.0.jar:/opt/apache-storm-1.1.1/lib/objenesis-2.1.jar:/opt/apache-storm-1.1.1/lib/reflectasm-1.10.1.jar:/opt/apache-storm-1.1.1/lib/ring-cors-0.1.5.jar:/opt/apache-storm-1.1.1/lib/servlet-api-2.5.jar:/opt/apache-storm-1.1.1/lib/slf4j-api-1.7.21.jar:/opt/apache-storm-1.1.1/lib/storm-core-1.1.1.jar:/opt/apache-storm-1.1.1/lib/storm-rename-hack-1.1.1.jar:/opt/apache-storm-1.1.1:/opt/apache-storm-default/conf -Xmx768m -Djava.security.auth.login.config=/keytabs/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf -Dlogfile.name=ui.log -DLog4jContextSelector=org.apache.logging.log4j.core.async.AsyncLoggerContextSelector -Dlog4j.configurationFile=/opt/apache-storm-1.1.1/log4j2/cluster.xml org.apache.storm.ui.core
root     20018  0.0  0.0 112648   968 pts/1    R+   09:27   0:00 grep --color=auto ui.core
[root@bigstorm bin]# lsof -p 19921 -P | grep LISTEN
java    19921 root   38u  IPv6             677914       0t0      TCP *:8443 (LISTEN)
{code}

I have a situation in which I'm trying to limit access to the UI on a per-user basis.  The UI seems, as far as I can tell, only to support limiting access to users with valid Kerberos tickets (which is everyone here :) ), so I was trying to put a proxy in front of the UI and run it just on localhost, and rely on the proxy to do the authentication.

This bug means that if I was to do that, I'd have to run the UI without https, which means that people's credentials would be bouncing around in the clear (again, as far as I can tell; I tcpdumped that and I could see, say, storm@PORCUPINERACING.COM in the base64 decode of the Authorization: HTTP header, at least, which I figure was a bad sign).

I looked at the code and didn't see anything obvious, but since I don't know Clojure or Netty it was probably staring me in the face. :) But if you could fix this that'd be awesome, and it'd let me secure this in a way that I'd find much more reassuring.  Thanks!



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
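The check the reporter ran by hand (run `lsof`, then read the address column) is worth scripting when a daemon is supposed to sit behind a local reverse proxy. The following is an added example, not code from the ticket or from the Storm project: it parses the text that `lsof -p <pid> -P | grep LISTEN` prints and flags any listening socket bound to a wildcard address instead of loopback. The two sample lines are constructed from the captures above, and the function names are the example's own.

```python
"""Flag listening sockets bound to all interfaces in `lsof` output.

Added example (not from the Storm project or the JIRA reporter). Given the
lines printed by `lsof -p <pid> -P | grep LISTEN`, report any TCP listener
whose bind address is a wildcard ('*', '0.0.0.0', '[::]') rather than a
loopback address. The symptom in the report above is exactly this: the UI
was meant to listen on 127.0.0.1 only, but the https listener came up on *.
"""
import re

# NAME column of an lsof TCP line looks like "<addr>:<port> (LISTEN)".
_LISTEN_RE = re.compile(r"TCP\s+(?P<addr>\S+?):(?P<port>\d+)\s+\(LISTEN\)")

LOOPBACK_ADDRS = {"localhost", "127.0.0.1", "[::1]", "ip6-localhost"}
WILDCARD_ADDRS = {"*", "0.0.0.0", "[::]"}

# Constructed sample input, modelled on the two lsof captures in the report.
SAMPLE_HTTP = (
    "java    5080 root   27u     IPv6             597116       0t0      "
    "TCP localhost:8080 (LISTEN)"
)
SAMPLE_HTTPS = (
    "java    19921 root   38u  IPv6             677914       0t0      "
    "TCP *:8443 (LISTEN)"
)


def parse_listeners(lsof_output):
    """Return (command, pid, addr, port) for every LISTEN line in the output."""
    listeners = []
    for line in lsof_output.splitlines():
        match = _LISTEN_RE.search(line)
        if not match:
            continue
        fields = line.split()
        listeners.append(
            (fields[0], int(fields[1]), match.group("addr"), int(match.group("port")))
        )
    return listeners


def wildcard_listeners(lsof_output):
    """Listeners bound to all interfaces: the condition the bug report describes."""
    return [l for l in parse_listeners(lsof_output) if l[2] in WILDCARD_ADDRS]


def only_loopback(lsof_output):
    """True when the output shows at least one listener and all are on loopback."""
    listeners = parse_listeners(lsof_output)
    return bool(listeners) and all(l[2] in LOOPBACK_ADDRS for l in listeners)


if __name__ == "__main__":
    for label, sample in (("http", SAMPLE_HTTP), ("https", SAMPLE_HTTPS)):
        exposed = wildcard_listeners(sample)
        verdict = "loopback only" if only_loopback(sample) else "EXPOSED"
        print(f"{label}: {verdict}", exposed)
```

In practice you would feed it the live output (`subprocess.run(["lsof", "-p", pid, "-P"], ...)`) from a post-start health check so that a listener silently widening to `*` fails the deployment instead of being discovered later with tcpdump.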