Created on 04-27-2016 03:05 AM - edited 08-17-2019 12:40 PM
Falcon by default comes with authorization turned off.
To turn it on, set the following through the Ambari Falcon config:
- *.falcon.security.authorization.enabled = true
- *.falcon.security.authorization.superusergroup = <linux group>
- In my example I am using the Linux group "users"
In my example oozie, ambari-qa, tez, falcon, hue, and guest are in the group "users". The purpose of this group is to allow only users within this group to view, edit, and delete each other's material. Any user outside this group should not have access.
Now logging in as falcon, who is part of the users group:
User falcon has created a cluster "authTest" and a feed "feed1". Let's view it:
Great, so falcon can see the feed and cluster. Now let's go in with user hdfs, who is NOT part of group users.
Logged in as user hdfs, who is NOT part of group users. This user will do a simple search for every cluster/feed entity which exists in Falcon.
So the hdfs user's search does not return anything since the user is not allowed. Now let's log in with user tez, who IS part of group users.
User tez will do a simple search for every cluster/feed entity which exists in Falcon.
As you can see, tez is able to view what user falcon created since they are part of the same group. User hdfs was not, since it is not part of the same group.