[
https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16430276#comment-16430276
]
Denes Bodo commented on OOZIE-3196:
-----------------------------------
Hello [~orova], [~andras.piros]!
The "basic" 3-level solution sounds great and seems very easy to understand and
use if you do not want user-based policies.
I would extend this suggestion with the following:
In my opinion with an ACL-like solution level3 should be extended as a level4.
I think we should define users (,groups) and allow/permit operations to them.
E.g.
{noformat}
ACTOR;OPERATION;MODE;PERMISSION
user1;WORKFLOW;CREATE;ALLOWED
user1;COORDINATOR;READ;DENIED
user2;ACTION_SHELL;;DENIED
#...
{noformat}
> Authorization: restrict world readability by user
> -------------------------------------------------
>
> Key: OOZIE-3196
> URL: https://issues.apache.org/jira/browse/OOZIE-3196
> Project: Oozie
> Issue Type: New Feature
> Components: bundle, coordinator, workflow
> Affects Versions: 5.0.0b1
> Reporter: Andras Piros
> Assignee: Peter Orova
> Priority: Major
>
> The [*current authorization
> model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the
> enterprise requirements as everything is readable and writable by everyone by
> default.
> Write access can be restricted using authorization but restricting read
> rights is only possible via Yarn ACLs and HDFS rights which still does not
> prevent accessing the workflow, coordinator or bundle job’s configurations
> for everyone.
> Improve authorization so it’s possible to configure read/write access for
> workflows, coordinators, and bundles in a more granular way. Could involve
> Sentry during implementation or create and design a new system that fits the
> needs.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
