Mailing-List: contact dev-help@falcon.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@falcon.apache.org
Message-ID: <BLU179-W45009F02301DFA70C13099A45C0@phx.gbl>
Content-Type: multipart/alternative;
	boundary="_a1ac83a8-2011-4c57-b60a-87b970863b7a_"
From: Srikanth Sundarrajan <sriksun@hotmail.com>
To: "dev@falcon.apache.org" <dev@falcon.apache.org>
Subject: RE: [Discuss] : Should a non-superuser be allowed to update ACL of
 feed or process entity
Date: Tue, 15 Sep 2015 21:24:41 +0530
Importance: Normal
In-Reply-To: <D21D7E8E.134DA%bvellanki@hortonworks.com>
References: 
 <CAK9Nqe=nW7fJ1cGRMFsQuWJXU2JrH6VejDerMVvWBEGex3qbLw@mail.gmail.com>,<1892996543.81596.1442295930126.JavaMail.yahoo@mail.yahoo.com>,<D21D7E8E.134DA%bvellanki@hortonworks.com>
MIME-Version: 1.0

--_a1ac83a8-2011-4c57-b60a-87b970863b7a_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

IMHO=2C Only owner should be allowed to change the ownership on the entity=
=2C not a member of the group. Removing the ACL from the entity would be th=
e right way forward to solve for this. ACLs in the entity is too messy.

Regards
Srikanth Sundarrajan

> Subject: Re: [Discuss] : Should a non-superuser be allowed to update ACL =
of feed or process entity
> From: bvellanki@hortonworks.com
> To: dev@falcon.apache.org
> Date: Tue=2C 15 Sep 2015 14:52:47 +0000
>=20
> Based on discussion - we all seem to agree that
> - Only superuser should change ownership
> - Falcon team should implement the functionality for permissions part of
> ACL.=20
>=20
> Balu
>=20
> On 9/14/15=2C 10:45 PM=2C "Peeyush Bishnoi" <bpeeyush@yahoo.co.in> wrote:
>=20
> >Balu=2C
> >Thanks for initiating the discussion.
> >I am of the opinion here is that ACL of feed/process entity should work
> >similarly to the UNIX-like system.
> >If user1 has not set the permission for group writable =2C then user2
> >should not be allowed to updateACL of feed or process entity. If user1
> >has set the permission for group writable purposefully=2C then user2 sho=
uld
> >alsoupdate as per the agreement between user1 and user2 (collaborative
> >work) as they belong to same group.
> >
> >Thanks=2C---Peeyush
> >
> >
> >
> >=20
> >
> >
> >     On Tuesday=2C 15 September 2015 10:23 AM=2C Sandeep Samudrala
> ><sandysmdl@gmail.com> wrote:
> >  =20
> >
> > I agree with above point to handle submission time. But again an entity
> >can
> >be submitted and scheduled with different users=2C in which case the use=
r
> >with which schedule is ran will be used. We might have to handle even
> >scheduling part. I think rather than handling ACL at various levels=2C t=
he
> >whole ACL can be improved as part of FALCON-1367
> ><https://issues.apache.org/jira/browse/FALCON-1367>.
> >
> >On Tue=2C Sep 15=2C 2015 at 10:14 AM=2C pavan kumar Kolamuri <
> >pavan.kolamuri@gmail.com> wrote:
> >
> >> Even i agree that user2 shouldn't update/delete/suspend the entity=2C =
but
> >>we
> >> should be consistent across all API's for the same. As of now submit i=
s
> >> allowed if user belongs to the same group of ACL owner group right ?
> >>Should
> >> we also change this behaviour to make sure only ACL owner should be
> >>allowed
> >> to submit ?
> >>
> >> On Tue=2C Sep 15=2C 2015 at 9:58 AM=2C Pallavi Rao <pallavi.rao@inmobi=
.com>
> >> wrote:
> >>
> >> > Agree that "user2" shouldn't be allowed to just update the entity an=
d
> >> > change the ownership. All the more reason to have a separate Auth AP=
I=2C
> >> > rather than embed the ACL in the entity itself. Such issues can be
> >> handled
> >> > in a much cleaner way.
> >> >
> >> > Regards=2C
> >> > Pallavi
> >> >
> >> > On Tue=2C Sep 15=2C 2015 at 3:12 AM=2C Balu Vellanki <
> >> bvellanki@hortonworks.com>
> >> > wrote:
> >> >
> >> > > Hi Team=2C
> >> > >
> >> > > Today=2C Feed/Process entities have ACL with owner and group. Supp=
ort
> >>for
> >> > > permissions is not implemented yet. Any user who is the owner OR w=
ho
> >> > > belongs to the group can update/delete/suspend the entity.
> >> > >
> >> > > If two users "user1" and "user2" belong to same group "users" and
> >>the
> >> > > falcon entity ACL is <ACL owner=3D"user1" group=3D"users"
> >>permission=3D"*"/>=2C
> >> > > then user2 can update the falcon entity and claim ownership of thi=
s
> >> > entity.
> >> > > I believe that user2 should not be allowed to do so unless it is
> >> > > superuser.  Similar behavior is not allowed in HDFS.  Please
> >>comment if
> >> > you
> >> > > disagree.
> >> > >
> >> > > https://issues.apache.org/jira/browse/FALCON-1340
> >> > >
> >> > > Thanks
> >> > > Balu Velalnki
> >> > >
> >> >
> >> > --
> >> > _____________________________________________________________
> >> > The information contained in this communication is intended solely f=
or
> >> the
> >> > use of the individual or entity to whom it is addressed and others
> >> > authorized to receive it. It may contain confidential or legally
> >> privileged
> >> > information. If you are not the intended recipient you are hereby
> >> notified
> >> > that any disclosure=2C copying=2C distribution or taking any action =
in
> >> reliance
> >> > on the contents of this information is strictly prohibited and may b=
e
> >> > unlawful. If you have received this communication in error=2C please
> >>notify
> >> > us immediately by responding to this email and then delete it from
> >>your
> >> > system. The firm is neither liable for the proper and complete
> >> transmission
> >> > of the information contained in this communication nor for any delay
> >>in
> >> its
> >> > receipt.
> >> >
> >>
> >>
> >>
> >> --
> >> Regards
> >> Pavan Kumar Kolamuri
> >>
> >
> >
> > =20
>=20
 		 	   		  =

--_a1ac83a8-2011-4c57-b60a-87b970863b7a_--