[ 
https://issues.apache.org/jira/browse/STORM-678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14327025#comment-14327025
 ] 

Sriharsha Chintalapani edited comment on STORM-678 at 2/19/15 5:56 AM:
-----------------------------------------------------------------------

[~manishknema] Storm UI kerberos delegation works as expected. The issue here 
is we are using the Hadoop Authentication filter for SPNEGO. This filter has a 
default value of 10 hours for the cookie, which sets the "token.validity". So if a 
user authenticated and grabbed the ticket, it's valid for 10 hrs. Changing kinit 
from the command line doesn't affect this. 
You can add "token.validity" : "4"; this sets token validity to 4 seconds, and 
you can see the change in the UI as you switch between users as you change login 
with kinit. In general this is not a regular practice, as users log in with one 
single principal. 

Here is the example config:
ui.filter.params:
   "type": "kerberos"
   "kerberos.principal": "HTTP/[email protected]"
   "kerberos.keytab": "/vagrant/keytabs/http.keytab"
   "kerberos.name.rules": "RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/$MAPRED_USER/ RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/$HDFS_USER/DEFAULT"
   "token.validity": "4"





>  Storm UI Spengo filter doesn't invalidate user session immediately upon 
> kinit as a different user
> --------------------------------------------------------------------------------------------------
>
>                 Key: STORM-678
>                 URL: https://issues.apache.org/jira/browse/STORM-678
>             Project: Apache Storm
>          Issue Type: Bug
>    Affects Versions: 0.9.3
>         Environment: CentOS 6.6 64bit
> Java jdk1.7.0_67
> Kerberos enabled
>            Reporter: Manish Nema
>            Assignee: Sriharsha Chintalapani
>              Labels: Security, Storm, storm-security
>
> I am using HDP 2.2 which includes fixes of  
> https://issues.apache.org/jira/browse/STORM-216. 
> Install STORM with Nagios and Ganglia, there is no HDFS, Hadoop installed on 
> the cluster, cluster is made of three nodes. 
> Enable security as guided by Ambari, kerberize the cluster this covers 
> everything as specified in the 
> https://github.com/apache/storm/blob/security/SECURITY.md . 
> Now submit job from 'test' user principal from the gateway node. Open Storm 
> UI in firefox or google-chrome it shows the topology running as 'test' user. 
> Now kinit with another user 'test2' refresh the UI. It still says the 'test' 
> user. Even closing and re-opening firefox/chrome doesn't help. It lets 
> 'test2' user kill topology of 'test' user.
> This behaviour is not observed when using storm kill command in command line
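
The behaviour discussed above, as an added example that is not part of the original comment or of Storm's or Hadoop's code: it reads the expiry out of an authentication cookie and reports whose identity the UI keeps acting as after a kinit to another principal. The cookie layout (`u`, `p`, `t`, `e` in milliseconds, trailing `s` signature), the function names and the sample values are assumptions made for illustration, and the signature is not verified.

```python
# Added example. Assumed cookie layout:
#   u=<user>&p=<principal>&t=<type>&e=<expiry in ms since epoch>&s=<signature>
REQUIRED = ("u", "p", "t", "e")

def parse_auth_cookie(value):
    """Split the cookie value into token fields and the trailing signature."""
    token, sep, signature = value.strip('"').rpartition("&s=")
    if not sep:
        raise ValueError("no signature field")
    fields = dict(pair.split("=", 1) for pair in token.split("&") if "=" in pair)
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError("missing token fields: %s" % missing)
    return {"user": fields["u"], "principal": fields["p"],
            "expires_ms": int(fields["e"]), "signature": signature}

def session_state(cookie_value, current_principal, now_ms):
    """Return (state, acting_user, seconds_left) for the UI session.

    expired        -> the filter has to negotiate SPNEGO again with the current ticket
    stale-identity -> cookie still valid but issued to a different principal
    current        -> cookie and Kerberos ticket agree
    """
    tok = parse_auth_cookie(cookie_value)
    seconds_left = (tok["expires_ms"] - now_ms) / 1000
    if seconds_left <= 0:
        return ("expired", None, seconds_left)
    if tok["principal"] != current_principal:
        return ("stale-identity", tok["user"], seconds_left)
    return ("current", tok["user"], seconds_left)

def make_cookie(user, principal, issued_ms, validity_s):
    """Build a constructed sample cookie; the signature is a placeholder."""
    return "u=%s&p=%s&t=kerberos&e=%d&s=CONSTRUCTED-SIGNATURE=" % (
        user, principal, issued_ms + validity_s * 1000)

if __name__ == "__main__":
    t0 = 1424325360000  # constructed issue time, ms since epoch
    # 36000 s is the 10-hour default from the comment; 4 s is the suggested test value.
    for validity in (36000, 4):
        cookie = make_cookie("test", "test@EXAMPLE.COM", t0, validity)
        print(validity, session_state(cookie, "test2@EXAMPLE.COM", t0 + 60000))
```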


