From bo...@apache.org
Subject [2/5] storm git commit: STORM-689. SimpleACLAuthorizer should provide a way to restrict who can submit topologies. Added nimbus.groups.
Date Tue, 17 Mar 2015 14:53:57 GMT
STORM-689. SimpleACLAuthorizer should provide a way to restrict who can
submit topologies. Added nimbus.groups.


Project: http://git-wip-us.apache.org/repos/asf/storm/repo
Commit: http://git-wip-us.apache.org/repos/asf/storm/commit/6f6f48db
Tree: http://git-wip-us.apache.org/repos/asf/storm/tree/6f6f48db
Diff: http://git-wip-us.apache.org/repos/asf/storm/diff/6f6f48db

Branch: refs/heads/master
Commit: 6f6f48dbb2a11988a96e1cad59ed4c468ef9ac6c
Parents: 3df6aaa
Author: Sriharsha Chintalapani <mail@harsha.io>
Authored: Thu Mar 12 15:31:53 2015 -0700
Committer: Sriharsha Chintalapani <mail@harsha.io>
Committed: Thu Mar 12 15:31:53 2015 -0700

----------------------------------------------------------------------
 SECURITY.md                                     | 23 +++++++++++
 storm-core/src/jvm/backtype/storm/Config.java   |  7 ++++
 .../auth/authorizer/SimpleACLAuthorizer.java    | 41 +++++++++++++-------
 3 files changed, 57 insertions(+), 14 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/storm/blob/6f6f48db/SECURITY.md
----------------------------------------------------------------------
diff --git a/SECURITY.md b/SECURITY.md
index 5100735..7da95b8 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -361,5 +361,28 @@ The Logviewer daemon now is also responsible for cleaning up old log
files for d
 | logviewer.cleanup.interval.secs | Interval of time in seconds that the logviewer cleans
up worker logs. |
 
 
+### Allowing specific users or groups to access storm
+
+ With SimpleACLAuthorizer any user with valid kerberos ticket can deploy a topology or do
further operations such as activate, deactivate , access cluster information.
+ One can restrict this access by specifying nimbus.users or nimbus.groups. If nimbus.users
configured only the users in the list can deploy a topology or access cluster.
+ Similarly nimbus.groups restrict storm cluster access to users who belong to those groups.
+ 
+ To configure specify the following config in storm.yaml
+
+```yaml
+nimbus.users: 
+   - "testuser"
+```
+
+or 
+
+```yaml
+nimbus.groups: 
+   - "storm"
+```
+ 
+
 ### DRPC
 Hopefully more on this soon
+
+

http://git-wip-us.apache.org/repos/asf/storm/blob/6f6f48db/storm-core/src/jvm/backtype/storm/Config.java
----------------------------------------------------------------------
diff --git a/storm-core/src/jvm/backtype/storm/Config.java b/storm-core/src/jvm/backtype/storm/Config.java
index a098555..ccfd91e 100644
--- a/storm-core/src/jvm/backtype/storm/Config.java
+++ b/storm-core/src/jvm/backtype/storm/Config.java
@@ -346,6 +346,13 @@ public class Config extends HashMap<String, Object> {
     public static final Object NIMBUS_USERS_SCHEMA = ConfigValidation.StringsValidator;
 
     /**
+     * A list of groups , users belong to these groups are the only ones allowed to run user
operation on storm cluster.
+     * To use this set nimbus.authorizer to backtype.storm.security.auth.authorizer.SimpleACLAuthorizer
+     */
+    public static final String NIMBUS_GROUPS = "nimbus.groups";
+    public static final Object NIMBUS_GROUPS_SCHEMA = ConfigValidation.StringsValidator;
+
+    /**
      * A list of users that run the supervisors and should be authorized to interact with
      * nimbus as a supervisor would.  To use this set
      * nimbus.authorizer to backtype.storm.security.auth.authorizer.SimpleACLAuthorizer
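Review bot: The new Javadoc on `NIMBUS_GROUPS` is a sentence fragment ("A list of groups , users belong to these groups are the only ones allowed ...") and does not say how the list combines with `nimbus.users`, which is the question a deployer reading this constant will have. From the authorizer change in the same commit the two lists are unioned (a user passes if listed in nimbus.users or a member of any nimbus.groups entry), so the first Javadoc line could read ` * A list of groups; a user who belongs to any of them is allowed to run user operations on the storm cluster, in addition to the users listed in nimbus.users.` with the existing `nimbus.authorizer` sentence kept below it. The `Config` class continues well outside this hunk.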

http://git-wip-us.apache.org/repos/asf/storm/blob/6f6f48db/storm-core/src/jvm/backtype/storm/security/auth/authorizer/SimpleACLAuthorizer.java
----------------------------------------------------------------------
diff --git a/storm-core/src/jvm/backtype/storm/security/auth/authorizer/SimpleACLAuthorizer.java
b/storm-core/src/jvm/backtype/storm/security/auth/authorizer/SimpleACLAuthorizer.java
index d3d49ef..2866d6d 100644
--- a/storm-core/src/jvm/backtype/storm/security/auth/authorizer/SimpleACLAuthorizer.java
+++ b/storm-core/src/jvm/backtype/storm/security/auth/authorizer/SimpleACLAuthorizer.java
@@ -49,6 +49,7 @@ public class SimpleACLAuthorizer implements IAuthorizer {
     protected Set<String> _admins;
     protected Set<String> _supervisors;
     protected Set<String> _nimbusUsers;
+    protected Set<String> _nimbusGroups;
     protected IPrincipalToLocal _ptol;
     protected IGroupMappingServiceProvider _groupMappingProvider;
     /**
@@ -60,6 +61,7 @@ public class SimpleACLAuthorizer implements IAuthorizer {
         _admins = new HashSet<String>();
         _supervisors = new HashSet<String>();
         _nimbusUsers = new HashSet<String>();
+        _nimbusGroups = new HashSet<String>();
 
         if (conf.containsKey(Config.NIMBUS_ADMINS)) {
             _admins.addAll((Collection<String>)conf.get(Config.NIMBUS_ADMINS));
@@ -71,6 +73,10 @@ public class SimpleACLAuthorizer implements IAuthorizer {
             _nimbusUsers.addAll((Collection<String>)conf.get(Config.NIMBUS_USERS));
         }
 
+        if (conf.containsKey(Config.NIMBUS_GROUPS)) {
+            _nimbusGroups.addAll((Collection<String>)conf.get(Config.NIMBUS_GROUPS));
+        }
+
         _ptol = AuthUtils.GetPrincipalToLocalPlugin(conf);
         _groupMappingProvider = AuthUtils.GetGroupMappingServiceProviderPlugin(conf);
     }
@@ -92,6 +98,16 @@ public class SimpleACLAuthorizer implements IAuthorizer {
 
         String principal = context.principal().getName();
         String user = _ptol.toLocal(context.principal());
+        Set<String> userGroups = new HashSet<String>();
+
+        if (_groupMappingProvider != null) {
+            try {
+                userGroups = _groupMappingProvider.getGroups(user);
+            } catch(IOException e) {
+                LOG.warn("Error while trying to fetch user groups",e);
+            }
+        }
+
         if (_admins.contains(principal) || _admins.contains(user)) {
             return true;
         }
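Review bot: The `getGroups` lookup now runs on every authorization call, ahead of the `_admins` and supervisor short-circuits that follow it, so each request pays a group-mapping round-trip even when neither nimbus.groups nor any topology groups are configured (before this change it ran only when `topoGroups` was non-empty). Consider deferring the lookup until just before the first use, or at least guarding it with a check that some group list is non-empty. The contract of `getGroups` is not visible here; if it may return null, `checkUserGroupAllowed` would throw on `userGroups.size()`, so a null-safe assignment such as `Set<String> g = _groupMappingProvider.getGroups(user); if (g != null) userGroups = g;` would be worth confirming against the provider. It is also worth a comment that the empty set kept after an `IOException` makes every group-based check below fail closed, e.g. `// lookup failure leaves userGroups empty: group-based checks deny`. The enclosing method starts before this hunk.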
@@ -101,10 +117,7 @@ public class SimpleACLAuthorizer implements IAuthorizer {
         }
 
         if (_userCommands.contains(operation)) {
-            if (_nimbusUsers.size() > 0 && _nimbusUsers.contains(user))
-                return true;
-            else if (_nimbusUsers.size() == 0)
-                return true;
+            return _nimbusUsers.size() == 0 || _nimbusUsers.contains(user) || checkUserGroupAllowed(userGroups,
_nimbusGroups);
         }
 
         if (_topoCommands.contains(operation)) {
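Review bot: On the new return line, `_nimbusUsers.size() == 0` short-circuits to true whenever nimbus.users is unset, so `_nimbusGroups` is never consulted and configuring only nimbus.groups (the second example the SECURITY.md hunk gives after "or") restricts nothing, contrary to what that section and the commit title promise. The open-by-default case should require both lists to be empty: `return (_nimbusUsers.size() == 0 && _nimbusGroups.size() == 0) || _nimbusUsers.contains(user) || checkUserGroupAllowed(userGroups, _nimbusGroups);`. The enclosing method starts before this hunk.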
@@ -122,16 +135,16 @@ public class SimpleACLAuthorizer implements IAuthorizer {
                 topoGroups.addAll((Collection<String>)topology_conf.get(Config.TOPOLOGY_GROUPS));
             }
 
-            if(_groupMappingProvider != null && topoGroups.size() > 0) {
-                try {
-                    Set<String> userGroups = _groupMappingProvider.getGroups(user);
-                    for (String tgroup : topoGroups) {
-                        if(userGroups.contains(tgroup))
-                            return true;
-                    }
-                } catch(IOException e) {
-                    LOG.warn("Error while trying to fetch user groups",e);
-                }
+            if (checkUserGroupAllowed(userGroups, topoGroups)) return true;
+        }
+        return false;
+    }
+
+    private Boolean checkUserGroupAllowed(Set<String> userGroups, Set<String>
configuredGroups) {
+        if(userGroups.size() > 0 && configuredGroups.size() > 0) {
+            for (String tgroup : configuredGroups) {
+                if(userGroups.contains(tgroup))
+                    return true;
             }
         }
         return false;
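Review bot: `checkUserGroupAllowed` is declared to return boxed `Boolean` although it only ever yields the literals true and false; declaring it `private boolean checkUserGroupAllowed(Set<String> userGroups, Set<String> configuredGroups) {` avoids an unboxing on every `permit` call and rules out a null return. The unbraced `if (userGroups.contains(tgroup)) return true;` and the `if(` spacing also depart from the surrounding style; the loop body could simply be `if (userGroups.contains(tgroup)) { return true; }`. A short Javadoc would help the two callers, along the lines of `/** Returns true when the user belongs to at least one configured group; an empty set on either side never matches. */`. The method's closing brace falls outside this hunk.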

