You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@oozie.apache.org by Mate Juhasz <ma...@gmail.com> on 2019/05/22 11:07:01 UTC
Re: Review Request 70607: OOZIE-3196 Authorization: restrict world
readability by user
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70607/
-----------------------------------------------------------
(Updated May 22, 2019, 11:07 a.m.)
Review request for oozie.
Summary (updated)
-----------------
OOZIE-3196 Authorization: restrict world readability by user
Bugs: OOZIE-3196
https://issues.apache.org/jira/browse/OOZIE-3196
Repository: oozie-git
Description
-------
The current authorization model does not fit the enterprise requirements as everything is readable and writable by everyone by default.
Write access can be restricted using authorization but restricting read rights is only possible via Yarn ACLs and HDFS rights which still does not prevent accessing the workflow, coordinator or bundle job’s configurations for everyone.
Improve authorization so it’s possible to configure read/write access for workflows, coordinators, and bundles in a more granular way. Could involve Sentry during implementation or create and design a new system that fits the needs.
The main idea was to enhance the code with an AuthorizationInterface and allow the current authorization model to be extended with different implementations of this interface.
Diffs
-----
core/src/main/java/org/apache/oozie/BundleJobBean.java e3ba331d2
core/src/main/java/org/apache/oozie/CoordinatorJobBean.java 2a936d609
core/src/main/java/org/apache/oozie/ErrorCode.java 6b0ce4700
core/src/main/java/org/apache/oozie/WorkflowJobBean.java 1e55884cc
core/src/main/java/org/apache/oozie/service/AuthorizationPlugin.java PRE-CREATION
core/src/main/java/org/apache/oozie/service/AuthorizationService.java 70c0ed7c5
core/src/main/java/org/apache/oozie/service/JobContext.java PRE-CREATION
core/src/main/java/org/apache/oozie/service/LegacyAuthorizationPlugin.java PRE-CREATION
core/src/main/java/org/apache/oozie/service/OperationContext.java PRE-CREATION
core/src/main/java/org/apache/oozie/service/ResourceContext.java PRE-CREATION
core/src/main/java/org/apache/oozie/service/StrictAuthorizationPlugin.java PRE-CREATION
core/src/main/java/org/apache/oozie/service/UserContext.java PRE-CREATION
core/src/main/java/org/apache/oozie/servlet/BaseAdminServlet.java 0b873bc62
core/src/main/java/org/apache/oozie/servlet/BaseJobServlet.java dad4a10b5
core/src/main/java/org/apache/oozie/servlet/BaseJobsServlet.java 95c65fe75
core/src/main/java/org/apache/oozie/servlet/SLAServlet.java 8fad98be9
core/src/test/java/org/apache/oozie/service/DummyAuthPlugin.java PRE-CREATION
core/src/test/java/org/apache/oozie/service/TestAuthorizationService.java 36e480854
Diff: https://reviews.apache.org/r/70607/diff/1/
Testing
-------
Thanks,
Mate Juhasz