storm-dev mailing list archives

From "Raghavendra Nandagopal (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (STORM-348) (Security) Netty SASL Authentication
Date Tue, 22 Jul 2014 23:12:40 GMT

    [ https://issues.apache.org/jira/browse/STORM-348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14071100#comment-14071100 ]

Raghavendra Nandagopal commented on STORM-348:
----------------------------------------------

The log below shows the authentication between the client and server worker processes.

{code}
2014-07-22 16:00:02 b.s.m.n.SaslStormServerHandler [DEBUG] SASL credentials is the storm user name: raghav@TESTKERBEROS.COM
2014-07-22 16:00:03 b.s.m.n.SaslStormServerHandler [DEBUG] messageReceived: Got class backtype.storm.messaging.netty.ControlMessage
2014-07-22 16:00:03 b.s.m.n.SaslStormServerHandler [DEBUG] No saslNettyServer for [id: 0x1b237a4c, /127.0.0.1:50718 => /127.0.0.1:6700] yet; creating now, with topology token:
2014-07-22 16:00:03 b.s.m.n.SaslNettyServer [DEBUG] SaslNettyServer: Topology token is: raghav@TESTKERBEROS.COM with authmethod DIGEST-MD5
2014-07-22 16:00:03 b.s.m.n.SaslNettyServer [DEBUG] SaslDigestCallback: Creating SaslDigestCallback handler with topology token: raghav@TESTKERBEROS.COM
2014-07-22 16:00:03 b.s.m.n.SaslStormServerHandler [DEBUG] processToken:  With nettyServer: backtype.storm.messaging.netty.SaslNettyServer@30926bd7 and token length: 20
2014-07-22 16:00:03 b.s.m.n.SaslStormClientHandler [DEBUG] send/recv time (ms): 507
2014-07-22 16:00:03 b.s.m.n.SaslStormClientHandler [DEBUG] Responding to server's token of length: 97
2014-07-22 16:00:03 b.s.m.n.SaslNettyServer [DEBUG] response: Responding to input token of length: 0
2014-07-22 16:00:03 b.s.m.n.SaslNettyServer [DEBUG] response: Response token length: 97
2014-07-22 16:00:03 b.s.m.n.SaslNettyClient [DEBUG] handle: SASL client callback: setting username: bXNzQFRFU1RLRVJCRVJPUy5DT00=
2014-07-22 16:00:03 b.s.m.n.SaslNettyClient [DEBUG] handle: SASL client callback: setting userPassword
2014-07-22 16:00:03 b.s.m.n.SaslNettyClient [DEBUG] handle: SASL client callback: setting realm: default
2014-07-22 16:00:03 b.s.m.n.SaslStormClientHandler [DEBUG] Response to server token has length:270
2014-07-22 16:00:03 b.s.m.n.SaslStormClientHandler [DEBUG] send/recv time (ms): 533
2014-07-22 16:00:03 b.s.m.n.SaslStormClientHandler [DEBUG] Responding to server's token of length: 40
2014-07-22 16:00:03 b.s.m.n.SaslStormClientHandler [DEBUG] Response to server is null: authentication should now be complete.
2014-07-22 16:00:03 b.s.m.n.SaslStormClientHandler [DEBUG] send/recv time (ms): 533
2014-07-22 16:00:03 b.s.m.n.SaslStormClientHandler [DEBUG] Server has sent us the SaslComplete message. Allowing normal work to proceed.
2014-07-22 16:00:03 b.s.m.n.SaslStormServerHandler [DEBUG] messageReceived: Got class backtype.storm.messaging.netty.SaslMessageToken
2014-07-22 16:00:03 b.s.m.n.SaslNettyServer [DEBUG] response: Responding to input token of length: 270
2014-07-22 16:00:03 b.s.m.n.SaslNettyServer [DEBUG] handle: SASL server DIGEST-MD5 callback: setting username for client: raghav@TESTKERBEROS.COM
2014-07-22 16:00:03 b.s.m.n.SaslNettyServer [DEBUG] handle: SASL server DIGEST-MD5 callback: setting password for client: raghav@TESTKERBEROS.COM
2014-07-22 16:00:03 b.s.m.n.SaslNettyServer [DEBUG] handle: SASL server DIGEST-MD5 callback: setting canonicalized client ID: raghav@TESTKERBEROS.COM
2014-07-22 16:00:03 b.s.m.n.SaslNettyServer [DEBUG] response: Response token length: 40
2014-07-22 16:00:03 b.s.m.n.SaslStormServerHandler [DEBUG] SASL authentication is complete for client with username: bXNzQFRFU1RLRVJCRVJPUy5DT00=
2014-07-22 16:00:03 b.s.m.n.SaslStormServerHandler [DEBUG] Removing SaslServerHandler from pipeline since SASL authentication is complete.
2014-07-22 16:00:03 b.s.m.n.SaslStormServerHandler [DEBUG] messageReceived: authenticated client: bXNzQFRFU1RLRVJCRVJPUy5DT00= is authorized to do request on server.
2014-07-22 16:00:03 b.s.m.n.SaslStormServerHandler [DEBUG] messageReceived: authenticated client: bXNzQFRFU1RLRVJCRVJPUy5DT00= is authorized to do request on server.
2014-07-22 16:00:03 b.s.m.n.SaslStormServerHandler [DEBUG] messageReceived: authenticated client: bXNzQFRFU1RLRVJCRVJPUy5DT00= is authorized to do request on server.
2014-07-22 16:00:03 b.s.m.n.SaslStormServerHandler [DEBUG] messageReceived: authenticated client: bXNzQFRFU1RLRVJCRVJPUy5DT00= is authorized to do request on server.
{code}

> (Security) Netty SASL Authentication
> ------------------------------------
>
>                 Key: STORM-348
>                 URL: https://issues.apache.org/jira/browse/STORM-348
>             Project: Apache Storm (Incubating)
>          Issue Type: Bug
>            Reporter: Robert Joseph Evans
>            Assignee: Raghavendra Nandagopal
>              Labels: security
>         Attachments: Storm-Netty Authentication.pdf
>
>
> Currently the Netty transport does no authentication at all.  You can encrypt the tuples
> being sent, but that is a huge performance hit for many cases that do not need it.  We should
> support simple SASL authentication when Netty first connects to an external process.  We probably
> want to use something similar to what we do for ZK, and generate a random secret for each
> topology.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
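
An added example, not part of the original message or of Storm's code: a small audit over server-side debug lines in the format shown in the log above. It rejoins records that a mail archive wrapped, decodes the base64 username the handlers log, and flags any "authorized" request logged before the "SASL authentication is complete" line for that username. The sample lines and the principal alice@EXAMPLE.COM are constructed, and tracking by username rather than by channel is an assumption forced by what the log lines contain.

```python
import base64
import re

TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
COMPLETE = re.compile(r"SASL authentication is complete for client with username: (\S+)")
AUTHORIZED = re.compile(r"authenticated client: (\S+) is authorized to do request")

def unwrap(text):
    """Rejoin wrapped records: a line without a leading timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records

def decode_user(b64):
    """The handlers log the SASL username base64-encoded; decode it for the report."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8")
    except ValueError:
        return b64  # not valid base64/UTF-8: report the value as logged

def audit(text):
    """Return (requests per decoded user, findings about requests seen before completion)."""
    completed, counts, findings = set(), {}, []
    for rec in unwrap(text):
        if m := COMPLETE.search(rec):
            completed.add(m.group(1))
        elif m := AUTHORIZED.search(rec):
            user = decode_user(m.group(1))
            if m.group(1) not in completed:
                findings.append(f"request from {user} authorized before SASL completion")
            counts[user] = counts.get(user, 0) + 1
    return counts, findings

# Constructed sample lines (wrapped the way the archive wraps them), not from a real run.
USER = base64.b64encode(b"alice@EXAMPLE.COM").decode()
P = "2014-07-22 16:00:03 b.s.m.n.SaslStormServerHandler [DEBUG] "
SAMPLE_OK = (
    f"{P}SASL authentication is complete\nfor client with username: {USER}\n"
    f"{P}Removing SaslServerHandler from\npipeline since SASL authentication is complete.\n"
    f"{P}messageReceived: authenticated\nclient: {USER} is authorized to do request on server.\n"
    f"{P}messageReceived: authenticated\nclient: {USER} is authorized to do request on server.\n"
)
SAMPLE_BAD = f"{P}messageReceived: authenticated\nclient: {USER} is authorized to do request on server.\n"

if __name__ == "__main__":
    print(audit(SAMPLE_OK), audit(SAMPLE_BAD))
```

Base64 is an encoding, not redaction, so the decoded principal is readable by anyone with access to these debug logs.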
