Yes, that is why I picked a default of /etc/storm. It tends to be a fairly standard place for most POSIX distributions. Switching it to /etc/ would be fine too. For Hadoop they came to a compromise on hardcoding the path, and they have a default config of ../etc/hadoop so that the config file is in a hard coded location relative to the location of the binary. I am not sure if the code I grabbed was new enough to support that. It would be worth a try though.
- Bobby

On 7/17/14, 11:19 AM, "Harsha" <[email protected]> wrote:

>Bobby,
>    How do we handle this as part of a release? If we release
>    binaries for worker-launcher we expect the worker-launcher.cfg to
>    exist in a set location?
>Thanks,
>Harsha
>
>On Thu, Jul 17, 2014, at 08:44 AM, Bobby Evans wrote:
>> mvn -Pnative -Dworker-launcher.conf.dir=${EXEC_CONF_DIR}
>>
>> Will build it with whatever directory you set. It defaults to /etc/storm
>> but that can be modified in storm-core/pom.xml. If /etc would be better in
>> general we can file a JIRA for that change.
>>
>> I took the core of the code from Hadoop so there is definitely room for
>> improvement in better integrating it with storm. I think it should be OK
>> to let the location of the config be set by storm.yaml. There was
>> discussion about a similar feature in Hadoop, the biggest issue here is
>> that if the path is not hardcoded an attacker could pick any root owned
>> file to use. To exploit this a compatible file with more lax or incorrect
>> group settings would have to exist on the box and be owned by root and not
>> be group or world writable. This seems fairly secure, but in the case of
>> NFS you could compromise one box, set up the config on an NFS server as root
>> and then use that to compromise other systems. This is why NFS mounting
>> has options for disabling setuid/setgid support on files.
>>
>> I know it is a bit far fetched, but so much of security ends up being that
>> way.
>>
>> - Bobby
>>
>> On 7/15/14, 10:39 AM, "Harsha" <[email protected]> wrote:
>>
>> >Raghav,
>> >    EXEC_CONF_DIR is an issue as we have to manually pass it while
>> >    building.
>> >I think it should be part of storm.yaml and passed to worker-launcher as
>> >an argument.
>> >-Harsha
>> >
>> >On Mon, Jul 14, 2014, at 11:20 AM, Raghavendra Nandagopal wrote:
>> >> Hi Bobby,
>> >>    I have a couple of questions on Storm security configurations.
>> >>
>> >> 1) For providing the path to the file "worker-launcher.cfg", I modified
>> >> the file worker-launcher.c and added the below line.
>> >>
>> >> EXEC_CONF_DIR = /etc
>> >>
>> >> Do we need to do this manually for setting storm security or is it done
>> >> through any configuration parameter?
>> >>
>> >> 2) We have a set of users who will be authenticated through Kerberos and
>> >> obtain the TGT. Although the user obtained the TGT, the user should not
>> >> be authorized to submit/manage the topologies within the storm cluster.
>> >> Do we have any kind of ACLs that can be set in Nimbus for a specific
>> >> users/groups?
>> >>
>> >> Thanks,
>> >>
>> >> Raghavendra Nandagopal
>> >>
>> >>
>> >> On Wed, Jul 9, 2014 at 8:42 AM, Bobby Evans <[email protected]>
>> >> wrote:
>> >>
>> >> > Great to hear, if you do have any more issues please feel free to
>> >> > reach out and I will do my best to answer them.
>> >> >
>> >> > - Bobby
>> >> >
>> >> > On 7/9/14, 6:03 AM, "Raghavendra Nandagopal" <[email protected]>
>> >> > wrote:
>> >> >
>> >> > >Please ignore the above issue. I have resolved the issues with the
>> >> > >storm security setup. It is working fine.
>> >> > >
>> >> > >Thanks,
>> >> > >Raghav
>> >> > >
>> >> > >
>> >> > >On Tue, Jul 8, 2014 at 8:53 PM, Raghavendra Nandagopal <
>> >> > >[email protected]> wrote:
>> >> > >
>> >> > >> Hi,
>> >> > >>    I am trying to set up storm security branch code. All the
>> >> > >> services (zookeeper, nimbus, supervisor, ui) are getting
>> >> > >> authenticated from Kerberos. I did get into some issues with
>> >> > >> "worker-launcher" executable with permissions and set the binary
>> >> > >> permission to *4470*. Once the permissions were set it didn't add
>> >> > >> any issues with the worker-launcher permissions.
>> >> > >>
>> >> > >> I am facing a new problem while submitting a topology, below is the
>> >> > >> exception that is occurring in nimbus. The nimbus is getting halted.
>> >> > >> The exception is thrown by zookeeper but couldn't figure out any
>> >> > >> trace of it.
>> >> > >> Please let me know if you have come across the problem and any
>> >> > >> configurations that needs to be taken care in Storm security branch.
>> >> > >>
>> >> > >> *java.lang.RuntimeException:
>> >> > >> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
>> >> > >> NoAuth for
>> >> > >> /workerbeats/exclamation-topology-1-1404876382/db219ca4-da85-4c68-87c0-84734c9e89da-6703*
>> >> > >>
>> >> > >> Thanks,
>> >> > >>
>> >> > >> Raghav
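
The check discussed in this thread (a config file at a compiled-in path, owned by root and not group or world writable), sketched in C as an added example. It is not code from Storm's worker-launcher or from Hadoop; the function name, the status codes and the owner parameter are assumptions made for illustration.

```c
/* Added example: validate a setuid launcher's config file before use. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum cfg_status { CFG_OK = 0, CFG_OPEN_FAILED, CFG_NOT_REGULAR,
                  CFG_BAD_OWNER, CFG_WRITABLE_BY_OTHERS };

/* Hypothetical helper. 'owner' is 0 (root) in a real launcher; it is a
 * parameter so the check can be exercised without root privileges.
 * On CFG_OK, *fd_out is the descriptor the caller should read from. */
enum cfg_status open_trusted_config(const char *path, uid_t owner, int *fd_out)
{
    struct stat st;
    enum cfg_status rc = CFG_OK;
    /* O_NOFOLLOW refuses a symlink as the final component; O_NONBLOCK
     * keeps open() from hanging if the path is a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return CFG_OPEN_FAILED;
    /* fstat() the descriptor that will be read, so the file checked and
     * the file parsed are the same object. */
    if (fstat(fd, &st) != 0)
        rc = CFG_OPEN_FAILED;
    else if (!S_ISREG(st.st_mode))
        rc = CFG_NOT_REGULAR;
    else if (st.st_uid != owner)
        rc = CFG_BAD_OWNER;
    else if (st.st_mode & (S_IWGRP | S_IWOTH))
        rc = CFG_WRITABLE_BY_OTHERS;
    if (rc != CFG_OK)
        close(fd);
    else
        *fd_out = fd;
    return rc;
}

int main(void)
{
    /* The path is fixed at build time (the thread's default directory),
     * never taken from arguments or the invoking user's environment. */
    const char *path = "/etc/storm/worker-launcher.cfg";
    int fd = -1;
    enum cfg_status s = open_trusted_config(path, 0, &fd);
    printf("%s: status %d\n", path, (int)s);
    if (s == CFG_OK)
        close(fd);
    return s == CFG_OK ? 0 : 1;
}
```

The check covers only the file itself; a parent directory writable by another user would still let the file be replaced.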
