Secure Oozie POST/PUT Request Payload Size Restriction

With one exception there are no know size limits for requests or responses payloads that pass through the gateway. The exception involves POST or PUT request payload sizes for Oozie in a Kerberos secured Hadoop cluster. In this one case there is currently a 4Kb payload size limit for the first request made to the Hadoop cluster. This is a result of how the gateway negotiates a trust relationship between itself and the cluster via SPNego. There is an undocumented configuration setting to modify this limit's value if required. In the future this will be made more easily configuration and at that time it will be documented.

LDAP Groups Acquisition

The LDAP authenticator currently does not “out of the box” support the acquisition of group information. This can be addressed by implementing a custom Shiro Realm extension. Building this into the default implementation is on the roadmap.

Group Membership Propagation

Groups that are acquired via Identity Assertion Group Principal Mapping are not propigated to the Hadoop services. Therefore groups used for Service Level Authorization policy may not match those acquired within the cluster via GroupMappingServiceProvider plugins.