Posted to commits@oozie.apache.org by tu...@apache.org on 2012/03/01 20:43:44 UTC

svn commit: r1295758 - in /incubator/oozie/trunk: ./ client/src/main/java/org/apache/oozie/client/ client/src/main/java/org/apache/oozie/client/rest/ core/src/main/java/org/apache/oozie/action/hadoop/ core/src/main/java/org/apache/oozie/client/rest/ co...

Author: tucu
Date: Thu Mar  1 19:43:43 2012
New Revision: 1295758

URL: http://svn.apache.org/viewvc?rev=1295758&view=rev
Log:
OOZIE-228 For authorization we should use the ACL model (tucu)

Added:
    incubator/oozie/trunk/core/src/main/java/org/apache/oozie/util/ConfigUtils.java
Modified:
    incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/CoordinatorJob.java
    incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/Job.java
    incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/OozieClient.java
    incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/WorkflowJob.java
    incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/rest/JsonTags.java
    incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/rest/JsonToBean.java
    incubator/oozie/trunk/core/src/main/java/org/apache/oozie/action/hadoop/JavaActionExecutor.java
    incubator/oozie/trunk/core/src/main/java/org/apache/oozie/client/rest/JsonBundleJob.java
    incubator/oozie/trunk/core/src/main/java/org/apache/oozie/client/rest/JsonCoordinatorJob.java
    incubator/oozie/trunk/core/src/main/java/org/apache/oozie/client/rest/JsonWorkflowJob.java
    incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/bundle/BundleSubmitXCommand.java
    incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/coord/CoordSubmitCommand.java
    incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/coord/CoordSubmitXCommand.java
    incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/wf/ReRunCommand.java
    incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/wf/ReRunXCommand.java
    incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/wf/SubmitCommand.java
    incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/wf/SubmitXCommand.java
    incubator/oozie/trunk/core/src/main/java/org/apache/oozie/executor/jpa/WorkflowsJobGetJPAExecutor.java
    incubator/oozie/trunk/core/src/main/java/org/apache/oozie/service/AuthorizationService.java
    incubator/oozie/trunk/core/src/main/java/org/apache/oozie/service/HadoopAccessorService.java
    incubator/oozie/trunk/core/src/main/java/org/apache/oozie/service/KerberosHadoopAccessorService.java
    incubator/oozie/trunk/core/src/main/java/org/apache/oozie/servlet/BaseJobServlet.java
    incubator/oozie/trunk/core/src/main/java/org/apache/oozie/store/StoreStatusFilter.java
    incubator/oozie/trunk/core/src/main/java/org/apache/oozie/util/JobUtils.java
    incubator/oozie/trunk/core/src/main/resources/oozie-default.xml
    incubator/oozie/trunk/core/src/test/java/org/apache/oozie/service/TestAuthorizationService.java
    incubator/oozie/trunk/core/src/test/java/org/apache/oozie/service/TestHadoopAccessorService.java
    incubator/oozie/trunk/core/src/test/java/org/apache/oozie/servlet/TestJobsServlet.java
    incubator/oozie/trunk/core/src/test/java/org/apache/oozie/servlet/TestV1JobsServlet.java
    incubator/oozie/trunk/docs/src/site/twiki/AG_Install.twiki
    incubator/oozie/trunk/docs/src/site/twiki/BundleFunctionalSpec.twiki
    incubator/oozie/trunk/docs/src/site/twiki/CoordinatorFunctionalSpec.twiki
    incubator/oozie/trunk/docs/src/site/twiki/WorkflowFunctionalSpec.twiki
    incubator/oozie/trunk/release-log.txt

Modified: incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/CoordinatorJob.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/CoordinatorJob.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/CoordinatorJob.java (original)
+++ incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/CoordinatorJob.java Thu Mar  1 19:43:43 2012
@@ -153,12 +153,22 @@ public interface CoordinatorJob extends 
 
     /**
      * Return the application group.
+     * <p/>
+     * Use the {@link #getAcl()} method instead.
      *
      * @return the application group.
      */
+    @Deprecated
     String getGroup();
 
     /**
+     * Return the workflow job group.
+     *
+     * @return the workflow job group.
+     */
+    String getAcl();
+
+    /**
      * Return the BundleId.
      *
      * @return the BundleId.
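Review bot: The Javadoc added for `getAcl()` still reads "Return the workflow job group", which names the wrong job type for a coordinator and the wrong concept for an ACL; the same copied text sits on `getAcl()` in the Job.java and WorkflowJob.java hunks. Since this value now decides who may act on a job, the contract should be spelled out, e.g. `Return the ACL of the job: the users/groups, besides the owner, allowed to operate on it.`, with the exact string format confirmed against the OOZIE-228 docs, which are not visible here. `getGroup()` gets `@Deprecated` but only a prose hint; a Javadoc `@deprecated use {@link #getAcl()}` tag would surface the replacement in tooling, and Job.java's `getGroup()` has no hint at all. The interface body continues outside the hunk.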

Modified: incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/Job.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/Job.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/Job.java (original)
+++ incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/Job.java Thu Mar  1 19:43:43 2012
@@ -77,9 +77,17 @@ public interface Job {
      *
      * @return the JOB group.
      */
+    @Deprecated
     String getGroup();
 
     /**
+     * Return the workflow job group.
+     *
+     * @return the workflow job group.
+     */
+    String getAcl();
+
+    /**
      * Return the JOB console URL.
      *
      * @return the JOB console URL.

Modified: incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/OozieClient.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/OozieClient.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/OozieClient.java (original)
+++ incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/OozieClient.java Thu Mar  1 19:43:43 2012
@@ -82,8 +82,11 @@ public class OozieClient {
 
     public static final String USER_NAME = "user.name";
 
+    @Deprecated
     public static final String GROUP_NAME = "group.name";
 
+    public static final String JOB_ACL = "oozie.job.acl";
+
     public static final String APP_PATH = "oozie.wf.application.path";
 
     public static final String COORDINATOR_APP_PATH = "oozie.coord.application.path";

Modified: incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/WorkflowJob.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/WorkflowJob.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/WorkflowJob.java (original)
+++ incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/WorkflowJob.java Thu Mar  1 19:43:43 2012
@@ -106,12 +106,22 @@ public interface WorkflowJob {
 
     /**
      * Return the workflow job group.
+     * <p/>
+     * Use the {@link #getAcl()} method instead.
      *
      * @return the workflow job group.
      */
+    @Deprecated
     String getGroup();
 
     /**
+     * Return the workflow job group.
+     *
+     * @return the workflow job group.
+     */
+    String getAcl();
+
+    /**
      * Return the workflow job run number. <p/> Except for reruns, this property is always 1.
      *
      * @return the workflow job run number.

Modified: incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/rest/JsonTags.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/rest/JsonTags.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/rest/JsonTags.java (original)
+++ incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/rest/JsonTags.java Thu Mar  1 19:43:43 2012
@@ -44,7 +44,9 @@ public interface JsonTags {
     public static final String WORKFLOW_START_TIME = "startTime";
     public static final String WORKFLOW_END_TIME = "endTime";
     public static final String WORKFLOW_USER = "user";
+    @Deprecated
     public static final String WORKFLOW_GROUP = "group";
+    public static final String WORKFLOW_ACL = "acl";
     public static final String WORKFLOW_RUN = "run";
     public static final String WORKFLOW_CONSOLE_URL = "consoleUrl";
     public static final String WORKFLOW_ACTIONS = "actions";
@@ -96,7 +98,9 @@ public interface JsonTags {
     public static final String COORDINATOR_JOB_CONSOLE_URL = "consoleUrl";
     public static final String COORDINATOR_JOB_ACTIONS = "actions";
     public static final String COORDINATOR_JOB_USER = "user";
+    @Deprecated
     public static final String COORDINATOR_JOB_GROUP = "group";
+    public static final String COORDINATOR_JOB_ACL = "acl";
     public static final String COORDINATOR_JOB_EXTERNAL_ID = "coordExternalId";
 
     public static final String COORDINATOR_ACTION_ID = "id";
@@ -134,7 +138,9 @@ public interface JsonTags {
     public static final String BUNDLE_JOB_CREATED_TIME = "createdTime";
     public static final String BUNDLE_JOB_CONSOLE_URL = "consoleUrl";
     public static final String BUNDLE_JOB_USER = "user";
+    @Deprecated
     public static final String BUNDLE_JOB_GROUP = "group";
+    public static final String BUNDLE_JOB_ACL = "acl";
     public static final String BUNDLE_JOB_EXTERNAL_ID = "bundleExternalId";
     public static final String BUNDLE_COORDINATOR_JOBS = "bundleCoordJobs";
 

Modified: incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/rest/JsonToBean.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/rest/JsonToBean.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/rest/JsonToBean.java (original)
+++ incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/rest/JsonToBean.java Thu Mar  1 19:43:43 2012
@@ -96,6 +96,7 @@ public class JsonToBean {
         WF_JOB.put("getEndTime", new Property(JsonTags.WORKFLOW_END_TIME, Date.class));
         WF_JOB.put("getUser", new Property(JsonTags.WORKFLOW_USER, String.class));
         WF_JOB.put("getGroup", new Property(JsonTags.WORKFLOW_GROUP, String.class));
+        WF_JOB.put("getAcl", new Property(JsonTags.WORKFLOW_ACL, String.class));
         WF_JOB.put("getRun", new Property(JsonTags.WORKFLOW_RUN, Integer.TYPE));
         WF_JOB.put("getConsoleUrl", new Property(JsonTags.WORKFLOW_CONSOLE_URL, String.class));
         WF_JOB.put("getActions", new Property(JsonTags.WORKFLOW_ACTIONS, WorkflowAction.class, true));
@@ -141,6 +142,7 @@ public class JsonToBean {
         COORD_JOB.put("getEndTime", new Property(JsonTags.COORDINATOR_JOB_END_TIME, Date.class));
         COORD_JOB.put("getUser", new Property(JsonTags.COORDINATOR_JOB_USER, String.class));
         COORD_JOB.put("getGroup", new Property(JsonTags.COORDINATOR_JOB_GROUP, String.class));
+        COORD_JOB.put("getAcl", new Property(JsonTags.COORDINATOR_JOB_ACL, String.class));
         COORD_JOB.put("getConsoleUrl", new Property(JsonTags.COORDINATOR_JOB_CONSOLE_URL, String.class));
         COORD_JOB.put("getActions", new Property(JsonTags.COORDINATOR_ACTIONS, CoordinatorAction.class, true));
         COORD_JOB.put("toString", new Property(JsonTags.TO_STRING, String.class));
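Review bot: Only the `WF_JOB` and `COORD_JOB` maps gain a `getAcl` entry in the two hunks of this file, although the commit also adds `getAcl()` to the `Job` interface and `BUNDLE_JOB_ACL` to JsonTags. If JsonToBean keeps a property map for bundle jobs (not visible in these hunks), it presumably needs the matching line, `<bundle map>.put("getAcl", new Property(JsonTags.BUNDLE_JOB_ACL, String.class));`, otherwise a client-side bundle bean has nothing mapped for the ACL. `<bundle map>` is a placeholder; use whatever the file calls that map.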

Modified: incubator/oozie/trunk/core/src/main/java/org/apache/oozie/action/hadoop/JavaActionExecutor.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/java/org/apache/oozie/action/hadoop/JavaActionExecutor.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/java/org/apache/oozie/action/hadoop/JavaActionExecutor.java (original)
+++ incubator/oozie/trunk/core/src/main/java/org/apache/oozie/action/hadoop/JavaActionExecutor.java Thu Mar  1 19:43:43 2012
@@ -556,7 +556,7 @@ public class JavaActionExecutor extends 
 
             // setting the group owning the Oozie job to allow anybody in that
             // group to kill the jobs.
-            launcherJobConf.set("mapreduce.job.acl-modify-job", context.getWorkflow().getGroup());
+            launcherJobConf.set("mapreduce.job.acl-modify-job", context.getWorkflow().getAcl());
 
             return launcherJobConf;
         }
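Review bot: `getAcl()` is passed straight into `launcherJobConf.set("mapreduce.job.acl-modify-job", ...)`, but the submit commands in this commit pass `null` as the default when neither `oozie.job.acl` nor `group.name` is set, so the value may be null here, and Hadoop's `Configuration.set` does not accept a null value. I would guard it with `String acl = context.getWorkflow().getAcl();` followed by `if (acl != null) { launcherJobConf.set("mapreduce.job.acl-modify-job", acl); }`. It is also worth confirming that the Oozie ACL string matches the layout Hadoop expects for job ACLs (user list, a space, then group list), since a bare group name passed as-is would be read as a user name and grant modify rights to the wrong principal. The comment above still speaks of "the group owning the Oozie job" and should mention the ACL instead. The enclosing method starts outside the hunk.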

Modified: incubator/oozie/trunk/core/src/main/java/org/apache/oozie/client/rest/JsonBundleJob.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/java/org/apache/oozie/client/rest/JsonBundleJob.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/java/org/apache/oozie/client/rest/JsonBundleJob.java (original)
+++ incubator/oozie/trunk/core/src/main/java/org/apache/oozie/client/rest/JsonBundleJob.java Thu Mar  1 19:43:43 2012
@@ -154,6 +154,7 @@ public class JsonBundleJob implements Bu
         json.put(JsonTags.BUNDLE_JOB_CREATED_TIME, JsonUtils.formatDateRfc822(getCreatedTime()));
         json.put(JsonTags.BUNDLE_JOB_USER, getUser());
         json.put(JsonTags.BUNDLE_JOB_GROUP, getGroup());
+        json.put(JsonTags.BUNDLE_JOB_ACL, getAcl());
         json.put(JsonTags.BUNDLE_JOB_CONSOLE_URL, getConsoleUrl());
         json.put(JsonTags.BUNDLE_COORDINATOR_JOBS, JsonCoordinatorJob.toJSONArray(coordJobs));
         json.put(JsonTags.TO_STRING, toString());
@@ -214,10 +215,16 @@ public class JsonBundleJob implements Bu
      * @see org.apache.oozie.client.Job#getGroup()
      */
     @Override
+    @Deprecated
     public String getGroup() {
         return group;
     }
 
+    @Override
+    public String getAcl() {
+        return getGroup();
+    }
+
     /* (non-Javadoc)
      * @see org.apache.oozie.client.Job#getId()
      */
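Review bot: `getAcl()` returns `getGroup()`, so the ACL lives in the field and setter still named `group`, and the JSON now carries the same string under both the `group` and `acl` tags. That is reasonable for compatibility, but `getAcl()` has no Javadoc saying so; I would add something like `Returns the job ACL; it is stored in the legacy group field, so it always equals getGroup().` so that nobody later treats the two as independent values when making an access decision. The same applies to the `getAcl()` additions in the JsonCoordinatorJob.java and JsonWorkflowJob.java hunks, where, unlike here, no `@Deprecated` on `getGroup()` is visible.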

Modified: incubator/oozie/trunk/core/src/main/java/org/apache/oozie/client/rest/JsonCoordinatorJob.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/java/org/apache/oozie/client/rest/JsonCoordinatorJob.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/java/org/apache/oozie/client/rest/JsonCoordinatorJob.java (original)
+++ incubator/oozie/trunk/core/src/main/java/org/apache/oozie/client/rest/JsonCoordinatorJob.java Thu Mar  1 19:43:43 2012
@@ -157,6 +157,7 @@ public class JsonCoordinatorJob implemen
         json.put(JsonTags.COORDINATOR_JOB_PAUSE_TIME, JsonUtils.formatDateRfc822(getPauseTime()));
         json.put(JsonTags.COORDINATOR_JOB_USER, getUser());
         json.put(JsonTags.COORDINATOR_JOB_GROUP, getGroup());
+        json.put(JsonTags.COORDINATOR_JOB_ACL, getAcl());
         json.put(JsonTags.COORDINATOR_JOB_CONSOLE_URL, getConsoleUrl());
         json.put(JsonTags.COORDINATOR_JOB_MAT_THROTTLING, getMatThrottling());
         json.put(JsonTags.COORDINATOR_ACTIONS, JsonCoordinatorAction.toJSONArray(actions));
@@ -321,6 +322,11 @@ public class JsonCoordinatorJob implemen
         return group;
     }
 
+    @Override
+    public String getAcl() {
+        return getGroup();
+    }
+
     public void setGroup(String group) {
         this.group = group;
     }

Modified: incubator/oozie/trunk/core/src/main/java/org/apache/oozie/client/rest/JsonWorkflowJob.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/java/org/apache/oozie/client/rest/JsonWorkflowJob.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/java/org/apache/oozie/client/rest/JsonWorkflowJob.java (original)
+++ incubator/oozie/trunk/core/src/main/java/org/apache/oozie/client/rest/JsonWorkflowJob.java Thu Mar  1 19:43:43 2012
@@ -114,6 +114,7 @@ public class JsonWorkflowJob implements 
         json.put(JsonTags.WORKFLOW_END_TIME, JsonUtils.formatDateRfc822(getEndTime()));
         json.put(JsonTags.WORKFLOW_USER, getUser());
         json.put(JsonTags.WORKFLOW_GROUP, getGroup());
+        json.put(JsonTags.WORKFLOW_ACL, getAcl());
         json.put(JsonTags.WORKFLOW_RUN, (long) getRun());
         json.put(JsonTags.WORKFLOW_CONSOLE_URL, getConsoleUrl());
         json.put(JsonTags.WORKFLOW_ACTIONS, JsonWorkflowAction.toJSONArray(actions));
@@ -213,6 +214,11 @@ public class JsonWorkflowJob implements 
         return group;
     }
 
+    @Override
+    public String getAcl() {
+        return getGroup();
+    }
+
     public void setGroup(String group) {
         this.group = group;
     }

Modified: incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/bundle/BundleSubmitXCommand.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/bundle/BundleSubmitXCommand.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/bundle/BundleSubmitXCommand.java (original)
+++ incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/bundle/BundleSubmitXCommand.java Thu Mar  1 19:43:43 2012
@@ -53,6 +53,7 @@ import org.apache.oozie.service.UUIDServ
 import org.apache.oozie.service.WorkflowAppService;
 import org.apache.oozie.service.SchemaService.SchemaName;
 import org.apache.oozie.service.UUIDService.ApplicationType;
+import org.apache.oozie.util.ConfigUtils;
 import org.apache.oozie.util.DateUtils;
 import org.apache.oozie.util.ELEvaluator;
 import org.apache.oozie.util.IOUtils;
@@ -405,7 +406,8 @@ public class BundleSubmitXCommand extend
             // bundleJob.setStatus(BundleJob.Status.PREP); //This should be set in parent class.
             bundleJob.setCreatedTime(new Date());
             bundleJob.setUser(conf.get(OozieClient.USER_NAME));
-            bundleJob.setGroup(conf.get(OozieClient.GROUP_NAME));
+            String group = ConfigUtils.getWithDeprecatedCheck(conf, OozieClient.JOB_ACL, OozieClient.GROUP_NAME, null);
+            bundleJob.setGroup(group);
             bundleJob.setConf(XmlUtils.prettyPrint(conf).toString());
             bundleJob.setJobXml(resolvedJobXml);
             Element jobElement = XmlUtils.parseXml(resolvedJobXml);
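Review bot: The value read from `oozie.job.acl` (falling back to the deprecated `group.name`) is held in a local called `group` and stored through `setGroup`, which hides that this string is now the job's access-control list; the same two lines are repeated in the CoordSubmitCommand, CoordSubmitXCommand, ReRunCommand and ReRunXCommand hunks. I would name the local `acl` and add `// ACL is persisted in the legacy 'group' field (OOZIE-228)`. The default passed is `null`, so a job submitted with neither property is stored without an ACL; ConfigUtils and the authorization check are not visible here, so please confirm that a null or blank ACL is treated as owner-only rather than as unrestricted. The enclosing method starts and ends outside the hunk.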

Modified: incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/coord/CoordSubmitCommand.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/coord/CoordSubmitCommand.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/coord/CoordSubmitCommand.java (original)
+++ incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/coord/CoordSubmitCommand.java Thu Mar  1 19:43:43 2012
@@ -61,6 +61,7 @@ import org.apache.oozie.service.SchemaSe
 import org.apache.oozie.service.UUIDService.ApplicationType;
 import org.apache.oozie.store.CoordinatorStore;
 import org.apache.oozie.store.StoreException;
+import org.apache.oozie.util.ConfigUtils;
 import org.apache.oozie.util.DateUtils;
 import org.apache.oozie.util.ELEvaluator;
 import org.apache.oozie.util.IOUtils;
@@ -813,7 +814,8 @@ public class CoordSubmitCommand extends 
         coordJob.setStatus(CoordinatorJob.Status.PREP);
         coordJob.setCreatedTime(new Date()); // TODO: Do we need that?
         coordJob.setUser(conf.get(OozieClient.USER_NAME));
-        coordJob.setGroup(conf.get(OozieClient.GROUP_NAME));
+        String group = ConfigUtils.getWithDeprecatedCheck(conf, OozieClient.JOB_ACL, OozieClient.GROUP_NAME, null);
+        coordJob.setGroup(group);
         coordJob.setConf(XmlUtils.prettyPrint(conf).toString());
         coordJob.setJobXml(XmlUtils.prettyPrint(eJob).toString());
         coordJob.setLastActionNumber(0);

Modified: incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/coord/CoordSubmitXCommand.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/coord/CoordSubmitXCommand.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/coord/CoordSubmitXCommand.java (original)
+++ incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/coord/CoordSubmitXCommand.java Thu Mar  1 19:43:43 2012
@@ -69,6 +69,7 @@ import org.apache.oozie.service.UUIDServ
 import org.apache.oozie.service.WorkflowAppService;
 import org.apache.oozie.service.SchemaService.SchemaName;
 import org.apache.oozie.service.UUIDService.ApplicationType;
+import org.apache.oozie.util.ConfigUtils;
 import org.apache.oozie.util.DateUtils;
 import org.apache.oozie.util.ELEvaluator;
 import org.apache.oozie.util.IOUtils;
@@ -992,7 +993,8 @@ public class CoordSubmitXCommand extends
         coordJob.setAppPath(conf.get(OozieClient.COORDINATOR_APP_PATH));
         coordJob.setCreatedTime(new Date());
         coordJob.setUser(conf.get(OozieClient.USER_NAME));
-        coordJob.setGroup(conf.get(OozieClient.GROUP_NAME));
+        String group = ConfigUtils.getWithDeprecatedCheck(conf, OozieClient.JOB_ACL, OozieClient.GROUP_NAME, null);
+        coordJob.setGroup(group);
         coordJob.setConf(XmlUtils.prettyPrint(conf).toString());
         coordJob.setJobXml(XmlUtils.prettyPrint(eJob).toString());
         coordJob.setLastActionNumber(0);

Modified: incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/wf/ReRunCommand.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/wf/ReRunCommand.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/wf/ReRunCommand.java (original)
+++ incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/wf/ReRunCommand.java Thu Mar  1 19:43:43 2012
@@ -40,6 +40,7 @@ import org.apache.oozie.service.Services
 import org.apache.oozie.service.DagXLogInfoService;
 import org.apache.oozie.service.WorkflowStoreService;
 import org.apache.oozie.service.HadoopAccessorService;
+import org.apache.oozie.util.ConfigUtils;
 import org.apache.oozie.util.ParamChecker;
 import org.apache.oozie.util.PropertiesUtils;
 import org.apache.oozie.util.XLog;
@@ -197,7 +198,8 @@ public class ReRunCommand extends Workfl
         wfBean.setConf(XmlUtils.prettyPrint(conf).toString());
         wfBean.setLogToken(conf.get(OozieClient.LOG_TOKEN, ""));
         wfBean.setUser(conf.get(OozieClient.USER_NAME));
-        wfBean.setGroup(conf.get(OozieClient.GROUP_NAME));
+        String group = ConfigUtils.getWithDeprecatedCheck(conf, OozieClient.JOB_ACL, OozieClient.GROUP_NAME, null);
+        wfBean.setGroup(group);
         wfBean.setExternalId(conf.get(OozieClient.EXTERNAL_ID));
         wfBean.setEndTime(null);
         wfBean.setRun(wfBean.getRun() + 1);

Modified: incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/wf/ReRunXCommand.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/wf/ReRunXCommand.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/wf/ReRunXCommand.java (original)
+++ incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/wf/ReRunXCommand.java Thu Mar  1 19:43:43 2012
@@ -50,6 +50,7 @@ import org.apache.oozie.service.JPAServi
 import org.apache.oozie.service.Services;
 import org.apache.oozie.service.WorkflowAppService;
 import org.apache.oozie.service.WorkflowStoreService;
+import org.apache.oozie.util.ConfigUtils;
 import org.apache.oozie.util.InstrumentUtils;
 import org.apache.oozie.util.LogUtils;
 import org.apache.oozie.util.ParamChecker;
@@ -180,7 +181,8 @@ public class ReRunXCommand extends Workf
             wfBean.setConf(XmlUtils.prettyPrint(conf).toString());
             wfBean.setLogToken(conf.get(OozieClient.LOG_TOKEN, ""));
             wfBean.setUser(conf.get(OozieClient.USER_NAME));
-            wfBean.setGroup(conf.get(OozieClient.GROUP_NAME));
+            String group = ConfigUtils.getWithDeprecatedCheck(conf, OozieClient.JOB_ACL, OozieClient.GROUP_NAME, null);
+            wfBean.setGroup(group);
             wfBean.setExternalId(conf.get(OozieClient.EXTERNAL_ID));
             wfBean.setEndTime(null);
             wfBean.setRun(wfBean.getRun() + 1);

Modified: incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/wf/SubmitCommand.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/wf/SubmitCommand.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/wf/SubmitCommand.java (original)
+++ incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/wf/SubmitCommand.java Thu Mar  1 19:43:43 2012
@@ -28,6 +28,7 @@ import org.apache.oozie.service.Workflow
 import org.apache.oozie.service.HadoopAccessorService;
 import org.apache.oozie.service.Services;
 import org.apache.oozie.service.DagXLogInfoService;
+import org.apache.oozie.util.ConfigUtils;
 import org.apache.oozie.util.XLog;
 import org.apache.oozie.util.ParamChecker;
 import org.apache.oozie.util.XConfiguration;
@@ -113,7 +114,7 @@ public class SubmitCommand extends Workf
 
             Path configDefault = new Path(new Path(conf.get(OozieClient.APP_PATH)).getParent(), CONFIG_DEFAULT);
             String user = conf.get(OozieClient.USER_NAME);
-            String group = conf.get(OozieClient.GROUP_NAME);
+            String group = ConfigUtils.getWithDeprecatedCheck(conf, OozieClient.JOB_ACL, OozieClient.GROUP_NAME, null);
             FileSystem fs = Services.get().get(HadoopAccessorService.class).createFileSystem(user, group,
                                                                                              configDefault.toUri(),
                                                                                              conf);
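Review bot: The `group` argument of `createFileSystem(user, group, ...)` can now hold the `oozie.job.acl` value instead of a single group name; the SubmitXCommand hunk makes the same change. HadoopAccessorService is modified in this commit but its diff is not visible here, so I cannot tell whether that parameter is still interpreted as a group; if it is, an ACL list would be checked or logged as if it were one group name. Renaming the local to `acl` and adding a comment at the call on what the second argument now means would make the intent reviewable. The enclosing method continues outside the hunk.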

Modified: incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/wf/SubmitXCommand.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/wf/SubmitXCommand.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/wf/SubmitXCommand.java (original)
+++ incubator/oozie/trunk/core/src/main/java/org/apache/oozie/command/wf/SubmitXCommand.java Thu Mar  1 19:43:43 2012
@@ -29,6 +29,7 @@ import org.apache.oozie.service.Workflow
 import org.apache.oozie.service.HadoopAccessorService;
 import org.apache.oozie.service.Services;
 import org.apache.oozie.service.DagXLogInfoService;
+import org.apache.oozie.util.ConfigUtils;
 import org.apache.oozie.util.XLog;
 import org.apache.oozie.util.ParamChecker;
 import org.apache.oozie.util.XConfiguration;
@@ -100,7 +101,7 @@ public class SubmitXCommand extends Work
             WorkflowLib workflowLib = Services.get().get(WorkflowStoreService.class).getWorkflowLibWithNoDB();
 
             String user = conf.get(OozieClient.USER_NAME);
-            String group = conf.get(OozieClient.GROUP_NAME);
+            String group = ConfigUtils.getWithDeprecatedCheck(conf, OozieClient.JOB_ACL, OozieClient.GROUP_NAME, null);
             URI uri = new URI(conf.get(OozieClient.APP_PATH));
             FileSystem fs = Services.get().get(HadoopAccessorService.class).createFileSystem(user,
                     group, uri, new Configuration());

Modified: incubator/oozie/trunk/core/src/main/java/org/apache/oozie/executor/jpa/WorkflowsJobGetJPAExecutor.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/java/org/apache/oozie/executor/jpa/WorkflowsJobGetJPAExecutor.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/java/org/apache/oozie/executor/jpa/WorkflowsJobGetJPAExecutor.java (original)
+++ incubator/oozie/trunk/core/src/main/java/org/apache/oozie/executor/jpa/WorkflowsJobGetJPAExecutor.java Thu Mar  1 19:43:43 2012
@@ -29,6 +29,7 @@ import org.apache.oozie.WorkflowJobBean;
 import org.apache.oozie.WorkflowsInfo;
 import org.apache.oozie.client.OozieClient;
 import org.apache.oozie.client.WorkflowJob.Status;
+import org.apache.oozie.util.XLog;
 import org.apache.openjpa.persistence.OpenJPAPersistence;
 import org.apache.openjpa.persistence.OpenJPAQuery;
 import org.apache.openjpa.persistence.jdbc.FetchDirection;
@@ -70,7 +71,6 @@ public class WorkflowsJobGetJPAExecutor 
         List<String> valArray = new ArrayList<String>();
         StringBuilder sb = new StringBuilder("");
         boolean isStatus = false;
-        boolean isGroup = false;
         boolean isAppName = false;
         boolean isUser = false;
         boolean isEnabled = false;
@@ -80,37 +80,8 @@ public class WorkflowsJobGetJPAExecutor 
             String colName = null;
             String colVar = null;
             if (entry.getKey().equals(OozieClient.FILTER_GROUP)) {
-                List<String> values = filter.get(OozieClient.FILTER_GROUP);
-                colName = "group";
-                for (int i = 0; i < values.size(); i++) {
-                    colVar = "group";
-                    colVar = colVar + index;
-                    if (!isEnabled && !isGroup) {
-                        sb.append(seletStr).append(" where w.group IN (:group" + index);
-                        isGroup = true;
-                        isEnabled = true;
-                    }
-                    else {
-                        if (isEnabled && !isGroup) {
-                            sb.append(" and w.group IN (:group" + index);
-                            isGroup = true;
-                        }
-                        else {
-                            if (isGroup) {
-                                sb.append(", :group" + index);
-                            }
-                        }
-                    }
-                    if (i == values.size() - 1) {
-                        sb.append(")");
-                    }
-                    index++;
-                    valArray.add(values.get(i));
-                    orArray.add(colName);
-                    colArray.add(colVar);
-                }
-            }
-            else {
+                XLog.getLog(getClass()).warn("Filter by 'group' is not supported anymore");
+            } else {
                 if (entry.getKey().equals(OozieClient.FILTER_STATUS)) {
                     List<String> values = filter.get(OozieClient.FILTER_STATUS);
                     colName = "status";
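Review bot: A request that filters by `group` now only triggers a server-side warning and is otherwise ignored, so the caller gets results that are not narrowed by group without being told. A client that relied on this filter to scope a listing will silently see a wider set of jobs; rejecting the filter where it is parsed, or at least documenting the change for API users, would be safer than dropping it. In this branch I would add `// 'group' filter is ignored since OOZIE-228: results are NOT restricted by group` and obtain the logger once rather than calling `XLog.getLog(getClass())` for each filter entry. `} else {` also departs from the brace style of the lines it replaces, which put `else` on its own line. The enclosing method continues outside the hunk.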

Modified: incubator/oozie/trunk/core/src/main/java/org/apache/oozie/service/AuthorizationService.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/java/org/apache/oozie/service/AuthorizationService.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/java/org/apache/oozie/service/AuthorizationService.java (original)
+++ incubator/oozie/trunk/core/src/main/java/org/apache/oozie/service/AuthorizationService.java Thu Mar  1 19:43:43 2012
@@ -38,6 +38,7 @@ import org.apache.oozie.executor.jpa.Bun
 import org.apache.oozie.executor.jpa.CoordJobGetJPAExecutor;
 import org.apache.oozie.executor.jpa.JPAExecutorException;
 import org.apache.oozie.executor.jpa.WorkflowJobGetJPAExecutor;
+import org.apache.oozie.util.ConfigUtils;
 import org.apache.oozie.util.Instrumentation;
 import org.apache.oozie.util.XLog;
 
@@ -54,20 +55,26 @@ public class AuthorizationService implem
     public static final String CONF_SECURITY_ENABLED = CONF_PREFIX + "security.enabled";
 
     /**
-     * File that contains list of admin users for Oozie.
+     * Configuration parameter to enable or disable Oozie admin role.
      */
-    public static final String ADMIN_USERS_FILE = "adminusers.txt";
+    public static final String CONF_AUTHORIZATION_ENABLED = CONF_PREFIX + "authorization.enabled";
+
+    /**
+     * Configuration parameter to enable old behavior default group as ACL.
+     */
+    public static final String CONF_DEFAULT_GROUP_AS_ACL = CONF_PREFIX + "default.group.as.acl";
 
     /**
-     * Default group returned by getDefaultGroup().
+     * File that contains list of admin users for Oozie.
      */
-    public static final String DEFAULT_GROUP = "users";
+    public static final String ADMIN_USERS_FILE = "adminusers.txt";
 
     protected static final String INSTRUMENTATION_GROUP = "authorization";
     protected static final String INSTR_FAILED_AUTH_COUNTER = "authorization.failed";
 
     private Set<String> adminUsers;
-    private boolean securityEnabled;
+    private boolean authorizationEnabled;
+    private boolean useDefaultGroupAsAcl;
 
     private final XLog log = XLog.getLog(getClass());
     private Instrumentation instrumentation;
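Review bot: `CONF_SECURITY_ENABLED` stays public with no `@Deprecated` marker even though `init` now reads it as the deprecated name, so callers get no compile-time hint to move to `CONF_AUTHORIZATION_ENABLED`. The new Javadoc "enable or disable Oozie admin role" also undersells the flag, since in the later hunks it gates `authorizeForGroup`, `authorizeForAdmin` and `authorizeForJob`. I would annotate the old constant and reword the comment to `Configuration parameter that turns authorization checks on or off.` Removing the public `DEFAULT_GROUP` constant is a source-incompatible change for any external caller and deserves a line in the release notes.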
@@ -81,15 +88,19 @@ public class AuthorizationService implem
      */
     public void init(Services services) throws ServiceException {
         adminUsers = new HashSet<String>();
-        securityEnabled = services.getConf().getBoolean(CONF_SECURITY_ENABLED, false);
+        authorizationEnabled = ConfigUtils.getWithDeprecatedCheck(services.getConf(), CONF_AUTHORIZATION_ENABLED,
+                                                             CONF_SECURITY_ENABLED, false);
         instrumentation = Services.get().get(InstrumentationService.class).get();
-        if (securityEnabled) {
+        if (authorizationEnabled) {
             log.info("Oozie running with security enabled");
             loadAdminUsers();
         }
         else {
             log.warn("Oozie running with security disabled");
         }
+
+        useDefaultGroupAsAcl = Services.get().getConf().getBoolean(CONF_DEFAULT_GROUP_AS_ACL, false);
+
     }
 
     /**
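Review bot: Authorization can stay switched off after an upgrade, because `ConfigUtils.getWithDeprecatedCheck` lets the old `security.enabled` key win over `authorization.enabled`: a site file that still carries the old key set to `false` overrides the new key set to `true`, and the only signal is a WARN line. For a switch that gates access control I would give the new name precedence, or fail startup when the two keys disagree. The two log messages in `init` still say "security enabled/disabled" and could name authorization instead, e.g. `log.info("Oozie running with authorization enabled");`. `useDefaultGroupAsAcl` is read through `Services.get().getConf()` although the `services` argument is in scope; `services.getConf().getBoolean(CONF_DEFAULT_GROUP_AS_ACL, false)` would match the lookup a few lines above.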
@@ -97,8 +108,22 @@ public class AuthorizationService implem
      *
      * @return if security is enabled or not.
      */
+    @Deprecated
     public boolean isSecurityEnabled() {
-        return securityEnabled;
+        return authorizationEnabled;
+    }
+
+    public boolean useDefaultGroupAsAcl() {
+        return useDefaultGroupAsAcl;
+    }
+
+    /**
+     * Return if security is enabled or not.
+     *
+     * @return if security is enabled or not.
+     */
+    public boolean isAuthorizationEnabled() {
+        return isSecurityEnabled();
     }
 
     /**
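Review bot: `isAuthorizationEnabled()` delegates to the method this hunk has just marked `@Deprecated`, which is the wrong way round: the new accessor should `return authorizationEnabled;` and `isSecurityEnabled()` should call it. The `@Deprecated` annotation has no matching Javadoc tag; add `@deprecated use {@link #isAuthorizationEnabled()} instead.` The Javadoc on `isAuthorizationEnabled()` still says "security", and `useDefaultGroupAsAcl()` is public with no comment at all. A one-line Javadoc stating that it reports whether the user's default group is used as the job ACL when none is supplied would cover it.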
@@ -156,7 +181,7 @@ public class AuthorizationService implem
     }
 
     /**
-     * Check if the user belongs to the group or not. <p/> This implementation returns always <code>true</code>.
+     * Check if the user belongs to the group or not.
      *
      * @param user user name.
      * @param group group name.
@@ -164,7 +189,13 @@ public class AuthorizationService implem
      * @throws AuthorizationException thrown if the authorization query can not be performed.
      */
     protected boolean isUserInGroup(String user, String group) throws AuthorizationException {
-        return true;
+        GroupsService groupsService = Services.get().get(GroupsService.class);
+        try {
+            return groupsService.getGroups(user).contains(group);
+        }
+        catch (IOException ex) {
+            throw new AuthorizationException(ErrorCode.E0501, ex.getMessage(), ex);
+        }
     }
 
     /**
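Review bot: The `GroupsService` lookup is dereferenced without a null check, while `authorizeForJob` in this same file tests `jpaService != null` and throws `E0610` when that service is missing. If `Services.get().get(GroupsService.class)` can likewise return null when the service is not registered, `groupsService.getGroups(user)` fails with a NullPointerException instead of the declared `AuthorizationException`. The same unguarded lookup appears in `getDefaultGroup` and `isUserInAcl`. A guard such as `if (groupsService == null) { throw new AuthorizationException(ErrorCode.E0501, "GroupsService not available"); }` keeps the failure inside the contract; the arguments for `E0501` are a guess and should follow its message template.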
@@ -177,7 +208,7 @@ public class AuthorizationService implem
      * can not be performed.
      */
     public void authorizeForGroup(String user, String group) throws AuthorizationException {
-        if (securityEnabled && !isUserInGroup(user, group)) {
+        if (authorizationEnabled && !isUserInGroup(user, group)) {
             throw new AuthorizationException(ErrorCode.E0502, user, group);
         }
     }
@@ -190,7 +221,12 @@ public class AuthorizationService implem
      * @throws AuthorizationException thrown if the default group con not be retrieved.
      */
     public String getDefaultGroup(String user) throws AuthorizationException {
-        return DEFAULT_GROUP;
+        try {
+            return Services.get().get(GroupsService.class).getGroups(user).get(0);
+        }
+        catch (IOException ex) {
+            throw new AuthorizationException(ErrorCode.E0501, ex.getMessage(), ex);
+        }
     }
 
     /**
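Review bot: `getGroups(user).get(0)` throws an unchecked IndexOutOfBoundsException for a user who has no groups, which escapes the `throws AuthorizationException` contract; the visible handler in `BaseJobServlet.checkAuthorizationForApp` catches `AuthorizationException` only. Check the list before indexing, e.g. `if (groups.isEmpty()) { throw new AuthorizationException(ErrorCode.E0501, "no groups for user " + user); }`, with the `E0501` arguments adjusted to its template. The Javadoc above the method should also say that the result is now the first entry returned by `GroupsService`, so it depends on that service's ordering rather than on a fixed constant.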
@@ -212,7 +248,7 @@ public class AuthorizationService implem
      * @throws AuthorizationException thrown if user does not have admin priviledges.
      */
     public void authorizeForAdmin(String user, boolean write) throws AuthorizationException {
-        if (securityEnabled && write && !isAdmin(user)) {
+        if (authorizationEnabled && write && !isAdmin(user)) {
             incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
             throw new AuthorizationException(ErrorCode.E0503, user);
         }
@@ -324,6 +360,19 @@ public class AuthorizationService implem
         }
     }
 
+    private boolean isUserInAcl(String user, String aclStr) throws IOException {
+        boolean userInAcl = false;
+        if (aclStr.trim().length() > 0) {
+            GroupsService groupsService = Services.get().get(GroupsService.class);
+            String[] acl = aclStr.split(",");
+            for (int i = 0; !userInAcl && i < acl.length; i++) {
+                String aclItem = acl[i].trim();
+                userInAcl = aclItem.equals(user) || groupsService.getGroups(user).equals(aclItem);
+            }
+        }
+        return userInAcl;
+    }
+
     /**
      * Check if the user+group is authorized to operate on the specified job. <p/> Checks if the user is a super-user or
      * the one who started the job. <p/> Read operations are allowed to all users.
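Review bot: Group entries in the ACL can never match, because `groupsService.getGroups(user).equals(aclItem)` compares the returned list with a `String` and is always false; `isUserInGroup` uses `.contains(group)` for the same lookup. The line should read `userInAcl = aclItem.equals(user) || groups.contains(aclItem);`, with `List<String> groups = groupsService.getGroups(user);` fetched once before the loop instead of on every iteration. `aclStr.trim()` also throws a NullPointerException if `jobBean.getGroup()` is null, which looks possible now that `checkAuthorizationForApp` leaves the ACL unset when `useDefaultGroupAsAcl()` is false; guard with `if (aclStr != null && aclStr.trim().length() > 0)`. The failure is on the deny side, so it blocks legitimate users rather than granting access, but it means only user names in an ACL take effect.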
@@ -334,73 +383,78 @@ public class AuthorizationService implem
      * @throws AuthorizationException thrown if the user is not authorized for the job.
      */
     public void authorizeForJob(String user, String jobId, boolean write) throws AuthorizationException {
-        if (securityEnabled && write && !isAdmin(user)) {
-            // handle workflow jobs
-            if (jobId.endsWith("-W")) {
-                WorkflowJobBean jobBean = null;
-                JPAService jpaService = Services.get().get(JPAService.class);
-                if (jpaService != null) {
-                    try {
-                        jobBean = jpaService.execute(new WorkflowJobGetJPAExecutor(jobId));
+        if (authorizationEnabled && write && !isAdmin(user)) {
+            try {
+                // handle workflow jobs
+                if (jobId.endsWith("-W")) {
+                    WorkflowJobBean jobBean = null;
+                    JPAService jpaService = Services.get().get(JPAService.class);
+                    if (jpaService != null) {
+                        try {
+                            jobBean = jpaService.execute(new WorkflowJobGetJPAExecutor(jobId));
+                        }
+                        catch (JPAExecutorException je) {
+                            throw new AuthorizationException(je);
+                        }
                     }
-                    catch (JPAExecutorException je) {
-                        throw new AuthorizationException(je);
+                    else {
+                        throw new AuthorizationException(ErrorCode.E0610);
                     }
-                }
-                else {
-                    throw new AuthorizationException(ErrorCode.E0610);
-                }
-                if (jobBean != null && !jobBean.getUser().equals(user)) {
-                    if (!isUserInGroup(user, jobBean.getGroup())) {
-                        incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
-                        throw new AuthorizationException(ErrorCode.E0508, user, jobId);
+                    if (jobBean != null && !jobBean.getUser().equals(user)) {
+                        if (!isUserInAcl(user, jobBean.getGroup())) {
+                            incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
+                            throw new AuthorizationException(ErrorCode.E0508, user, jobId);
+                        }
                     }
                 }
-            }
-            // handle bundle jobs
-            else if (jobId.endsWith("-B")){
-                BundleJobBean jobBean = null;
-                JPAService jpaService = Services.get().get(JPAService.class);
-                if (jpaService != null) {
-                    try {
-                        jobBean = jpaService.execute(new BundleJobGetJPAExecutor(jobId));
+                // handle bundle jobs
+                else if (jobId.endsWith("-B")){
+                    BundleJobBean jobBean = null;
+                    JPAService jpaService = Services.get().get(JPAService.class);
+                    if (jpaService != null) {
+                        try {
+                            jobBean = jpaService.execute(new BundleJobGetJPAExecutor(jobId));
+                        }
+                        catch (JPAExecutorException je) {
+                            throw new AuthorizationException(je);
+                        }
                     }
-                    catch (JPAExecutorException je) {
-                        throw new AuthorizationException(je);
+                    else {
+                        throw new AuthorizationException(ErrorCode.E0610);
                     }
-                }
-                else {
-                    throw new AuthorizationException(ErrorCode.E0610);
-                }
-                if (jobBean != null && !jobBean.getUser().equals(user)) {
-                    if (!isUserInGroup(user, jobBean.getGroup())) {
-                        incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
-                        throw new AuthorizationException(ErrorCode.E0509, user, jobId);
+                    if (jobBean != null && !jobBean.getUser().equals(user)) {
+                        if (!isUserInAcl(user, jobBean.getGroup())) {
+                            incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
+                            throw new AuthorizationException(ErrorCode.E0509, user, jobId);
+                        }
                     }
                 }
-            }
-            // handle coordinator jobs
-            else {
-                CoordinatorJobBean jobBean = null;
-                JPAService jpaService = Services.get().get(JPAService.class);
-                if (jpaService != null) {
-                    try {
-                        jobBean = jpaService.execute(new CoordJobGetJPAExecutor(jobId));
+                // handle coordinator jobs
+                else {
+                    CoordinatorJobBean jobBean = null;
+                    JPAService jpaService = Services.get().get(JPAService.class);
+                    if (jpaService != null) {
+                        try {
+                            jobBean = jpaService.execute(new CoordJobGetJPAExecutor(jobId));
+                        }
+                        catch (JPAExecutorException je) {
+                            throw new AuthorizationException(je);
+                        }
                     }
-                    catch (JPAExecutorException je) {
-                        throw new AuthorizationException(je);
+                    else {
+                        throw new AuthorizationException(ErrorCode.E0610);
                     }
-                }
-                else {
-                    throw new AuthorizationException(ErrorCode.E0610);
-                }
-                if (jobBean != null && !jobBean.getUser().equals(user)) {
-                    if (!isUserInGroup(user, jobBean.getGroup())) {
-                        incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
-                        throw new AuthorizationException(ErrorCode.E0509, user, jobId);
+                    if (jobBean != null && !jobBean.getUser().equals(user)) {
+                        if (!isUserInAcl(user, jobBean.getGroup())) {
+                            incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
+                            throw new AuthorizationException(ErrorCode.E0509, user, jobId);
+                        }
                     }
                 }
             }
+            catch (IOException ex) {
+                throw new AuthorizationException(ErrorCode.E0501, ex.getMessage(), ex);
+            }
         }
     }
 
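Review bot: The three branches now share one `IOException` handler but remain copies of each other, differing only in the JPA executor and the error code, and each lets a null `jobBean` fall through as authorized if the executor can return null. A private helper that takes the job's owner and ACL and performs the `getUser().equals(user)` / `isUserInAcl` check would remove the duplication and give one place to decide what a missing job means. The coordinator branch throws `E0509`, the same code as the bundle branch, which may be a leftover copy. The method Javadoc still describes access as "super-user or the one who started the job" and should mention the ACL.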

Modified: incubator/oozie/trunk/core/src/main/java/org/apache/oozie/service/HadoopAccessorService.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/java/org/apache/oozie/service/HadoopAccessorService.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/java/org/apache/oozie/service/HadoopAccessorService.java (original)
+++ incubator/oozie/trunk/core/src/main/java/org/apache/oozie/service/HadoopAccessorService.java Thu Mar  1 19:43:43 2012
@@ -178,11 +178,9 @@ public class HadoopAccessorService imple
     @SuppressWarnings("unchecked")
     private <C extends Configuration> C createConfiguration(String user, String group, C conf) {
         ParamChecker.notEmpty(user, "user");
-        ParamChecker.notEmpty(group, "group");
         C fsConf = (C) ((conf instanceof JobConf) ? new JobConf() : new Configuration());
         XConfiguration.copy(conf, fsConf);
         fsConf.set("user.name", user);
-        fsConf.set("hadoop.job.ugi", user + "," + group);
         return fsConf;
     }
 

Modified: incubator/oozie/trunk/core/src/main/java/org/apache/oozie/service/KerberosHadoopAccessorService.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/java/org/apache/oozie/service/KerberosHadoopAccessorService.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/java/org/apache/oozie/service/KerberosHadoopAccessorService.java (original)
+++ incubator/oozie/trunk/core/src/main/java/org/apache/oozie/service/KerberosHadoopAccessorService.java Thu Mar  1 19:43:43 2012
@@ -119,7 +119,6 @@ public class KerberosHadoopAccessorServi
      */
     public JobClient createJobClient(String user, String group, final JobConf conf) throws HadoopAccessorException {
         ParamChecker.notEmpty(user, "user");
-        ParamChecker.notEmpty(group, "group");
         validateJobTracker(conf.get("mapred.job.tracker"));
         try {
             UserGroupInformation ugi = getUGI(user);
@@ -151,7 +150,6 @@ public class KerberosHadoopAccessorServi
     public FileSystem createFileSystem(String user, String group, final Configuration conf)
             throws HadoopAccessorException {
         ParamChecker.notEmpty(user, "user");
-        ParamChecker.notEmpty(group, "group");
         try {
             validateNameNode(new URI(conf.get("fs.default.name")).getAuthority());
             UserGroupInformation ugi = getUGI(user);
@@ -185,7 +183,6 @@ public class KerberosHadoopAccessorServi
     public FileSystem createFileSystem(String user, String group, final URI uri, final Configuration conf)
             throws HadoopAccessorException {
         ParamChecker.notEmpty(user, "user");
-        ParamChecker.notEmpty(group, "group");
         validateNameNode(uri.getAuthority());
         try {
             UserGroupInformation ugi = getUGI(user);
@@ -213,7 +210,6 @@ public class KerberosHadoopAccessorServi
     public void addFileToClassPath(String user, String group, final Path file, final Configuration conf)
             throws IOException {
         ParamChecker.notEmpty(user, "user");
-        ParamChecker.notEmpty(group, "group");
         try {
             UserGroupInformation ugi = getUGI(user);
             ugi.doAs(new PrivilegedExceptionAction<Void>() {

Modified: incubator/oozie/trunk/core/src/main/java/org/apache/oozie/servlet/BaseJobServlet.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/java/org/apache/oozie/servlet/BaseJobServlet.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/java/org/apache/oozie/servlet/BaseJobServlet.java (original)
+++ incubator/oozie/trunk/core/src/main/java/org/apache/oozie/servlet/BaseJobServlet.java Thu Mar  1 19:43:43 2012
@@ -20,6 +20,7 @@ package org.apache.oozie.servlet;
 import java.io.IOException;
 import java.util.Arrays;
 
+import javax.servlet.ServletConfig;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -40,6 +41,7 @@ import org.apache.oozie.service.HadoopAc
 import org.apache.oozie.service.HadoopAccessorService;
 import org.apache.oozie.service.Services;
 import org.apache.oozie.service.XLogService;
+import org.apache.oozie.util.ConfigUtils;
 import org.apache.oozie.util.JobUtils;
 import org.apache.oozie.util.XConfiguration;
 import org.apache.oozie.util.XLog;
@@ -156,7 +158,7 @@ public abstract class BaseJobServlet ext
      */
     static void checkAuthorizationForApp(String requestUser, Configuration conf) throws XServletException {
         String user = conf.get(OozieClient.USER_NAME);
-        String group = conf.get(OozieClient.GROUP_NAME);
+        String acl = ConfigUtils.getWithDeprecatedCheck(conf, OozieClient.GROUP_NAME, OozieClient.JOB_ACL, null);
         try {
             if (user == null) {
                 throw new XServletException(HttpServletResponse.SC_BAD_REQUEST, ErrorCode.E0401, OozieClient.USER_NAME);
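Review bot: The argument order at this call reads as reversed: the helper's signature is `getWithDeprecatedCheck(conf, newName, oldName, defaultValue)`, yet `OozieClient.GROUP_NAME` is passed as the new name and `OozieClient.JOB_ACL` as the deprecated one in a commit that introduces the ACL model. The `OozieClient` constants are defined outside this view, so the mapping may be deliberate, but the deprecation warning will then name the two properties in a way that is hard to follow. Either swap the arguments or, once the mapping is confirmed, add a comment such as `// GROUP_NAME is the current key for the ACL; JOB_ACL is the legacy key`. `checkAuthorizationForApp` continues outside the hunk.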
@@ -165,14 +167,12 @@ public abstract class BaseJobServlet ext
                 throw new XServletException(HttpServletResponse.SC_BAD_REQUEST, ErrorCode.E0400, requestUser, user);
             }
             AuthorizationService auth = Services.get().get(AuthorizationService.class);
-            if (group == null) {
-                group = auth.getDefaultGroup(user);
-                conf.set(OozieClient.GROUP_NAME, group);
-            }
-            else {
-                auth.authorizeForGroup(user, group);
+
+            if (acl == null && auth.useDefaultGroupAsAcl()) {
+                acl = auth.getDefaultGroup(user);
+                conf.set(OozieClient.GROUP_NAME, acl);
             }
-            XLog.Info.get().setParameter(XLogService.GROUP, group);
+            XLog.Info.get().setParameter(XLogService.GROUP, acl);
             String wfPath = conf.get(OozieClient.APP_PATH);
             String coordPath = conf.get(OozieClient.COORDINATOR_APP_PATH);
             String bundlePath = conf.get(OozieClient.BUNDLE_APP_PATH);
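Review bot: With the `authorizeForGroup` call removed, the ACL string is taken from the submitted configuration as-is, and `acl` stays null when none is supplied and `useDefaultGroupAsAcl()` is false. That null is passed to `XLog.Info.get().setParameter(XLogService.GROUP, acl)` here and to `auth.authorizeForApp(user, acl, ...)` in the next hunk; neither callee is visible, so confirm both accept null or normalise first with `if (acl == null) { acl = ""; }`. Because the value is later split on commas in `AuthorizationService.isUserInAcl`, trimming or rejecting malformed lists at submission time would keep the stored ACL in the shape that check expects. The method body starts and ends outside this hunk.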
@@ -185,13 +185,13 @@ public abstract class BaseJobServlet ext
             ServletUtilities.ValidateAppPath(wfPath, coordPath, bundlePath);
 
             if (wfPath != null) {
-                auth.authorizeForApp(user, group, wfPath, "workflow.xml", conf);
+                auth.authorizeForApp(user, acl, wfPath, "workflow.xml", conf);
             }
             else if (coordPath != null){
-                auth.authorizeForApp(user, group, coordPath, "coordinator.xml", conf);
+                auth.authorizeForApp(user, acl, coordPath, "coordinator.xml", conf);
             }
             else if (bundlePath != null){
-                auth.authorizeForApp(user, group, bundlePath, "bundle.xml", conf);
+                auth.authorizeForApp(user, acl, bundlePath, "bundle.xml", conf);
             }
         }
         catch (AuthorizationException ex) {

Modified: incubator/oozie/trunk/core/src/main/java/org/apache/oozie/store/StoreStatusFilter.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/java/org/apache/oozie/store/StoreStatusFilter.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/java/org/apache/oozie/store/StoreStatusFilter.java (original)
+++ incubator/oozie/trunk/core/src/main/java/org/apache/oozie/store/StoreStatusFilter.java Thu Mar  1 19:43:43 2012
@@ -21,6 +21,7 @@ import java.util.List;
 import java.util.Map;
 
 import org.apache.oozie.client.OozieClient;
+import org.apache.oozie.util.XLog;
 
 public class StoreStatusFilter {
     public static final String coordSeletStr = "Select w.id, w.appName, w.status, w.user, w.group, w.startTimestamp, w.endTimestamp, w.appPath, w.concurrency, w.frequency, w.lastActionTimestamp, w.nextMaterializedTimestamp, w.createdTimestamp, w.timeUnitStr, w.timeZone, w.timeOut from CoordinatorJobBean w";
@@ -38,7 +39,6 @@ public class StoreStatusFilter {
     public static void filter(Map<String, List<String>> filter, List<String> orArray, List<String> colArray,
             List<String> valArray, StringBuilder sb, String seletStr, String countStr) {
         boolean isStatus = false;
-        boolean isGroup = false;
         boolean isAppName = false;
         boolean isUser = false;
         boolean isEnabled = false;
@@ -52,35 +52,7 @@ public class StoreStatusFilter {
             String colName = null;
             String colVar = null;
             if (entry.getKey().equals(OozieClient.FILTER_GROUP)) {
-                List<String> values = filter.get(OozieClient.FILTER_GROUP);
-                colName = "group";
-                for (int i = 0; i < values.size(); i++) {
-                    colVar = "group";
-                    colVar = colVar + index;
-                    if (!isEnabled && !isGroup) {
-                        sb.append(seletStr).append(" where w.group IN (:group" + index);
-                        isGroup = true;
-                        isEnabled = true;
-                    }
-                    else {
-                        if (isEnabled && !isGroup) {
-                            sb.append(" and w.group IN (:group" + index);
-                            isGroup = true;
-                        }
-                        else {
-                            if (isGroup) {
-                                sb.append(", :group" + index);
-                            }
-                        }
-                    }
-                    if (i == values.size() - 1) {
-                        sb.append(")");
-                    }
-                    index++;
-                    valArray.add(values.get(i));
-                    orArray.add(colName);
-                    colArray.add(colVar);
-                }
+                XLog.getLog(StoreStatusFilter.class).warn("Filter by 'group' is not supported anymore");
             }
             else {
                 if (entry.getKey().equals(OozieClient.FILTER_STATUS)) {
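Review bot: A `group` filter is now dropped with only a server-side WARN, so a client that asks for the jobs of one group gets the unfiltered list back and has no way to tell. Where the filter was used to narrow what a caller sees, silently widening the result is the wrong direction; consider rejecting the request, or at least documenting the change for API users. The logger is looked up on every matching entry; a `private static final XLog LOG = XLog.getLog(StoreStatusFilter.class);` field, the form `ConfigUtils` uses in this commit, avoids that. `filter` continues outside the hunk.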

Added: incubator/oozie/trunk/core/src/main/java/org/apache/oozie/util/ConfigUtils.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/java/org/apache/oozie/util/ConfigUtils.java?rev=1295758&view=auto
==============================================================================
--- incubator/oozie/trunk/core/src/main/java/org/apache/oozie/util/ConfigUtils.java (added)
+++ incubator/oozie/trunk/core/src/main/java/org/apache/oozie/util/ConfigUtils.java Thu Mar  1 19:43:43 2012
@@ -0,0 +1,69 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.oozie.util;
+
+import org.apache.hadoop.conf.Configuration;
+
+/**
+ *
+ */
+public class ConfigUtils {
+    private final static XLog LOG = XLog.getLog(ConfigUtils.class);
+
+    /**
+     * Fetches a property using both a deprecated name and the new name. The deprecated property
+     * has precedence over the new name. If the deprecated name is used a warning is written to
+     * the log.
+     *
+     * @param conf configuration object.
+     * @param newName new property name.
+     * @param oldName deprecated property name.
+     * @param defaultValue default value.
+     * @return the property value, or the default value if not found under the deprecated name and the new name.
+     */
+    public static String getWithDeprecatedCheck(Configuration conf, String newName, String oldName,
+                                                String defaultValue) {
+        String value = conf.get(oldName, null);
+        if (value == null) {
+            value = conf.get(newName, defaultValue);
+        }
+        else {
+            LOG.warn("Using a deprecated configuration property [{0}], should use [{1}].  " +
+                     "Please delete the deprecated property in order for the new property to take effect.",
+                     oldName, newName);
+        }
+        return value;
+    }
+
+    /**
+     * Fetches a property using both a deprecated name and the new name. The deprecated property
+     * has precedence over the new name. If the deprecated name is used a warning is written to
+     * the log.
+     *
+     * @param conf configuration object.
+     * @param newName new property name.
+     * @param oldName deprecated property name.
+     * @param defaultValue default value.
+     * @return the property value, or the default value if not found under the deprecated name and the new name.
+     */
+    public static boolean getWithDeprecatedCheck(Configuration conf, String newName, String oldName,
+                                                 boolean defaultValue) {
+        String value = getWithDeprecatedCheck(conf, newName, oldName, Boolean.toString(defaultValue));
+        return Boolean.parseBoolean(value);
+    }
+}
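Review bot: The boolean overload ends in `Boolean.parseBoolean(value)`, which maps every value other than "true" (a trailing space, "yes", a typo) to `false` with no log line; for `authorization.enabled` a misspelt setting therefore turns authorization off silently. The sketch below trims the value and falls back to the default with a warning when it is neither `true` nor `false`. The class Javadoc is empty, and as a static-only helper the class should be `final` with a private constructor. The second overload's Javadoc is a copy of the first and should say that the value is parsed as a boolean.

```java
    public static boolean getWithDeprecatedCheck(Configuration conf, String newName, String oldName,
                                                 boolean defaultValue) {
        String value = getWithDeprecatedCheck(conf, newName, oldName, Boolean.toString(defaultValue));
        String normalized = value.trim();
        boolean isTrue = "true".equalsIgnoreCase(normalized);
        boolean isFalse = "false".equalsIgnoreCase(normalized);
        if (!isTrue && !isFalse) {
            // An unparseable value must not be read as an explicit "false".
            LOG.warn("Invalid boolean value [{0}] for property [{1}], using default [{2}]",
                     value, newName, defaultValue);
            return defaultValue;
        }
        return isTrue;
    }
```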

Modified: incubator/oozie/trunk/core/src/main/java/org/apache/oozie/util/JobUtils.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/java/org/apache/oozie/util/JobUtils.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/java/org/apache/oozie/util/JobUtils.java (original)
+++ incubator/oozie/trunk/core/src/main/java/org/apache/oozie/util/JobUtils.java Thu Mar  1 19:43:43 2012
@@ -51,10 +51,6 @@ public class JobUtils {
             throw new IllegalArgumentException("user cannot be null");
         }
 
-        if (group == null) {
-            throw new IllegalArgumentException("group cannot be null");
-        }
-
         if (conf.get(XOozieClient.IS_PROXY_SUBMISSION) != null) { // do nothing for proxy submission job;
             return;
         }

Modified: incubator/oozie/trunk/core/src/main/resources/oozie-default.xml
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/resources/oozie-default.xml?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/resources/oozie-default.xml (original)
+++ incubator/oozie/trunk/core/src/main/resources/oozie-default.xml Thu Mar  1 19:43:43 2012
@@ -135,7 +135,7 @@
     <!--  AuthorizationService -->
     
     <property>
-        <name>oozie.service.AuthorizationService.security.enabled</name>
+        <name>oozie.service.AuthorizationService.authorization.enabled</name>
         <value>false</value>
         <description>
             Specifies whether security (user name/admin role) is enabled or not.
@@ -143,6 +143,14 @@
         </description>
     </property>
 
+    <property>
+        <name>oozie.service.AuthorizationService.default.group.as.acl</name>
+        <value>false</value>
+        <description>
+            Enables old behavior where the User's default group is the job's ACL.
+        </description>
+    </property>
+
     <!-- InstrumentationService -->
 
     <property>

Modified: incubator/oozie/trunk/core/src/test/java/org/apache/oozie/service/TestAuthorizationService.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/test/java/org/apache/oozie/service/TestAuthorizationService.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/test/java/org/apache/oozie/service/TestAuthorizationService.java (original)
+++ incubator/oozie/trunk/core/src/test/java/org/apache/oozie/service/TestAuthorizationService.java Thu Mar  1 19:43:43 2012
@@ -22,6 +22,9 @@ import java.io.FileWriter;
 import java.io.IOException;
 import java.io.Reader;
 import java.io.Writer;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileSystem;
@@ -49,11 +52,28 @@ import org.apache.oozie.workflow.Workflo
  */
 public class TestAuthorizationService extends XDataTestCase {
 
+    public static class DummyGroupsService extends GroupsService  {
+        @Override
+        public void init(Services services) {
+        }
+
+        @Override
+        public List<String> getGroups(String user) throws IOException {
+            if (getTestUser().equals(user)) {
+                return Arrays.asList("users", getTestGroup());
+            }
+            else {
+                return Arrays.asList("users");
+            }
+        }
+
+        @Override
+        public void destroy() {
+        }
+    }
     private Services services;
 
-    @Override
-    protected void setUp() throws Exception {
-        super.setUp();
+    private void init(boolean useDefaultGroup) throws Exception {
         setSystemProperty(SchemaService.WF_CONF_EXT_SCHEMAS, "wf-ext-schema.xsd");
 
         Reader adminListReader = IOUtils.getResourceAsReader("adminusers.txt", -1);
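Review bot: The fixture cannot exercise the group branch of `isUserInAcl`: `DummyGroupsService` puts every user other than the test user in `users` only, and the ACL set later in this file is `getTestGroup() + ",foo"`, so the only non-owner who is granted access matches by user name. A case in which a second user is authorized purely through group membership would have exposed the list-versus-string comparison in `AuthorizationService.isUserInAcl`. One way is to have `getGroups` return `Arrays.asList("users", getTestGroup())` for one more named user and assert that `authorizeForJob` succeeds for that user. `init`'s body continues outside the hunk.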
@@ -63,7 +83,9 @@ public class TestAuthorizationService ex
         services = new Services();
         Configuration conf = services.getConf();
         conf.set(Services.CONF_SERVICE_CLASSES,
-                 conf.get(Services.CONF_SERVICE_CLASSES) + "," + AuthorizationService.class.getName());
+                 conf.get(Services.CONF_SERVICE_CLASSES) + "," + AuthorizationService.class.getName() +
+                 "," + DummyGroupsService.class.getName());
+        conf.set(AuthorizationService.CONF_DEFAULT_GROUP_AS_ACL, Boolean.toString(useDefaultGroup));
         services.init();
         services.getConf().setBoolean(AuthorizationService.CONF_SECURITY_ENABLED, true);
         services.get(AuthorizationService.class).init(services);
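Review bot: The test still switches authorization on through the deprecated `CONF_SECURITY_ENABLED` key, so nothing covers `CONF_AUTHORIZATION_ENABLED` or the precedence rule in `ConfigUtils.getWithDeprecatedCheck`. Setting `services.getConf().setBoolean(AuthorizationService.CONF_AUTHORIZATION_ENABLED, true);` here, plus one case where both keys are present with different values, would pin the behaviour operators rely on during migration. `init` starts and ends outside this hunk.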
@@ -80,7 +102,16 @@ public class TestAuthorizationService ex
     /**
      * Tests the Authorization Service API.
      */
-    public void testAuthorizationService() throws Exception {
+    public void testAuthorizationServiceUseDefaultGroup() throws Exception {
+        _testAuthorizationService(true);
+    }
+
+    public void testAuthorizationServiceUseACLs() throws Exception {
+        _testAuthorizationService(false);
+    }
+
+    private void _testAuthorizationService(boolean useDefaultGroup) throws Exception {
+        init(useDefaultGroup);
         Reader reader = IOUtils.getResourceAsReader("wf-ext-schema-valid.xml", -1);
         Writer writer = new FileWriter(getTestCaseDir() + "/workflow.xml");
         IOUtils.copyCharStream(reader, writer);
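Review bot: The Javadoc "Tests the Authorization Service API." now documents only `testAuthorizationServiceUseDefaultGroup`, while `testAuthorizationServiceUseACLs` and the shared helper that does the work have none. I would move the description to the helper and say what the flag selects, e.g. `/** Runs the job authorization checks; useDefaultGroup selects the legacy group model (true) or the ACL model (false). */`. The leading underscore in `_testAuthorizationService` is unusual for Java; `doTestAuthorizationService` would be the conventional name. The helper's body continues outside this hunk.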
@@ -89,7 +120,12 @@ public class TestAuthorizationService ex
         Configuration jobConf = new XConfiguration();
         jobConf.set(OozieClient.APP_PATH, getTestCaseDir() + File.separator + "workflow.xml");
         jobConf.set(OozieClient.USER_NAME, getTestUser());
-        jobConf.set(OozieClient.GROUP_NAME, getTestGroup());
+        if (useDefaultGroup) {
+            jobConf.set(OozieClient.GROUP_NAME, getTestGroup());
+        }
+        else {
+            jobConf.set(OozieClient.GROUP_NAME, getTestGroup() + ",foo");
+        }
         injectKerberosInfo(jobConf);
         jobConf.set(OozieClient.LOG_TOKEN, "t");
 
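Review bot: In the ACL branch the list is still passed through the deprecated `OozieClient.GROUP_NAME` key (`getTestGroup() + ",foo"`), so the test for the new model only covers the backward-compatibility path. The documentation changed in this same commit names `oozie.job.acl` as the property to use; submitting with that property in the `else` branch would cover the path new clients are expected to take. How the submit commands map `GROUP_NAME` onto the ACL is not visible here, so keeping one case for the deprecated key may still be worthwhile. The enclosing helper starts and ends outside this hunk.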
@@ -151,11 +187,19 @@ public class TestAuthorizationService ex
 
         as.authorizeForJob(getTestUser(), jobId, false);
         as.authorizeForJob(getTestUser(), jobId, true);
-        //Because of group support and all users belong to same group
-        as.authorizeForJob("blah", jobId, true);
+        if (!useDefaultGroup) {
+            as.authorizeForJob("foo", jobId, true);
+        }
+        try {
+            as.authorizeForJob("bar", jobId, true);
+            fail();
+        }
+        catch (AuthorizationException ex) {
+        }
     }
 
     public void testAuthorizationServiceForCoord() throws Exception {
+        init(false);
         CoordinatorJobBean job = addRecordToCoordJobTable(CoordinatorJob.Status.PREP, false, false);
         assertNotNull(job);
         AuthorizationService as = services.get(AuthorizationService.class);
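Review bot: After this change no non-owner user is ever authorized through group membership, so whatever group-matching logic `authorizeForJob` has is left without a positive test. With `DummyGroupsService` only `getTestUser()` is in `getTestGroup()`, and that user is the job owner (presumably allowed as owner regardless); `foo` passes in ACL mode because the name itself is in the list, and the removed `blah` check was the only other positive case. I would have the dummy service place a second, non-owner user in `getTestGroup()` and assert that this user is allowed in both modes, and also assert that `foo` is rejected when `useDefaultGroup` is true. The bare `fail();` with an empty catch is hard to diagnose; `fail("bar is not in the job ACL and must be denied write access");` says what was expected. `testAuthorizationServiceForCoord` continues outside this hunk.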
@@ -165,6 +209,7 @@ public class TestAuthorizationService ex
     }
 
     public void testAuthorizationServiceForBundle() throws Exception {
+        init(false);
         BundleJobBean job = this.addRecordToBundleJobTable(Job.Status.PREP, false);
         assertNotNull(job);
         AuthorizationService as = services.get(AuthorizationService.class);
@@ -174,12 +219,14 @@ public class TestAuthorizationService ex
     }
 
     public void testDefaultGroup() throws Exception {
+        init(false);
         AuthorizationService as = services.get(AuthorizationService.class);
         assertNotNull(as);
         assertNotNull(as.getDefaultGroup(getTestUser()));
     }
 
     public void testErrors() throws Exception {
+        init(false);
         services.setService(ForTestAuthorizationService.class);
         AuthorizationService as = services.get(AuthorizationService.class);
 

Modified: incubator/oozie/trunk/core/src/test/java/org/apache/oozie/service/TestHadoopAccessorService.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/test/java/org/apache/oozie/service/TestHadoopAccessorService.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/test/java/org/apache/oozie/service/TestHadoopAccessorService.java (original)
+++ incubator/oozie/trunk/core/src/test/java/org/apache/oozie/service/TestHadoopAccessorService.java Thu Mar  1 19:43:43 2012
@@ -63,13 +63,6 @@ public class TestHadoopAccessorService e
         catch (IllegalArgumentException ex) {
         }
 
-        try {
-            has.createJobClient(user, null, conf);
-            fail();
-        }
-        catch (IllegalArgumentException ex) {
-        }
-
         user = getTestUser();
         JobClient jc = has.createJobClient(user, group, conf);
         assertNotNull(jc);

Modified: incubator/oozie/trunk/core/src/test/java/org/apache/oozie/servlet/TestJobsServlet.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/test/java/org/apache/oozie/servlet/TestJobsServlet.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/test/java/org/apache/oozie/servlet/TestJobsServlet.java (original)
+++ incubator/oozie/trunk/core/src/test/java/org/apache/oozie/servlet/TestJobsServlet.java Thu Mar  1 19:43:43 2012
@@ -109,7 +109,6 @@ public class TestJobsServlet extends Dag
                 DagEngine de = services.get(DagEngineService.class).getDagEngine(getTestUser(), "undef");
                 StringReader sr = new StringReader(de.getJob(MockDagEngineService.JOB_ID + wfCount).getConf());
                 Configuration conf1 = new XConfiguration(sr);
-                assertEquals(AuthorizationService.DEFAULT_GROUP, conf1.get(OozieClient.GROUP_NAME));
                 return null;
             }
         });

Modified: incubator/oozie/trunk/core/src/test/java/org/apache/oozie/servlet/TestV1JobsServlet.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/test/java/org/apache/oozie/servlet/TestV1JobsServlet.java?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/test/java/org/apache/oozie/servlet/TestV1JobsServlet.java (original)
+++ incubator/oozie/trunk/core/src/test/java/org/apache/oozie/servlet/TestV1JobsServlet.java Thu Mar  1 19:43:43 2012
@@ -107,7 +107,6 @@ public class TestV1JobsServlet extends D
                 DagEngine de = services.get(DagEngineService.class).getDagEngine(getTestUser(), "undef");
                 StringReader sr = new StringReader(de.getJob(MockDagEngineService.JOB_ID + wfCount).getConf());
                 Configuration conf1 = new XConfiguration(sr);
-                assertEquals(AuthorizationService.DEFAULT_GROUP, conf1.get(OozieClient.GROUP_NAME));
                 return null;
             }
         });

Modified: incubator/oozie/trunk/docs/src/site/twiki/AG_Install.twiki
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/docs/src/site/twiki/AG_Install.twiki?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/docs/src/site/twiki/AG_Install.twiki (original)
+++ incubator/oozie/trunk/docs/src/site/twiki/AG_Install.twiki Thu Mar  1 19:43:43 2012
@@ -304,7 +304,7 @@ Oozie has a basic authorization model:
 
    * Users have read access to all jobs
    * Users have write access to their own jobs
-   * Users have write access to jobs for groups the users belong to
+   * Users have write access to jobs based on an Access Control List (list of users and groups)
    * Users have read access to admin operations
    * Admin users have write access to all jobs
    * Admin users have write access to admin operations
@@ -322,6 +322,13 @@ If security is enabled, the admin users 
    * One user name per line
    * Empty lines and lines starting with '#' are ignored
 
+NOTE: the old ACL model where a group was provided is still supported if the  following property is set
+in =oozie-stei.xml=:
+
+<verbatim>
+  oozie.service.AuthorizationService.default.group.as.acl=true
+</verbatim>
+
 ---+++ Oozie System ID Configuration
 
 Oozie has a system ID that is is used to generate the Oozie temporary runtime directory, the workflow job IDs, and the

Modified: incubator/oozie/trunk/docs/src/site/twiki/BundleFunctionalSpec.twiki
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/docs/src/site/twiki/BundleFunctionalSpec.twiki?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/docs/src/site/twiki/BundleFunctionalSpec.twiki (original)
+++ incubator/oozie/trunk/docs/src/site/twiki/BundleFunctionalSpec.twiki Thu Mar  1 19:43:43 2012
@@ -159,11 +159,13 @@ A bundle definition is defined in XML by
 
 When submitting a bundle job, the configuration must contain a =user.name= property. If security is enabled, Oozie must ensure that the value of the =user.name= property in the configuration match the user credentials present in the protocol (web services) request.
 
-When submitting a bundle job, the configuration may contain a =group.name= property. If security is enabled, Oozie must ensure that the user of the request belongs to the specified group.
+When submitting a bundle job, the configuration may contain the =oozie.job.acl= property (the =group.name= property
+has been deprecated). If authorization is enabled, this property is treated as as the ACL for the job, it can contain
+user and group IDs separated by commas.
 
-The specified user and group names are assigned to the created bundle job.
+The specified user and ACL are assigned to the created bundle job.
 
-Oozie must propagate the specified user and group to the system executing its children (coordinator jobs).
+Oozie must propagate the specified user and ACL to the system executing its children jobs (coordinator jobs).
 
 ---++ 6. Bundle Application Deployment
 
@@ -179,7 +181,8 @@ When a bundle job is submitted to Oozie,
 
 The bundle application definition HDFS path must be specified in the 'oozie.bundle.application.path' job property.
 
-All the bundle job properties, the HDFS path for the bundle application, the 'user.name' and 'group.name' must be submitted to the Oozie using an XML configuration file (Hadoop XML configuration file).
+All the bundle job properties, the HDFS path for the bundle application, the 'user.name' and 'oozie.job.acl' must be
+submitted to the Oozie using an XML configuration file (Hadoop XML configuration file).
 
 *%GREEN% Example: %ENDCOLOR%*:
 
@@ -282,4 +285,3 @@ Refer to the [[DG_CoordinatorRerun][Reru
 [[index][::Go back to Oozie Documentation Index::]]
 
 </noautolink>
-   
\ No newline at end of file

Modified: incubator/oozie/trunk/docs/src/site/twiki/CoordinatorFunctionalSpec.twiki
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/docs/src/site/twiki/CoordinatorFunctionalSpec.twiki?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/docs/src/site/twiki/CoordinatorFunctionalSpec.twiki (original)
+++ incubator/oozie/trunk/docs/src/site/twiki/CoordinatorFunctionalSpec.twiki Thu Mar  1 19:43:43 2012
@@ -2266,11 +2266,13 @@ The Coordinator engine should provide to
 
 When submitting a coordinator job, the configuration must contain a =user.name= property. If security is enabled, Oozie must ensure that the value of the =user.name= property in the configuration match the user credentials present in the protocol (web services) request.
 
-When submitting a coordinator job, the configuration may contain a =group.name= property. If security is enabled, Oozie must ensure that the user of the request belongs to the specified group.
+When submitting a coordinator job, the configuration may contain the =oozie.job.acl= property (the =group.name= property
+has been deprecated). If authorization is enabled, this property is treated as as the ACL for the job, it can contain
+user and group IDs separated by commas.
 
-The specified user and group names are assigned to the created coordinator job.
+The specified user and ACL are assigned to the created coordinator job.
 
-Oozie must propagate the specified user and group to the system executing the actions (workflow jobs).
+Oozie must propagate the specified user and ACL to the system executing the actions (workflow jobs).
 
 ---++ 10. Coordinator Application Deployment
 
@@ -2316,7 +2318,8 @@ When a coordinator job is submitted to O
 
 The coordinator application definition HDFS path must be specified in the 'oozie.coord.application.path' job property.
 
-All the coordinator job properties, the HDFS path for the coordinator application, the 'user.name' and 'group.name' must be submitted to the Oozie coordinator engine using an XML configuration file (Hadoop XML configuration file).
+All the coordinator job properties, the HDFS path for the coordinator application, the 'user.name' and 'oozie.job.acl'
+must be submitted to the Oozie coordinator engine using an XML configuration file (Hadoop XML configuration file).
 
 *%GREEN% Example: %ENDCOLOR%*:
 

Modified: incubator/oozie/trunk/docs/src/site/twiki/WorkflowFunctionalSpec.twiki
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/docs/src/site/twiki/WorkflowFunctionalSpec.twiki?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/docs/src/site/twiki/WorkflowFunctionalSpec.twiki (original)
+++ incubator/oozie/trunk/docs/src/site/twiki/WorkflowFunctionalSpec.twiki Thu Mar  1 19:43:43 2012
@@ -1473,7 +1473,7 @@ It returns the user name that started th
 
 *String wf:group()*
 
-It returns the group name for the current workflow job.
+It returns the group/ACL for the current workflow job.
 
 *String wf:callback(String stateVar)*
 
@@ -1615,12 +1615,13 @@ When submitting a workflow job, the conf
 must ensure that the value of the =user.name= property in the configuration match the user credentials present in the
 protocol (web services) request.
 
-When submitting a workflow job, the configuration may contain a =group.name= property. If security is enabled, Oozie
-must ensure that the user of the request belongs to the specified group.
+When submitting a workflow job, the configuration may contain the =oozie.job.acl= property (the =group.name= property
+has been deprecated). If authorization is enabled, this property is treated as as the ACL for the job, it can contain
+user and group IDs separated by commas.
 
-The specified user and group names are assigned to the created job.
+The specified user and ACL are assigned to the created job.
 
-Oozie must propagate the specified user and group to the system executing the actions.
+Oozie must propagate the specified user and ACL to the system executing the actions.
 
 It is not allowed for map-reduce, pig and fs actions to override user/group information.
 
@@ -2184,6 +2185,7 @@ Content-Type: application/json;charset=U
       appPath: "hdfs://user/tucu/indexer-wf",
       user: "tucu",
       group: "other",
+      acl: "other",
       status: "RUNNING",
       conf: "<configuration> ... </configuration>",
       createdTime: "Thu, 01 Jan 2009 00:00:00 GMT",
@@ -2205,7 +2207,7 @@ Valid filter names are:
 
    * name: the workflow application name from the workflow definition
    * user: the user that submitted the job
-   * group: the group for the job
+   * group: DEPRECATED, it does a NOP
    * status: the status of the job
 
 The query will do an AND among all the filter names.

Modified: incubator/oozie/trunk/release-log.txt
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/release-log.txt?rev=1295758&r1=1295757&r2=1295758&view=diff
==============================================================================
--- incubator/oozie/trunk/release-log.txt (original)
+++ incubator/oozie/trunk/release-log.txt Thu Mar  1 19:43:43 2012
@@ -1,5 +1,6 @@
 -- Oozie 3.2.0 release
 
+OOZIE-228 For authorization we should use the ACL model (tucu)
 OOZIE-715 Fix TestLocalOozieExample (angeloh via tucu)
 OOZIE-701 Oozie notification URLs don't get replaced with the taken transition (tucu)
 OOZIE-724 TestClassUtils fails as looks for hadoop-core (tucu)