[GitHub] storm pull request #2240: [STORM-2657] Update SECURITY.MD

[revans2]

Github user revans2 commented on a diff in the pull request:

    https://github.com/apache/storm/pull/2240#discussion_r130439781
  
    --- Diff: docs/SECURITY.md ---
    @@ -478,6 +478,35 @@ nimbus.groups:
      
     
     ### DRPC
    -Hopefully more on this soon
    + 
    + Storm provides the Access Control List for the DRPC Authorizer.Users can 
see org.apache.storm.security.auth.authorizer.DRPCSimpleACLAuthorizer for more 
details.
    + 
    + There are several DRPC ACL related configurations.
    + 
    + | YAML Setting | Description |
    + |------------|----------------------|
    + | drpc.authorizer.acl | The class for DRPC ACL. |
    + | drpc.authorizer.acl.filename | File name of the DRPC Authorizer ACL.It 
should be set to "drpc-auth-acl.yaml",users can see drpc-auth-acl.yaml.example 
for more details. |
    + | drpc.authorizer.acl.strict| Whether the DRPCSimpleAclAuthorizer should 
deny requests for operations involving functions that have no explicit ACL 
entry. |
    --- End diff --
    
    This is kind of confusing, and that is because the config is kind of 
confusing.  Some configs go in the main storm.yaml
    
    | YAML Setting | Description |
    |------------|----------------------|
    | drpc.authorizer | A class that will perform authorization for DRPC 
operations.  Set this to 
`org.apache.storm.security.auth.authorizer.DRPCSimpleACLAuthorizer` when using 
security. |
    | drpc.authorizer.acl.strict | Whether the DRPCSimpleAclAuthorizer should 
deny requests for operations involving functions that have no explicit ACL 
entry. It is useful to set this to false for staging where users may want to 
experiment, but true for production where you want users to be secure. Defaults 
to false. |
    | drpc.authorizer.acl.filename | This is the name of a file that the ACLs 
will be loaded from.  It is separate from storm.yaml to allow the file to be 
updated without bringing down a DRPC server. Defaults to drpc-auth-acl.yaml |
    
    The file pointed to by `drpc.authorizer.acl.filename` will have only one 
config in it `drpc.authorizer.acl` this should be of the form 
    
    ```yaml
    drpc.authorizer.acl:
      "functionName1":
        "client.users":
          - "alice"
          - "bob"
        "invocation.user": "bob"
    ```
    
    In this the users `bob` and `alice` as `client.users` are allowed to run 
DRPC requests against functionName1, but only `bob` as the `invocation.user` is 
allowed to run the topology that actually processes those requests. 


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---