Configure User Impersonation and Isolation for Storm

As of Storm 0.10.0-1602, you can configure user impersonation and isolation on a secure cluster that uses Kerberos authentication. Configure user impersonation for Storm when you want the mapr user to submit jobs on behalf of another user. After you enable user impersonation for Storm, you can also configure isolation to submit a job as a user other than the mapr user.

In the following procedure, the examples will include the steps to allow the mapr user to submit jobs on behalf of users: vagrant and mapruser1.
  1. In the storm.yaml, add the following parameter to configure the Storm UI to use the AuthenticationFilter:
    #UI Authentication
     ui.filter: "org.apache.hadoop.security.authentication.server.AuthenticationFilter"
     ui.filter.params: {'type': 'simple', 'user.name': 'mapr'}
    
  2. In the storm.yaml, add the mapr user and the users that the mapr user will impersonate to a section named nimbus.users.
    For example:
    nimbus.users:  
      - "mapr"
      - "vagrant"
      - "mapruser1"
    
  3. In the storm.yaml, add groups that the mapr user will impersonate and hosts where the impersonation will occur to a section named nimbus.impersonation.acl. Add one group for each user that you added in the previous step.
    For example:
    nimbus.impersonation.acl: 
      	   mapr:
           	  hosts:
                 	[localhost, 127.0.0.1, <hostname>]
            	 groups:
                	 [mapr,mapruser1,vagrant]
    
  4. Change the permissions on the mapr keytab file.
    sudo chmod a+x /opt/mapr/conf/mapr.keytab 
  5. Login as one of the users that the mapr user will impersonate and then create a kerberos ticket for that user.
    su <username>
    
    kinit -kt /opt/mapr/conf/mapr.keytab -p mapr/<hostname>@<REALM>
  6. Log into the cluster using the kerberos ticket that you created.
    maprlogin kerberos
  7. Restart Storm services. See Manage Storm Services
  8. To verify that impersonation is configure correctly, perform the following steps:
    1. Log in to Storm UI as a user that the mapr user can impersonate.
      http://<hostname>:<UI_port:/?user.name=<username>
    2. On the command line, login as the same user and submit a topology.
      For example:
      su mapruser1
      storm jar storm-starter-*.jar storm.starter.WorldCountTopology remote-topology 
         
      In Storm UI, you will see that the owner of the submitted topology is the mapr user.

Enable Isolation

  1. After enabling user impersonation, if you want to enable isolation (submit job as the same user that submitted the job), you can use the StormSubmitter.submitTopologyAs API.
    For example:
    storm jar storm-isolation-test-1.0.jar 
    storm.example.IsolationWordCountTopology isolation-topology vagrant
    In Storm UI, you will see that the owner of the submitted topology is the vagrant user.