Steve Miller created STORM-2739:
-----------------------------------

             Summary: Storm UI fails to bind to ui.host when using https
                 Key: STORM-2739
                 URL: https://issues.apache.org/jira/browse/STORM-2739
             Project: Apache Storm
          Issue Type: Bug
          Components: storm-ui
    Affects Versions: 1.1.1
         Environment: all
            Reporter: Steve Miller


When using https with the Storm UI, it ignores the value of ui.host, and binds to 0.0.0.0.

Starting with this config:


{code:yaml}
storm.local.dir: "/opt/storm"
storm.zookeeper.servers:
    - "bigstorm.porcupineracing.com"
nimbus.seeds: ["bigstorm.porcupineracing.com"]
nimbus.childopts: "-Xmx1024m -Djava.security.auth.login.config=/keytabs/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf"
ui.childopts: "-Xmx768m -Djava.security.auth.login.config=/keytabs/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf"
supervisor.childopts: "-Xmx768m -Djava.security.auth.login.config=/keytabs/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf"
storm.thrift.transport: "org.apache.storm.security.auth.kerberos.KerberosSaslTransportPlugin"
java.security.auth.login.config: "/keytabs/jaas.conf"
storm.zookeeper.superACL: "sasl:st...@porcupineracing.com"

ui.host: 127.0.0.1

nimbus.authorizer: "org.apache.storm.security.auth.authorizer.SimpleACLAuthorizer"
nimbus.admins:
  - "storm/bigstorm.porcupineracing....@porcupineracing.com"
  - "st...@porcupineracing.com"
  - "storm"
nimbus.supervisor.users:
  - "storm/bigstorm.porcupineracing....@porcupineracing.com"
  - "st...@porcupineracing.com"
  - "storm"
nimbus.users:
   - "steven.miller"
   - "steven.mil...@porcupineracing.com"
{code}

I can start the UI and verify using lsof that it's only listening on localhost:


{code}
[root@bigstorm bin]# ps axuww | grep ui.core
root      5080  0.1  5.6 2850232 217688 pts/1  Sl   Sep14   1:31 java -server 
-Ddaemon.name=ui -Dstorm.options= -Dstorm.home=/opt/apache-storm-1.1.1 
-Dstorm.log.dir=/opt/apache-storm-1.1.1/logs 
-Djava.library.path=/usr/local/lib:/opt/local/lib:/usr/lib -Dstorm.conf.file= 
-cp 
/opt/apache-storm-1.1.1/lib/asm-5.0.3.jar:/opt/apache-storm-1.1.1/lib/clojure-1.7.0.jar:/opt/apache-storm-1.1.1/lib/disruptor-3.3.2.jar:/opt/apache-storm-1.1.1/lib/kryo-3.0.3.jar:/opt/apache-storm-1.1.1/lib/log4j-api-2.8.2.jar:/opt/apache-storm-1.1.1/lib/log4j-core-2.8.2.jar:/opt/apache-storm-1.1.1/lib/log4j-over-slf4j-1.6.6.jar:/opt/apache-storm-1.1.1/lib/log4j-slf4j-impl-2.8.2.jar:/opt/apache-storm-1.1.1/lib/minlog-1.3.0.jar:/opt/apache-storm-1.1.1/lib/objenesis-2.1.jar:/opt/apache-storm-1.1.1/lib/reflectasm-1.10.1.jar:/opt/apache-storm-1.1.1/lib/ring-cors-0.1.5.jar:/opt/apache-storm-1.1.1/lib/servlet-api-2.5.jar:/opt/apache-storm-1.1.1/lib/slf4j-api-1.7.21.jar:/opt/apache-storm-1.1.1/lib/storm-core-1.1.1.jar:/opt/apache-storm-1.1.1/lib/storm-rename-hack-1.1.1.jar:/opt/apache-storm-1.1.1:/opt/apache-storm-default/conf
 -Xmx768m -Djava.security.auth.login.config=/keytabs/jaas.conf 
-Djava.security.krb5.conf=/etc/krb5.conf -Dlogfile.name=ui.log 
-DLog4jContextSelector=org.apache.logging.log4j.core.async.AsyncLoggerContextSelector
 -Dlog4j.configurationFile=/opt/apache-storm-1.1.1/log4j2/cluster.xml 
org.apache.storm.ui.core
root     19913  0.0  0.0 112648   972 pts/1    R+   09:26   0:00 grep 
--color=auto ui.core

[root@bigstorm bin]# lsof -p 5080 -P | grep LISTEN
java    5080 root   27u     IPv6             597116       0t0      TCP localhost:8080 (LISTEN)
{code}


Now if I add the https config:

{code}
ui.https.host: "localhost"
ui.https.port: 8443
ui.https.keystore.type: "jks"
ui.https.keystore.path: "/keytabs/keystore.jks"
ui.https.keystore.password: "sooper-sekrit"
ui.https.key.password: "sooper-sekrit"
{code}

and I restart the UI, I can see that it's listening on *:8443:

{code}
[root@bigstorm bin]# ps axuww | grep ui.core
root     19921 17.2  5.4 2849188 210896 pts/1  Sl   09:26   0:04 java -server 
-Ddaemon.name=ui -Dstorm.options= -Dstorm.home=/opt/apache-storm-1.1.1 
-Dstorm.log.dir=/opt/apache-storm-1.1.1/logs 
-Djava.library.path=/usr/local/lib:/opt/local/lib:/usr/lib -Dstorm.conf.file= 
-cp 
/opt/apache-storm-1.1.1/lib/asm-5.0.3.jar:/opt/apache-storm-1.1.1/lib/clojure-1.7.0.jar:/opt/apache-storm-1.1.1/lib/disruptor-3.3.2.jar:/opt/apache-storm-1.1.1/lib/kryo-3.0.3.jar:/opt/apache-storm-1.1.1/lib/log4j-api-2.8.2.jar:/opt/apache-storm-1.1.1/lib/log4j-core-2.8.2.jar:/opt/apache-storm-1.1.1/lib/log4j-over-slf4j-1.6.6.jar:/opt/apache-storm-1.1.1/lib/log4j-slf4j-impl-2.8.2.jar:/opt/apache-storm-1.1.1/lib/minlog-1.3.0.jar:/opt/apache-storm-1.1.1/lib/objenesis-2.1.jar:/opt/apache-storm-1.1.1/lib/reflectasm-1.10.1.jar:/opt/apache-storm-1.1.1/lib/ring-cors-0.1.5.jar:/opt/apache-storm-1.1.1/lib/servlet-api-2.5.jar:/opt/apache-storm-1.1.1/lib/slf4j-api-1.7.21.jar:/opt/apache-storm-1.1.1/lib/storm-core-1.1.1.jar:/opt/apache-storm-1.1.1/lib/storm-rename-hack-1.1.1.jar:/opt/apache-storm-1.1.1:/opt/apache-storm-default/conf
 -Xmx768m -Djava.security.auth.login.config=/keytabs/jaas.conf 
-Djava.security.krb5.conf=/etc/krb5.conf -Dlogfile.name=ui.log 
-DLog4jContextSelector=org.apache.logging.log4j.core.async.AsyncLoggerContextSelector
 -Dlog4j.configurationFile=/opt/apache-storm-1.1.1/log4j2/cluster.xml 
org.apache.storm.ui.core
root     20018  0.0  0.0 112648   968 pts/1    R+   09:27   0:00 grep 
--color=auto ui.core
[root@bigstorm bin]# lsof -p 19921 -P | grep LISTEN
java    19921 root   38u  IPv6             677914       0t0      TCP *:8443 (LISTEN)
{code}

I have a situation in which I'm trying to limit access to the UI on a per-user 
basis.  The UI seems, as far as I can tell, only to support limiting access to 
users with valid Kerberos tickets (which is everyone here :) ), so I was trying 
to put a proxy in front of the UI and run it just on localhost, and rely on the 
proxy to do the authentication.

This bug means that if I were to do that, I'd have to run the UI without https, 
which means that people's credentials would be bouncing around in the clear 
(again, as far as I can tell; I tcpdumped that and I could see, say, 
st...@porcupineracing.com in the base64 decode of the Authorization: HTTP 
header, at least, which I figure was a bad sign).

I looked at the code and didn't see anything obvious, but since I don't know 
Clojure or Netty it was probably staring me in the face. :) But if you could 
fix this that'd be awesome, and it'd let me secure this in a way that I'd find 
much more reassuring.  Thanks!



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
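A small check for the symptom in this report, added here as an example and not part of the report or of Storm: it parses `lsof -P | grep LISTEN` output (sample lines constructed from the ones above, plus an IPv4 wildcard form) and flags any UI listener bound to something other than loopback, which is exactly what a proxy-in-front deployment must not see.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample: the two lsof lines from the report (localhost before the
# https config, wildcard after it) plus one 0.0.0.0 line for the IPv4 form.
SAMPLE_LSOF = """\
java    5080 root   27u     IPv6             597116       0t0      TCP localhost:8080 (LISTEN)
java    19921 root   38u  IPv6             677914       0t0      TCP *:8443 (LISTEN)
java    19921 root   39u  IPv4             677915       0t0      TCP 0.0.0.0:8000 (LISTEN)
"""

# Bind addresses that are reachable only from the host itself. lsof prints
# names without -n and literals with -n, so both spellings are listed.
LOOPBACK = {"localhost", "ip6-localhost", "127.0.0.1", "::1", "[::1]"}

# Matches one lsof LISTEN line: command, pid, then "TCP <addr>:<port> (LISTEN)".
_LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+.*\sTCP\s+(?P<addr>\S+?):(?P<port>\d+)\s+\(LISTEN\)"
)


def parse_listeners(lsof_text: str) -> List[Dict[str, str]]:
    """Turn lsof LISTEN lines into {cmd, pid, addr, port} records."""
    found = []
    for line in lsof_text.splitlines():
        m = _LINE.match(line)
        if m:
            found.append(m.groupdict())
    return found


def exposed_listeners(lsof_text: str, ports: Optional[Set[int]] = None) -> List[str]:
    """Return 'addr:port' for every listener (optionally limited to `ports`)
    whose bind address is not loopback. An empty list means the UI is only
    reachable through whatever sits on the local host, e.g. the auth proxy."""
    exposed = []
    for rec in parse_listeners(lsof_text):
        if ports is not None and int(rec["port"]) not in ports:
            continue
        if rec["addr"] not in LOOPBACK:
            exposed.append(f'{rec["addr"]}:{rec["port"]}')
    return exposed


if __name__ == "__main__":
    # Pipe real output in with: lsof -p <ui pid> -P | grep LISTEN | python3 check.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSOF
    for entry in exposed_listeners(text):
        print(f"non-loopback listener: {entry}")
```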
