This is the fourth and final post in a series of blog posts on securing Apache Storm. The first post looked at setting up a simple Storm cluster that authenticates users via Kerberos, and deploying a topology. The second post looked at deploying the Storm UI using Kerberos, and accessing it via a REST client. The third post looked at how to use Apache Ranger to authorize access to Apache Storm. In this post, we will look at how Apache Ranger can create "tag" based authorization policies for Apache Storm using Apache Atlas.
1) Start Apache Atlas and create entities/tags for Storm
First let's look at setting up Apache Atlas. Download the latest released version (0.8-incubating) and extract it. Build the distribution that contains an embedded HBase and Solr instance via:
- mvn clean package -Pdist,embedded-hbase-solr -DskipTests
The distribution will then be available in 'distro/target/apache-atlas-0.8-incubating-bin'. To launch Atlas, we need to set some variables to tell it to use the local HBase and Solr instances:
- export MANAGE_LOCAL_HBASE=true
- export MANAGE_LOCAL_SOLR=true
Now let's start Apache Atlas with 'bin/atlas_start.py'. Open a browser and go to 'http://localhost:21000/', logging on with credentials 'admin/admin'. Click on "TAGS" and create a new tag called "user_topologies". Unlike for HDFS or Kafka, Atlas doesn't provide an easy way to create a Storm Entity in the UI. Instead we can use the following JSON file to create a Storm Entity for "*" topologies:
You can upload it to Atlas via:
- curl -v -H 'Accept: application/json, text/plain, */*' -H 'Content-Type: application/json; charset=UTF-8' -u admin:admin -d @storm-create.json http://localhost:21000/api/atlas/entities
Once the new entity has been uploaded, you can search for it in the Atlas UI, click on "+" beside "Tags" and associate the new entity with the "user_topologies" tag.
2) Use the Apache Ranger TagSync service to import tags from Atlas into Ranger
To create tag based policies in Apache Ranger, we have to import the entity + tag we have created in Apache Atlas into Ranger via the Ranger TagSync service. After building Apache Ranger, extract the file called "target/ranger-<version>-tagsync.tar.gz". Edit 'install.properties' as follows:
- Set TAG_SOURCE_ATLAS_ENABLED to "false"
- Set TAG_SOURCE_ATLASREST_ENABLED to "true"
- Set TAG_SOURCE_ATLASREST_DOWNLOAD_INTERVAL_IN_MILLIS to "60000" (just for testing purposes)
- Specify "admin" for both TAG_SOURCE_ATLASREST_USERNAME and TAG_SOURCE_ATLASREST_PASSWORD
Save 'install.properties' and install the tagsync service via "sudo ./setup.sh". Start the Apache Ranger admin service via "sudo ranger-admin start" and then the tagsync service via "sudo ranger-tagsync-services.sh start".
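The four 'install.properties' edits above are easy to get wrong by hand (TAG_SOURCE_ATLAS_ENABLED and TAG_SOURCE_ATLASREST_ENABLED differ by one word, and only one of them should be on). The following shell script is an added example, not part of the original post or of the Ranger distribution: it applies exactly the settings listed above to a given 'install.properties' and then re-reads the file to confirm each key has the expected value before you run "setup.sh". The only assumption is that the file uses plain "KEY=value" lines, which is how the Ranger tagsync 'install.properties' is laid out.

```shell
#!/bin/sh
# Added example (not from the original post): apply the step 2 TagSync settings
# to a Ranger tagsync install.properties file and verify them afterwards.

# set_prop FILE KEY VALUE: replace an existing "KEY=..." line or append one.
set_prop() {
  file="$1"; key="$2"; value="$3"
  if grep -q "^${key}=" "$file"; then
    # rewrite through a temp file; portable across sed/awk implementations
    awk -v k="$key" -v v="$value" 'BEGIN { FS = OFS = "=" } $1 == k { $0 = k "=" v } { print }' \
      "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# get_prop FILE KEY: print the value of KEY (last occurrence wins; empty if absent).
get_prop() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# configure_tagsync FILE: the settings from step 2 of the post.
# The Atlas Kafka-notification source is switched off and the Atlas REST
# source is switched on, polling every 60 s (a short interval for testing only).
configure_tagsync() {
  f="$1"
  set_prop "$f" TAG_SOURCE_ATLAS_ENABLED false
  set_prop "$f" TAG_SOURCE_ATLASREST_ENABLED true
  set_prop "$f" TAG_SOURCE_ATLASREST_DOWNLOAD_INTERVAL_IN_MILLIS 60000
  set_prop "$f" TAG_SOURCE_ATLASREST_USERNAME admin
  set_prop "$f" TAG_SOURCE_ATLASREST_PASSWORD admin
}

# check_tagsync FILE: succeed only if every expected key holds the expected value.
check_tagsync() {
  f="$1"
  [ "$(get_prop "$f" TAG_SOURCE_ATLAS_ENABLED)" = false ] &&
  [ "$(get_prop "$f" TAG_SOURCE_ATLASREST_ENABLED)" = true ] &&
  [ "$(get_prop "$f" TAG_SOURCE_ATLASREST_DOWNLOAD_INTERVAL_IN_MILLIS)" = 60000 ] &&
  [ "$(get_prop "$f" TAG_SOURCE_ATLASREST_USERNAME)" = admin ] &&
  [ "$(get_prop "$f" TAG_SOURCE_ATLASREST_PASSWORD)" = admin ]
}

# Usage: sh configure-tagsync.sh path/to/ranger-tagsync/install.properties
if [ -n "${1:-}" ]; then
  configure_tagsync "$1" && check_tagsync "$1" && echo "install.properties configured"
fi
```

Run it against the 'install.properties' in the extracted tagsync directory before "sudo ./setup.sh"; if check_tagsync fails, the file was not in the expected "KEY=value" form and should be inspected by hand.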
3) Create Tag-based authorization policies in Apache Ranger
Now let's create a tag-based authorization policy in the Apache Ranger admin UI. Click on "Access Manager" and then "Tag based policies". Create a new Tag service called "StormTagService". Create a new policy for this service called "UserTopologiesPolicy". In the "TAG" field enter a "u" and the "user_topologies" tag should pop up, meaning that it was successfully synced in from Apache Atlas. Create an "Allow" condition for the user "alice" with all of the component permissions for "Storm".
We also need to go back to the Resource based policies, edit "cl1_storm" and select the tag service we have created above. Finally, edit the existing "cl1_storm" policy created as part of the previous tutorials, and remove the permissions for "alice" there, so that we can be sure that authorization is working correctly. Then follow the first tutorial and verify that "alice" is authorized to deploy a topology as per the tag-based authorization policy we have created in Ranger.
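The same "UserTopologiesPolicy" can be created without the UI, which is handy when you want the policy under version control or want to recreate a test cluster repeatably. The script below is an added example, not from the original post or from the Ranger project: it builds the tag policy body and POSTs it to the Ranger admin REST API. Assumptions not stated in the post: the Ranger admin runs at RANGER_URL (default http://localhost:6080) with admin:admin credentials; the policy is sent to the public v2 policy endpoint (service/public/v2/api/policy); and tag-policy access types are written as "storm:<permission>", which is how Ranger names accesses of a resource service type inside a tag policy. The permission list is the set of Storm component permissions the Ranger Storm service definition exposes; compare it against the checkboxes your Ranger version shows in the UI.

```shell
#!/bin/sh
# Added example (not from the original post): create the step 3 tag-based
# policy via the Ranger admin REST API. RANGER_URL, the credentials, the
# endpoint and the "storm:<permission>" naming are assumptions, see the text.
RANGER_URL="${RANGER_URL:-http://localhost:6080}"
RANGER_CREDS="${RANGER_CREDS:-admin:admin}"

# Storm component permissions as exposed by the Ranger Storm service definition.
STORM_PERMS="submitTopology fileUpload fileDownload killTopology rebalance activate \
deactivate getTopologyConf getTopology getUserTopology getTopologyInfo \
uploadNewCredentials getNimbusConf getClusterInfo"

# accesses_json: emit the "accesses" array granting every Storm permission.
accesses_json() {
  first=1
  printf '['
  for p in $STORM_PERMS; do
    [ "$first" -eq 1 ] || printf ','
    first=0
    printf '{"type":"storm:%s","isAllowed":true}' "$p"
  done
  printf ']'
}

# tag_policy_json SERVICE POLICY TAG USER: build the policy body.
# The resource of a tag policy is the tag itself, so every entity carrying
# TAG in Atlas (here the "*" Storm entity) is matched without naming it.
tag_policy_json() {
  printf '{"service":"%s","name":"%s","isEnabled":true,"resources":{"tag":{"values":["%s"],"isExclude":false,"isRecursive":false}},"policyItems":[{"accesses":%s,"users":["%s"],"groups":[],"delegateAdmin":false}]}' \
    "$1" "$2" "$3" "$(accesses_json)" "$4"
}

# create_tag_policy SERVICE POLICY TAG USER: POST the policy; prints the HTTP status.
create_tag_policy() {
  tag_policy_json "$@" | curl -s -o /dev/null -w '%{http_code}' -u "$RANGER_CREDS" \
    -H 'Content-Type: application/json' -X POST -d @- \
    "$RANGER_URL/service/public/v2/api/policy"
}

# Usage: sh create-tag-policy.sh --create   (prints 200 on success)
if [ "${1:-}" = "--create" ]; then
  create_tag_policy StormTagService UserTopologiesPolicy user_topologies alice
fi
```

The "StormTagService" tag service must already exist and "cl1_storm" must still be linked to it in the Resource based policies, as described above; the script only creates the policy inside the tag service. Keep the credentials out of the script in anything beyond a test setup (for example by exporting RANGER_CREDS from a protected file) rather than defaulting to admin:admin.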