Wednesday, May 31, 2017

Securing Apache Storm - part II

This is the second in a series of tutorials on securing Apache Storm. The first post looked at setting up a simple Storm cluster that authenticates users via Kerberos, and deploying a topology. Apache Storm also ships with a UI (and REST API) that can be used to download configuration, start/stop topologies, etc. This post looks at deploying the Storm UI using Kerberos, and accessing it via a REST client.

1) Configure the Apache Storm UI

The first step is to follow the previous tutorial to deploy the Apache Kerby KDC, to configure Apache Zookeeper, and to download and deploy Apache Storm (sections 1-3). Note that there is a bug in Kerby that is not yet fixed in the 1.0.0 release that you might run in to when using curl (see below), depending on whether the MIT libraries are installed or not. In additional to the principals listed in the last post, the Kerby deployment test for Storm also contains a principal for the Storm UI (HTTP/localhost@storm.apache.org).

Now edit 'conf/storm.yaml' and add the following properties:
  • ui.filter: "org.apache.hadoop.security.authentication.server.AuthenticationFilter"
  •  ui.filter.params:
    • "type": "kerberos"
    • "kerberos.principal": "HTTP/localhost@storm.apache.org"
    • "kerberos.keytab": "/path.to.kerby.project/target/http.keytab"
    • "kerberos.name.rules": "RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/$MAPRED_USER/ RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/$HDFS_USER/DEFAULT"
Start the UI with:
  • bin/storm ui
2) Invoke on the Storm UI REST API

We will invoke on the Storm UI REST API using "curl" on the command line. This can be done as follows:
  • export KRB5_CONFIG=/path.to.kerby.project/target/krb5.conf
  • kinit -k -t /path.to.kerby.project/target/alice.keytab alice
  • curl --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt http://localhost:8080/api/v1/cluster/configuration
You should see the cluster configuration in JSON format if the call is successful.

1 comment: