[ https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16425269#comment-16425269 ]
Andras Piros commented on OOZIE-3196: ------------------------------------- [~orova] just having talked to [~dbist13] offline. We think following is important to reach a minimum viable product grade: # be able to login / authenticate per user (configurable via {{oozie-site.xml}} deploy time) # most UI tabs only viewable to {{admin}} # secure REST calls for not logged in / not {{admin}} users outside of workflow, coordinator, and bundle listing / info # filter workflow, coordinator, and bundle listing / info REST calls for not logged in / not {{admin}} users # test UI and CLI that these work like expected > Authorization: restrict world readability by user > ------------------------------------------------- > > Key: OOZIE-3196 > URL: https://issues.apache.org/jira/browse/OOZIE-3196 > Project: Oozie > Issue Type: New Feature > Components: bundle, coordinator, workflow > Affects Versions: 5.0.0b1 > Reporter: Andras Piros > Assignee: Peter Orova > Priority: Major > > The [*current authorization > model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the > enterprise requirements as everything is readable and writable by everyone by > default. > Write access can be restricted using authorization but restricting read > rights is only possible via Yarn ACLs and HDFS rights which still does not > prevent accessing the workflow, coordinator or bundle job’s configurations > for everyone. > Improve authorization so it’s possible to configure read/write access for > workflows, coordinators, and bundles in a more granular way. Could involve > Sentry during implementation or create and design a new system that fits the > needs. -- This message was sent by Atlassian JIRA (v7.6.3#76005)