[
https://issues.apache.org/jira/browse/STORM-438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14086423#comment-14086423
]
Sriharsha Chintalapani commented on STORM-438:
----------------------------------------------
[~dagit] I noticed a case where my StormClient principal is "storm@domain" and
my supervisors are running as user "storm" . I listed "storm" under
nimbus.supervisor.users and Storm UI uses StormClient to request ops on nimbus
it will reject any operation apart from supervisor ops as the user becomes
"storm".
> SimpleACLAuthorizer should allow users with same keytab as supervisor to
> perform user operations
> ------------------------------------------------------------------------------------------------
>
> Key: STORM-438
> URL: https://issues.apache.org/jira/browse/STORM-438
> Project: Apache Storm (Incubating)
> Issue Type: Bug
> Reporter: Sriharsha Chintalapani
> Priority: Minor
> Labels: Security
>
> Storm security allows user to provider jaas.conf with StormServer and
> StormClient. If the user who is submitting a topology uses StormClient keytab
> than it would throw AuthorizationException. In SimpleACLAuthorizer we check
> if supervisor_users contains context user if that matches we return true or
> false if the operation requested is a supervisor operation.
> In the above case it would return false as user exists in supervisors and the
> operation requested would be "getClusterInfo". This shouldn't fail since its
> part of userOperations.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
