
Example 1 with NimbusClient

Use of org.apache.storm.utils.NimbusClient in project storm by apache.

Class AuthTest, method simpleAuthTest.

@Test
public void simpleAuthTest() throws Exception {
    Nimbus.Iface impl = mock(Nimbus.Iface.class);
    withServer(SimpleTransportPlugin.class, impl, (ThriftServer server, Map<String, Object> conf) -> {
        try (NimbusClient client = new NimbusClient(conf, "localhost", server.getPort(), NIMBUS_TIMEOUT)) {
            client.getClient().activate("security_auth_test_topology");
        }
        // Verify that a client configured for DIGEST SASL is rejected by the server,
        // which was started with SimpleTransportPlugin.
        Map<String, Object> badConf = new HashMap<>(conf);
        badConf.put(Config.STORM_THRIFT_TRANSPORT_PLUGIN, DigestSaslTransportPlugin.class.getName());
        badConf.put("java.security.auth.login.config", DIGEST_JAAS_CONF);
        badConf.put(Config.STORM_NIMBUS_RETRY_TIMES, 0);
        try (NimbusClient client = new NimbusClient(badConf, "localhost", server.getPort(), NIMBUS_TIMEOUT)) {
            client.getClient().activate("bad_security_auth_test_topology");
            fail("An exception should have been thrown trying to connect.");
        } catch (Exception te) {
            LOG.info("Got Exception...", te);
            // Use a JUnit assertion: the Java assert keyword is skipped when the JVM runs without -ea.
            assertTrue(Utils.exceptionCauseIsInstanceOf(TTransportException.class, te));
        }
    });
    verify(impl).activate("security_auth_test_topology");
    verify(impl, never()).activate("bad_security_auth_test_topology");
}
Also used: DigestSaslTransportPlugin (org.apache.storm.security.auth.digest.DigestSaslTransportPlugin), HashMap (java.util.HashMap), Nimbus (org.apache.storm.generated.Nimbus), NimbusClient (org.apache.storm.utils.NimbusClient), Map (java.util.Map), PrivilegedActionException (java.security.PrivilegedActionException), IOException (java.io.IOException), TTransportException (org.apache.storm.thrift.transport.TTransportException), Test (org.junit.Test)

Example 2 with NimbusClient

Use of org.apache.storm.utils.NimbusClient in project storm by apache.

Class AuthorizedUserFilter, method filter.

@Override
public void filter(ContainerRequestContext containerRequestContext) {
    AuthNimbusOp annotation = resourceInfo.getResourceMethod().getAnnotation(AuthNimbusOp.class);
    if (annotation == null) {
        return;
    }
    String op = annotation.value();
    if (op == null) {
        return;
    }
    Map topoConf = null;
    if (annotation.needsTopoId()) {
        final String topoId = containerRequestContext.getUriInfo().getPathParameters().get("id").get(0);
        try (NimbusClient nimbusClient = NimbusClient.getConfiguredClient(conf)) {
            topoConf = (Map) JSONValue.parse(nimbusClient.getClient().getTopologyConf(topoId));
        } catch (AuthorizationException ae) {
            LOG.error("Nimbus isn't allowing {} to access the topology conf of {}. {}", ReqContext.context(), topoId, ae.get_msg());
            containerRequestContext.abortWith(makeResponse(ae, containerRequestContext, 403));
            return;
        } catch (TException e) {
            LOG.error("Unable to fetch topo conf for {} due to ", topoId, e);
            containerRequestContext.abortWith(makeResponse(new IOException("Unable to fetch topo conf for topo id " + topoId, e), containerRequestContext, 500));
            return;
        }
    }
    ReqContext reqContext = ReqContext.context();
    if (reqContext.isImpersonating()) {
        if (uiImpersonationHandler != null) {
            // An impersonation authorizer is configured: reject the request unless it permits the operation.
            if (!uiImpersonationHandler.permit(reqContext, op, topoConf)) {
                Principal realPrincipal = reqContext.realPrincipal();
                Principal principal = reqContext.principal();
                String user = "unknown";
                if (principal != null) {
                    user = principal.getName();
                }
                String realUser = "unknown";
                if (realPrincipal != null) {
                    realUser = realPrincipal.getName();
                }
                InetAddress remoteAddress = reqContext.remoteAddress();
                containerRequestContext.abortWith(makeResponse(new AuthorizationException("user '" + realUser + "' is not authorized to impersonate user '" + user + "' from host '" + remoteAddress.toString() + "'. Please see SECURITY.MD to learn how to configure impersonation ACL."), containerRequestContext, 401));
                return;
            }
        } else {
            // No impersonation authorizer is configured, so the impersonation is not checked here; log the gap.
            LOG.warn(" principal {} is trying to impersonate {} but {} has no authorizer configured. " + "This is a potential security hole. Please see SECURITY.MD to learn how to " + "configure an impersonation authorizer.", reqContext.realPrincipal().toString(), reqContext.principal().toString(), conf.get(DaemonConfig.NIMBUS_IMPERSONATION_AUTHORIZER));
        }
    }
    if (uiAclHandler != null) {
        if (!uiAclHandler.permit(reqContext, op, topoConf)) {
            Principal principal = reqContext.principal();
            String user = "unknown";
            if (principal != null) {
                user = principal.getName();
            }
            containerRequestContext.abortWith(makeResponse(new AuthorizationException("UI request '" + op + "' for '" + user + "' user is not authorized"), containerRequestContext, 403));
            return;
        }
    }
}
Also used: TException (org.apache.storm.thrift.TException), AuthorizationException (org.apache.storm.generated.AuthorizationException), NimbusClient (org.apache.storm.utils.NimbusClient), IOException (java.io.IOException), ReqContext (org.apache.storm.security.auth.ReqContext), AuthNimbusOp (org.apache.storm.daemon.ui.resources.AuthNimbusOp), Map (java.util.Map), InetAddress (java.net.InetAddress), Principal (java.security.Principal)

Example 3 with NimbusClient

Use of org.apache.storm.utils.NimbusClient in project storm by apache.

Class UploadCredentials, method main.

/**
 * Uploads credentials for a topology.
 * @param args To accept topology name.
 * @throws Exception on errors.
 */
public static void main(String[] args) throws Exception {
    Map<String, Object> cl = CLI.opt("f", "file", null).opt("u", "user", null).boolOpt("e", "exception-when-empty").arg("topologyName", CLI.FIRST_WINS).optionalArg("rawCredentials", CLI.INTO_LIST).parse(args);
    String credentialFile = (String) cl.get("f");
    List<String> rawCredentials = (List<String>) cl.get("rawCredentials");
    String topologyName = (String) cl.get("topologyName");
    Utils.validateTopologyName(topologyName);
    if (null != rawCredentials && ((rawCredentials.size() % 2) != 0)) {
        throw new RuntimeException("Need an even number of arguments to make a map");
    }
    Map<String, String> credentialsMap = new HashMap<>();
    if (null != credentialFile) {
        Properties credentialProps = new Properties();
        // Close the credentials file as soon as it has been read.
        try (FileReader reader = new FileReader(credentialFile)) {
            credentialProps.load(reader);
        }
        for (Map.Entry<Object, Object> credentialProp : credentialProps.entrySet()) {
            credentialsMap.put((String) credentialProp.getKey(), (String) credentialProp.getValue());
        }
    }
    if (null != rawCredentials) {
        for (int i = 0; i < rawCredentials.size(); i += 2) {
            credentialsMap.put(rawCredentials.get(i), rawCredentials.get(i + 1));
        }
    }
    Map<String, Object> topologyConf = new HashMap<>();
    // Try to get the topology conf from nimbus, so we can reuse it.
    try (NimbusClient nc = NimbusClient.getConfiguredClient(new HashMap<>())) {
        Nimbus.Iface client = nc.getClient();
        TopologySummary topo = client.getTopologySummaryByName(topologyName);
        // We found the topology, lets get the conf
        String topologyId = topo.get_id();
        topologyConf = (Map<String, Object>) JSONValue.parse(client.getTopologyConf(topologyId));
        LOG.info("Using topology conf from {} as basis for getting new creds", topologyId);
        Map<String, Object> commandLine = Utils.readCommandLineOpts();
        List<String> clCreds = (List<String>) commandLine.get(Config.TOPOLOGY_AUTO_CREDENTIALS);
        List<String> topoCreds = (List<String>) topologyConf.get(Config.TOPOLOGY_AUTO_CREDENTIALS);
        if (clCreds != null) {
            Set<String> extra = new HashSet<>(clCreds);
            if (topoCreds != null) {
                extra.removeAll(topoCreds);
            }
            if (!extra.isEmpty()) {
                LOG.warn("The topology {} is not using {} but they were included here.", topologyId, extra);
            }
            // command line is used.
            if (topoCreds != null) {
                Set<String> missing = new HashSet<>(topoCreds);
                missing.removeAll(clCreds);
                if (!missing.isEmpty()) {
                    LOG.warn("The topology {} is using {} but they were not included here.", topologyId, missing);
                }
            }
        }
    }
    // use the local setting for the login config rather than the topology's
    topologyConf.remove("java.security.auth.login.config");
    boolean throwExceptionForEmptyCreds = (boolean) cl.get("e");
    boolean hasCreds = StormSubmitter.pushCredentials(topologyName, topologyConf, credentialsMap, (String) cl.get("u"));
    if (!hasCreds && throwExceptionForEmptyCreds) {
        String message = "No credentials were uploaded for " + topologyName;
        LOG.error(message);
        throw new RuntimeException(message);
    }
    LOG.info("Uploaded new creds to topology: {}", topologyName);
}
Also used: HashMap (java.util.HashMap), NimbusClient (org.apache.storm.utils.NimbusClient), Properties (java.util.Properties), List (java.util.List), FileReader (java.io.FileReader), Nimbus (org.apache.storm.generated.Nimbus), TopologySummary (org.apache.storm.generated.TopologySummary), Map (java.util.Map), HashSet (java.util.HashSet)

Example 4 with NimbusClient

Use of org.apache.storm.utils.NimbusClient in project storm by apache.

Class SynchronizeAssignments, method getAssignmentsFromMaster.

/**
 * Used by {@link Supervisor} to fetch assignments at startup.
 * @param conf config
 * @param clusterState {@link IStormClusterState}
 * @param node id of node
 */
public void getAssignmentsFromMaster(Map conf, IStormClusterState clusterState, String node) {
    if (ConfigUtils.isLocalMode(conf)) {
        try {
            List<SupervisorAssignments> supervisorAssignmentsList = getAllAssignmentsFromNumaSupervisors(this.supervisor.getLocalNimbus(), node);
            assignedAssignmentsToLocal(clusterState, supervisorAssignmentsList);
        } catch (TException e) {
            LOG.error("Get assignments from local master exception", e);
        }
    } else {
        try (NimbusClient master = NimbusClient.getConfiguredClient(conf)) {
            List<SupervisorAssignments> supervisorAssignmentsList = getAllAssignmentsFromNumaSupervisors(master.getClient(), node);
            LOG.debug("Sync an assignments from master, will start to sync with assignments: {}", supervisorAssignmentsList);
            assignedAssignmentsToLocal(clusterState, supervisorAssignmentsList);
        } catch (Exception t) {
            LOG.error("Get assignments from master exception", t);
        }
    }
}
Also used: TException (org.apache.storm.thrift.TException), NimbusClient (org.apache.storm.utils.NimbusClient), SupervisorAssignments (org.apache.storm.generated.SupervisorAssignments)

Example 5 with NimbusClient

Use of org.apache.storm.utils.NimbusClient in project storm by apache.

Class CaptureLoad, method main.

/**
 * Main entry point for CaptureLoad command.
 * @param args the arguments to the command
 * @throws Exception on any error
 */
public static void main(String[] args) throws Exception {
    Options options = new Options();
    options.addOption(Option.builder("a").longOpt("anonymize").desc("Strip out any possibly identifiable information").build());
    options.addOption(Option.builder("o").longOpt("output-dir").argName("<file>").hasArg().desc("Where to write (defaults to " + DEFAULT_OUT_DIR + ")").build());
    options.addOption(Option.builder("h").longOpt("help").desc("Print a help message").build());
    CommandLineParser parser = new DefaultParser();
    CommandLine cmd = null;
    boolean printHelp = false;
    try {
        cmd = parser.parse(options, args);
    } catch (ParseException e) {
        System.err.println("ERROR " + e.getMessage());
        printHelp = true;
    }
    if (printHelp || cmd.hasOption('h')) {
        new HelpFormatter().printHelp("CaptureLoad [options] [topologyName]*", options);
        return;
    }
    Config conf = new Config();
    int exitStatus = -1;
    String outputDir = DEFAULT_OUT_DIR;
    if (cmd.hasOption('o')) {
        outputDir = cmd.getOptionValue('o');
    }
    File baseOut = new File(outputDir);
    LOG.info("Will save captured topologies to {}", baseOut);
    baseOut.mkdirs();
    try (NimbusClient nc = NimbusClient.getConfiguredClient(conf)) {
        Nimbus.Iface client = nc.getClient();
        List<String> topologyNames = cmd.getArgList();
        for (TopologySummary topologySummary : client.getTopologySummaries()) {
            if (topologyNames.isEmpty() || topologyNames.contains(topologySummary.get_name())) {
                TopologyLoadConf capturedConf = captureTopology(client, topologySummary);
                if (cmd.hasOption('a')) {
                    capturedConf = capturedConf.anonymize();
                }
                capturedConf.writeTo(new File(baseOut, capturedConf.name + ".yaml"));
            }
        }
        exitStatus = 0;
    } catch (Exception e) {
        LOG.error("Error trying to capture topologies...", e);
    } finally {
        System.exit(exitStatus);
    }
}
Also used: Options (org.apache.commons.cli.Options), Config (org.apache.storm.Config), NimbusClient (org.apache.storm.utils.NimbusClient), ParseException (org.apache.commons.cli.ParseException), HelpFormatter (org.apache.commons.cli.HelpFormatter), CommandLine (org.apache.commons.cli.CommandLine), Nimbus (org.apache.storm.generated.Nimbus), CommandLineParser (org.apache.commons.cli.CommandLineParser), TopologySummary (org.apache.storm.generated.TopologySummary), File (java.io.File), DefaultParser (org.apache.commons.cli.DefaultParser)
