ambari-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Levas (JIRA)" <>
Subject [jira] [Created] (AMBARI-16246) Allow roles to be treated like principals in Ambari DB
Date Wed, 04 May 2016 12:19:12 GMT
Robert Levas created AMBARI-16246:

             Summary: Allow roles to be treated like principals in Ambari DB
                 Key: AMBARI-16246
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
            Reporter: Robert Levas
            Assignee: Robert Levas
             Fix For: 2.4.0

To support assigning privileges to users based on their roles provide support in the Ambari
database to allow a {{role}} to be referenced as a {{principal}} similar in the way a {{user}}
and a {{group}} a referenced as a {principal}}.

A use-case to support the need for this is to assign access to a view to all users with some
specific role. Currently we can assign access to a view to a specific user or group by assigning
that user or group the {{VIEW.USER}} role applied to the specific view.  To assign access
a view to users who have a specific role, a {{role}} will need to behave like a {{principal}}.

The following changes need to be made to the database:

* Add {{principal_id}} column to the {{adminpermission}} table
* Create a {{principaltype}} record where the {{principal_type_name}} is '{{ROLE}}'
* Add records to the {{adminprincpal}} table to represent each role in {{adminpermission}}
* Update {{adminpermission.principal_id}} to match the relevant records from {{adminprincipal}}

After this is complete, {{adminprivilege}} records can be created using roles as principals.

NOTE: special handling will need to be done in the authorization logic to dereference the
role associations with the authenticated user, similar in the way this is done for groups.

This message was sent by Atlassian JIRA

View raw message