ambari-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-19822) Add infra-solr-plugin for authorization (with Kerberos)
Date Tue, 07 Feb 2017 13:55:42 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-19822?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15856026#comment-15856026
] 

Hudson commented on AMBARI-19822:
---------------------------------

SUCCESS: Integrated in Jenkins build Ambari-trunk-Commit #6660 (See [https://builds.apache.org/job/Ambari-trunk-Commit/6660/])
AMBARI-19822. Add infra-solr-plugin for authorization (with Kerberos) (oleewere: [http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=5ecc858fddfa26ef47129233f9fd5bbcb813ccfd])
* (add) ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java
* (edit) ambari-logsearch/ambari-logsearch-assembly/pom.xml
* (edit) ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2
* (add) ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java
* (edit) ambari-logsearch/pom.xml
* (add) ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraKerberosHostValidatorTest.java
* (edit) ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py
* (add) ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java
* (add) ambari-logsearch/ambari-infra-solr-plugin/pom.xml
* (add) ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java
* (edit) ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml
* (add) ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraKerberosHostValidator.java
* (edit) ambari-server/src/test/python/stacks/2.4/configs/default.json


> Add infra-solr-plugin for authorization (with Kerberos)
> -------------------------------------------------------
>
>                 Key: AMBARI-19822
>                 URL: https://issues.apache.org/jira/browse/AMBARI-19822
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-logsearch, ambari-server
>    Affects Versions: 2.5.0
>            Reporter: Olivér Szabó
>            Assignee: Olivér Szabó
>             Fix For: 2.5.0
>
>         Attachments: AMBARI-19822.patch
>
>   Original Estimate: 48h
>  Remaining Estimate: 48h
>
> Problem:
> If an ambari cluster is secured and kerberos authentication is used for Solr, we need
(default) authorizations as well to make sure only the specific service users (ranger, atlas,
logsearch) can access their collections (and solr user as well)
> Solution:
> Although RuleBasedAuthorizationPlugin seems to be a good solution here, to map default
users to default permissions, unfortunately, permissions and roles using principal name for
mapping (not username) from the authentication tokens. Also Solr name rules applied on the
username and not on the principal, therefore we need the fully qualified hostname as well
in the role-permission mapping. In order to avoid that issue, I added an own plugin ({{org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin}}),
to map users with {{<name>@<DOMAIN>}} format.
> Also we should keep the old behaviour of RuleBasedAuthorizationPlugin, so user can still
able to define user-role mappings with fully qualified names.
> In case of we need strict host validations i added 2 new json property for that:
> 1. { "user-host" : {"<username>" : [<hostnames array>]} }
> 2. {"user-host-regex" : {"<username>" : "hostname-regex"} }
> {{user-host-regex}} has higher precedence than {{user-host}}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message