ambari-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-16247) Authorizations given to role-based principals must be dereferenced upon user login
Date Wed, 08 Jun 2016 15:55:21 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-16247?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Robert Levas updated AMBARI-16247:
----------------------------------
    Resolution: Fixed
        Status: Resolved  (was: Patch Available)

Committed to trunk
{noformat}
commit 8c1564e083169196cf53b8c1a570bcf3c5f65e68
Author: Robert Levas <rlevas@hortonworks.com>
Date:   Wed Jun 8 11:52:01 2016 -0400
{noformat}

Committed to branch-2.4
{noformat}
commit 6ffa3f8fa86b258e09cf83c91b7dbe650c3ea41e
Author: Robert Levas <rlevas@hortonworks.com>
Date:   Wed Jun 8 11:53:04 2016 -0400
{noformat}


> Authorizations given to role-based principals must be dereferenced upon user login
> ----------------------------------------------------------------------------------
>
>                 Key: AMBARI-16247
>                 URL: https://issues.apache.org/jira/browse/AMBARI-16247
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.4.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: rbac
>             Fix For: 2.4.0
>
>         Attachments: AMBARI-16247_branch-2.4_01.patch, AMBARI-16247_trunk_01.patch
>
>
> Authorizations given to role-based principals must be dereferenced upon user login. 
These authorizations are dynamically determined based on the user's set of roles.  
> In {{org.apache.ambari.server.security.authorization.AmbariLocalUserDetailsService#loadUserByUsername}},
the set of {{GrantedAuthorities}} the authenticated user is calculated.  During this process,
using the set of {{cluster-level roles}} a user is granted, any permissions given to matching
role-based principals should be given to the user. 
> This essentially work like giving privileges to a group of users calculated at runtime.

> A use-case to support the need for this is to assign access to a view to all users with
some specific role. Currently we can assign access to a view to a specific user or group by
assigning that user or group the {{VIEW.USER}} role applied to the specific view.  To assign
access a view to users who have a specific role, a {{role}} will need to behave like a {{principal}}.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message