http://git-wip-us.apache.org/repos/asf/falcon/blob/4612c3f7/content/0.10/Security.html
----------------------------------------------------------------------
diff --git a/content/0.10/Security.html b/content/0.10/Security.html
new file mode 100644
index 0000000..bf30519
--- /dev/null
+++ b/content/0.10/Security.html
@@ -0,0 +1,521 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2016-08-08
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
+ <head>
+ <meta charset="UTF-8" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+ <meta name="Date-Revision-yyyymmdd" content="20160808" />
+ <meta http-equiv="Content-Language" content="en" />
+ <title>Falcon - Securing Falcon</title>
+ <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
+ <link rel="stylesheet" href="./css/site.css" />
+ <link rel="stylesheet" href="./css/print.css" media="print" />
+
+
+ <script type="text/javascript"
src="./js/apache-maven-fluido-1.3.0.min.js"></script>
+
+
+
+<script type="text/javascript">$( document ).ready( function() { $(
'.carousel' ).carousel( { interval: 3500 } ) } );</script>
+
+ </head>
+ <body class="topBarDisabled">
+
+
+
+
+ <div class="container">
+ <div id="banner">
+ <div class="pull-left">
+ <div id="bannerLeft">
+
<img src="images/falcon-logo.png" alt="Apache Falcon"
width="200px" height="45px"/>
+ </div>
+ </div>
+ <div class="pull-right"> </div>
+ <div class="clear"><hr/></div>
+ </div>
+
+ <div id="breadcrumbs">
+ <ul class="breadcrumb">
+
+
+ <li class="">
+ <a href="index.html" title="Falcon">
+ Falcon</a>
+ </li>
+ <li class="divider ">/</li>
+ <li class="">Securing Falcon</li>
+
+
+
+ <li id="publishDate" class="pull-right">Last Published:
2016-08-08</li> <li class="divider pull-right">|</li>
+ <li id="projectVersion" class="pull-right">Version: 0.10</li>
+
+ </ul>
+ </div>
+
+
+
+ <div id="bodyColumn" >
+
+ <div class="section">
+<h2>Securing Falcon<a name="Securing_Falcon"></a></h2></div>
+<div class="section">
+<h3>Overview<a name="Overview"></a></h3>
+<p>Apache Falcon provides the following security features:</p>
+<ul>
+<li>Support credential provider alias for passwords used in Falcon server.</li>
+<li>Support authentication to identify proper users.</li>
+<li>Support authorization to specify resource access permission for users or
groups.</li>
+<li>Support SSL to provide transport level security for data confidentiality
and integrity.</li></ul></div>
+<div class="section">
+<h3>Credential Provider Alias for Passwords<a
name="Credential_Provider_Alias_for_Passwords"></a></h3>
+<p>Server-side configuration properties (i.e. startup.properties) contain
passwords and other sensitive information. In addition to specifying properties
in plain text, we provide the user an option to use credential provider alias
in the property file.</p>
+<p>Take SMTP password for example. The user can store the password in a <a
class="externalLink"
href="http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/CommandsManual.html#credential";>Hadoop
credential provider</a> with the alias name <i>SMTPPasswordAlias</i>. In
startup.properties where SMTP password is needed, the user can refer to its
alias name <i>SMTPPasswordAlias</i> instead of providing the real password.</p>
+<p>The alias property to be resolved through Hadoop credential provider should
have the format: <i>credential.provider.alias.for.[property-key]</i>. For
example,
<i>credential.provider.alias.for.falcon.email.smtp.password=SMTPPasswordAlias</i>
for SMTP password. Falcon server, during the start, will automatically
retrieve the real password provided the alias name.</p>
+<p>The user can specify the provider path with the property key
<i>credential.provider.path</i>, e.g.
<i>credential.provider.path=jceks://file/tmp/test.jceks</i>. If not specified,
Falcon will use the default Hadoop credential provider path in
core-site.xml.</p></div>
+<div class="section">
+<h3>Authentication (User Identity)<a
name="Authentication_User_Identity"></a></h3>
+<p>Apache Falcon enforces authentication on protected resources. Once
authentication has been established it sets a signed HTTP Cookie that contains
an authentication token with the user name, user principal, authentication type
and expiration time.</p>
+<p>It does so by using <a class="externalLink"
href="./Http://hadoop.apache.org/docs/current/hadoop-auth/index.html.html">Hadoop
Auth</a>. Hadoop Auth is a Java library consisting of a client and a server
components to enable Kerberos SPNEGO authentication for HTTP. Hadoop Auth also
supports additional authentication mechanisms on the client and the server side
via 2 simple interfaces.</p></div>
+<div class="section">
+<h4>Authentication Methods<a name="Authentication_Methods"></a></h4>
+<p>It supports 2 authentication methods, simple and kerberos out of the
box.</p></div>
+<div class="section">
+<h5>Pseudo/Simple Authentication<a name="PseudoSimple_Authentication"></a></h5>
+<p>Falcon authenticates the user by simply trusting the value of the query
string parameter 'user.name'. This is the default mode Falcon is configured
with.</p></div>
+<div class="section">
+<h5>Kerberos Authentication<a name="Kerberos_Authentication"></a></h5>
+<p>Falcon uses HTTP Kerberos SPNEGO to authenticate the user.</p></div>
+<div class="section">
+<h3>Authorization<a name="Authorization"></a></h3>
+<p>Falcon also enforces authorization on Entities using ACLs (Access Control
Lists). ACLs are useful for implementing permission requirements and provide a
way to set different permissions for specific users or named groups.</p>
+<p>By default, support for authorization is disabled and can be enabled in
startup.properties.</p></div>
+<div class="section">
+<h4>ACLs in Entity<a name="ACLs_in_Entity"></a></h4>
+<p>All Entities now have ACL which needs to be present if authorization is
enabled. Only owners who own or created the entity will be allowed to update or
delete their entities.</p>
+<p>An entity has ACLs (Access Control Lists) that are useful for implementing
permission requirements and provide a way to set different permissions for
specific users or named groups.</p>
+<div class="source">
+<pre>
+ <ACL owner="test-user" group="test-group"
permission="*"/>
+
+</pre></div>
+<p>ACL indicates the Access control list for this cluster. owner is the Owner
of this entity. group is the one which has access to read. permission indicates
the rwx is not enforced at this time.</p></div>
+<div class="section">
+<h4>Super-User<a name="Super-User"></a></h4>
+<p>The super-user is the user with the same identity as falcon process itself.
Loosely, if you started the falcon, then you are the super-user. The super-user
can do anything in that permissions checks never fail for the super-user. There
is no persistent notion of who was the super-user; when the falcon is started
the process identity determines who is the super-user for now. The Falcon
super-user does not have to be the super-user of the falcon host, nor is it
necessary that all clusters have the same super-user. Also, an experimenter
running Falcon on a personal workstation, conveniently becomes that
installation's super-user without any configuration.</p>
+<p>Falcon also allows users to configure a super user group and allows users
belonging to this group to be a super user.</p>
+<p>ACL owner and group must be valid even if the authenticated user is a
super-user.</p></div>
+<div class="section">
+<h4>Group Memberships<a name="Group_Memberships"></a></h4>
+<p>Once a user has been authenticated and a username has been determined, the
list of groups is determined by a group mapping service, configured by the
hadoop.security.group.mapping property in Hadoop. The default implementation,
org.apache.hadoop.security.ShellBasedUnixGroupsMapping, will shell out to the
Unix bash -c groups command to resolve a list of groups for a user.</p>
+<p>Note that Falcon stores the user and group of an Entity as strings; there
is no conversion from user and group identity numbers as is conventional in
Unix.</p>
+<p>The only limitation is that a user cannot add a group in ACL that he does
not belong to.</p></div>
+<div class="section">
+<h4>Authorization Provider<a name="Authorization_Provider"></a></h4>
+<p>Falcon provides a plugin-able provider interface for Authorization. It also
ships with a default implementation that enforces the following authorization
policy.</p></div>
+<div class="section">
+<h5>Entity and Instance Management Operations Policy<a
name="Entity_and_Instance_Management_Operations_Policy"></a></h5>
+<p></p>
+<ul>
+<li>All Entity and Instance operations are authorized for users who created
them, Owners and users with group memberships</li>
+<li>Reference to entities with in a feed or process is allowed with out
enforcing permissions</li></ul>
+<p>Any Feed or Process can refer to a Cluster entity not owned by the Feed or
Process owner. Any Process can refer to a Feed entity not owned by the Process
owner</p>
+<p>The authorization is enforced in the following way:</p>
+<p></p>
+<ul>
+<li>if admin resource,
+<ul>
+<li>If authenticated user name matches the admin users configuration</li>
+<li>Else if groups of the authenticated user matches the admin groups
configuration</li>
+<li>Else authorization exception is thrown</li></ul></li>
+<li>Else if entities or instance resource
+<ul>
+<li>If the authenticated user matches the owner in ACL for the entity</li>
+<li>Else if the groups of the authenticated user matches the group in ACL for
the entity</li>
+<li>Else authorization exception is thrown</li></ul></li>
+<li>Else if lineage resource
+<ul>
+<li>All have read-only permissions, reason being folks should be able to
examine the dependency and allow reuse</li></ul></li></ul>
+<p>To authenticate user for REST api calls, user should append
"user.name=<username>" to the query.</p>
+<p><b>operations on Entity Resource</b></p>
+<p></p>
+<table border="0" class="table table-striped">
+<tr class="a">
+<th>Resource</th>
+<th>Description</th>
+<th>Authorization</th></tr>
+<tr class="b">
+<td><a
href="./Restapi/EntityValidate.html">api/entities/validate/:entity-type</a></td>
+<td>Validate the entity</td>
+<td>Owner/Group</td></tr>
+<tr class="a">
+<td><a
href="./Restapi/EntitySubmit.html">api/entities/submit/:entity-type</a></td>
+<td>Submit the entity</td>
+<td>Owner/Group</td></tr>
+<tr class="b">
+<td><a
href="./Restapi/EntityUpdate.html">api/entities/update/:entity-type/:entity-name</a></td>
+<td>Update the entity</td>
+<td>Owner/Group</td></tr>
+<tr class="a">
+<td><a
href="./Restapi/EntitySubmitAndSchedule.html">api/entities/submitAndSchedule/:entity-type</a></td>
+<td>Submit & Schedule the entity</td>
+<td>Owner/Group</td></tr>
+<tr class="b">
+<td><a
href="./Restapi/EntitySchedule.html">api/entities/schedule/:entity-type/:entity-name</a></td>
+<td>Schedule the entity</td>
+<td>Owner/Group</td></tr>
+<tr class="a">
+<td><a
href="./Restapi/EntitySuspend.html">api/entities/suspend/:entity-type/:entity-name</a></td>
+<td>Suspend the entity</td>
+<td>Owner/Group</td></tr>
+<tr class="b">
+<td><a
href="./Restapi/EntityResume.html">api/entities/resume/:entity-type/:entity-name</a></td>
+<td>Resume the entity</td>
+<td>Owner/Group</td></tr>
+<tr class="a">
+<td><a
href="./Restapi/EntityDelete.html">api/entities/delete/:entity-type/:entity-name</a></td>
+<td>Delete the entity</td>
+<td>Owner/Group</td></tr>
+<tr class="b">
+<td><a
href="./Restapi/EntityStatus.html">api/entities/status/:entity-type/:entity-name</a></td>
+<td>Get the status of the entity</td>
+<td>Owner/Group</td></tr>
+<tr class="a">
+<td><a
href="./Restapi/EntityDefinition.html">api/entities/definition/:entity-type/:entity-name</a></td>
+<td>Get the definition of the entity</td>
+<td>Owner/Group</td></tr>
+<tr class="b">
+<td><a
href="./Restapi/EntityList.html">api/entities/list/:entity-type?fields=:fields</a></td>
+<td>Get the list of entities</td>
+<td>Owner/Group</td></tr>
+<tr class="a">
+<td><a
href="./Restapi/EntityDependencies.html">api/entities/dependencies/:entity-type/:entity-name</a></td>
+<td>Get the dependencies of the entity</td>
+<td>Owner/Group</td></tr></table><b>REST Call on Feed and Process Instances</b>
+<p></p>
+<table border="0" class="table table-striped">
+<tr class="a">
+<th>Resource</th>
+<th>Description</th>
+<th>Authorization</th></tr>
+<tr class="b">
+<td><a
href="./Restapi/InstanceRunning.html">api/instance/running/:entity-type/:entity-name</a></td>
+<td>List of running instances.</td>
+<td>Owner/Group</td></tr>
+<tr class="a">
+<td><a
href="./Restapi/InstanceStatus.html">api/instance/status/:entity-type/:entity-name</a></td>
+<td>Status of a given instance</td>
+<td>Owner/Group</td></tr>
+<tr class="b">
+<td><a
href="./Restapi/InstanceKill.html">api/instance/kill/:entity-type/:entity-name</a></td>
+<td>Kill a given instance</td>
+<td>Owner/Group</td></tr>
+<tr class="a">
+<td><a
href="./Restapi/InstanceSuspend.html">api/instance/suspend/:entity-type/:entity-name</a></td>
+<td>Suspend a running instance</td>
+<td>Owner/Group</td></tr>
+<tr class="b">
+<td><a
href="./Restapi/InstanceResume.html">api/instance/resume/:entity-type/:entity-name</a></td>
+<td>Resume a given instance</td>
+<td>Owner/Group</td></tr>
+<tr class="a">
+<td><a
href="./Restapi/InstanceRerun.html">api/instance/rerun/:entity-type/:entity-name</a></td>
+<td>Rerun a given instance</td>
+<td>Owner/Group</td></tr>
+<tr class="b">
+<td><a
href="./InstanceLogs.html">api/instance/logs/:entity-type/:entity-name</a></td>
+<td>Get logs of a given instance</td>
+<td>Owner/Group</td></tr></table></div>
+<div class="section">
+<h5>Admin Resources Policy<a name="Admin_Resources_Policy"></a></h5>
+<p>Only users belonging to admin users or groups have access to this resource.
Admin membership is determined by a static configuration parameter.</p>
+<p></p>
+<table border="0" class="table table-striped">
+<tr class="a">
+<th>Resource</th>
+<th>Description</th>
+<th>Authorization</th></tr>
+<tr class="b">
+<td><a href="./Restapi/AdminVersion.html">api/admin/version</a></td>
+<td>Get version of the server</td>
+<td>No restriction</td></tr>
+<tr class="a">
+<td><a href="./Restapi/AdminStack.html">api/admin/stack</a></td>
+<td>Get stack of the server</td>
+<td>Admin User/Group</td></tr>
+<tr class="b">
+<td><a href="./Restapi/AdminConfig.html">api/admin/config/:config-type</a></td>
+<td>Get configuration information of the server</td>
+<td>Admin User/Group</td></tr></table></div>
+<div class="section">
+<h5>Lineage Resource Policy<a name="Lineage_Resource_Policy"></a></h5>
+<p>Lineage is read-only and hence all users can look at lineage for their
respective entities. <b>Note:</b> This gap will be fixed in a later
release.</p></div>
+<div class="section">
+<h3>Authentication Configuration<a
name="Authentication_Configuration"></a></h3>
+<p>Following is the Server Side Configuration Setup for
Authentication.</p></div>
+<div class="section">
+<h4>Common Configuration Parameters<a
name="Common_Configuration_Parameters"></a></h4>
+<div class="source">
+<pre>
+# Authentication type must be specified: simple|kerberos
+*.falcon.authentication.type=kerberos
+
+</pre></div></div>
+<div class="section">
+<h4>Kerberos Configuration<a name="Kerberos_Configuration"></a></h4>
+<div class="source">
+<pre>
+##### Service Configuration
+
+# Indicates the Kerberos principal to be used in Falcon Service.
+*.falcon.service.authentication.kerberos.principal=falcon/[email protected]
+
+# Location of the keytab file with the credentials for the Service principal.
+*.falcon.service.authentication.kerberos.keytab=/etc/security/keytabs/falcon.service.keytab
+
+# name node principal to talk to config store
+*.dfs.namenode.kerberos.principal=nn/[email protected]
+
+# Indicates how long (in seconds) falcon authentication token is valid before
it has to be renewed.
+*.falcon.service.authentication.token.validity=86400
+
+##### SPNEGO Configuration
+
+# Authentication type must be specified: simple|kerberos|<class>
+# org.apache.falcon.security.RemoteUserInHeaderBasedAuthenticationHandler can
be used for backwards compatibility
+*.falcon.http.authentication.type=kerberos
+
+# Indicates how long (in seconds) an authentication token is valid before it
has to be renewed.
+*.falcon.http.authentication.token.validity=36000
+
+# The signature secret for signing the authentication tokens.
+*.falcon.http.authentication.signature.secret=falcon
+
+# The domain to use for the HTTP cookie that stores the authentication token.
+*.falcon.http.authentication.cookie.domain=
+
+# Indicates if anonymous requests are allowed when using 'simple'
authentication.
+*.falcon.http.authentication.simple.anonymous.allowed=true
+
+# Indicates the Kerberos principal to be used for HTTP endpoint.
+# The principal MUST start with 'HTTP/' as per Kerberos HTTP SPNEGO
specification.
+*.falcon.http.authentication.kerberos.principal=HTTP/[email protected]
+
+# Location of the keytab file with the credentials for the HTTP principal.
+*.falcon.http.authentication.kerberos.keytab=/etc/security/keytabs/spnego.service.keytab
+
+# The kerberos names rules is to resolve kerberos principal names, refer to
Hadoop's KerberosName for more details.
+*.falcon.http.authentication.kerberos.name.rules=DEFAULT
+
+# Comma separated list of black listed users
+*.falcon.http.authentication.blacklisted.users=
+
+# Increase Jetty request buffer size to accommodate the generated Kerberos
token
+*.falcon.jetty.request.buffer.size=16192
+
+</pre></div></div>
+<div class="section">
+<h4>Pseudo/Simple Configuration<a name="PseudoSimple_Configuration"></a></h4>
+<div class="source">
+<pre>
+##### SPNEGO Configuration
+
+# Authentication type must be specified: simple|kerberos|<class>
+# org.apache.falcon.security.RemoteUserInHeaderBasedAuthenticationHandler can
be used for backwards compatibility
+*.falcon.http.authentication.type=simple
+
+# Indicates how long (in seconds) an authentication token is valid before it
has to be renewed.
+*.falcon.http.authentication.token.validity=36000
+
+# The signature secret for signing the authentication tokens.
+*.falcon.http.authentication.signature.secret=falcon
+
+# The domain to use for the HTTP cookie that stores the authentication token.
+*.falcon.http.authentication.cookie.domain=
+
+# Indicates if anonymous requests are allowed when using 'simple'
authentication.
+*.falcon.http.authentication.simple.anonymous.allowed=true
+
+# Comma separated list of black listed users
+*.falcon.http.authentication.blacklisted.users=
+
+</pre></div></div>
+<div class="section">
+<h3>Authorization Configuration<a
name="Authorization_Configuration"></a></h3></div>
+<div class="section">
+<h4>Enabling Authorization<a name="Enabling_Authorization"></a></h4>
+<p>By default, support for authorization is disabled and specifying ACLs in
entities are optional. To enable support for authorization, set
falcon.security.authorization.enabled to true in the startup configuration.</p>
+<div class="source">
+<pre>
+# Authorization Enabled flag: false|true
+*.falcon.security.authorization.enabled=true
+
+</pre></div></div>
+<div class="section">
+<h4>Authorization Provider<a name="Authorization_Provider"></a></h4>
+<p>Falcon provides a basic implementation for Authorization bundled,
org.apache.falcon.security .DefaultFalconAuthorizationProvider. This can be
overridden by custom implementations in the startup configuration.</p>
+<div class="source">
+<pre>
+# Authorization Provider Fully Qualified Class Name
+*.falcon.security.authorization.provider=org.apache.falcon.security.DefaultAuthorizationProvider
+
+</pre></div></div>
+<div class="section">
+<h4>Super User Group<a name="Super_User_Group"></a></h4>
+<p>Super user group is determined by the configuration:</p>
+<div class="source">
+<pre>
+# The name of the group of super-users
+*.falcon.security.authorization.superusergroup=falcon
+
+</pre></div></div>
+<div class="section">
+<h4>Admin Membership<a name="Admin_Membership"></a></h4>
+<p>Administrative users are determined by the configuration:</p>
+<div class="source">
+<pre>
+# Admin Users, comma separated users
+*.falcon.security.authorization.admin.users=falcon,ambari-qa,seetharam
+
+</pre></div>
+<p>Administrative groups are determined by the configuration:</p>
+<div class="source">
+<pre>
+# Admin Group Membership, comma separated users
+*.falcon.security.authorization.admin.groups=falcon,testgroup,staff
+
+</pre></div></div>
+<div class="section">
+<h3>SSL<a name="SSL"></a></h3>
+<p>Falcon provides transport level security ensuring data confidentiality and
integrity. This is enabled by default for communicating over HTTP between the
client and the server.</p></div>
+<div class="section">
+<h4>SSL Configuration<a name="SSL_Configuration"></a></h4>
+<div class="source">
+<pre>
+*.falcon.enableTLS=true
+*.keystore.file=/path/to/keystore/file
+*.keystore.password=password
+
+</pre></div></div>
+<div class="section">
+<h4>Distributed Falcon Setup<a name="Distributed_Falcon_Setup"></a></h4>
+<p>Falcon should be configured to communicate with Prism over TLS in secure
mode. Its not enabled by default.</p></div>
+<div class="section">
+<h3>Changes to ownership and permissions of directories managed by Falcon<a
name="Changes_to_ownership_and_permissions_of_directories_managed_by_Falcon"></a></h3>
+<p></p>
+<table border="0" class="table table-striped">
+<tr class="a">
+<th>Directory</th>
+<th>Location</th>
+<th>Owner</th>
+<th>Permissions</th></tr>
+<tr class="b">
+<td>Configuration Store</td>
+<td>${config.store.uri}</td>
+<td>falcon</td>
+<td>700</td></tr>
+<tr class="a">
+<td>Cluster Staging Location</td>
+<td>${cluster.staging-location}</td>
+<td>falcon</td>
+<td>777</td></tr>
+<tr class="b">
+<td>Cluster Working Location</td>
+<td>${cluster.working-location}</td>
+<td>falcon</td>
+<td>755</td></tr>
+<tr class="a">
+<td>Shared libs</td>
+<td>{cluster.working}/{lib,libext}</td>
+<td>falcon</td>
+<td>755</td></tr>
+<tr class="b">
+<td>Oozie coord/bundle XMLs</td>
+<td>${cluster.staging-location}/workflows/{entity}/{entity-name}</td>
+<td>$user</td>
+<td>cluster umask</td></tr>
+<tr class="a">
+<td>App logs</td>
+<td>${cluster.staging-location}/workflows/{entity}/{entity-name}/logs</td>
+<td>$user</td>
+<td>cluster umask</td></tr></table><b>Note:</b> Please note that the cluster
staging and working locations MUST be created prior to submitting a cluster
entity to Falcon. Also, note that the the parent dirs must have execute
permissions.</div>
+<div class="section">
+<h3>Backwards compatibility<a name="Backwards_compatibility"></a></h3></div>
+<div class="section">
+<h4>Scheduled Entities<a name="Scheduled_Entities"></a></h4>
+<p>Entities already scheduled with an earlier version of Falcon are not
compatible with this version</p></div>
+<div class="section">
+<h4>Falcon Clients<a name="Falcon_Clients"></a></h4>
+<p>Older Falcon clients are backwards compatible wrt Authentication and user
information sent as part of the HTTP header, Remote-User is still honoured when
the authentication type is configured as below:</p>
+<div class="source">
+<pre>
+*.falcon.http.authentication.type=org.apache.falcon.security.RemoteUserInHeaderBasedAuthenticationHandler
+
+</pre></div></div>
+<div class="section">
+<h4>Blacklisted super users for authentication<a
name="Blacklisted_super_users_for_authentication"></a></h4>
+<p>The blacklist users used to have the following super users: hdfs,
mapreduce, oozie, and falcon. The list is externalized from code into
Startup.properties file and is empty now and needs to be configured
specifically in the file.</p></div>
+<div class="section">
+<h4>Falcon Dashboard<a name="Falcon_Dashboard"></a></h4>
+<p>To initialize the current user for dashboard, user should append query
param "user.name=<username>" to the REST api call.</p>
+<p>If dashboard user wishes to change the current user, they should do the
following.</p>
+<ul>
+<li>delete the hadoop.auth cookie from browser cache.</li>
+<li>append query param "user.name=<new_user>" to the next REST
API call.</li></ul>
+<p>In Kerberos method, the browser must support HTTP Kerberos SPNEGO.</p></div>
+<div class="section">
+<h3>Known Limitations<a name="Known_Limitations"></a></h3>
+<p></p>
+<ul>
+<li>ActiveMQ topics are not secure but will be in the near future</li>
+<li>Entities already scheduled with an earlier version of Falcon are not
compatible with this version as new</li></ul>workflow parameters are being
passed back into Falcon such as the user are required
+<ul>
+<li>Use of hftp as the scheme for read only interface in cluster entity <a
class="externalLink"
href="https://issues.apache.org/jira/browse/HADOOP-10215";>will not work in
Oozie</a></li></ul>The alternative is to use webhdfs scheme instead and its
been tested with <a href="./DistCp.html">DistCp</a>.</div>
+<div class="section">
+<h3>Examples<a name="Examples"></a></h3></div>
+<div class="section">
+<h4>Accessing the server using Falcon CLI (Java client)<a
name="Accessing_the_server_using_Falcon_CLI_Java_client"></a></h4>
+<p>There is no change in the way the CLI is used. The CLI has been changed to
work with the configured authentication method.</p></div>
+<div class="section">
+<h4>Accessing the server using curl<a
name="Accessing_the_server_using_curl"></a></h4>
+<p>Try accessing protected resources using curl. The protected resources
are:</p>
+<div class="source">
+<pre>
+$ kinit
+Please enter the password for venkatesh@LOCALHOST:
+
+$ curl http://localhost:15000/api/admin/version
+
+$ curl http://localhost:15000/api/admin/version?user.name=venkatesh
+
+$ curl --negotiate -u foo -b ~/cookiejar.txt -c ~/cookiejar.txt curl
http://localhost:15000/api/admin/version
+
+</pre></div></div>
+ </div>
+ </div>
+
+ <hr/>
+
+ <footer>
+ <div class="container">
+ <div class="row span12">Copyright ©
2013-2016
+ <a href="http://www.apache.org";>Apache Software
Foundation</a>.
+ All Rights Reserved.
+
+ </div>
+
+
+ <p id="poweredBy" class="pull-right">
+ <a href="http://maven.apache.org/"; title="Built by
Maven" class="poweredBy">
+ <img class="builtBy" alt="Built by Maven"
src="./images/logos/maven-feather.png" />
+ </a>
+ </p>
+
+ </div>
+ </footer>
+ </body>
+</html>
