[ https://issues.apache.org/jira/browse/OOZIE-3196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16406625#comment-16406625 ]

Artem Ervits edited comment on OOZIE-3196 at 3/20/18 4:32 PM:
--------------------------------------------------------------

This is a wonderful idea. At the minimum, implementation should be internal to 
Oozie, not (Sentry, Ranger) specific. There should be a property file with Oozie 
authorizations and provide an interface for external projects to tap into.

Do we want this per workflow, per coordinator, per bundle, per action?

Feedback I got from customers is that they want jobs to be more private, 
prevent user from seeing a workflow, see job.properties (passwords), job logs, 
etc.


was (Author: dbist13):
This is a wonderful idea. At the minimum, implementation should be internal to 
Oozie, not (Sentry, Ranger) specific. There should be a property file with Oozie 
authorizations and provide an interface for external projects to tap into.

Do we want this per workflow, per coordinator, per bundle, per action?

Feedback I got from customers is that they want jobs to be more private, 
prevent user from seeing a workflow, see job.properties (passwords).

> Authorization: restrict world readability by user
> -------------------------------------------------
>
>                 Key: OOZIE-3196
>                 URL: https://issues.apache.org/jira/browse/OOZIE-3196
>             Project: Oozie
>          Issue Type: New Feature
>          Components: bundle, coordinator, workflow
>    Affects Versions: 5.0.0b1
>            Reporter: Andras Piros
>            Priority: Major
>
> The [*current authorization 
> model*|https://issues.apache.org/jira/browse/OOZIE-228] does not fit the 
> enterprise requirements as everything is readable and writable by everyone by 
> default.
> Write access can be restricted using authorization but restricting read 
> rights is only possible via Yarn ACLs and HDFS rights which still does not 
> prevent accessing the workflow, coordinator or bundle job’s configurations 
> for everyone.
> Improve authorization so it’s possible to configure read/write access for 
> workflows, coordinators, and bundles in a more granular way. Could involve 
> Sentry during implementation or create and design a new system that fits the 
> needs.


