[
https://issues.apache.org/jira/browse/STORM-348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14074515#comment-14074515
]
ASF GitHub Bot commented on STORM-348:
--------------------------------------
Github user revans2 commented on a diff in the pull request:
https://github.com/apache/incubator-storm/pull/202#discussion_r15409160
--- Diff:
storm-core/src/jvm/backtype/storm/messaging/netty/StormServerPipelineFactory.java
---
@@ -33,13 +36,27 @@ public ChannelPipeline getPipeline() throws Exception {
// Create a default pipeline implementation.
ChannelPipeline pipeline = Channels.pipeline();
- // Decoder
- pipeline.addLast("decoder", new MessageDecoder());
- // Encoder
- pipeline.addLast("encoder", new MessageEncoder());
- // business logic.
- pipeline.addLast("handler", new StormServerHandler(server));
-
+ boolean isNettyAuth = (Boolean)
this.server.storm_conf.get(Config.STORM_MESSAGING_NETTY_AUTHENTICATION);
+ if(isNettyAuth) {
+ // Decoder
+ pipeline.addLast("decoder", new MessageDecoder());
+ // Encoder
+ pipeline.addLast("encoder", new MessageEncoder());
+ // Authenticate: Removed after authentication completes
+ pipeline.addLast("saslServerHandler", new
SaslStormServerHandler(server));
+ // Authorize
+ pipeline.addLast("authorizeServerHandler", new
SaslStormServerAuthorizeHandler());
+ // business logic.
+ pipeline.addLast("handler", new StormServerHandler(server));
+ } else {
+ // Decoder
+ pipeline.addLast("decoder", new MessageDecoder());
+ // Encoder
+ pipeline.addLast("encoder", new MessageEncoder());
+ // business logic.
+ pipeline.addLast("handler", new StormServerHandler(server));
+ }
+
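Review bot: The first added line, `boolean isNettyAuth = (Boolean) this.server.storm_conf.get(Config.STORM_MESSAGING_NETTY_AUTHENTICATION);`, unboxes the result of a map lookup, so getPipeline() throws a NullPointerException if the key is absent from storm_conf. Read the value null-safely, for example with `Boolean.TRUE.equals(...)`, and document which default a missing key implies, since that decides whether authentication is on or off. If the two branches are merged, keep "saslServerHandler" and "authorizeServerHandler" ahead of "handler" so that no message reaches StormServerHandler before the SASL handlers have seen it.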
--- End diff --
Similar here, could we try to combine as much of the if/else blocks
together so that the sasl handling is the only thing in the if block.
> (Security) Netty SASL Authentication
> ------------------------------------
>
> Key: STORM-348
> URL: https://issues.apache.org/jira/browse/STORM-348
> Project: Apache Storm (Incubating)
> Issue Type: Bug
> Reporter: Robert Joseph Evans
> Assignee: Raghavendra Nandagopal
> Labels: security
> Attachments: Storm-Netty Authentication.pdf
>
>
> Currently the Netty transport does no authentication at all. You can encrypt
> the tuples being sent, but that is a huge performance hit for many cases that
> do not need it. We should support simple SASL authentication when Netty
> first connects to an external process. We probably want to use something
> similar to what we do for ZK, and generate a random secret for each topology.