[ https://issues.apache.org/jira/browse/STORM-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14337102#comment-14337102 ]
Parth Brahmbhatt commented on STORM-446:
----------------------------------------
[~revans2] OK, I will go ahead with the second approach, but I am running into
another SASL API detail. I only get the authenticatedId and authorizationId
when the AuthorizationCallBack occurs; once the callback returns, the server seems
to only record the authorizedId, which is what it returns when we call
*saslServer.getAuthorizationID()*, and there is no
*saslServer.getAuthenticationID()* API.
I also considered doing the impersonation authorization as part of
AuthorizationCallback itself, but there is no way to access client ip/hostName
as the callback only gets authenticationId and authorizationId and no socket
information and this information is not known at the time of Callback
initialization.
If you know the workaround off the top of your head, let me know.
> secure Impersonation in storm
> -----------------------------
>
> Key: STORM-446
> URL: https://issues.apache.org/jira/browse/STORM-446
> Project: Apache Storm
> Issue Type: Improvement
> Reporter: Sriharsha Chintalapani
> Assignee: Parth Brahmbhatt
> Labels: Security
>
> Storm security adds features of authenticating with Kerberos and then uses
> that principal and TGT as a way to authorize user operations, topology
> operation. Currently Storm UI user needs to be part of nimbus.admins to get
> details on user submitted topologies. Ideally storm ui needs to take
> authenticated user principal to submit requests to nimbus which will then
> authorize the user rather than storm UI user. This feature will also benefit
> superusers to impersonate other users to submit topologies in a secured way.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
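The SASL constraint described in the comment above, as an added example that is not part of the original message or Storm's code: `javax.security.sasl.AuthorizeCallback` is the only point where both identities are visible, so the handler records them and the host-based impersonation check runs later, once the transport knows the peer address. The class names, the ACL contents, the principals and the addresses are hypothetical, and Java 9+ is assumed for `Map.of`.

```java
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.sasl.AuthorizeCallback;
import java.util.Map;
import java.util.Set;

// Added illustration; class, field and ACL names are hypothetical, not Storm's.
public class ImpersonationSketch {

    // Records both identities while the AuthorizeCallback is in scope,
    // because SaslServer later exposes only getAuthorizationID().
    static class CapturingHandler implements CallbackHandler {
        String authenticationId; // who proved their identity (e.g. the UI principal)
        String authorizationId;  // who they ask to act as

        @Override
        public void handle(Callback[] callbacks) {
            for (Callback cb : callbacks) {
                if (cb instanceof AuthorizeCallback) {
                    AuthorizeCallback ac = (AuthorizeCallback) cb;
                    authenticationId = ac.getAuthenticationID();
                    authorizationId = ac.getAuthorizationID();
                    // Accept the SASL exchange only; the impersonation decision is
                    // deferred until the transport knows the peer address.
                    ac.setAuthorized(true);
                }
            }
        }
    }

    // Constructed ACL: impersonating principal -> hosts it may connect from.
    static final Map<String, Set<String>> ALLOWED_HOSTS = Map.of("ui_user", Set.of("10.0.0.5"));

    // Deny by default: a differing authorizationId needs an ACL entry and a matching host.
    static boolean mayImpersonate(CapturingHandler h, String clientHost) {
        if (h.authenticationId == null || h.authorizationId == null) return false;
        if (h.authenticationId.equals(h.authorizationId)) return true; // no impersonation
        return ALLOWED_HOSTS.getOrDefault(h.authenticationId, Set.of()).contains(clientHost);
    }

    public static void main(String[] args) {
        CapturingHandler h = new CapturingHandler();
        // Constructed callback: "ui_user" authenticated, asks to act as "alice".
        h.handle(new Callback[] { new AuthorizeCallback("ui_user", "alice") });
        System.out.println(mayImpersonate(h, "10.0.0.5"));  // listed host
        System.out.println(mayImpersonate(h, "10.0.0.99")); // unlisted host
    }
}
```

The handler holds per-connection state, so this sketch assumes one handler instance per SASL session; sharing one across connections would mix identities between clients.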