Configuring a Storm Service User Password Policy
Scenario
This section applies to MRS 3.x or later.
After a Storm service user submits a topology, that topology must keep running. While it runs, its worker processes may need to restart to keep the topology working. If the service user's password is changed, or the password has been in use for longer than the maximum number of days allowed by the password policy, the topology may stop working. A system administrator must therefore configure a separate password policy for Storm service users, based on enterprise security requirements.
If no separate password policy is configured for Storm service users, the old topology can be deleted and submitted again after the service user's password is changed, so that the topology continues to run.
Impact on the System
- After a separate password policy is configured for a Storm service user, that user is no longer governed by the Password Policy configured on the Manager page.
- If a separate password policy is configured for a Storm service user and cross-cluster entrusted relationships are configured, a password must be reset for the Storm service user on Manager based on the password policy.
Prerequisites
A system administrator understands the service requirements and has created a Human-Machine user, for example, testpol.
Procedure
- Log in to any node in the cluster as user omm.
- Run the following command to disable logout upon timeout:
TMOUT=0
After completing the operations in this section, run the TMOUT=<timeout interval> command to restore the timeout interval promptly. For example, TMOUT=600 logs a user out after 600 seconds without any operation.
- Run the following commands to export the environment variables:
EXECUTABLE_HOME="${CONTROLLER_HOME}/kerberos_user_specific_binay/kerberos"
LD_LIBRARY_PATH=${EXECUTABLE_HOME}/lib:$LD_LIBRARY_PATH
PATH=${EXECUTABLE_HOME}/bin:$PATH
- Run the following command and enter the Kerberos administrator password to log in to the Kerberos console:
kadmin -p kadmin/admin
When logging in for the first time, you must change the password of the kadmin/admin user.
If the following information is displayed, you have successfully logged in to the Kerberos console.
kadmin:
- Run the following command to check details about the created Human-Machine user:
getprinc Username
Sample command for viewing details about the testpol user:
getprinc testpol
If the following information is displayed, the specified user has used the default password policy:
Principal: testpol@<System domain name> ...... Policy: default
- Run the following command to create a separate password policy, such as streampol, for the Storm service user:
addpol -maxlife 0day -minlife 0sec -history 1 -maxfailure 5 -failurecountinterval 5min -lockoutduration 5min -minlength 8 -minclasses 4 streampol
In the command, -maxlife indicates the maximum validity period of a password, and 0day indicates that a password will never expire.
- Run the following command to view the newly created policy streampol:
getpol streampol
If the following information is displayed, the new policy specifies that the password will never expire:
Policy: streampol Maximum password life: 0 days 00:00:00 ......
- Run the following command to apply the new policy streampol to the testpol Storm user:
modprinc -policy streampol testpol
In the command, streampol indicates a policy name, and testpol indicates a username.
If the following information is displayed, the properties of the specified user have been modified:
Principal "testpol@<System domain name>" modified.
- Run the following command to view current information about the testpol Storm user:
getprinc testpol
If the following information is displayed, the specified user has used the new password policy:
Principal: testpol@<System domain name> ...... Policy: streampol
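The following shell script is an added example (not part of the MRS documentation or the product) that parses the getprinc and getpol output shown in this procedure and confirms that a Storm user is bound to a policy whose maximum password life is zero. The sample output embedded in the script is constructed (realm EXAMPLE.COM), and the optional live check assumes the kadmin environment variables from this procedure are set and that kadmin accepts a single query via -q.

```bash
#!/bin/bash
# Added example: verify that a Storm service user uses the non-expiring
# policy created above. Not part of MRS; the sample outputs are constructed.

STORM_POLICY="streampol"   # policy name used in the procedure
STORM_USER="testpol"       # Human-Machine user used in the procedure

# Constructed samples of what kadmin prints before and after "modprinc".
SAMPLE_PRINC_OLD=$'Principal: testpol@EXAMPLE.COM\nPolicy: default'
SAMPLE_PRINC_NEW=$'Principal: testpol@EXAMPLE.COM\nPolicy: streampol'
SAMPLE_POL=$'Policy: streampol\nMaximum password life: 0 days 00:00:00'

# Print the value of the first "<label>: value" line read from stdin.
# (sed rather than awk, because durations such as 00:00:00 contain colons.)
field_of() {
    sed -n "s/^$1: *//p" | head -n 1
}

# Policy name from "getprinc" output; kadmin prints "[none]" if unset.
policy_of_principal() { field_of "Policy"; }

# Maximum password life from "getpol" output, e.g. "0 days 00:00:00".
max_life_of_policy() { field_of "Maximum password life"; }

# Return 0 only if the principal names the expected policy AND that
# policy's maximum password life is zero (the password never expires).
verify_storm_policy() {
    local princ_out="$1" pol_out="$2" pol life
    pol=$(printf '%s\n' "$princ_out" | policy_of_principal)
    life=$(printf '%s\n' "$pol_out" | max_life_of_policy)
    if [ "$pol" != "$STORM_POLICY" ]; then
        printf 'user uses policy "%s", expected "%s"\n' "$pol" "$STORM_POLICY" >&2
        return 1
    fi
    if [ "$life" != "0 days 00:00:00" ]; then
        printf 'policy %s max life is "%s", not zero\n' "$STORM_POLICY" "$life" >&2
        return 1
    fi
    return 0
}

# Live check against the KDC: prompts for the kadmin/admin password per query.
live_check() {
    local princ_out pol_out
    princ_out=$(kadmin -p kadmin/admin -q "getprinc $STORM_USER") || return 1
    pol_out=$(kadmin -p kadmin/admin -q "getpol $STORM_POLICY") || return 1
    verify_storm_policy "$princ_out" "$pol_out"
}
```

Run `live_check` from a node where the environment variables of this procedure are exported; on the constructed samples, verify_storm_policy succeeds for SAMPLE_PRINC_NEW and fails for SAMPLE_PRINC_OLD.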