falcon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Venkat Ranganathan (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FALCON-1107) Move trusted recipe processing to server side
Date Fri, 29 Jan 2016 08:00:50 GMT

    [ https://issues.apache.org/jira/browse/FALCON-1107?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15123163#comment-15123163

Venkat Ranganathan commented on FALCON-1107:

bq.   It would have all the permissions as the current Falcon process

At a high level in an unsecure cluster, the OS authentication would be the same.   Even there,
we just don't have Falcon user alone - when the recipes are invoked we want to make sure the
user that requests the recipe is the one used to process the request, so we need to make sure
that we don't login and access the resources as Falcon.

In an unsecure cluster, Falcon having been configured as a proxy super, we can do the necessary
authentication and proxying of the target user.  This means that we will duplication the functionality
to do  User authentication, proxying of the right user in using system resources are duplicated
in the child process code also.

In a secure cluster, proxying for another user would mean that we specifically logout of the
Falcon context in the spawned child process and use the requesting user credentials to process
the request (otherwise you will be doing all work as falcon which is not right).   But we
may will not have a mechanism to get the kerberos context for the incoming user unless we
make it a requirement that we get the keytab for the requesting user for recipes to login
as that user.   So, we will have to get the delegation tokens for the requesting user and
pass it to the spawned process and process those token in the spawned process

> Move trusted recipe processing to server side
> ---------------------------------------------
>                 Key: FALCON-1107
>                 URL: https://issues.apache.org/jira/browse/FALCON-1107
>             Project: Falcon
>          Issue Type: Sub-task
>            Reporter: Sowmya Ramesh
>            Assignee: Sowmya Ramesh
>              Labels: Recipe
>             Fix For: trunk
>         Attachments: ApacheFalcon-RecipeDesignDocument.pdf
> Today Recipe cooking is a client side logic. Recipe also supports extensions i.e. user
can cook his/her own custom recipes.
> Decision to make it client side logic was for the following reasons
>   *   Keep it isolated from falcon server
>   *   As custom recipe cooking is supported, user recipes can introduce security vulnerabilities
and also can bring down the falcon server
> Today, falcon provides HDFS DR recipe out of the box. There is a plan to add UI support
for DR in Falcon.
> Rest API support cannot be added for recipe as it is client side processing.
> If the UI is pure java script[JS] then all the recipe cooking logic has to be repeated
in JS. This is not a feasible solution - if more recipes are added say DR for hive, hbase
and others, UI won't be extensible.
> For the above mentioned reasons Recipe should me made a server side logic.
> Provided/Trusted recipes [recipes provided out of the box]  can run as Falcon process.
Recipe cooking will be done in a new process if its custom recipe [user code].
> For cooking of custom recipes, design proposed should consider handling security implications,
handling the issues where the custom user code can bring down the Falcon server (trapping
System.exit), handling  class path isolation.
> Also it shouldn't in anyway destabilize the Falcon system.
> There are couple of approaches which was discussed
> *Approach 1:*
> Custom Recipe cooking can be carried out separately in another Oozie WF, this will ensure
isolation. Oozie already has the ability to schedule jobs as a user and handles all the security
aspects of it.
> Pros:
> - Provides isolation
> - Piggyback on Oozie as it already provides the required functionality
> Cons:
> - As recipe processing is done in different WF, from operations point of view user cannot
figure out recipe processing status and thus adds to the operational pain. Operational issue
with this approach is said to be the overall
> apparatus needed to monitor and manage the recipe-cooking workflows.  
> Oozie scheduling can bring arbitrary delays  Granted we can design around the limitations
and make use of the strengths of the approach but it seems something we can avoid if we can.
> - There has been few discussions to move away from Oozie as scheduling engine for Falcon.
If this is the plan going forward its good not to add new functionality using oozie.
> *Approach 2:*
> Custom recipe cooking is done on the server side in a separate independent process than
Falcon process I.e. It runs in a different JVM. Throttling should be added for how many recipe
cooking processes can be launched keeping in mind the machine configuration.
> Pros:
> - Provides isolation as recipe cooking is done in a independent process
> Cons:
> - Performance overhead as new process is launched for custom recipe cooking
> - Adds more complexity to the system
> This bug will be used to move recipe processing for trusted recipes to server side.

This message was sent by Atlassian JIRA

View raw message