[
https://issues.apache.org/jira/browse/STORM-1096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15368476#comment-15368476
]
Sriharsha Chintalapani commented on STORM-1096:
-----------------------------------------------
[~revans2] Thanks for the reply.
so in your above example for the config .Current implementation does't work
like that.
Example:
Lets I say Kinit with storm user and deployed word count topology.
now I am making call to storm ui to get topology details
{code}
http://ui-daemon-host-name:8080/api/v1/topology/wordcount-1-1425844354\?doAsUser=testUSer1
{code}
In this case we need to have the following ACL in place for it to work
{code}
nimbus.impersonation.acl:
storm: // super user
users: [*]
hosts: [*]
{code}
We are checking in ImpersonationAuthorizer if the ctx.realPrincipal() is in the
nimbus.impersonation.acl list. So lets say if I kinitted as another user
"topology-user1" . Than this user needs to be added to the list. Basically we
need all the topology users to be in the list here. Otherwise the
realPrincipal() ( where the topology owner's principal will be) won't be found
in the ACLs
What I was asking exactly what you showed in the example above. Instead of
listing the users in the ACL we should've proxy-user there and it should've
list of users, hosts, groups who can impersonate that user.
It doesn't throw any issues in uploading the topology. Only issues is getting
the information about topology using REST Apis. If you pass doAs even if we
have the nimbus.impersonation.acl set and it passes through that authorizer it
will get authorization exception through simpleACLAuthorizer because actual
user(storm) is in ctx.realPrincipal and ctx.principal() contains
ambari-server-storm and this user doesn't have permissions on the topology.
Either we make this principal a super user than we might be getting into
another issue where one user can see other users topology information if they
both are in impersonation acl or we should modify the simpleACLAuthorizer to
check the realPrincipal and if happens to be a owner of the topology.
I've a patch ready I'll post one in another JIRA. That probably makes it easier
to discuss what I am suggesting.
> UI tries to impersonate wrong user when getting topology conf for
> authorization, impersonation is allowed by default
> --------------------------------------------------------------------------------------------------------------------
>
> Key: STORM-1096
> URL: https://issues.apache.org/jira/browse/STORM-1096
> Project: Apache Storm
> Issue Type: Bug
> Components: storm-core
> Affects Versions: 0.10.0
> Reporter: Robert Joseph Evans
> Assignee: Robert Joseph Evans
> Priority: Blocker
> Fix For: 0.10.0
>
>
> We have started using 0.10.0 under load and found a few issues around the UI
> and impersonation.
> The UI when trying to connect to nimbus will impersonate other users.
> Nimbus, by default allows impersonation and just outputs a warning message
> that it is allowed. We really should default to not allowing impersonation.
> having the authorizer configured by default does not hurt when running
> insecure because impersonation is not possible, but when security is enabled
> if someone forgets to set this config we are now insecure by default.
> If you do set all of that up correctly the UI now can impersonate the wrong
> user when connecting to nimbus.
> The UI decides which user to impersonate by pulling it from the request
> context. The requestContext is populated from the HttpRequest when
> assert-authorized-user is called. assert-authorized-user takes a
> topology-conf as a parameter. The only way to get this topology conf is to
> talk to nimbus, which will get the wrong user because the request context has
> not been populated yet.
> This just because a huge pain for users who way too often will not be able to
> see pages on the UI.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
