[
https://issues.apache.org/jira/browse/OOZIE-1498?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Eugene Shevchuk updated OOZIE-1498:
-----------------------------------
Description: The problem was that anonymous users are enabled in the Oozie
configuration. It can lead to the following problem. When a user's token is
expired, PseudoAuthenticationHandler searches for the user.name parameter in
the request. Obviously, it can't find it because the client doesn't know
anything about the expired token. So the auth handler assumes that the user is
anonymous and returns an anonymous token with username=null. The Oozie server
can't deal with a doAs parameter and an anonymous request simultaneously
because a 500 error will occur (user is null). By default this option is
disabled so any user can manage any job. Now it's disabled by default (was:
The problem was that anonymous users are enabled in the Oozie configuration.
It leads to the following problem. When a user's token is expired,
PseudoAuthenticationHandler searches for the user.name parameter in the
request. Obviously, it can't find it because the client doesn't know anything
about the expired token. So the auth handler assumes that the user is
anonymous and returns an anonymous token with username=null. The Oozie server
can't deal with a doAs parameter and an anonymous request simultaneously
because a 500 error will occur (user is null). By default this option is
disabled so any user can manage any job. Now it's disabled by default)
> Any user is allowed to manage job not as owner
> ----------------------------------------------
>
> Key: OOZIE-1498
> URL: https://issues.apache.org/jira/browse/OOZIE-1498
> Project: Oozie
> Issue Type: Bug
> Reporter: Eugene Shevchuk
> Attachments: fix.patch
>
>
> The problem was that anonymous users are enabled in the Oozie configuration.
> It can lead to the following problem. When a user's token is expired,
> PseudoAuthenticationHandler searches for the user.name parameter in the
> request. Obviously, it can't find it because the client doesn't know anything
> about the expired token. So the auth handler assumes that the user is
> anonymous and returns an anonymous token with username=null. The Oozie server
> can't deal with a doAs parameter and an anonymous request simultaneously
> because a 500 error will occur (user is null). By default this option is
> disabled so any user can manage any job. Now it's disabled by default
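The flow described in the issue, as an added example that is not Oozie or Hadoop source and not part of the original message: a simplified Java model of a pseudo-authentication handler with and without the anonymous fallback. The class, the method names and the `anonymousAllowed` flag are assumptions made for illustration; the flag stands in for the anonymous-access setting (`oozie.authentication.simple.anonymous.allowed` in Oozie's configuration).

```java
import java.util.Map;

// Simplified model of the flow in the issue description; not Hadoop or Oozie code.
public class AnonymousFallbackDemo {
    // Status codes the modelled server can return.
    static final int OK = 200, UNAUTHORIZED = 401, SERVER_ERROR = 500;

    // Models the pseudo handler: it trusts user.name and can fall back to anonymous.
    // Returns the user name, or null to represent the anonymous token.
    static String authenticate(Map<String, String> query, boolean anonymousAllowed) {
        String user = query.get("user.name");
        if (user != null && !user.isEmpty()) return user;
        if (anonymousAllowed) return null;              // anonymous token, username=null
        throw new SecurityException("user.name missing and anonymous requests disallowed");
    }

    // Models the server: a valid cookie token wins; an expired one forces re-authentication.
    static int handle(String cookieUser, boolean cookieExpired,
                      Map<String, String> query, boolean anonymousAllowed) {
        String user;
        if (cookieUser != null && !cookieExpired) {
            user = cookieUser;
        } else {
            try {
                user = authenticate(query, anonymousAllowed);
            } catch (SecurityException e) {
                return UNAUTHORIZED;                    // client is told to authenticate again
            }
        }
        String doAs = query.get("doAs");
        // The proxy-user check needs a real caller; a null user is the 500 from the issue.
        if (doAs != null && user == null) return SERVER_ERROR;
        return OK;
    }

    public static void main(String[] args) {
        // Constructed request: the client relies on its cookie, so it sends doAs
        // but no user.name parameter.
        Map<String, String> query = Map.of("doAs", "alice");
        System.out.println("valid token:            " + handle("svc", false, query, true));
        System.out.println("expired, anonymous on:  " + handle("svc", true, query, true));
        System.out.println("expired, anonymous off: " + handle("svc", true, query, false));
    }
}
```

With the fallback off, the expired-token request is rejected at the authentication step, so the client can re-authenticate instead of the request reaching the doAs handling with a null user.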