ambari-dev mailing list archives

From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-11350) Finer-grained role AuthZ for Ambari Users
Date Tue, 10 Nov 2015 02:05:10 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-11350?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Levas updated AMBARI-11350:
----------------------------------
    Attachment: AmbariRole-basedAccessControl.pdf

> Finer-grained role AuthZ for Ambari Users
> -----------------------------------------
>
>                 Key: AMBARI-11350
>                 URL: https://issues.apache.org/jira/browse/AMBARI-11350
>             Project: Ambari
>          Issue Type: Epic
>          Components: ambari-server
>    Affects Versions: 2.0.0
>            Reporter: Jeff Sposetti
>            Assignee: Robert Levas
>              Labels: permissions, rbac, roles
>         Attachments: AmbariRole-basedAccessControl.pdf
>
>
> Ambari currently integrates with external authentication systems and is able to authenticate users using enterprise-wide LDAP systems, such as Active Directory, OpenLDAP, and Apache Directory Service. However, more flexibility is now needed to allow for those authenticated users to be segmented into more granular roles. These roles allow Ambari-level administrators to create different levels of cluster-level administrators to manage certain administrative operations that need to be performed on a cluster. This effectively spreads out the responsibilities of managing a cluster while not handing over total control of the Ambari management facility.

> Ambari to provide role-based access controls beyond today's Ambari Admin, Operator and Read-Only permissions.
> || Role || Description ||
> | *Cluster User* (was Read-only) | This exists as of Ambari 1.7.0. Read-only view of cluster information, including configurations, service status and health alerts |
> | *Service Operator* | Provides control of service lifecycle (start/stop/restart/decomm/recom) |
> | *Service Administrator* | Service Operator + ability to re-configure (change/compare/revert), configure HA |
> | *Cluster Operator* | Service Administrator + add/remove hosts and components (for existing services) |
> | *Cluster Administrator* | Cluster Operator + enable/disable Kerberos, modify alerts, add service, perform upgrade (renamed from Operator) |
> | Administrator | This exists as of Ambari 1.7.0. Full cluster control + manage user, groups and views and this flag is applicable to any user regardless of Role |
> Each role is to have permissions as shown below:
> || || Cluster\\User || Service\\Operator || Service\\Administrator || Cluster\\Operator || Cluster\\Administrator || Administrator ||
> ||Service-level Permissions||
> |View metrics                  |(+)|(+)|(+)|(+)|(+)|(+)|
> |View status information       |(+)|(+)|(+)|(+)|(+)|(+)|
> |View configurations           |(+)|(+)|(+)|(+)|(+)|(+)|
> |Compare configurations        |(+)|(+)|(+)|(+)|(+)|(+)|
> |View alerts        |(+)|(+)|(+)|(+)|(+)|(+)|
> |Start/Stop/Restart Service    |   |(+)|(+)|(+)|(+)|(+)|
> |Decommission/recommission     |   |(+)|(+)|(+)|(+)|(+)|
> |Run service checks            |   |(+)|(+)|(+)|(+)|(+)|
> |Turn on/off maintenance mode  |   |(+)|(+)|(+)|(+)|(+)|
> |Perform service-specific tasks|   |(+)|(+)|(+)|(+)|(+)|
> |Modify configurations         |   |   |(+)|(+)|(+)|(+)|
> |Manage configuration groups   |   |   |(+)|(+)|(+)|(+)|
> |Move to another host          |   |   |(+)|(+)|(+)|(+)|
> |Enable/disable alerts          |   |   |(+)|(+)|(+)|(+)|
> |Enable HA                     |   |   |(+)|(+)|(+)|(+)|
> |Add Service to cluster        |   |   |   |   |(+)|(+)|
> ||*Host-level Permissions*||
> |View metrics                  |(+)|(+)|(+)|(+)|(+)|(+)|
> |View status information       |(+)|(+)|(+)|(+)|(+)|(+)|
> |View configuration            |(+)|(+)|(+)|(+)|(+)|(+)|
> |Turn on/off maintenance mode  |   |   |   |(+)|(+)|(+)|
> |Install components            |   |   |   |(+)|(+)|(+)|
> |Add/Delete hosts              |   |   |   |(+)|(+)|(+)|
> ||Cluster-level Permissions||
> |View metrics                  |(+)|(+)|(+)|(+)|(+)|(+)|
> |View status information       |(+)|(+)|(+)|(+)|(+)|(+)|
> |View configuration            |(+)|(+)|(+)|(+)|(+)|(+)|
> |View stack version details    |(+)|(+)|(+)|(+)|(+)|(+)|
> |View alerts                   |(+)|(+)|(+)|(+)|(+)|(+)|
> |Enable/disable alerts         |   |   |   |   |(+)|(+)|
> |Enable/disable Kerberos       |   |   |   |   |(+)|(+)|
> |Upgrade/downgrade stack       |   |   |   |   |(+)|(+)|
> ||Ambari-level Permissions||
> |Create new clusters           |   |   |   |   |   |(+)|
> |Set service users and groups  |   |   |   |   |   |(+)|
> |Rename clusters               |   |   |   |   |   |(+)|
> |Manage users                  |   |   |   |   |   |(+)|
> |Manage groups                 |   |   |   |   |   |(+)|
> |Manage Ambari Views           |   |   |   |   |   |(+)|
> |Assign permissions/roles      |   |   |   |   |   |(+)|
> |Manage stack versions         |   |   |   |   |   |(+)|
> |Edit stack repository URLs    |   |   |   |   |   |(+)|



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
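
The permission matrix in the message above is cumulative: each role to the right holds everything the role to its left holds. The following is an added example, not part of the original message and not Ambari code, that parses rows in the matrix's JIRA wiki format and flags any row that breaks that rule. The function names and the sample subset of rows are assumptions made for illustration.

```python
# Role columns, least to most privileged, in the order the matrix lists them.
ROLES = ["Cluster User", "Service Operator", "Service Administrator",
         "Cluster Operator", "Cluster Administrator", "Administrator"]

# Constructed sample: a subset of rows taken from the matrix in the message.
MATRIX = """\
||Service-level Permissions||
|View metrics                  |(+)|(+)|(+)|(+)|(+)|(+)|
|Start/Stop/Restart Service    |   |(+)|(+)|(+)|(+)|(+)|
|Modify configurations         |   |   |(+)|(+)|(+)|(+)|
|Add Service to cluster        |   |   |   |   |(+)|(+)|
||*Host-level Permissions*||
|View metrics                  |(+)|(+)|(+)|(+)|(+)|(+)|
|Add/Delete hosts              |   |   |   |(+)|(+)|(+)|
||Cluster-level Permissions||
|Enable/disable Kerberos       |   |   |   |   |(+)|(+)|
||Ambari-level Permissions||
|Manage users                  |   |   |   |   |   |(+)|
"""

def parse_matrix(text):
    """Return {role: {(level, permission), ...}} from JIRA wiki table rows."""
    grants = {role: set() for role in ROLES}
    level = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("||"):  # section header, e.g. ||Host-level Permissions||
            level = line.strip("|* ").replace(" Permissions", "")
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != len(ROLES) + 1:
            raise ValueError(f"malformed row: {raw!r}")
        # Key on (level, name): "View metrics" exists at several levels.
        for role, mark in zip(ROLES, cells[1:]):
            if mark == "(+)":
                grants[role].add((level, cells[0]))
    return grants

def privilege_inversions(grants):
    """List permissions a role holds that the next-higher role lacks."""
    return [(low, high, perm)
            for low, high in zip(ROLES, ROLES[1:])
            for perm in sorted(grants[low] - grants[high])]

def is_authorized(grants, role, level, permission, is_admin=False):
    """Deny by default; the Administrator flag applies regardless of role."""
    effective = "Administrator" if is_admin else role
    return (level, permission) in grants.get(effective, set())
```

Running `privilege_inversions` over the full matrix whenever it is edited catches a row where a lower role was granted something its successor was not.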