Mailing-List: contact dev-help@ambari.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@ambari.apache.org
Date: Sat, 13 Feb 2016 02:23:18 +0000 (UTC)
From: "Tuong Truong (JIRA)" <jira@apache.org>
To: dev@ambari.apache.org
Message-ID: <JIRA.12938992.1455329336000.44224.1455330198157@Atlassian.JIRA>
In-Reply-To: <JIRA.12938992.1455329336000@Atlassian.JIRA>
References: <JIRA.12938992.1455329336000@Atlassian.JIRA>
 <JIRA.12938992.1455329336140@arcas>
Subject: [jira] [Updated] (AMBARI-15039) Support PAM authentication and Only
 group base authoritzation in Ambari
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit


     [ https://issues.apache.org/jira/browse/AMBARI-15039?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tuong Truong updated AMBARI-15039:
----------------------------------
    Description: 
Currently, Ambari user authentication is done via 2 modes:

1.  Ambari defined users (not necessarily local OS users) 
2.  LDAP users whose group and users have to be imported into Ambari

In both cases,  Ambari predefines the "admin" user that has admin role which is used for managing Ambari cluster and Ambari users.  Furthermore, Ambari maintains a separate user database independent of any other user directory such as the /etc/passwd file.  Even with LDAP integration, Ambari requires synching with the LDAP server users into Ambari's database.    Ambari's maintenance of this private user database is problematic especially  in a large enterprise environment where user management is often done thru group membership as employees change roles frequently. 

In this JIRA, we propose a two-prongs approach to simplify and enable enterprise class authentication support in Ambari.   In this proposal,  Ambari will provide support for PAM authentication, and in this PAM mode, it will no longer track individual Ambari users in its own database.  Ambari will only track groups and manage access control by granting access to groups.  When a user attemp to log in,  Ambari will authenticate the user via PAM.  Once authenticated, it will determine the group(s) that the user belong thru.   It then grants user permission based on the group information retrieved from PAM.

With PAM, LDAP can also be enabled via PAM-LDAP and  customer will no longer need to perform any synching action.


  was:
Currently, Ambari user authentication is done via 2 modes:

1.  Ambari defined users (not necessarily local OS users) 
2.  LDAP users whose group and users have to be imported into Ambari

In both cases,  Ambari predefines the "admin" user that has admin role which is used for managing Ambari cluster and Ambari users.  Furthermore, Ambari maintains a separate user database independent of any other user directory such as the /etc/passwd file.  Even with LDAP integration, Ambari requires synching with the LDAP server users into Ambari's database.    Ambari's maintenance of this private user database is problematic especially  in a large enterprise environment where user management is often done thru group membership as employees change roles frequently. 

In this JIRA, we propose a two-prong approach to simplify and enable enterprise class authentication support in Ambari.   In this proposal,  Ambari will provide support for PAM authentication, and in this PAM mode, it will no longer track individual Ambari users in its own database.  Ambari will only track groups and manage access control by granting access to groups.  When a user attemp to log in,  Ambari will authenticate the user via PAM.  Once authenticated, it will determine the group(s) that the user belong thru.   It then grants user permission based on the group information retrieved from PAM.

With PAM, LDAP can also be enabled via PAM-LDAP and  customer will no longer need to perform any synching action.


> Support PAM authentication and Only group base authoritzation in Ambari
> -----------------------------------------------------------------------
>
>                 Key: AMBARI-15039
>                 URL: https://issues.apache.org/jira/browse/AMBARI-15039
>             Project: Ambari
>          Issue Type: Epic
>          Components: ambari-server
>    Affects Versions: 2.1.0, 2.2.0
>            Reporter: Tuong Truong
>              Labels: security-groups
>
> Currently, Ambari user authentication is done via 2 modes:
> 1.  Ambari defined users (not necessarily local OS users) 
> 2.  LDAP users whose group and users have to be imported into Ambari
> In both cases,  Ambari predefines the "admin" user that has admin role which is used for managing Ambari cluster and Ambari users.  Furthermore, Ambari maintains a separate user database independent of any other user directory such as the /etc/passwd file.  Even with LDAP integration, Ambari requires synching with the LDAP server users into Ambari's database.    Ambari's maintenance of this private user database is problematic especially  in a large enterprise environment where user management is often done thru group membership as employees change roles frequently. 
> In this JIRA, we propose a two-prongs approach to simplify and enable enterprise class authentication support in Ambari.   In this proposal,  Ambari will provide support for PAM authentication, and in this PAM mode, it will no longer track individual Ambari users in its own database.  Ambari will only track groups and manage access control by granting access to groups.  When a user attemp to log in,  Ambari will authenticate the user via PAM.  Once authenticated, it will determine the group(s) that the user belong thru.   It then grants user permission based on the group information retrieved from PAM.
> With PAM, LDAP can also be enabled via PAM-LDAP and  customer will no longer need to perform any synching action.


--
This message was sent by Atlassian JIRA
(v6.3.4#6332)