[ https://issues.apache.org/jira/browse/STORM-349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15112591#comment-15112591 ]

ASF GitHub Bot commented on STORM-349:
--------------------------------------

Github user d2r commented on a diff in the pull request:

    https://github.com/apache/storm/pull/215#discussion_r50554555
  
    --- Diff: storm-core/src/clj/backtype/storm/ui/core.clj ---
    @@ -47,33 +52,19 @@
          [~nimbus-sym (*STORM-CONF* NIMBUS-HOST) (*STORM-CONF* 
NIMBUS-THRIFT-PORT)]
          ~@body))
     
    -(defn authorized-ui-user?
    -  [user conf topology-conf]
    -  (let [ui-users (concat (conf UI-USERS)
    -                         (conf NIMBUS-ADMINS)
    -                         (topology-conf UI-USERS)
    -                         (topology-conf TOPOLOGY-USERS))]
    -    (or (blank? (conf UI-FILTER))
    -        (and (not (blank? user))
    -          (some #(= % user) ui-users)))))
    -
    -(defn assert-authorized-ui-user
    -  [user conf topology-conf]
    -  (if (not (authorized-ui-user? user conf topology-conf))
    -    ;;TODO need a better exception here so the UI can appear better
    -    (throw (RuntimeException. (str "User " user " is not authorized.")))))
    -
    -(defn- ui-actions-enabled?
    -  []
    -  (= "true" (lower-case (*STORM-CONF* UI-ACTIONS-ENABLED))))
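Review bot: Deleting `assert-authorized-ui-user` and `ui-actions-enabled?` leaves no authorization gate visible in this hunk for the action endpoints that used to call them; confirm that every action handler (kill, rebalance, and the rest) now goes through the new IAuthorizer-based check so none of them is reachable with no check at all. Two details of the removed code should carry over deliberately rather than silently: `authorized-ui-user?` permitted everything when `UI-FILTER` was blank, so the replacement should spell out what happens when no filter or authorizer is configured, and the `;;TODO need a better exception here` note should survive, since a bare `RuntimeException` still gives the UI nothing useful to render on an authorization failure.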
    --- End diff --
    
    Agreed, good find.


> (Security) ui actions should have nimbus like authorization
> -----------------------------------------------------------
>
>                 Key: STORM-349
>                 URL: https://issues.apache.org/jira/browse/STORM-349
>             Project: Apache Storm
>          Issue Type: Bug
>          Components: storm-core
>            Reporter: Robert Joseph Evans
>            Assignee: Sriharsha Chintalapani
>              Labels: security
>             Fix For: 0.10.0
>
>
> The UI provides APIs to kill, rebalance, ... a topology.  For security we 
> originally took the route to optionally disable these, but ideally the UI 
> server would load an IAuthorizer instance like nimbus, and check if the user 
> is allowed to perform that operation before doing it on behalf of the user.
> This should be fairly straightforward but may require some glue code like what is 
> being used in the drpc server for its web interface.
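The glue the description asks for, as an added sketch that is not code from the STORM-349 pull request or from Storm itself: the UI loads an IAuthorizer the way nimbus does and consults it before an action is forwarded to nimbus. It assumes a hypothetical "ui.authorizer" config key falling back to NIMBUS-AUTHORIZER, that the UI already knows the authenticated user name, and that a missing authorizer should fail closed.

```clojure
;; Added example (not from the STORM-349 PR or the Storm code base).
;; Assumptions: the "ui.authorizer" key is hypothetical; the UI filter has
;; already authenticated `user`; a nil authorizer is treated as fail-closed.
(ns backtype.storm.ui.authz-example
  (:use [backtype.storm config])
  (:import [javax.security.auth Subject]
           [backtype.storm.security.auth IAuthorizer ReqContext SingleUserPrincipal]
           [backtype.storm.generated AuthorizationException]))

(defn mk-ui-authorizer
  "Instantiate and prepare the IAuthorizer class named in conf, or return nil
   when none is configured."
  [conf]
  (when-let [klass (or (conf "ui.authorizer") (conf NIMBUS-AUTHORIZER))]
    (let [^IAuthorizer authorizer (.newInstance (Class/forName klass))]
      (.prepare authorizer conf)
      authorizer)))

(defn check-ui-authorization!
  "Throw AuthorizationException unless the authorizer permits `operation`
   (a nimbus operation name such as \"killTopology\") for `user`."
  [^IAuthorizer authorizer user operation topology-conf]
  (when (nil? authorizer)
    ;; Fail closed: UI actions are never performed without a policy decision.
    (throw (AuthorizationException. "UI actions require an authorizer")))
  (let [subject (Subject.)
        ctx (ReqContext/context)]
    ;; ReqContext is thread-local; give the authorizer the same request-context
    ;; shape nimbus hands it, carrying the UI-authenticated principal.
    (.add (.getPrincipals subject) (SingleUserPrincipal. user))
    (.setSubject ctx subject)
    (when-not (.permit authorizer ctx operation topology-conf)
      (throw (AuthorizationException.
               (str "User " user " is not authorized to " operation))))))

(comment
  ;; Inside a UI action handler, before the call to nimbus:
  (let [authorizer (mk-ui-authorizer *STORM-CONF*)]
    (check-ui-authorization! authorizer user "killTopology" topology-conf)
    (.killTopology nimbus name)))
```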



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
