falcon-dev mailing list archives

From "Srikanth Sundarrajan (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FALCON-11) Add support for security in Falcon
Date Thu, 06 Feb 2014 06:58:15 GMT

    [ https://issues.apache.org/jira/browse/FALCON-11?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13893113#comment-13893113 ]

Srikanth Sundarrajan commented on FALCON-11:

Would be useful to add a comment in BasicAuthFilter around
                if (httpRequest.getMethod().equals("OPTIONS")) {
                    optionsServlet.service(request, response);
describing how KerberosAuthenticator works and why the OPTIONS method is required.

Can the blacklisted users be defaulted to maintain compatibility?
        String blackListedUserConfig = StartupProperties.get().getProperty(BLACK_LISTED_USER,

I am assuming that user.name query param is being passed from prism to server and since the
channel between prism & server is being secured, there is no further challenge required
from the server to validate prism. Please confirm.

One useful thing to document is
* What elements are created by falcon under what location and with what permissions &

Am putting down some notes, as I review this patch
oozie coord/bundle xmls: ${cluster.staging-location}/workflows/{entity}/{entity-name} - owner: falcon, Permission: 644
app logs: ${cluster.staging-location}/workflows/{entity}/{entity-name}/logs - owner: falcon, Permission: 777
config-store - owner: falcon, Permission: 750
Shared libs: {cluster.working}/{lib,libext} - owner: falcon, Permission: 755

LogProvider is creating a proxied file system to retrieve job logs, which are actually created
by the falcon user. Proxy may be unnecessary.
            // fs on behalf of the end user.
            FileSystem fs = HadoopClientFactory.get().createProxiedFileSystem(conf);
            String resolvedRunId = getResolvedRunId(fs, clusterObj, entity, instance, runId);

Latedata related data is written to ${cluster.staging-location}/workflows/{entity}/{entity-name}/logs/latedata
and since this folder is owned by falcon with 777 permissions, there is no need to proxy the
user in the LateDataHandler. Same thing applies for LateRerunConsumer & LateRerunHandler.

> Add support for security in Falcon
> ----------------------------------
>                 Key: FALCON-11
>                 URL: https://issues.apache.org/jira/browse/FALCON-11
>             Project: Falcon
>          Issue Type: Improvement
>    Affects Versions: 0.3
>            Reporter: Venkatesh Seetharam
>            Assignee: Venkatesh Seetharam
>              Labels: security
>         Attachments: FALCON-11.patch
>   Original Estimate: 336h
>  Remaining Estimate: 336h
> The following is the break up of tasks for Falcon to be secure and work with secure Hadoop.
> 1. Secure Falcon daemon - needs to login with keytabs
> 2. Secure Hadoop client interface - HDFS
> 3. Secure Oozie client interface
> 4. Secure Falcon Web Interface
> 5. Secure Falcon Client Interface
> ..etc.
