You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@falcon.apache.org by "Balu Vellanki (JIRA)" <ji...@apache.org> on 2015/10/01 23:47:28 UTC
[jira] [Updated] (FALCON-1055) Inconsistent behaviour of
entity/instance operations regarding authorization
[ https://issues.apache.org/jira/browse/FALCON-1055?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Balu Vellanki updated FALCON-1055:
----------------------------------
Issue Type: Sub-task (was: Bug)
Parent: FALCON-1367
> Inconsistent behaviour of entity/instance operations regarding authorization
> ----------------------------------------------------------------------------
>
> Key: FALCON-1055
> URL: https://issues.apache.org/jira/browse/FALCON-1055
> Project: Falcon
> Issue Type: Sub-task
> Components: client, feed, process
> Affects Versions: 0.7
> Reporter: Pragya Mittal
>
> While performing API operations on entity(process/feed/cluster) for non-ACL owner (different from ACL OWNER and which does not belong to ACL GROUP) , inconsistent behaviour is reported.
> - Can list entities
> {code}
> dataqa@ip-192-168-138-200:/usr/lib/falcon/falconPrism/bin$ sudo -u oozie ./falcon entity -type feed -list
> (FEED) FeedAclTestTry--raaw
> (FEED) ELExpFutureAndLatestTest--raaw-logs16-ddc91917
> (FEED) ProcessInstanceRunningTest--raaw-logs16-93197d85
> (FEED) FeedAclTestTry--raaw-logs16-d6375244
> (FEED) ProcessInstanceRunningTest--agregated-logs16-3109a564
> {code}
> - Can define entities
> {code}
> dataqa@ip-192-168-138-200:/usr/lib/falcon/falconPrism/bin$ sudo -u oozie ./falcon entity -type feed -name FeedAclTestTry--raaw -definition
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <feed name="FeedAclTestTry--raaw" description="clicks log" xmlns="uri:falcon:feed:0.1">
> <partitions>
> <partition name="country"/>
> <partition name="colo"/>
> </partitions>
> <frequency>minutes(20)</frequency>
> <timezone>UTC</timezone>
> <late-arrival cut-off="hours(6)"/>
> <clusters>
> <cluster name="FeedAclTestTry--corp-450c9f4a" type="source">
> <validity start="2009-02-01T00:00Z" end="2099-05-01T00:00Z"/>
> <retention limit="months(9000)" action="delete"/>
> </cluster>
> </clusters>
> <locations>
> <location type="data" path="/tmp/falcon-regression/FeedAclTestTry/input/${YEAR}/${MONTH}/${DAY}/${HOUR}/${MINUTE}"/>
> <location type="stats" path="/projects/falcon/clicksStats"/>
> <location type="meta" path="/projects/falcon/clicksMetaData"/>
> </locations>
> <ACL owner="pragyamittal" group="dataqa" permission="*"/>
> <schema location="/schema/clicks" provider="protobuf"/>
> <properties>
> <property name="field1" value="value1"/>
> <property name="field2" value="value2"/>
> </properties>
> </feed>
> {code}
> - Can look for dependency
> {code}
> dataqa@ip-192-168-138-200:/usr/lib/falcon/falconPrism/bin$ sudo -u oozie ./falcon entity -type feed -name FeedAclTestTry--raaw -dependency
> (cluster) FeedAclTestTry--corp-450c9f4a
> {code}
> - Can delete
> {code}
> dataqa@ip-192-168-138-200:/usr/lib/falcon/falconPrism/bin$ sudo -u oozie ./falcon entity -type feed -name FeedAclTestTry--raaw -delete
> falcon/ua1/FeedAclTestTry--raaw(feed) removed successfully (KILLED in ENGINE)
> prism/FeedAclTestTry--raaw(feed) removed successfully
> {code}
> - Cant update
> {code}
> dataqa@ip-192-168-138-200:/usr/lib/falcon/falconPrism/bin$ sudo -u oozie ./falcon entity -type process -name ProcessInstanceRunningTest--agregator-coord16-e1fd7fae -file ~/pragya/processNew.xml -update
> Stacktrace:
> org.apache.falcon.client.FalconCLIException: Bad Request;ua1/org.apache.hadoop.security.authorize.AuthorizationException: org.apache.hadoop.security.authorize.AuthorizationException: org.apache.hadoop.security.authorize.AuthorizationException: Permission denied: authenticatedUser=oozie not entity owner=pragyamittal, entity=ProcessInstanceRunningTest--agregator-coord16-e1fd7fae, action=submit
> at org.apache.falcon.client.FalconCLIException.fromReponse(FalconCLIException.java:44)
> at org.apache.falcon.client.FalconClient.checkIfSuccessful(FalconClient.java:985)
> at org.apache.falcon.client.FalconClient.update(FalconClient.java:337)
> at org.apache.falcon.cli.FalconCLI.entityCommand(FalconCLI.java:398)
> at org.apache.falcon.cli.FalconCLI.run(FalconCLI.java:184)
> at org.apache.falcon.cli.FalconCLI.main(FalconCLI.java:134)
> {code}
> - Cant suspend
> {code}
> dataqa@ip-192-168-138-200:/usr/lib/falcon/falconPrism/bin$ sudo -u oozie ./falcon entity -type process -name ProcessInstanceRunningTest--agregator-coord16-e1fd7fae -suspend
> Stacktrace:
> org.apache.falcon.client.FalconCLIException: Bad Request;ua1/org.apache.falcon.FalconException::org.apache.falcon.FalconException: {"errorCode":403,"errorMessage":"org.apache.hadoop.security.authorize.AuthorizationException: org.apache.hadoop.security.authorize.AuthorizationException: Permission denied: authenticatedUser=oozie not entity owner=pragyamittal, entity=ProcessInstanceRunningTest--agregator-coord16-e1fd7fae, action=suspend","requestId":"931475624@qtp-380412694-4 - d532a446-2edd-46ee-863b-b7da59da6897"}
> at org.apache.falcon.client.FalconCLIException.fromReponse(FalconCLIException.java:44)
> at org.apache.falcon.client.FalconClient.checkIfSuccessful(FalconClient.java:985)
> at org.apache.falcon.client.FalconClient.sendEntityRequest(FalconClient.java:598)
> at org.apache.falcon.client.FalconClient.suspend(FalconClient.java:294)
> at org.apache.falcon.cli.FalconCLI.entityCommand(FalconCLI.java:415)
> at org.apache.falcon.cli.FalconCLI.run(FalconCLI.java:184)
> at org.apache.falcon.cli.FalconCLI.main(FalconCLI.java:134)
> {code}
> - Cant resume
> {code}
> dataqa@ip-192-168-138-200:/usr/lib/falcon/falconPrism/bin$ sudo -u oozie ./falcon entity -type process -name ProcessInstanceRunningTest--agregator-coord16-e1fd7fae -resume
> Stacktrace:
> org.apache.falcon.client.FalconCLIException: Bad Request;ua1/org.apache.falcon.FalconException::org.apache.falcon.FalconException: {"errorCode":403,"errorMessage":"org.apache.hadoop.security.authorize.AuthorizationException: org.apache.hadoop.security.authorize.AuthorizationException: Permission denied: authenticatedUser=oozie not entity owner=pragyamittal, entity=ProcessInstanceRunningTest--agregator-coord16-e1fd7fae, action=resume","requestId":"931475624@qtp-380412694-4 - 4bae6360-c5d1-45db-9eb2-183f1598c383"}
> at org.apache.falcon.client.FalconCLIException.fromReponse(FalconCLIException.java:44)
> at org.apache.falcon.client.FalconClient.checkIfSuccessful(FalconClient.java:985)
> at org.apache.falcon.client.FalconClient.sendEntityRequest(FalconClient.java:598)
> at org.apache.falcon.client.FalconClient.resume(FalconClient.java:301)
> at org.apache.falcon.cli.FalconCLI.entityCommand(FalconCLI.java:419)
> at org.apache.falcon.cli.FalconCLI.run(FalconCLI.java:184)
> at org.apache.falcon.cli.FalconCLI.main(FalconCLI.java:134)
> {code}
> - Cant perform touch
> {code}
> dataqa@ip-192-168-138-200:/usr/lib/falcon/falconPrism/bin$ sudo -u oozie ./falcon entity -type process -name ProcessInstanceRunningTest--agregator-coord16-e1fd7fae -touch
> Stacktrace:
> org.apache.falcon.client.FalconCLIException: Bad Request;ua1/org.apache.falcon.FalconException::org.apache.falcon.FalconException: {"errorCode":403,"errorMessage":"org.apache.hadoop.security.authorize.AuthorizationException: org.apache.hadoop.security.authorize.AuthorizationException: Permission denied: authenticatedUser=oozie not entity owner=pragyamittal, entity=ProcessInstanceRunningTest--agregator-coord16-e1fd7fae, action=touch","requestId":"931475624@qtp-380412694-4 - c68b0f4c-c1c6-432c-b815-140c81ce5e99"}
> at org.apache.falcon.client.FalconCLIException.fromReponse(FalconCLIException.java:44)
> at org.apache.falcon.client.FalconClient.checkIfSuccessful(FalconClient.java:985)
> at org.apache.falcon.client.FalconClient.touch(FalconClient.java:395)
> at org.apache.falcon.cli.FalconCLI.entityCommand(FalconCLI.java:460)
> at org.apache.falcon.cli.FalconCLI.run(FalconCLI.java:184)
> at org.apache.falcon.cli.FalconCLI.main(FalconCLI.java:134)
> {code}
> - Cant perform status
> {code}
> dataqa@ip-192-168-138-200:/usr/lib/falcon/falconPrism/bin$ sudo -u oozie ./falcon entity -type feed -name FeedAclTestTry--raaw-logs16-d6375244 -status
> Stacktrace:
> org.apache.falcon.client.FalconCLIException: Bad Request;ua1/org.apache.falcon.FalconException::org.apache.falcon.FalconException: {"errorCode":403,"errorMessage":"org.apache.hadoop.security.authorize.AuthorizationException: org.apache.hadoop.security.authorize.AuthorizationException: Permission denied: authenticatedUser=oozie not entity owner=pragyamittal, entity=FeedAclTestTry--raaw-logs16-d6375244, action=status","requestId":"931475624@qtp-380412694-4 - 5573e2f5-076d-45d2-ba7e-bc63525fcd92"}
> at org.apache.falcon.client.FalconCLIException.fromReponse(FalconCLIException.java:44)
> at org.apache.falcon.client.FalconClient.checkIfSuccessful(FalconClient.java:985)
> at org.apache.falcon.client.FalconClient.sendEntityRequest(FalconClient.java:598)
> at org.apache.falcon.client.FalconClient.getStatus(FalconClient.java:352)
> at org.apache.falcon.cli.FalconCLI.entityCommand(FalconCLI.java:427)
> at org.apache.falcon.cli.FalconCLI.run(FalconCLI.java:184)
> at org.apache.falcon.cli.FalconCLI.main(FalconCLI.java:134)
> {code}
> *Can someone please explain the expected behaviour of entities especially with respect to delete(write operation) and status(read operation).*
> Although non-ACL owner cannot perform any operation (read/write) on instances. Below is the error it throws :
> {code}
> sudo -u oozie ./falcon instance -type process -name ProcessInstanceRunningTest--agregator-coord16-e1fd7fae -start 2010-01-02T01:00Z -end 2010-01-02T01:11Z -status
> Stacktrace:
> org.apache.falcon.client.FalconCLIException: Bad Request;ua1/org.apache.falcon.FalconException::org.apache.falcon.FalconException: {"errorCode":403,"errorMessage":"org.apache.hadoop.security.authorize.AuthorizationException: org.apache.hadoop.security.authorize.AuthorizationException: Permission denied: authenticatedUser=oozie not entity owner=pragyamittal, entity=ProcessInstanceRunningTest--agregator-coord16-e1fd7fae, action=status","requestId":"931475624@qtp-380412694-4 - 6eb3e0c7-2877-4cb0-8a36-bef0b285ccc5"}
> {code}
> Same error is thrown by below commands saying org.apache.hadoop.security.authorize.AuthorizationException
> {code}
> sudo -u oozie ./falcon instance -type process -name ProcessInstanceRunningTest--agregator-coord16-e1fd7fae -start 2010-01-02T01:00Z -end 2010-01-02T01:11Z -kill
> sudo -u oozie ./falcon instance -type process -name ProcessInstanceRunningTest--agregator-coord16-e1fd7fae -start 2010-01-02T01:00Z -end 2010-01-02T01:11Z -params
> sudo -u oozie ./falcon instance -type process -name ProcessInstanceRunningTest--agregator-coord16-e1fd7fae -start 2010-01-02T01:00Z -end 2010-01-02T01:11Z -logs
> sudo -u oozie ./falcon instance -type process -name ProcessInstanceRunningTest--agregator-coord16-e1fd7fae -start 2010-01-02T01:00Z -end 2010-01-02T01:11Z -running
> sudo -u oozie ./falcon instance -type process -name ProcessInstanceRunningTest--agregator-coord16-e1fd7fae -start 2010-01-02T01:00Z -end 2010-01-02T01:11Z -resume
> sudo -u oozie ./falcon instance -type process -name ProcessInstanceRunningTest--agregator-coord16-e1fd7fae -start 2010-01-02T01:00Z -end 2010-01-02T01:11Z -suspend
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)