ambari-issues mailing list archives

From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-16246) Allow roles to be treated like principals in Ambari DB
Date Thu, 05 May 2016 12:20:12 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-16246?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Levas updated AMBARI-16246:
----------------------------------
    Attachment:     (was: AMBARI-16224_trunk_01.patch)

> Allow roles to be treated like principals in Ambari DB
> ------------------------------------------------------
>
>                 Key: AMBARI-16246
>                 URL: https://issues.apache.org/jira/browse/AMBARI-16246
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: rbac
>             Fix For: 2.4.0
>
>
> To support assigning privileges to users based on their roles, provide support in the Ambari database to allow a {{role}} to be referenced as a {{principal}}, similar to the way a {{user}} and a {{group}} are referenced as a {{principal}}.
> A use-case to support the need for this is to assign access to a view to all users with some specific role. Currently we can assign access to a view to a specific user or group by assigning that user or group the {{VIEW.USER}} role applied to the specific view.  To assign access to a view to users who have a specific role, a {{role}} will need to behave like a {{principal}}.
> The following changes need to be made to the database:
> * Add {{principal_id}} column to the {{adminpermission}} table
> * Create a {{principaltype}} record where the {{principal_type_name}} is '{{ROLE}}'
> * Add records to the {{adminprincipal}} table to represent each role in {{adminpermission}}
> * Update {{adminpermission.principal_id}} to match the relevant records from {{adminprincipal}}
> After this is complete, {{adminprivilege}} records can be created using roles as principals.

> NOTE: special handling will need to be done in the authorization logic to dereference the role associations with the authenticated user, similar to the way this is done for groups.




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
