Date: Thu, 6 Feb 2014 06:58:15 +0000 (UTC)
From: "Srikanth Sundarrajan (JIRA)"
To: dev@falcon.incubator.apache.org
Subject: [jira] [Commented] (FALCON-11) Add support for security in Falcon

[ https://issues.apache.org/jira/browse/FALCON-11?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13893113#comment-13893113 ]
Srikanth Sundarrajan commented on FALCON-11:
--------------------------------------------

Would be useful to add a comment in BasicAuthFilter around
{code}
if (httpRequest.getMethod().equals("OPTIONS")) {
    optionsServlet.service(request, response);
{code}
describing how KerberosAuthenticator works and why the OPTIONS method is required.

Can the blacklisted users be defaulted to maintain compatibility?
{code}
String blackListedUserConfig = StartupProperties.get().getProperty(BLACK_LISTED_USER, <>);
{code}

I am assuming that the user.name query param is being passed from prism to server, and since the channel between prism & server is being secured, there is no further challenge required from the server to validate prism. Please confirm.

One useful thing to document is
* What elements are created by falcon under what location and with what permissions & ownership

Am putting down some notes, as I review this patch
{code}
oozie coord/bundle xmls: ${cluster.staging-location}/workflows/{entity}/{entity-name} - owner: falcon, Permission: 644
app logs: ${cluster.staging-location}/workflows/{entity}/{entity-name}/logs - owner: falcon, Permission: 777
config-store - owner: falcon, Permission: 750
Shared libs: {cluster.working}/{lib,libext} - owner: falcon, Permission: 755
{code}

LogProvider is creating a proxied file system to retrieve job logs, which are actually created by the falcon user. Proxy may be unnecessary.
{code}
// fs on behalf of the end user.
FileSystem fs = HadoopClientFactory.get().createProxiedFileSystem(conf);
String resolvedRunId = getResolvedRunId(fs, clusterObj, entity, instance, runId);
{code}

Latedata related data is written to ${cluster.staging-location}/workflows/{entity}/{entity-name}/logs/latedata and since this folder is owned by falcon with 777 permissions, there is no need to proxy the user in the LateDataHandler.
Same thing applies for LateRerunConsumer & LateRerunHandler.

> Add support for security in Falcon
> ----------------------------------
>
>                 Key: FALCON-11
>                 URL: https://issues.apache.org/jira/browse/FALCON-11
>             Project: Falcon
>          Issue Type: Improvement
>    Affects Versions: 0.3
>            Reporter: Venkatesh Seetharam
>            Assignee: Venkatesh Seetharam
>              Labels: security
>         Attachments: FALCON-11.patch
>
>   Original Estimate: 336h
>  Remaining Estimate: 336h
>
> The following is the break up of tasks for Falcon to be secure and work with secure Hadoop.
> 1. Secure Falcon daemon - needs to login with keytabs
> 2. Secure Hadoop client interface - HDFS
> 3. Secure Oozie client interface
> 4. Secure Falcon Web Interface
> 5. Secure Falcon Client Interface
> ..etc.

--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
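The review comment above lists which HDFS locations Falcon creates, with their intended owner and permission bits. The following is an added example, not code from the Falcon project or from the commenter, that turns that table into an audit check: it parses `hdfs dfs -ls` style listing lines and reports ownership mismatches, permission bits looser than the documented layout, and world-writable directories that lack the sticky bit (where anyone can delete another user's entries, which matters for the 777 logs directory). The concrete staging and working paths (`/apps/falcon/staging`, `/apps/falcon/working`) and the listing lines are constructed sample values, not cluster data.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Octal value of each position in a symbolic "rwxrwxrwx" triplet.
_BITS = (0o400, 0o200, 0o100, 0o040, 0o020, 0o010, 0o004, 0o002, 0o001)

# One `hdfs dfs -ls` line: type, perms, replication, owner, group, size, date, time, path.
LS_RE = re.compile(
    r"^([-d])([rwxsStT-]{9})\+?\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S.*)$"
)

# Expected layout from the review notes; cluster variables substituted with
# assumed paths (staging=/apps/falcon/staging, working=/apps/falcon/working).
EXPECTED: dict[str, tuple[str, int]] = {
    "/apps/falcon/staging/workflows/feed/sample-feed/coordinator.xml": ("falcon", 0o644),
    "/apps/falcon/staging/workflows/feed/sample-feed/logs": ("falcon", 0o777),
    "/apps/falcon/config-store": ("falcon", 0o750),
    "/apps/falcon/working/lib": ("falcon", 0o755),
    "/apps/falcon/working/libext": ("falcon", 0o755),
}

# Constructed sample listing (not real cluster output); two entries deliberately drift.
SAMPLE_LISTING = """\
drwxr-xr-x   - falcon supergroup          0 2014-02-05 10:00 /apps/falcon/staging/workflows/feed/sample-feed
-rw-r--r--   3 falcon supergroup       2048 2014-02-05 10:00 /apps/falcon/staging/workflows/feed/sample-feed/coordinator.xml
drwxrwxrwx   - falcon supergroup          0 2014-02-05 10:00 /apps/falcon/staging/workflows/feed/sample-feed/logs
drwxrwxr-x   - hdfs   supergroup          0 2014-02-05 10:00 /apps/falcon/config-store
drwxr-xr-x   - falcon supergroup          0 2014-02-05 10:00 /apps/falcon/working/lib
drwxrwxrwx   - falcon supergroup          0 2014-02-05 10:00 /apps/falcon/working/libext
"""


@dataclass
class Finding:
    path: str
    level: str  # "warn" for a deviation from the layout, "info" for a documented risk
    problem: str


def mode_from_symbolic(sym: str) -> int:
    """Convert 'rwxr-x---' to 0o750. 's'/'t' imply the execute bit; setuid/setgid
    and sticky are not folded into the returned value (sticky is checked separately)."""
    bits = 0
    for ch, bit in zip(sym, _BITS):
        if ch in "rwxst":
            bits |= bit
    return bits


def parse_listing(listing: str) -> dict[str, tuple[str, str, int, bool]]:
    """Map path -> (type, owner, mode, sticky) for every line that parses."""
    entries = {}
    for line in listing.splitlines():
        m = LS_RE.match(line.rstrip())
        if not m:
            continue
        kind, sym, _rep, owner, _group, _size, _date, _time, path = m.groups()
        entries[path] = (kind, owner, mode_from_symbolic(sym), sym[8] in "tT")
    return entries


def audit(listing: str, expected: dict[str, tuple[str, int]]) -> list[Finding]:
    """Compare a listing against the expected owner/mode table."""
    entries = parse_listing(listing)
    findings: list[Finding] = []
    for path, (exp_owner, exp_mode) in expected.items():
        entry = entries.get(path)
        if entry is None:
            findings.append(Finding(path, "warn", "expected path missing from listing"))
            continue
        kind, owner, mode, sticky = entry
        if owner != exp_owner:
            findings.append(Finding(path, "warn", f"owner is {owner}, expected {exp_owner}"))
        extra = mode & ~exp_mode
        if extra:
            findings.append(Finding(
                path, "warn",
                f"mode {mode:03o} grants bits {extra:03o} beyond expected {exp_mode:03o}"))
        # A world-writable directory without the sticky bit lets any user remove
        # or replace entries written by others; report it even when it is the
        # documented layout so the operator sees the exposure.
        if kind == "d" and mode & 0o002 and not sticky:
            level = "info" if exp_mode & 0o002 else "warn"
            findings.append(Finding(
                path, level, "world-writable directory without sticky bit"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LISTING, EXPECTED):
        print(f"[{f.level}] {f.path}: {f.problem}")
```

On the sample listing the check reports the config-store owned by `hdfs` with mode 775 instead of 750, `libext` opened up to 777, and the `logs` directory as an informational world-writable entry. The expected table is keyed by resolved paths, so for a real cluster you would generate it from the cluster entity's staging and working locations before running the audit over `hdfs dfs -ls -R` output.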