Posted to dev@falcon.apache.org by "Nikhil Mulley (JIRA)" <ji...@apache.org> on 2013/05/14 21:01:16 UTC

[jira] [Commented] (FALCON-14) secure falcon daemon

    [ https://issues.apache.org/jira/browse/FALCON-14?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13657383#comment-13657383 ] 

Nikhil Mulley commented on FALCON-14:
-------------------------------------

Hi Venkatesh,

This looks interesting. 

Had a brief look at the patch.

>>
+            String keytabFile = StartupProperties.get().getProperty(
+                    KERBEROS_KEYTAB, System.getProperty("user.home") + "/ivory.service.keytab").trim();
+            if (keytabFile.length() == 0) {
+                throw new FalconException("Missing required configuration property: "
+                        + KERBEROS_KEYTAB);
+            }
>>
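Review bot: the emptiness check on `keytabFile` catches an unset or blank property but lets a path that does not exist or is unreadable through to `loginUserFromKeytab`, where it fails with a less specific error; checking `new File(keytabFile).isFile()` and `canRead()` here and naming the resolved path in the `FalconException` gives operators a direct message. The fallback `System.getProperty("user.home") + "/ivory.service.keytab"` also still carries the old project name and places the keytab in a home directory whose permissions the service does not control.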

Can you also please check on the mode and user permissions of the keytab file before initiating the app authentication? It would be a key intermediate step to read and impose the necessary permissions on the keytab before the startup/initialization of the kerberos methods (although the API should be able to handle it well and bail out), but the application-specific user should also have proper permissions on the keytab and impose the necessary mode for operability. For more security, I would suggest you impose another directory called ".krb5" under the home directory which should have permissions restricted to the owner of the home directory only. Like, what if the home directory is mistakenly writeable... although this is more of an admin/setup item. Although, in most scenarios, I would store all service-related keytabs under a single hood, /etc/security/keytabs.

Also, now that we are calling the project 'Falcon' officially, it perhaps makes sense to replace s#ivory#falcon#g :-)


>>
+            UserGroupInformation.setConfiguration(conf);
+            UserGroupInformation.loginUserFromKeytab(principal, keytabFile);
+
+            LOG.info("Got Kerberos ticket, keytab: " + keytabFile
+                    + ", Ivory principal principal: " + principal);
>>
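Review bot: the log message on the last two lines repeats the word "principal" ("Ivory principal principal: ") and still uses the old project name; suggest `", Falcon principal: " + principal`. Since `loginUserFromKeytab` throws `IOException` on failure, this success message should be paired with a catch that rethrows as `FalconException` carrying the same keytab and principal context, so a bad keytab or principal is diagnosable from the log rather than from a bare stack trace.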

Can you please log where the credentials cache is acquired and stored? I think it can be imposed where to store the credential cache with KRB5CCNAME over the command line with mit-krb5; not sure about the Java API though.


>>
+
+######### Debugging parameters #########
 
 debug.config.store.uri=${user.dir}/target/store
 debug.config.oozie.conf.uri=${user.dir}/target/oozie
@@ -50,16 +53,41 @@ debug.system.lib.location=${user.dir}/webapp/target/falcon-webapp-0.2-SNAPSHOT/W
 debug.broker.url=vm://localhost
 debug.retry.recorder.path=${user.dir}/target/retry
 
>>
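Review bot: the hardcoded `falcon-webapp-0.2-SNAPSHOT` sits in the `@@ -50,16 +53,41 @@` context header, so it predates this patch, but it still ties `debug.system.lib.location` to one artifact version and will break on every version bump; Maven resource filtering with `${project.version}` would keep it correct across releases. Note also that the hunk header counts 25 added lines while only the `######### Debugging parameters #########` comment and a blank line are quoted here, so the properties added under that header are not part of this excerpt and should be reviewed with it.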

Why is falcon-webapp-0.2-SNAPSHOT hardcoded?


Nikhil
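One way to do the keytab pre-check suggested in the comment above, as an added Java example that is not part of the patch or the Falcon code base. It assumes a POSIX file system, that the service runs as the keytab's owner, and the `KeytabGuard` class name and `/etc/security/keytabs/falcon.service.keytab` default path are placeholders of this example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/** Hypothetical startup guard: refuse to log in from a keytab that is missing, not ours, or exposed. */
public final class KeytabGuard {

    // Any of these bits means the keytab is readable or writable by group/others.
    private static final Set<PosixFilePermission> FORBIDDEN = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    /** Returns null when the keytab is acceptable, otherwise a reason to refuse startup. */
    public static String check(String keytabFile) throws IOException {
        Path keytab = Paths.get(keytabFile);
        if (!Files.isRegularFile(keytab)) {
            return "keytab is missing or not a regular file: " + keytab;
        }
        String me = System.getProperty("user.name");
        String owner = Files.getOwner(keytab).getName();
        if (!me.equals(owner)) {
            return "keytab " + keytab + " is owned by " + owner + ", expected " + me;
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(keytab);
        for (PosixFilePermission p : FORBIDDEN) {
            if (perms.contains(p)) {
                return "keytab " + keytab + " is accessible to group/others: " + PosixFilePermissions.toString(perms);
            }
        }
        // A group- or world-writable parent directory lets someone else replace the keytab.
        Path dir = keytab.toAbsolutePath().getParent();
        Set<PosixFilePermission> dirPerms = Files.getPosixFilePermissions(dir);
        if (dirPerms.contains(PosixFilePermission.GROUP_WRITE) || dirPerms.contains(PosixFilePermission.OTHERS_WRITE)) {
            return "keytab directory " + dir + " is writable by group/others: " + PosixFilePermissions.toString(dirPerms);
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        String path = args.length > 0 ? args[0] : "/etc/security/keytabs/falcon.service.keytab"; // placeholder default
        String problem = check(path);
        if (problem != null) {
            throw new IllegalStateException(problem); // bail out before loginUserFromKeytab is ever called
        }
        System.out.println("keytab " + path + " passes ownership and mode checks");
    }
}
```

Run it with the keytab path as the only argument; a non-null return from `check` is what the daemon would wrap in its `FalconException` before any Kerberos call.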

                
> secure falcon daemon
> --------------------
>
>                 Key: FALCON-14
>                 URL: https://issues.apache.org/jira/browse/FALCON-14
>             Project: Falcon
>          Issue Type: Sub-task
>            Reporter: Venkatesh Seetharam
>            Assignee: Venkatesh Seetharam
>         Attachments: FALCON-14.patch
>
>
> Add Authentication to falcon.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira