falcon-dev mailing list archives

From "Srikanth Sundarrajan (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (FALCON-11) Add support for security in Falcon
Date Thu, 06 Feb 2014 07:08:13 GMT

    [ https://issues.apache.org/jira/browse/FALCON-11?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13893113#comment-13893113 ]

Srikanth Sundarrajan edited comment on FALCON-11 at 2/6/14 7:06 AM:
--------------------------------------------------------------------

Would be useful to add a comment in BasicAuthFilter around
{code}
                if (httpRequest.getMethod().equals("OPTIONS")) {
                    optionsServlet.service(request, response);
{code}
describing how KerberosAuthenticator works and why the OPTIONS method is required.

Can the blacklisted users be defaulted to maintain compatibility?
{code}
        String blackListedUserConfig = StartupProperties.get().getProperty(BLACK_LISTED_USER, <<default-values>>);
{code}

I am assuming that user.name query param is being passed from prism to server and since the
channel between prism & server is being secured, there is no further challenge required
from the server to validate prism. Please confirm.

One useful thing to document is
* What elements are created by falcon under what location and with what permissions & ownership

Am putting down some notes, as I review this patch
{code}
oozie coord/bundle xmls: ${cluster.staging-location}/workflows/{entity}/{entity-name} - owner: falcon, Permission: 644
app logs: ${cluster.staging-location}/workflows/{entity}/{entity-name}/logs - owner: falcon, Permission: 777
config-store - owner: falcon, Permission: 750
Shared libs: {cluster.working}/{lib,libext} - owner: falcon, Permission: 755
{code}

LogProvider is creating a proxied file system to retrieve job logs, which are actually created
by the falcon user. Proxy may be unnecessary.
{code}
            // fs on behalf of the end user.
            FileSystem fs = HadoopClientFactory.get().createProxiedFileSystem(conf);
            String resolvedRunId = getResolvedRunId(fs, clusterObj, entity, instance, runId);
{code}

Latedata related data is written to
{code}
${cluster.staging-location}/workflows/{entity}/{entity-name}/logs/latedata
{code}
and since this folder is owned by falcon with 777 permissions, there is no need to proxy the
user in the LateDataHandler. Same thing applies for LateRerunConsumer & LateRerunHandler.



was (Author: sriksun):
Would be useful to add a comment in BasicAuthFilter around
{code}
                if (httpRequest.getMethod().equals("OPTIONS")) {
                    optionsServlet.service(request, response);
{code}
describing how KerberosAuthenticator works and why the OPTIONS method is required.

Can the blacklisted users be defaulted to maintain compatibility?
{code}
        String blackListedUserConfig = StartupProperties.get().getProperty(BLACK_LISTED_USER, <<default-values>>);
{code}

I am assuming that user.name query param is being passed from prism to server and since the
channel between prism & server is being secured, there is no further challenge required
from the server to validate prism. Please confirm.

One useful thing to document is
* What elements are created by falcon under what location and with what permissions & ownership

Am putting down some notes, as I review this patch
{code}
oozie coord/bundle xmls: ${cluster.staging-location}/workflows/{entity}/{entity-name} - owner: falcon, Permission: 644
app logs: ${cluster.staging-location}/workflows/{entity}/{entity-name}/logs - owner: falcon, Permission: 777
config-store - owner: falcon, Permission: 750
Shared libs: {cluster.working}/{lib,libext} - owner: falcon, Permission: 755
{code}

LogProvider is creating a proxied file system to retrieve job logs, which are actually created
by the falcon user. Proxy may be unnecessary.
{code}
            // fs on behalf of the end user.
            FileSystem fs = HadoopClientFactory.get().createProxiedFileSystem(conf);
            String resolvedRunId = getResolvedRunId(fs, clusterObj, entity, instance, runId);
{code}

Latedata related data is written to ${cluster.staging-location}/workflows/{entity}/{entity-name}/logs/latedata
and since this folder is owned by falcon with 777 permissions, there is no need to proxy the
user in the LateDataHandler. Same thing applies for LateRerunConsumer & LateRerunHandler.


> Add support for security in Falcon
> ----------------------------------
>
>                 Key: FALCON-11
>                 URL: https://issues.apache.org/jira/browse/FALCON-11
>             Project: Falcon
>          Issue Type: Improvement
>    Affects Versions: 0.3
>            Reporter: Venkatesh Seetharam
>            Assignee: Venkatesh Seetharam
>              Labels: security
>         Attachments: FALCON-11.patch
>
>   Original Estimate: 336h
>  Remaining Estimate: 336h
>
> The following is the break up of tasks for Falcon to be secure and work with secure Hadoop.
> 1. Secure Falcon daemon - needs to login with keytabs
> 2. Secure Hadoop client interface - HDFS
> 3. Secure Oozie client interface
> 4. Secure Falcon Web Interface
> 5. Secure Falcon Client Interface
> ..etc.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
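
The owner and permission notes in the review comment above, expressed as an audit over `hdfs dfs -ls` style output. This is an added example, not code from the patch or from the Falcon project; the `/falcon/...` roots, the `sample-feed` entity and the sample listing are constructed for illustration.

```python
import re

# Layout from the review notes; the /falcon/... roots are assumed, not Falcon defaults.
RULES = [  # (path pattern, expected owner, expected mode)
    (re.compile(r"^/falcon/staging/workflows/[^/]+/[^/]+/[^/]+\.xml$"), "falcon", 0o644),
    (re.compile(r"^/falcon/staging/workflows/[^/]+/[^/]+/logs$"), "falcon", 0o777),
    (re.compile(r"^/falcon/config-store$"), "falcon", 0o750),
    (re.compile(r"^/falcon/working/(lib|libext)$"), "falcon", 0o755),
]
LS_LINE = re.compile(
    r"^[d-](?P<perm>[rwxsStT-]{9})[+.]?\s+\S+\s+(?P<owner>\S+)\s+\S+"
    r"\s+\d+\s+\S+\s+\S+\s+(?P<path>/.*)$"
)

def mode_bits(perm):
    """Turn 'rwxr-x---' into 0o750 (lower nine permission bits only)."""
    bits = 0
    for ch in perm:
        bits = (bits << 1) | (ch in "rwxst")
    return bits

def audit(listing):
    """Return (path, problem) for every entry that deviates from RULES."""
    findings = []
    for line in listing.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue  # header or blank line
        path, owner, mode = m["path"], m["owner"], mode_bits(m["perm"])
        rule = next((r for r in RULES if r[0].match(path)), None)
        if rule is None:
            if mode & 0o002:  # world-writable and not in the documented layout
                findings.append((path, "world-writable, not in documented layout"))
            continue
        _, want_owner, want_mode = rule
        if owner != want_owner:
            findings.append((path, f"owner {owner}, expected {want_owner}"))
        if mode != want_mode:
            findings.append((path, f"mode {mode:o}, expected {want_mode:o}"))
    return findings

# Constructed sample in `hdfs dfs -ls` format, not output from a real cluster.
SAMPLE = """\
-rw-r--r--   3 falcon supergroup   2048 2014-02-06 07:00 /falcon/staging/workflows/feed/sample-feed/coordinator.xml
drwxrwxrwx   - falcon supergroup      0 2014-02-06 07:00 /falcon/staging/workflows/feed/sample-feed/logs
drwxr-xr-x   - falcon supergroup      0 2014-02-06 07:00 /falcon/config-store
drwxr-xr-x   - alice  supergroup      0 2014-02-06 07:00 /falcon/working/lib
drwxrwxrwx   - falcon supergroup      0 2014-02-06 07:00 /falcon/staging/tmp
"""
```

`audit(SAMPLE)` accepts the 777 `logs` directory because the notes document it, and reports the config-store mode, the `lib` owner and the undocumented world-writable directory.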
