[
https://issues.apache.org/jira/browse/FALCON-400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14089503#comment-14089503
]
Balu Vellanki commented on FALCON-400:
--------------------------------------
Reviewed subtask patches for Falcon 400. I checked out latest code from master
branch at https://github.com/apache/incubator-falcon on Thursday afternoon PST,
I applied patchs from Jira 279 and ran the following command.
(master)$ mvn clean verify -Phadoop-2,test-patch
The build failed with an error saying
[ERROR]
/Users/bvellanki/SourceCode/apache-falcon/incubator-falcon/webapp/src/test/java/org/apache/falcon/validation/ClusterEntityValidationIT.java:[24,42]
cannot find symbol
[ERROR] symbol : class ACL
[ERROR] location: package org.apache.falcon.entity.v0.cluster
I realized that the code necessary for the build to pass in the patchs in the
remaining subtasks. So I applied patchs from JIRA 462, 463, 464, 466, 468 and
557 in that order. The build still failed with following error.
Tests run: 32, Failures: 2, Errors: 0, Skipped: 0, Time elapsed: 2.284 sec <<<
FAILURE! - in org.apache.falcon.entity.parser.FeedEntityParserTest
testValidateACLBadOwner(org.apache.falcon.entity.parser.FeedEntityParserTest)
Time elapsed: 0.021 sec <<< FAILURE!
org.testng.TestException:
Expected exception org.apache.falcon.entity.parser.ValidationException but got
java.lang.AssertionError: Validation exception should have been thrown for
invalid owner
at org.testng.Assert.fail(Assert.java:89) at
org.apache.falcon.entity.parser.FeedEntityParserTest.testValidateACLBadOwner(FeedEntityParserTest.java:609)
testValidateACLBadOwnerAndGroup(org.apache.falcon.entity.parser.FeedEntityParserTest)
Time elapsed: 0.017 sec <<< FAILURE!
org.testng.TestException:
Expected exception org.apache.falcon.entity.parser.ValidationException but got
java.lang.AssertionError: Validation exception should have been thrown for
invalid owner
That said, I went ahead and look at the individual files and I have following
feedback/questions for the patchs.
1) why have the following method in AbstractTestBase.java at Lines 147 :
protected String getGroupName() throws IOException {
return getGroupName(true);
}
I dont see a need for this class.
2) Unit tests in ClusterEntityParserTest.java do not cover the following
methods in ClusterEntityParser.java
validateACL(cluster);
validateLocations(cluster);
The corresponding tests for FeedEntityParser.java and ProcessEntityParser.java
call the parser.validate() method, which in turn calls validateACL(...) and
validateLocations(...)
testValidateACLWithNoACLAndAuthorizationEnabled and
testValidateACLAuthorizationEnabled should call ClusterEntityParser.validate()
3) The method ClusterEntityValidationIT.testValidateLocations() is empty with a
TODO comment in it. Should this be updated before committing in Apache Git.
4) DefaultAuthorizationProvider.authorizeEntity() does not check if the user
who is listed to a entity.getGroups has rwx permission on the Entity. Some
actions like “update” “delete” need the user who is not owner (but belongs to
the group) to have rwx permissions, without which we should not allow edit API
calls.
If this is not supported, I don't see a real need for having permissions as
part of the ACL.
User who is not owner, but belongs to the groups should be able to
- schedule/rerun a process only if the group has +x permission
- update/schedule/delete a process, entity only if the group has +w permission
5) HadoopClientFactoryTest.testCreateFileSystemWithUser() hardcodes username
seetharam ... not sure if this is acceptable.
> Add Authorization for Entities
> ------------------------------
>
> Key: FALCON-400
> URL: https://issues.apache.org/jira/browse/FALCON-400
> Project: Falcon
> Issue Type: New Feature
> Affects Versions: 0.5
> Reporter: Venkatesh Seetharam
> Labels: authorization, security
>
> FALCON-11 addresses authentication as part of security. This should address
> authorization of entities. An entity can only be modified or deleted by the
> user who created this entity.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
