Github user revans2 commented on the pull request:
https://github.com/apache/storm/pull/692#issuecomment-145868091
@priyank5485 You are correct that the name-node needs to be configured to
explicitly allow super users and/or groups and optionally restrict those to
specific hosts. My issue is not with the code but with how it is intended to
be used which is why I am -0. I will not block this going in, but I will not
support it either. From the description of STORM-997
> In a non-secure environment, Storm HDFS component that provides
interaction with HDFS from storm currently does that as the user storm with
which the worker process had been started. We want to allow the component to
interact with hdfs as the user provided instead of user running the worker
process.
To me that sounds like I have an "guest" account on my computer that
everyone logs in to. Some of the users don't want to be "guest" so instead of
giving them all a separate login and password. I will grant "guest" sudo
privileges so they can become any user.
The issue is the chain of attach. If storm is "non-secure" anyone with
access to the nimbus thrift port can run arbitrary code on the storm cluster.
If you configure HDFS so the "storm" user can become anyone on HDFS anyone with
access to the nimbus thrift port now has complete access to all of HDFS. You
have effectively made HDFS as secure as your storm cluster which by definition
is "non-secure".
To really make this correct you either want to make storm secure (give each
user their own login and password to your computer, and have them stop using
"guest") or at a minimum severely restrict what the storm user can do on HDFS.
To do that I would think you could make AutoTGT work with an insecure storm
cluster. This would not be that hard, we just have to let it look someplace
else for the TGT, instead of relying on the StormClient section of the
jaas.conf. Or update AutoHDFS to work in insecure mode and have some
configuration to restrict which delegation tokens it will fetch for users of
this cluster. To be sure that works you have to be sure "nimbus" is a
different user from "storm", or at least HDFS will only allow super user access
from nimbus.
This is still not great because anyone with access to ZK could now steal
either the TGT or the delegation tokens, but you have only made some very
specific HDFS accounts "non-secure" instead of all of HDFS.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
