Posted to dev@falcon.apache.org by "Balu Vellanki (JIRA)" <ji...@apache.org> on 2014/08/07 19:38:12 UTC

[jira] [Commented] (FALCON-400) Add Authorization for Entities

    [ https://issues.apache.org/jira/browse/FALCON-400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14089503#comment-14089503 ] 

Balu Vellanki commented on FALCON-400:
--------------------------------------

Reviewed subtask patches for Falcon 400. I checked out the latest code from the master branch at https://github.com/apache/incubator-falcon on Thursday afternoon PST, applied the patches from Jira 279, and ran the following command.

(master)$ mvn clean verify -Phadoop-2,test-patch

The build failed with an error saying 
[ERROR] /Users/bvellanki/SourceCode/apache-falcon/incubator-falcon/webapp/src/test/java/org/apache/falcon/validation/ClusterEntityValidationIT.java:[24,42] cannot find symbol
[ERROR] symbol  : class ACL
[ERROR] location: package org.apache.falcon.entity.v0.cluster


I realized that the code necessary for the build to pass is in the patches in the remaining subtasks. So I applied the patches from JIRA 462, 463, 464, 466, 468 and 557 in that order. The build still failed with the following error.

Tests run: 32, Failures: 2, Errors: 0, Skipped: 0, Time elapsed: 2.284 sec <<< FAILURE! - in org.apache.falcon.entity.parser.FeedEntityParserTest
testValidateACLBadOwner(org.apache.falcon.entity.parser.FeedEntityParserTest)  Time elapsed: 0.021 sec  <<< FAILURE!
org.testng.TestException:
Expected exception org.apache.falcon.entity.parser.ValidationException but got java.lang.AssertionError: Validation exception should have been thrown for invalid owner
at org.testng.Assert.fail(Assert.java:89)
at org.apache.falcon.entity.parser.FeedEntityParserTest.testValidateACLBadOwner(FeedEntityParserTest.java:609)
testValidateACLBadOwnerAndGroup(org.apache.falcon.entity.parser.FeedEntityParserTest)  Time elapsed: 0.017 sec  <<< FAILURE!
org.testng.TestException:
Expected exception org.apache.falcon.entity.parser.ValidationException but got java.lang.AssertionError: Validation exception should have been thrown for invalid owner


That said, I went ahead and looked at the individual files, and I have the following feedback/questions for the patches.

1) Why have the following method in AbstractTestBase.java at line 147:
protected String getGroupName() throws IOException {
        return getGroupName(true);
}

I don't see a need for this class.

2) Unit tests in ClusterEntityParserTest.java do not cover the following methods in ClusterEntityParser.java  
validateACL(cluster);
validateLocations(cluster);

The corresponding tests for FeedEntityParser.java and ProcessEntityParser.java call the parser.validate() method, which in turn calls validateACL(...) and validateLocations(...)

testValidateACLWithNoACLAndAuthorizationEnabled and testValidateACLAuthorizationEnabled should call ClusterEntityParser.validate() 

3) The method ClusterEntityValidationIT.testValidateLocations() is empty with a TODO comment in it. Should this be updated before committing in Apache Git?

4) DefaultAuthorizationProvider.authorizeEntity() does not check if the user who is listed to an entity.getGroups has rwx permission on the Entity. Some actions like “update” and “delete” need the user who is not owner (but belongs to the group) to have rwx permissions, without which we should not allow edit API calls.

If this is not supported, I don't see a real need for having permissions as part of the ACL. 

A user who is not the owner, but belongs to the groups, should be able to
- schedule/rerun a process only if the group has +x permission
- update/schedule/delete a process, entity only if the group has +w permission

5) HadoopClientFactoryTest.testCreateFileSystemWithUser()  hardcodes username seetharam ... not sure if this is acceptable.


> Add Authorization for Entities
> ------------------------------
>
>                 Key: FALCON-400
>                 URL: https://issues.apache.org/jira/browse/FALCON-400
>             Project: Falcon
>          Issue Type: New Feature
>    Affects Versions: 0.5
>            Reporter: Venkatesh Seetharam
>              Labels: authorization, security
>
> FALCON-11 addresses authentication as part of security. This should address authorization of entities. An entity can only be modified or deleted by the user who created this entity. 



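The group-permission rule requested in point 4 of the comment above, as an added example (not code from the reviewed patches or from Falcon). The class, enum and method names are hypothetical, the nine-character POSIX-style permission string is an assumption, and because the comment lists "schedule" under both +x and +w, this sketch requires both bits for it.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Added illustration; all names here are hypothetical, not Falcon's API. */
public class GroupAclCheck {

    enum Action { UPDATE, DELETE, SCHEDULE, RERUN }

    /** Constructed ACL model: owner, group and a string such as "rwxr-x---" (assumed format). */
    static final class Acl {
        final String owner, group, permission;
        Acl(String owner, String group, String permission) {
            // Reject malformed permission strings up front instead of guessing at bits.
            if (permission == null || !permission.matches("([r-][w-][x-]){3}")) {
                throw new IllegalArgumentException("bad permission: " + permission);
            }
            this.owner = owner; this.group = group; this.permission = permission;
        }
        // Group bits are characters 3..5 of the nine-character string.
        boolean groupCan(char bit) { return permission.substring(3, 6).indexOf(bit) >= 0; }
    }

    static boolean isAuthorized(String user, Set<String> userGroups, Acl acl, Action action) {
        if (acl.owner.equals(user)) {
            return true;                       // assumption: the owner keeps full control
        }
        if (!userGroups.contains(acl.group)) {
            return false;                      // neither owner nor group member: deny
        }
        switch (action) {
            case UPDATE:
            case DELETE:   return acl.groupCan('w');
            case RERUN:    return acl.groupCan('x');
            case SCHEDULE: return acl.groupCan('x') && acl.groupCan('w');
            default:       return false;       // unknown action: fail closed
        }
    }

    public static void main(String[] args) {
        Acl acl = new Acl("alice", "etl", "rwxr-x---");   // constructed sample values
        Set<String> bobGroups = new HashSet<>(Arrays.asList("etl", "users"));
        System.out.println(isAuthorized("bob", bobGroups, acl, Action.RERUN));
        System.out.println(isAuthorized("bob", bobGroups, acl, Action.DELETE));
        System.out.println(isAuthorized("alice", new HashSet<>(), acl, Action.DELETE));
    }
}
```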