Andras Piros commented on OOZIE-3196:

[~orova] just having talked to [~dbist13] offline. We think following is 
important to reach a minimum viable product grade:
# be able to login / authenticate per user (configurable via {{oozie-site.xml}} 
deploy time)
# most UI tabs only viewable to {{admin}}
# secure REST calls for not logged in / not {{admin}} users outside of 
workflow, coordinator, and bundle listing / info
# filter workflow, coordinator, and bundle listing / info REST calls for not 
logged in / not {{admin}} users
# test UI and CLI that these work like expected

> Authorization: restrict world readability by user
> -------------------------------------------------
>                 Key: OOZIE-3196
>                 URL: https://issues.apache.org/jira/browse/OOZIE-3196
>             Project: Oozie
>          Issue Type: New Feature
>          Components: bundle, coordinator, workflow
>    Affects Versions: 5.0.0b1
>            Reporter: Andras Piros
>            Assignee: Peter Orova
>            Priority: Major
> The [*current authorization 
> model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the 
> enterprise requirements as everything is readable and writable by everyone by 
> default.
> Write access can be restricted using authorization but restricting read 
> rights is only possible via Yarn ACLs and HDFS rights which still does not 
> prevent accessing the workflow, coordinator or bundle job’s configurations 
> for everyone.
> Improve authorization so it’s possible to configure read/write access for 
> workflows, coordinators, and bundles in a more granular way. Could involve 
> Sentry during implementation or create and design a new system that fits the 
> needs.

This message was sent by Atlassian JIRA

Reply via email to