Posted to user@oozie.apache.org by Pierre Villard <pi...@gmail.com> on 2018/02/21 08:46:37 UTC

ACLs

Hi,

Wondering if there is a way to define ACLs so that a user can
start/stop/kill a workflow launched by another user (in kerberized cluster)?

The use case is the following: users a, b and c are working on a project X
and a business user has been created for project A. This business user is
used to launch the workflow. Problem is: users are connecting to Hue as a,
b, or c and they are not able to control the workflow. Is there a way to
say, for example, that if a user belongs to the same LDAP group as the
business user, the user is allowed to stop a workflow?

Thanks

Re: ACLs

Posted by Pierre Villard <pi...@gmail.com>.
Thanks Attila, it works like a charm.

Pierre

2018-02-21 17:29 GMT+01:00 Attila Sasvari <as...@cloudera.com>:

> Hi there,
>
> Oozie has a basic authorization model:
>
>    - Users have read access to all jobs
>    - Users have write access to their own jobs
>    - Users have write access to jobs based on an Access Control List (list
>    of users and groups)
>    - Users have read access to admin operations
>    - Admin users have write access to all jobs
>    - Admin users have write access to admin operations
>
> If security is disabled all users are admin users.
>
> Oozie security is set via the following configuration property (default
> value shown):
>
>   oozie.service.AuthorizationService.security.enabled=false
>
> NOTE: the old ACL model where a group was provided is still supported if
> the following property is set in oozie-site.xml:
>
>   oozie.service.AuthorizationService.default.group.as.acl=true
>
> So you can define Oozie ACLs similar to Hadoop ACLs using the oozie.job.acl
> property in your workflows' configuration.
>
> For more information:
> - https://oozie.apache.org/docs/4.3.0/WorkflowFunctionalSpec.html#a6_User_Propagation
> - https://oozie.apache.org/docs/4.3.0/AG_Install.html#Oozie_Hadoop_Authentication_Configuration
> - Hadoop security by Ben Spivey & Joey Echeverria (book published by
> O'Reilly Media)
>
> On Wed, Feb 21, 2018 at 9:46 AM, Pierre Villard <pierre.villard.fr@gmail.com> wrote:
>
> > Hi,
> >
> > Wondering if there is a way to define ACLs so that a user can
> > start/stop/kill a workflow launched by another user (in kerberized
> > cluster)?
> >
> > The use case is the following: users a, b and c are working on a project X
> > and a business user has been created for project A. This business user is
> > used to launch the workflow. Problem is: users are connecting to Hue as a,
> > b, or c and they are not able to control the workflow. Is there a way to
> > say, for example, that if a user belongs to the same LDAP group as the
> > business user, the user is allowed to stop a workflow?
> >
> > Thanks
> >
>
>
>
> --
> --
> Attila Sasvari
> Software Engineer
> <http://www.cloudera.com/>
>

Re: ACLs

Posted by Attila Sasvari <as...@cloudera.com>.
Hi there,

Oozie has a basic authorization model:

   - Users have read access to all jobs
   - Users have write access to their own jobs
   - Users have write access to jobs based on an Access Control List (list
   of users and groups)
   - Users have read access to admin operations
   - Admin users have write access to all jobs
   - Admin users have write access to admin operations

If security is disabled all users are admin users.

Oozie security is set via the following configuration property (default
value shown):

  oozie.service.AuthorizationService.security.enabled=false

NOTE: the old ACL model where a group was provided is still supported if
the following property is set in oozie-site.xml:

  oozie.service.AuthorizationService.default.group.as.acl=true

So you can define Oozie ACLs similar to Hadoop ACLs using the oozie.job.acl
property in your workflows' configuration.

For more information:
- https://oozie.apache.org/docs/4.3.0/WorkflowFunctionalSpec.html#a6_User_Propagation
- https://oozie.apache.org/docs/4.3.0/AG_Install.html#Oozie_Hadoop_Authentication_Configuration
- Hadoop security by Ben Spivey & Joey Echeverria (book published by
O'Reilly Media)

On Wed, Feb 21, 2018 at 9:46 AM, Pierre Villard <pierre.villard.fr@gmail.com> wrote:

> Hi,
>
> Wondering if there is a way to define ACLs so that a user can
> start/stop/kill a workflow launched by another user (in kerberized
> cluster)?
>
> The use case is the following: users a, b and c are working on a project X
> and a business user has been created for project A. This business user is
> used to launch the workflow. Problem is: users are connecting to Hue as a,
> b, or c and they are not able to control the workflow. Is there a way to
> say, for example, that if a user belongs to the same LDAP group as the
> business user, the user is allowed to stop a workflow?
>
> Thanks
>



-- 
-- 
Attila Sasvari
Software Engineer
<http://www.cloudera.com/>
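
Added example (not part of the original thread and not Oozie source code): a simplified Python model of the write-access rules listed in the reply above, applied to the thread's use case of a business user launching the workflow for users a, b and c. The job.properties content, the user and group names, and the group mapping are constructed; a real server resolves groups and admin users from its own configuration.

```python
# Added illustration: a simplified model of the write-access rules in the
# reply above. Not Oozie source code; every name and value is constructed.

# Constructed job.properties: the business user grants write access to the
# project group and to one named user through oozie.job.acl.
JOB_PROPERTIES = """\
oozie.wf.application.path=${nameNode}/apps/projx
oozie.job.acl=projx_team, ops_oncall
"""

OWNER = "svc_projx"        # constructed business user that submits the job
ADMINS = {"oozie_admin"}   # constructed admin user list
# Constructed user -> groups mapping, standing in for the server's group lookup.
GROUPS = {
    "a": {"projx_team"}, "b": {"projx_team"}, "c": {"projx_team"},
    "mallory": {"interns"},
}


def parse_properties(text):
    """Parse key=value lines, skipping blank lines and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def can_write(user, owner, props, security_enabled=True):
    """Return (allowed, reason) for a write operation such as kill or suspend."""
    if not security_enabled:
        return True, "security disabled: every user is an admin"
    if user in ADMINS:
        return True, "admin user"
    if user == owner:
        return True, "job owner"
    acl = {e.strip() for e in props.get("oozie.job.acl", "").split(",") if e.strip()}
    if user in acl:
        return True, "user listed in ACL"
    matched = acl & GROUPS.get(user, set())
    if matched:
        return True, "member of ACL group " + sorted(matched)[0]
    return False, "not owner, not admin, not in ACL"
```

With the default oozie.service.AuthorizationService.security.enabled=false, the first branch is the only one that runs, so the ACL restricts nobody until that property is set to true.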