From: jaimin@apache.org
To: commits@ambari.apache.org
Message-Id: <3624ee5aab4a42bb9be156c7d1ee24d1@git.apache.org>
X-Mailer: ASF-Git Admin Mailer
Subject: ambari git commit: AMBARI-17641. Add storm impersonation authorized along with default ACL. (Sriharsha via Jaimin)
Date: Mon, 18 Jul 2016 20:40:14 +0000 (UTC)
archived-at: Mon, 18 Jul 2016 20:40:17 -0000

Repository: ambari
Updated Branches:
  refs/heads/trunk def14ebd6 -> b69c3008a

AMBARI-17641. Add storm impersonation authorized along with default ACL. (Sriharsha via Jaimin)

Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/b69c3008
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/b69c3008
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/b69c3008

Branch: refs/heads/trunk
Commit: b69c3008a69c4578d43c1c9835935a26156c859f
Parents: def14eb
Author: Jaimin Jetly
Authored: Mon Jul 18 13:40:43 2016 -0700
Committer: Jaimin Jetly
Committed: Mon Jul 18 13:42:22 2016 -0700

----------------------------------------------------------------------
 .../STORM/1.0.1/configuration/storm-site.xml | 26 ++++++++++++++++++++
 .../common-services/STORM/1.0.1/kerberos.json | 2 ++
 .../stacks/HDP/2.5/services/stack_advisor.py | 15 ++++++++++-
 3 files changed, 42 insertions(+), 1 deletion(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/ambari/blob/b69c3008/ambari-server/src/main/resources/common-services/STORM/1.0.1/configuration/storm-site.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/STORM/1.0.1/configuration/storm-site.xml b/ambari-server/src/main/resources/common-services/STORM/1.0.1/configuration/storm-site.xml
index 19f984b..31daf75 100644
--- a/ambari-server/src/main/resources/common-services/STORM/1.0.1/configuration/storm-site.xml
+++ b/ambari-server/src/main/resources/common-services/STORM/1.0.1/configuration/storm-site.xml @@ -83,4 +83,30 @@ org.apache.storm.hack.StormShadeTransformer + + nimbus.impersonation.authorizer + + + To ensure only authorized users can perform impersonation you should start nimbus with nimbus.impersonation.authorizer set to org.apache.storm.security.auth.authorizer.ImpersonationAuthorizer. + A storm client may submit requests on behalf of another user. For example, if a userX submits an oozie workflow and as part of workflow execution if user oozie wants to submit a topology on behalf of userX it can do so by leveraging the impersonation feature.In order to submit topology as some other user , you can use StormSubmitter.submitTopologyAs API. Alternatively you can use NimbusClient.getConfiguredClientAs to get a nimbus client as some other user and perform any nimbus action(i.e. kill/rebalance/activate/deactivate) using this client. + + + + nimbus.impersonation.acl + + + The ImpersonationAuthorizer uses nimbus.impersonation.acl as the acl to authorize users. Following is a sample nimbus config for supporting impersonation: + nimbus.impersonation.acl: + impersonating_user1: + hosts: + [comma separated list of hosts from which impersonating_user1 is allowed to impersonate other users] + groups: + [comma separated list of groups whose users impersonating_user1 is allowed to impersonate] + impersonating_user2: + hosts: + [comma separated list of hosts from which impersonating_user2 is allowed to impersonate other users] + groups: + [comma separated list of groups whose users impersonating_user2 is allowed to impersonate] + + http://git-wip-us.apache.org/repos/asf/ambari/blob/b69c3008/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json b/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json index b88dd44..5a9f24c 100644 --- a/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json +++ b/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json @@ -40,6 +40,8 @@ "supervisor.enable": "true", "storm.zookeeper.superACL": "sasl:{{storm_bare_jaas_principal}}", "java.security.auth.login.config": "{{conf_dir}}/storm_jaas.conf", + "nimbus.impersonation.authorizer": "org.apache.storm.security.auth.authorizer.ImpersonationAuthorizer", + "nimbus.impersonation.acl": "{ {{storm_bare_jaas_principal}} : {hosts: ['*'], groups: ['*']}}", "nimbus.admins": "['{{storm_bare_jaas_principal}}']", "nimbus.supervisor.users": "['{{storm_bare_jaas_principal}}']", "ui.filter.params": "{'type': 'kerberos', 'kerberos.principal': '{{storm_ui_jaas_principal}}', 'kerberos.keytab': '{{storm_ui_keytab_path}}', 'kerberos.name.rules': 'DEFAULT'}" http://git-wip-us.apache.org/repos/asf/ambari/blob/b69c3008/ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py b/ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py index 0d12ffc..65c21fc 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py +++ b/ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py @@ -22,6 +22,7 @@ import traceback from resource_management.core.logger import Logger from resource_management.core.exceptions import Fail +from resource_management.libraries.functions.get_bare_principal import get_bare_principal class HDP25StackAdvisor(HDP24StackAdvisor): 
@@ -310,11 +311,23 @@ class HDP25StackAdvisor(HDP24StackAdvisor): "HBASE": self.recommendHBASEConfigurations, "HIVE": self.recommendHIVEConfigurations, "ATLAS": self.recommendAtlasConfigurations, - "RANGER_KMS": self.recommendRangerKMSConfigurations + "RANGER_KMS": self.recommendRangerKMSConfigurations, + "STORM": self.recommendStormConfigurations } parentRecommendConfDict.update(childRecommendConfDict) return parentRecommendConfDict + def recommendStormConfigurations(self, configurations, clusterData, services, hosts): + storm_site = getServicesSiteProperties(services, "storm-site") + putStormSiteProperty = self.putProperty(configurations, "storm-site", services) + security_enabled = (storm_site is not None and "storm.zookeeper.superACL" in storm_site) + if security_enabled: + _storm_principal_name = services['configurations']['storm-env']['properties']['storm_principal_name'] + storm_bare_jaas_principal = get_bare_principal(_storm_principal_name) + storm_nimbus_impersonation_acl = storm_site["nimbus.impersonation.acl"] + storm_nimbus_impersonation_acl.replace('{{storm_bare_jaas_principal}}', storm_bare_jaas_principal) + putStormSiteProperty('nimbus.impersonation.acl', storm_nimbus_impersonation_acl) + def recommendAtlasConfigurations(self, configurations, clusterData, services, hosts): putAtlasApplicationProperty = self.putProperty(configurations, "application-properties", services) putAtlasRangerPluginProperty = self.putProperty(configurations, "ranger-atlas-plugin-properties", services)
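Review bot: the description text added for nimbus.impersonation.authorizer in the storm-site.xml hunk has spacing typos that will be shown verbatim in the Ambari configuration UI: "impersonation feature.In order to submit topology as some other user , you can use" should read "impersonation feature. In order to submit a topology as another user, you can use". The nimbus.impersonation.acl description would also benefit from one sentence saying that each entry should list only the hosts and groups that impersonating user actually needs, since the ImpersonationAuthorizer authorizes exactly what the acl allows.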
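Review bot: the default added in the kerberos.json hunk, `"nimbus.impersonation.acl": "{ {{storm_bare_jaas_principal}} : {hosts: ['*'], groups: ['*']}}"`, lets the storm service principal impersonate members of any group from any host, which is the widest grant this acl can express. If the service principal only needs to act from the Nimbus hosts, restrict `hosts` to those; otherwise state in the commit message why a wildcard default is required so operators know it is meant to be tightened per cluster.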
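Review bot: in recommendStormConfigurations the template substitution is a no-op: `storm_nimbus_impersonation_acl.replace('{{storm_bare_jaas_principal}}', storm_bare_jaas_principal)` discards its return value because str.replace returns a new string, so putStormSiteProperty writes the unsubstituted `{{storm_bare_jaas_principal}}` placeholder back into storm-site. Assign the result: `storm_nimbus_impersonation_acl = storm_nimbus_impersonation_acl.replace('{{storm_bare_jaas_principal}}', storm_bare_jaas_principal)`. Separately, `storm_site["nimbus.impersonation.acl"]` and the nested `services['configurations']['storm-env']['properties']['storm_principal_name']` lookups raise KeyError when either property is absent (for example a storm-site that predates this descriptor change), which fails the whole recommendation call; use `.get()` with a guard so the recommendation is skipped cleanly instead.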