[ https://issues.apache.org/jira/browse/STORM-438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14087824#comment-14087824 ]

Robert Joseph Evans commented on STORM-438:
-------------------------------------------

Yes, the truth is I took a shortcut on KerberosPrincipalToLocal.  If you look at [Hadoop|https://github.com/apache/hadoop-common/blob/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java] or [Zookeeper|https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/auth/KerberosName.java] they have code to do a proper principal to local mapping using the auth_to_local rules.  If someone wants to file a JIRA and adopt the same parsing code that the two implementations share, we could get the full flexibility to work around this issue.

> SimpleACLAuthorizer should allow users with same keytab as supervisor to 
> perform user operations
> ------------------------------------------------------------------------------------------------
>
>                 Key: STORM-438
>                 URL: https://issues.apache.org/jira/browse/STORM-438
>             Project: Apache Storm (Incubating)
>          Issue Type: Bug
>            Reporter: Sriharsha Chintalapani
>            Priority: Minor
>              Labels: Security
>
> Storm security allows the user to provide a jaas.conf with StormServer and 
> StormClient. If the user who is submitting a topology uses the StormClient keytab, 
> then it would throw AuthorizationException. In SimpleACLAuthorizer we check 
> if supervisor_users contains the context user; if that matches we return true or 
> false if the operation requested is a supervisor operation.
> In the above case it would return false as the user exists in supervisors and the 
> operation requested would be "getClusterInfo". This shouldn't fail since it's 
> part of userOperations.
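To make the comment's suggestion concrete, here is an added example (not code from Storm, Hadoop or ZooKeeper) of a small, hypothetical `AuthToLocalMapper` class that evaluates auth_to_local rules in the `DEFAULT` / `RULE:[n:format](regex)s/from/to/g` syntax those two `KerberosName` classes share. It is a simplification: the `s///` replacement uses `java.util.regex` syntax (`$1`) rather than Hadoop's `\1`, and only the `name[/host]@REALM` principal shape is parsed. The sample rules, realm names and principals in `main` are constructed for the demonstration. The defensive behaviour worth noting is that a principal no rule matches is rejected with an exception instead of being mapped to its primary component, and a rule whose result still contains `/` or `@` is refused.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical, simplified auth_to_local rule mapper (added example, not project code). */
public final class AuthToLocalMapper {

    /** Thrown when no rule maps the principal; the caller must treat this as a denial. */
    public static final class NoMatchingRuleException extends Exception {
        NoMatchingRuleException(String msg) { super(msg); }
    }

    // principal = name[/host]@REALM
    private static final Pattern PRINCIPAL = Pattern.compile("^([^/@]+)(?:/([^/@]+))?@([^/@]+)$");
    // DEFAULT | RULE:[n:format](regex)s/from/to/g  (the (regex) and s/// parts are optional)
    private static final Pattern RULE = Pattern.compile(
        "(?:(DEFAULT)|RULE:\\[(\\d+):([^\\]]*)\\](?:\\(([^)]*)\\))?(?:s/([^/]*)/([^/]*)/(g)?)?)");
    private static final Pattern PARAM = Pattern.compile("\\$(\\d+)");
    // a mapped local name must never still look like a principal
    private static final Pattern NON_SIMPLE = Pattern.compile("[/@]");

    private static final class Rule {
        final boolean isDefault; final int numComponents; final String format;
        final Pattern match; final Pattern from; final String to; final boolean repeat;
        Rule(Matcher m) {
            isDefault = m.group(1) != null;
            numComponents = isDefault ? 0 : Integer.parseInt(m.group(2));
            format = m.group(3);
            match = m.group(4) == null ? null : Pattern.compile(m.group(4));
            from = m.group(5) == null ? null : Pattern.compile(m.group(5));
            to = m.group(6);
            repeat = m.group(7) != null;
        }
    }

    private final String defaultRealm;
    private final List<Rule> rules = new ArrayList<>();

    /** Rules are separated by whitespace; a rule that does not parse is a configuration error. */
    public AuthToLocalMapper(String defaultRealm, String ruleText) {
        this.defaultRealm = defaultRealm;
        for (String r : ruleText.trim().split("\\s+")) {
            Matcher m = RULE.matcher(r);
            if (!m.matches()) throw new IllegalArgumentException("Bad auth_to_local rule: " + r);
            rules.add(new Rule(m));
        }
    }

    /** Maps a Kerberos principal to a local user name, or throws if no rule accepts it. */
    public String toLocal(String principal) throws NoMatchingRuleException {
        Matcher p = PRINCIPAL.matcher(principal);
        if (!p.matches()) throw new NoMatchingRuleException("Malformed principal: " + principal);
        String realm = p.group(3);
        String[] comps = p.group(2) == null
            ? new String[] {p.group(1)} : new String[] {p.group(1), p.group(2)};
        for (Rule rule : rules) {
            String result = apply(rule, realm, comps);
            if (result == null) continue;            // rule did not apply, try the next one
            if (NON_SIMPLE.matcher(result).find())
                throw new NoMatchingRuleException("Non-simple name '" + result + "' for " + principal);
            return result;                            // first matching rule wins
        }
        throw new NoMatchingRuleException("No auth_to_local rule matched " + principal);
    }

    private String apply(Rule rule, String realm, String[] comps) {
        // DEFAULT: only principals in the local realm collapse to their first component
        if (rule.isDefault) return defaultRealm.equals(realm) ? comps[0] : null;
        if (comps.length != rule.numComponents) return null;
        String base = expand(rule.format, realm, comps);
        if (rule.match != null && !rule.match.matcher(base).matches()) return null;
        if (rule.from == null) return base;
        Matcher m = rule.from.matcher(base);
        return rule.repeat ? m.replaceAll(rule.to) : m.replaceFirst(rule.to);
    }

    // $0 = realm, $1..$n = principal components
    private static String expand(String format, String realm, String[] comps) {
        Matcher m = PARAM.matcher(format);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            int i = Integer.parseInt(m.group(1));
            if (i > comps.length) throw new IllegalArgumentException("Format references $" + i);
            m.appendReplacement(sb, Matcher.quoteReplacement(i == 0 ? realm : comps[i - 1]));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // constructed sample rules: remap the nimbus service principal to the "storm" user,
        // strip one trusted foreign realm, and use DEFAULT only for the local realm
        String rules = "RULE:[2:$1@$0](nimbus@EXAMPLE.COM)s/.*/storm/\n"
                     + "RULE:[1:$1@$0](.*@OTHER.REALM)s/@.*//\n"
                     + "DEFAULT";
        AuthToLocalMapper mapper = new AuthToLocalMapper("EXAMPLE.COM", rules);
        System.out.println(mapper.toLocal("nimbus/host1.example.com@EXAMPLE.COM"));
        System.out.println(mapper.toLocal("alice@OTHER.REALM"));
        System.out.println(mapper.toLocal("bob@EXAMPLE.COM"));
        try {
            mapper.toLocal("mallory@EVIL.REALM");  // no rule covers this realm: rejected
        } catch (NoMatchingRuleException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Seen from the issue above, this is the flexibility the comment refers to: whether `storm/host@REALM` and a plain `storm@REALM` client principal should both resolve to the same local user becomes a matter of the configured rules rather than of a hard-coded shortcut, and the authorizer compares local names that have been produced by an explicit, auditable mapping.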



--
This message was sent by Atlassian JIRA
(v6.2#6252)
