You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@oozie.apache.org by "Hadoop QA (JIRA)" <ji...@apache.org> on 2011/09/08 06:55:09 UTC
[jira] [Created] (OOZIE-249) GH-332: Authentication module for
oozie
GH-332: Authentication module for oozie
---------------------------------------
Key: OOZIE-249
URL: https://issues.apache.org/jira/browse/OOZIE-249
Project: Oozie
Issue Type: Bug
Reporter: Hadoop QA
As Oozie is the workflow engine on the gateway, it has to be integrated with all other grid systems in order to run jobs and compliant with their authentication policy. Oozie should authenticate those users and propagate credentials (i.e delegation tokens) to the tasks through job conf by that they can be used by the tasks to authenticate themselves against those systems while running.
We need one unified interface for user by which they can specify what all the systems they want to use and authenticate against and should be able to provide configuration for authentication.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (OOZIE-249) GH-332: Authentication module for
oozie
Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OOZIE-249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13101734#comment-13101734 ]
Hadoop QA commented on OOZIE-249:
---------------------------------
bansalmayank remarked:
HI Alejandro,
I have some questions regarding the current SLA schema.
We have SLA_NAME_SPACE_URI = "uri:oozie:sla:0.1" hardcoded and used in the code.
So if we change the sla schema in the future then it would be changed to "uri:oozie:sla:0.2"
1. We have to change the code to support it
2. How we are going to support multiple version of sla schema?
Thanks,
Mayank
> GH-332: Authentication module for oozie
> ---------------------------------------
>
> Key: OOZIE-249
> URL: https://issues.apache.org/jira/browse/OOZIE-249
> Project: Oozie
> Issue Type: Bug
> Reporter: Hadoop QA
>
> As Oozie is the workflow engine on the gateway, it has to be integrated with all other grid systems in order to run jobs and compliant with their authentication policy. Oozie should authenticate those users and propagate credentials (i.e delegation tokens) to the tasks through job conf by that they can be used by the tasks to authenticate themselves against those systems while running.
> We need one unified interface for user by which they can specify what all the systems they want to use and authenticate against and should be able to provide configuration for authentication.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (OOZIE-249) GH-332: Authentication module for
oozie
Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OOZIE-249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13101736#comment-13101736 ]
Hadoop QA commented on OOZIE-249:
---------------------------------
anew remarked:
Alejandro,
I am coming back to your earlier comment:
* ...the WF schema does not care of what goes in the extension schema, so changes in the extension schema do not affect the WF schema. That is the whole point of using extensions.
Strictly speaking, that means the schema for actions should also be in a separate xsd, because the workflow schema does not change if the action schema changes, right?
The question here is, what do you consider an "extension"? It seems that using schema extensions makes most sense if the extension is defined by a third party (that is not under control of the party that defines the main schema). And in that case, the schema extension should be accompanied by a library that knows how to parse the extension, and provides a well-defined API to interact with it.
That is not the case here, and by the way, it is not the case for the SLA extension either - in current Oozie, if the SLA schema changes, Oozie core code has to change. I do believe that you know better than I why it was done this way for SLA, so please help me understand if I am missing something.
So, for the sake of code simplicity, I would prefer to add the authentication to the workflow schema, and _not_ define a new extension a a separate xsd.
-Andreas.
> GH-332: Authentication module for oozie
> ---------------------------------------
>
> Key: OOZIE-249
> URL: https://issues.apache.org/jira/browse/OOZIE-249
> Project: Oozie
> Issue Type: Bug
> Reporter: Hadoop QA
>
> As Oozie is the workflow engine on the gateway, it has to be integrated with all other grid systems in order to run jobs and compliant with their authentication policy. Oozie should authenticate those users and propagate credentials (i.e delegation tokens) to the tasks through job conf by that they can be used by the tasks to authenticate themselves against those systems while running.
> We need one unified interface for user by which they can specify what all the systems they want to use and authenticate against and should be able to provide configuration for authentication.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (OOZIE-249) GH-332: Authentication module for
oozie
Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OOZIE-249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13101737#comment-13101737 ]
Hadoop QA commented on OOZIE-249:
---------------------------------
tucu00 remarked:
Extensions were added to allow users to annotate their WF with additional information Oozie does not care about.
SLA handling was a one off as it was special (Oozie had to do something). With Authentication the same thing happens.
You are correct, Oozie does not have an API to handle extensions.
I think a cleaner way is to add an API to handle extensions.
And yes, all actions should be extensions as they evolve much faster than the WF itself.
> GH-332: Authentication module for oozie
> ---------------------------------------
>
> Key: OOZIE-249
> URL: https://issues.apache.org/jira/browse/OOZIE-249
> Project: Oozie
> Issue Type: Bug
> Reporter: Hadoop QA
>
> As Oozie is the workflow engine on the gateway, it has to be integrated with all other grid systems in order to run jobs and compliant with their authentication policy. Oozie should authenticate those users and propagate credentials (i.e delegation tokens) to the tasks through job conf by that they can be used by the tasks to authenticate themselves against those systems while running.
> We need one unified interface for user by which they can specify what all the systems they want to use and authenticate against and should be able to provide configuration for authentication.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (OOZIE-249) GH-332: Authentication module for
oozie
Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OOZIE-249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13101735#comment-13101735 ]
Hadoop QA commented on OOZIE-249:
---------------------------------
bansalmayank remarked:
hi,
The code which i was referring in the previous comment,
you can find it in
CoordSubmitCommand.java
private void resolveSLA(Element eAppXml, CoordinatorJobBean coordJob) throws CommandException {
// String prefix = XmlUtils.getNamespacePrefix(eAppXml,
// SchemaService.SLA_NAME_SPACE_URI);
Element eSla = eAppXml.getChild("action", eAppXml.getNamespace()).getChild("info",
Namespace.getNamespace(SchemaService.SLA_NAME_SPACE_URI));
> GH-332: Authentication module for oozie
> ---------------------------------------
>
> Key: OOZIE-249
> URL: https://issues.apache.org/jira/browse/OOZIE-249
> Project: Oozie
> Issue Type: Bug
> Reporter: Hadoop QA
>
> As Oozie is the workflow engine on the gateway, it has to be integrated with all other grid systems in order to run jobs and compliant with their authentication policy. Oozie should authenticate those users and propagate credentials (i.e delegation tokens) to the tasks through job conf by that they can be used by the tasks to authenticate themselves against those systems while running.
> We need one unified interface for user by which they can specify what all the systems they want to use and authenticate against and should be able to provide configuration for authentication.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (OOZIE-249) GH-332: Authentication module for
oozie
Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OOZIE-249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13099915#comment-13099915 ]
Hadoop QA commented on OOZIE-249:
---------------------------------
brookwc remarked:
Closed by eb21a642a629d016d5ac0cdabfb24e30c3c09324 Adding Credentials Module.
> GH-332: Authentication module for oozie
> ---------------------------------------
>
> Key: OOZIE-249
> URL: https://issues.apache.org/jira/browse/OOZIE-249
> Project: Oozie
> Issue Type: Bug
> Reporter: Hadoop QA
>
> As Oozie is the workflow engine on the gateway, it has to be integrated with all other grid systems in order to run jobs and compliant with their authentication policy. Oozie should authenticate those users and propagate credentials (i.e delegation tokens) to the tasks through job conf by that they can be used by the tasks to authenticate themselves against those systems while running.
> We need one unified interface for user by which they can specify what all the systems they want to use and authenticate against and should be able to provide configuration for authentication.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (OOZIE-249) GH-332: Authentication module for
oozie
Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OOZIE-249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13101733#comment-13101733 ]
Hadoop QA commented on OOZIE-249:
---------------------------------
bansalmayank remarked:
Adding the Discussion thread....
I think that makes sense.
-Andreas.
On Feb 17, 2011, at 10:32 AM, Alejandro Abdelnur wrote:
On #2,
but why not have the credentials in the extension itself? For example:
<action name="myaction">
<authentication credentials="cred1,cred2" xmlns="uri:oozie:credentials">
...
</authentication>
<map-reduce> ... </map-reduce>
</action>
Thanks.
Alejandro
On Thu, Feb 17, 2011 at 12:55 PM, Angelo Kaichen Huang <an...@yahoo-inc.com> wrote:
On #1, you are right.
On #2, we have to let each action declare which credentials they need, we have to something like that.
<action cred=”cred1, cred2”>
</action>
Therefore current schema has to be changed to add this attribute to action element. That’s the reason for us to create a new schema instead of doing extension.
Thanks,
Angelo
On 2/15/11 6:43 PM, "Alejandro Abdelnur" <tu...@cloudera.com> wrote:
On #1, that info is in the action XML already, correct? if so you don't need to store it again.
On #2, the WF schema does not care of what goes in the extension schema, so changes in the extension schema do not affect the WF schema. That is the whole point of using extensions. Regarding taking it later, once you go live with this you'll have to support whatever schema changes you did, because of that I think we should do this right from the get go.
Thanks.
Alejandro
On Wed, Feb 16, 2011 at 10:33 AM, Mayank Bansal <ba...@yahoo-inc.com> wrote:
Hi Alejandro,
We are not storing any credentials in the DB. Its just configuration like server name etc.
For XML, In my understanding if we want to change anything in extension schema we still need to refer that in workflow schema and that would change the workflow schema as well. However its a good point and we can create an issue and can take up later if its absolutely necessary.
Thanks,
Mayank
On 2/10/11 12:37 AM, "Alejandro Abdelnur" <tucu@cloudera.com <ht...@cloudera.com> > wrote:
Mayank,
A couple of follow ups.
* Why do you need to store the credentials in the DB, they are in the action XML, accessible?
* Why not use the WF XML extension points (like for SLA) instead modifying the WF XML schema?
Thanks.
Alejandro
__._,_.___
Reply to sender | Reply to group | Reply via web post | Start a New Topic
Messages in this topic (16)
RECENT ACTIVITY: New Members 5
Visit Your Group
MARKETPLACE
Find useful articles and helpful tips on living with Fibromyalgia. Visit the Fibromyalgia Zone today!
Stay on top of your group activity without leaving the page you're on - Get the Yahoo! Toolbar now.
Switch to: Text-Only, Daily Digest • Unsubscribe • Terms of Use
.
> GH-332: Authentication module for oozie
> ---------------------------------------
>
> Key: OOZIE-249
> URL: https://issues.apache.org/jira/browse/OOZIE-249
> Project: Oozie
> Issue Type: Bug
> Reporter: Hadoop QA
>
> As Oozie is the workflow engine on the gateway, it has to be integrated with all other grid systems in order to run jobs and compliant with their authentication policy. Oozie should authenticate those users and propagate credentials (i.e delegation tokens) to the tasks through job conf by that they can be used by the tasks to authenticate themselves against those systems while running.
> We need one unified interface for user by which they can specify what all the systems they want to use and authenticate against and should be able to provide configuration for authentication.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (OOZIE-249) GH-332: Authentication module for
oozie
Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OOZIE-249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13101738#comment-13101738 ]
Hadoop QA commented on OOZIE-249:
---------------------------------
angelokh remarked:
Closed by 71e9c11858c1cd4faaf01a2b6251cbb3774cde40 Adding Credentials Module.
> GH-332: Authentication module for oozie
> ---------------------------------------
>
> Key: OOZIE-249
> URL: https://issues.apache.org/jira/browse/OOZIE-249
> Project: Oozie
> Issue Type: Bug
> Reporter: Hadoop QA
>
> As Oozie is the workflow engine on the gateway, it has to be integrated with all other grid systems in order to run jobs and compliant with their authentication policy. Oozie should authenticate those users and propagate credentials (i.e delegation tokens) to the tasks through job conf by that they can be used by the tasks to authenticate themselves against those systems while running.
> We need one unified interface for user by which they can specify what all the systems they want to use and authenticate against and should be able to provide configuration for authentication.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira