Repository: storm
Updated Branches:
  refs/heads/1.0.x-branch c1a1c10dd -> 59e2539fa


Merge branch 'STORM-3027-1.x' of https://github.com/revans2/incubator-storm 
into 1.x-branch

STORM-3027: Make impersonation optional


Project: http://git-wip-us.apache.org/repos/asf/storm/repo
Commit: http://git-wip-us.apache.org/repos/asf/storm/commit/59e2539f
Tree: http://git-wip-us.apache.org/repos/asf/storm/tree/59e2539f
Diff: http://git-wip-us.apache.org/repos/asf/storm/diff/59e2539f

Branch: refs/heads/1.0.x-branch
Commit: 59e2539fa23bde8c81b287ae26d6297cd331d5ea
Parents: c1a1c10
Author: Robert Evans <ev...@yahoo-inc.com>
Authored: Wed Apr 11 10:05:35 2018 -0500
Committer: Robert Evans <ev...@yahoo-inc.com>
Committed: Wed Apr 11 10:36:17 2018 -0500

----------------------------------------------------------------------
 .../auth/AbstractSaslServerCallbackHandler.java |  8 +++++++
 .../security/auth/SaslTransportPlugin.java      |  5 +++--
 .../security/auth/ThriftConnectionType.java     | 18 ++++++++++++----
 .../auth/digest/DigestSaslTransportPlugin.java  |  4 ++--
 .../auth/digest/ServerCallbackHandler.java      | 22 ++++++--------------
 .../kerberos/KerberosSaslTransportPlugin.java   |  6 +++---
 .../auth/kerberos/ServerCallbackHandler.java    | 11 +++++++---
 .../auth/plain/PlainSaslTransportPlugin.java    |  4 ++--
 .../auth/plain/PlainServerCallbackHandler.java  | 19 ++++-------------
 9 files changed, 50 insertions(+), 47 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/storm/blob/59e2539f/storm-core/src/jvm/org/apache/storm/security/auth/AbstractSaslServerCallbackHandler.java
----------------------------------------------------------------------
diff --git 
a/storm-core/src/jvm/org/apache/storm/security/auth/AbstractSaslServerCallbackHandler.java
 
b/storm-core/src/jvm/org/apache/storm/security/auth/AbstractSaslServerCallbackHandler.java
index ebbe2ea..25112a4 100644
--- 
a/storm-core/src/jvm/org/apache/storm/security/auth/AbstractSaslServerCallbackHandler.java
+++ 
b/storm-core/src/jvm/org/apache/storm/security/auth/AbstractSaslServerCallbackHandler.java
@@ -34,6 +34,11 @@ public abstract class AbstractSaslServerCallbackHandler 
implements CallbackHandl
     private static final Logger LOG = 
LoggerFactory.getLogger(AbstractSaslServerCallbackHandler.class);
     protected final Map<String,String> credentials = new HashMap<>();
     protected String userName;
+    protected final boolean impersonationAllowed;
+
+    protected AbstractSaslServerCallbackHandler(boolean impersonationAllowed) {
+        this.impersonationAllowed = impersonationAllowed;
+    }
 
     public void handle(Callback[] callbacks) throws 
UnsupportedCallbackException {
         for (Callback callback : callbacks) {
@@ -82,6 +87,9 @@ public abstract class AbstractSaslServerCallbackHandler 
implements CallbackHandl
         //When authNid and authZid are not equal , authNId is attempting to 
impersonate authZid, We
         //add the authNid as the real user in reqContext's subject which will 
be used during authorization.
         if(!authenticationID.equals(ac.getAuthorizationID())) {
+            if (!impersonationAllowed) {
+                throw new IllegalArgumentException("Impersonation is not 
allowed for this server");
+            }
             LOG.info("Impersonation attempt  authenticationID = {} 
authorizationID = {}",
                 ac.getAuthenticationID(),  ac.getAuthorizationID());
             ReqContext.context().setRealPrincipal(new 
SaslTransportPlugin.User(ac.getAuthenticationID()));

http://git-wip-us.apache.org/repos/asf/storm/blob/59e2539f/storm-core/src/jvm/org/apache/storm/security/auth/SaslTransportPlugin.java
----------------------------------------------------------------------
diff --git 
a/storm-core/src/jvm/org/apache/storm/security/auth/SaslTransportPlugin.java 
b/storm-core/src/jvm/org/apache/storm/security/auth/SaslTransportPlugin.java
index cc840dd..1fbceca 100644
--- a/storm-core/src/jvm/org/apache/storm/security/auth/SaslTransportPlugin.java
+++ b/storm-core/src/jvm/org/apache/storm/security/auth/SaslTransportPlugin.java
@@ -64,7 +64,7 @@ public abstract class SaslTransportPlugin implements 
ITransportPlugin {
     @Override
     public TServer getServer(TProcessor processor) throws IOException, 
TTransportException {
         int port = type.getPort(storm_conf);
-        TTransportFactory serverTransportFactory = getServerTransportFactory();
+        TTransportFactory serverTransportFactory = 
getServerTransportFactory(type.isImpersonationAllowed());
         TServerSocket serverTransport = new TServerSocket(port);
         int numWorkerThreads = type.getNumThreads(storm_conf);
         Integer queueSize = type.getQueueSize(storm_conf);
@@ -90,10 +90,11 @@ public abstract class SaslTransportPlugin implements 
ITransportPlugin {
 
     /**
      * All subclass must implement this method
+     * @param impersonationAllowed true if SASL impersonation should be 
allowed, else false.
      * @return server transport factory
      * @throws IOException
      */
-    protected abstract TTransportFactory getServerTransportFactory() throws 
IOException;
+    protected abstract TTransportFactory getServerTransportFactory(boolean 
impersonationAllowed) throws IOException;
 
 
     /**                                                                        
                                                                                
                     

http://git-wip-us.apache.org/repos/asf/storm/blob/59e2539f/storm-core/src/jvm/org/apache/storm/security/auth/ThriftConnectionType.java
----------------------------------------------------------------------
diff --git 
a/storm-core/src/jvm/org/apache/storm/security/auth/ThriftConnectionType.java 
b/storm-core/src/jvm/org/apache/storm/security/auth/ThriftConnectionType.java
index f627956..e140762 100644
--- 
a/storm-core/src/jvm/org/apache/storm/security/auth/ThriftConnectionType.java
+++ 
b/storm-core/src/jvm/org/apache/storm/security/auth/ThriftConnectionType.java
@@ -27,25 +27,27 @@ import java.util.Map;
  */
 public enum ThriftConnectionType {
     NIMBUS(Config.NIMBUS_THRIFT_TRANSPORT_PLUGIN, Config.NIMBUS_THRIFT_PORT, 
Config.NIMBUS_QUEUE_SIZE,
-         Config.NIMBUS_THRIFT_THREADS, Config.NIMBUS_THRIFT_MAX_BUFFER_SIZE),
+         Config.NIMBUS_THRIFT_THREADS, Config.NIMBUS_THRIFT_MAX_BUFFER_SIZE, 
true),
     DRPC(Config.DRPC_THRIFT_TRANSPORT_PLUGIN, Config.DRPC_PORT, 
Config.DRPC_QUEUE_SIZE,
-         Config.DRPC_WORKER_THREADS, Config.DRPC_MAX_BUFFER_SIZE),
+         Config.DRPC_WORKER_THREADS, Config.DRPC_MAX_BUFFER_SIZE, false),
     DRPC_INVOCATIONS(Config.DRPC_INVOCATIONS_THRIFT_TRANSPORT_PLUGIN, 
Config.DRPC_INVOCATIONS_PORT, null,
-         Config.DRPC_INVOCATIONS_THREADS, Config.DRPC_MAX_BUFFER_SIZE);
+         Config.DRPC_INVOCATIONS_THREADS, Config.DRPC_MAX_BUFFER_SIZE, false);
 
     private final String _transConf;
     private final String _portConf;
     private final String _qConf;
     private final String _threadsConf;
     private final String _buffConf;
+    private final boolean impersonationAllowed;
 
     ThriftConnectionType(String transConf, String portConf, String qConf,
-                         String threadsConf, String buffConf) {
+                         String threadsConf, String buffConf, boolean 
impersonationAllowed) {
         _transConf = transConf;
         _portConf = portConf;
         _qConf = qConf;
         _threadsConf = threadsConf;
         _buffConf = buffConf;
+        this.impersonationAllowed = impersonationAllowed;
     }
 
     public String getTransportPlugin(Map conf) {
@@ -80,4 +82,12 @@ public enum ThriftConnectionType {
     public int getMaxBufferSize(Map conf) {
         return Utils.getInt(conf.get(_buffConf));
     }
+
+    /**
+     * Check if SASL impersonation is allowed for this transport type.
+     * @return true if it is else false.
+     */
+    public boolean isImpersonationAllowed() {
+        return impersonationAllowed;
+    }
 }

http://git-wip-us.apache.org/repos/asf/storm/blob/59e2539f/storm-core/src/jvm/org/apache/storm/security/auth/digest/DigestSaslTransportPlugin.java
----------------------------------------------------------------------
diff --git 
a/storm-core/src/jvm/org/apache/storm/security/auth/digest/DigestSaslTransportPlugin.java
 
b/storm-core/src/jvm/org/apache/storm/security/auth/digest/DigestSaslTransportPlugin.java
index 4d123aa..b2b2f33 100644
--- 
a/storm-core/src/jvm/org/apache/storm/security/auth/digest/DigestSaslTransportPlugin.java
+++ 
b/storm-core/src/jvm/org/apache/storm/security/auth/digest/DigestSaslTransportPlugin.java
@@ -36,9 +36,9 @@ public class DigestSaslTransportPlugin extends 
SaslTransportPlugin {
     public static final String DIGEST = "DIGEST-MD5";
     private static final Logger LOG = 
LoggerFactory.getLogger(DigestSaslTransportPlugin.class);
 
-    protected TTransportFactory getServerTransportFactory() throws IOException 
{        
+    protected TTransportFactory getServerTransportFactory(boolean 
impersonationAllowed) throws IOException {
         //create an authentication callback handler
-        CallbackHandler serer_callback_handler = new 
ServerCallbackHandler(login_conf);
+        CallbackHandler serer_callback_handler = new 
ServerCallbackHandler(login_conf, impersonationAllowed);
 
         //create a transport factory that will invoke our auth callback for 
digest
         TSaslServerTransport.Factory factory = new 
TSaslServerTransport.Factory();

http://git-wip-us.apache.org/repos/asf/storm/blob/59e2539f/storm-core/src/jvm/org/apache/storm/security/auth/digest/ServerCallbackHandler.java
----------------------------------------------------------------------
diff --git 
a/storm-core/src/jvm/org/apache/storm/security/auth/digest/ServerCallbackHandler.java
 
b/storm-core/src/jvm/org/apache/storm/security/auth/digest/ServerCallbackHandler.java
index 7c4414f..d688e46 100644
--- 
a/storm-core/src/jvm/org/apache/storm/security/auth/digest/ServerCallbackHandler.java
+++ 
b/storm-core/src/jvm/org/apache/storm/security/auth/digest/ServerCallbackHandler.java
@@ -15,29 +15,18 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+
 package org.apache.storm.security.auth.digest;
 
 import java.io.IOException;
-import java.util.HashMap;
 import java.util.Map;
-
-import org.apache.storm.security.auth.AbstractSaslServerCallbackHandler;
-import org.apache.storm.security.auth.ReqContext;
-import org.apache.storm.security.auth.SaslTransportPlugin;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.NameCallback;
 import javax.security.auth.callback.PasswordCallback;
-import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.Configuration;
-import javax.security.sasl.AuthorizeCallback;
-import javax.security.sasl.RealmCallback;
-
+import org.apache.storm.security.auth.AbstractSaslServerCallbackHandler;
 import org.apache.storm.security.auth.AuthUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * SASL server side callback handler
@@ -47,7 +36,8 @@ public class ServerCallbackHandler extends 
AbstractSaslServerCallbackHandler {
     private static final String USER_PREFIX = "user_";
     public static final String SYSPROP_SUPER_PASSWORD = 
"storm.SASLAuthenticationProvider.superPassword";
 
-    public ServerCallbackHandler(Configuration configuration) throws 
IOException {
+    public ServerCallbackHandler(Configuration configuration, boolean 
impersonationAllowed) throws IOException {
+        super(impersonationAllowed);
         if (configuration==null) return;
 
         AppConfigurationEntry configurationEntries[] = 
configuration.getAppConfigurationEntry(AuthUtils.LOGIN_CONTEXT_SERVER);

http://git-wip-us.apache.org/repos/asf/storm/blob/59e2539f/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/KerberosSaslTransportPlugin.java
----------------------------------------------------------------------
diff --git 
a/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/KerberosSaslTransportPlugin.java
 
b/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/KerberosSaslTransportPlugin.java
index 6f1c346..6db99bc 100644
--- 
a/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/KerberosSaslTransportPlugin.java
+++ 
b/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/KerberosSaslTransportPlugin.java
@@ -28,7 +28,6 @@ import java.util.TreeMap;
 import javax.security.auth.Subject;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.kerberos.KerberosTicket;
-import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.Configuration;
 import javax.security.auth.login.LoginException;
 import javax.security.sasl.Sasl;
@@ -51,9 +50,10 @@ public class KerberosSaslTransportPlugin extends 
SaslTransportPlugin {
     public static final String KERBEROS = "GSSAPI"; 
     private static final Logger LOG = 
LoggerFactory.getLogger(KerberosSaslTransportPlugin.class);
 
-    public TTransportFactory getServerTransportFactory() throws IOException {
+    @Override
+    public TTransportFactory getServerTransportFactory(boolean 
impersonationAllowed) throws IOException {
         //create an authentication callback handler
-        CallbackHandler server_callback_handler = new 
ServerCallbackHandler(login_conf, storm_conf);
+        CallbackHandler server_callback_handler = new 
ServerCallbackHandler(login_conf, storm_conf, impersonationAllowed);
         
         //login our principal
         Subject subject = null;

http://git-wip-us.apache.org/repos/asf/storm/blob/59e2539f/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/ServerCallbackHandler.java
----------------------------------------------------------------------
diff --git 
a/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/ServerCallbackHandler.java
 
b/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/ServerCallbackHandler.java
index ba2f4af..de23368 100644
--- 
a/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/ServerCallbackHandler.java
+++ 
b/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/ServerCallbackHandler.java
@@ -24,7 +24,6 @@ import org.apache.storm.security.auth.SaslTransportPlugin;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.security.auth.Subject;
 import javax.security.auth.callback.*;
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.Configuration;
@@ -39,8 +38,10 @@ public class ServerCallbackHandler implements 
CallbackHandler {
     private static final Logger LOG = 
LoggerFactory.getLogger(ServerCallbackHandler.class);
 
     private String userName;
+    private final boolean impersonationAllowed;
 
-    public ServerCallbackHandler(Configuration configuration, Map stormConf) 
throws IOException {
+    public ServerCallbackHandler(Configuration configuration, Map stormConf, 
boolean impersonationAllowed) throws IOException {
+        this.impersonationAllowed = impersonationAllowed;
         if (configuration==null) return;
 
         AppConfigurationEntry configurationEntries[] = 
configuration.getAppConfigurationEntry(AuthUtils.LOGIN_CONTEXT_SERVER);
@@ -52,7 +53,7 @@ public class ServerCallbackHandler implements CallbackHandler 
{
 
     }
 
-    public void handle(Callback[] callbacks) throws 
UnsupportedCallbackException {
+    public void handle(Callback[] callbacks) {
         for (Callback callback : callbacks) {
             if (callback instanceof NameCallback) {
                 handleNameCallback((NameCallback) callback);
@@ -86,6 +87,10 @@ public class ServerCallbackHandler implements 
CallbackHandler {
         //When authNid and authZid are not equal , authNId is attempting to 
impersonate authZid, We
         //add the authNid as the real user in reqContext's subject which will 
be used during authorization.
         if(!ac.getAuthenticationID().equals(ac.getAuthorizationID())) {
+            if (!impersonationAllowed) {
+                throw new IllegalArgumentException(ac.getAuthenticationID() + 
" attempting to impersonate " + ac.getAuthorizationID()
+                    + ".  This is not allowed by this server");
+            }
             ReqContext.context().setRealPrincipal(new 
SaslTransportPlugin.User(ac.getAuthenticationID()));
         } else {
             ReqContext.context().setRealPrincipal(null);

http://git-wip-us.apache.org/repos/asf/storm/blob/59e2539f/storm-core/src/jvm/org/apache/storm/security/auth/plain/PlainSaslTransportPlugin.java
----------------------------------------------------------------------
diff --git 
a/storm-core/src/jvm/org/apache/storm/security/auth/plain/PlainSaslTransportPlugin.java
 
b/storm-core/src/jvm/org/apache/storm/security/auth/plain/PlainSaslTransportPlugin.java
index eaef91a..18cb79e 100644
--- 
a/storm-core/src/jvm/org/apache/storm/security/auth/plain/PlainSaslTransportPlugin.java
+++ 
b/storm-core/src/jvm/org/apache/storm/security/auth/plain/PlainSaslTransportPlugin.java
@@ -36,9 +36,9 @@ public class PlainSaslTransportPlugin extends 
SaslTransportPlugin {
     private static final Logger LOG = 
LoggerFactory.getLogger(PlainSaslTransportPlugin.class);
 
     @Override
-    protected TTransportFactory getServerTransportFactory() throws IOException 
{
+    protected TTransportFactory getServerTransportFactory(boolean 
impersonationAllowed) throws IOException {
         //create an authentication callback handler
-        CallbackHandler serverCallbackHandler = new 
PlainServerCallbackHandler();
+        CallbackHandler serverCallbackHandler = new 
PlainServerCallbackHandler(impersonationAllowed);
         if 
(Security.getProvider(SaslPlainServer.SecurityProvider.SASL_PLAIN_SERVER) == 
null) {
             Security.addProvider(new SaslPlainServer.SecurityProvider());
         }

http://git-wip-us.apache.org/repos/asf/storm/blob/59e2539f/storm-core/src/jvm/org/apache/storm/security/auth/plain/PlainServerCallbackHandler.java
----------------------------------------------------------------------
diff --git 
a/storm-core/src/jvm/org/apache/storm/security/auth/plain/PlainServerCallbackHandler.java
 
b/storm-core/src/jvm/org/apache/storm/security/auth/plain/PlainServerCallbackHandler.java
index c646fc9..bad6653 100644
--- 
a/storm-core/src/jvm/org/apache/storm/security/auth/plain/PlainServerCallbackHandler.java
+++ 
b/storm-core/src/jvm/org/apache/storm/security/auth/plain/PlainServerCallbackHandler.java
@@ -15,26 +15,14 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apache.storm.security.auth.plain;
 
-import java.io.IOException;
-import java.util.HashMap;
-import java.util.Map;
+package org.apache.storm.security.auth.plain;
 
+import javax.security.auth.callback.PasswordCallback;
 import org.apache.storm.security.auth.AbstractSaslServerCallbackHandler;
-import org.apache.storm.security.auth.ReqContext;
-import org.apache.storm.security.auth.SaslTransportPlugin;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.NameCallback;
-import javax.security.auth.callback.PasswordCallback;
-import javax.security.auth.callback.UnsupportedCallbackException;
-import javax.security.sasl.AuthorizeCallback;
-import javax.security.sasl.RealmCallback;
-
 /**
  * SASL server side callback handler
  */
@@ -42,7 +30,8 @@ public class PlainServerCallbackHandler extends 
AbstractSaslServerCallbackHandle
     private static final Logger LOG = 
LoggerFactory.getLogger(PlainServerCallbackHandler.class);
     public static final String PASSWORD = "password";
 
-    public PlainServerCallbackHandler() throws IOException {
+    public PlainServerCallbackHandler(boolean impersonationAllowed) {
+        super(impersonationAllowed);
         userName=null;
     }
 

Reply via email to