[
https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14335650#comment-14335650
]
Parth Brahmbhatt commented on STORM-446:
----------------------------------------
[~revans2] Thanks a lot for the pointer, I tried it and it works as expected.
As far as authZ for impersonation goes, we have 2 options. We already have a list
of admin users, so as part of impersonation I can check that the user trying
to impersonate is in the admin user list. Alternatively, I can follow the
hadoop/hbase config and add the following 2 configs:
storm.impersonation.userX.groups: [list of groups userX is allowed to
impersonate]
storm.impersonation.userX.hosts: [list of hosts from which userX is allowed to
impersonate]
I like the second option as, due to its finer granularity, it provides more security;
however, it also requires extra configuration. Let me know what you guys think.
> secure Impersonation in storm
> -----------------------------
>
> Key: STORM-446
> URL: https://issues.apache.org/jira/browse/STORM-446
> Project: Apache Storm
> Issue Type: Improvement
> Reporter: Sriharsha Chintalapani
> Assignee: Parth Brahmbhatt
> Labels: Security
>
> Storm security adds features of authenticating with Kerberos and then uses
> that principal and TGT as a way to authorize user operations, topology
> operation. Currently the Storm UI user needs to be part of nimbus.admins to get
> details on user submitted topologies. Ideally Storm UI needs to take the
> authenticated user principal to submit requests to nimbus, which will then
> authorize the user rather than the Storm UI user. This feature will also benefit
> superusers to impersonate other users to submit topologies in a secured way.
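The two authorization options weighed in the comment above, side by side, as an added Python example (not code from the comment or from Storm). The key names follow the pattern proposed in the comment; the user, group and host values, the group lookup table and the deny-when-unconfigured behaviour are assumptions made for illustration.

```python
# Added illustration, not Storm code. All users, groups and hosts are constructed.
CONF = {
    "nimbus.admins": ["storm_ui", "ops"],
    # Option 2 keys, following the storm.impersonation.userX.* pattern:
    "storm.impersonation.storm_ui.groups": ["analysts"],
    "storm.impersonation.storm_ui.hosts": ["ui1.example.com"],
}

# Hypothetical stand-in for whatever service maps a user to its groups.
USER_GROUPS = {"alice": {"analysts"}, "bob": {"finance"}}


def allowed_admin_list(conf, impersonator):
    """Option 1: being in the admin list is the whole check.

    The target user and the origin host play no part in the decision.
    """
    return impersonator in conf.get("nimbus.admins", [])


def allowed_acl(conf, user_groups, impersonator, target, remote_host):
    """Option 2: per-impersonator group and host lists.

    Assumption: a missing or empty list denies (fail closed), so an
    impersonator with no explicit configuration can impersonate nobody.
    """
    prefix = "storm.impersonation.%s." % impersonator
    groups = set(conf.get(prefix + "groups") or [])
    hosts = {h.lower() for h in (conf.get(prefix + "hosts") or [])}
    if not groups or not hosts:
        return False
    host_ok = remote_host.lower() in hosts
    group_ok = bool(groups & user_groups.get(target, set()))
    return host_ok and group_ok


if __name__ == "__main__":
    requests = [
        ("storm_ui", "alice", "ui1.example.com"),
        ("storm_ui", "bob", "ui1.example.com"),       # target outside allowed groups
        ("storm_ui", "alice", "laptop.example.com"),  # request from an unlisted host
        ("ops", "alice", "ui1.example.com"),          # admin with no impersonation keys
    ]
    for who, target, host in requests:
        print(who, "->", target, "from", host,
              "| admin list:", allowed_admin_list(CONF, who),
              "| groups+hosts:", allowed_acl(CONF, USER_GROUPS, who, target, host))
```

Under the admin-list check all four sample requests pass; under the groups-and-hosts check only the first does, which is the granularity difference the comment refers to.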