Details
- Improvement
- Status: Open
- Major
- Resolution: Unresolved
- 5.0.0b1
Description
Authentication
The documentation of Oozie authentication is slightly incorrect.
Pseudo/simple authentication requires the user to specify the user name on the request; this is done by the PseudoAuthenticator class by injecting the user.name parameter in the query string of all requests. The user.name parameter value is taken from the client process Java System property user.name.
Actually, when someone performs an Oozie operation using the CLI, a Hadoop auth token is created and saved to ~/.oozie-auth-token. In subsequent actions, the token is retrieved from this cache file (until the token has expired). In other words, passing user.name as a system property to the Oozie CLI in an insecure environment (or using kinit -kt in a Kerberized cluster) has no effect if .oozie-auth-token is present in the user's home directory and the token is still valid.
With the simple authentication type, pseudo/simple authentication is used. However, in an insecure environment I tested with Hadoop 2.4 (the default Hadoop version) that KerberosAuthenticator returns a null token. In turn, admin operations cannot be used if there is no ~/.oozie-auth-token with a valid token. Note: this was fixed by HADOOP-11467.
Authorization
Regarding authorization configuration, the current documentation mentions a deprecated configuration property, oozie.service.AuthorizationService.security.enabled. If a user specifies it, the following warning is logged in the Oozie server log.
2017-05-02 03:30:59,578 WARN org.apache.oozie.util.ConfigUtils: SERVER[myserver.com] Using a deprecated configuration property [oozie.service.AuthorizationService.security.enabled], should use [oozie.service.AuthorizationService.authorization.enabled]. Please delete the deprecated property in order for the new property to take effect.
oozie.service.AuthorizationService.authorization.enabled should be used.
Oozie authorization only makes sense if authentication (Kerberos) is enabled. Otherwise any user can claim any identity (as the "simple" authentication type uses pseudo authentication).
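An added example (not part of this issue or of the Oozie code base) that checks both points described above: it reads the user and expiry out of a cached ~/.oozie-auth-token string to show which identity the CLI will actually reuse, and audits an oozie-site.xml fragment for the deprecated property and for authorization enabled without Kerberos. It assumes the Hadoop AuthenticationToken string layout u=...&p=...&t=...&e=...&s=... and the Oozie property oozie.authentication.type, neither of which is quoted in the issue itself.

```python
import time
import xml.etree.ElementTree as ET

DEPRECATED = "oozie.service.AuthorizationService.security.enabled"
CURRENT = "oozie.service.AuthorizationService.authorization.enabled"
AUTH_TYPE = "oozie.authentication.type"  # Oozie property; assumed, not quoted in the issue


def parse_auth_token(text, now_ms=None):
    """Parse a cached ~/.oozie-auth-token string.

    Assumed layout (Hadoop AuthenticationToken): u=<user>&p=<principal>&t=<type>&e=<expiry ms>&s=<sig>.
    While 'valid' is True the CLI reuses this token, so user.name / kinit have no effect."""
    fields = dict(part.split("=", 1) for part in text.strip().split("&") if "=" in part)
    expires_ms = int(fields.get("e", "0"))
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    return {"user": fields.get("u"), "type": fields.get("t"),
            "expires_ms": expires_ms, "valid": expires_ms > now_ms}


def audit_oozie_site(xml_text):
    """Return a list of findings for a Hadoop-style <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name, value = prop.findtext("name"), prop.findtext("value")
        if name is not None:
            props[name.strip()] = (value or "").strip()
    findings = []
    if DEPRECATED in props:
        findings.append(f"deprecated {DEPRECATED} is set; use {CURRENT} and delete the old key")
    # Per the server warning, the deprecated key wins while it is present.
    authz_on = props.get(DEPRECATED, props.get(CURRENT, "false")).lower() == "true"
    if authz_on and props.get(AUTH_TYPE, "simple").lower() != "kerberos":
        findings.append("authorization enabled but authentication type is not kerberos; "
                        "with simple/pseudo auth any user can claim any identity")
    return findings


# Constructed sample input: a token for 'alice' expiring in the year 2100, and a
# misconfigured site file (simple auth plus the deprecated authorization key).
SAMPLE_TOKEN = "u=alice&p=alice&t=simple&e=4102444800000&s=c2lnbmF0dXJl"
SAMPLE_SITE = """<configuration>
  <property><name>oozie.authentication.type</name><value>simple</value></property>
  <property><name>oozie.service.AuthorizationService.security.enabled</name><value>true</value></property>
</configuration>"""

if __name__ == "__main__":
    print(parse_auth_token(SAMPLE_TOKEN))
    for finding in audit_oozie_site(SAMPLE_SITE):
        print("WARN:", finding)
```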