Uploaded image for project: 'Apache Storm'
  1. Apache Storm
  2. STORM-2739

Storm UI fails to bind to ui.host when using https

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.1.1
    • Fix Version/s: None
    • Component/s: storm-ui
    • Labels:
      None
    • Environment:
      all

      Description

      When using https with the Storm UI, it ignores the value of ui.host, and binds to 0.0.0.0.

      Starting with this config:

      storm.local.dir: "/opt/storm"
      storm.zookeeper.servers:
          - "bigstorm.porcupineracing.com"
      nimbus.seeds: ["bigstorm.porcupineracing.com"]
      nimbus.childopts: "-Xmx1024m -Djava.security.auth.login.config=/keytabs/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf"
      ui.childopts: "-Xmx768m -Djava.security.auth.login.config=/keytabs/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf"
      supervisor.childopts: "-Xmx768m -Djava.security.auth.login.config=/keytabs/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf"
      storm.thrift.transport: "org.apache.storm.security.auth.kerberos.KerberosSaslTransportPlugin"
      java.security.auth.login.config: "/keytabs/jaas.conf"
      storm.zookeeper.superACL: "sasl:storm@PORCUPINERACING.COM"
      
      ui.host: 127.0.0.1
      
      nimbus.authorizer: "org.apache.storm.security.auth.authorizer.SimpleACLAuthorizer"
      nimbus.admins:
        - "storm/bigstorm.porcupineracing.com@PORCUPINERACING.COM"
        - "storm@PORCUPINERACING.COM"
        - "storm"
      nimbus.supervisor.users:
        - "storm/bigstorm.porcupineracing.com@PORCUPINERACING.COM"
        - "storm@PORCUPINERACING.COM"
        - "storm"
      nimbus.users:
         - "steven.miller"
         - "steven.miller@PORCUPINERACING.COM"
      

      I can start the UI and verify using lsof that it's only listening on localhost:

      [root@bigstorm bin]# ps axuww | grep ui.core
      root      5080  0.1  5.6 2850232 217688 pts/1  Sl   Sep14   1:31 java -server -Ddaemon.name=ui -Dstorm.options= -Dstorm.home=/opt/apache-storm-1.1.1 -Dstorm.log.dir=/opt/apache-storm-1.1.1/logs -Djava.library.path=/usr/local/lib:/opt/local/lib:/usr/lib -Dstorm.conf.file= -cp /opt/apache-storm-1.1.1/lib/asm-5.0.3.jar:/opt/apache-storm-1.1.1/lib/clojure-1.7.0.jar:/opt/apache-storm-1.1.1/lib/disruptor-3.3.2.jar:/opt/apache-storm-1.1.1/lib/kryo-3.0.3.jar:/opt/apache-storm-1.1.1/lib/log4j-api-2.8.2.jar:/opt/apache-storm-1.1.1/lib/log4j-core-2.8.2.jar:/opt/apache-storm-1.1.1/lib/log4j-over-slf4j-1.6.6.jar:/opt/apache-storm-1.1.1/lib/log4j-slf4j-impl-2.8.2.jar:/opt/apache-storm-1.1.1/lib/minlog-1.3.0.jar:/opt/apache-storm-1.1.1/lib/objenesis-2.1.jar:/opt/apache-storm-1.1.1/lib/reflectasm-1.10.1.jar:/opt/apache-storm-1.1.1/lib/ring-cors-0.1.5.jar:/opt/apache-storm-1.1.1/lib/servlet-api-2.5.jar:/opt/apache-storm-1.1.1/lib/slf4j-api-1.7.21.jar:/opt/apache-storm-1.1.1/lib/storm-core-1.1.1.jar:/opt/apache-storm-1.1.1/lib/storm-rename-hack-1.1.1.jar:/opt/apache-storm-1.1.1:/opt/apache-storm-default/conf -Xmx768m -Djava.security.auth.login.config=/keytabs/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf -Dlogfile.name=ui.log -DLog4jContextSelector=org.apache.logging.log4j.core.async.AsyncLoggerContextSelector -Dlog4j.configurationFile=/opt/apache-storm-1.1.1/log4j2/cluster.xml org.apache.storm.ui.core
      root     19913  0.0  0.0 112648   972 pts/1    R+   09:26   0:00 grep --color=auto ui.core
      
      [root@bigstorm bin]# lsof -p 5080 -P | grep LISTEN
      java    5080 root   27u     IPv6             597116       0t0      TCP localhost:8080 (LISTEN)
      

      Now if I add the https config:

      ui.https.host: "localhost"
      ui.https.port: 8443
      ui.https.keystore.type: "jks"
      ui.https.keystore.path: "/keytabs/keystore.jks"
      ui.https.keystore.password: "sooper-sekrit"
      ui.https.key.password: "sooper-sekrit"
      

      and I restart the UI, I can see that it's listening on *:8443:

      [root@bigstorm bin]# ps axuww | grep ui.core
      root     19921 17.2  5.4 2849188 210896 pts/1  Sl   09:26   0:04 java -server -Ddaemon.name=ui -Dstorm.options= -Dstorm.home=/opt/apache-storm-1.1.1 -Dstorm.log.dir=/opt/apache-storm-1.1.1/logs -Djava.library.path=/usr/local/lib:/opt/local/lib:/usr/lib -Dstorm.conf.file= -cp /opt/apache-storm-1.1.1/lib/asm-5.0.3.jar:/opt/apache-storm-1.1.1/lib/clojure-1.7.0.jar:/opt/apache-storm-1.1.1/lib/disruptor-3.3.2.jar:/opt/apache-storm-1.1.1/lib/kryo-3.0.3.jar:/opt/apache-storm-1.1.1/lib/log4j-api-2.8.2.jar:/opt/apache-storm-1.1.1/lib/log4j-core-2.8.2.jar:/opt/apache-storm-1.1.1/lib/log4j-over-slf4j-1.6.6.jar:/opt/apache-storm-1.1.1/lib/log4j-slf4j-impl-2.8.2.jar:/opt/apache-storm-1.1.1/lib/minlog-1.3.0.jar:/opt/apache-storm-1.1.1/lib/objenesis-2.1.jar:/opt/apache-storm-1.1.1/lib/reflectasm-1.10.1.jar:/opt/apache-storm-1.1.1/lib/ring-cors-0.1.5.jar:/opt/apache-storm-1.1.1/lib/servlet-api-2.5.jar:/opt/apache-storm-1.1.1/lib/slf4j-api-1.7.21.jar:/opt/apache-storm-1.1.1/lib/storm-core-1.1.1.jar:/opt/apache-storm-1.1.1/lib/storm-rename-hack-1.1.1.jar:/opt/apache-storm-1.1.1:/opt/apache-storm-default/conf -Xmx768m -Djava.security.auth.login.config=/keytabs/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf -Dlogfile.name=ui.log -DLog4jContextSelector=org.apache.logging.log4j.core.async.AsyncLoggerContextSelector -Dlog4j.configurationFile=/opt/apache-storm-1.1.1/log4j2/cluster.xml org.apache.storm.ui.core
      root     20018  0.0  0.0 112648   968 pts/1    R+   09:27   0:00 grep --color=auto ui.core
      [root@bigstorm bin]# lsof -p 19921 -P | grep LISTEN
      java    19921 root   38u  IPv6             677914       0t0      TCP *:8443 (LISTEN)
      

      I have a situation in which I'm trying to limit access to the UI on a per-user basis. The UI seems, as far as I can tell, only to support limiting access to users with valid Kerberos tickets (which is everyone here ), so I was trying to put a proxy in front of the UI and run it just on localhost, and rely on the proxy to do the authentication.

      This bug means that if I was to do that, I'd have to run the UI without https, which means that people's credentials would be bouncing around in the clear (again, as far as I can tell; I tcpdumped that and I could see, say, storm@PORCUPINERACING.COM in the base64 decode of the Authorization: HTTP header, at least, which I figure was a bad sign).

      I looked at the code and didn't see anything obvious but since I don't know Clojure or Netty it was probably staring me in the face. . But if you could fix this that'd be awesome, and it'd let me secure this in a way that I'd find much more reassuring. Thanks!

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              stevemil00 Steve Miller
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated: