Repository: storm Updated Branches: refs/heads/1.x-branch 66837b2a3 -> 38b346ee5
STORM-3027: make impersonation optional Project: http://git-wip-us.apache.org/repos/asf/storm/repo Commit: http://git-wip-us.apache.org/repos/asf/storm/commit/ef746dfd Tree: http://git-wip-us.apache.org/repos/asf/storm/tree/ef746dfd Diff: http://git-wip-us.apache.org/repos/asf/storm/diff/ef746dfd Branch: refs/heads/1.x-branch Commit: ef746dfdd4df52e864ce210ed2438b98084647a9 Parents: 66837b2 Author: Robert (Bobby) Evans <ev...@yahoo-inc.com> Authored: Fri Mar 9 11:59:21 2018 -0600 Committer: Robert (Bobby) Evans <ev...@yahoo-inc.com> Committed: Wed Apr 11 09:58:36 2018 -0500 ---------------------------------------------------------------------- .../auth/AbstractSaslServerCallbackHandler.java | 8 +++++++ .../security/auth/SaslTransportPlugin.java | 5 +++-- .../security/auth/ThriftConnectionType.java | 19 +++++++++++++---- .../auth/digest/DigestSaslTransportPlugin.java | 4 ++-- .../auth/digest/ServerCallbackHandler.java | 22 ++++++-------------- .../kerberos/KerberosSaslTransportPlugin.java | 6 +++--- .../auth/kerberos/ServerCallbackHandler.java | 11 +++++++--- .../auth/plain/PlainSaslTransportPlugin.java | 4 ++-- .../auth/plain/PlainServerCallbackHandler.java | 19 ++++------------- 9 files changed, 51 insertions(+), 47 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/storm/blob/ef746dfd/storm-core/src/jvm/org/apache/storm/security/auth/AbstractSaslServerCallbackHandler.java ---------------------------------------------------------------------- diff --git a/storm-core/src/jvm/org/apache/storm/security/auth/AbstractSaslServerCallbackHandler.java b/storm-core/src/jvm/org/apache/storm/security/auth/AbstractSaslServerCallbackHandler.java index ebbe2ea..25112a4 100644 --- a/storm-core/src/jvm/org/apache/storm/security/auth/AbstractSaslServerCallbackHandler.java +++ b/storm-core/src/jvm/org/apache/storm/security/auth/AbstractSaslServerCallbackHandler.java @@ -34,6 +34,11 @@ public abstract class AbstractSaslServerCallbackHandler implements CallbackHandl private static final Logger LOG = LoggerFactory.getLogger(AbstractSaslServerCallbackHandler.class); protected final Map<String,String> credentials = new HashMap<>(); protected String userName; + protected final boolean impersonationAllowed; + + protected AbstractSaslServerCallbackHandler(boolean impersonationAllowed) { + this.impersonationAllowed = impersonationAllowed; + } public void handle(Callback[] callbacks) throws UnsupportedCallbackException { for (Callback callback : callbacks) { @@ -82,6 +87,9 @@ public abstract class AbstractSaslServerCallbackHandler implements CallbackHandl //When authNid and authZid are not equal , authNId is attempting to impersonate authZid, We //add the authNid as the real user in reqContext's subject which will be used during authorization. if(!authenticationID.equals(ac.getAuthorizationID())) { + if (!impersonationAllowed) { + throw new IllegalArgumentException("Impersonation is not allowed for this server"); + } LOG.info("Impersonation attempt authenticationID = {} authorizationID = {}", ac.getAuthenticationID(), ac.getAuthorizationID()); ReqContext.context().setRealPrincipal(new SaslTransportPlugin.User(ac.getAuthenticationID())); http://git-wip-us.apache.org/repos/asf/storm/blob/ef746dfd/storm-core/src/jvm/org/apache/storm/security/auth/SaslTransportPlugin.java ---------------------------------------------------------------------- diff --git a/storm-core/src/jvm/org/apache/storm/security/auth/SaslTransportPlugin.java b/storm-core/src/jvm/org/apache/storm/security/auth/SaslTransportPlugin.java index cad2b30..ceeba53 100644 --- a/storm-core/src/jvm/org/apache/storm/security/auth/SaslTransportPlugin.java +++ b/storm-core/src/jvm/org/apache/storm/security/auth/SaslTransportPlugin.java @@ -65,7 +65,7 @@ public abstract class SaslTransportPlugin implements ITransportPlugin { public TServer getServer(TProcessor processor) throws IOException, TTransportException { int port = type.getPort(storm_conf); Integer socketTimeout = type.getSocketTimeOut(storm_conf); - TTransportFactory serverTransportFactory = getServerTransportFactory(); + TTransportFactory serverTransportFactory = getServerTransportFactory(type.isImpersonationAllowed()); TServerSocket serverTransport = null; if (socketTimeout != null) { serverTransport = new TServerSocket(port, socketTimeout); @@ -96,10 +96,11 @@ public abstract class SaslTransportPlugin implements ITransportPlugin { /** * All subclass must implement this method + * @param impersonationAllowed true if SASL impersonation should be allowed, else false. * @return server transport factory * @throws IOException */ - protected abstract TTransportFactory getServerTransportFactory() throws IOException; + protected abstract TTransportFactory getServerTransportFactory(boolean impersonationAllowed) throws IOException; /** http://git-wip-us.apache.org/repos/asf/storm/blob/ef746dfd/storm-core/src/jvm/org/apache/storm/security/auth/ThriftConnectionType.java ---------------------------------------------------------------------- diff --git a/storm-core/src/jvm/org/apache/storm/security/auth/ThriftConnectionType.java b/storm-core/src/jvm/org/apache/storm/security/auth/ThriftConnectionType.java index bc7c966..10ce7a1 100644 --- a/storm-core/src/jvm/org/apache/storm/security/auth/ThriftConnectionType.java +++ b/storm-core/src/jvm/org/apache/storm/security/auth/ThriftConnectionType.java @@ -27,11 +27,11 @@ import java.util.Map; */ public enum ThriftConnectionType { NIMBUS(Config.NIMBUS_THRIFT_TRANSPORT_PLUGIN, Config.NIMBUS_THRIFT_PORT, Config.NIMBUS_QUEUE_SIZE, - Config.NIMBUS_THRIFT_THREADS, Config.NIMBUS_THRIFT_MAX_BUFFER_SIZE, Config.STORM_THRIFT_SOCKET_TIMEOUT_MS), + Config.NIMBUS_THRIFT_THREADS, Config.NIMBUS_THRIFT_MAX_BUFFER_SIZE, Config.STORM_THRIFT_SOCKET_TIMEOUT_MS, true), DRPC(Config.DRPC_THRIFT_TRANSPORT_PLUGIN, Config.DRPC_PORT, Config.DRPC_QUEUE_SIZE, - Config.DRPC_WORKER_THREADS, Config.DRPC_MAX_BUFFER_SIZE, null), + Config.DRPC_WORKER_THREADS, Config.DRPC_MAX_BUFFER_SIZE, null, false), DRPC_INVOCATIONS(Config.DRPC_INVOCATIONS_THRIFT_TRANSPORT_PLUGIN, Config.DRPC_INVOCATIONS_PORT, null, - Config.DRPC_INVOCATIONS_THREADS, Config.DRPC_MAX_BUFFER_SIZE, null); + Config.DRPC_INVOCATIONS_THREADS, Config.DRPC_MAX_BUFFER_SIZE, null, false); private final String _transConf; private final String _portConf; @@ -39,15 +39,18 @@ public enum ThriftConnectionType { private final String _threadsConf; private final String _buffConf; private final String _socketTimeoutConf; + private final boolean impersonationAllowed; ThriftConnectionType(String transConf, String portConf, String qConf, - String threadsConf, String buffConf, String socketTimeoutConf) { + String threadsConf, String buffConf, String socketTimeoutConf, + boolean impersonationAllowed) { _transConf = transConf; _portConf = portConf; _qConf = qConf; _threadsConf = threadsConf; _buffConf = buffConf; _socketTimeoutConf = socketTimeoutConf; + this.impersonationAllowed = impersonationAllowed; } public String getTransportPlugin(Map conf) { @@ -89,4 +92,12 @@ public enum ThriftConnectionType { } return Utils.getInt(conf.get(_socketTimeoutConf)); } + + /** + * Check if SASL impersonation is allowed for this transport type. + * @return true if it is else false. + */ + public boolean isImpersonationAllowed() { + return impersonationAllowed; + } } http://git-wip-us.apache.org/repos/asf/storm/blob/ef746dfd/storm-core/src/jvm/org/apache/storm/security/auth/digest/DigestSaslTransportPlugin.java ---------------------------------------------------------------------- diff --git a/storm-core/src/jvm/org/apache/storm/security/auth/digest/DigestSaslTransportPlugin.java b/storm-core/src/jvm/org/apache/storm/security/auth/digest/DigestSaslTransportPlugin.java index 4d123aa..b2b2f33 100644 --- a/storm-core/src/jvm/org/apache/storm/security/auth/digest/DigestSaslTransportPlugin.java +++ b/storm-core/src/jvm/org/apache/storm/security/auth/digest/DigestSaslTransportPlugin.java @@ -36,9 +36,9 @@ public class DigestSaslTransportPlugin extends SaslTransportPlugin { public static final String DIGEST = "DIGEST-MD5"; private static final Logger LOG = LoggerFactory.getLogger(DigestSaslTransportPlugin.class); - protected TTransportFactory getServerTransportFactory() throws IOException { + protected TTransportFactory getServerTransportFactory(boolean impersonationAllowed) throws IOException { //create an authentication callback handler - CallbackHandler serer_callback_handler = new ServerCallbackHandler(login_conf); + CallbackHandler serer_callback_handler = new ServerCallbackHandler(login_conf, impersonationAllowed); //create a transport factory that will invoke our auth callback for digest TSaslServerTransport.Factory factory = new TSaslServerTransport.Factory(); http://git-wip-us.apache.org/repos/asf/storm/blob/ef746dfd/storm-core/src/jvm/org/apache/storm/security/auth/digest/ServerCallbackHandler.java ---------------------------------------------------------------------- diff --git a/storm-core/src/jvm/org/apache/storm/security/auth/digest/ServerCallbackHandler.java b/storm-core/src/jvm/org/apache/storm/security/auth/digest/ServerCallbackHandler.java index 7c4414f..d688e46 100644 --- a/storm-core/src/jvm/org/apache/storm/security/auth/digest/ServerCallbackHandler.java +++ b/storm-core/src/jvm/org/apache/storm/security/auth/digest/ServerCallbackHandler.java @@ -15,29 +15,18 @@ * See the License for the specific language governing permissions and * limitations under the License. */ + package org.apache.storm.security.auth.digest; import java.io.IOException; -import java.util.HashMap; import java.util.Map; - -import org.apache.storm.security.auth.AbstractSaslServerCallbackHandler; -import org.apache.storm.security.auth.ReqContext; -import org.apache.storm.security.auth.SaslTransportPlugin; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import javax.security.auth.callback.Callback; -import javax.security.auth.callback.CallbackHandler; -import javax.security.auth.callback.NameCallback; import javax.security.auth.callback.PasswordCallback; -import javax.security.auth.callback.UnsupportedCallbackException; import javax.security.auth.login.AppConfigurationEntry; import javax.security.auth.login.Configuration; -import javax.security.sasl.AuthorizeCallback; -import javax.security.sasl.RealmCallback; - +import org.apache.storm.security.auth.AbstractSaslServerCallbackHandler; import org.apache.storm.security.auth.AuthUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** * SASL server side callback handler @@ -47,7 +36,8 @@ public class ServerCallbackHandler extends AbstractSaslServerCallbackHandler { private static final String USER_PREFIX = "user_"; public static final String SYSPROP_SUPER_PASSWORD = "storm.SASLAuthenticationProvider.superPassword"; - public ServerCallbackHandler(Configuration configuration) throws IOException { + public ServerCallbackHandler(Configuration configuration, boolean impersonationAllowed) throws IOException { + super(impersonationAllowed); if (configuration==null) return; AppConfigurationEntry configurationEntries[] = configuration.getAppConfigurationEntry(AuthUtils.LOGIN_CONTEXT_SERVER); http://git-wip-us.apache.org/repos/asf/storm/blob/ef746dfd/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/KerberosSaslTransportPlugin.java ---------------------------------------------------------------------- diff --git a/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/KerberosSaslTransportPlugin.java b/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/KerberosSaslTransportPlugin.java index 6f1c346..6db99bc 100644 --- a/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/KerberosSaslTransportPlugin.java +++ b/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/KerberosSaslTransportPlugin.java @@ -28,7 +28,6 @@ import java.util.TreeMap; import javax.security.auth.Subject; import javax.security.auth.callback.CallbackHandler; import javax.security.auth.kerberos.KerberosTicket; -import javax.security.auth.login.AppConfigurationEntry; import javax.security.auth.login.Configuration; import javax.security.auth.login.LoginException; import javax.security.sasl.Sasl; @@ -51,9 +50,10 @@ public class KerberosSaslTransportPlugin extends SaslTransportPlugin { public static final String KERBEROS = "GSSAPI"; private static final Logger LOG = LoggerFactory.getLogger(KerberosSaslTransportPlugin.class); - public TTransportFactory getServerTransportFactory() throws IOException { + @Override + public TTransportFactory getServerTransportFactory(boolean impersonationAllowed) throws IOException { //create an authentication callback handler - CallbackHandler server_callback_handler = new ServerCallbackHandler(login_conf, storm_conf); + CallbackHandler server_callback_handler = new ServerCallbackHandler(login_conf, storm_conf, impersonationAllowed); //login our principal Subject subject = null; http://git-wip-us.apache.org/repos/asf/storm/blob/ef746dfd/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/ServerCallbackHandler.java ---------------------------------------------------------------------- diff --git a/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/ServerCallbackHandler.java b/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/ServerCallbackHandler.java index ba2f4af..de23368 100644 --- a/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/ServerCallbackHandler.java +++ b/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/ServerCallbackHandler.java @@ -24,7 +24,6 @@ import org.apache.storm.security.auth.SaslTransportPlugin; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import javax.security.auth.Subject; import javax.security.auth.callback.*; import javax.security.auth.login.AppConfigurationEntry; import javax.security.auth.login.Configuration; @@ -39,8 +38,10 @@ public class ServerCallbackHandler implements CallbackHandler { private static final Logger LOG = LoggerFactory.getLogger(ServerCallbackHandler.class); private String userName; + private final boolean impersonationAllowed; - public ServerCallbackHandler(Configuration configuration, Map stormConf) throws IOException { + public ServerCallbackHandler(Configuration configuration, Map stormConf, boolean impersonationAllowed) throws IOException { + this.impersonationAllowed = impersonationAllowed; if (configuration==null) return; AppConfigurationEntry configurationEntries[] = configuration.getAppConfigurationEntry(AuthUtils.LOGIN_CONTEXT_SERVER); @@ -52,7 +53,7 @@ public class ServerCallbackHandler implements CallbackHandler { } - public void handle(Callback[] callbacks) throws UnsupportedCallbackException { + public void handle(Callback[] callbacks) { for (Callback callback : callbacks) { if (callback instanceof NameCallback) { handleNameCallback((NameCallback) callback); @@ -86,6 +87,10 @@ public class ServerCallbackHandler implements CallbackHandler { //When authNid and authZid are not equal , authNId is attempting to impersonate authZid, We //add the authNid as the real user in reqContext's subject which will be used during authorization. if(!ac.getAuthenticationID().equals(ac.getAuthorizationID())) { + if (!impersonationAllowed) { + throw new IllegalArgumentException(ac.getAuthenticationID() + " attempting to impersonate " + ac.getAuthorizationID() + + ". This is not allowed by this server"); + } ReqContext.context().setRealPrincipal(new SaslTransportPlugin.User(ac.getAuthenticationID())); } else { ReqContext.context().setRealPrincipal(null); http://git-wip-us.apache.org/repos/asf/storm/blob/ef746dfd/storm-core/src/jvm/org/apache/storm/security/auth/plain/PlainSaslTransportPlugin.java ---------------------------------------------------------------------- diff --git a/storm-core/src/jvm/org/apache/storm/security/auth/plain/PlainSaslTransportPlugin.java b/storm-core/src/jvm/org/apache/storm/security/auth/plain/PlainSaslTransportPlugin.java index eaef91a..18cb79e 100644 --- a/storm-core/src/jvm/org/apache/storm/security/auth/plain/PlainSaslTransportPlugin.java +++ b/storm-core/src/jvm/org/apache/storm/security/auth/plain/PlainSaslTransportPlugin.java @@ -36,9 +36,9 @@ public class PlainSaslTransportPlugin extends SaslTransportPlugin { private static final Logger LOG = LoggerFactory.getLogger(PlainSaslTransportPlugin.class); @Override - protected TTransportFactory getServerTransportFactory() throws IOException { + protected TTransportFactory getServerTransportFactory(boolean impersonationAllowed) throws IOException { //create an authentication callback handler - CallbackHandler serverCallbackHandler = new PlainServerCallbackHandler(); + CallbackHandler serverCallbackHandler = new PlainServerCallbackHandler(impersonationAllowed); if (Security.getProvider(SaslPlainServer.SecurityProvider.SASL_PLAIN_SERVER) == null) { Security.addProvider(new SaslPlainServer.SecurityProvider()); } http://git-wip-us.apache.org/repos/asf/storm/blob/ef746dfd/storm-core/src/jvm/org/apache/storm/security/auth/plain/PlainServerCallbackHandler.java ---------------------------------------------------------------------- diff --git a/storm-core/src/jvm/org/apache/storm/security/auth/plain/PlainServerCallbackHandler.java b/storm-core/src/jvm/org/apache/storm/security/auth/plain/PlainServerCallbackHandler.java index c646fc9..bad6653 100644 --- a/storm-core/src/jvm/org/apache/storm/security/auth/plain/PlainServerCallbackHandler.java +++ b/storm-core/src/jvm/org/apache/storm/security/auth/plain/PlainServerCallbackHandler.java @@ -15,26 +15,14 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.apache.storm.security.auth.plain; -import java.io.IOException; -import java.util.HashMap; -import java.util.Map; +package org.apache.storm.security.auth.plain; +import javax.security.auth.callback.PasswordCallback; import org.apache.storm.security.auth.AbstractSaslServerCallbackHandler; -import org.apache.storm.security.auth.ReqContext; -import org.apache.storm.security.auth.SaslTransportPlugin; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import javax.security.auth.callback.Callback; -import javax.security.auth.callback.CallbackHandler; -import javax.security.auth.callback.NameCallback; -import javax.security.auth.callback.PasswordCallback; -import javax.security.auth.callback.UnsupportedCallbackException; -import javax.security.sasl.AuthorizeCallback; -import javax.security.sasl.RealmCallback; - /** * SASL server side callback handler */ @@ -42,7 +30,8 @@ public class PlainServerCallbackHandler extends AbstractSaslServerCallbackHandle private static final Logger LOG = LoggerFactory.getLogger(PlainServerCallbackHandler.class); public static final String PASSWORD = "password"; - public PlainServerCallbackHandler() throws IOException { + public PlainServerCallbackHandler(boolean impersonationAllowed) { + super(impersonationAllowed); userName=null; }
