Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Won't Fix
- Affects Version/s: 1.1.1
- Fix Version/s: None
- Component/s: None
- all
Description
When using https with the Storm UI, it ignores the value of ui.host, and binds to 0.0.0.0.
Starting with this config:
storm.local.dir: "/opt/storm"
storm.zookeeper.servers:
  - "bigstorm.porcupineracing.com"
nimbus.seeds: ["bigstorm.porcupineracing.com"]
nimbus.childopts: "-Xmx1024m -Djava.security.auth.login.config=/keytabs/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf"
ui.childopts: "-Xmx768m -Djava.security.auth.login.config=/keytabs/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf"
supervisor.childopts: "-Xmx768m -Djava.security.auth.login.config=/keytabs/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf"
storm.thrift.transport: "org.apache.storm.security.auth.kerberos.KerberosSaslTransportPlugin"
java.security.auth.login.config: "/keytabs/jaas.conf"
storm.zookeeper.superACL: "sasl:storm@PORCUPINERACING.COM"
ui.host: 127.0.0.1
nimbus.authorizer: "org.apache.storm.security.auth.authorizer.SimpleACLAuthorizer"
nimbus.admins:
  - "storm/bigstorm.porcupineracing.com@PORCUPINERACING.COM"
  - "storm@PORCUPINERACING.COM"
  - "storm"
nimbus.supervisor.users:
  - "storm/bigstorm.porcupineracing.com@PORCUPINERACING.COM"
  - "storm@PORCUPINERACING.COM"
  - "storm"
nimbus.users:
  - "steven.miller"
  - "steven.miller@PORCUPINERACING.COM"
I can start the UI and verify using lsof that it's only listening on localhost:
[root@bigstorm bin]# ps axuww | grep ui.core
root 5080 0.1 5.6 2850232 217688 pts/1 Sl Sep14 1:31 java -server -Ddaemon.name=ui -Dstorm.options= -Dstorm.home=/opt/apache-storm-1.1.1 -Dstorm.log.dir=/opt/apache-storm-1.1.1/logs -Djava.library.path=/usr/local/lib:/opt/local/lib:/usr/lib -Dstorm.conf.file= -cp /opt/apache-storm-1.1.1/lib/asm-5.0.3.jar:/opt/apache-storm-1.1.1/lib/clojure-1.7.0.jar:/opt/apache-storm-1.1.1/lib/disruptor-3.3.2.jar:/opt/apache-storm-1.1.1/lib/kryo-3.0.3.jar:/opt/apache-storm-1.1.1/lib/log4j-api-2.8.2.jar:/opt/apache-storm-1.1.1/lib/log4j-core-2.8.2.jar:/opt/apache-storm-1.1.1/lib/log4j-over-slf4j-1.6.6.jar:/opt/apache-storm-1.1.1/lib/log4j-slf4j-impl-2.8.2.jar:/opt/apache-storm-1.1.1/lib/minlog-1.3.0.jar:/opt/apache-storm-1.1.1/lib/objenesis-2.1.jar:/opt/apache-storm-1.1.1/lib/reflectasm-1.10.1.jar:/opt/apache-storm-1.1.1/lib/ring-cors-0.1.5.jar:/opt/apache-storm-1.1.1/lib/servlet-api-2.5.jar:/opt/apache-storm-1.1.1/lib/slf4j-api-1.7.21.jar:/opt/apache-storm-1.1.1/lib/storm-core-1.1.1.jar:/opt/apache-storm-1.1.1/lib/storm-rename-hack-1.1.1.jar:/opt/apache-storm-1.1.1:/opt/apache-storm-default/conf -Xmx768m -Djava.security.auth.login.config=/keytabs/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf -Dlogfile.name=ui.log -DLog4jContextSelector=org.apache.logging.log4j.core.async.AsyncLoggerContextSelector -Dlog4j.configurationFile=/opt/apache-storm-1.1.1/log4j2/cluster.xml org.apache.storm.ui.core
root 19913 0.0 0.0 112648 972 pts/1 R+ 09:26 0:00 grep --color=auto ui.core
[root@bigstorm bin]# lsof -p 5080 -P | grep LISTEN
java 5080 root 27u IPv6 597116 0t0 TCP localhost:8080 (LISTEN)
Now if I add the https config:
ui.https.host: "localhost"
ui.https.port: 8443
ui.https.keystore.type: "jks"
ui.https.keystore.path: "/keytabs/keystore.jks"
ui.https.keystore.password: "sooper-sekrit"
ui.https.key.password: "sooper-sekrit"
and I restart the UI, I can see that it's listening on *:8443:
[root@bigstorm bin]# ps axuww | grep ui.core
root 19921 17.2 5.4 2849188 210896 pts/1 Sl 09:26 0:04 java -server -Ddaemon.name=ui -Dstorm.options= -Dstorm.home=/opt/apache-storm-1.1.1 -Dstorm.log.dir=/opt/apache-storm-1.1.1/logs -Djava.library.path=/usr/local/lib:/opt/local/lib:/usr/lib -Dstorm.conf.file= -cp /opt/apache-storm-1.1.1/lib/asm-5.0.3.jar:/opt/apache-storm-1.1.1/lib/clojure-1.7.0.jar:/opt/apache-storm-1.1.1/lib/disruptor-3.3.2.jar:/opt/apache-storm-1.1.1/lib/kryo-3.0.3.jar:/opt/apache-storm-1.1.1/lib/log4j-api-2.8.2.jar:/opt/apache-storm-1.1.1/lib/log4j-core-2.8.2.jar:/opt/apache-storm-1.1.1/lib/log4j-over-slf4j-1.6.6.jar:/opt/apache-storm-1.1.1/lib/log4j-slf4j-impl-2.8.2.jar:/opt/apache-storm-1.1.1/lib/minlog-1.3.0.jar:/opt/apache-storm-1.1.1/lib/objenesis-2.1.jar:/opt/apache-storm-1.1.1/lib/reflectasm-1.10.1.jar:/opt/apache-storm-1.1.1/lib/ring-cors-0.1.5.jar:/opt/apache-storm-1.1.1/lib/servlet-api-2.5.jar:/opt/apache-storm-1.1.1/lib/slf4j-api-1.7.21.jar:/opt/apache-storm-1.1.1/lib/storm-core-1.1.1.jar:/opt/apache-storm-1.1.1/lib/storm-rename-hack-1.1.1.jar:/opt/apache-storm-1.1.1:/opt/apache-storm-default/conf -Xmx768m -Djava.security.auth.login.config=/keytabs/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf -Dlogfile.name=ui.log -DLog4jContextSelector=org.apache.logging.log4j.core.async.AsyncLoggerContextSelector -Dlog4j.configurationFile=/opt/apache-storm-1.1.1/log4j2/cluster.xml org.apache.storm.ui.core
root 20018 0.0 0.0 112648 968 pts/1 R+ 09:27 0:00 grep --color=auto ui.core
[root@bigstorm bin]# lsof -p 19921 -P | grep LISTEN
java 19921 root 38u IPv6 677914 0t0 TCP *:8443 (LISTEN)
I have a situation in which I'm trying to limit access to the UI on a per-user basis. The UI seems, as far as I can tell, only to support limiting access to users with valid Kerberos tickets (which is everyone here), so I was trying to put a proxy in front of the UI and run it just on localhost, and rely on the proxy to do the authentication.
This bug means that if I was to do that, I'd have to run the UI without https, which means that people's credentials would be bouncing around in the clear (again, as far as I can tell; I tcpdumped that and I could see, say, storm@PORCUPINERACING.COM in the base64 decode of the Authorization: HTTP header, at least, which I figure was a bad sign).
I looked at the code and didn't see anything obvious, but since I don't know Clojure or Netty, it was probably staring me in the face. But if you could fix this, that'd be awesome, and it'd let me secure this in a way that I'd find much more reassuring. Thanks!
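The lsof check in the description above is the right way to catch this class of misconfiguration (a daemon that was told to bind loopback but actually listens on every interface), and it is worth automating so a restart or a config change cannot silently regress it. The following is an added example, not code from the issue reporter or from the Storm project. It parses lines in the format that `lsof -P` prints for LISTEN sockets (the ninth column is `ADDR:PORT`, with `*`, `0.0.0.0` or `[::]` meaning all interfaces, and `localhost`, `127.x`, `[::1]` meaning loopback) and fails when any listener is wildcard-bound. The function names, and the sample lines fed to it, are constructed for this example; `audit_pid` assumes `lsof` is installed and that you can read the target process's file table (run as root or as the daemon's user).

```shell
#!/usr/bin/env bash
# Added example: flag daemon listeners bound to a wildcard address.
# Input format is that of `lsof -nP -p PID -a -iTCP -sTCP:LISTEN`, e.g.
#   java 5080 root 27u IPv6 597116 0t0 TCP 127.0.0.1:8080 (LISTEN)
# The `lsof -P` form without -n (address shown as "localhost") is also handled.

# bind_addr LINE -> prints the address part of the NAME column (everything
# before the last ':'), so "[::1]:8080" yields "[::1]" and "*:8443" yields "*".
bind_addr() {
  local name
  name=$(printf '%s\n' "$1" | awk '{print $9}')
  printf '%s\n' "${name%:*}"
}

# is_wildcard ADDR -> success if ADDR means "all interfaces"
is_wildcard() {
  case "$1" in
    '*'|0.0.0.0|'[::]'|::) return 0 ;;
    *) return 1 ;;
  esac
}

# is_loopback ADDR -> success if ADDR is a loopback address or its usual name
is_loopback() {
  case "$1" in
    localhost|ip6-localhost|127.*|'[::1]'|::1) return 0 ;;
    *) return 1 ;;
  esac
}

# classify_listener LINE -> prints "wildcard", "loopback" or "specific"
classify_listener() {
  local addr
  addr=$(bind_addr "$1")
  if is_wildcard "$addr"; then
    echo wildcard
  elif is_loopback "$addr"; then
    echo loopback
  else
    echo specific
  fi
}

# audit_listen_lines reads lsof lines on stdin, prints "STATUS PORT ADDR" for
# each LISTEN socket, and returns 1 if any of them is wildcard-bound.
audit_listen_lines() {
  local rc=0 line name addr port status
  while IFS= read -r line; do
    case "$line" in *LISTEN*) ;; *) continue ;; esac
    name=$(printf '%s\n' "$line" | awk '{print $9}')
    addr=${name%:*}
    port=${name##*:}
    status=$(classify_listener "$line")
    printf '%s %s %s\n' "$status" "$port" "$addr"
    if [ "$status" = wildcard ]; then rc=1; fi
  done
  return "$rc"
}

# audit_pid PID -> audits a live process; exit status 1 means an exposed listener.
# Example (pid from `ps axuww | grep ui.core`): audit_pid 19921
audit_pid() {
  lsof -nP -p "$1" -a -iTCP -sTCP:LISTEN 2>/dev/null | audit_listen_lines
}
```

Run `audit_pid` against the UI process after every restart; on the two outputs quoted in the description it reports `loopback 8080 localhost` for the plain-HTTP run and `wildcard 8443 *` (exit status 1) for the HTTPS run, which is exactly the regression the reporter is describing. Note that the address shown by `lsof` is what the socket is bound to, not what the config asked for, so this check catches the bug regardless of which config key the daemon honoured.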