[
https://issues.apache.org/jira/browse/STORM-346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14074800#comment-14074800
]
ASF GitHub Bot commented on STORM-346:
--------------------------------------
Github user Parth-Brahmbhatt commented on a diff in the pull request:
https://github.com/apache/incubator-storm/pull/190#discussion_r15419864
--- Diff: storm-core/src/clj/backtype/storm/daemon/nimbus.clj ---
@@ -1046,7 +1047,10 @@
(dissoc storm-conf
STORM-ZOOKEEPER-TOPOLOGY-AUTH-SCHEME STORM-ZOOKEEPER-TOPOLOGY-AUTH-PAYLOAD))
total-storm-conf (merge conf storm-conf)
topology (normalize-topology total-storm-conf topology)
+ nimbus-autocred-plugins
(AuthUtils/getNimbusAutoCredPlugins total-storm-conf)
--- End diff --
I can see how this can be a security hole when the user passes his own
implementation and act as nimbus to get delegation tokens as some other user.
Good catch. I will go with your approach.
> (Security) Oozie style delegation tokens for HDFS/HBase
> -------------------------------------------------------
>
> Key: STORM-346
> URL: https://issues.apache.org/jira/browse/STORM-346
> Project: Apache Storm (Incubating)
> Issue Type: Bug
> Reporter: Robert Joseph Evans
> Assignee: Parth Brahmbhatt
> Labels: security
>
> Oozie has the ability to fetch delegation tokens on behalf of other users by
> running as a super user that can become a proxy user for almost anyone else.
> We should build one or more classes similar to AutoTGT that can fetch a
> delegation token for HDFS/HBase, renew the token if needed, and then once the
> token is about to permanently expire fetch a new one.
> According to some people I have talked with HBase may need to have a JIRA
> filed against it so that it can pick up a new delegation token without
> needing to restart the process.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
