[
https://issues.apache.org/jira/browse/STORM-678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14327025#comment-14327025
]
Sriharsha Chintalapani commented on STORM-678:
----------------------------------------------
[~manishknema] Storm UI Kerberos delegation works as expected. The issue here
is we are using the Hadoop Authentication filter for SPNEGO. This filter has a
default value of 10 hours for the cookie, which sets the "token.validity". So if a
user authenticated and grabbed the ticket, it's valid for 10 hrs. Changing kinit
from the command line doesn't affect this.
You can add "token.validity" : "4"; this sets token validity to 4 seconds, and
you can see the change in the UI as you switch between users as you change login
with kinit. In general this is not a regular practice, as users log in with one
single principal.
Here is the example config:
ui.filter.params:
    "type": "kerberos"
    "kerberos.principal": "HTTP/[email protected]"
    "kerberos.keytab": "/vagrant/keytabs/http.keytab"
    "kerberos.name.rules":
        "RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/$MAPRED_USER/
        RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/$HDFS_USER/DEFAULT"
    "token.validity": "4"
> Storm UI Spengo filter should provide a configurable token.validity
> --------------------------------------------------------------------
>
> Key: STORM-678
> URL: https://issues.apache.org/jira/browse/STORM-678
> Project: Apache Storm
> Issue Type: Bug
> Affects Versions: 0.9.3
> Environment: CentOS 6.6 64bit
> Java jdk1.7.0_67
> Kerberos enabled
> Reporter: Manish Nema
> Labels: Security, Storm, storm-security
>
> I am using HDP 2.2 which includes fixes of
> https://issues.apache.org/jira/browse/STORM-216.
> Install STORM with Nagios and Ganglia; there is no HDFS or Hadoop installed on
> the cluster; the cluster is made of three nodes.
> Enable security as guided by Ambari and kerberize the cluster; this covers
> everything as specified in
> https://github.com/apache/storm/blob/security/SECURITY.md .
> Now submit a job from the 'test' user principal from the gateway node. Open Storm
> UI in Firefox or Google Chrome; it shows the topology running as the 'test' user.
> Now kinit with another user 'test2' and refresh the UI. It still says the 'test'
> user. Even closing and re-opening Firefox/Chrome doesn't help. It lets the
> 'test2' user kill the topology of the 'test' user.
> This behaviour is not observed when using the storm kill command on the command line.
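
An added example, not part of the JIRA thread or of Storm's code: it models the expiry field of the cookie issued by the Hadoop authentication filter, to show why a later kinit does not change the UI user until the token expires. The `u=...&p=...&t=...&e=...&s=...` token layout and the expiry comparison are assumptions based on the hadoop-auth library; the principals, timestamps and signature are constructed, and the signature is not verified here.

```python
# Added example: models only the expiry logic of the SPNEGO filter's cookie.
# Token layout is an assumption based on hadoop-auth; the signature is a
# constructed placeholder and is NOT verified.

DEFAULT_VALIDITY_S = 36000  # 10 hours, the default the comment refers to


def issue_token(user, principal, now_ms, validity_s=DEFAULT_VALIDITY_S):
    """Build the token string set after a successful SPNEGO negotiation."""
    expires_ms = now_ms + validity_s * 1000
    return f"u={user}&p={principal}&t=kerberos&e={expires_ms}&s=CONSTRUCTED_SIGNATURE"


def parse_token(cookie_value):
    """Split a cookie value into its fields; 'e' is returned as int milliseconds."""
    raw = cookie_value.strip().strip('"')  # the value may arrive wrapped in quotes
    fields = {}
    for part in raw.split("&"):
        key, sep, value = part.partition("=")  # signature may itself contain '='
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key] = value
    missing = {"u", "p", "t", "e"} - fields.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    fields["e"] = int(fields["e"])
    return fields


def effective_user(cookie_value, now_ms):
    """User the UI keeps serving from the cookie, or None once it has expired.

    None means the filter must run SPNEGO again, which is the first point at
    which the browser presents whatever principal the ticket cache now holds.
    """
    token = parse_token(cookie_value)
    return token["u"] if now_ms <= token["e"] else None


if __name__ == "__main__":
    t0 = 1_424_300_000_000                      # constructed login time (ms)
    after_kinit = t0 + 5 * 60 * 1000            # 'test2' runs kinit 5 minutes later
    default = issue_token("test", "test@EXAMPLE.COM", t0)
    short = issue_token("test", "test@EXAMPLE.COM", t0, validity_s=4)
    print("default validity:", effective_user(default, after_kinit))  # still 'test'
    print("token.validity=4:", effective_user(short, after_kinit))    # renegotiate
```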