ambari-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Created] (AMBARI-16247) Authorizations given to role-based principals must be dereferenced upon user login
Date Wed, 04 May 2016 12:33:12 GMT
Robert Levas created AMBARI-16247:
-------------------------------------

             Summary: Authorizations given to role-based principals must be dereferenced upon
user login
                 Key: AMBARI-16247
                 URL: https://issues.apache.org/jira/browse/AMBARI-16247
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
    Affects Versions: 2.4.0
            Reporter: Robert Levas
            Assignee: Robert Levas
             Fix For: 2.4.0


Authorizations given to role-based principals must be dereferenced upon user login.  These
authorizations are dynamically determined based on the user's set of roles.  

In {{org.apache.ambari.server.security.authorization.AmbariLocalUserDetailsService#loadUserByUsername}},
the set of {{GrantedAuthorities}} the authenticated user is calculated.  During this process,
using the set of {{cluster-level roles}} a user is granted, any permissions given to matching
role-based principals should be given to the user. 

This essentially work like giving privileges to a group of users calculated at runtime. 

A use-case to support the need for this is to assign access to a view to all users with some
specific role. Currently we can assign access to a view to a specific user or group by assigning
that user or group the {{VIEW.USER}} role applied to the specific view.  To assign access
a view to users who have a specific role, a {{role}} will need to behave like a {{principal}}.




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message