Repository: ambari Updated Branches: refs/heads/branch-2.4 7f697effa -> 5103939ab
AMBARI-17641. Add storm impersonation authorized along with default ACL. (Sriharsha via Jaimin) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/5103939a Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/5103939a Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/5103939a Branch: refs/heads/branch-2.4 Commit: 5103939ab8cb0b242db6641ba08ef3e40a7536dd Parents: 7f697ef Author: Jaimin Jetly <[email protected]> Authored: Mon Jul 18 13:40:43 2016 -0700 Committer: Jaimin Jetly <[email protected]> Committed: Mon Jul 18 13:40:43 2016 -0700 ---------------------------------------------------------------------- .../STORM/1.0.1/configuration/storm-site.xml | 26 ++++++++++++++++++++ .../common-services/STORM/1.0.1/kerberos.json | 2 ++ .../stacks/HDP/2.5/services/stack_advisor.py | 15 ++++++++++- 3 files changed, 42 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/5103939a/ambari-server/src/main/resources/common-services/STORM/1.0.1/configuration/storm-site.xml ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/STORM/1.0.1/configuration/storm-site.xml b/ambari-server/src/main/resources/common-services/STORM/1.0.1/configuration/storm-site.xml
index 19f984b..31daf75 100644
--- a/ambari-server/src/main/resources/common-services/STORM/1.0.1/configuration/storm-site.xml
+++ b/ambari-server/src/main/resources/common-services/STORM/1.0.1/configuration/storm-site.xml
@@ -83,4 +83,30 @@
 <value>org.apache.storm.hack.StormShadeTransformer</value>
 <on-ambari-upgrade add="true"/>
 </property>
+ <property>
+ <name>nimbus.impersonation.authorizer</name>
+ <value/>
+ <description>
+ To ensure only authorized users can perform impersonation you should start nimbus with nimbus.impersonation.authorizer set to org.apache.storm.security.auth.authorizer.ImpersonationAuthorizer.
+ A storm client may submit requests on behalf of another user. For example, if a userX submits an oozie workflow and as part of workflow execution if user oozie wants to submit a topology on behalf of userX it can do so by leveraging the impersonation feature.In order to submit topology as some other user , you can use StormSubmitter.submitTopologyAs API. Alternatively you can use NimbusClient.getConfiguredClientAs to get a nimbus client as some other user and perform any nimbus action(i.e. kill/rebalance/activate/deactivate) using this client.
+ </description>
+ </property>
+ <property>
+ <name>nimbus.impersonation.acl</name>
+ <value/>
+ <description>
+ The ImpersonationAuthorizer uses nimbus.impersonation.acl as the acl to authorize users. Following is a sample nimbus config for supporting impersonation:
+ nimbus.impersonation.acl:
+ impersonating_user1:
+ hosts:
+ [comma separated list of hosts from which impersonating_user1 is allowed to impersonate other users]
+ groups:
+ [comma separated list of groups whose users impersonating_user1 is allowed to impersonate]
+ impersonating_user2:
+ hosts:
+ [comma separated list of hosts from which impersonating_user2 is allowed to impersonate other users]
+ groups:
+ [comma separated list of groups whose users impersonating_user2 is allowed to impersonate]
+ </description>
+ </property>
 </configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/5103939a/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json ----------------------------------------------------------------------
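Review bot: The two new `<property>` entries omit the `<on-ambari-upgrade add="true"/>` element that the preceding property in the context lines carries; if the stack definition loader requires that element on every property (the rest of this file appears to carry it), these two should get `<on-ambari-upgrade add="true"/>` as well. The `nimbus.impersonation.authorizer` description tells operators which class to set but says nothing about what the shipped empty `<value/>` means, so a sentence stating whether Nimbus rejects or accepts impersonation requests unchecked when no authorizer is configured would help them judge the default. The same description also has "feature.In order" and "user ," spacing slips worth tidying.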
diff --git a/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json b/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json
index b88dd44..5a9f24c 100644
--- a/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json
+++ b/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json
@@ -40,6 +40,8 @@
 "supervisor.enable": "true",
 "storm.zookeeper.superACL": "sasl:{{storm_bare_jaas_principal}}",
 "java.security.auth.login.config": "{{conf_dir}}/storm_jaas.conf",
+ "nimbus.impersonation.authorizer": "org.apache.storm.security.auth.authorizer.ImpersonationAuthorizer",
+ "nimbus.impersonation.acl": "{ {{storm_bare_jaas_principal}} : {hosts: ['*'], groups: ['*']}}",
 "nimbus.admins": "['{{storm_bare_jaas_principal}}']",
 "nimbus.supervisor.users": "['{{storm_bare_jaas_principal}}']",
 "ui.filter.params": "{'type': 'kerberos', 'kerberos.principal': '{{storm_ui_jaas_principal}}', 'kerberos.keytab': '{{storm_ui_keytab_path}}', 'kerberos.name.rules': 'DEFAULT'}"
http://git-wip-us.apache.org/repos/asf/ambari/blob/5103939a/ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py b/ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py
index 0d12ffc..65c21fc 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py
+++ b/ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py
@@ -22,6 +22,7 @@ import traceback
 from resource_management.core.logger import Logger
 from resource_management.core.exceptions import Fail
+from resource_management.libraries.functions.get_bare_principal import get_bare_principal
 class HDP25StackAdvisor(HDP24StackAdvisor):
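Review bot: The default `nimbus.impersonation.acl` added here grants the storm service principal `hosts: ['*'], groups: ['*']`, which is the widest grant the ImpersonationAuthorizer supports: that principal may act as any user from any host. That may be the intended baseline for the service principal once Kerberos is enabled, but kerberos.json cannot carry a comment, so the rationale and the advice to narrow `hosts` to the Nimbus/UI hosts and `groups` to the groups that genuinely submit on behalf of others belong in the `nimbus.impersonation.acl` description in storm-site.xml or the commit message. The stack advisor hunk below appears to rewrite this very template, so any later edit to this value must keep the `{{storm_bare_jaas_principal}}` placeholder intact.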
@@ -310,11 +311,23 @@ class HDP25StackAdvisor(HDP24StackAdvisor):
 "HBASE": self.recommendHBASEConfigurations,
 "HIVE": self.recommendHIVEConfigurations,
 "ATLAS": self.recommendAtlasConfigurations,
- "RANGER_KMS": self.recommendRangerKMSConfigurations
+ "RANGER_KMS": self.recommendRangerKMSConfigurations,
+ "STORM": self.recommendStormConfigurations
 }
 parentRecommendConfDict.update(childRecommendConfDict)
 return parentRecommendConfDict
+ def recommendStormConfigurations(self, configurations, clusterData, services, hosts):
+ storm_site = getServicesSiteProperties(services, "storm-site")
+ putStormSiteProperty = self.putProperty(configurations, "storm-site", services)
+ security_enabled = (storm_site is not None and "storm.zookeeper.superACL" in storm_site)
+ if security_enabled:
+ _storm_principal_name = services['configurations']['storm-env']['properties']['storm_principal_name']
+ storm_bare_jaas_principal = get_bare_principal(_storm_principal_name)
+ storm_nimbus_impersonation_acl = storm_site["nimbus.impersonation.acl"]
+ storm_nimbus_impersonation_acl.replace('{{storm_bare_jaas_principal}}', storm_bare_jaas_principal)
+ putStormSiteProperty('nimbus.impersonation.acl', storm_nimbus_impersonation_acl)
+
 def recommendAtlasConfigurations(self, configurations, clusterData, services, hosts):
 putAtlasApplicationProperty = self.putProperty(configurations, "application-properties", services)
 putAtlasRangerPluginProperty = self.putProperty(configurations, "ranger-atlas-plugin-properties", services)
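Review bot: In `recommendStormConfigurations` the result of `storm_nimbus_impersonation_acl.replace(...)` is thrown away — `str.replace` returns a new string and never mutates — so `putStormSiteProperty` writes the value back with the literal `{{storm_bare_jaas_principal}}` placeholder rather than the bare principal. The line should read `storm_nimbus_impersonation_acl = storm_nimbus_impersonation_acl.replace('{{storm_bare_jaas_principal}}', storm_bare_jaas_principal)`. `storm_site["nimbus.impersonation.acl"]` also raises `KeyError` when the property is missing from the submitted storm-site, failing the whole recommendation request; `storm_site.get("nimbus.impersonation.acl")` with an early return on `None` keeps it best-effort. If a parent advisor already defines `recommendStormConfigurations`, this entry replaces it in the dispatch dict without a `super(HDP25StackAdvisor, self).recommendStormConfigurations(...)` call, so the parent's Storm recommendations would be dropped — worth confirming. A one-line docstring such as `"""Substitute the bare storm principal into the nimbus.impersonation.acl template on secured clusters."""` would make the intent clear; the method's class starts outside the hunk.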
