> On Sept. 10, 2015, 7:43 a.m., pavan kumar kolamuri wrote: > > common/src/main/java/org/apache/falcon/service/ProxyUserService.java, line > > 149 > > <https://reviews.apache.org/r/37771/diff/3/?file=1056558#file1056558line149> > > > > falcon.service.ProxyUserService.proxyuser." + proxyUser + ".groups. Is > > it Ok if this property not present also ? But doc says both should be > > present if i am not wrong ? > > Sowmya Ramesh wrote: > If you look at ProxyUserService.init it excepts both > falcon.service.ProxyUserService.proxyuser." + proxyUser + ".groups and > falcon.service.ProxyUserService.proxyuser." + proxyUser + ".hosts. If they > are missing it throws "FalconException: property not set in startup > properties. Please add it."
Ok got it. thanks! > On Sept. 10, 2015, 7:43 a.m., pavan kumar kolamuri wrote: > > prism/src/main/java/org/apache/falcon/resource/proxy/SchedulableEntityManagerProxy.java, > > line 490 > > <https://reviews.apache.org/r/37771/diff/3/?file=1056569#file1056569line490> > > > > Why doAs option is added only for entitySummary and entityList ? Why > > not for other entity operations. But in CLI we are taking doAs for all > > entity operations won't it cause exceptions ? Please correct me if i am > > missing something. > > Sowmya Ramesh wrote: > doAs user is used in FalconAuthenticationFilter if passed - in the > doFilter handling if doAs user is passed in the request then it is set as the > proxy user. FalconAuthenticationFilter will be called for every REST API/CLI > request. Reason behind doAs queryParam added only for entitySummary a nd > entityList is because tryProxy expects the doAS user. In tryProxy if ACL is > present in the entity and ACL Owner and doAsUser are different then exception > is thrown. > > Only code paths in entitySummary and entityList call tryProxy and hence > doAs quesy param is required to pass it down to tryProxy. For all other Rest > API doAs user is set as proxy user in doFilter of FalconAuthenticationFilter. > Hope I answered your query. Thanks Soumya for nice clarification. - pavan kumar ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/37771/#review98356 ----------------------------------------------------------- On Aug. 31, 2015, 11:05 p.m., Sowmya Ramesh wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/37771/ > ----------------------------------------------------------- > > (Updated Aug. 31, 2015, 11:05 p.m.) > > > Review request for Falcon. > > > Bugs: FALCON-1027 > https://issues.apache.org/jira/browse/FALCON-1027 > > > Repository: falcon-git > > > Description > ------- > > Today, Falcon doesn’t have doAs capability i.e. it doesn’t support > impersonation. Support for impersonation or proxyuser functionality > (identical to Hadoop proxyuser capabilities and conceptually similar to Unix > 'sudo') needs to be added to REST API’s and CLI(Command > line). > > > Diffs > ----- > > client/src/main/java/org/apache/falcon/cli/FalconCLI.java 11dfe72 > client/src/main/java/org/apache/falcon/cli/FalconMetadataCLI.java 2f57c7d > client/src/main/java/org/apache/falcon/client/AbstractFalconClient.java > 282b41b > client/src/main/java/org/apache/falcon/client/FalconClient.java 44436d2 > common/src/main/java/org/apache/falcon/security/CurrentUser.java 4aed5d7 > common/src/main/java/org/apache/falcon/security/SecurityUtil.java 861f80f > common/src/main/java/org/apache/falcon/service/GroupsService.java > PRE-CREATION > common/src/main/java/org/apache/falcon/service/ProxyUserService.java > PRE-CREATION > common/src/main/resources/startup.properties c48188c > common/src/test/java/org/apache/falcon/security/CurrentUserTest.java > 9a3f365 > common/src/test/java/org/apache/falcon/security/SecurityUtilTest.java > 6e77462 > common/src/test/java/org/apache/falcon/service/GroupsServiceTest.java > PRE-CREATION > common/src/test/java/org/apache/falcon/service/ProxyUserServiceTest.java > PRE-CREATION > docs/src/site/twiki/FalconCLI.twiki 9203699 > docs/src/site/twiki/FalconDocumentation.twiki 29d93f7 > prism/src/main/java/org/apache/falcon/resource/AbstractEntityManager.java > 78964dd > > prism/src/main/java/org/apache/falcon/resource/AbstractSchedulableEntityManager.java > 5b415a2 > prism/src/main/java/org/apache/falcon/resource/channel/HTTPChannel.java > 78f68ba > > prism/src/main/java/org/apache/falcon/resource/proxy/SchedulableEntityManagerProxy.java > ceabb06 > > prism/src/main/java/org/apache/falcon/security/FalconAuthenticationFilter.java > df64b44 > > prism/src/main/java/org/apache/falcon/security/FalconAuthorizationFilter.java > 15e94cd > prism/src/main/java/org/apache/falcon/security/HostnameFilter.java > PRE-CREATION > prism/src/main/webapp/WEB-INF/web.xml 551bf56 > prism/src/test/java/org/apache/falcon/resource/EntityManagerTest.java > cce8737 > > prism/src/test/java/org/apache/falcon/security/FalconAuthenticationFilterTest.java > 9e8c76a > prism/src/test/java/org/apache/falcon/security/HostnameFilterTest.java > PRE-CREATION > src/conf/startup.properties 9925373 > unit/src/main/java/org/apache/falcon/unit/FalconUnitClient.java eb65cb3 > unit/src/test/java/org/apache/falcon/unit/FalconUnitTestBase.java 997b301 > webapp/pom.xml 5a9e1da > webapp/src/conf/oozie/conf/oozie-site.xml ded4873 > > webapp/src/main/java/org/apache/falcon/resource/SchedulableEntityManager.java > 1f8cc1b > webapp/src/main/webapp/WEB-INF/distributed/web.xml 31d78a2 > webapp/src/main/webapp/WEB-INF/embedded/web.xml fa2db39 > webapp/src/main/webapp/WEB-INF/web.xml 2cfd7de > webapp/src/test/java/org/apache/falcon/cli/FalconCLIIT.java 0062070 > webapp/src/test/java/org/apache/falcon/resource/EntityManagerJerseyIT.java > f0cee61 > > webapp/src/test/java/org/apache/falcon/resource/MetadataResourceJerseyIT.java > eb1dda8 > webapp/src/test/java/org/apache/falcon/resource/TestContext.java 4a25b88 > webapp/src/test/resources/startup.properties PRE-CREATION > > Diff: https://reviews.apache.org/r/37771/diff/ > > > Testing > ------- > > Unit tests and IT tests. > Manual testing : > > * ProxyUSer service not added in startup properties, should throw "Service > ProxyUserService not registered" > * Super user not added in proxy user setting in startup.properties, shoudl > throw "java.security.AccessControlException: User <superuser> not defined as > proxyuser" > > CLI: > * Add doAs option in CLI and verify command succeeds > * Commands should succeed without doAs as is an optional arg > > REST API: > * pass doAs query param and verify REST requests succeeds > * REST requests should succeed without doAs query param as it is optional > > > * Perform schedule using doAs user. For other requests if doAs user is not > passed (say suspend, resume etc.) should get "User <superuser> not authorized > for Coord job <bundleId>" > > > Thanks, > > Sowmya Ramesh > >
