ambari-dev mailing list archives

From "Jeff Sposetti (JIRA)" <>
Subject [jira] [Created] (AMBARI-11437) Improve Ambari LDAP user login process
Date Wed, 27 May 2015 17:47:17 GMT
Jeff Sposetti created AMBARI-11437:

             Summary: Improve Ambari LDAP user login process
                 Key: AMBARI-11437
             Project: Ambari
          Issue Type: Improvement
          Components: ambari-server
    Affects Versions: 1.7.0
            Reporter: Jeff Sposetti

Most enterprise users handle entitlements through LDAP groups. In order to gain access to
enterprise resources, users request to become a member of a group, and once added, the assumption
is that access is granted immediately.

In Ambari today a user may become a member of Group "HDPAdmins" at 10:00am in LDAP, but will
not have access to their authorized views and capabilities within Ambari until the LDAP sync
process is run.

I'm proposing that we allow a step during the LDAP user login to query for the list of groups
that user is a member of, and if they are a member of a previously sync'd group (as part of
the LDAP query result), but the Ambari Server doesn't see them as a member of a group, we
then should add them and give them access to what they're authorized to see.

The same goes for users leaving groups. If during login we identify that the user is no longer
a member of a group we had sync'd and thought they were a member of, we should remove them
and not grant them access.

Most enterprises want to sync a handful of groups used for authorization, and a handful
of individual users. This feature would allow their users to have instant access to authorized
content in Ambari without having to run the LDAP sync process. As soon as a user becomes a
member of a group in LDAP, they can consume the Ambari content that that group membership
entitles them to see as soon as they log in.

This message was sent by Atlassian JIRA
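
The login-time reconciliation proposed in the message above, sketched as an added example; it is not code from Ambari or from the issue reporter. All function and field names are hypothetical, and two behaviours are assumptions the message does not specify: group names are compared case-insensitively, and a failed LDAP group lookup aborts reconciliation instead of being treated as "no groups".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ReconcileResult:
    added: frozenset      # synced groups the user just joined in LDAP
    removed: frozenset    # synced groups the user has left in LDAP
    effective: frozenset  # memberships the server should hold after login


def _norm(names):
    # Assumption: group names match case-insensitively, so compare lowercased.
    return {n.strip().lower() for n in names}


def reconcile_on_login(ldap_groups, synced_groups, current_memberships):
    """Bring one user's memberships in line with LDAP at login time.

    ldap_groups         -- groups the LDAP query returned for this user,
                           or None if the lookup failed
    synced_groups       -- LDAP groups previously synced into the server
    current_memberships -- groups the server lists for the user now
                           (may include local, non-LDAP groups)
    """
    if ldap_groups is None:
        # Assumption: a failed lookup is not the same as an empty result.
        # Acting on it would either strip valid access or keep stale access,
        # so the caller decides (for example, by rejecting the login).
        raise LookupError("LDAP group lookup failed; memberships unchanged")

    ldap = _norm(ldap_groups)
    synced = _norm(synced_groups)
    current = _norm(current_memberships)

    # Only previously synced groups take part; login never creates groups.
    entitled = ldap & synced
    # Memberships that originate from LDAP sync; local groups stay untouched.
    managed = current & synced

    added = entitled - managed
    removed = managed - entitled
    effective = (current - removed) | added
    return ReconcileResult(frozenset(added), frozenset(removed),
                           frozenset(effective))


if __name__ == "__main__":
    # Constructed sample: user joined HDPAdmins and left Analysts in LDAP.
    print(reconcile_on_login(["hdpadmins", "Everyone"],
                             {"HDPAdmins", "Analysts"},
                             {"Analysts", "local-ops"}))
```

Groups the user holds in LDAP that were never synced ("Everyone" in the sample) are ignored, so login cannot widen the set of groups that carry authorization.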
