[ https://issues.apache.org/jira/browse/FALCON-464?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14090877#comment-14090877 ]
Venkatesh Seetharam commented on FALCON-464:
--------------------------------------------
bq. Should we skip this for GET APIs? Since there is no read/write control as
such, we should at least allow everyone to view the instance/entity status

Not sure if that makes sense. Let's take the use case for a monitoring tool - we
would want to provide lifecycle management functions like kill, rerun, suspend,
resume, etc. along with each entity or its instance.
Also, why would someone be interested in some other pipeline? Makes sense?
> Enforce Authorization for REST API
> ----------------------------------
>
> Key: FALCON-464
> URL: https://issues.apache.org/jira/browse/FALCON-464
> Project: Falcon
> Issue Type: Sub-task
> Components: process
> Affects Versions: 0.6
> Reporter: Venkatesh Seetharam
> Assignee: Venkatesh Seetharam
> Labels: authorization, security
> Fix For: 0.6
>
> Attachments: FALCON-464-review.patch, FALCON-464.patch
>
>
> Only owner of entities can execute CRUD but no one else.
> Cluster and Feed entities are world-readable by default. Process entity can
> only be read by the owner and group.
> Input feeds must be readable and output feeds be writable by the process
> owner?