atlas-dev mailing list archives

From "Greg Senia (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (ATLAS-1508) Make AtlasADAuthenticationProvider like Ranger ADLdap Methods
Date Tue, 07 Feb 2017 19:26:42 GMT

    [ https://issues.apache.org/jira/browse/ATLAS-1508?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Greg Senia updated ATLAS-1508:
------------------------------
    Attachment:     (was: ATLAS-1508.2.patch)

> Make AtlasADAuthenticationProvider like Ranger ADLdap Methods
> -------------------------------------------------------------
>
>                 Key: ATLAS-1508
>                 URL: https://issues.apache.org/jira/browse/ATLAS-1508
>             Project: Atlas
>          Issue Type: Improvement
>          Components: atlas-webui
>    Affects Versions: 0.7-incubating, 0.7.1-incubating
>         Environment: Active Directory with Global Catalog
> HDP 2.5.3.x
>            Reporter: Greg Senia
>            Assignee: Nixon Rodrigues
>         Attachments: ATLAS-1508.patch
>
>
> After upgrading to HDP 2.5.3.x from HDP 2.4.x we noticed Kerberos authentication for the UI no longer works. So we switched to utilize Active Directory and noticed that with Active Directory it was attempting to use UPN, which is risky in a large Active Directory environment; instead samAccountName should be used, as in https://issues.apache.org/jira/browse/RANGER-457. I worked on a previous JIRA with Zeppelin, https://issues.apache.org/jira/browse/ZEPPELIN-1472. So this has been addressed in Knox, Ranger, and Zeppelin. I propose the attached fix to address this issue as the Ranger folks addressed this issue. Without this Atlas will not function in a large multi-forest Active Directory environment.
> Details behind this change:
> In our environment we attempted to use the ActiveDirectory and LDAP configuration but unfortunately those implementations do not support ADLDAP Global Catalog correctly. Also, searching on "userPrincipalName" is risky in an AD environment since the explicit UPN vs. implicit UPN can be different. And the LDAP userPrincipalName attribute is the explicit UPN, which can be defined by the directory administrator to any value and it can be duplicated. SamAccountName is unique per domain and Microsoft states best practice is to not allow duplicate samAccountNames in the forest. I have attached a working modified AtlasADAuthenticationProvider which works against samAccountName and global catalog for auth, as it is currently working against HDP 2.5.3.x and Atlas 0.7.x.
> Info about IUPN/EUPN
> http://windowsitpro.com/active-directory/q-does-samaccountname-object-have-be-unique-active-directory-domain-or-entire-fores
> https://jorgequestforknowledge.wordpress.com/2010/10/12/user-principal-names-in-ad-part-1/



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
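As an added illustration of the lookup problem the report describes (a constructed example, not Atlas code or the attached patch): an in-memory model of a forest in which the administrator-set explicit UPN has been duplicated across two domains, showing why a userPrincipalName search must refuse ambiguous matches while a domain-pinned sAMAccountName search resolves to exactly one object. The entries, domain names and helper names are assumptions; the filter builder also escapes the login per RFC 4515 so a login string cannot change the filter's structure.

```python
"""Model of the sAMAccountName-vs-UPN lookup problem described in ATLAS-1508.
Constructed example: the directory below is an in-memory stand-in for a
multi-domain forest queried through the Global Catalog; it is not Atlas code."""
from dataclasses import dataclass

# RFC 4515 escaping so a login name cannot alter the filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(attribute: str, login: str) -> str:
    """Search filter for a single user object by the given attribute."""
    return f"(&(objectClass=user)({attribute}={escape_filter_value(login)}))"

@dataclass(frozen=True)
class Entry:
    dn: str
    domain: str
    sAMAccountName: str
    userPrincipalName: str

# Constructed forest: the explicit UPN is administrator-settable and has been
# duplicated across two domains; sAMAccountName is unique within each domain.
FOREST = [
    Entry("CN=gsenia,OU=Users,DC=corp,DC=example", "CORP", "gsenia", "greg@example.com"),
    Entry("CN=gsenia,OU=Users,DC=lab,DC=example", "LAB", "gsenia", "greg@example.com"),
    Entry("CN=jdoe,OU=Users,DC=corp,DC=example", "CORP", "jdoe", "jdoe@corp.example"),
]

class AmbiguousUserError(LookupError):
    """More than one directory object matched the login; refuse to authenticate."""

def resolve_by_upn(login: str) -> Entry:
    matches = [e for e in FOREST if e.userPrincipalName == login]
    return _exactly_one(matches, login)

def resolve_by_sam(domain: str, login: str) -> Entry:
    # Ranger-style lookup: pin the domain (search base) and match sAMAccountName.
    matches = [e for e in FOREST if e.domain == domain.upper() and e.sAMAccountName == login]
    return _exactly_one(matches, login)

def _exactly_one(matches, login):
    if len(matches) > 1:
        raise AmbiguousUserError(f"{login!r} matched {len(matches)} objects")
    if not matches:
        raise LookupError(f"{login!r} not found")
    return matches[0]
```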
