Posted to commits@oozie.apache.org by an...@apache.org on 2018/06/19 11:37:05 UTC

oozie git commit: OOZIE-3275 [docs] Update AG_Install.twiki with Access Control List documentation (andras.piros)

Repository: oozie
Updated Branches:
  refs/heads/master 8a0a6487d -> 442ffd696


OOZIE-3275 [docs] Update AG_Install.twiki with Access Control List documentation (andras.piros)


Project: http://git-wip-us.apache.org/repos/asf/oozie/repo
Commit: http://git-wip-us.apache.org/repos/asf/oozie/commit/442ffd69
Tree: http://git-wip-us.apache.org/repos/asf/oozie/tree/442ffd69
Diff: http://git-wip-us.apache.org/repos/asf/oozie/diff/442ffd69

Branch: refs/heads/master
Commit: 442ffd6963ec30b33088018cf0fb2648a32e9571
Parents: 8a0a648
Author: Andras Piros <an...@cloudera.com>
Authored: Tue Jun 19 13:26:52 2018 +0200
Committer: Andras Piros <an...@cloudera.com>
Committed: Tue Jun 19 13:26:52 2018 +0200

----------------------------------------------------------------------
 docs/src/site/twiki/AG_Install.twiki | 34 +++++++++++++++++++++++++++++++
 release-log.txt                      |  1 +
 2 files changed, 35 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/oozie/blob/442ffd69/docs/src/site/twiki/AG_Install.twiki
----------------------------------------------------------------------
diff --git a/docs/src/site/twiki/AG_Install.twiki b/docs/src/site/twiki/AG_Install.twiki
index 2d48d43..46363a3 100644
--- a/docs/src/site/twiki/AG_Install.twiki
+++ b/docs/src/site/twiki/AG_Install.twiki
@@ -524,6 +524,8 @@ in =oozie-site.xml=:
   oozie.service.AuthorizationService.default.group.as.acl=true
 </verbatim>
 
+---++++ Defining Admin Users
+
 Admin users are determined from the list of admin groups, specified in
  =oozie.service.AuthorizationService.admin.groups= property. Use commas to separate multiple groups, spaces, tabs
 and ENTER characters are trimmed.
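Review bot: the sentence sitting directly under the new `+---++++ Defining Admin Users` heading, "Use commas to separate multiple groups, spaces, tabs and ENTER characters are trimmed", is a comma splice that now reads as if spaces and tabs are also separators; since this change puts a heading right above it, split it into two sentences ("Use commas to separate multiple groups. Spaces, tabs and newline characters are trimmed.").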
@@ -541,6 +543,38 @@ and ENTER characters are trimmed.
 In case there are admin users defined using both methods, the effective list of admin users will be the union
 of the admin users found in the adminusers.txt and those specified with =oozie.serviceAuthorizationService.admin.users=.
 
+---++++ Defining Access Control Lists
+
+Access Control Lists are defined in the following ways:
+   * workflow job submission over CLI: configuration property =group.name= of =job.properties=
+   * workflow job submission over HTTP: configuration property =group.name= of the XML submitted over HTTP
+   * workflow job re-run: configuration property =oozie.job.acl= (preferred) or configuration property =group.name= of
+   =job.properties=
+   * coordinator job submission over CLI: configuration property =oozie.job.acl= (preferred) or configuration property =group.name=
+   of =job.properties=
+   * bundle job submission over CLI: configuration property =oozie.job.acl= (preferred) or configuration property =group.name= of
+   =job.properties=
+
+For all other workflow, coordinator, or bundle actions the ACL set in beforehand will be used as basis.
+
+Once the ACL for the job is defined, Oozie will check over HDFS whether the user trying to perform a specific action is part of the
+necessary group(s). For implementation details please check out =org.apache.hadoop.security.Groups#getGroups(String user)=.
+
+Note that it's enough that the submitting user be part of at least one group of the ACL. Note also that the ACL can contain user
+names as well. If there is an ACL defined and the submitting user isn't part of any group or user name present in the ACL, an
+=AuthorizationException= is thrown.
+
+*Example: A typical ACL setup*
+
+Detail of =job.properties= on workflow job submission:
+<verbatim>
+user.name=joe
+group.name=marketing,admin,qa,root
+<verbatim>
+
+HDFS group membership of HDFS user =joe= is =qa=. That is, the check to =org.apache.hadoop.security.Groups#getGroups("joe")= returns
+=qa=. Hence, ACL check will pass inside =AuthorizationService=, because the =user.name= provided belongs to at least of the ACL list
+elements provided as =group.name=.
 
 ---+++ Oozie System ID Configuration
 
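Review bot: the example block opened by `+<verbatim>` before `+user.name=joe` / `+group.name=marketing,admin,qa,root` is never closed: the second `+<verbatim>` after it should be `+</verbatim>`, otherwise the twiki renderer will treat everything that follows, including the `---+++ Oozie System ID Configuration` heading, as preformatted text. In the closing paragraph, "belongs to at least of the ACL list elements" is missing a word (read "at least one of the ACL elements"), and "the ACL set in beforehand will be used as basis" would read better as "the ACL set beforehand is used as the basis". The bullet list names =oozie.job.acl= as the preferred property for re-runs, coordinator and bundle submissions, yet the only worked example uses =group.name=; a second short =job.properties= snippet showing =oozie.job.acl= would make the preferred form concrete. The unchanged context line just above the new section still reads =oozie.serviceAuthorizationService.admin.users= (missing the dot after =service=), which is worth fixing while this section is being edited.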

http://git-wip-us.apache.org/repos/asf/oozie/blob/442ffd69/release-log.txt
----------------------------------------------------------------------
diff --git a/release-log.txt b/release-log.txt
index cfb558c..aaf0d59 100644
--- a/release-log.txt
+++ b/release-log.txt
@@ -1,5 +1,6 @@
 -- Oozie 5.1.0 release (trunk - unreleased)
 
+OOZIE-3275 [docs] Update AG_Install.twiki with Access Control List documentation (andras.piros)
 OOZIE-2339 [fluent-job] Minimum Viable Fluent Job API (daniel.becker, andras.piros via rkanter, gezapeti, pbacsko)
 OOZIE-3224 Upgrade Jetty to 9.3 (kmarton via andras.piros)
 OOZIE-3284 Upgrade maven-javadoc-plugin to 3.0.1 (kmarton via pbacsko, andras.piros)