ambari-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Olivér Szabó (JIRA) <j...@apache.org>
Subject [jira] [Created] (AMBARI-19822) Add infra-solr-plugin for authorization (with Kerberos)
Date Wed, 01 Feb 2017 17:08:51 GMT
Olivér Szabó created AMBARI-19822:
-------------------------------------

             Summary: Add infra-solr-plugin for authorization (with Kerberos)
                 Key: AMBARI-19822
                 URL: https://issues.apache.org/jira/browse/AMBARI-19822
             Project: Ambari
          Issue Type: Bug
          Components: ambari-logsearch, ambari-server
    Affects Versions: 2.5.0
            Reporter: Olivér Szabó
            Assignee: Olivér Szabó
             Fix For: 2.5.0


Problem:
If an ambari cluster is secured and kerberos authentication is used for Solr, we need (default)
authorizations as well to make sure only the specific service users (ranger, atlas, logsearch)
can access their collections (and solr user as well)

Solution:
Although RuleBasedAuthorizationPlugin seems to be a good solution here, to map default users
to default permissions, unfortunately, permissions and roles using principal name for mapping
(not username) from the authentication tokens. Also Solr name rules applied on the username
and not on the principal, therefore we need the fully qualified hostname as well in the role-permission
mapping. In order to avoid that issue, I added an own plugin ({{org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin}}),
to map users with {{<name>@<DOMAIN>}} format.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message