Posted to dev@oozie.apache.org by "Andras Piros (JIRA)" <ji...@apache.org> on 2018/03/14 08:58:00 UTC

[jira] [Updated] (OOZIE-2880) Improve documentation on Oozie authentication and authorization configuration

     [ https://issues.apache.org/jira/browse/OOZIE-2880?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andras Piros updated OOZIE-2880:
--------------------------------
    Affects Version/s: 5.0.0b1

> Improve documentation on Oozie authentication and authorization configuration
> -----------------------------------------------------------------------------
>
>                 Key: OOZIE-2880
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2880
>             Project: Oozie
>          Issue Type: Improvement
>    Affects Versions: 5.0.0b1
>            Reporter: Attila Sasvari
>            Priority: Major
>
> h4. Authentication
> [Documentation of Oozie authentication|https://oozie.apache.org/docs/4.3.0/AG_Install.html#Oozie_User_Authentication_Configuration] is slightly incorrect.
> {quote}
> Pseudo/simple authentication requires the user to specify the user name on the request, this is done by the PseudoAuthenticator class by injecting the user.name parameter in the query string of all requests. The user.name parameter value is taken from the client process Java System property user.name .
> {quote}
> Actually, when someone performs an Oozie operation using the CLI, a hadoop auth token is created and saved to {{~/.oozie-auth-token}}. In subsequent actions, the token is retrieved from this cache file (until the token is expired). In other words, passing {{user.name}} as system property to the Oozie CLI in an insecure environment (or using kinit -kt in a Kerberized cluster) has no effect if {{.oozie-auth-token}} is present in the user's home and the token is still valid.
> With {{simple}} authentication type pseudo/simple authentication is used. However, in an insecure environment I tested with hadoop 2.4 (default hadoop version) that [KerberosAuthenticator|https://github.com/apache/hadoop/blob/branch-2.4.0/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java#L188] returns a null token. In turn, admin operations cannot be used if there is no {{~/.oozie-auth-token}} with a valid token. Note: this was fixed by [HADOOP-11467|https://github.com/apache/hadoop/commit/875256834b892b574499d5fe68f95a9aed244f7d#diff-28df14cad207bee984f5ca4820bacabcR198].
> h4. Authorization
> Regarding [authorization configuration | https://oozie.apache.org/docs/4.3.0/AG_Install.html#User_Authorization_Configuration] the current documentation mentions a deprecated configuration property {{oozie.service.AuthorizationService.security.enabled}}. If a user specifies it, the following warning is logged in Oozie server log.
> {noformat}
> 2017-05-02 03:30:59,578 WARN org.apache.oozie.util.ConfigUtils: SERVER[myserver.com] Using a deprecated configuration property [oozie.service.Authorization
> Service.security.enabled], should use [oozie.service.AuthorizationService.authorization.enabled].  Please delete the deprecated property in order for the new property to take effect.
> {noformat}
> {{oozie.service.AuthorizationService.authorization.enabled}} should be used.
> Oozie authorization only makes sense if *authentication (kerberos) is enabled*. Otherwise any user can claim any identity (as "simple" authentication type uses Pseudo authentication).
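As an added illustration (not part of the issue above or of Oozie's own code), a small Python check that reads an oozie-site.xml and flags the two problems the issue describes: the deprecated property still being set, and authorization enabled while the authentication type is simple. The property name oozie.authentication.type is assumed from Oozie's standard configuration and is not named in the issue; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

DEPRECATED = "oozie.service.AuthorizationService.security.enabled"
CURRENT = "oozie.service.AuthorizationService.authorization.enabled"
AUTH_TYPE = "oozie.authentication.type"  # assumed standard Oozie property, not named in the issue

# Constructed sample: deprecated property present, new property set, simple auth.
SAMPLE_OOZIE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>oozie.authentication.type</name><value>simple</value></property>
  <property>
    <name>oozie.service.AuthorizationService.security.enabled</name>
    <value>true</value>
  </property>
  <property>
    <name>oozie.service.AuthorizationService.authorization.enabled</name>
    <value>false</value>
  </property>
</configuration>
"""


def parse_oozie_site(xml_text):
    """Parse Hadoop-style <configuration><property><name/><value/></property> XML into a dict."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = prop.findtext("value", default="").strip()
    return props


def audit(props):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if DEPRECATED in props:
        findings.append("deprecated %s is set; use %s and delete the old property" % (DEPRECATED, CURRENT))
    # Per the server warning quoted in the issue, the new property only takes effect
    # once the deprecated one is deleted, so the deprecated value wins while present.
    effective = props.get(DEPRECATED, props.get(CURRENT, "false"))
    authz_enabled = effective.lower() == "true"
    auth_type = props.get(AUTH_TYPE, "simple").lower()
    if authz_enabled and auth_type != "kerberos":
        findings.append("authorization enabled with authentication type '%s': "
                        "pseudo/simple auth lets any client claim any user name" % auth_type)
    return findings


if __name__ == "__main__":
    for finding in audit(parse_oozie_site(SAMPLE_OOZIE_SITE)):
        print("FINDING:", finding)
```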



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)