[ https://issues.apache.org/jira/browse/OOZIE-2880?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andras Piros updated OOZIE-2880:
--------------------------------
Affects Version/s: 5.0.0b1
> Improve documentation on Oozie authentication and authorization configuration
> -----------------------------------------------------------------------------
>
> Key: OOZIE-2880
> URL: https://issues.apache.org/jira/browse/OOZIE-2880
> Project: Oozie
> Issue Type: Improvement
> Affects Versions: 5.0.0b1
> Reporter: Attila Sasvari
> Priority: Major
>
> h4. Authentication
> [Documentation of Oozie
> authentication|https://oozie.apache.org/docs/4.3.0/AG_Install.html#Oozie_User_Authentication_Configuration]
> is slightly incorrect.
> {quote}
> Pseudo/simple authentication requires the user to specify the user name on
> the request, this is done by the PseudoAuthenticator class by injecting the
> user.name parameter in the query string of all requests. The user.name
> parameter value is taken from the client process Java System property
> user.name .
> {quote}
> Actually, when someone performs an Oozie operation using the CLI, a hadoop
> auth token is created and saved to {{~/.oozie-auth-token}}. In subsequent
> actions, the token is retrieved from this cache file (until the token is
> expired). In other words, passing {{user.name}} as a system property to the
> Oozie CLI in an insecure environment (or using kinit -kt in a Kerberized
> cluster) has no effect if {{.oozie-auth-token}} is present in the user's
> home and the token is still valid.
> With {{simple}} authentication type pseudo/simple authentication is used.
> However, in an insecure environment I tested with hadoop 2.4 (the default hadoop
> version) that
> [KerberosAuthenticator|https://github.com/apache/hadoop/blob/branch-2.4.0/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java#L188]
> returns a null token. In turn, admin operations cannot be used if there is
> no {{~/.oozie-auth-token}} with a valid token. Note: this was fixed by
> [HADOOP-11467|https://github.com/apache/hadoop/commit/875256834b892b574499d5fe68f95a9aed244f7d#diff-28df14cad207bee984f5ca4820bacabcR198].
> h4. Authorization
> Regarding [authorization configuration|https://oozie.apache.org/docs/4.3.0/AG_Install.html#User_Authorization_Configuration]
> the current documentation mentions a deprecated configuration property
> {{oozie.service.AuthorizationService.security.enabled}}. If a user specifies
> it, the following warning is logged in the Oozie server log.
> {noformat}
> 2017-05-02 03:30:59,578 WARN org.apache.oozie.util.ConfigUtils: SERVER[myserver.com] Using a deprecated configuration property [oozie.service.AuthorizationService.security.enabled], should use [oozie.service.AuthorizationService.authorization.enabled]. Please delete the deprecated property in order for the new property to take effect.
> {noformat}
> {{oozie.service.AuthorizationService.authorization.enabled}} should be used.
> Oozie authorization only makes sense if *authentication (kerberos) is
> enabled*. Otherwise any user can claim any identity (as the "simple"
> authentication type uses Pseudo authentication).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
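A small lint that checks an oozie-site.xml for the two authorization pitfalls raised in the issue: the deprecated `security.enabled` key (which shadows the new key until it is deleted), and authorization enabled while authentication is still pseudo/simple. This is an added example, not Oozie project code; it assumes the standard `oozie.authentication.type` key (not quoted in the issue), and the two XML documents are constructed samples.

```python
import xml.etree.ElementTree as ET

DEPRECATED = "oozie.service.AuthorizationService.security.enabled"
CURRENT = "oozie.service.AuthorizationService.authorization.enabled"
AUTH_TYPE = "oozie.authentication.type"  # standard Oozie key; assumed, not quoted in the issue


def parse_hadoop_xml(text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def lint_authz(props):
    """Return a list of findings; an empty list means no problem was found."""
    findings = []
    if DEPRECATED in props:
        msg = f"{DEPRECATED} is deprecated; use {CURRENT}"
        if CURRENT in props:
            msg += " (both set: delete the deprecated one so the new one takes effect)"
        findings.append(msg)
    # The deprecated key still governs the setting while it is present.
    enabled = props.get(CURRENT, props.get(DEPRECATED, "false")).lower() == "true"
    auth_type = props.get(AUTH_TYPE, "simple").lower()
    if enabled and auth_type != "kerberos":
        findings.append(
            f"authorization is enabled but {AUTH_TYPE}={auth_type}: with pseudo/simple "
            "authentication any client can claim any user name, so the check is not meaningful")
    return findings


# Constructed sample: deprecated key plus simple authentication (both pitfalls).
SAMPLE_BAD = """<configuration>
  <property><name>oozie.service.AuthorizationService.security.enabled</name><value>true</value></property>
  <property><name>oozie.authentication.type</name><value>simple</value></property>
</configuration>"""

# Constructed sample: corrected configuration.
SAMPLE_GOOD = """<configuration>
  <property><name>oozie.service.AuthorizationService.authorization.enabled</name><value>true</value></property>
  <property><name>oozie.authentication.type</name><value>kerberos</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, doc in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, lint_authz(parse_hadoop_xml(doc)) or ["ok"])
```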