Configure User Impersonation and Isolation for Storm
As of Storm 0.10.0-1602, you can configure user impersonation and isolation on a secure cluster that uses Kerberos authentication. Configure user impersonation for Storm when you want the mapr user to submit jobs on behalf of another user. After you enable user impersonation for Storm, you can also configure isolation to submit a job as a user other than the mapr user.
Procedure
-
In the storm.yaml, add the following parameters to configure the Storm UI to use the AuthenticationFilter:
# UI Authentication
ui.filter: "org.apache.hadoop.security.authentication.server.AuthenticationFilter"
ui.filter.params: {'type': 'simple', 'user.name': 'mapr'}
-
In the storm.yaml, add the mapr user and the users that the mapr user will impersonate to a section named nimbus.users. For example:
nimbus.users:
  - "mapr"
  - "vagrant"
  - "mapruser1"
-
In the storm.yaml, add the groups that the mapr user will impersonate and the hosts where the impersonation will occur to a section named nimbus.impersonation.acl. Add one group for each user that you added in the previous step. For example:
nimbus.impersonation.acl:
  mapr:
    hosts: [localhost, 127.0.0.1, <hostname>]
    groups: [mapr,mapruser1,vagrant]
-
Change the permissions on the mapr keytab file.
sudo chmod a+x /opt/mapr/conf/mapr.keytab
-
Log in as one of the users that the mapr user will impersonate, and then create a Kerberos ticket for that user.
su <username>
kinit -kt /opt/mapr/conf/mapr.keytab -p mapr/<hostname>@<REALM>
-
Log into the cluster using the Kerberos ticket that you created.
maprlogin kerberos
-
Restart Storm services. See Manage Storm Services.
-
To verify that impersonation is configured correctly, perform the following steps:
-
After enabling user impersonation, if you want to enable isolation (run the job as the same user that submitted it, rather than as the mapr user), you can use the StormSubmitter.submitTopologyAs API. For example:
storm jar storm-isolation-test-1.0.jar storm.example.IsolationWordCountTopology isolation-topology vagrant
In the Storm UI, you will see that the owner of the submitted topology is the vagrant user.
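The following class is an added illustration, not code from the Storm project or from this guide, of how a topology main class can pass the user given on the command line (the vagrant argument in the storm jar command above) to StormSubmitter.submitTopologyAs. The package and class name are hypothetical, chosen to match the command above, and the imports assume the Storm 0.10 backtype.storm packages.

```java
package storm.example;  // hypothetical package, matching the storm jar command in the guide

import backtype.storm.Config;
import backtype.storm.StormSubmitter;
import backtype.storm.generated.SubmitOptions;
import backtype.storm.generated.TopologyInitialStatus;
import backtype.storm.testing.TestWordSpout;
import backtype.storm.topology.TopologyBuilder;

public class IsolationWordCountTopology {

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: IsolationWordCountTopology <topology-name> <as-user>");
            System.exit(1);
        }
        String topologyName = args[0];
        // The user the topology should be owned by (e.g. "vagrant"). Nimbus only accepts
        // this if the caller's principal (mapr) is allowed to impersonate that user's group
        // from this host under nimbus.impersonation.acl, and the user is in nimbus.users.
        String asUser = args[1];

        // Minimal topology: a single test spout emitting words (assumed sufficient to
        // demonstrate ownership in the Storm UI; a real word count would add bolts here).
        TopologyBuilder builder = new TopologyBuilder();
        builder.setSpout("words", new TestWordSpout(), 1);

        Config conf = new Config();
        conf.setNumWorkers(1);

        // Start the topology active as soon as it is accepted.
        SubmitOptions opts = new SubmitOptions(TopologyInitialStatus.ACTIVE);

        // The process itself authenticates as the mapr principal (kinit + maprlogin kerberos);
        // submitTopologyAs asks Nimbus to record asUser as the topology owner instead.
        // A null ProgressListener is accepted by the API (no upload progress callbacks).
        StormSubmitter.submitTopologyAs(topologyName, conf, builder.createTopology(),
                                        opts, null, asUser);
        System.out.println("Submitted " + topologyName + " as user " + asUser);
    }
}
```

If the ACL check fails, Nimbus rejects the submission with an AuthorizationException, which is the signal to re-check the hosts and groups entries in nimbus.impersonation.acl.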