Falcon - Contents

In-Reply-To: <76d05d682c9342aaa0493dd1d18e2d15@git.apache.org> References: <76d05d682c9342aaa0493dd1d18e2d15@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [03/51] [partial] falcon git commit: Copying over falcon site related files to git asf-site http://git-wip-us.apache.org/repos/asf/falcon/blob/8609ffd6/site/0.7/OnBoarding.html ---------------------------------------------------------------------- diff --git a/site/0.7/OnBoarding.html b/site/0.7/OnBoarding.html new file mode 100644 index 0000000..fca1619 --- /dev/null +++ b/site/0.7/OnBoarding.html @@ -0,0 +1,368 @@ + + + + + + + + + Falcon - Contents + + + + + + + + + + + + + + + + + +

+ + +

+ +

+ + + +

+ +

Onboarding Steps
Sample Pipeline
Hive Examples

Onboarding Steps

Create cluster definition for the cluster, specifying name node, job tracker, workflow engine endpoint, messaging endpoint. Refer to cluster definition for details.
Create Feed definitions for each of the input and output specifying frequency, data path, ownership. Refer to feed definition for details.
Create Process definition for your job. Process defines configuration for the workflow job. Important attributes are frequency, inputs/outputs and workflow path. Refer to process definition for process details.
Define workflow for your job using the workflow engine(only oozie is supported as of now). Refer Oozie Workflow Specification. The libraries required for the workflow should be available in lib folder in workflow path.
Set-up workflow definition, libraries and referenced scripts on hadoop.
Submit cluster definition
Submit and schedule feed and process definitions

Sample Pipeline

Cluster

Cluster definition that contains end points for name node, job tracker, oozie and jms server: The cluster locations MUST be created prior to submitting a cluster entity to Falcon. staging must have 777 permissions and the parent dirs must have execute permissions working must have 755 permissions and the parent dirs must have execute permissions

+<?xml version="1.0"?>
+<!--
+    Cluster configuration
+  -->
+<cluster colo="ua2" description="" name="corp" xmlns="uri:falcon:cluster:0.1"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">    
+    <interfaces>
+        <interface type="readonly" endpoint="hftp://name-node.com:50070" version="2.5.0" />
+
+        <interface type="write" endpoint="hdfs://name-node.com:54310" version="2.5.0" />
+
+        <interface type="execute" endpoint="job-tracker:54311" version="2.5.0" />
+
+        <interface type="workflow" endpoint="http://oozie.com:11000/oozie/" version="4.0.1" />
+
+        <interface type="messaging" endpoint="tcp://jms-server.com:61616?daemon=true" version="5.1.6" />
+    </interfaces>
+
+    <locations>
+        <location name="staging" path="/projects/falcon/staging" />
+        <location name="temp" path="/tmp" />
+        <location name="working" path="/projects/falcon/working" />
+    </locations>
+</cluster>
+
+

Input Feed

Hourly feed that defines feed path, frequency, ownership and validity:

+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Hourly sample input data
+  -->
+
+<feed description="sample input data" name="SampleInput" xmlns="uri:falcon:feed:0.1"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    <groups>group</groups>
+
+    <frequency>hours(1)</frequency>
+
+    <late-arrival cut-off="hours(6)" />
+
+    <clusters>
+        <cluster name="corp" type="source">
+            <validity start="2009-01-01T00:00Z" end="2099-12-31T00:00Z" timezone="UTC" />
+            <retention limit="months(24)" action="delete" />
+        </cluster>
+    </clusters>
+
+    <locations>
+        <location type="data" path="/projects/bootcamp/data/${YEAR}-${MONTH}-${DAY}-${HOUR}/SampleInput" />
+        <location type="stats" path="/projects/bootcamp/stats/SampleInput" />
+        <location type="meta" path="/projects/bootcamp/meta/SampleInput" />
+    </locations>
+
+    <ACL owner="suser" group="users" permission="0755" />
+
+    <schema location="/none" provider="none" />
+</feed>
+
+

Output Feed

Daily feed that defines feed path, frequency, ownership and validity:

+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Daily sample output data
+  -->
+
+<feed description="sample output data" name="SampleOutput" xmlns="uri:falcon:feed:0.1"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    <groups>group</groups>
+
+    <frequency>days(1)</frequency>
+
+    <late-arrival cut-off="hours(6)" />
+
+    <clusters>
+        <cluster name="corp" type="source">
+            <validity start="2009-01-01T00:00Z" end="2099-12-31T00:00Z" timezone="UTC" />
+            <retention limit="months(24)" action="delete" />
+        </cluster>
+    </clusters>
+
+    <locations>
+        <location type="data" path="/projects/bootcamp/output/${YEAR}-${MONTH}-${DAY}/SampleOutput" />
+        <location type="stats" path="/projects/bootcamp/stats/SampleOutput" />
+        <location type="meta" path="/projects/bootcamp/meta/SampleOutput" />
+    </locations>
+
+    <ACL owner="suser" group="users" permission="0755" />
+
+    <schema location="/none" provider="none" />
+</feed>
+
+

Process

Sample process which runs daily at 6th hour on corp cluster. It takes one input - SampleInput for the previous day(24 instances). It generates one output - SampleOutput for previous day. The workflow is defined at /projects/bootcamp/workflow/workflow.xml. Any libraries available for the workflow should be at /projects/bootcamp/workflow/lib. The process also defines properties queueName, ssh.host, and fileTimestamp which are passed to the workflow. In addition, Falcon exposes the following properties to the workflow: nameNode, jobTracker(hadoop properties), input and output(Input/Output properties).

+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Daily sample process. Runs at 6th hour every day. Input - last day's hourly data. Generates output for yesterday
+ -->
+<process name="SampleProcess">
+    <cluster name="corp" />
+
+    <frequency>days(1)</frequency>
+
+    <validity start="2012-04-03T06:00Z" end="2022-12-30T00:00Z" timezone="UTC" />
+
+    <inputs>
+        <input name="input" feed="SampleInput" start="yesterday(0,0)" end="today(-1,0)" />
+    </inputs>
+
+    <outputs>
+            <output name="output" feed="SampleOutput" instance="yesterday(0,0)" />
+    </outputs>
+
+    <properties>
+        <property name="queueName" value="reports" />
+        <property name="ssh.host" value="host.com" />
+        <property name="fileTimestamp" value="${coord:formatTime(coord:nominalTime(), 'yyyy-MM-dd')}" />
+    </properties>
+
+    <workflow engine="oozie" path="/projects/bootcamp/workflow" />
+
+    <retry policy="periodic" delay="minutes(5)" attempts="3" />
+    
+    <late-process policy="exp-backoff" delay="hours(1)">
+        <late-input input="input" workflow-path="/projects/bootcamp/workflow/lateinput" />
+    </late-process>
+</process>
+
+

Oozie Workflow

The sample user workflow contains 3 actions:

Pig action - Executes pig script /projects/bootcamp/workflow/script.pig
concatenator - Java action that concatenates part files and generates a single file
file upload - ssh action that gets the concatenated file from hadoop and sends the file to a remote host

+<workflow-app xmlns="uri:oozie:workflow:0.2" name="sample-wf">
+        <start to="pig" />
+
+        <action name="pig">
+                <pig>
+                        <job-tracker>${jobTracker}</job-tracker>
+                        <name-node>${nameNode}</name-node>
+                        <prepare>
+                                <delete path="${output}"/>
+                        </prepare>
+                        <configuration>
+                                <property>
+                                        <name>mapred.job.queue.name</name>
+                                        <value>${queueName}</value>
+                                </property>
+                                <property>
+                                        <name>mapreduce.fileoutputcommitter.marksuccessfuljobs</name>
+                                        <value>true</value>
+                                </property>
+                        </configuration>
+                        <script>${nameNode}/projects/bootcamp/workflow/script.pig</script>
+                        <param>input=${input}</param>
+                        <param>output=${output}</param>
+                        <file>lib/dependent.jar</file>
+                </pig>
+                <ok to="concatenator" />
+                <error to="fail" />
+        </action>
+
+        <action name="concatenator">
+                <java>
+                        <job-tracker>${jobTracker}</job-tracker>
+                        <name-node>${nameNode}</name-node>
+                        <prepare>
+                                <delete path="${nameNode}/projects/bootcamp/concat/data-${fileTimestamp}.csv"/>
+                        </prepare>
+                        <configuration>
+                                <property>
+                                        <name>mapred.job.queue.name</name>
+                                        <value>${queueName}</value>
+                                </property>
+                        </configuration>
+                        <main-class>com.wf.Concatenator</main-class>
+                        <arg>${output}</arg>
+                        <arg>${nameNode}/projects/bootcamp/concat/data-${fileTimestamp}.csv</arg>
+                </java>
+                <ok to="fileupload" />
+                <error to="fail"/>
+        </action>
+                        
+        <action name="fileupload">
+                <ssh>
+                        <host>localhost</host>
+                        <command>/tmp/fileupload.sh</command>
+                        <args>${nameNode}/projects/bootcamp/concat/data-${fileTimestamp}.csv</args>
+                        <args>${wf:conf("ssh.host")}</args>
+                        <capture-output/>
+                </ssh>
+                <ok to="fileUploadDecision" />
+                <error to="fail"/>
+        </action>
+
+        <decision name="fileUploadDecision">
+                <switch>
+                        <case to="end">
+                                ${wf:actionData('fileupload')['output'] == '0'}
+                        </case>
+                        <default to="fail"/>
+                </switch>
+        </decision>
+
+        <kill name="fail">
+                <message>Workflow failed, error message[${wf:errorMessage(wf:lastErrorNode())}]</message>
+        </kill>
+
+        <end name="end" />
+</workflow-app>
+
+

File Upload Script

The script gets the file from hadoop, rsyncs the file to /tmp on remote host and deletes the file from hadoop

+#!/bin/bash
+
+trap 'echo "output=$?"; exit $?' ERR INT TERM
+
+echo "Arguments: $@"
+SRCFILE=$1
+DESTHOST=$3
+
+FILENAME=`basename $SRCFILE`
+rm -f /tmp/$FILENAME
+hadoop fs -copyToLocal $SRCFILE /tmp/
+echo "Copied $SRCFILE to /tmp"
+
+rsync -ztv --rsh=ssh --stats /tmp/$FILENAME $DESTHOST:/tmp
+echo "rsynced $FILENAME to $DESTUSER@$DESTHOST:$DESTFILE"
+
+hadoop fs -rmr $SRCFILE
+echo "Deleted $SRCFILE"
+
+rm -f /tmp/$FILENAME
+echo "output=0"
+
+

+ +

+ + + + http://git-wip-us.apache.org/repos/asf/falcon/blob/8609ffd6/site/0.7/Operability.html ---------------------------------------------------------------------- diff --git a/site/0.7/Operability.html b/site/0.7/Operability.html new file mode 100644 index 0000000..38736e8 --- /dev/null +++ b/site/0.7/Operability.html @@ -0,0 +1,153 @@ + + + + + + + + + Falcon - Operationalizing Falcon + + + + + + + + + + + + + + + + + +

+ + +

+ +

+ + + +

+ +

Operationalizing Falcon

Overview

Apache Falcon provides various tools to operationalize Falcon consisting of Alerts for unrecoverable errors, Audits of user actions, Metrics, and Notifications. They are detailed below.

++ Lineage

Currently Lineage has no way to access or restore information about entity instances created during the time lineage was disabled. Information about entities however, is preserved and bootstrapped when lineage is enabled. If you have to reset the graph db then you can delete the graph db files as specified in the startup.properties and restart the falcon. Please note: you will loose all the information about the instances if you delete the graph db.

Monitoring

Falcon provides monitoring of various events by capturing metrics of those events. The metric numbers can then be used to monitor performance and health of the Falcon system and the entire processing pipelines.

Falcon also exposes metrics for titandb

Users can view the logs of these events in the metric.log file, by default this file is created under ${user.dir}/logs/ directory. Users may also extend the Falcon monitoring framework to send events to systems like Mondemand/lwes by implementingorg.apache.falcon.plugin.MonitoringPlugin interface.

The following events are captured by Falcon for logging the metrics:

New cluster definitions posted to Falcon (success & failures)
New feed definition posted to Falcon (success & failures)
New process definition posted to Falcon (success & failures)
Process update events (success & failures)
Feed update events (success & failures)
Cluster update events (success & failures)
Process suspend events (success & failures)
Feed suspend events (success & failures)
Process resume events (success & failures)
Feed resume events (success & failures)
Process remove events (success & failures)
Feed remove events (success & failures)
Cluster remove events (success & failures)
Process instance kill events (success & failures)
Process instance re-run events (success & failures)
Process instance generation events
Process instance failure events
Process instance auto-retry events
Process instance retry exhaust events
Feed instance deletion event
Feed instance deletion failure event (no retries)
Feed instance replication event
Feed instance replication failure event
Feed instance replication auto-retry event
Feed instance replication retry exhaust event
Feed instance late arrival event
Feed instance post cut-off arrival event
Process re-run due to late feed event
Transaction rollback failed event

The metric logged for an event has the following properties:

Action - Name of the event.
Dimensions - A list of name/value pairs of various attributes for a given action.
Status- Status of an action FAILED/SUCCEEDED.
Time-taken - Time taken in nanoseconds for a given action.

An example for an event logged for a submit of a new process definition:

2012-05-04 12:23:34,026 {Action:submit, Dimensions:{entityType=process}, Status: SUCCEEDED, Time-taken:97087000 ns}

Users may parse the metric.log or capture these events from custom monitoring frameworks and can plot various graphs or send alerts according to their requirements.

Notifications

Falcon creates a JMS topic for every process/feed that is scheduled in Falcon. The implementation class and the broker url of the JMS engine are read from the dependent cluster's definition. Users may register consumers on the required topic to check the availability or status of feed instances.

For a given process that is scheduled, the name of the topic is same as the process name. Falcon sends a Map message for every feed produced by the instance of a process to the JMS topic. The JMS MapMessage sent to a topic has the following properties: entityName, feedNames, feedInstancePath, workflowId, runId, nominalTime, timeStamp, brokerUrl, brokerImplClass, entityType, operation, logFile, topicName, status, brokerTTL;

For a given feed that is scheduled, the name of the topic is same as the feed name. Falcon sends a map message for every feed instance that is deleted/archived/replicated depending upon the retention policy set in the feed definition. The JMS MapMessage sent to a topic has the following properties: entityName, feedNames, feedInstancePath, workflowId, runId, nominalTime, timeStamp, brokerUrl, brokerImplClass, entityType, operation, logFile, topicName, status, brokerTTL;

The JMS messages are automatically purged after a certain period (default 3 days) by the Falcon JMS house-keeping service.TTL (Time-to-live) for JMS message can be configured in the Falcon's startup.properties file.

Alerts

Falcon generates alerts for unrecoverable errors into a log file by default. Users can view these alerts in the alerts.log file, by default this file is created under ${user.dir}/logs/ directory.

Users may also extend the Falcon Alerting plugin to send events to systems like Nagios, etc. by extending org.apache.falcon.plugin.AlertingPlugin interface.

Audits

Falcon audits all user activity and captures them into a log file by default. Users can view these audits in the audit.log file, by default this file is created under ${user.dir}/logs/ directory.

Users may also extend the Falcon Audit plugin to send audits to systems like Apache Argus, etc. by extending org.apache.falcon.plugin.AuditingPlugin interface.

+ +

+ + + + http://git-wip-us.apache.org/repos/asf/falcon/blob/8609ffd6/site/0.7/PrismSetup.png ---------------------------------------------------------------------- diff --git a/site/0.7/PrismSetup.png b/site/0.7/PrismSetup.png new file mode 100644 index 0000000..b0dc9a5 Binary files /dev/null and b/site/0.7/PrismSetup.png differ http://git-wip-us.apache.org/repos/asf/falcon/blob/8609ffd6/site/0.7/ProcessSchedule.png ---------------------------------------------------------------------- diff --git a/site/0.7/ProcessSchedule.png b/site/0.7/ProcessSchedule.png new file mode 100644 index 0000000..a7dd788 Binary files /dev/null and b/site/0.7/ProcessSchedule.png differ http://git-wip-us.apache.org/repos/asf/falcon/blob/8609ffd6/site/0.7/Recipes.html ---------------------------------------------------------------------- diff --git a/site/0.7/Recipes.html b/site/0.7/Recipes.html new file mode 100644 index 0000000..7146f3d --- /dev/null +++ b/site/0.7/Recipes.html @@ -0,0 +1,166 @@ + + + + + + + + + Falcon - Falcon Recipes + + + + + + + + + + + + + + + + + +

+ + +

+ +

+ + + +

+ +

Falcon Recipes

Overview

A Falcon recipe is a static process template with parameterized workflow to realize a specific use case. Recipes are defined in user space. Recipes will not have support for update or lifecycle management.

For example:

Replicating directories from one HDFS cluster to another (not timed partitions)
Replicating hive metadata (database, table, views, etc.)
Replicating between HDFS and Hive - either way
Data masking etc.

Proposal

Falcon provides a Process abstraction that encapsulates the configuration for a user workflow with scheduling controls. All recipes can be modeled as a Process with in Falcon which executes the user workflow periodically. The process and its associated workflow are parameterized. The user will provide a properties file with name value pairs that are substituted by falcon before scheduling it. Falcon translates these recipes as a process entity by replacing the parameters in the workflow definition.

Falcon CLI recipe support

Recipe command usage is defined here.

CLI accepts recipe option with a recipe name and optional tool and does the following:

Validates the options; name option is mandatory and tool is optional and should be provided if user wants to override the base recipe tool
Looks for <name>-workflow.xml, <name>-template.xml and <name>.properties file in the path specified by falcon.recipe.path in client.properties. If files cannot be found then Falcon CLI will fail
Invokes a Tool to substitute the properties in the templated process for the recipe. By default invokes base tool if tool option is not passed. Tool is responsible for generating process entity at the path specified by FalconCLI
Validates the generated entity
Submit and schedule this entity
Generated process entity files are stored in tmp directory

Base Recipe tool

Falcon provides a base tool that recipes can override. Base Recipe tool does the following:

Expects recipe template file path, recipe properties file path and path where process entity to be submitted should be generated. Validates these arguments
Validates the artifacts i.e. workflow and/or lib files specified in the recipe template exists on local filesystem or HDFS at the specified path else returns error
Copies if the artifacts exists on local filesystem +
- If workflow is on local FS then falcon.recipe.workflow.path in recipe property file is mandatory for it to be copied to HDFS. If templated process requires custom libs falcon.recipe.workflow.lib.path property is mandatory for them to be copied from Local FS to HDFS. Recipe tool will copy the local artifacts only if these properties are set in properties file
Looks for the patten ##[A-Za-z0-9_.]*## in the templated process and substitutes it with the properties. Process entity generated after the substitution is written to the empty file passed by FalconCLI

Recipe template file format

Any templatized string should be in the format ##[A-Za-z0-9_.]*##.
There should be a corresponding entry in the recipe properties file "falcon.recipe.<templatized-string> = <value to be substituted>"

+Example: If the entry in recipe template is <workflow name="##workflow.name##"> there should be a corresponding entry in the recipe properties file falcon.recipe.workflow.name=hdfs-dr-workflow
+
+

Recipe properties file format

Regular key value pair properties file
Property key should be prefixed by "falcon.recipe."

+Example: falcon.recipe.workflow.name=hdfs-dr-workflow
+Recipe template will have <workflow name="##workflow.name##">. Recipe tool will look for the patten ##workflow.name##
+and replace it with the property value "hdfs-dr-workflow". Substituted template will have <workflow name="hdfs-dr-workflow">
+
+

Managing the scheduled recipe process

Scheduled recipe process is similar to regular process +
- List : falcon entity -type process -name <recipe-process-name> -list
- Status : falcon entity -type process -name <recipe-process-name> -status
- Delete : falcon entity -type process -name <recipe-process-name> -delete

Sample recipes

Sample recipes are published in addons/recipes

Packaging

There is no packaging for recipes at this time but will be added soon.

+ +

+ + + + http://git-wip-us.apache.org/repos/asf/falcon/blob/8609ffd6/site/0.7/Security.html ---------------------------------------------------------------------- diff --git a/site/0.7/Security.html b/site/0.7/Security.html new file mode 100644 index 0000000..73f67a9 --- /dev/null +++ b/site/0.7/Security.html @@ -0,0 +1,510 @@ + + + + + + + + + Falcon - Securing Falcon + + + + + + + + + + + + + + + + + +

+ + +

+ +

+ + + +

+ +

Securing Falcon

Overview

Apache Falcon enforces authentication and authorization which are detailed below. Falcon also provides transport level security ensuring data confidentiality and integrity.

Authentication (User Identity)

Apache Falcon enforces authentication on protected resources. Once authentication has been established it sets a signed HTTP Cookie that contains an authentication token with the user name, user principal, authentication type and expiration time.

It does so by using Hadoop Auth. Hadoop Auth is a Java library consisting of a client and a server components to enable Kerberos SPNEGO authentication for HTTP. Hadoop Auth also supports additional authentication mechanisms on the client and the server side via 2 simple interfaces.

Authentication Methods

It supports 2 authentication methods, simple and kerberos out of the box.

Pseudo/Simple Authentication

Falcon authenticates the user by simply trusting the value of the query string parameter 'user.name'. This is the default mode Falcon is configured with.

Kerberos Authentication

Falcon uses HTTP Kerberos SPNEGO to authenticate the user.

Authorization

Falcon also enforces authorization on Entities using ACLs (Access Control Lists). ACLs are useful for implementing permission requirements and provide a way to set different permissions for specific users or named groups.

By default, support for authorization is disabled and can be enabled in startup.properties.

ACLs in Entity

All Entities now have ACL which needs to be present if authorization is enabled. Only owners who own or created the entity will be allowed to update or delete their entities.

An entity has ACLs (Access Control Lists) that are useful for implementing permission requirements and provide a way to set different permissions for specific users or named groups.

+    <ACL owner="test-user" group="test-group" permission="*"/>
+
+

ACL indicates the Access control list for this cluster. owner is the Owner of this entity. group is the one which has access to read. permission indicates the rwx is not enforced at this time.

Super-User

The super-user is the user with the same identity as falcon process itself. Loosely, if you started the falcon, then you are the super-user. The super-user can do anything in that permissions checks never fail for the super-user. There is no persistent notion of who was the super-user; when the falcon is started the process identity determines who is the super-user for now. The Falcon super-user does not have to be the super-user of the falcon host, nor is it necessary that all clusters have the same super-user. Also, an experimenter running Falcon on a personal workstation, conveniently becomes that installation's super-user without any configuration.

Falcon also allows users to configure a super user group and allows users belonging to this group to be a super user.

ACL owner and group must be valid even if the authenticated user is a super-user.

Group Memberships

Once a user has been authenticated and a username has been determined, the list of groups is determined by a group mapping service, configured by the hadoop.security.group.mapping property in Hadoop. The default implementation, org.apache.hadoop.security.ShellBasedUnixGroupsMapping, will shell out to the Unix bash -c groups command to resolve a list of groups for a user.

Note that Falcon stores the user and group of an Entity as strings; there is no conversion from user and group identity numbers as is conventional in Unix.

The only limitation is that a user cannot add a group in ACL that he does not belong to.

Authorization Provider

Falcon provides a plugin-able provider interface for Authorization. It also ships with a default implementation that enforces the following authorization policy.

Entity and Instance Management Operations Policy

All Entity and Instance operations are authorized for users who created them, Owners and users with group memberships
Reference to entities with in a feed or process is allowed with out enforcing permissions

Any Feed or Process can refer to a Cluster entity not owned by the Feed or Process owner. Any Process can refer to a Feed entity not owned by the Process owner

The authorization is enforced in the following way:

if admin resource, +
- If authenticated user name matches the admin users configuration
- Else if groups of the authenticated user matches the admin groups configuration
- Else authorization exception is thrown
Else if entities or instance resource +
- If the authenticated user matches the owner in ACL for the entity
- Else if the groups of the authenticated user matches the group in ACL for the entity
- Else authorization exception is thrown
Else if lineage resource +
- All have read-only permissions, reason being folks should be able to examine the dependency and allow reuse

To authenticate user for REST api calls, user should append "user.name=<username>" to the query.

operations on Entity Resource

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Resource	Description	Authorization
api/entities/validate/:entity-type	Validate the entity	Owner/Group
api/entities/submit/:entity-type	Submit the entity	Owner/Group
api/entities/update/:entity-type/:entity-name	Update the entity	Owner/Group
api/entities/submitAndSchedule/:entity-type	Submit & Schedule the entity	Owner/Group
api/entities/schedule/:entity-type/:entity-name	Schedule the entity	Owner/Group
api/entities/suspend/:entity-type/:entity-name	Suspend the entity	Owner/Group
api/entities/resume/:entity-type/:entity-name	Resume the entity	Owner/Group
api/entities/delete/:entity-type/:entity-name	Delete the entity	Owner/Group
api/entities/status/:entity-type/:entity-name	Get the status of the entity	Owner/Group
api/entities/definition/:entity-type/:entity-name	Get the definition of the entity	Owner/Group
api/entities/list/:entity-type?fields=:fields	Get the list of entities	Owner/Group
api/entities/dependencies/:entity-type/:entity-name	Get the dependencies of the entity	Owner/Group

REST Call on Feed and Process Instances +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Resource	Description	Authorization
api/instance/running/:entity-type/:entity-name	List of running instances.	Owner/Group
api/instance/status/:entity-type/:entity-name	Status of a given instance	Owner/Group
api/instance/kill/:entity-type/:entity-name	Kill a given instance	Owner/Group
api/instance/suspend/:entity-type/:entity-name	Suspend a running instance	Owner/Group
api/instance/resume/:entity-type/:entity-name	Resume a given instance	Owner/Group
api/instance/rerun/:entity-type/:entity-name	Rerun a given instance	Owner/Group
api/instance/logs/:entity-type/:entity-name	Get logs of a given instance	Owner/Group

Admin Resources Policy

Only users belonging to admin users or groups have access to this resource. Admin membership is determined by a static configuration parameter.

+ + + + + + + + + + + + + + + + +

Resource	Description	Authorization
api/admin/version	Get version of the server	No restriction
api/admin/stack	Get stack of the server	Admin User/Group
api/admin/config/:config-type	Get configuration information of the server	Admin User/Group

Lineage Resource Policy

Lineage is read-only and hence all users can look at lineage for their respective entities. Note: This gap will be fixed in a later release.

Authentication Configuration

Following is the Server Side Configuration Setup for Authentication.

Common Configuration Parameters

+# Authentication type must be specified: simple|kerberos
+*.falcon.authentication.type=kerberos
+
+

Kerberos Configuration

+##### Service Configuration
+
+# Indicates the Kerberos principal to be used in Falcon Service.
+*.falcon.service.authentication.kerberos.principal=falcon/_HOST@EXAMPLE.COM
+
+# Location of the keytab file with the credentials for the Service principal.
+*.falcon.service.authentication.kerberos.keytab=/etc/security/keytabs/falcon.service.keytab
+
+# name node principal to talk to config store
+*.dfs.namenode.kerberos.principal=nn/_HOST@EXAMPLE.COM
+
+# Indicates how long (in seconds) falcon authentication token is valid before it has to be renewed.
+*.falcon.service.authentication.token.validity=86400
+
+##### SPNEGO Configuration
+
+# Authentication type must be specified: simple|kerberos|<class>
+# org.apache.falcon.security.RemoteUserInHeaderBasedAuthenticationHandler can be used for backwards compatibility
+*.falcon.http.authentication.type=kerberos
+
+# Indicates how long (in seconds) an authentication token is valid before it has to be renewed.
+*.falcon.http.authentication.token.validity=36000
+
+# The signature secret for signing the authentication tokens.
+*.falcon.http.authentication.signature.secret=falcon
+
+# The domain to use for the HTTP cookie that stores the authentication token.
+*.falcon.http.authentication.cookie.domain=
+
+# Indicates if anonymous requests are allowed when using 'simple' authentication.
+*.falcon.http.authentication.simple.anonymous.allowed=true
+
+# Indicates the Kerberos principal to be used for HTTP endpoint.
+# The principal MUST start with 'HTTP/' as per Kerberos HTTP SPNEGO specification.
+*.falcon.http.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
+
+# Location of the keytab file with the credentials for the HTTP principal.
+*.falcon.http.authentication.kerberos.keytab=/etc/security/keytabs/spnego.service.keytab
+
+# The kerberos names rules is to resolve kerberos principal names, refer to Hadoop's KerberosName for more details.
+*.falcon.http.authentication.kerberos.name.rules=DEFAULT
+
+# Comma separated list of black listed users
+*.falcon.http.authentication.blacklisted.users=
+
+# Increase Jetty request buffer size to accommodate the generated Kerberos token
+*.falcon.jetty.request.buffer.size=16192
+
+

Pseudo/Simple Configuration

+##### SPNEGO Configuration
+
+# Authentication type must be specified: simple|kerberos|<class>
+# org.apache.falcon.security.RemoteUserInHeaderBasedAuthenticationHandler can be used for backwards compatibility
+*.falcon.http.authentication.type=simple
+
+# Indicates how long (in seconds) an authentication token is valid before it has to be renewed.
+*.falcon.http.authentication.token.validity=36000
+
+# The signature secret for signing the authentication tokens.
+*.falcon.http.authentication.signature.secret=falcon
+
+# The domain to use for the HTTP cookie that stores the authentication token.
+*.falcon.http.authentication.cookie.domain=
+
+# Indicates if anonymous requests are allowed when using 'simple' authentication.
+*.falcon.http.authentication.simple.anonymous.allowed=true
+
+# Comma separated list of black listed users
+*.falcon.http.authentication.blacklisted.users=
+
+

Authorization Configuration

Enabling Authorization

By default, support for authorization is disabled and specifying ACLs in entities are optional. To enable support for authorization, set falcon.security.authorization.enabled to true in the startup configuration.

+# Authorization Enabled flag: false|true
+*.falcon.security.authorization.enabled=true
+
+

Authorization Provider

Falcon provides a basic implementation for Authorization bundled, org.apache.falcon.security .DefaultFalconAuthorizationProvider. This can be overridden by custom implementations in the startup configuration.

+# Authorization Provider Fully Qualified Class Name
+*.falcon.security.authorization.provider=org.apache.falcon.security.DefaultAuthorizationProvider
+
+

Super User Group

Super user group is determined by the configuration:

+# The name of the group of super-users
+*.falcon.security.authorization.superusergroup=falcon
+
+

Admin Membership

Administrative users are determined by the configuration:

+# Admin Users, comma separated users
+*.falcon.security.authorization.admin.users=falcon,ambari-qa,seetharam
+
+

Administrative groups are determined by the configuration:

+# Admin Group Membership, comma separated users
+*.falcon.security.authorization.admin.groups=falcon,testgroup,staff
+
+

SSL

Falcon provides transport level security ensuring data confidentiality and integrity. This is enabled by default for communicating over HTTP between the client and the server.

SSL Configuration

+*.falcon.enableTLS=true
+*.keystore.file=/path/to/keystore/file
+*.keystore.password=password
+
+

Distributed Falcon Setup

Falcon should be configured to communicate with Prism over TLS in secure mode. Its not enabled by default.

Changes to ownership and permissions of directories managed by Falcon

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Directory	Location	Owner	Permissions
Configuration Store	${config.store.uri}	falcon	700
Cluster Staging Location	${cluster.staging-location}	falcon	777
Cluster Working Location	${cluster.working-location}	falcon	755
Shared libs	{cluster.working}/{lib,libext}	falcon	755
Oozie coord/bundle XMLs	${cluster.staging-location}/workflows/{entity}/{entity-name}	$user	cluster umask
App logs	${cluster.staging-location}/workflows/{entity}/{entity-name}/logs	$user	cluster umask

Note: Please note that the cluster staging and working locations MUST be created prior to submitting a cluster entity to Falcon. Also, note that the the parent dirs must have execute permissions.

Backwards compatibility

Scheduled Entities

Entities already scheduled with an earlier version of Falcon are not compatible with this version

Falcon Clients

Older Falcon clients are backwards compatible wrt Authentication and user information sent as part of the HTTP header, Remote-User is still honoured when the authentication type is configured as below:

+*.falcon.http.authentication.type=org.apache.falcon.security.RemoteUserInHeaderBasedAuthenticationHandler
+
+

Blacklisted super users for authentication

The blacklist users used to have the following super users: hdfs, mapreduce, oozie, and falcon. The list is externalized from code into Startup.properties file and is empty now and needs to be configured specifically in the file.

Falcon Dashboard

To initialize the current user for dashboard, user should append query param "user.name=<username>" to the REST api call.

If dashboard user wishes to change the current user, they should do the following.

delete the hadoop.auth cookie from browser cache.
append query param "user.name=<new_user>" to the next REST API call.

In Kerberos method, the browser must support HTTP Kerberos SPNEGO.

Known Limitations

ActiveMQ topics are not secure but will be in the near future
Entities already scheduled with an earlier version of Falcon are not compatible with this version as new

workflow parameters are being passed back into Falcon such as the user are required +

Use of hftp as the scheme for read only interface in cluster entity will not work in Oozie

The alternative is to use webhdfs scheme instead and its been tested with DistCp.

Examples

Accessing the server using Falcon CLI (Java client)

There is no change in the way the CLI is used. The CLI has been changed to work with the configured authentication method.

Accessing the server using curl

Try accessing protected resources using curl. The protected resources are:

+$ kinit
+Please enter the password for venkatesh@LOCALHOST:
+
+$ curl http://localhost:15000/api/admin/version
+
+$ curl http://localhost:15000/api/admin/version?user.name=venkatesh
+
+$ curl --negotiate -u foo -b ~/cookiejar.txt -c ~/cookiejar.txt curl http://localhost:15000/api/admin/version
+
+

+ +

+ + + +