falcon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Venkatesh Seetharam (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FALCON-11) Add support for security in Falcon
Date Fri, 07 Feb 2014 00:50:21 GMT

    [ https://issues.apache.org/jira/browse/FALCON-11?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13894051#comment-13894051
] 

Venkatesh Seetharam commented on FALCON-11:
-------------------------------------------

Thanks [~sriksun] for taking time to review this and much appreciated.

bq. Would be useful to add a comment in BasicAuthFilter around
OK. hadoop-auth has some but will add

bq. Can the blacklisted users be defaulted to maintain compatibility
Its not desirable since the list is not exhaustive, does not have hive, etc. Also, users can
chose to run services under a different name. 
[~arpitgupta], can you comment on why this is not desirable? Is it hard to add it in startup.properties?

bq. I am assuming that user.name query param is being passed from prism to server and since
the channel between prism & server is being secured, there is no further challenge required
from the server to validate prism. Please confirm
Thats the intent but the BasicAuthFilter is configured ofr the sync path which needs to be
removed in FALCON-229.

bq. One useful thing to document is What elements are created by falcon under what location
and with what permissions & ownership
Nothing has changed except that its more tight now. Where should this be documented?

bq. LogProvider is creating a proxies file system to retrieve job logs, which are actually
created by the falcon user. Proxy may be unnecessary.
This was part of review request and is taken care of. But it all depends on the default umask.
The umask is not inherited from the parent dir but the default is 755 which should be fine
for this.

bq Latedata related data is written to folder is owned by falcon with 777 permissions, there
is no need to proxy the user in the LateDataHandler. Same thing applies for LateRerunConsumer
& LateRerunHandler
Yes, taken care of. 

bq. Now that we have gone through individual JIRAs, If you provide a revised merged patch
(in this issue) along with individual patches against respective JIRAs, it might help to review
them faster and also commit.
Yes sir. Will test it once and upload the patch. Thanks!

> Add support for security in Falcon
> ----------------------------------
>
>                 Key: FALCON-11
>                 URL: https://issues.apache.org/jira/browse/FALCON-11
>             Project: Falcon
>          Issue Type: Improvement
>    Affects Versions: 0.3
>            Reporter: Venkatesh Seetharam
>            Assignee: Venkatesh Seetharam
>              Labels: security
>         Attachments: FALCON-11.patch
>
>   Original Estimate: 336h
>  Remaining Estimate: 336h
>
> The following is the break up of tasks for Falcon to be secure and work with secure Hadoop.
> 1. Secure Falcon daemon - needs to login with keytabs
> 2. Secure Hadoop client interface - HDFS
> 3. Secure Oozie client interface
> 4. Secure Falcon Web Interface
> 5. Secure Falcon Client Interface
> ..etc.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Mime
View raw message