Configuring a Storm Service User Password Policy

Scenario

This section applies to MRS 3.x or later.

After submitting a topology task, a Storm service user must ensure that the task keeps running. While the topology is running, its worker processes may be restarted to keep the topology working. If the service user's password is changed, or the password has been in use for longer than the maximum number of days allowed by its password policy, the running topology may be affected. A system administrator must therefore configure a separate password policy for Storm service users based on enterprise security requirements.

Note

If a separate password policy is not configured for Storm service users, the old topology can be deleted and submitted again after the service user's password is changed, so that the topology can continue to run.

Impact on the System

  • After a separate password policy is configured for a Storm service user, the user is not affected by Password Policy on the Manager page.

  • If a separate password policy is configured for a Storm service user and cross-cluster entrusted relationships are configured, a password must be reset for the Storm service user on Manager based on the password policy.

Prerequisites

A system administrator understands the service requirements and has created a Human-Machine user, for example, testpol.

Procedure

  1. Log in to any node in the cluster as user omm.

  2. Run the following command to disable logout upon timeout:

    TMOUT=0

    Note

    After the operations in this section are complete, run the TMOUT=Timeout interval command to restore the timeout interval in a timely manner. For example, TMOUT=600 indicates that a user is logged out if the user does not perform any operation within 600 seconds.

  3. Run the following commands to export the environment variables:

    export EXECUTABLE_HOME="${CONTROLLER_HOME}/kerberos_user_specific_binay/kerberos"

    export LD_LIBRARY_PATH=${EXECUTABLE_HOME}/lib:$LD_LIBRARY_PATH

    export PATH=${EXECUTABLE_HOME}/bin:$PATH

  4. Run the following command and enter the Kerberos administrator password to log in to the Kerberos console:

    kadmin -p kadmin/admin

    Note

    On first use, the password of the kadmin/admin user must be changed.

    If the following information is displayed, you have successfully logged in to the Kerberos console.

    kadmin:
    
  5. Run the following command to check details about the created Human-Machine user:

    getprinc Username

    Sample command for viewing details about the testpol user:

    getprinc testpol

    If the following information is displayed, the specified user is still using the default password policy:

    Principal: testpol@<System domain name>
    ......
    Policy: default
    
  6. Run the following command to create a separate password policy, such as streampol, for the Storm service user:

    addpol -maxlife 0day -minlife 0sec -history 1 -maxfailure 5 -failurecountinterval 5min -lockoutduration 5min -minlength 8 -minclasses 4 streampol

    In the command, -maxlife indicates the maximum validity period of a password, and 0day indicates that a password will never expire.

  7. Run the following command to view the newly created policy streampol:

    getpol streampol

    If the following information is displayed, the new policy specifies that the password will never expire:

    Policy: streampol
     Maximum password life: 0 days 00:00:00
    ......
    
  8. Run the following command to apply the new policy streampol to the testpol Storm user:

    modprinc -policy streampol testpol

    In the command, streampol indicates a policy name, and testpol indicates a username.

    If the following information is displayed, the properties of the specified user have been modified:

    Principal "testpol@<System domain name>" modified.
    
  9. Run the following command to view current information about the testpol Storm user:

    getprinc testpol

    If the following information is displayed, the specified user is now using the new password policy:

    Principal: testpol@<System domain name>
    ......
     Policy: streampol
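The checks in steps 5, 7 and 9 are done by eye on kadmin output. The following script is an added example, not part of this documentation or of the MRS product, that automates the same verification: it parses getprinc and getpol output in the "Key: value" form shown above and reports whether a Storm service user is on the expected policy and whether that policy really has a zero maximum password life. The sample kadmin output embedded below is constructed for the example (the realm EXAMPLE.COM and the 90-day default lifetime are placeholders, not values from this page); in practice you would feed it the text captured from `kadmin -p kadmin/admin -q "getprinc testpol"` and `... -q "getpol streampol"`.

```python
"""Audit helper: confirm a Storm service user is on a never-expiring Kerberos policy.

Added example; it parses the text kadmin prints for getprinc/getpol.
"""
import re

# Constructed sample output modelled on the kadmin text in this section.
# EXAMPLE.COM stands in for <System domain name>.
SAMPLE_GETPRINC_DEFAULT = """\
Principal: testpol@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Jan 01 00:00:00 UTC 2024
Password expiration date: Sun Mar 31 00:00:00 UTC 2024
Policy: default
"""

SAMPLE_GETPRINC_STREAMPOL = """\
Principal: testpol@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Jan 01 00:00:00 UTC 2024
Password expiration date: [never]
 Policy: streampol
"""

SAMPLE_GETPOL_DEFAULT = """\
Policy: default
Maximum password life: 90 days 00:00:00
Minimum password life: 0 days 00:00:00
Minimum password length: 8
Minimum number of password character classes: 4
Number of old keys kept: 1
"""

SAMPLE_GETPOL_STREAMPOL = """\
Policy: streampol
 Maximum password life: 0 days 00:00:00
Minimum password life: 0 days 00:00:00
Minimum password length: 8
Minimum number of password character classes: 4
Number of old keys kept: 1
"""

# "Key: value" line; the non-greedy key stops at the first colon so that
# timestamps such as "00:00:00" stay in the value part.
_FIELD = re.compile(r"^\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")
# kadmin prints durations as "<n> day(s) HH:MM:SS".
_DURATION = re.compile(r"(\d+) days? (\d+):(\d+):(\d+)")


def parse_kadmin_block(text):
    """Turn kadmin's 'Key: value' lines into a dict; '......' and other
    non-field lines are ignored, leading spaces are tolerated."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("val").strip()
    return fields


def max_life_seconds(getpol_text):
    """Maximum password life of a getpol block in seconds; 0 means never expires."""
    val = parse_kadmin_block(getpol_text).get("Maximum password life", "")
    m = _DURATION.match(val)
    if not m:
        raise ValueError(f"unrecognised maximum password life: {val!r}")
    days, hours, minutes, seconds = (int(x) for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def principal_policy(getprinc_text):
    """Policy name a getprinc block reports for the principal (None if absent)."""
    return parse_kadmin_block(getprinc_text).get("Policy")


def audit_storm_user(getprinc_text, getpol_text, expected_policy):
    """Return (ok, reasons). ok is True only when the principal is assigned
    expected_policy, the getpol block describes that same policy, and the
    policy's maximum password life is zero (passwords never expire)."""
    reasons = []
    assigned = principal_policy(getprinc_text)
    if assigned != expected_policy:
        reasons.append(f"principal uses policy {assigned!r}, expected {expected_policy!r}")
    described = parse_kadmin_block(getpol_text).get("Policy")
    if described != expected_policy:
        reasons.append(f"getpol output describes {described!r}, not {expected_policy!r}")
    life = max_life_seconds(getpol_text)
    if life != 0:
        reasons.append(f"policy {described!r} expires passwords after {life} seconds")
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, princ, pol in (("before", SAMPLE_GETPRINC_DEFAULT, SAMPLE_GETPOL_DEFAULT),
                              ("after", SAMPLE_GETPRINC_STREAMPOL, SAMPLE_GETPOL_STREAMPOL)):
        ok, why = audit_storm_user(princ, pol, "streampol")
        print(label, "OK" if ok else "FAIL", "; ".join(why))
```

Because kadmin stores a maximum life of 0 as "never expires", the audit keys on the parsed duration rather than on the policy name alone, so a policy that was created with the right name but a non-zero -maxlife is still reported as a failure.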