State

[progress record]:

Proposed time: 2022/03/01

Discussion time: 2022/04/01

Accept/Reject Time: 2022/04/30

Completion time: 2022/05/21

[issues]: 

[email]: At present, discussions must be initiated in the WeChat group [Apache Linkis Community Development Group], and the discussion minutes can be sent to the official Linkis dev mailing list.

[release]: linkis 1.1.2

[proposer]:

Motivation & Background

At present, when Linkis executes a task submitted by a user, the main Linkis process switches to the corresponding user through sudo -u ${submit user} and then runs the engine startup command. This requires that a system user be created in advance for each ${submit user} and that the relevant environment variables be configured. Every new user therefore needs a series of environment initialization steps. Frequent user changes increase operation and maintenance costs, and with so many users, resources cannot be configured per user and cannot be managed well. If login user A's tasks can be executed as a designated proxy user, the execution entry can be unified and the need to initialize an environment for each user goes away.

Basic concept

  • Login user: The user who logs in to the system directly with a user name and password
  • Proxy user: The user that actually performs operations on behalf of the login user; it carries out the login user's related operations


Expect to achieve goals

  • Login user A can choose a proxy user and decide which proxy user to proxy to
  • Login user A can delegate tasks to proxy user B for execution
  • When login user A is proxied to proxy user B, A can view B's execution records, task results and other data
  • A proxy user can act for multiple login users at the same time, but a login user can be associated with only one proxy user at a time

Implementation plan

  • Modify the cookie handling of the existing interfaces so that both the logged-in user and the proxy user can be parsed from the cookies
    Cookie key for the proxy user: linkis_user_session_proxy_ticket_id_v1
    Cookie key for the logged-in user: linkis_user_session_ticket_id_v1
  • The Linkis interfaces must identify the proxy user in addition to the UserName they already obtain, and use the proxy user to perform operations. They must also record an audit log covering the user's task execution and download operations
  • When a task is submitted for execution, the entry service must change the executing user to the proxy user.


Things to Consider & Note:

  • Users are divided into proxy users and non-proxy users. Can proxy users still perform proxy execution to other users?
  • The list of login users and system users that can be proxied must be controlled, so that arbitrary proxying is prohibited and permissions do not become uncontrollable. Ideally this is configured in database tables and changes take effect without restarting the service
  • Log files containing proxy user operations, such as proxy execution and function updates, are recorded separately. All proxy user operations of PublicService are logged to make auditing easy
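
A sketch of how the implementation plan and the allowlist and audit notes above fit together, added here as an example and not taken from the Linkis code base. It assumes both cookie values are opaque tickets resolved server-side; the session stores, the allowlist contents, the logger name and the function name are hypothetical.

```python
import logging
from http.cookies import SimpleCookie

LOGIN_COOKIE = "linkis_user_session_ticket_id_v1"
PROXY_COOKIE = "linkis_user_session_proxy_ticket_id_v1"

# Separate audit logger for proxy operations (hypothetical name).
audit = logging.getLogger("proxy.audit")

# Constructed sample data. Assumption: a ticket is an opaque id that the
# server maps to a user name; it is never trusted as a user name itself.
LOGIN_SESSIONS = {"t-login-a": "userA", "t-login-c": "userC"}
PROXY_SESSIONS = {"t-proxy-b": "hadoopB"}
# login user -> the single proxy user it may act as. In the proposal this
# would be a database table read per request, so edits apply without restart.
PROXY_ALLOWLIST = {"userA": "hadoopB"}


def resolve_execution_user(cookie_header, operation):
    """Return (login_user, execute_user) or raise PermissionError."""
    jar = SimpleCookie()
    jar.load(cookie_header)

    login_ticket = jar[LOGIN_COOKIE].value if LOGIN_COOKIE in jar else None
    login_user = LOGIN_SESSIONS.get(login_ticket)
    if login_user is None:
        raise PermissionError("no valid login session")

    # No proxy cookie: the task runs as the login user, as before.
    if PROXY_COOKIE not in jar:
        return login_user, login_user

    proxy_user = PROXY_SESSIONS.get(jar[PROXY_COOKIE].value)
    # Fail closed: an unknown or non-allowlisted proxy is rejected instead of
    # silently falling back to the login user.
    if proxy_user is None or PROXY_ALLOWLIST.get(login_user) != proxy_user:
        audit.warning("DENY op=%s login=%s proxy=%s",
                      operation, login_user, proxy_user)
        raise PermissionError("proxy not permitted for this login user")

    # The audit record keeps both identities so actions stay attributable.
    audit.info("ALLOW op=%s login=%s proxy=%s",
               operation, login_user, proxy_user)
    return login_user, proxy_user
```

Only resolved user names are written to the audit log, never the raw ticket values, so the log cannot be used to replay a session.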

Changes


Modification Detail

  1. Modification of maven module
  2. Modification of HTTP interface
  3. Modification of the client interface
  4. Modification of database table structure
  5. Modification of configuration item
  6. Modification of error code
  7. Modifications for third-party dependencies

Compatibility, Deprecation, and Migration Plan

  • What impact (if any) will there be on existing users?
  • If we are changing behavior, how will we phase out the older behavior?
  • If we require special migration tools, describe them here.
  • When will we remove the existing behavior?

