[jira] [Commented] (OOZIE-3196) Authorization: restrict world readability by user
[
https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16948453#comment-16948453
]
Hadoop QA commented on OOZIE-3196:
--
Testing JIRA OOZIE-3196
Cleaning local git workspace
{color:red}-1{color} Patch failed to apply to head of branch
> Authorization: restrict world readability by user
> -
>
> Key: OOZIE-3196
> URL: https://issues.apache.org/jira/browse/OOZIE-3196
> Project: Oozie
> Issue Type: New Feature
> Components: bundle, coordinator, workflow
>Affects Versions: 5.0.0b1, 5.0.0
>Reporter: Andras Piros
>Assignee: Mate Juhasz
>Priority: Major
> Fix For: 5.3.0
>
> Attachments: OOZIE-3196.001.patch
>
>
> The [*current authorization
> model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the
> enterprise requirements as everything is readable and writable by everyone by
> default.
> Write access can be restricted using authorization but restricting read
> rights is only possible via Yarn ACLs and HDFS rights which still does not
> prevent accessing the workflow, coordinator or bundle job’s configurations
> for everyone.
> Improve authorization so it’s possible to configure read/write access for
> workflows, coordinators, and bundles in a more granular way. Could involve
> Sentry during implementation or create and design a new system that fits the
> needs.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OOZIE-3196) Authorization: restrict world readability by user
[ https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16948433#comment-16948433 ] Hadoop QA commented on OOZIE-3196: -- PreCommit-OOZIE-Build started > Authorization: restrict world readability by user > - > > Key: OOZIE-3196 > URL: https://issues.apache.org/jira/browse/OOZIE-3196 > Project: Oozie > Issue Type: New Feature > Components: bundle, coordinator, workflow >Affects Versions: 5.0.0b1, 5.0.0 >Reporter: Andras Piros >Assignee: Mate Juhasz >Priority: Major > Fix For: 5.3.0 > > Attachments: OOZIE-3196.001.patch > > > The [*current authorization > model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the > enterprise requirements as everything is readable and writable by everyone by > default. > Write access can be restricted using authorization but restricting read > rights is only possible via Yarn ACLs and HDFS rights which still does not > prevent accessing the workflow, coordinator or bundle job’s configurations > for everyone. > Improve authorization so it’s possible to configure read/write access for > workflows, coordinators, and bundles in a more granular way. Could involve > Sentry during implementation or create and design a new system that fits the > needs. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (OOZIE-3196) Authorization: restrict world readability by user
[ https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16812246#comment-16812246 ] Mate Juhasz commented on OOZIE-3196: [~orova] thank you for letting me to take over the remaining tasks. I would like to get introduced with the related code parts first, then I will update the jira, hopefully with a POC. > Authorization: restrict world readability by user > - > > Key: OOZIE-3196 > URL: https://issues.apache.org/jira/browse/OOZIE-3196 > Project: Oozie > Issue Type: New Feature > Components: bundle, coordinator, workflow >Affects Versions: 5.0.0b1, 5.0.0 >Reporter: Andras Piros >Assignee: Mate Juhasz >Priority: Major > Fix For: 5.2.0 > > Attachments: OOZIE-3196.001.patch > > > The [*current authorization > model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the > enterprise requirements as everything is readable and writable by everyone by > default. > Write access can be restricted using authorization but restricting read > rights is only possible via Yarn ACLs and HDFS rights which still does not > prevent accessing the workflow, coordinator or bundle job’s configurations > for everyone. > Improve authorization so it’s possible to configure read/write access for > workflows, coordinators, and bundles in a more granular way. Could involve > Sentry during implementation or create and design a new system that fits the > needs. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (OOZIE-3196) Authorization: restrict world readability by user
[ https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16796927#comment-16796927 ] Hadoop QA commented on OOZIE-3196: -- PreCommit-OOZIE-Build started > Authorization: restrict world readability by user > - > > Key: OOZIE-3196 > URL: https://issues.apache.org/jira/browse/OOZIE-3196 > Project: Oozie > Issue Type: New Feature > Components: bundle, coordinator, workflow >Affects Versions: 5.0.0b1, 5.0.0 >Reporter: Andras Piros >Assignee: Peter Orova >Priority: Major > Fix For: 5.2.0 > > Attachments: OOZIE-3196.001.patch > > > The [*current authorization > model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the > enterprise requirements as everything is readable and writable by everyone by > default. > Write access can be restricted using authorization but restricting read > rights is only possible via Yarn ACLs and HDFS rights which still does not > prevent accessing the workflow, coordinator or bundle job’s configurations > for everyone. > Improve authorization so it’s possible to configure read/write access for > workflows, coordinators, and bundles in a more granular way. Could involve > Sentry during implementation or create and design a new system that fits the > needs. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (OOZIE-3196) Authorization: restrict world readability by user
[
https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16796938#comment-16796938
]
Hadoop QA commented on OOZIE-3196:
--
Testing JIRA OOZIE-3196
Cleaning local git workspace
{color:red}-1{color} Patch failed to apply to head of branch
> Authorization: restrict world readability by user
> -
>
> Key: OOZIE-3196
> URL: https://issues.apache.org/jira/browse/OOZIE-3196
> Project: Oozie
> Issue Type: New Feature
> Components: bundle, coordinator, workflow
>Affects Versions: 5.0.0b1, 5.0.0
>Reporter: Andras Piros
>Assignee: Peter Orova
>Priority: Major
> Fix For: 5.2.0
>
> Attachments: OOZIE-3196.001.patch
>
>
> The [*current authorization
> model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the
> enterprise requirements as everything is readable and writable by everyone by
> default.
> Write access can be restricted using authorization but restricting read
> rights is only possible via Yarn ACLs and HDFS rights which still does not
> prevent accessing the workflow, coordinator or bundle job’s configurations
> for everyone.
> Improve authorization so it’s possible to configure read/write access for
> workflows, coordinators, and bundles in a more granular way. Could involve
> Sentry during implementation or create and design a new system that fits the
> needs.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (OOZIE-3196) Authorization: restrict world readability by user
[ https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16796921#comment-16796921 ] Julia Kinga Marton commented on OOZIE-3196: --- [~orova] can you please rebase your patch on top of the actual master? > Authorization: restrict world readability by user > - > > Key: OOZIE-3196 > URL: https://issues.apache.org/jira/browse/OOZIE-3196 > Project: Oozie > Issue Type: New Feature > Components: bundle, coordinator, workflow >Affects Versions: 5.0.0b1, 5.0.0 >Reporter: Andras Piros >Assignee: Peter Orova >Priority: Major > Fix For: 5.2.0 > > Attachments: OOZIE-3196.001.patch > > > The [*current authorization > model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the > enterprise requirements as everything is readable and writable by everyone by > default. > Write access can be restricted using authorization but restricting read > rights is only possible via Yarn ACLs and HDFS rights which still does not > prevent accessing the workflow, coordinator or bundle job’s configurations > for everyone. > Improve authorization so it’s possible to configure read/write access for > workflows, coordinators, and bundles in a more granular way. Could involve > Sentry during implementation or create and design a new system that fits the > needs. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (OOZIE-3196) Authorization: restrict world readability by user
[
https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16591448#comment-16591448
]
Hadoop QA commented on OOZIE-3196:
--
Testing JIRA OOZIE-3196
Cleaning local git workspace
{color:red}-1{color} Patch failed to apply to head of branch
> Authorization: restrict world readability by user
> -
>
> Key: OOZIE-3196
> URL: https://issues.apache.org/jira/browse/OOZIE-3196
> Project: Oozie
> Issue Type: New Feature
> Components: bundle, coordinator, workflow
>Affects Versions: 5.0.0b1, 5.0.0
>Reporter: Andras Piros
>Assignee: Peter Orova
>Priority: Major
> Fix For: 5.1.0
>
> Attachments: OOZIE-3196.001.patch
>
>
> The [*current authorization
> model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the
> enterprise requirements as everything is readable and writable by everyone by
> default.
> Write access can be restricted using authorization but restricting read
> rights is only possible via Yarn ACLs and HDFS rights which still does not
> prevent accessing the workflow, coordinator or bundle job’s configurations
> for everyone.
> Improve authorization so it’s possible to configure read/write access for
> workflows, coordinators, and bundles in a more granular way. Could involve
> Sentry during implementation or create and design a new system that fits the
> needs.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (OOZIE-3196) Authorization: restrict world readability by user
[ https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16591442#comment-16591442 ] Hadoop QA commented on OOZIE-3196: -- PreCommit-OOZIE-Build started > Authorization: restrict world readability by user > - > > Key: OOZIE-3196 > URL: https://issues.apache.org/jira/browse/OOZIE-3196 > Project: Oozie > Issue Type: New Feature > Components: bundle, coordinator, workflow >Affects Versions: 5.0.0b1, 5.0.0 >Reporter: Andras Piros >Assignee: Peter Orova >Priority: Major > Fix For: 5.1.0 > > Attachments: OOZIE-3196.001.patch > > > The [*current authorization > model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the > enterprise requirements as everything is readable and writable by everyone by > default. > Write access can be restricted using authorization but restricting read > rights is only possible via Yarn ACLs and HDFS rights which still does not > prevent accessing the workflow, coordinator or bundle job’s configurations > for everyone. > Improve authorization so it’s possible to configure read/write access for > workflows, coordinators, and bundles in a more granular way. Could involve > Sentry during implementation or create and design a new system that fits the > needs. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (OOZIE-3196) Authorization: restrict world readability by user
[ https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16591432#comment-16591432 ] Andras Piros commented on OOZIE-3196: - [~orova] do you have time to work on this issue in the near future? > Authorization: restrict world readability by user > - > > Key: OOZIE-3196 > URL: https://issues.apache.org/jira/browse/OOZIE-3196 > Project: Oozie > Issue Type: New Feature > Components: bundle, coordinator, workflow >Affects Versions: 5.0.0b1, 5.0.0 >Reporter: Andras Piros >Assignee: Peter Orova >Priority: Major > Fix For: 5.1.0 > > Attachments: OOZIE-3196.001.patch > > > The [*current authorization > model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the > enterprise requirements as everything is readable and writable by everyone by > default. > Write access can be restricted using authorization but restricting read > rights is only possible via Yarn ACLs and HDFS rights which still does not > prevent accessing the workflow, coordinator or bundle job’s configurations > for everyone. > Improve authorization so it’s possible to configure read/write access for > workflows, coordinators, and bundles in a more granular way. Could involve > Sentry during implementation or create and design a new system that fits the > needs. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (OOZIE-3196) Authorization: restrict world readability by user
[
https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16438632#comment-16438632
]
Denes Bodo commented on OOZIE-3196:
---
[~orova]
{noformat}
Hello Denes Bodo!
Thank you for your suggestion. I agree that an ACL like capability would bring
value, although I believe a better way of doing that would be by providing an
authorization API that could be used by 3rd party applications. What do you
think?
{noformat}
I agree with the API and I think Oozie should have a default(basic)
implementation for this API to not have to wait much for the
Ranger/Santry/etc.. solution.
> Authorization: restrict world readability by user
> -
>
> Key: OOZIE-3196
> URL: https://issues.apache.org/jira/browse/OOZIE-3196
> Project: Oozie
> Issue Type: New Feature
> Components: bundle, coordinator, workflow
>Affects Versions: 5.0.0b1, 5.0.0
>Reporter: Andras Piros
>Assignee: Peter Orova
>Priority: Major
> Fix For: 5.1.0
>
> Attachments: OOZIE-3196.001.patch
>
>
> The [*current authorization
> model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the
> enterprise requirements as everything is readable and writable by everyone by
> default.
> Write access can be restricted using authorization but restricting read
> rights is only possible via Yarn ACLs and HDFS rights which still does not
> prevent accessing the workflow, coordinator or bundle job’s configurations
> for everyone.
> Improve authorization so it’s possible to configure read/write access for
> workflows, coordinators, and bundles in a more granular way. Could involve
> Sentry during implementation or create and design a new system that fits the
> needs.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (OOZIE-3196) Authorization: restrict world readability by user
[
https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16437589#comment-16437589
]
Hadoop QA commented on OOZIE-3196:
--
Testing JIRA OOZIE-3196
Cleaning local git workspace
{color:green}+1 PATCH_APPLIES{color}
{color:green}+1 CLEAN{color}
{color:red}-1 RAW_PATCH_ANALYSIS{color}
.{color:green}+1{color} the patch does not introduce any @author tags
.{color:green}+1{color} the patch does not introduce any tabs
.{color:green}+1{color} the patch does not introduce any trailing spaces
.{color:red}-1{color} the patch contains 5 line(s) longer than 132
characters
.{color:green}+1{color} the patch adds/modifies 3 testcase(s)
{color:green}+1 RAT{color}
.{color:green}+1{color} the patch does not seem to introduce new RAT
warnings
{color:green}+1 JAVADOC{color}
.{color:green}+1{color} the patch does not seem to introduce new Javadoc
warnings
{color:green}+1 COMPILE{color}
.{color:green}+1{color} HEAD compiles
.{color:green}+1{color} patch compiles
.{color:green}+1{color} the patch does not seem to introduce new javac
warnings
{color:green}+1{color} There are no new bugs found in total.
. {color:green}+1{color} There are no new bugs found in [examples].
. {color:green}+1{color} There are no new bugs found in [webapp].
. {color:green}+1{color} There are no new bugs found in [core].
. {color:green}+1{color} There are no new bugs found in [tools].
. {color:green}+1{color} There are no new bugs found in [server].
. {color:green}+1{color} There are no new bugs found in [docs].
. {color:green}+1{color} There are no new bugs found in [sharelib/hive2].
. {color:green}+1{color} There are no new bugs found in [sharelib/pig].
. {color:green}+1{color} There are no new bugs found in [sharelib/streaming].
. {color:green}+1{color} There are no new bugs found in [sharelib/hive].
. {color:green}+1{color} There are no new bugs found in [sharelib/hcatalog].
. {color:green}+1{color} There are no new bugs found in [sharelib/sqoop].
. {color:green}+1{color} There are no new bugs found in [sharelib/oozie].
. {color:green}+1{color} There are no new bugs found in [sharelib/distcp].
. {color:green}+1{color} There are no new bugs found in [sharelib/spark].
. {color:green}+1{color} There are no new bugs found in [client].
{color:green}+1 BACKWARDS_COMPATIBILITY{color}
.{color:green}+1{color} the patch does not change any JPA
Entity/Colum/Basic/Lob/Transient annotations
.{color:green}+1{color} the patch does not modify JPA files
{color:red}-1 TESTS{color}
.Tests run: 2125
.Tests failed: 1
.Tests errors: 1
.The patch failed the following testcases:
testCoordActionRecoveryServiceForWaitingRegisterPartition(org.apache.oozie.service.TestRecoveryService)
.Tests failing with errors:
testConnectionRetry(org.apache.oozie.service.TestJMSAccessorService)
.{color:orange}Tests failed at first run:{color}
TestJavaActionExecutor#testCredentialsSkip
TestCoordActionInputCheckXCommandNonUTC>TestCoordActionInputCheckXCommand#testNone
TestOozieDBCLI#testOozieDBCLI
.For the complete list of flaky tests, see TEST-SUMMARY-FULL files.
{color:green}+1 DISTRO{color}
.{color:green}+1{color} distro tarball builds with the patch
{color:red}*-1 Overall result, please check the reported -1(s)*{color}
The full output of the test-patch run is available at
. https://builds.apache.org/job/PreCommit-OOZIE-Build/481/
> Authorization: restrict world readability by user
> -
>
> Key: OOZIE-3196
> URL: https://issues.apache.org/jira/browse/OOZIE-3196
> Project: Oozie
> Issue Type: New Feature
> Components: bundle, coordinator, workflow
>Affects Versions: 5.0.0b1, 5.0.0
>Reporter: Andras Piros
>Assignee: Peter Orova
>Priority: Major
> Fix For: 5.1.0
>
> Attachments: OOZIE-3196.001.patch
>
>
> The [*current authorization
> model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the
> enterprise requirements as everything is readable and writable by everyone by
> default.
> Write access can be restricted using authorization but restricting read
> rights is only possible via Yarn ACLs and HDFS rights which still does not
> prevent accessing the workflow, coordinator or bundle job’s configurations
> for everyone.
> Improve authorization so it’s possible to configure read/write access for
> workflows, coordinators, and bundles in a more granular way. Could involve
> Sentry during implementation or create and design a new system that fits the
> needs.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (OOZIE-3196) Authorization: restrict world readability by user
[ https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16437455#comment-16437455 ] Hadoop QA commented on OOZIE-3196: -- PreCommit-OOZIE-Build started > Authorization: restrict world readability by user > - > > Key: OOZIE-3196 > URL: https://issues.apache.org/jira/browse/OOZIE-3196 > Project: Oozie > Issue Type: New Feature > Components: bundle, coordinator, workflow >Affects Versions: 5.0.0b1, 5.0.0 >Reporter: Andras Piros >Assignee: Peter Orova >Priority: Major > Fix For: 5.1.0 > > Attachments: OOZIE-3196.001.patch > > > The [*current authorization > model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the > enterprise requirements as everything is readable and writable by everyone by > default. > Write access can be restricted using authorization but restricting read > rights is only possible via Yarn ACLs and HDFS rights which still does not > prevent accessing the workflow, coordinator or bundle job’s configurations > for everyone. > Improve authorization so it’s possible to configure read/write access for > workflows, coordinators, and bundles in a more granular way. Could involve > Sentry during implementation or create and design a new system that fits the > needs. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (OOZIE-3196) Authorization: restrict world readability by user
[ https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16437411#comment-16437411 ] Peter Orova commented on OOZIE-3196: WIP Patch - Web UI portions are not complete contains implementation for OOZIE-3217 > Authorization: restrict world readability by user > - > > Key: OOZIE-3196 > URL: https://issues.apache.org/jira/browse/OOZIE-3196 > Project: Oozie > Issue Type: New Feature > Components: bundle, coordinator, workflow >Affects Versions: 5.0.0b1, 5.0.0 >Reporter: Andras Piros >Assignee: Peter Orova >Priority: Major > Fix For: 5.1.0 > > Attachments: OOZIE-3196.001.patch > > > The [*current authorization > model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the > enterprise requirements as everything is readable and writable by everyone by > default. > Write access can be restricted using authorization but restricting read > rights is only possible via Yarn ACLs and HDFS rights which still does not > prevent accessing the workflow, coordinator or bundle job’s configurations > for everyone. > Improve authorization so it’s possible to configure read/write access for > workflows, coordinators, and bundles in a more granular way. Could involve > Sentry during implementation or create and design a new system that fits the > needs. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (OOZIE-3196) Authorization: restrict world readability by user
[ https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16437029#comment-16437029 ] Peter Orova commented on OOZIE-3196: Hello [~dionusos]! Thank you for your suggestion. I agree that an ACL like capability would bring value, although I believe a better way of doing that would be by providing an authorization API that could be used by 3rd party applications. What do you think? > Authorization: restrict world readability by user > - > > Key: OOZIE-3196 > URL: https://issues.apache.org/jira/browse/OOZIE-3196 > Project: Oozie > Issue Type: New Feature > Components: bundle, coordinator, workflow >Affects Versions: 5.0.0b1, 5.0.0 >Reporter: Andras Piros >Assignee: Peter Orova >Priority: Major > Fix For: 5.1.0 > > > The [*current authorization > model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the > enterprise requirements as everything is readable and writable by everyone by > default. > Write access can be restricted using authorization but restricting read > rights is only possible via Yarn ACLs and HDFS rights which still does not > prevent accessing the workflow, coordinator or bundle job’s configurations > for everyone. > Improve authorization so it’s possible to configure read/write access for > workflows, coordinators, and bundles in a more granular way. Could involve > Sentry during implementation or create and design a new system that fits the > needs. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (OOZIE-3196) Authorization: restrict world readability by user
[
https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16430276#comment-16430276
]
Denes Bodo commented on OOZIE-3196:
---
Hello [~orova], [~andras.piros]!
The "basic" 3-level solution sounds great and seems very easy to understand and
use if you do not want user-based policies.
I would extend this suggestion with the following:
In my opinion with an ACL-like solution level3 should be extended as a level4.
I think we should define users (,groups) and allow/permit operations to them.
E.g.
{noformat}
ACTOR;OPERATION;MODE;PERMISSION
user1;WORKFLOW;CREATE;ALLOWED
user1;COORDINATOR;READ;DENIED
user2;ACTION_SHELL;;DENIED
#...
{noformat}
> Authorization: restrict world readability by user
> -
>
> Key: OOZIE-3196
> URL: https://issues.apache.org/jira/browse/OOZIE-3196
> Project: Oozie
> Issue Type: New Feature
> Components: bundle, coordinator, workflow
>Affects Versions: 5.0.0b1
>Reporter: Andras Piros
>Assignee: Peter Orova
>Priority: Major
>
> The [*current authorization
> model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the
> enterprise requirements as everything is readable and writable by everyone by
> default.
> Write access can be restricted using authorization but restricting read
> rights is only possible via Yarn ACLs and HDFS rights which still does not
> prevent accessing the workflow, coordinator or bundle job’s configurations
> for everyone.
> Improve authorization so it’s possible to configure read/write access for
> workflows, coordinators, and bundles in a more granular way. Could involve
> Sentry during implementation or create and design a new system that fits the
> needs.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (OOZIE-3196) Authorization: restrict world readability by user
[ https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16430243#comment-16430243 ] Peter Orova commented on OOZIE-3196: Some follow up: 1./ In the minimal viable product described by [~andras.piros] and [~dbist13], it seems that the authorization level of non-admin user in the current authorization scheme is not present. I.e. a user with read privileges on 'all' does not exist. Such user could be useful when creating dashboards and such. What do you all think? 2./ As far as the different levels of authorization that should be enforced, as discussed with [~andras.piros] offline, a three level schema seems reasonable with the following levels: level1 - no authorization level2 - currently existing authorization (admins, and plain users - the latter having read privileges on all) level3 - restricted (admins, users having r/w privileges on 'owned' items, possibly service user(s) having read only access) Could you share your thoughts on this? > Authorization: restrict world readability by user > - > > Key: OOZIE-3196 > URL: https://issues.apache.org/jira/browse/OOZIE-3196 > Project: Oozie > Issue Type: New Feature > Components: bundle, coordinator, workflow >Affects Versions: 5.0.0b1 >Reporter: Andras Piros >Assignee: Peter Orova >Priority: Major > > The [*current authorization > model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the > enterprise requirements as everything is readable and writable by everyone by > default. > Write access can be restricted using authorization but restricting read > rights is only possible via Yarn ACLs and HDFS rights which still does not > prevent accessing the workflow, coordinator or bundle job’s configurations > for everyone. > Improve authorization so it’s possible to configure read/write access for > workflows, coordinators, and bundles in a more granular way. Could involve > Sentry during implementation or create and design a new system that fits the > needs. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (OOZIE-3196) Authorization: restrict world readability by user
[
https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16425269#comment-16425269
]
Andras Piros commented on OOZIE-3196:
-
[~orova] just having talked to [~dbist13] offline. We think following is
important to reach a minimum viable product grade:
# be able to login / authenticate per user (configurable via {{oozie-site.xml}}
deploy time)
# most UI tabs only viewable to {{admin}}
# secure REST calls for not logged in / not {{admin}} users outside of
workflow, coordinator, and bundle listing / info
# filter workflow, coordinator, and bundle listing / info REST calls for not
logged in / not {{admin}} users
# test UI and CLI that these work like expected
> Authorization: restrict world readability by user
> -
>
> Key: OOZIE-3196
> URL: https://issues.apache.org/jira/browse/OOZIE-3196
> Project: Oozie
> Issue Type: New Feature
> Components: bundle, coordinator, workflow
>Affects Versions: 5.0.0b1
>Reporter: Andras Piros
>Assignee: Peter Orova
>Priority: Major
>
> The [*current authorization
> model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the
> enterprise requirements as everything is readable and writable by everyone by
> default.
> Write access can be restricted using authorization but restricting read
> rights is only possible via Yarn ACLs and HDFS rights which still does not
> prevent accessing the workflow, coordinator or bundle job’s configurations
> for everyone.
> Improve authorization so it’s possible to configure read/write access for
> workflows, coordinators, and bundles in a more granular way. Could involve
> Sentry during implementation or create and design a new system that fits the
> needs.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (OOZIE-3196) Authorization: restrict world readability by user
[ https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16425248#comment-16425248 ] Peter Orova commented on OOZIE-3196: I think that from an integration perspective, securing the REST endpoints is the most impactful, and as such that should have the highest priority. The CLI uses the REST endpoints, so securing the REST takes care of that too. Not sure about the popularity of the UI, but I agree that it should also be addressed. > Authorization: restrict world readability by user > - > > Key: OOZIE-3196 > URL: https://issues.apache.org/jira/browse/OOZIE-3196 > Project: Oozie > Issue Type: New Feature > Components: bundle, coordinator, workflow >Affects Versions: 5.0.0b1 >Reporter: Andras Piros >Assignee: Peter Orova >Priority: Major > > The [*current authorization > model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the > enterprise requirements as everything is readable and writable by everyone by > default. > Write access can be restricted using authorization but restricting read > rights is only possible via Yarn ACLs and HDFS rights which still does not > prevent accessing the workflow, coordinator or bundle job’s configurations > for everyone. > Improve authorization so it’s possible to configure read/write access for > workflows, coordinators, and bundles in a more granular way. Could involve > Sentry during implementation or create and design a new system that fits the > needs. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (OOZIE-3196) Authorization: restrict world readability by user
[ https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16424481#comment-16424481 ] Artem Ervits commented on OOZIE-3196: - In order of priority: 1. Prevent UI access to private information 2. Prevent REST API access to private information 3. Prevent CLI access to private information > Authorization: restrict world readability by user > - > > Key: OOZIE-3196 > URL: https://issues.apache.org/jira/browse/OOZIE-3196 > Project: Oozie > Issue Type: New Feature > Components: bundle, coordinator, workflow >Affects Versions: 5.0.0b1 >Reporter: Andras Piros >Assignee: Peter Orova >Priority: Major > > The [*current authorization > model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the > enterprise requirements as everything is readable and writable by everyone by > default. > Write access can be restricted using authorization but restricting read > rights is only possible via Yarn ACLs and HDFS rights which still does not > prevent accessing the workflow, coordinator or bundle job’s configurations > for everyone. > Improve authorization so it’s possible to configure read/write access for > workflows, coordinators, and bundles in a more granular way. Could involve > Sentry during implementation or create and design a new system that fits the > needs. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (OOZIE-3196) Authorization: restrict world readability by user
[ https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16418626#comment-16418626 ] Peter Orova commented on OOZIE-3196: +1 for the internal implementation [~dbist13]. Let's focus first on the implementations necessary within Oozie, having in mind the possible integration patterns with external tools. As to the granularity, the best would be to secure the whole REST Api and the different use cases will have to be mapped to that. e.g. do we want to grant access to an "ordinary" user on oozie server configs? on server state? on the workflow list? > Authorization: restrict world readability by user > - > > Key: OOZIE-3196 > URL: https://issues.apache.org/jira/browse/OOZIE-3196 > Project: Oozie > Issue Type: New Feature > Components: bundle, coordinator, workflow >Affects Versions: 5.0.0b1 >Reporter: Andras Piros >Assignee: Peter Orova >Priority: Major > > The [*current authorization > model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the > enterprise requirements as everything is readable and writable by everyone by > default. > Write access can be restricted using authorization but restricting read > rights is only possible via Yarn ACLs and HDFS rights which still does not > prevent accessing the workflow, coordinator or bundle job’s configurations > for everyone. > Improve authorization so it’s possible to configure read/write access for > workflows, coordinators, and bundles in a more granular way. Could involve > Sentry during implementation or create and design a new system that fits the > needs. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (OOZIE-3196) Authorization: restrict world readability by user
[ https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16415705#comment-16415705 ] Artem Ervits commented on OOZIE-3196: - I heard from another client who's only concerned with who submitted the job and when etc, as underlining actions are already governed by their respective authorization mechanisms, in their case Ranger. > Authorization: restrict world readability by user > - > > Key: OOZIE-3196 > URL: https://issues.apache.org/jira/browse/OOZIE-3196 > Project: Oozie > Issue Type: New Feature > Components: bundle, coordinator, workflow >Affects Versions: 5.0.0b1 >Reporter: Andras Piros >Priority: Major > > The [*current authorization > model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the > enterprise requirements as everything is readable and writable by everyone by > default. > Write access can be restricted using authorization but restricting read > rights is only possible via Yarn ACLs and HDFS rights which still does not > prevent accessing the workflow, coordinator or bundle job’s configurations > for everyone. > Improve authorization so it’s possible to configure read/write access for > workflows, coordinators, and bundles in a more granular way. Could involve > Sentry during implementation or create and design a new system that fits the > needs. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (OOZIE-3196) Authorization: restrict world readability by user
[ https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16407651#comment-16407651 ] Denes Bodo commented on OOZIE-3196: --- I agree with the direction. :) That would be necessary to know/decide the use cases and the scenarios, how the user wants to configure the access/restriction. How about a new AuthorizationService which we can extend to support multiple providers? This service could be used from an HTTP Filter, or deeper in the flow. Also how do we want to use it: resource(WF,Bundle,Coordinator,Actions...), user, group, read/write/? > Authorization: restrict world readability by user > - > > Key: OOZIE-3196 > URL: https://issues.apache.org/jira/browse/OOZIE-3196 > Project: Oozie > Issue Type: New Feature > Components: bundle, coordinator, workflow >Affects Versions: 5.0.0b1 >Reporter: Andras Piros >Priority: Major > > The [*current authorization > model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the > enterprise requirements as everything is readable and writable by everyone by > default. > Write access can be restricted using authorization but restricting read > rights is only possible via Yarn ACLs and HDFS rights which still does not > prevent accessing the workflow, coordinator or bundle job’s configurations > for everyone. > Improve authorization so it’s possible to configure read/write access for > workflows, coordinators, and bundles in a more granular way. Could involve > Sentry during implementation or create and design a new system that fits the > needs. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (OOZIE-3196) Authorization: restrict world readability by user
[ https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16406625#comment-16406625 ] Artem Ervits commented on OOZIE-3196: - this is a wonderful idea, at the minimum, implementation should be internal to Oozie not (Sentry, Ranger) specific. There should be a property file with Oozie authorizations and provide an interface for external projects to tap into. Do we want this for per workflow, per coordinator, per bundle, per action? feedback I got from customers is that they want jobs to be more private, prevent user from seeing a workflow, see job.properties (passwords). > Authorization: restrict world readability by user > - > > Key: OOZIE-3196 > URL: https://issues.apache.org/jira/browse/OOZIE-3196 > Project: Oozie > Issue Type: New Feature > Components: bundle, coordinator, workflow >Affects Versions: 5.0.0b1 >Reporter: Andras Piros >Priority: Major > > The [*current authorization > model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the > enterprise requirements as everything is readable and writable by everyone by > default. > Write access can be restricted using authorization but restricting read > rights is only possible via Yarn ACLs and HDFS rights which still does not > prevent accessing the workflow, coordinator or bundle job’s configurations > for everyone. > Improve authorization so it’s possible to configure read/write access for > workflows, coordinators, and bundles in a more granular way. Could involve > Sentry during implementation or create and design a new system that fits the > needs. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
