Posted to dev@oozie.apache.org by "Artem Ervits (JIRA)" <ji...@apache.org> on 2018/03/20 16:33:00 UTC

[jira] [Comment Edited] (OOZIE-3196) Authorization: restrict world readability by user

    [ https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16406625#comment-16406625 ] 

Artem Ervits edited comment on OOZIE-3196 at 3/20/18 4:32 PM:
--------------------------------------------------------------

This is a wonderful idea. At a minimum, the implementation should be internal to Oozie, not (Sentry, Ranger) specific. There should be a property file with Oozie authorizations, and it should provide an interface for external projects to tap into.

Do we want this per workflow, per coordinator, per bundle, per action?

Feedback I got from customers is that they want jobs to be more private: prevent a user from seeing a workflow, job.properties (passwords), job logs, etc.


was (Author: dbist13):
This is a wonderful idea. At a minimum, the implementation should be internal to Oozie, not (Sentry, Ranger) specific. There should be a property file with Oozie authorizations, and it should provide an interface for external projects to tap into.

Do we want this per workflow, per coordinator, per bundle, per action?

Feedback I got from customers is that they want jobs to be more private: prevent a user from seeing a workflow, job.properties (passwords).

> Authorization: restrict world readability by user
> -------------------------------------------------
>
>                 Key: OOZIE-3196
>                 URL: https://issues.apache.org/jira/browse/OOZIE-3196
>             Project: Oozie
>          Issue Type: New Feature
>          Components: bundle, coordinator, workflow
>    Affects Versions: 5.0.0b1
>            Reporter: Andras Piros
>            Priority: Major
>
> The [*current authorization model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the enterprise requirements as everything is readable and writable by everyone by default.
> Write access can be restricted using authorization but restricting read rights is only possible via Yarn ACLs and HDFS rights which still does not prevent accessing the workflow, coordinator or bundle job’s configurations for everyone.
> Improve authorization so it’s possible to configure read/write access for workflows, coordinators, and bundles in a more granular way. Could involve Sentry during implementation or create and design a new system that fits the needs.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)