Hi there,

Oozie has a basic authorization model:

- Users have read access to all jobs
- Users have write access to their own jobs
- Users have write access to jobs based on an Access Control List (list of users and groups)
- Users have read access to admin operations
- Admin users have write access to all jobs
- Admin users have write access to admin operations

If security is disabled all users are admin users.

Oozie security is set via the following configuration property (default value shown):

oozie.service.AuthorizationService.security.enabled=false

NOTE: the old ACL model where a group was provided is still supported if the following property is set in oozie-site.xml:

oozie.service.AuthorizationService.default.group.as.acl=true

So you can define Oozie ACLs similar to Hadoop ACLs using the oozie.job.acl property in your workflows' configuration.

For more information:

- https://oozie.apache.org/docs/4.3.0/WorkflowFunctionalSpec.html#a6_User_Propagation
- https://oozie.apache.org/docs/4.3.0/AG_Install.html#Oozie_Hadoop_Authentication_Configuration
- Hadoop security by Ben Spivey & Joey Echeverria (book published by O'Reilly Media)

On Wed, Feb 21, 2018 at 9:46 AM, Pierre Villard <[email protected]> wrote:

> Hi,
>
> Wondering if there is a way to define ACLs so that a user can
> start/stop/kill a workflow launched by another user (in kerberized
> cluster)?
>
> The use case is the following: users a, b and c are working on a project X
> and a business user has been created for project A. This business user is
> used to launch the workflow. Problem is: users are connecting to Hue as a,
> b, or c and they are not able to control the workflow. Is there a way to
> say, for example, that if a user belongs to the same LDAP group as the
> business user, the user is allowed to stop a workflow?
>
> Thanks
>

--
Attila Sasvari
Software Engineer
<http://www.cloudera.com/>
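
The write-access rules listed in the reply above, modelled as an added example that is not part of the original thread and is not Oozie's own code. It assumes oozie.job.acl holds a comma-separated list of user and group names; the user names, the "projectx" group and the group lookup table are constructed for illustration.

```python
# Illustrative model of the authorization rules in the message; not Oozie source.
from dataclasses import dataclass


@dataclass(frozen=True)
class Job:
    owner: str      # user who submitted the workflow
    acl: str = ""   # value of oozie.job.acl (assumed comma-separated)


def acl_entries(acl):
    """Split an ACL string into a set of user/group names, ignoring blanks."""
    return {entry.strip() for entry in acl.split(",") if entry.strip()}


def can_write(user, job, *, security_enabled, admins, groups_of):
    """Return True if `user` may start/stop/kill `job` under the listed rules."""
    if not security_enabled:
        return True          # security disabled: all users are admin users
    if user in admins:
        return True          # admin users have write access to all jobs
    if user == job.owner:
        return True          # users have write access to their own jobs
    entries = acl_entries(job.acl)
    # ACL match on the user name itself or on any group the user belongs to.
    return user in entries or bool(entries & groups_of.get(user, set()))


# Constructed sample data: a business user launches the workflow for project X.
GROUPS = {"a": {"projectx"}, "b": {"projectx"}, "d": {"other"}}
ADMINS = {"oozieadmin"}
WITH_ACL = Job(owner="bizuser", acl="projectx")
NO_ACL = Job(owner="bizuser")


def decisions(security_enabled=True):
    """Write decisions for the sample users, keyed by (user, job label)."""
    check = lambda u, j: can_write(u, j, security_enabled=security_enabled,
                                   admins=ADMINS, groups_of=GROUPS)
    return {(u, label): check(u, job)
            for u in ("a", "d", "bizuser", "oozieadmin")
            for label, job in (("acl", WITH_ACL), ("no_acl", NO_ACL))}


if __name__ == "__main__":
    for key, allowed in sorted(decisions().items()):
        print(key, "write allowed" if allowed else "write denied")
```

With security disabled every entry comes back allowed, which is why the default value of oozie.service.AuthorizationService.security.enabled matters on a shared cluster.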
