[
https://issues.apache.org/jira/browse/STORM-348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14071100#comment-14071100
]
Raghavendra Nandagopal commented on STORM-348:
----------------------------------------------
The log below shows the authentication between the client and server worker processes.
{code}
2014-07-22 16:00:02 b.s.m.n.SaslStormServerHandler [DEBUG] SASL credentials is the storm user name: [email protected]
2014-07-22 16:00:03 b.s.m.n.SaslStormServerHandler [DEBUG] messageReceived: Got class backtype.storm.messaging.netty.ControlMessage
2014-07-22 16:00:03 b.s.m.n.SaslStormServerHandler [DEBUG] No saslNettyServer for [id: 0x1b237a4c, /127.0.0.1:50718 => /127.0.0.1:6700] yet; creating now, with topology token:
2014-07-22 16:00:03 b.s.m.n.SaslNettyServer [DEBUG] SaslNettyServer: Topology token is: [email protected] with authmethod DIGEST-MD5
2014-07-22 16:00:03 b.s.m.n.SaslNettyServer [DEBUG] SaslDigestCallback: Creating SaslDigestCallback handler with topology token: [email protected]
2014-07-22 16:00:03 b.s.m.n.SaslStormServerHandler [DEBUG] processToken: With nettyServer: backtype.storm.messaging.netty.SaslNettyServer@30926bd7 and token length: 20
2014-07-22 16:00:03 b.s.m.n.SaslStormClientHandler [DEBUG] send/recv time (ms): 507
2014-07-22 16:00:03 b.s.m.n.SaslStormClientHandler [DEBUG] Responding to server's token of length: 97
2014-07-22 16:00:03 b.s.m.n.SaslNettyServer [DEBUG] response: Responding to input token of length: 0
2014-07-22 16:00:03 b.s.m.n.SaslNettyServer [DEBUG] response: Response token length: 97
2014-07-22 16:00:03 b.s.m.n.SaslNettyClient [DEBUG] handle: SASL client callback: setting username: bXNzQFRFU1RLRVJCRVJPUy5DT00=
2014-07-22 16:00:03 b.s.m.n.SaslNettyClient [DEBUG] handle: SASL client callback: setting userPassword
2014-07-22 16:00:03 b.s.m.n.SaslNettyClient [DEBUG] handle: SASL client callback: setting realm: default
2014-07-22 16:00:03 b.s.m.n.SaslStormClientHandler [DEBUG] Response to server token has length:270
2014-07-22 16:00:03 b.s.m.n.SaslStormClientHandler [DEBUG] send/recv time (ms): 533
2014-07-22 16:00:03 b.s.m.n.SaslStormClientHandler [DEBUG] Responding to server's token of length: 40
2014-07-22 16:00:03 b.s.m.n.SaslStormClientHandler [DEBUG] Response to server is null: authentication should now be complete.
2014-07-22 16:00:03 b.s.m.n.SaslStormClientHandler [DEBUG] send/recv time (ms): 533
2014-07-22 16:00:03 b.s.m.n.SaslStormClientHandler [DEBUG] Server has sent us the SaslComplete message. Allowing normal work to proceed.
2014-07-22 16:00:03 b.s.m.n.SaslStormServerHandler [DEBUG] messageReceived: Got class backtype.storm.messaging.netty.SaslMessageToken
2014-07-22 16:00:03 b.s.m.n.SaslNettyServer [DEBUG] response: Responding to input token of length: 270
2014-07-22 16:00:03 b.s.m.n.SaslNettyServer [DEBUG] handle: SASL server DIGEST-MD5 callback: setting username for client: [email protected]
2014-07-22 16:00:03 b.s.m.n.SaslNettyServer [DEBUG] handle: SASL server DIGEST-MD5 callback: setting password for client: [email protected]
2014-07-22 16:00:03 b.s.m.n.SaslNettyServer [DEBUG] handle: SASL server DIGEST-MD5 callback: setting canonicalized client ID: [email protected]
2014-07-22 16:00:03 b.s.m.n.SaslNettyServer [DEBUG] response: Response token length: 40
2014-07-22 16:00:03 b.s.m.n.SaslStormServerHandler [DEBUG] SASL authentication is complete for client with username: bXNzQFRFU1RLRVJCRVJPUy5DT00=
2014-07-22 16:00:03 b.s.m.n.SaslStormServerHandler [DEBUG] Removing SaslServerHandler from pipeline since SASL authentication is complete.
2014-07-22 16:00:03 b.s.m.n.SaslStormServerHandler [DEBUG] messageReceived: authenticated client: bXNzQFRFU1RLRVJCRVJPUy5DT00= is authorized to do request on server.
2014-07-22 16:00:03 b.s.m.n.SaslStormServerHandler [DEBUG] messageReceived: authenticated client: bXNzQFRFU1RLRVJCRVJPUy5DT00= is authorized to do request on server.
2014-07-22 16:00:03 b.s.m.n.SaslStormServerHandler [DEBUG] messageReceived: authenticated client: bXNzQFRFU1RLRVJCRVJPUy5DT00= is authorized to do request on server.
2014-07-22 16:00:03 b.s.m.n.SaslStormServerHandler [DEBUG] messageReceived: authenticated client: bXNzQFRFU1RLRVJCRVJPUy5DT00= is authorized to do request on server.
{code}
> (Security) Netty SASL Authentication
> ------------------------------------
>
> Key: STORM-348
> URL: https://issues.apache.org/jira/browse/STORM-348
> Project: Apache Storm (Incubating)
> Issue Type: Bug
> Reporter: Robert Joseph Evans
> Assignee: Raghavendra Nandagopal
> Labels: security
> Attachments: Storm-Netty Authentication.pdf
>
>
> Currently the Netty transport does no authentication at all. You can encrypt
> the tuples being sent, but that is a huge performance hit for many cases that
> do not need it. We should support simple SASL authentication when Netty
> first connects to an external process. We probably want to use something
> similar to what we do for ZK, and generate a random secret for each topology.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
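
Added example (not part of the JIRA comment or of Storm's code): a small audit over debug output in the format logged above. It rebuilds the token exchange (server token of 97 bytes, client response of 270, final server token of 40) and lists any client that is served without a preceding "SASL authentication is complete" entry. The names audit and decode_user are hypothetical, and the last sample entry (user "Ym9i") is constructed to show the failing case.

```python
import base64
import re

# Entries copied from the comment above (rejoined onto one line each), plus one
# constructed entry (user "Ym9i") that is authorized without a completed handshake.
SAMPLE = """\
2014-07-22 16:00:03 b.s.m.n.SaslNettyServer [DEBUG] response: Response token length: 97
2014-07-22 16:00:03 b.s.m.n.SaslStormClientHandler [DEBUG] Response to server token has length:270
2014-07-22 16:00:03 b.s.m.n.SaslNettyServer [DEBUG] response: Response token length: 40
2014-07-22 16:00:03 b.s.m.n.SaslStormServerHandler [DEBUG] SASL authentication is complete for client with username: bXNzQFRFU1RLRVJCRVJPUy5DT00=
2014-07-22 16:00:03 b.s.m.n.SaslStormServerHandler [DEBUG] messageReceived: authenticated client: bXNzQFRFU1RLRVJCRVJPUy5DT00= is authorized to do request on server.
2014-07-22 16:00:04 b.s.m.n.SaslStormServerHandler [DEBUG] messageReceived: authenticated client: Ym9i is authorized to do request on server.
"""

ENTRY = re.compile(r"^(\S+ \S+) (\S+) \[(\w+)\] (.*)$")
SERVER_TOKEN = re.compile(r"Response token length: (\d+)")
CLIENT_TOKEN = re.compile(r"Response to server token has length:\s*(\d+)")
COMPLETE = re.compile(r"SASL authentication is complete for client with username: (\S+)")
AUTHORIZED = re.compile(r"authenticated client: (\S+) is authorized")

def decode_user(b64):
    """The logged username is only base64-encoded, so anyone with the log can read it."""
    return base64.b64decode(b64).decode("utf-8", "replace")

def audit(log_text):
    """Rebuild the token exchange and list users served without a completed handshake."""
    report = {"server_tokens": [], "client_tokens": [],
              "completed": set(), "unauthenticated": set()}
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue  # blank line or a wrapped fragment of a longer entry
        msg = entry.group(4)
        if m := SERVER_TOKEN.search(msg):
            report["server_tokens"].append(int(m.group(1)))
        elif m := CLIENT_TOKEN.search(msg):
            report["client_tokens"].append(int(m.group(1)))
        elif m := COMPLETE.search(msg):
            report["completed"].add(decode_user(m.group(1)))
        elif m := AUTHORIZED.search(msg):
            user = decode_user(m.group(1))
            if user not in report["completed"]:
                report["unauthenticated"].add(user)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```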