Repository: oozie
Updated Branches:
  refs/heads/master 8a0a6487d -> 442ffd696
OOZIE-3275 [docs] Update AG_Install.twiki with Access Control List documentation (andras.piros) Project: http://git-wip-us.apache.org/repos/asf/oozie/repo Commit: http://git-wip-us.apache.org/repos/asf/oozie/commit/442ffd69 Tree: http://git-wip-us.apache.org/repos/asf/oozie/tree/442ffd69 Diff: http://git-wip-us.apache.org/repos/asf/oozie/diff/442ffd69 Branch: refs/heads/master Commit: 442ffd6963ec30b33088018cf0fb2648a32e9571 Parents: 8a0a648 Author: Andras Piros <[email protected]> Authored: Tue Jun 19 13:26:52 2018 +0200 Committer: Andras Piros <[email protected]> Committed: Tue Jun 19 13:26:52 2018 +0200 ---------------------------------------------------------------------- docs/src/site/twiki/AG_Install.twiki | 34 +++++++++++++++++++++++++++++++ release-log.txt | 1 + 2 files changed, 35 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/oozie/blob/442ffd69/docs/src/site/twiki/AG_Install.twiki ---------------------------------------------------------------------- diff --git a/docs/src/site/twiki/AG_Install.twiki b/docs/src/site/twiki/AG_Install.twiki index 2d48d43..46363a3 100644 --- a/docs/src/site/twiki/AG_Install.twiki +++ b/docs/src/site/twiki/AG_Install.twiki @@ -524,6 +524,8 @@ in =oozie-site.xml=: oozie.service.AuthorizationService.default.group.as.acl=true </verbatim> +---++++ Defining Admin Users + Admin users are determined from the list of admin groups, specified in =oozie.service.AuthorizationService.admin.groups= property. Use commas to separate multiple groups, spaces, tabs and ENTER characters are trimmed. 
@@ -541,6 +543,38 @@ and ENTER characters are trimmed. In case there are admin users defined using both methods, the effective list of admin users will be the union of the admin users found in the adminusers.txt and those specified with =oozie.serviceAuthorizationService.admin.users=. +---++++ Defining Access Control Lists + +Access Control Lists are defined in the following ways: + * workflow job submission over CLI: configuration property =group.name= of =job.properties= + * workflow job submission over HTTP: configuration property =group.name= of the XML submitted over HTTP + * workflow job re-run: configuration property =oozie.job.acl= (preferred) or configuration property =group.name= of + =job.properties= + * coordinator job submission over CLI: configuration property =oozie.job.acl= (preferred) or configuration property =group.name= + of =job.properties= + * bundle job submission over CLI: configuration property =oozie.job.acl= (preferred) or configuration property =group.name= of + =job.properties= + +For all other workflow, coordinator, or bundle actions the ACL set in beforehand will be used as basis. + +Once the ACL for the job is defined, Oozie will check over HDFS whether the user trying to perform a specific action is part of the +necessary group(s). For implementation details please check out =org.apache.hadoop.security.Groups#getGroups(String user)=. + +Note that it's enough that the submitting user be part of at least one group of the ACL. Note also that the ACL can contain user +names as well. If there is an ACL defined and the submitting user isn't part of any group or user name present in the ACL, an +=AuthorizationException= is thrown. + +*Example: A typical ACL setup* + +Detail of =job.properties= on workflow job submission: +<verbatim> +user.name=joe +group.name=marketing,admin,qa,root +<verbatim> + +HDFS group membership of HDFS user =joe= is =qa=. That is, the check to =org.apache.hadoop.security.Groups#getGroups("joe")= returns +=qa=. 
Hence, ACL check will pass inside =AuthorizationService=, because the =user.name= provided belongs to at least of the ACL list +elements provided as =group.name=. ---+++ Oozie System ID Configuration http://git-wip-us.apache.org/repos/asf/oozie/blob/442ffd69/release-log.txt ---------------------------------------------------------------------- diff --git a/release-log.txt b/release-log.txt index cfb558c..aaf0d59 100644 --- a/release-log.txt +++ b/release-log.txt @@ -1,5 +1,6 @@ -- Oozie 5.1.0 release (trunk - unreleased) +OOZIE-3275 [docs] Update AG_Install.twiki with Access Control List documentation (andras.piros) OOZIE-2339 [fluent-job] Minimum Viable Fluent Job API (daniel.becker, andras.piros via rkanter, gezapeti, pbacsko) OOZIE-3224 Upgrade Jetty to 9.3 (kmarton via andras.piros) OOZIE-3284 Upgrade maven-javadoc-plugin to 3.0.1 (kmarton via pbacsko, andras.piros)
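Review bot: in the AG_Install.twiki hunk at @@ -524,6 +524,8, the new "Defining Admin Users" heading is inserted directly after the =oozie.service.AuthorizationService.default.group.as.acl=true= block, which leaves that ACL-related setting above both new headings and outside the "Defining Access Control Lists" section this patch adds further down. Consider referencing =default.group.as.acl= from the ACL section, or moving it there, so that a reader configuring ACLs finds every relevant property in one place.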
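Review bot: in the AG_Install.twiki hunk at @@ -541,6 +543,38, the example under "Example: A typical ACL setup" opens with <verbatim> and is then closed with a second <verbatim> instead of </verbatim>, so the verbatim region is never terminated; the line after "group.name=marketing,admin,qa,root" should be </verbatim>. In the closing paragraph, "belongs to at least of the ACL list elements" is missing "one", and the unchanged context line at the top of the hunk spells the property =oozie.serviceAuthorizationService.admin.users= without the dot after "service" that =oozie.service.AuthorizationService.admin.groups= has, which is worth correcting while this section is open. The new text also describes only the case where an ACL is defined and the user matches nothing in it; please state what the check does when neither =oozie.job.acl= nor =group.name= is set, and which property applies to coordinator and bundle submission over HTTP, since HTTP is listed only for workflow jobs.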
