-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70607/
-----------------------------------------------------------

(Updated May 22, 2019, 11:07 a.m.)


Review request for oozie.


Summary (updated)
-----------------

OOZIE-3196 Authorization: restrict world readability by user


Bugs: OOZIE-3196
    https://issues.apache.org/jira/browse/OOZIE-3196


Repository: oozie-git


Description
-------

The current authorization model does not fit the enterprise requirements as 
everything is readable and writable by everyone by default.

Write access can be restricted using authorization, but restricting read rights 
is only possible via YARN ACLs and HDFS rights, which still does not prevent 
everyone from accessing the workflow, coordinator or bundle job’s configurations.

Improve authorization so it’s possible to configure read/write access for 
workflows, coordinators, and bundles in a more granular way. Could involve 
Sentry during implementation or create and design a new system that fits the 
needs.

The main idea was to enhance the code with an AuthorizationInterface and allow 
the current authorization model to be extended with different implementations 
of this interface.


Diffs
-----

  core/src/main/java/org/apache/oozie/BundleJobBean.java e3ba331d2 
  core/src/main/java/org/apache/oozie/CoordinatorJobBean.java 2a936d609 
  core/src/main/java/org/apache/oozie/ErrorCode.java 6b0ce4700 
  core/src/main/java/org/apache/oozie/WorkflowJobBean.java 1e55884cc 
  core/src/main/java/org/apache/oozie/service/AuthorizationPlugin.java PRE-CREATION 
  core/src/main/java/org/apache/oozie/service/AuthorizationService.java 70c0ed7c5 
  core/src/main/java/org/apache/oozie/service/JobContext.java PRE-CREATION 
  core/src/main/java/org/apache/oozie/service/LegacyAuthorizationPlugin.java PRE-CREATION 
  core/src/main/java/org/apache/oozie/service/OperationContext.java PRE-CREATION 
  core/src/main/java/org/apache/oozie/service/ResourceContext.java PRE-CREATION 
  core/src/main/java/org/apache/oozie/service/StrictAuthorizationPlugin.java PRE-CREATION 
  core/src/main/java/org/apache/oozie/service/UserContext.java PRE-CREATION 
  core/src/main/java/org/apache/oozie/servlet/BaseAdminServlet.java 0b873bc62 
  core/src/main/java/org/apache/oozie/servlet/BaseJobServlet.java dad4a10b5 
  core/src/main/java/org/apache/oozie/servlet/BaseJobsServlet.java 95c65fe75 
  core/src/main/java/org/apache/oozie/servlet/SLAServlet.java 8fad98be9 
  core/src/test/java/org/apache/oozie/service/DummyAuthPlugin.java PRE-CREATION 
  core/src/test/java/org/apache/oozie/service/TestAuthorizationService.java 36e480854 


Diff: https://reviews.apache.org/r/70607/diff/1/


Testing
-------


Thanks,

Mate Juhasz
