falcon-commits mailing list archives

From venkat...@apache.org
Subject [3/5] git commit: FALCON-799 Falcon Dashboard unusable when server is started with umask 077. Contributed by Balu Vellanki
Date Thu, 16 Oct 2014 21:40:39 GMT
FALCON-799 Falcon Dashboard unusable when server is started with umask 077. Contributed by
Balu Vellanki


Project: http://git-wip-us.apache.org/repos/asf/incubator-falcon/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-falcon/commit/957aab14
Tree: http://git-wip-us.apache.org/repos/asf/incubator-falcon/tree/957aab14
Diff: http://git-wip-us.apache.org/repos/asf/incubator-falcon/diff/957aab14

Branch: refs/heads/master
Commit: 957aab148951690da99e84a2204a7dfa0cbdb580
Parents: 04efd17
Author: Venkatesh Seetharam <venkatesh@apache.org>
Authored: Thu Oct 16 13:58:32 2014 -0700
Committer: Venkatesh Seetharam <venkatesh@apache.org>
Committed: Thu Oct 16 13:58:32 2014 -0700

----------------------------------------------------------------------
 CHANGES.txt                                     |  3 ++
 docs/src/site/twiki/Security.twiki              | 42 ++++++++++----------
 html5-ui/entity.html                            |  6 +++
 html5-ui/js/falcon.js                           | 17 ++++++--
 .../security/FalconAuthenticationFilter.java    |  2 +-
 5 files changed, 43 insertions(+), 27 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-falcon/blob/957aab14/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index e2c976b..222c351 100755
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -117,6 +117,9 @@ Trunk (Unreleased)
   OPTIMIZATIONS
 
   BUG FIXES
+   FALCON-799 Falcon Dashboard unusable when server is started with umask 077
+   (Balu Vellanki via Venkatesh Seetharam)
+
    FALCON-678 Falcon's default port has changed to 15443 (Balu Vellanki via
    Venkatesh Seetharam)
 

http://git-wip-us.apache.org/repos/asf/incubator-falcon/blob/957aab14/docs/src/site/twiki/Security.twiki
----------------------------------------------------------------------
diff --git a/docs/src/site/twiki/Security.twiki b/docs/src/site/twiki/Security.twiki
index 2e97c8b..4e33182 100644
--- a/docs/src/site/twiki/Security.twiki
+++ b/docs/src/site/twiki/Security.twiki
@@ -85,26 +85,25 @@ implementation that enforces the following authorization policy.
 
 ---++++ Entity and Instance Management Operations Policy
 
-* All Entity and Instance operations are authorized for users who created them, Owners and
users
-with group memberships
-* Reference to entities with in a feed or process is allowed with out enforcing permissions
-Any Feed or Process can refer to a Cluster entity not owned by the Feed or Process owner
-Any Process can refer to a Feed entity not owned by the Process owner
+   * All Entity and Instance operations are authorized for users who created them, Owners
and users with group memberships
+   * Reference to entities with in a feed or process is allowed with out enforcing permissions
+
+Any Feed or Process can refer to a Cluster entity not owned by the Feed or Process owner.
Any Process can refer to a Feed entity not owned by the Process owner
 
 The authorization is enforced in the following way:
 
-if admin resource,
-     if authenticated user name matches the admin users configuration
-     Else if groups of the authenticated user matches the admin groups configuration
-     Else authorization exception is thrown
-Else if entities or instance resource
-     if the authenticated user matches the owner in ACL for the entity
-     Else if the groups of the authenticated user matches the group in ACL for the entity
-     Else authorization exception is thrown
-Else if lineage resource
-     All have read-only permissions, reason being folks should be able to examine the dependency
-     and allow reuse
+   * if admin resource,
+      * If authenticated user name matches the admin users configuration
+      * Else if groups of the authenticated user matches the admin groups configuration
+      * Else authorization exception is thrown
+   * Else if entities or instance resource
+      * If the authenticated user matches the owner in ACL for the entity
+      * Else if the groups of the authenticated user matches the group in ACL for the entity
+      * Else authorization exception is thrown
+   * Else if lineage resource
+      * All have read-only permissions, reason being folks should be able to examine the
dependency and allow reuse
 
+To authenticate user for REST api calls, user should append "user.name=<username>"
to the query.
 
 *operations on Entity Resource*
 
@@ -333,12 +332,11 @@ configured specifically in the file.
 
 ---+++ Falcon Dashboard
 
-The dashboard assumes an anonymous user in Pseudo/Simple method and hence anonymous users
must be enabled for it to
-work.
-<verbatim>
-# Indicates if anonymous requests are allowed when using 'simple' authentication.
-*.falcon.http.authentication.simple.anonymous.allowed=true
-</verbatim>
+To initialize the current user for dashboard, user should append query param "user.name=<username>"
to the REST api call.
+
+If dashboard user wishes to change the current user, they should do the following.
+   * delete the hadoop.auth cookie from browser cache.
+   * append query param "user.name=<new_user>" to the next REST API call.
 
 In Kerberos method, the browser must support HTTP Kerberos SPNEGO.
 

http://git-wip-us.apache.org/repos/asf/incubator-falcon/blob/957aab14/html5-ui/entity.html
----------------------------------------------------------------------
diff --git a/html5-ui/entity.html b/html5-ui/entity.html
index d4536fb..fc6f4b6 100644
--- a/html5-ui/entity.html
+++ b/html5-ui/entity.html
@@ -48,6 +48,12 @@
 <h3 class="link-icons entity-title" id="entity-title"></h3>
 <br />
 <div id="entity-info-container">
+    <div id="alert-panel">
+        <div class="alert alert-danger">
+            <button type="button" class="close" onclick="$('#alert-panel').hide();">&times;</button>
+            <div class="alert-body" id="alert-panel-body"></div>
+        </div>
+    </div>
 <div class="panel panel-default" id="panel-instance" style="display:none">
 <div class="panel-heading">Instances</div>
 <div class="panel-body"></div>
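Review bot: The new `#alert-panel-body` div is a sink for error text that `onError` in html5-ui/js/falcon.js writes with `$('#alert-panel-body').html(msg)` (visible as context in that file's first hunk), so whatever reaches it is parsed as markup. If `msg` can carry server response text that reflects request input such as the `user.name` value, that is a script-injection path on this page; `$('#alert-panel-body').text(msg);` would render it inertly. The panel is also added without the `style="display:none"` that the neighbouring `panel-instance` div carries, so unless a stylesheet or script outside this hunk hides it, an empty danger alert shows on load. The inline `onclick` on the close button would stop working under a Content-Security-Policy that disallows inline script; binding the handler from falcon.js avoids that.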

http://git-wip-us.apache.org/repos/asf/incubator-falcon/blob/957aab14/html5-ui/js/falcon.js
----------------------------------------------------------------------
diff --git a/html5-ui/js/falcon.js b/html5-ui/js/falcon.js
index a14c962..0dba31a 100644
--- a/html5-ui/js/falcon.js
+++ b/html5-ui/js/falcon.js
@@ -17,8 +17,6 @@
 (function(exports) {
   "use strict";
 
-  var USER_ID = 'falcon-dashboard';
-
   function onError(msg) {
     $('#alert-panel-body').html(msg);
     $('#alert-panel').alert();
@@ -31,8 +29,19 @@
   }
 
   function add_user(url) {
-    var paramSeparator = (url.indexOf('?') != -1) ? '&' : '?';
-    return url + paramSeparator + 'user.name=' + USER_ID;
+     var paramSeparator = (url.indexOf('?') != -1) ? '&' : '?';
+     var user_id = getQuery_params()['user.name'];
+     return (user_id == undefined) ? url : (url + paramSeparator + 'user.name=' + user_id);
+  }
+
+  function getQuery_params() {
+    var query = location.search.substr(1);
+    var result = {};
+    query.split("&").forEach(function(part) {
+      var item = part.split("=");
+      result[item[0]] = decodeURIComponent(item[1]);
+    });
+    return result;
   }
 
   function getJson_impl(url, success) {
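Review bot: `add_user` appends the decoded `user.name` value to the request URL without encoding it again, so a page URL whose value contains a percent-encoded `&`, `=` or `#` adds or truncates parameters on every REST call built from it; the concatenation should use `encodeURIComponent(user_id)`. `getQuery_params` also stores the string "undefined" for a key that has no `=` (so `?user.name` alone sends `user.name=undefined`), cuts a value at its second `=`, and lets `decodeURIComponent` throw `URIError` on a malformed escape, which would abort the caller. Both functions lie entirely inside this hunk; a tightened version follows. Whether the server normalises or rejects such values is not visible here, so the client should not rely on it.

```javascript
  function add_user(url) {
    // … unchanged: paramSeparator and user_id lookup …
    // The value was decoded by getQuery_params, so encode it again before reuse.
    return (user_id === undefined) ? url
        : (url + paramSeparator + 'user.name=' + encodeURIComponent(user_id));
  }

  function getQuery_params() {
    var result = {};
    location.search.substr(1).split("&").forEach(function(part) {
      var eq = part.indexOf("=");
      if (eq <= 0) {
        return; // empty part, or a key with no value
      }
      try {
        result[part.slice(0, eq)] = decodeURIComponent(part.slice(eq + 1));
      } catch (e) {
        // malformed percent-escape: treat the parameter as absent
      }
    });
    return result;
  }
```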

http://git-wip-us.apache.org/repos/asf/incubator-falcon/blob/957aab14/prism/src/main/java/org/apache/falcon/security/FalconAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/prism/src/main/java/org/apache/falcon/security/FalconAuthenticationFilter.java
b/prism/src/main/java/org/apache/falcon/security/FalconAuthenticationFilter.java
index ae9e874..4edde75 100644
--- a/prism/src/main/java/org/apache/falcon/security/FalconAuthenticationFilter.java
+++ b/prism/src/main/java/org/apache/falcon/security/FalconAuthenticationFilter.java
@@ -171,7 +171,7 @@ public class FalconAuthenticationFilter
                     final String user = Servlets.getUserFromRequest(httpRequest);
                     if (StringUtils.isEmpty(user)) {
                         ((HttpServletResponse) response).sendError(Response.Status.BAD_REQUEST.getStatusCode(),
-                                "User can't be empty");
+                                "Param user.name can't be empty");
                     } else if (blackListedUsers.contains(user)) {
                         ((HttpServletResponse) response).sendError(Response.Status.BAD_REQUEST.getStatusCode(),
                                 "User can't be a superuser:" + BLACK_LISTED_USERS_KEY);

