FALCON-799 Falcon Dashboard unusable when server is started with umask 077. Contributed by Balu Vellanki
Project: http://git-wip-us.apache.org/repos/asf/incubator-falcon/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-falcon/commit/957aab14 Tree: http://git-wip-us.apache.org/repos/asf/incubator-falcon/tree/957aab14 Diff: http://git-wip-us.apache.org/repos/asf/incubator-falcon/diff/957aab14 Branch: refs/heads/master Commit: 957aab148951690da99e84a2204a7dfa0cbdb580 Parents: 04efd17 Author: Venkatesh Seetharam <venkat...@apache.org> Authored: Thu Oct 16 13:58:32 2014 -0700 Committer: Venkatesh Seetharam <venkat...@apache.org> Committed: Thu Oct 16 13:58:32 2014 -0700 ---------------------------------------------------------------------- CHANGES.txt | 3 ++ docs/src/site/twiki/Security.twiki | 42 ++++++++++---------- html5-ui/entity.html | 6 +++ html5-ui/js/falcon.js | 17 ++++++-- .../security/FalconAuthenticationFilter.java | 2 +- 5 files changed, 43 insertions(+), 27 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-falcon/blob/957aab14/CHANGES.txt ---------------------------------------------------------------------- diff --git a/CHANGES.txt b/CHANGES.txt index e2c976b..222c351 100755 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -117,6 +117,9 @@ Trunk (Unreleased) OPTIMIZATIONS BUG FIXES + FALCON-799 Falcon Dashboard unusable when server is started with umask 077 + (Balu Vellanki via Venkatesh Seetharam) + FALCON-678 Falcon's default port has changed to 15443 (Balu Vellanki via Venkatesh Seetharam) http://git-wip-us.apache.org/repos/asf/incubator-falcon/blob/957aab14/docs/src/site/twiki/Security.twiki ---------------------------------------------------------------------- diff --git a/docs/src/site/twiki/Security.twiki b/docs/src/site/twiki/Security.twiki index 2e97c8b..4e33182 100644 --- a/docs/src/site/twiki/Security.twiki +++ b/docs/src/site/twiki/Security.twiki 
@@ -85,26 +85,25 @@ implementation that enforces the following authorization policy. ---++++ Entity and Instance Management Operations Policy -* All Entity and Instance operations are authorized for users who created them, Owners and users -with group memberships -* Reference to entities with in a feed or process is allowed with out enforcing permissions -Any Feed or Process can refer to a Cluster entity not owned by the Feed or Process owner -Any Process can refer to a Feed entity not owned by the Process owner + * All Entity and Instance operations are authorized for users who created them, Owners and users with group memberships + * Reference to entities with in a feed or process is allowed with out enforcing permissions + +Any Feed or Process can refer to a Cluster entity not owned by the Feed or Process owner. Any Process can refer to a Feed entity not owned by the Process owner The authorization is enforced in the following way: -if admin resource, - if authenticated user name matches the admin users configuration - Else if groups of the authenticated user matches the admin groups configuration - Else authorization exception is thrown -Else if entities or instance resource - if the authenticated user matches the owner in ACL for the entity - Else if the groups of the authenticated user matches the group in ACL for the entity - Else authorization exception is thrown -Else if lineage resource - All have read-only permissions, reason being folks should be able to examine the dependency - and allow reuse + * if admin resource, + * If authenticated user name matches the admin users configuration + * Else if groups of the authenticated user matches the admin groups configuration + * Else authorization exception is thrown + * Else if entities or instance resource + * If the authenticated user matches the owner in ACL for the entity + * Else if the groups of the authenticated user matches the group in ACL for the entity + * Else authorization exception is thrown + * 
Else if lineage resource + * All have read-only permissions, reason being folks should be able to examine the dependency and allow reuse +To authenticate user for REST api calls, user should append "user.name=<username>" to the query. *operations on Entity Resource* @@ -333,12 +332,11 @@ configured specifically in the file. ---+++ Falcon Dashboard -The dashboard assumes an anonymous user in Pseudo/Simple method and hence anonymous users must be enabled for it to -work. -<verbatim> -# Indicates if anonymous requests are allowed when using 'simple' authentication. -*.falcon.http.authentication.simple.anonymous.allowed=true -</verbatim> +To initialize the current user for dashboard, user should append query param "user.name=<username>" to the REST api call. + +If dashboard user wishes to change the current user, they should do the following. + * delete the hadoop.auth cookie from browser cache. + * append query param "user.name=<new_user>" to the next REST API call. In Kerberos method, the browser must support HTTP Kerberos SPNEGO. http://git-wip-us.apache.org/repos/asf/incubator-falcon/blob/957aab14/html5-ui/entity.html ---------------------------------------------------------------------- diff --git a/html5-ui/entity.html b/html5-ui/entity.html index d4536fb..fc6f4b6 100644 --- a/html5-ui/entity.html +++ b/html5-ui/entity.html @@ -48,6 +48,12 @@ <h3 class="link-icons entity-title" id="entity-title"></h3> <br /> <div id="entity-info-container"> + <div id="alert-panel"> + <div class="alert alert-danger"> + <button type="button" class="close" onclick="$('#alert-panel').hide();">×</button> + <div class="alert-body" id="alert-panel-body"></div> + </div> + </div> <div class="panel panel-default" id="panel-instance" style="display:none"> <div class="panel-heading">Instances</div> <div class="panel-body"></div> http://git-wip-us.apache.org/repos/asf/incubator-falcon/blob/957aab14/html5-ui/js/falcon.js ---------------------------------------------------------------------- 
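Review bot: The new `#alert-panel` div has no `style="display:none"`, unlike the sibling `#panel-instance` panel right below it, so the `alert-danger` box renders empty when entity.html loads unless a stylesheet hides it. The close button's `$('#alert-panel').hide()` then hides it permanently, and the `onError` handler visible as context in the falcon.js hunk of this commit only calls `$('#alert-panel').alert()`, which (in Bootstrap's plugin) attaches dismiss behaviour rather than showing the element, so a second error after a close would presumably never become visible. Start the panel hidden with `<div id="alert-panel" style="display:none">` and have the error handler call `$('#alert-panel').show()` after it sets `#alert-panel-body`. If the page does not declare a UTF-8 charset, the literal `×` in the close button should be written as `&times;` so it survives a differently-encoded response.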
diff --git a/html5-ui/js/falcon.js b/html5-ui/js/falcon.js
index a14c962..0dba31a 100644
--- a/html5-ui/js/falcon.js
+++ b/html5-ui/js/falcon.js
@@ -17,8 +17,6 @@ (function(exports) { "use strict"; - var USER_ID = 'falcon-dashboard'; - function onError(msg) { $('#alert-panel-body').html(msg); $('#alert-panel').alert();
@@ -31,8 +29,19 @@ } function add_user(url) { - var paramSeparator = (url.indexOf('?') != -1) ? '&' : '?'; - return url + paramSeparator + 'user.name=' + USER_ID; + var paramSeparator = (url.indexOf('?') != -1) ? '&' : '?'; + var user_id = getQuery_params()['user.name']; + return (user_id == undefined) ? url : (url + paramSeparator + 'user.name=' + user_id); + } + + function getQuery_params() { + var query = location.search.substr(1); + var result = {}; + query.split("&").forEach(function(part) { + var item = part.split("="); + result[item[0]] = decodeURIComponent(item[1]); + }); + return result; } function getJson_impl(url, success) {
http://git-wip-us.apache.org/repos/asf/incubator-falcon/blob/957aab14/prism/src/main/java/org/apache/falcon/security/FalconAuthenticationFilter.java ----------------------------------------------------------------------
diff --git a/prism/src/main/java/org/apache/falcon/security/FalconAuthenticationFilter.java b/prism/src/main/java/org/apache/falcon/security/FalconAuthenticationFilter.java
index ae9e874..4edde75 100644
--- a/prism/src/main/java/org/apache/falcon/security/FalconAuthenticationFilter.java
+++ b/prism/src/main/java/org/apache/falcon/security/FalconAuthenticationFilter.java
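Review bot: In the second hunk, `add_user` splices `user_id` into the REST URL without re-encoding it, and `getQuery_params` has already run `decodeURIComponent` on it, so a dashboard URL whose `user.name` value contains `&`, `#` or `=` is forwarded to the server as extra or truncated query parameters instead of a single opaque user name; change the return to `return (user_id == undefined) ? url : (url + paramSeparator + 'user.name=' + encodeURIComponent(user_id));`. `getQuery_params` also decodes every part unconditionally, so a malformed escape such as `?user.name=%` throws `URIError` out of `add_user` and breaks every dashboard request, and a part with no `=` stores the string `"undefined"` (from `decodeURIComponent(undefined)`); skip parts where `item.length !== 2` and wrap the decode in a `try`/`catch` that drops the bad key. Since the browser-supplied `user.name` is now the only identity the dashboard sends, a short comment above `add_user` such as `// user.name comes from the dashboard's own URL; it is an identity hint for simple auth, not a credential` would save the next reader from assuming it is authenticated. The `onError` lines in the first hunk are context, but note they inject `msg` with `.html()`; if callers ever pass server-returned error text, `.text(msg)` is the safer sink.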
@@ -171,7 +171,7 @@ public class FalconAuthenticationFilter
 final String user = Servlets.getUserFromRequest(httpRequest);
 if (StringUtils.isEmpty(user)) {
 ((HttpServletResponse) response).sendError(Response.Status.BAD_REQUEST.getStatusCode(),
- "User can't be empty");
+ "Param user.name can't be empty");
 } else if (blackListedUsers.contains(user)) {
 ((HttpServletResponse) response).sendError(Response.Status.BAD_REQUEST.getStatusCode(),
 "User can't be a superuser:" + BLACK_LISTED_USERS_KEY);
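Review bot: The new message names the `user.name` query parameter, but the only identity source visible in this hunk is `Servlets.getUserFromRequest(httpRequest)`, and the branch that selects between simple and Kerberos authentication is outside it; if this empty-user check also runs for Kerberos-authenticated requests, a missing principal would be reported to the operator as a missing `user.name` param and misdirect the diagnosis. Consider tying the text to what was inspected, e.g. `"User can't be empty: user.name param or authenticated principal missing"`, or selecting the message by the configured authentication type. The enclosing method starts and ends outside the hunk.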