Re: Review Request 37771: Falcon Proxy user support

[Venkat Ranganathan]

> On Sept. 8, 2015, 7:35 a.m., Ajay Yadava wrote:
> > common/src/main/java/org/apache/falcon/service/ProxyUserService.java, line 
> > 81
> > <https://reviews.apache.org/r/37771/diff/3/?file=1056558#file1056558line81>
> >
> >     Will it make sense to move it to RuntimeProperties? Adding new proxy 
> > user won't be a very frequent operation I suppose, but adding groups might 
> > be.
> 
> Venkat Ranganathan wrote:
>     That is a good question.  I wanted it to be in Startup Properties as this 
> is a configuration that an administrator has to make (like one does in 
> core-site with the explicit idea that the proxy user is fully trusted and the 
> list of hosts/groups are configured at the time.   If there are any changes 
> in these, then we probably should configure LDap integration or some other 
> form of authentication option.
> 
> Ajay Yadava wrote:
>     I think there is some disconnect. Both startup.properties and 
> runtime.properties are administrator privileges, only difference is that 
> values in runtime.properties (RuntimeProperties class) are automatically 
> updated without restart. I was thinking that like most access operations, 
> administrators will continue to update these with time, hence it might be a 
> good idea to put them in runtime.properties.

Good point.  This was initially patterned after core-site which is more static 
for most services - but we have since added ability to refresh these settings 
also in Yarn, so moving these to runtime properties is OK


- Venkat


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/37771/#review97913
-----------------------------------------------------------


On Aug. 31, 2015, 4:05 p.m., Sowmya Ramesh wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/37771/
> -----------------------------------------------------------
> 
> (Updated Aug. 31, 2015, 4:05 p.m.)
> 
> 
> Review request for Falcon.
> 
> 
> Bugs: FALCON-1027
>     https://issues.apache.org/jira/browse/FALCON-1027
> 
> 
> Repository: falcon-git
> 
> 
> Description
> -------
> 
> Today, Falcon doesn’t have doAs capability i.e. it doesn’t support 
> impersonation. Support for impersonation or proxyuser functionality 
> (identical to Hadoop proxyuser capabilities and conceptually similar to Unix 
> 'sudo') needs to be added to REST API’s and CLI(Command
> line).
> 
> 
> Diffs
> -----
> 
>   client/src/main/java/org/apache/falcon/cli/FalconCLI.java 11dfe72 
>   client/src/main/java/org/apache/falcon/cli/FalconMetadataCLI.java 2f57c7d 
>   client/src/main/java/org/apache/falcon/client/AbstractFalconClient.java 
> 282b41b 
>   client/src/main/java/org/apache/falcon/client/FalconClient.java 44436d2 
>   common/src/main/java/org/apache/falcon/security/CurrentUser.java 4aed5d7 
>   common/src/main/java/org/apache/falcon/security/SecurityUtil.java 861f80f 
>   common/src/main/java/org/apache/falcon/service/GroupsService.java 
> PRE-CREATION 
>   common/src/main/java/org/apache/falcon/service/ProxyUserService.java 
> PRE-CREATION 
>   common/src/main/resources/startup.properties c48188c 
>   common/src/test/java/org/apache/falcon/security/CurrentUserTest.java 
> 9a3f365 
>   common/src/test/java/org/apache/falcon/security/SecurityUtilTest.java 
> 6e77462 
>   common/src/test/java/org/apache/falcon/service/GroupsServiceTest.java 
> PRE-CREATION 
>   common/src/test/java/org/apache/falcon/service/ProxyUserServiceTest.java 
> PRE-CREATION 
>   docs/src/site/twiki/FalconCLI.twiki 9203699 
>   docs/src/site/twiki/FalconDocumentation.twiki 29d93f7 
>   prism/src/main/java/org/apache/falcon/resource/AbstractEntityManager.java 
> 78964dd 
>   
> prism/src/main/java/org/apache/falcon/resource/AbstractSchedulableEntityManager.java
>  5b415a2 
>   prism/src/main/java/org/apache/falcon/resource/channel/HTTPChannel.java 
> 78f68ba 
>   
> prism/src/main/java/org/apache/falcon/resource/proxy/SchedulableEntityManagerProxy.java
>  ceabb06 
>   
> prism/src/main/java/org/apache/falcon/security/FalconAuthenticationFilter.java
>  df64b44 
>   
> prism/src/main/java/org/apache/falcon/security/FalconAuthorizationFilter.java 
> 15e94cd 
>   prism/src/main/java/org/apache/falcon/security/HostnameFilter.java 
> PRE-CREATION 
>   prism/src/main/webapp/WEB-INF/web.xml 551bf56 
>   prism/src/test/java/org/apache/falcon/resource/EntityManagerTest.java 
> cce8737 
>   
> prism/src/test/java/org/apache/falcon/security/FalconAuthenticationFilterTest.java
>  9e8c76a 
>   prism/src/test/java/org/apache/falcon/security/HostnameFilterTest.java 
> PRE-CREATION 
>   src/conf/startup.properties 9925373 
>   unit/src/main/java/org/apache/falcon/unit/FalconUnitClient.java eb65cb3 
>   unit/src/test/java/org/apache/falcon/unit/FalconUnitTestBase.java 997b301 
>   webapp/pom.xml 5a9e1da 
>   webapp/src/conf/oozie/conf/oozie-site.xml ded4873 
>   
> webapp/src/main/java/org/apache/falcon/resource/SchedulableEntityManager.java 
> 1f8cc1b 
>   webapp/src/main/webapp/WEB-INF/distributed/web.xml 31d78a2 
>   webapp/src/main/webapp/WEB-INF/embedded/web.xml fa2db39 
>   webapp/src/main/webapp/WEB-INF/web.xml 2cfd7de 
>   webapp/src/test/java/org/apache/falcon/cli/FalconCLIIT.java 0062070 
>   webapp/src/test/java/org/apache/falcon/resource/EntityManagerJerseyIT.java 
> f0cee61 
>   
> webapp/src/test/java/org/apache/falcon/resource/MetadataResourceJerseyIT.java 
> eb1dda8 
>   webapp/src/test/java/org/apache/falcon/resource/TestContext.java 4a25b88 
>   webapp/src/test/resources/startup.properties PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/37771/diff/
> 
> 
> Testing
> -------
> 
> Unit tests and IT tests.
> Manual testing : 
> 
> * ProxyUSer service not added in startup properties, should throw "Service 
> ProxyUserService not registered"
> * Super user not added in proxy user setting in startup.properties, shoudl 
> throw "java.security.AccessControlException: User <superuser> not defined as 
> proxyuser"
> 
> CLI:
> * Add doAs option in CLI and verify command succeeds
> * Commands should succeed without doAs as is an optional arg
> 
> REST API:
> * pass doAs query param and verify REST requests succeeds
> * REST requests should succeed without doAs query param as it is optional
> 
> 
> * Perform schedule using doAs user. For other requests if doAs user is not 
> passed (say suspend, resume etc.) should get "User <superuser> not authorized 
> for Coord job <bundleId>"
> 
> 
> Thanks,
> 
> Sowmya Ramesh
> 
>