[ https://issues.apache.org/jira/browse/OOZIE-2880?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andras Piros updated OOZIE-2880:
--------------------------------
    Affects Version/s: 5.0.0b1

> Improve documentation on Oozie authentication and authorization configuration
> -----------------------------------------------------------------------------
>
>                 Key: OOZIE-2880
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2880
>             Project: Oozie
>          Issue Type: Improvement
>    Affects Versions: 5.0.0b1
>            Reporter: Attila Sasvari
>            Priority: Major
>
> h4. Authentication
>
> [Documentation of Oozie authentication|https://oozie.apache.org/docs/4.3.0/AG_Install.html#Oozie_User_Authentication_Configuration] is slightly incorrect.
>
> {quote}
> Pseudo/simple authentication requires the user to specify the user name on the request, this is done by the PseudoAuthenticator class by injecting the user.name parameter in the query string of all requests. The user.name parameter value is taken from the client process Java System property user.name.
> {quote}
>
> Actually, when someone performs an Oozie operation using the CLI, a hadoop auth token is created and saved to {{~/.oozie-auth-token}}. In subsequent actions, the token is retrieved from this cache file (until the token is expired). In other words, passing {{user.name}} as a system property to the Oozie CLI in an insecure environment (or using kinit -kt in a Kerberized cluster) has no effect if {{.oozie-auth-token}} is present in the user's home and the token is still valid.
>
> With {{simple}} authentication type, pseudo/simple authentication is used. However, in an insecure environment I tested with hadoop 2.4 (default hadoop version) that [KerberosAuthenticator|https://github.com/apache/hadoop/blob/branch-2.4.0/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java#L188] returns a null token. In turn, admin operations cannot be used if there is no {{~/.oozie-auth-token}} with a valid token.
>
> Note: this was fixed by [HADOOP-11467|https://github.com/apache/hadoop/commit/875256834b892b574499d5fe68f95a9aed244f7d#diff-28df14cad207bee984f5ca4820bacabcR198].
>
> h4. Authorization
>
> Regarding [authorization configuration|https://oozie.apache.org/docs/4.3.0/AG_Install.html#User_Authorization_Configuration], the current documentation mentions a deprecated configuration property {{oozie.service.AuthorizationService.security.enabled}}. If a user specifies it, the following warning is logged in the Oozie server log.
>
> {noformat}
> 2017-05-02 03:30:59,578 WARN org.apache.oozie.util.ConfigUtils: SERVER[myserver.com] Using a deprecated configuration property [oozie.service.AuthorizationService.security.enabled], should use [oozie.service.AuthorizationService.authorization.enabled]. Please delete the deprecated property in order for the new property to take effect.
> {noformat}
>
> {{oozie.service.AuthorizationService.authorization.enabled}} should be used.
>
> Oozie authorization only makes sense if *authentication (kerberos) is enabled*. Otherwise any user can claim any identity (as the "simple" authentication type uses Pseudo authentication).

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
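A small audit script for the two authorization pitfalls the issue raises (the deprecated property that shadows the new one, and authorization enabled on top of simple/pseudo authentication), added here as an example and not code from the Oozie project or the reporter. It assumes the standard `oozie.authentication.type` key (values `simple` or `kerberos`), which the issue does not quote, and that an absent authorization key defaults to `false`; the sample oozie-site.xml is constructed.

```python
"""Audit an oozie-site.xml for the OOZIE-2880 pitfalls. Added example, not
Oozie project code. Assumptions: oozie.authentication.type (simple|kerberos)
selects the authenticator, and a missing authorization key means false."""
import xml.etree.ElementTree as ET

DEPRECATED = "oozie.service.AuthorizationService.security.enabled"
CURRENT = "oozie.service.AuthorizationService.authorization.enabled"
AUTH_TYPE = "oozie.authentication.type"  # assumed standard key, not in the issue

# Constructed sample: the exact misconfiguration the issue warns about.
SAMPLE_CONF = """<configuration>
  <property><name>oozie.authentication.type</name><value>simple</value></property>
  <property><name>oozie.service.AuthorizationService.security.enabled</name>
            <value>true</value></property>
  <property><name>oozie.service.AuthorizationService.authorization.enabled</name>
            <value>false</value></property>
</configuration>"""


def parse_hadoop_conf(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit(props):
    """Return a list of findings; an empty list means neither pitfall is present."""
    findings = []
    if DEPRECATED in props:
        # Same condition ConfigUtils warns about: old key present, new key ignored.
        findings.append(f"deprecated {DEPRECATED} present; replace it with {CURRENT}")
    # The deprecated key wins while it exists; absent keys are assumed false.
    enabled = props.get(DEPRECATED, props.get(CURRENT, "false")).lower() == "true"
    auth_type = props.get(AUTH_TYPE, "simple").lower()
    if enabled and auth_type != "kerberos":
        findings.append(f"authorization enabled but {AUTH_TYPE}={auth_type}: "
                        "pseudo authentication lets any user claim any identity")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_hadoop_conf(SAMPLE_CONF)):
        print("WARN", finding)
```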