apex-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Vlad Rozov <v.ro...@datatorrent.com>
Subject Re: impersonation and application path
Date Fri, 19 May 2017 14:43:00 GMT
Do I understand correctly that the question is regarding 
DAGContext.APPLICATION_PATH attribute value in case it is not defined? 
In this case, I would treat the current behavior as a bug and +1 the 
proposal to set it to the impersonated user B DFS home directory. As 
APPLICATION_PATH can be explicitly set I do not see a need to provide 
another settings to preserve the current behavior.

Thank you,

Vlad

On 5/18/17 15:46, Pramod Immaneni wrote:
> Sorry typo in sentence "as we are not asking for permissions for a lower
> privilege", please read as "as we are now asking for permissions for a
> lower privilege".
>
> On Thu, May 18, 2017 at 3:44 PM, Pramod Immaneni <pramod@datatorrent.com>
> wrote:
>
>> Apex cli supports impersonation in secure mode. With impersonation, the
>> user running the cli or the user authenticating with hadoop (henceforth
>> referred to as login user) can be different from the effective user with
>> which the actions are performed under hadoop. An example for this is an
>> application can be launched by user A to run in hadoop as user B. This is
>> kind of like the sudo functionality in unix. You can find more details
>> about the functionalilty here https://apex.apache.org/docs/apex/security/ in
>> the Impersonation section.
>>
>> What happens today with launching an application with impersonation, using
>> the above launch example, is that even though the application runs as user
>> B it still uses user A's hdfs path for the application path. The
>> application path is where the artifacts necessary to run the application
>> are stored and where the runtime files like checkpoints are stored. This
>> means that user B needs to have read and write access to user A's
>> application path folders.
>>
>> This may not be allowed in certain environments as it may be a policy
>> violation for the following reason. Because user A is able to impersonate
>> as user B to launch the application, A is considered to be a higher
>> privileged user than B and is given necessary privileges in hadoop to do
>> so. But after launch B needs to access folders belonging to A which could
>> constitute a violation as we are not asking for permissions for a lower
>> privilege user to access resources of a higher privilege user.
>>
>> I would like to propose adding a configuration setting, which when set
>> will use the application path in the impersonated user's home directory
>> (user B) as opposed to impersonating user's home directory (user A). If
>> this setting is not specified then the behavior can default to what it is
>> today for backwards compatibility.
>>
>> Comments, suggestions, concerns?
>>
>> Thanks
>>


Mime
View raw message