[jira] [Commented] (FALCON-11) Add support for security in Falcon

[Srikanth Sundarrajan (JIRA)]

    [ 
https://issues.apache.org/jira/browse/FALCON-11?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13893113#comment-13893113
 ] 

Srikanth Sundarrajan commented on FALCON-11:
--------------------------------------------

Would be useful to add a comment in BasicAuthFilter around
{code}
                if (httpRequest.getMethod().equals("OPTIONS")) {
                    optionsServlet.service(request, response);
{code}
describing how KerberosAuthenticator works and why is the OPTIONS method 
required.

Can the blacklisted users be defaulted to maintain compatibility
{code}
        String blackListedUserConfig = 
StartupProperties.get().getProperty(BLACK_LISTED_USER, <<default-values>>);
{code}

I am assuming that user.name query param is being passed from prism to server 
and since the channel between prism & server is being secured, there is no 
further challenge required from the server to validate prism. Please confirm

One useful thing to document is
* What elements are created by falcon under what location and with what 
permissions & ownership

Am putting down some notes, as I review this patch
{code}
oozie coord/bundle xmls: 
${cluster.staging-location}/workflows/{entity}/{entity-name} - owner: falcon, 
Permission: 644
app logs: ${cluster.staging-location}/workflows/{entity}/{entity-name}/logs - 
owner: falcon, Permission: 777
config-store - owner: falcon, Permission: 750
Shared libs: {cluster.working}/{lib,libext} - owner: falcon, Permission: 755
{code}

LogProvider is creating a proxies file system to retrieve job logs, which are 
actually created by the falcon user. Proxy may be unnecessary.
{code}
            // fs on behalf of the end user.
            FileSystem fs = 
HadoopClientFactory.get().createProxiedFileSystem(conf);
            String resolvedRunId = getResolvedRunId(fs, clusterObj, entity, 
instance, runId);
{code}

Latedata related data is written to 
${cluster.staging-location}/workflows/{entity}/{entity-name}/logs/latedata and 
since this folder is owned by falcon with 777 permissions, there is no need to 
proxy the user in the LateDataHandler. Same thing applies for LateRerunConsumer 
& LateRerunHandler


> Add support for security in Falcon
> ----------------------------------
>
>                 Key: FALCON-11
>                 URL: https://issues.apache.org/jira/browse/FALCON-11
>             Project: Falcon
>          Issue Type: Improvement
>    Affects Versions: 0.3
>            Reporter: Venkatesh Seetharam
>            Assignee: Venkatesh Seetharam
>              Labels: security
>         Attachments: FALCON-11.patch
>
>   Original Estimate: 336h
>  Remaining Estimate: 336h
>
> The following is the break up of tasks for Falcon to be secure and work with 
> secure Hadoop.
> 1. Secure Falcon daemon - needs to login with keytabs
> 2. Secure Hadoop client interface - HDFS
> 3. Secure Oozie client interface
> 4. Secure Falcon Web Interface
> 5. Secure Falcon Client Interface
> ..etc.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)