Derek,
for group support I've a patch available.
https://issues.apache.org/jira/browse/STORM-347.
I would like to get a review on that.
Thanks,
Harsha
On Tue, Jul 15, 2014, at 10:26 AM, Derek Dagit wrote:
> >>> have any kind of ACLs that can be set in Nimbus for a specific
> >>> users/groups?
>
> > For ACLs, I found the information from SimpleACLAuthorizer.java and
> > working on it.
>
> Currently, anyone in the trust domain (e.g., who has a valid Kerberos
> TGT) can launch a topology.
>
>
> There are several configs that manage who can do what groups of actions.
>
> logs.users(storm.yaml) : list of users who can view logs in the logviewer
> logs.users(topo conf) : appends to above
>
> ui.users(storm.yaml): list of users who can drill down on a topology in
> the ui (anyone can view the cluster page)
> ui.users(topo conf): appends just like logs.users
>
> nimbus.supervisor.users(storm.yaml): list of users that can download from
> nimbus, usually this is set to the cluster admin, but could be different
>
> nimbus.admins(storm.yaml): list of users who have all permissions
>
> topology.users(topo conf): list of users who manipulate the topo +
> (includes ui and logs privileges); this appends to nimbus admins and to
> whomever submitted the topology. This one is very useful since most of
> our customers run "headless" accounts to launch topologies, but have a
> team that needs access.
>
> A lot of these cases should be demonstrated in auth_test.clj.
>
>
>
> >>> users/groups?
>
> Groups are not currently supported, but we would like to have group
> support in the future. It can be a pain to add individual users to a
> config.
>
>
> You could also provide your own IAuthorizer and configure storm to use
> that instead.
> --
> Derek
>
> On 7/15/14, 11:52, Raghavendra Nandagopal wrote:
> > Harsha,
> > Thanks, I will open JIRA for the issue.
> >
> > > For ACLs, I found the information from SimpleACLAuthorizer.java and
> > > working on it.
> >
> > Thanks,
> > Raghavendra Nandagopal
> >
> >
> > On Tue, Jul 15, 2014 at 8:39 AM, Harsha <[email protected]> wrote:
> >
> >> Raghav,
> >> EXEC_CONF_DIR is an issue as we have to manually pass it while
> >> building.
> >> I think it should be part of storm.yaml and passed to worker-launcher as
> >> an argument.
> >> -Harsha
> >>
> >> On Mon, Jul 14, 2014, at 11:20 AM, Raghavendra Nandagopal wrote:
> >>> Hi Bobby,
> >>> I have a couple of questions on Storm security configurations.
> >>>
> >>> 1) For providing the path to the file "worker-launcher.cfg", I modified the
> >>> file worker-launcher.c and added the below line.
> >>>
> >>> EXEC_CONF_DIR = /etc
> >>>
> >>> Do we need to do this manually for setting storm security or is it done
> >>> through any configuration parameter?
> >>>
> >>> 2) We have a set of users who will be authenticated through Kerberos and
> >>> obtain the TGT. Although the user obtained the TGT, the user should not be
> >>> authorized to submit/manage the topologies within the storm cluster. Do we
> >>> have any kind of ACLs that can be set in Nimbus for a specific
> >>> users/groups?
> >>>
> >>> Thanks,
> >>>
> >>> Raghavendra Nandagopal
> >>>
> >>>
> >>>
> >>> On Wed, Jul 9, 2014 at 8:42 AM, Bobby Evans <[email protected]> wrote:
> >>>
> >>>> Great to hear, if you do have any more issues please feel free to reach out
> >>>> and I will do my best to answer them.
> >>>>
> >>>> - Bobby
> >>>>
> >>>> On 7/9/14, 6:03 AM, "Raghavendra Nandagopal" <[email protected]>
> >>>> wrote:
> >>>>
> >>>>> Please ignore the above issue. I have resolved the issues with the storm
> >>>>> security setup. It is working fine.
> >>>>>
> >>>>> Thanks,
> >>>>> Raghav
> >>>>>
> >>>>>
> >>>>> On Tue, Jul 8, 2014 at 8:53 PM, Raghavendra Nandagopal <
> >>>>> [email protected]> wrote:
> >>>>>
> >>>>>> Hi,
> >>>>>> I am trying to set up storm security branch code. All the services
> >>>>>> (zookeeper, nimbus, supervisor, ui) are getting authenticated from
> >>>>>> Kerberos. I did get into some issues with "worker-launcher" executable
> >>>>>> with permissions and set the binary permission to *4470*. Once the
> >>>>>> permissions were set it didn't add any issues with the worker-launcher
> >>>>>> permissions.
> >>>>>>
> >>>>>> I am facing a new problem while submitting a topology, below is the
> >>>>>> exception that is occurring in nimbus. The nimbus is getting halted. The
> >>>>>> exception is thrown by zookeeper but couldn't figure out any trace of it.
> >>>>>> Please let me know if you have come across the problem and any
> >>>>>> configurations that need to be taken care in Storm security branch.
> >>>>>>
> >>>>>> *java.lang.RuntimeException:
> >>>>>> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> >>>>>> NoAuth for
> >>>>>> /workerbeats/exclamation-topology-1-1404876382/db219ca4-da85-4c68-87c0-84734c9e89da-6703*
> >>>>>>
> >>>>>> Thanks,
> >>>>>>
> >>>>>> Raghav
> >>>>>>
> >>>>
> >>>>
> >>
> >
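
The ACL layering Derek describes above, modelled as an added example that is not part of the original thread and is not Storm's SimpleACLAuthorizer code. The config keys are the ones named in the thread; the action-group names, helper functions and sample users are assumptions made for this sketch.

```python
# Added illustration: models the ACL layering described in the thread.
# Not Storm's SimpleACLAuthorizer; action names are hypothetical labels.

def users(conf, key):
    """Config entry as a set; a missing or empty key grants nobody."""
    return set(conf.get(key) or [])

def effective_acl(storm_yaml, topo_conf, submitter):
    """Per action group, the users allowed for one topology."""
    admins = users(storm_yaml, "nimbus.admins")
    # topology.users appends to nimbus.admins and to the submitter.
    topo_users = users(topo_conf, "topology.users") | admins | {submitter}
    return {
        # storm.yaml list, appended to by the topology conf; topology
        # users also carry the logs and ui privileges.
        "view_logs": users(storm_yaml, "logs.users")
        | users(topo_conf, "logs.users") | topo_users,
        "ui_drilldown": users(storm_yaml, "ui.users")
        | users(topo_conf, "ui.users") | topo_users,
        "manage_topology": topo_users,
        # Set in storm.yaml only; admins have all permissions.
        "download_from_nimbus":
            users(storm_yaml, "nimbus.supervisor.users") | admins,
    }

def is_allowed(user, action, acl):
    return user in acl.get(action, set())

def unexpected_grants(acl, baseline):
    """(action, user) pairs granted beyond a reviewed baseline."""
    return sorted((a, u) for a, allowed in acl.items()
                  for u in allowed - baseline.get(a, set()))

# Constructed sample configs (all user names are made up).
STORM_YAML = {
    "nimbus.admins": ["stormadmin"],
    "nimbus.supervisor.users": ["supervisor"],
    "logs.users": ["oncall"],
    "ui.users": ["oncall"],
}
TOPO_CONF = {"topology.users": ["alice", "bob"], "logs.users": ["auditor"]}

if __name__ == "__main__":
    acl = effective_acl(STORM_YAML, TOPO_CONF, submitter="svc-headless")
    for action, allowed in acl.items():
        print(f"{action}: {sorted(allowed)}")
    # A user with only a valid TGT is in none of the lists.
    print(is_allowed("mallory", "manage_topology", acl))
```

Because the topology conf appends to the cluster-wide lists, comparing the computed sets against a reviewed baseline with `unexpected_grants` shows which access a submitted topology adds on top of storm.yaml.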