Github user revans2 commented on a diff in the pull request:

    https://github.com/apache/storm/pull/448#discussion_r25613289
  
    --- Diff: storm-core/src/clj/backtype/storm/daemon/nimbus.clj ---
    @@ -778,9 +779,22 @@
     (defn check-authorization! 
       ([nimbus storm-name storm-conf operation context]
          (let [aclHandler (:authorization-handler nimbus)
    +           impersonation-authorizer (:impersonation-authorization-handler 
nimbus)
                ctx (or context (ReqContext/context))
                check-conf (if storm-conf storm-conf (if storm-name 
{TOPOLOGY-NAME storm-name}))]
            (log-message "[req " (.requestID ctx) "] Access from: " 
(.remoteAddress ctx) " principal:" (.principal ctx) " op:" operation)
    +
    +       (if (.isImpersonating ctx)
    +         (do
    +          (log-warn "principal: " (.realPrincipal ctx) " is trying to 
impersonate principal: " (.principal ctx))
    +          (if impersonation-authorizer
    +           (if-not (.permit impersonation-authorizer ctx operation 
check-conf)
    +             (throw (AuthorizationException. (str "principal " 
(.realPrincipal ctx) " is not authorized to impersonate
    +                        principal " (.principal ctx) " from host " 
(.remoteAddress ctx) " Please see SECURITY.MD to learn
    +                        how to configure impersonation acls."))))
    +           (log-warn "impersonation attempt but " 
NIMBUS-IMPERSONATION-AUTHORIZER " has no authorizer configured. potential
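Review bot: The `(if impersonation-authorizer ...)` form fails open: when no `:impersonation-authorization-handler` is configured, the else arm `(log-warn "impersonation attempt but " NIMBUS-IMPERSONATION-AUTHORIZER " has no authorizer configured. ...)` only logs and `check-authorization!` continues, so an impersonation request is treated like any other request rather than rejected. Since impersonation grants more than the caller's own principal would, consider throwing `AuthorizationException` in that arm (fail closed) unless a deployment has explicitly opted out, and state the chosen default in SECURITY.MD, which the error message already directs users to. Minor: the message passed to `AuthorizationException.` is built from string literals that span source lines (`" is not authorized to impersonate` / `principal "`), so the thrown message will carry embedded newlines and indentation; pass the fragments as separate `str` arguments on one logical line instead.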
    --- End diff --
    
    Do we want to fail open or fail closed in this case? For me, if someone 
tries to do impersonation and we have not configured anything for this, I would 
rather fail closed.

