[ https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14335387#comment-14335387 ]
Robert Joseph Evans commented on STORM-446:
-------------------------------------------
OK :) so our resident expert was in a meeting, so I traced down the code in
OpenJDK myself.
http://download.java.net/jdk7/archive/b123/docs/api/javax/security/sasl/SaslClientFactory.html#createSaslClient%28java.lang.String%5B%5D,%20java.lang.String,%20java.lang.String,%20java.lang.String,%20java.util.Map,%20javax.security.auth.callback.CallbackHandler%29
The second parameter authorizationId is the name of the principal that you are
trying to impersonate. If it is null then it will just use the original user.
So
https://github.com/apache/storm/blob/master/storm-core/src/jvm/backtype/storm/security/auth/kerberos/KerberosSaslTransportPlugin.java#L127-133
We would change the second argument to TSaslClientTransport from being the
principal, which turns out we don't need, to be the name of the user we wish
to impersonate.
> secure Impersonation in storm
> -----------------------------
>
> Key: STORM-446
> URL: https://issues.apache.org/jira/browse/STORM-446
> Project: Apache Storm
> Issue Type: Improvement
> Reporter: Sriharsha Chintalapani
> Assignee: Parth Brahmbhatt
> Labels: Security
>
> Storm security adds features of authenticating with Kerberos and then uses
> that principal and TGT as a way to authorize user operations, topology
> operation. Currently Storm UI user needs to be part of nimbus.admins to get
> details on user submitted topologies. Ideally storm ui needs to take
> authenticated user principal to submit requests to nimbus which will then
> authorize the user rather than storm UI user. This feature will also benefit
> superusers to impersonate other users to submit topologies in a secured way.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
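
An added example, not part of the original message or of Storm's code: it shows how the authorizationId argument of `Sasl.createSaslClient` reaches the server, and the server-side check that decides whether the authenticated user may act as that identity. It assumes Java 9+ and swaps in the JDK's PLAIN mechanism so it runs without a KDC (Storm's plugin uses Kerberos); the user names, the `MAY_IMPERSONATE` allow-list and the helper methods are hypothetical.

```java
import javax.security.auth.callback.*;
import javax.security.sasl.*;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class AuthzIdDemo {
    // Constructed sample policy (hypothetical): authenticated user -> users it may act as.
    static final Map<String, Set<String>> MAY_IMPERSONATE = Map.of("storm-ui", Set.of("alice"));

    // Client side: authzId is the second argument of createSaslClient; null means "act as myself".
    static byte[] initialResponse(String authzId, String user, String password) throws Exception {
        CallbackHandler cbh = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
        SaslClient client = Sasl.createSaslClient(
                new String[] {"PLAIN"}, authzId, "demo", "localhost", null, cbh);
        return client.evaluateChallenge(new byte[0]);
    }

    // Server side: the PLAIN message is "authzid NUL authcid NUL password".
    // Assumption: the authcid/password pair has already been verified before this is called.
    static String effectiveUser(byte[] msg) {
        String[] f = new String(msg, StandardCharsets.UTF_8).split("\0", -1);
        if (f.length != 3) throw new SecurityException("malformed PLAIN message");
        String authzId = f[0], authcId = f[1];
        // An empty authzid means no impersonation was requested.
        if (authzId.isEmpty() || authzId.equals(authcId)) return authcId;
        // Impersonation is granted only when the allow-list names this exact pair.
        if (MAY_IMPERSONATE.getOrDefault(authcId, Set.of()).contains(authzId)) return authzId;
        throw new SecurityException(authcId + " may not act as " + authzId);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(effectiveUser(initialResponse(null, "storm-ui", "pw")));
        System.out.println(effectiveUser(initialResponse("alice", "storm-ui", "pw")));
        try {
            effectiveUser(initialResponse("alice", "mallory", "pw"));
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The client can put any name in authorizationId, so the decision to honor it has to be made on the server against the authenticated identity.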