have any kind of ACLs that can be set in Nimbus for a specific
users/groups?
For ACLs, I found the information from SimpleACLAuthorizer.java and
am working on it.
Currently, anyone in the trust domain (e.g., who has a valid Kerberos TGT) can
launch a topology.
There are several configs that manage who can do what groups of actions.
logs.users (storm.yaml): list of users who can view logs in the logviewer
logs.users (topo conf): appends to above
ui.users (storm.yaml): list of users who can drill down on a topology in the
  ui (anyone can view the cluster page)
ui.users (topo conf): appends just like logs.users
nimbus.supervisor.users (storm.yaml): list of users that can download from
  nimbus; usually this is set to the cluster admin, but could be different
nimbus.admins (storm.yaml): list of users who have all permissions
topology.users (topo conf): list of users who manipulate the topo + (includes
  ui and logs privileges); this appends to nimbus admins and to whomever
  submitted the topology. This one is very useful since most of our customers
  run "headless" accounts to launch topologies, but have a team that needs
  access.
A lot of these cases should be demonstrated in auth_test.clj.
users/groups?
Groups are not currently supported, but we would like to have group support in
the future. It can be a pain to add individual users to a config.
You could also provide your own IAuthorizer and configure storm to use that
instead.
--
Derek
On 7/15/14, 11:52, Raghavendra Nandagopal wrote:
Harsha,
Thanks, I will open JIRA for the issue.
For ACLs, I found the information from SimpleACLAuthorizer.java and
am working on it.
Thanks,
Raghavendra Nandagopal
On Tue, Jul 15, 2014 at 8:39 AM, Harsha <[email protected]> wrote:
Raghav,
EXEC_CONF_DIR is an issue as we have to manually pass it while building.
I think it should be part of storm.yaml and passed to worker-launcher as
an argument.
-Harsha
On Mon, Jul 14, 2014, at 11:20 AM, Raghavendra Nandagopal wrote:
Hi Bobby,
I have a couple of questions on Storm security configurations.
1) For providing the path to the file "worker-launcher.cfg", I modified the
file worker-launcher.c and added the below line.
EXEC_CONF_DIR = /etc
Do we need to do this manually for setting storm security or is it done
through any configuration parameter?
2) We have a set of users who will be authenticated through Kerberos and
obtain the TGT. Although the user obtained the TGT, the user should not be
authorized to submit/manage the topologies within the storm cluster. Do we
have any kind of ACLs that can be set in Nimbus for a specific
users/groups?
Thanks,
Raghavendra Nandagopal
On Wed, Jul 9, 2014 at 8:42 AM, Bobby Evans <[email protected]> wrote:
Great to hear, if you do have any more issues please feel free to reach out
and I will do my best to answer them.
- Bobby
On 7/9/14, 6:03 AM, "Raghavendra Nandagopal" <[email protected]> wrote:
Please ignore the above issue. I have resolved the issues with the storm
security setup. It is working fine.
Thanks,
Raghav
On Tue, Jul 8, 2014 at 8:53 PM, Raghavendra Nandagopal <[email protected]> wrote:
Hi,
I am trying to set up storm security branch code. All the services
(zookeeper, nimbus, supervisor, ui) are getting authenticated from
Kerberos. I did get into some issues with "worker-launcher" executable
with permissions and set the binary permission to *4470*. Once the
permissions were set it didn't add any issues with the worker-launcher
permissions.
I am facing a new problem while submitting a topology, below is the
exception that is occurring in nimbus. The nimbus is getting halted. The
exception is thrown by zookeeper but couldn't figure out any trace of it.
Please let me know if you have come across the problem and any
configurations that need to be taken care in Storm security branch.
*java.lang.RuntimeException:
org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for
/workerbeats/exclamation-topology-1-1404876382/db219ca4-da85-4c68-87c0-84734c9e89da-6703*
Thanks,
Raghav
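
The append rules for the ACL configs listed in Derek's reply at the top of this thread, as an added example that is not part of the thread and is not Storm's SimpleACLAuthorizer code. It is a small model of those rules as stated there; the user names, the action names ("submit", "manipulate", "ui", "logs", "download") and the helper functions are assumptions made for illustration.

```python
# Model of the rules as stated in the reply; not Storm's SimpleACLAuthorizer.
# Every user name below is constructed for the example.
STORM_YAML = {
    "nimbus.admins": ["stormadmin"],
    "nimbus.supervisor.users": ["supervisor"],
    "ui.users": ["oncall"],
    "logs.users": ["oncall"],
}
TOPO_CONF = {
    "topology.users": ["alice", "bob"],
    "ui.users": ["dashboards"],
    "logs.users": [],
}
SUBMITTER = "svc-headless"  # the "headless" account that launched the topology


def allowed_users(action, storm_yaml, topo_conf, submitter):
    """Users allowed to do `action` ("manipulate", "ui", "logs", "download")."""
    admins = set(storm_yaml.get("nimbus.admins", []))  # all permissions
    if action == "download":
        return admins | set(storm_yaml.get("nimbus.supervisor.users", []))
    # topology.users appends to nimbus.admins and to the submitter
    owners = admins | {submitter} | set(topo_conf.get("topology.users", []))
    if action == "manipulate":
        return owners
    if action in ("ui", "logs"):
        key = action + ".users"
        # the topo conf list appends to the storm.yaml list; owners included
        return owners | set(storm_yaml.get(key, [])) | set(topo_conf.get(key, []))
    raise ValueError("unknown action: %r" % (action,))


def is_allowed(user, action):
    if action == "submit":
        # per the reply: anyone in the trust domain (valid TGT) can launch
        return True
    return user in allowed_users(action, STORM_YAML, TOPO_CONF, SUBMITTER)


if __name__ == "__main__":
    for user in ("stormadmin", "svc-headless", "alice", "oncall", "mallory"):
        row = {a: is_allowed(user, a)
               for a in ("submit", "manipulate", "ui", "logs", "download")}
        print(user, row)
```

In this model "mallory" holds no entry in any list yet is still allowed to submit, which is the gap the second question in the thread asks about.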