falcon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Venkatesh Seetharam (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FALCON-11) Add support for security in Falcon
Date Fri, 24 May 2013 00:36:19 GMT

    [ https://issues.apache.org/jira/browse/FALCON-11?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13665877#comment-13665877

Venkatesh Seetharam commented on FALCON-11:

Update: the server starts up with keytabs and client is able to authenticate with spnego.

But, when I add a cluster entity, the NN principal isn't captured and hence throws an exception.
I think we need a credentials element to capture the principal information.

Cluster - needs NN principal
Process - needs both JT and NN principals? Since the oozie workflow is encoded, it might have
all the necessary principals.
Feed - does not need anything I suppose.

One way to avoid this is to use webhdfs for all fs operations. May be this can be enforced
for falcons ConfigStore but not for cluster entities as DistCp would bcome slow. How about
adding a global principal in startup as *.dfs.namenode.kerberos.principal=nn/_HOST@EXAMPLE.COM
and _HOST must be taken care of by the dfs client.

> Add support for security in Falcon
> ----------------------------------
>                 Key: FALCON-11
>                 URL: https://issues.apache.org/jira/browse/FALCON-11
>             Project: Falcon
>          Issue Type: Improvement
>    Affects Versions: 0.3
>            Reporter: Venkatesh Seetharam
>            Assignee: Venkatesh Seetharam
>              Labels: security
>             Fix For: 0.3
>   Original Estimate: 336h
>  Remaining Estimate: 336h
> The following is the break up of tasks for Falcon to be secure and work with secure Hadoop.
> 1. Secure Falcon daemon - needs to login with keytabs
> 2. Secure Hadoop client interface - HDFS
> 3. Secure Oozie client interface
> 4. Secure Falcon Web Interface
> 5. Secure Falcon Client Interface

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

View raw message