> On Sept. 10, 2015, 7:43 a.m., pavan kumar kolamuri wrote:
> > common/src/main/java/org/apache/falcon/service/ProxyUserService.java, line 149
> > <https://reviews.apache.org/r/37771/diff/3/?file=1056558#file1056558line149>
> >
> >     falcon.service.ProxyUserService.proxyuser." + proxyUser + ".groups. Is it OK if this property is not present also? But the doc says both should be present, if I am not wrong?

If you look at ProxyUserService.init, it expects both falcon.service.ProxyUserService.proxyuser." + proxyUser + ".groups and falcon.service.ProxyUserService.proxyuser." + proxyUser + ".hosts. If they are missing it throws "FalconException: property not set in startup properties. Please add it."


> On Sept. 10, 2015, 7:43 a.m., pavan kumar kolamuri wrote:
> > prism/src/main/java/org/apache/falcon/resource/proxy/SchedulableEntityManagerProxy.java, line 490
> > <https://reviews.apache.org/r/37771/diff/3/?file=1056569#file1056569line490>
> >
> >     Why is the doAs option added only for entitySummary and entityList? Why not for other entity operations? But in the CLI we are taking doAs for all entity operations; won't it cause exceptions? Please correct me if I am missing something.

doAs user is used in FalconAuthenticationFilter if passed - in the doFilter handling, if doAs user is passed in the request then it is set as the proxy user. FalconAuthenticationFilter will be called for every REST API/CLI request.

The reason the doAs queryParam is added only for entitySummary and entityList is that tryProxy expects the doAs user. In tryProxy, if an ACL is present in the entity and the ACL owner and doAsUser are different, then an exception is thrown. Only code paths in entitySummary and entityList call tryProxy, and hence the doAs query param is required to pass it down to tryProxy. For all other REST APIs, the doAs user is set as proxy user in doFilter of FalconAuthenticationFilter. Hope I answered your query.


> On Sept. 10, 2015, 7:43 a.m., pavan kumar kolamuri wrote:
> > common/src/main/java/org/apache/falcon/service/ProxyUserService.java, line 147
> > <https://reviews.apache.org/r/37771/diff/3/?file=1056558#file1056558line147>
> >
> >     This is not required, since in validateRequestorHost the comparison is done for both hostname and normalized hostname. If we do this, won't it fail if someone gives only hostnames in properties?

Good catch. Thanks!

- Sowmya


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/37771/#review98356
-----------------------------------------------------------


On Aug. 31, 2015, 11:05 p.m., Sowmya Ramesh wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/37771/
> -----------------------------------------------------------
>
> (Updated Aug. 31, 2015, 11:05 p.m.)
>
>
> Review request for Falcon.
>
>
> Bugs: FALCON-1027
>     https://issues.apache.org/jira/browse/FALCON-1027
>
>
> Repository: falcon-git
>
>
> Description
> -------
>
> Today, Falcon doesn't have doAs capability i.e. it doesn't support impersonation. Support for impersonation or proxyuser functionality (identical to Hadoop proxyuser capabilities and conceptually similar to Unix 'sudo') needs to be added to REST APIs and CLI (command line).
>
>
> Diffs
> -----
>
>   client/src/main/java/org/apache/falcon/cli/FalconCLI.java 11dfe72
>   client/src/main/java/org/apache/falcon/cli/FalconMetadataCLI.java 2f57c7d
>   client/src/main/java/org/apache/falcon/client/AbstractFalconClient.java 282b41b
>   client/src/main/java/org/apache/falcon/client/FalconClient.java 44436d2
>   common/src/main/java/org/apache/falcon/security/CurrentUser.java 4aed5d7
>   common/src/main/java/org/apache/falcon/security/SecurityUtil.java 861f80f
>   common/src/main/java/org/apache/falcon/service/GroupsService.java PRE-CREATION
>   common/src/main/java/org/apache/falcon/service/ProxyUserService.java PRE-CREATION
>   common/src/main/resources/startup.properties c48188c
>   common/src/test/java/org/apache/falcon/security/CurrentUserTest.java 9a3f365
>   common/src/test/java/org/apache/falcon/security/SecurityUtilTest.java 6e77462
>   common/src/test/java/org/apache/falcon/service/GroupsServiceTest.java PRE-CREATION
>   common/src/test/java/org/apache/falcon/service/ProxyUserServiceTest.java PRE-CREATION
>   docs/src/site/twiki/FalconCLI.twiki 9203699
>   docs/src/site/twiki/FalconDocumentation.twiki 29d93f7
>   prism/src/main/java/org/apache/falcon/resource/AbstractEntityManager.java 78964dd
>   prism/src/main/java/org/apache/falcon/resource/AbstractSchedulableEntityManager.java 5b415a2
>   prism/src/main/java/org/apache/falcon/resource/channel/HTTPChannel.java 78f68ba
>   prism/src/main/java/org/apache/falcon/resource/proxy/SchedulableEntityManagerProxy.java ceabb06
>   prism/src/main/java/org/apache/falcon/security/FalconAuthenticationFilter.java df64b44
>   prism/src/main/java/org/apache/falcon/security/FalconAuthorizationFilter.java 15e94cd
>   prism/src/main/java/org/apache/falcon/security/HostnameFilter.java PRE-CREATION
>   prism/src/main/webapp/WEB-INF/web.xml 551bf56
>   prism/src/test/java/org/apache/falcon/resource/EntityManagerTest.java cce8737
>   prism/src/test/java/org/apache/falcon/security/FalconAuthenticationFilterTest.java 9e8c76a
>   prism/src/test/java/org/apache/falcon/security/HostnameFilterTest.java PRE-CREATION
>   src/conf/startup.properties 9925373
>   unit/src/main/java/org/apache/falcon/unit/FalconUnitClient.java eb65cb3
>   unit/src/test/java/org/apache/falcon/unit/FalconUnitTestBase.java 997b301
>   webapp/pom.xml 5a9e1da
>   webapp/src/conf/oozie/conf/oozie-site.xml ded4873
>   webapp/src/main/java/org/apache/falcon/resource/SchedulableEntityManager.java 1f8cc1b
>   webapp/src/main/webapp/WEB-INF/distributed/web.xml 31d78a2
>   webapp/src/main/webapp/WEB-INF/embedded/web.xml fa2db39
>   webapp/src/main/webapp/WEB-INF/web.xml 2cfd7de
>   webapp/src/test/java/org/apache/falcon/cli/FalconCLIIT.java 0062070
>   webapp/src/test/java/org/apache/falcon/resource/EntityManagerJerseyIT.java f0cee61
>   webapp/src/test/java/org/apache/falcon/resource/MetadataResourceJerseyIT.java eb1dda8
>   webapp/src/test/java/org/apache/falcon/resource/TestContext.java 4a25b88
>   webapp/src/test/resources/startup.properties PRE-CREATION
>
> Diff: https://reviews.apache.org/r/37771/diff/
>
>
> Testing
> -------
>
> Unit tests and IT tests.
> Manual testing:
>
> * ProxyUser service not added in startup properties, should throw "Service ProxyUserService not registered"
> * Super user not added in proxy user setting in startup.properties, should throw "java.security.AccessControlException: User <superuser> not defined as proxyuser"
>
> CLI:
> * Add doAs option in CLI and verify command succeeds
> * Commands should succeed without doAs as it is an optional arg
>
> REST API:
> * Pass doAs query param and verify REST requests succeed
> * REST requests should succeed without doAs query param as it is optional
>
>
> * Perform schedule using doAs user. For other requests, if doAs user is not passed (say suspend, resume etc.), should get "User <superuser> not authorized for Coord job <bundleId>"
>
>
> Thanks,
>
> Sowmya Ramesh
>
>
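
The proxyuser checks discussed in this thread, as an added Java example that is not Falcon's ProxyUserService code: both the `.hosts` and `.groups` properties are required, the request host is accepted if it matches a configured entry as written or in normalized form, and the doAs user must belong to an allowed group. The class name, helper names, the in-memory group map (standing in for a groups service), the normalization rule and every message other than "not defined as proxyuser" are assumptions.

```java
import java.net.InetAddress;
import java.security.AccessControlException;
import java.util.*;

public class ProxyUserCheckDemo {
    static final String PREFIX = "falcon.service.ProxyUserService.proxyuser.";

    // Fail closed: a missing or empty value is a configuration error, not "allow all".
    static Set<String> required(Properties p, String key) {
        String v = p.getProperty(key, "").trim();
        if (v.isEmpty()) throw new IllegalStateException(key + " property not set in startup properties");
        return new HashSet<>(Arrays.asList(v.split("\\s*,\\s*")));
    }

    // Assumed normalization: resolver's canonical name, raw value if resolution fails.
    static String normalize(String host) {
        try { return InetAddress.getByName(host).getCanonicalHostName(); }
        catch (Exception e) { return host; }
    }

    static void validate(Properties p, Map<String, Set<String>> groupsOf,
                         String proxyUser, String requestHost, String doAsUser) {
        String base = PREFIX + proxyUser;
        if (p.getProperty(base + ".hosts") == null && p.getProperty(base + ".groups") == null)
            throw new AccessControlException("User " + proxyUser + " not defined as proxyuser");
        Set<String> hosts = required(p, base + ".hosts");
        Set<String> groups = required(p, base + ".groups");
        // Match the configured entry as written or in normalized form.
        if (!hosts.contains(requestHost) && !hosts.contains(normalize(requestHost)))
            throw new AccessControlException("Host " + requestHost + " not allowed for " + proxyUser);
        if (Collections.disjoint(groups, groupsOf.getOrDefault(doAsUser, Set.of())))
            throw new AccessControlException(proxyUser + " may not impersonate " + doAsUser);
    }

    public static void main(String[] args) {
        Properties p = new Properties();  // constructed sample configuration
        p.setProperty(PREFIX + "falcon.hosts", "localhost,127.0.0.1");
        p.setProperty(PREFIX + "falcon.groups", "etl");
        Map<String, Set<String>> groupsOf = Map.of("alice", Set.of("etl"), "bob", Set.of("web"));
        validate(p, groupsOf, "falcon", "127.0.0.1", "alice");  // allowed, returns normally
        try {
            validate(p, groupsOf, "falcon", "127.0.0.1", "bob");  // bob is not in group etl
        } catch (AccessControlException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```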
