[
https://issues.apache.org/jira/browse/STORM-615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14625864#comment-14625864
]
Arun Mahadevan commented on STORM-615:
--------------------------------------
Since the earlier approach of invoking an external shell command from the UI server
had security concerns, the code was reverted.
As an alternative, instead of the REST API invoking an external shell command, have
the API load the uploaded topology jar via a URLClassLoader and invoke the main
method containing the topology build/submit code using reflection.
For addressing the security issues of executing user-submitted code (as the UI
server process user),
(1) we could limit the permissions using Java security policy files
(https://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html)
similar to what is done by web containers for restricting what can be done by
servlets.
(2) recommend that the UI/server be started by a user not having superuser
privileges.
> Add REST API to upload topology
> -------------------------------
>
> Key: STORM-615
> URL: https://issues.apache.org/jira/browse/STORM-615
> Project: Apache Storm
> Issue Type: Bug
> Reporter: Sriharsha Chintalapani
> Assignee: Arun Mahadevan
> Fix For: 0.10.0
>
>
> Add REST api /api/v1/submitTopology to upload topology jars and config using
> REST api.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
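
A sketch of the approach proposed in the comment above, as an added example that is not Storm's code and not from the commenter: the uploaded jar is loaded with a URLClassLoader, its main method is invoked by reflection, and a Policy restricts only the classes that come from that jar. The class and method names, the permission allow-list and the Nimbus host:port parameter are assumptions; it assumes a Java 7/8 runtime as in the linked policy-file guide (the Security Manager is deprecated for removal since Java 17, JEP 411).

```java
import java.io.File;
import java.io.FilePermission;
import java.lang.reflect.Method;
import java.net.SocketPermission;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.*;
import java.util.PropertyPermission;

// Added example; class name, method names and the granted permissions are hypothetical.
public class SandboxedSubmit {

    // Server code keeps full rights; classes from the uploaded jar get a short allow-list.
    static final class UploadPolicy extends Policy {
        private final String jarUrl;
        private final Permissions jarPerms = new Permissions();

        UploadPolicy(URL jar, String confDir, String nimbusHostPort) {
            jarUrl = jar.toExternalForm();
            jarPerms.add(new FilePermission(confDir + File.separator + "-", "read"));
            jarPerms.add(new PropertyPermission("storm.*", "read"));
            jarPerms.add(new SocketPermission(nimbusHostPort, "connect,resolve"));
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission perm) {
            CodeSource cs = domain.getCodeSource();
            boolean uploaded = cs != null && cs.getLocation() != null
                    && jarUrl.equals(cs.getLocation().toExternalForm());
            // No exec, exitVM or file-write permission is on the list, so those checks fail.
            return !uploaded || jarPerms.implies(perm);
        }
    }

    static void runMain(File jar, String mainClass, String[] args,
                        String confDir, String nimbusHostPort) throws Exception {
        URL url = jar.toURI().toURL();
        Policy.setPolicy(new UploadPolicy(url, confDir, nimbusHostPort));
        if (System.getSecurityManager() == null) {
            System.setSecurityManager(new SecurityManager());
        }
        // Parent-first delegation: a class name already on the server classpath would
        // resolve there with full permissions, so the caller should reject such names.
        try (URLClassLoader cl = new URLClassLoader(new URL[] {url},
                SandboxedSubmit.class.getClassLoader())) {
            Method main = cl.loadClass(mainClass).getMethod("main", String[].class);
            main.invoke(null, (Object) args); // stack now includes the restricted domain
        }
    }
}
```

A denied operation inside the topology's main surfaces as an InvocationTargetException wrapping an AccessControlException, which the REST handler can report back to the caller.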