Eugene Shevchuk created OOZIE-1498:
--------------------------------------
Summary: Any user is allowed to manage job not as owner
Key: OOZIE-1498
URL: https://issues.apache.org/jira/browse/OOZIE-1498
Project: Oozie
Issue Type: Bug
Reporter: Eugene Shevchuk
The problem was that anonymous users are enabled in the Oozie configuration. It
leads to the following problem. When a user's token has expired,
PseudoAuthenticationHandler searches for the user.name parameter in the request.
Obviously, it can't find it because the client doesn't know anything about the
expired token. So the auth handler assumes that the user is anonymous and returns
an anonymous token with username=null. The Oozie server can't deal with the doAs
parameter and an anonymous request simultaneously because a 500 error will occur
(user is null).
By default this option is disabled so any user can manage any job. Now it's
disabled by default.
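The fallback described in the report, as an added example that is not code from Oozie or Hadoop: a simplified Python model of the decision path (valid token, then `user.name`, then the anonymous setting) and of the `doAs` failure with a null user. The names `Token`, `Rejected`, `authenticate`, `handle`, the `anonymous_allowed` flag and the one-hour token lifetime are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Token:
    user: Optional[str]  # None models the anonymous token (username=null)
    expires: float       # absolute expiry time, in seconds


class Rejected(Exception):
    """Raised when the modelled handler refuses to issue a token."""


def authenticate(params, token, anonymous_allowed, now):
    """Model of the pseudo-authentication decision described in the report."""
    # A token that has not expired is accepted as-is.
    if token is not None and token.expires > now:
        return token
    # Expired or missing token: fall back to the user.name request parameter.
    user = params.get("user.name")
    if user:
        return Token(user, now + 3600)  # constructed lifetime
    # No user.name either: the outcome depends on the anonymous setting.
    if anonymous_allowed:
        return Token(None, now + 3600)
    raise Rejected("anonymous requests are disallowed")


def handle(params, token, anonymous_allowed, now=1000.0):
    """Return (outcome, authenticated_user) for one modelled request."""
    try:
        issued = authenticate(params, token, anonymous_allowed, now)
    except Rejected:
        return ("rejected", None)
    # doAs needs a real authenticated user to act on behalf of someone;
    # with username=null the report says the server answers with a 500.
    if "doAs" in params and issued.user is None:
        return ("error-500", None)
    return ("ok", issued.user)


# Constructed sample requests: the client still holds an expired token and,
# not knowing it has expired, does not send user.name.
EXPIRED = Token("bob", expires=500.0)
VALID = Token("bob", expires=5000.0)

if __name__ == "__main__":
    for allowed in (True, False):
        print(allowed, handle({"doAs": "alice"}, EXPIRED, allowed))
        print(allowed, handle({}, EXPIRED, allowed))
```

With the anonymous setting on, the expired-token request without `doAs` proceeds with no identity at all, which is the case an authorization check keyed on the user name cannot evaluate.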