Thanks Attila, it works like a charm. Pierre
2018-02-21 17:29 GMT+01:00 Attila Sasvari <asasv...@cloudera.com>: > Hi there, > > Oozie has a basic authorization model: > > - Users have read access to all jobs > - Users have write access to their own jobs > - Users have write access to jobs based on an Access Control List (list > of users and groups) > - Users have read access to admin operations > - Admin users have write access to all jobs > - Admin users have write access to admin operations > > If security is disabled all users are admin users. > > Oozie security is set via the following configuration property (default > value shown): > > oozie.service.AuthorizationService.security.enabled=false > > NOTE: the old ACL model where a group was provided is still supported if > the following property is set in oozie-site.xml : > > oozie.service.AuthorizationService.default.group.as.acl=true > > So you can define Oozie ACL-s similar to Hadoop ACLs using oozie.job.acl > property in your workflows' configuration . > > For more information: > - > https://oozie.apache.org/docs/4.3.0/WorkflowFunctionalSpec. > html#a6_User_Propagation > - > https://oozie.apache.org/docs/4.3.0/AG_Install.html#Oozie_ > Hadoop_Authentication_Configuration > - Hadoop security by Ben Spivey & Joey Echeverria (book published by > O'Reilly Media) > > On Wed, Feb 21, 2018 at 9:46 AM, Pierre Villard < > pierre.villard...@gmail.com > > wrote: > > > Hi, > > > > Wondering if there is a way to define ACLs so that a user can > > start/stop/kill a workflow launched by another user (in kerberized > > cluster)? > > > > The use case is the following: users a, b and c are working on a project > X > > and a business user has been created for project A. This business user is > > used to launch the workflow. Problem is: users are connecting to Hue as > a, > > b, or c and they are not able to control the workflow. Is there a way to > > say, for example, that if a user belongs to the same LDAP group as the > > business user, the user is allowed to stop a workflow? > > > > Thanks > > > > > > -- > -- > Attila Sasvari > Software Engineer > <http://www.cloudera.com/> >
