[
https://issues.apache.org/jira/browse/STORM-885?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15018688#comment-15018688
]
ASF GitHub Bot commented on STORM-885:
--------------------------------------
Github user d2r commented on a diff in the pull request:
https://github.com/apache/storm/pull/838#discussion_r45512326
--- Diff:
storm-core/src/jvm/backtype/storm/messaging/netty/KerberosSaslNettyServer.java
---
@@ -0,0 +1,223 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package backtype.storm.messaging.netty;
+
+import backtype.storm.Config;
+import backtype.storm.security.auth.AuthUtils;
+import backtype.storm.security.auth.KerberosPrincipalToLocal;
+import java.io.IOException;
+import java.security.Principal;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.TreeMap;
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.kerberos.KerberosTicket;
+import javax.security.auth.login.Configuration;
+import javax.security.auth.login.LoginException;
+import javax.security.sasl.AuthorizeCallback;
+import javax.security.sasl.Sasl;
+import javax.security.sasl.SaslException;
+import javax.security.sasl.SaslServer;
+import org.apache.zookeeper.Login;
+import org.apache.zookeeper.server.auth.KerberosName;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+
+class KerberosSaslNettyServer {
+
+ private static final Logger LOG = LoggerFactory
+ .getLogger(KerberosSaslNettyServer.class);
+
+ private SaslServer saslServer;
+ private Subject subject;
+ private String jaas_section;
+ private List<String> authorizedUsers;
+
+ KerberosSaslNettyServer(Map storm_conf, String jaas_section,
List<String> authorizedUsers) {
+ this.authorizedUsers = authorizedUsers;
+ LOG.debug("Getting Configuration.");
+ Configuration login_conf;
+ try {
+ login_conf = AuthUtils.GetConfiguration(storm_conf);
+ }
+ catch (Throwable t) {
+ LOG.error("Failed to get login_conf: ", t);
+ throw t;
+ }
+
+ LOG.debug("KerberosSaslNettyServer: authmethod {}",
SaslUtils.KERBEROS);
+
+ KerberosSaslCallbackHandler ch = new
KerberosSaslNettyServer.KerberosSaslCallbackHandler(storm_conf,
authorizedUsers);
+
+ //login our principal
+ subject = null;
+ try {
+ LOG.debug("Setting Configuration to login_config: {}",
login_conf);
+ //specify a configuration object to be used
+ Configuration.setConfiguration(login_conf);
+ //now login
+ LOG.debug("Trying to login.");
+ Login login = new Login(jaas_section, ch);
+ subject = login.getSubject();
+ LOG.debug("Got Subject: {}", subject.toString());
+ } catch (LoginException ex) {
+ LOG.error("Server failed to login in principal:", ex);
+ throw new RuntimeException(ex);
+ }
+
+ //check the credential of our principal
+ if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty())
{
+ LOG.error("Failed to verifyuser principal.");
+ throw new RuntimeException("Fail to verify user principal with
section \""
+ + jaas_section
+ + "\" in login configuration file "
+ + login_conf);
+ }
+
+ try {
+ LOG.info("Creating Kerberos Server.");
+ final CallbackHandler fch = ch;
+ Principal p = (Principal)subject.getPrincipals().toArray()[0];
+ KerberosName kName = new KerberosName(p.getName());
+ final String fHost = kName.getHostName();
+ final String fServiceName = kName.getServiceName();
+ LOG.debug("Server with host: {}", fHost);
+ saslServer =
+ Subject.doAs(subject, new
PrivilegedExceptionAction<SaslServer>() {
+ public SaslServer run() {
+ try {
+ Map<String, String> props = new
TreeMap<String,String>();
+ props.put(Sasl.QOP, "auth");
+ props.put(Sasl.SERVER_AUTH, "false");
+ return
Sasl.createSaslServer(SaslUtils.KERBEROS,
+ fServiceName,
+ fHost, props,
fch);
+ }
+ catch (Exception e) {
+ LOG.error("Subject failed to create sasl
server.", e);
+ return null;
+ }
+ }
+ });
+ LOG.info("Got Server: {}", saslServer);
+
+ } catch (PrivilegedActionException e) {
+ LOG.error("KerberosSaslNettyServer: Could not create
SaslServer: ", e);
+ throw new RuntimeException(e);
+ }
+ }
+
+ public boolean isComplete() {
+ return saslServer.isComplete();
+ }
+
+ public String getUserName() {
+ return saslServer.getAuthorizationID();
+ }
+
+ private String getPrincipal(Subject subject) {
+ Set<Principal> principals =
(Set<Principal>)subject.getPrincipals();
+ if (principals==null || principals.size()<1) {
+ LOG.info("No principal found in login subject");
+ return null;
+ }
+ return ((Principal)(principals.toArray()[0])).getName();
+ }
+
+ /** CallbackHandler for SASL DIGEST-MD5 mechanism */
+ public static class KerberosSaslCallbackHandler implements
CallbackHandler {
+
+ /** Used to authenticate the clients */
+ private Map config;
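Review bot: A failure in `Sasl.createSaslServer` is swallowed inside `run()` — the `catch (Exception e)` logs and returns `null` — so `Subject.doAs` never throws, the outer `catch (PrivilegedActionException e)` is unreachable for that case, and the constructor completes with `saslServer == null`; the first `isComplete()` or `getUserName()` call then fails with an NPE far from the cause, with `Got Server: null` as the only hint. Rethrow instead, e.g. `throw new RuntimeException("Failed to create SASL server", e);` in that catch, or guard after `doAs` with `if (saslServer == null) throw new IllegalStateException("SASL server not created");`. Separately, `props.put(Sasl.QOP, "auth")` negotiates authentication only, so unless the surrounding Netty transport adds its own protection (not visible here) messages after the handshake carry no SASL integrity or confidentiality protection; if that is deliberate, say so at that line, e.g. `// QOP "auth": authenticate only; frames are not wrapped/sealed by SASL after the handshake`. The Javadoc `/** CallbackHandler for SASL DIGEST-MD5 mechanism */` on `KerberosSaslCallbackHandler` appears copied from the digest handler and should name GSSAPI/Kerberos instead. The class body continues past the end of this hunk.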
--- End diff --
unused?
> Heartbeat Server (Pacemaker)
> ----------------------------
>
> Key: STORM-885
> URL: https://issues.apache.org/jira/browse/STORM-885
> Project: Apache Storm
> Issue Type: Improvement
> Components: storm-core
> Reporter: Robert Joseph Evans
> Assignee: Kyle Nusbaum
>
> Large highly connected topologies and large clusters write a lot of data into
> ZooKeeper. The heartbeats, that make up the majority of this data, do not
> need to be persisted to disk. Pacemaker is intended to be a secure
> replacement for storing the heartbeats without changing anything within the
> heartbeats. In the future as more metrics are added in, we may want to look
> into switching it over to look more like Heron, where a metrics server is
> running for each node/topology. It could then be used to aggregate/pre-aggregate
> them in a more scalable manner.