[
https://issues.apache.org/jira/browse/FALCON-1107?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15123163#comment-15123163
]
Venkat Ranganathan commented on FALCON-1107:
--------------------------------------------
bq. It would have all the permissions as the current Falcon process
At a high level in an unsecure cluster, the OS authentication would be the
same. Even there, we just don't have Falcon user alone - when the recipes are
invoked we want to make sure the user that requests the recipe is the one used
to process the request, so we need to make sure that we don't login and access
the resources as Falcon.
In an unsecure cluster, Falcon having been configured as a proxy super, we can
do the necessary authentication and proxying of the target user. This means
that we will duplication the functionality to do User authentication, proxying
of the right user in using system resources are duplicated in the child process
code also.
In a secure cluster, proxying for another user would mean that we specifically
logout of the Falcon context in the spawned child process and use the
requesting user credentials to process the request (otherwise you will be doing
all work as falcon which is not right). But we may will not have a mechanism
to get the kerberos context for the incoming user unless we make it a
requirement that we get the keytab for the requesting user for recipes to login
as that user. So, we will have to get the delegation tokens for the
requesting user and pass it to the spawned process and process those token in
the spawned process
> Move trusted recipe processing to server side
> ---------------------------------------------
>
> Key: FALCON-1107
> URL: https://issues.apache.org/jira/browse/FALCON-1107
> Project: Falcon
> Issue Type: Sub-task
> Reporter: Sowmya Ramesh
> Assignee: Sowmya Ramesh
> Labels: Recipe
> Fix For: trunk
>
> Attachments: ApacheFalcon-RecipeDesignDocument.pdf
>
>
> Today Recipe cooking is a client side logic. Recipe also supports extensions
> i.e. user can cook his/her own custom recipes.
> Decision to make it client side logic was for the following reasons
> * Keep it isolated from falcon server
> * As custom recipe cooking is supported, user recipes can introduce
> security vulnerabilities and also can bring down the falcon server
> Today, falcon provides HDFS DR recipe out of the box. There is a plan to add
> UI support for DR in Falcon.
> Rest API support cannot be added for recipe as it is client side processing.
> If the UI is pure java script[JS] then all the recipe cooking logic has to be
> repeated in JS. This is not a feasible solution - if more recipes are added
> say DR for hive, hbase and others, UI won't be extensible.
> For the above mentioned reasons Recipe should me made a server side logic.
> Provided/Trusted recipes [recipes provided out of the box] can run as Falcon
> process. Recipe cooking will be done in a new process if its custom recipe
> [user code].
> For cooking of custom recipes, design proposed should consider handling
> security implications, handling the issues where the custom user code can
> bring down the Falcon server (trapping System.exit), handling class path
> isolation.
> Also it shouldn't in anyway destabilize the Falcon system.
> There are couple of approaches which was discussed
> *Approach 1:*
> Custom Recipe cooking can be carried out separately in another Oozie WF, this
> will ensure isolation. Oozie already has the ability to schedule jobs as a
> user and handles all the security aspects of it.
> Pros:
> - Provides isolation
> - Piggyback on Oozie as it already provides the required functionality
> Cons:
> - As recipe processing is done in different WF, from operations point of view
> user cannot figure out recipe processing status and thus adds to the
> operational pain. Operational issue with this approach is said to be the
> overall
> apparatus needed to monitor and manage the recipe-cooking workflows.
> Oozie scheduling can bring arbitrary delays Granted we can design around the
> limitations and make use of the strengths of the approach but it seems
> something we can avoid if we can.
> - There has been few discussions to move away from Oozie as scheduling engine
> for Falcon. If this is the plan going forward its good not to add new
> functionality using oozie.
> *Approach 2:*
> Custom recipe cooking is done on the server side in a separate independent
> process than Falcon process I.e. It runs in a different JVM. Throttling
> should be added for how many recipe cooking processes can be launched keeping
> in mind the machine configuration.
> Pros:
> - Provides isolation as recipe cooking is done in a independent process
> Cons:
> - Performance overhead as new process is launched for custom recipe cooking
> - Adds more complexity to the system
> This bug will be used to move recipe processing for trusted recipes to server
> side.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
