[jira] [Updated] (FALCON-1367) Fix the ACL handling in Falcon

Tue, 04 Aug 2015 07:41:51 -0700 

     [ 
https://issues.apache.org/jira/browse/FALCON-1367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Venkat Ranganathan updated FALCON-1367:
---------------------------------------
    Description: 
Currently the ACL element is part of the entity and has the owner and group 
specified in it.   The owner of the entity is used as the proxy user of the 
entity. 

This seems problematic.   We don't want to embed authorization of a resource 
inside a resource.    Also,  scheduling an entity by a user should be 
independent of the owner as whom it runs (The proxy user work that 
[~sowmyaramesh] is adding a doAs capability)

Moving it out of the entity will allow authorization managers like Apache 
Ranger to manage the authorization of the entities.


We want to 
    # deprecate the use of ACL inside the entity by making it optional
    # Allow the owner and group of an entity to be managed separately (either 
by Falcon or controlled via a plugin by Authorization managers)
    # Identity and fix the permission models (only superuser or owner can 
change permissions etc)

> Fix the ACL handling in Falcon
> ------------------------------
>
>                 Key: FALCON-1367
>                 URL: https://issues.apache.org/jira/browse/FALCON-1367
>             Project: Falcon
>          Issue Type: Bug
>            Reporter: Venkat Ranganathan
>
> Currently the ACL element is part of the entity and has the owner and group 
> specified in it.   The owner of the entity is used as the proxy user of the 
> entity. 
> This seems problematic.   We don't want to embed authorization of a resource 
> inside a resource.    Also,  scheduling an entity by a user should be 
> independent of the owner as whom it runs (The proxy user work that 
> [~sowmyaramesh] is adding a doAs capability)
> Moving it out of the entity will allow authorization managers like Apache 
> Ranger to manage the authorization of the entities.
> We want to 
>     # deprecate the use of ACL inside the entity by making it optional
>     # Allow the owner and group of an entity to be managed separately (either 
> by Falcon or controlled via a plugin by Authorization managers)
>     # Identity and fix the permission models (only superuser or owner can 
> change permissions etc)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to