[ https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14335105#comment-14335105 ]

Parth Brahmbhatt edited comment on STORM-446 at 2/24/15 5:16 PM:
-----------------------------------------------------------------

Thanks [~revans2], that would be helpful. I knew about ReqContext and 
TransportPlugin. I actually tested the doAs behavior with API changes by adding 
a method addProxyUser to ReqContext which adds a ProxyUser principal to 
reqContext's subject and returns that principal when reqContext.principal() is 
called. The missing part right now is how the client sends this principal 
to the server in our Thrift setup. 




was (Author: parth.brahmbhatt):
Thanks [~revans2], that would be helpful. I knew about ReqContext and 
TransportPlugin. I actually tested the doAs behavior with API changes by adding 
a method addProxyUser to ReqContext which adds a ProxyUser principal to 
reqContext's subject, overriding the principal added during the topLevel 
process which is obtained by calling *saslServer.getAuthorizationID()* and 
returns that principal when reqContext.principal() is called. The missing part 
right now is how the client sends this principal to the server in our Thrift 
setup. 



> secure Impersonation in storm
> -----------------------------
>
>                 Key: STORM-446
>                 URL: https://issues.apache.org/jira/browse/STORM-446
>             Project: Apache Storm
>          Issue Type: Improvement
>            Reporter: Sriharsha Chintalapani
>            Assignee: Parth Brahmbhatt
>              Labels: Security
>
> Storm security adds features of authenticating with Kerberos and then uses 
> that principal and TGT as a way to authorize user operations, topology 
> operation. Currently the Storm UI user needs to be part of nimbus.admins to get 
> details on user submitted topologies. Ideally Storm UI needs to take the 
> authenticated user principal to submit requests to nimbus which will then 
> authorize the user rather than the Storm UI user. This feature will also benefit 
> superusers to impersonate other users to submit topologies in a secured way.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
