[FALCON-1367] Improve the ACL handling in Falcon - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:
None

Description

Currently the ACL element is part of the entity and has the owner and group specified in it. The owner of the entity is used as the proxy user of the entity.

This seems problematic. We don't want to embed authorization of a resource inside a resource. Also, scheduling an entity by a user should be independent of the owner as whom it runs (The proxy user work that sowmyaramesh is adding a doAs capability)

Moving it out of the entity will allow authorization managers like Apache Ranger to manage the authorization of the entities.

We want to

deprecate the use of ACL inside the entity by making it optional
Allow the owner and group of an entity to be managed separately (either by Falcon or controlled via a plugin by Authorization managers)
Identity and fix the permission models (only superuser or owner can change permissions etc)

Attachments

Sub-Tasks

1.	Falcon allows change of entity owner by non-super user		Open	Unassigned
2.	Inconsistent behaviour of entity/instance operations regarding authorization		Open	Unassigned

Activity

People

Assignee:: Unassigned

Reporter:: Venkat Ranganathan

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 04/Aug/15 14:33

Updated:: 04/Aug/15 19:06