From 54d2a33f85115f88b16530a1ea02daad628ef26f Mon Sep 17 00:00:00 2001
From: Paul Poulosky
Date: Tue, 28 Mar 2017 10:20:59 -0500
Subject: [PATCH 1/2] [STORM-2093] Fix permissions in multi-tenant, secure mode
---
 .../clj/org/apache/storm/daemon/logviewer.clj | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/storm-core/src/clj/org/apache/storm/daemon/logviewer.clj b/storm-core/src/clj/org/apache/storm/daemon/logviewer.clj
index 284a237f55..909d2eb98d 100644
--- a/storm-core/src/clj/org/apache/storm/daemon/logviewer.clj
+++ b/storm-core/src/clj/org/apache/storm/daemon/logviewer.clj
@@ -506,6 +506,20 @@
 (-> (resp/response "Page not found") (resp/status 404)))))
+(defnk set-log-file-permissions [fname root-dir]
+ (let [file (.getCanonicalFile (File. root-dir fname))
+ run-as-user (*STORM-CONF* SUPERVISOR-RUN-WORKER-AS-USER)
+ parent (.getParent (File. root-dir fname))
+ md-file (if (nil? parent) nil (get-metadata-file-for-wroker-logdir parent))
+ topo-owner (if (nil? md-file) nil (get-topo-owner-from-metadata-file md-file))]
+ (if (and run-as-user
+ (not-nil? topo-owner)
+ (.exists file)
+ (not (Files/isReadable (.toPath file))))
+ (do
+ (log-debug "Setting permissions on file " fname " with topo-owner " topo-owner)
+ (SupervisorUtils/processLauncherAndWait *STORM-CONF* topo-owner ["code-dir" (.getCanonicalPath file)] nil (str "setup group read permissions for file: " fname))))))
+
 (defnk download-log-file [fname req resp user ^String root-dir :is-daemon false] (let [file (.getCanonicalFile (File. root-dir fname))] (if (.exists file)
@@ -1024,6 +1038,7 @@
 start (if (:start m) (parse-long-from-map m :start)) length (if (:length m) (parse-long-from-map m :length)) file (URLDecoder/decode (:file m))]
+ (set-log-file-permissions file log-root)
 (log-template (log-page file start length (:grep m) user log-root) file user)) (catch InvalidRequestException ex
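Review bot: `set-log-file-permissions` in the `@@ -506` hunk hands `(.getCanonicalPath file)` to the process launcher without checking that the canonical path is still inside `root-dir`. It also derives `parent` from the non-canonical `(File. root-dir fname)`, so the owner lookup and the file being changed can refer to different directories when `fname` contains `..` segments or resolves through a symlink. The call sites pass a URL-decoded request parameter as `fname`, so a containment test belongs in the `and` before the launcher runs, for example `(.startsWith (.toPath file) (.toPath (.getCanonicalFile (File. root-dir))))`, with `parent` taken from `file` rather than from the raw path. A short docstring saying that the function runs the launcher as the topology owner to make an unreadable log file readable would help the next reader. The function is complete within the hunk.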
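Review bot: In the `@@ -1024` hunk the new `(set-log-file-permissions file log-root)` runs before `log-page`, the call that receives `user`, so the permission change is attempted for any caller who reaches this route, whether or not that user may read the log. The `/download` route has the same ordering once the second patch is applied. Whatever authorization `log-page` and `download-log-file` perform is not visible here, but the privileged step should come after it, or the function should take `user` and return early for a caller who is not allowed to read the file. The enclosing handler starts and ends outside the hunk.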
@@ -1100,6 +1115,7 @@
 (GET "/download" [:as {:keys [servlet-request servlet-response log-root]} & m] (try (.mark logviewer:num-download-log-file-http-requests)
+ (set-log-file-permissions file log-root)
 (let [user (.getUserName http-creds-handler servlet-request) file (URLDecoder/decode (:file m))] (download-log-file file servlet-request servlet-response user log-root))
From 961a5dc9eccce416860254b70ad66b641d53fcb6 Mon Sep 17 00:00:00 2001
From: Paul Poulosky
Date: Mon, 3 Apr 2017 09:15:36 -0500
Subject: [PATCH 2/2] Fix merge error
---
 storm-core/src/clj/org/apache/storm/daemon/logviewer.clj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/storm-core/src/clj/org/apache/storm/daemon/logviewer.clj b/storm-core/src/clj/org/apache/storm/daemon/logviewer.clj
index 909d2eb98d..b4388b607c 100644
--- a/storm-core/src/clj/org/apache/storm/daemon/logviewer.clj
+++ b/storm-core/src/clj/org/apache/storm/daemon/logviewer.clj
@@ -1115,9 +1115,9 @@
 (GET "/download" [:as {:keys [servlet-request servlet-response log-root]} & m] (try (.mark logviewer:num-download-log-file-http-requests)
- (set-log-file-permissions file log-root)
 (let [user (.getUserName http-creds-handler servlet-request) file (URLDecoder/decode (:file m))]
+ (set-log-file-permissions file log-root)
 (download-log-file file servlet-request servlet-response user log-root)) (catch InvalidRequestException ex (log-error ex)
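Review bot: The value of `(set-log-file-permissions file log-root)` is discarded in the `/download` handler of the second patch, as it is in the `@@ -1024` hunk, and the function records the launcher call only through `log-debug`. A failed permission change therefore leaves no trace unless debug logging is enabled, and the request carries on into `download-log-file` with the file still unreadable. Assuming `processLauncherAndWait` returns the launcher's exit status, binding it inside the function and warning on failure, e.g. `(when-not (zero? rc) (log-warn "setting permissions failed for " fname " rc=" rc))`, would make these events visible to operators. Logging the attempt above debug level would also give an audit record for a privileged operation triggered by an HTTP request. The `try` form continues past the end of the hunk.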