falcon-dev mailing list archives
From "Nikhil Mulley (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FALCON-14) secure falcon daemon
Date Tue, 14 May 2013 19:01:16 GMT

[ https://issues.apache.org/jira/browse/FALCON-14?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13657383#comment-13657383 ]

Nikhil Mulley commented on FALCON-14:
-------------------------------------

Hi Venkatesh,

This looks interesting. 

Had a brief look at the patch.

>>
+            String keytabFile = StartupProperties.get().getProperty(
+                    KERBEROS_KEYTAB, System.getProperty("user.home") + "/ivory.service.keytab").trim();
+            if (keytabFile.length() == 0) {
+                throw new FalconException("Missing required configuration property: "
+                        + KERBEROS_KEYTAB);
+            }
>>
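Review bot: the check `if (keytabFile.length() == 0)` cannot detect a missing `KERBEROS_KEYTAB` property, because the preceding `getProperty` call supplies `System.getProperty("user.home") + "/ivory.service.keytab"` as a default, so the only way to reach the "Missing required configuration property" exception is to set the property explicitly to blank or whitespace; either drop the default and fail when the property is absent, or replace the length check with one that verifies the resolved path exists and is readable by the service user, since the current message is misleading either way. The default file name also still carries the old `ivory` name.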

Can you also please check the mode and user permissions of the keytab file before initiating
the app authentication? It would be a key intermediate step to read and impose the necessary
permissions on the keytab before the startup/initialization of the Kerberos methods (although
the API should be able to handle it well and bail out), but the application-specific user should
also have proper permissions on the keytab and impose the necessary mode for operability.
For more security, I would suggest you impose another directory called ".krb5" under the home
directory, which should have permissions restricted to the owner of the home directory only.
Like, what if the home directory is mistakenly writeable? Although this is more of an admin/setup
item. Although, in most scenarios, I would store all service-related keytabs under a single
hood, /etc/security/keytabs.

Also, now that we are calling the project 'Falcon' officially, it perhaps makes sense to replace
s#ivory#falcon#g :-)


>>
+            UserGroupInformation.setConfiguration(conf);
+            UserGroupInformation.loginUserFromKeytab(principal, keytabFile);
+
+            LOG.info("Got Kerberos ticket, keytab: " + keytabFile
+                    + ", Ivory principal principal: " + principal);
>>
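Review bot: the `LOG.info` message repeats the word "principal" (", Ivory principal principal: ") and still uses the old project name; suggest `+ ", Falcon principal: " + principal`. Logging the keytab path after a successful `loginUserFromKeytab` is fine, but since `UserGroupInformation.setConfiguration(conf)` is what decides whether Hadoop runs in secure mode, consider also logging the authentication method configured in `conf` on the same line so a run that silently fell back to simple auth is distinguishable in the logs.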

Can you please log where the credentials cache is acquired and stored? I think it can be
imposed where to store the credential cache with KRB5CCNAME over the command line with mit-krb5;
not sure about the Java API though.


>>
+
+######### Debugging parameters #########
 
 debug.config.store.uri=${user.dir}/target/store
 debug.config.oozie.conf.uri=${user.dir}/target/oozie
@@ -50,16 +53,41 @@ debug.system.lib.location=${user.dir}/webapp/target/falcon-webapp-0.2-SNAPSHOT/W
 debug.broker.url=vm://localhost
 debug.retry.recorder.path=${user.dir}/target/retry
 
>>
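Review bot: the `falcon-webapp-0.2-SNAPSHOT` literal sits in the `@@ -50,16 +53,41 @@` context line for `debug.system.lib.location`, i.e. an existing line this patch does not touch, so the hard-coding predates the patch but will still go stale on every version bump; suggest substituting a build-time property (for instance Maven's `${project.version}`, assuming the build filters this properties file) for the literal. Also, the hunk grows the file from 16 to 41 lines while the quoted fragment shows only the added `######### Debugging parameters #########` heading, so the Kerberos keys the code reads (`KERBEROS_KEYTAB` and the principal) presumably land in the unquoted part; a `+` line for each, with a comment giving its default, would help readers of the properties file.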

Why is falcon-webapp-0.2-SNAPSHOT hardcoded?


Nikhil
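The keytab permission check suggested in the comment above, written out as an added example (this is not code from the Falcon patch or the Falcon project). It assumes a POSIX filesystem, a Java 7+ runtime for `java.nio.file`, and a hypothetical `KeytabException` in place of Falcon's `FalconException`; the default path under `~/.krb5/` and the `falcon.service.keytab` file name are constructed to mirror the suggestion, not taken from the patch. The check rejects a keytab that is not a regular file, is not owned by the running user, is readable or writable by group/other, or lives in a group/world-writable directory, and returns the absolute path only when all of that holds, so the caller hands a vetted path to `UserGroupInformation.loginUserFromKeytab`.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.nio.file.attribute.UserPrincipal;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;

public final class KeytabCheck {

    /** Hypothetical stand-in for FalconException: the keytab is missing, unreadable or exposed. */
    public static final class KeytabException extends Exception {
        public KeytabException(String msg) { super(msg); }
    }

    /** Any of these bits set on the keytab means a user other than the owner can touch it. */
    private static final Set<PosixFilePermission> FORBIDDEN = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.GROUP_EXECUTE, PosixFilePermission.OTHERS_READ,
            PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    /**
     * Verifies the keytab before any Kerberos login is attempted and returns its absolute path.
     * Symlinks are not followed, so a link planted at the expected path is rejected outright.
     */
    public static Path verifyKeytab(String keytabFile) throws KeytabException, IOException {
        if (keytabFile == null || keytabFile.trim().isEmpty()) {
            throw new KeytabException("keytab path is empty");
        }
        Path keytab = Paths.get(keytabFile.trim());

        if (!Files.isRegularFile(keytab, LinkOption.NOFOLLOW_LINKS)) {
            throw new KeytabException("keytab is not a regular file: " + keytab);
        }
        if (!Files.isReadable(keytab)) {
            throw new KeytabException("keytab is not readable by this process: " + keytab);
        }

        // The service user, not root or a shared account, must own the keytab.
        UserPrincipal owner = Files.getOwner(keytab, LinkOption.NOFOLLOW_LINKS);
        String me = System.getProperty("user.name");
        if (!owner.getName().equals(me)) {
            throw new KeytabException("keytab " + keytab + " is owned by " + owner.getName()
                    + ", expected " + me);
        }

        // Mode must be 0600 or 0400: no group/other bits at all.
        Set<PosixFilePermission> mode =
                Files.getPosixFilePermissions(keytab, LinkOption.NOFOLLOW_LINKS);
        if (!Collections.disjoint(mode, FORBIDDEN)) {
            throw new KeytabException("keytab " + keytab + " has mode "
                    + PosixFilePermissions.toString(mode) + "; only the owner may access it");
        }

        // A writable parent directory lets anyone replace the keytab, whatever its own mode.
        Path dir = keytab.toAbsolutePath().getParent();
        Set<PosixFilePermission> dirMode = Files.getPosixFilePermissions(dir);
        if (dirMode.contains(PosixFilePermission.GROUP_WRITE)
                || dirMode.contains(PosixFilePermission.OTHERS_WRITE)) {
            throw new KeytabException("directory " + dir + " holding the keytab is group/world writable");
        }
        return keytab.toAbsolutePath();
    }

    public static void main(String[] args) throws Exception {
        // Constructed default mirroring the ".krb5 under home" suggestion (hypothetical path).
        String keytabFile = args.length > 0 ? args[0]
                : System.getProperty("user.home") + "/.krb5/falcon.service.keytab";
        Path vetted = verifyKeytab(keytabFile);
        System.out.println("keytab passes checks: " + vetted);
        // Only now hand the vetted path to Hadoop, e.g.:
        //   UserGroupInformation.setConfiguration(conf);
        //   UserGroupInformation.loginUserFromKeytab(principal, vetted.toString());
    }
}
```

On the second question in the comment (where the credential cache ends up): with Hadoop's keytab login the ticket-granting ticket is held in the JVM's JAAS Subject rather than written to a file credential cache, so `KRB5CCNAME` does not steer it the way it steers `kinit`; logging the keytab path and principal, as the patch does, is therefore the useful thing to record, and the permission check above is what makes that path trustworthy.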

> secure falcon daemon
> --------------------
>
>                 Key: FALCON-14
>                 URL: https://issues.apache.org/jira/browse/FALCON-14
>             Project: Falcon
>          Issue Type: Sub-task
>            Reporter: Venkatesh Seetharam
>            Assignee: Venkatesh Seetharam
>         Attachments: FALCON-14.patch
>
>
> Add Authentication to falcon.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
