Add a config option to block the Oozie server port
Oozie workflows may sometimes contain sensitive information in the form of arguments or configuration parameters to jobs.
Quoting the docs, Oozie does not screen jobs by user. All users can read all jobs:
"Oozie has a basic authorization model:
Users have read access to all jobs
Users have write access to their own jobs
Users have write access to jobs based on an Access Control List (list of users and groups)
Users have read access to admin operations
Admin users have write access to all jobs
Admin users have write access to admin operations
If security is disabled all users are admin users."
http://
Oozie can support kerberos authentication, or custom authentication, but even so users' jobs will be readable by all users.
This is a proposal to protect against exposure of sensitive config/arg values by blocking access to the Oozie server via iptables. Essentially, all access to the Oozie server via the web UI or the client would be limited to acccess from the localhost where the Oozie server is running, or the Sahara host. This would prevent anyone else from accessing the workflows through the Oozie interfaces.
The option to block the Oozie server port(s) would be off by default. Turing it on would cause the addition of iptable entries on the Oozie server host during cluster creation.
Pros for this solution:
* simple
* lightweight
* quick to implement
* doesn't handcuff Sahara to a solution in the future
* easily adjusted by admins. In fact, a documentation-only fix is possible (just make admins aware of the issue and let them set up the firewall)
(spec in progress)
Blueprint information
- Status:
- Complete
- Approver:
- Sergey Lukjanov
- Priority:
- Undefined
- Drafter:
- Trevor McKay
- Direction:
- Needs approval
- Assignee:
- None
- Definition:
- Obsolete
- Series goal:
- None
- Implementation:
- Unknown
- Milestone target:
- None
- Started by
- Completed by
- Telles Mota Vidal Nóbrega
Related branches
Related bugs
Sprints
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Add a config option to block the Oozie server port