[ 
https://issues.apache.org/jira/browse/FALCON-11?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13894051#comment-13894051
 ] 

Venkatesh Seetharam commented on FALCON-11:
-------------------------------------------

Thanks [~sriksun] for taking time to review this and much appreciated.

bq. Would be useful to add a comment in BasicAuthFilter around
OK. hadoop-auth has some but will add

bq. Can the blacklisted users be defaulted to maintain compatibility
It's not desirable since the list is not exhaustive, does not have hive, etc. 
Also, users can choose to run services under a different name. 
[~arpitgupta], can you comment on why this is not desirable? Is it hard to add 
it in startup.properties?

bq. I am assuming that user.name query param is being passed from prism to 
server and since the channel between prism & server is being secured, there is 
no further challenge required from the server to validate prism. Please confirm
That's the intent but the BasicAuthFilter is configured for the sync path which 
needs to be removed in FALCON-229.

bq. One useful thing to document is What elements are created by falcon under 
what location and with what permissions & ownership
Nothing has changed except that it's more tight now. Where should this be 
documented?

bq. LogProvider is creating a proxies file system to retrieve job logs, which 
are actually created by the falcon user. Proxy may be unnecessary.
This was part of review request and is taken care of. But it all depends on the 
default umask. The umask is not inherited from the parent dir but the default 
is 755 which should be fine for this.

bq. Latedata related data is written to folder is owned by falcon with 777 
permissions, there is no need to proxy the user in the LateDataHandler. Same 
thing applies for LateRerunConsumer & LateRerunHandler
Yes, taken care of. 

bq. Now that we have gone through individual JIRAs, If you provide a revised 
merged patch (in this issue) along with individual patches against respective 
JIRAs, it might help to review them faster and also commit.
Yes sir. Will test it once and upload the patch. Thanks!

> Add support for security in Falcon
> ----------------------------------
>
>                 Key: FALCON-11
>                 URL: https://issues.apache.org/jira/browse/FALCON-11
>             Project: Falcon
>          Issue Type: Improvement
>    Affects Versions: 0.3
>            Reporter: Venkatesh Seetharam
>            Assignee: Venkatesh Seetharam
>              Labels: security
>         Attachments: FALCON-11.patch
>
>   Original Estimate: 336h
>  Remaining Estimate: 336h
>
> The following is the break up of tasks for Falcon to be secure and work with 
> secure Hadoop.
> 1. Secure Falcon daemon - needs to login with keytabs
> 2. Secure Hadoop client interface - HDFS
> 3. Secure Oozie client interface
> 4. Secure Falcon Web Interface
> 5. Secure Falcon Client Interface
> ..etc.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
