Attila Sasvari created OOZIE-2880:
-------------------------------------
Summary: Improve documentation on Oozie authentication and authorization configuration
Key: OOZIE-2880
URL: https://issues.apache.org/jira/browse/OOZIE-2880
Project: Oozie
Issue Type: Improvement
Reporter: Attila Sasvari
h4. Authentication
[Documentation of Oozie authentication|https://oozie.apache.org/docs/4.3.0/AG_Install.html#Oozie_User_Authentication_Configuration] is slightly incorrect.
{quote}
Pseudo/simple authentication requires the user to specify the user name on the
request, this is done by the PseudoAuthenticator class by injecting the
user.name parameter in the query string of all requests. The user.name
parameter value is taken from the client process Java System property user.name.
{quote}
Actually, when someone performs an Oozie operation using the CLI, a Hadoop auth
token is created and saved to {{~/.oozie-auth-token}}. In subsequent actions,
the token is retrieved from this cache file (until the token has expired). In
other words, passing {{user.name}} as a system property to the Oozie CLI in an
insecure environment (or using kinit -kt in a Kerberized cluster) has no
effect if {{.oozie-auth-token}} is present in the user's home and the token is
still valid.
With the {{simple}} authentication type, pseudo/simple authentication is used.
However, in an insecure environment I tested with hadoop 2.4 (the default hadoop
version) that
[KerberosAuthenticator|https://github.com/apache/hadoop/blob/branch-2.4.0/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java#L188]
returns a null token. In turn, admin operations cannot be used if there is no
{{~/.oozie-auth-token}} with a valid token. Note: this was fixed by
[HADOOP-11467|https://github.com/apache/hadoop/commit/875256834b892b574499d5fe68f95a9aed244f7d#diff-28df14cad207bee984f5ca4820bacabcR198].
h4. Authorization
Regarding [authorization configuration|https://oozie.apache.org/docs/4.3.0/AG_Install.html#User_Authorization_Configuration],
the current documentation mentions a deprecated configuration property
{{oozie.service.AuthorizationService.security.enabled}}. If a user specifies
it, the following warning is logged in the Oozie server log.
{noformat}
2017-05-02 03:30:59,578 WARN org.apache.oozie.util.ConfigUtils:
SERVER[myserver.com] Using a deprecated configuration property
[oozie.service.AuthorizationService.security.enabled], should use
[oozie.service.AuthorizationService.authorization.enabled]. Please delete the
deprecated property in order for the new property to take effect.
{noformat}
{{oozie.service.AuthorizationService.authorization.enabled}} should be used.
Oozie authorization only makes sense if *authentication (kerberos) is enabled*.
Otherwise any user can claim any identity (as the "simple" authentication type uses
Pseudo authentication).
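The two pitfalls above (the deprecated property masking the current one, and authorization enabled without Kerberos) can be checked mechanically. The following audit script is an added example, not code from this issue or from the Oozie project; it assumes the standard {{oozie.authentication.type}} property (default {{simple}}) and that {{oozie.service.AuthorizationService.authorization.enabled}} defaults to {{false}} when absent.

```python
"""Audit an oozie-site.xml for the authorization pitfalls described above."""
import xml.etree.ElementTree as ET

DEPRECATED = "oozie.service.AuthorizationService.security.enabled"
CURRENT = "oozie.service.AuthorizationService.authorization.enabled"
AUTH_TYPE = "oozie.authentication.type"  # assumed standard property name


def parse_hadoop_conf(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit(props):
    """Return a list of findings; an empty list means nothing was detected."""
    findings = []
    if DEPRECATED in props:
        # Oozie warns that the deprecated key must be deleted for the new one to apply.
        findings.append(f"deprecated {DEPRECATED} is set; delete it so that "
                        f"{CURRENT} takes effect")
    authz_on = props.get(CURRENT, "false").lower() == "true"  # assumed default
    auth_type = props.get(AUTH_TYPE, "simple").lower()
    if authz_on and auth_type != "kerberos":
        # With pseudo/simple auth, the client picks the user name, so authz is moot.
        findings.append(f"authorization enabled but {AUTH_TYPE}={auth_type}: "
                        "any client can claim any identity")
    return findings


# Constructed samples: a weak configuration and its corrected form.
WEAK_XML = """<configuration>
  <property><name>oozie.service.AuthorizationService.security.enabled</name><value>true</value></property>
  <property><name>oozie.service.AuthorizationService.authorization.enabled</name><value>true</value></property>
  <property><name>oozie.authentication.type</name><value>simple</value></property>
</configuration>"""
FIXED_XML = """<configuration>
  <property><name>oozie.service.AuthorizationService.authorization.enabled</name><value>true</value></property>
  <property><name>oozie.authentication.type</name><value>kerberos</value></property>
</configuration>"""

if __name__ == "__main__":
    for finding in audit(parse_hadoop_conf(WEAK_XML)):
        print("WARN:", finding)
    print("fixed config findings:", audit(parse_hadoop_conf(FIXED_XML)))
```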
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)