[jira] [Commented] (AMBARI-11350) Finer-grained role AuthZ for Ambari Users

[Tuong Truong (JIRA)]

    [ 
https://issues.apache.org/jira/browse/AMBARI-11350?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14994031#comment-14994031
 ] 

Tuong Truong commented on AMBARI-11350:
---------------------------------------

[~sposetti], [~rlevas],  with the latest update, the admin and operator roles 
are still reversed.  Is this intentional?  This seems to be inconsistent with 
IT standard.

> Finer-grained role AuthZ for Ambari Users
> -----------------------------------------
>
>                 Key: AMBARI-11350
>                 URL: https://issues.apache.org/jira/browse/AMBARI-11350
>             Project: Ambari
>          Issue Type: Improvement
>          Components: ambari-server
>    Affects Versions: 2.0.0
>            Reporter: Jeff Sposetti
>            Assignee: Robert Levas
>
> Ambari currently integrates with external authentication systems and is able 
> to authenticate users using enterprise-wide LDAP systems, such as Active 
> Directory, OpenLDAP, and Apache Directory Service. However, more flexibility 
> is now needed to allow for those authenticated users to be segmented into 
> more granular roles.  These roles allow Ambari-level administrators to create 
> different levels of cluster-level administrators to manage certain 
> administrative operations that need to be performed on a cluster. This 
> effectively spreads out the responsibilities of managing a cluster while not 
> handing over total control of the Ambari management facility. 
> Ambari to provide role-based access controls beyond today's Ambari Admin, 
> Operator and Read-Only permissions.
> || Role || Description ||
> | View user | This exists as of Ambari 1.7.0. Able to use specific views|
> | Read-only | This exists as of Ambari 1.7.0. Read-only view of cluster 
> information, including configurations, service status and health alerts|
> | *Service Administrator* | Provides control of service lifecycle 
> (start/stop/restart/decomm/recom) |
> | *Service Operator* | Service Admin + ability to re-configure 
> (change/compare/revert), configure HA |
> | *Cluster Administrator* | Service Operator + add/remove hosts and 
> components (for existing services) |
> | *Cluster Operator* | Cluster Administrator + enable/disable kerberos, 
> modify alerts, add service, perform upgrade (renamed from Operator) |
> | Ambari Admin | This exists as of Ambari 1.7.0. Full cluster control + 
> manage user, groups and views and this flag is applicable to any user 
> regardless of Role |
> Each role is to have permissions as shown below:
> || ||View 
> User||Read-Only||Service\\Administrator||Service\\Operator||Cluster\\Administrator||Cluster\\Operator||Administrator||
> ||View-level Permissions||
> |View metrics                  |(+)|   |   |   |   |   |   |
> ||Service-level Permissions||
> |View metrics                  |   |(+)|(+)|(+)|(+)|(+)|(+)|
> |View status information       |   |(+)|(+)|(+)|(+)|(+)|(+)|
> |View configurations           |   |(+)|(+)|(+)|(+)|(+)|(+)|
> |Compare configurations        |   |(+)|(+)|(+)|(+)|(+)|(+)|
> |Start/Stop/Restart Service    |   |   |(+)|(+)|(+)|(+)|(+)|
> |Decommission/recommission     |   |   |(+)|(+)|(+)|(+)|(+)|
> |Run service checks            |   |   |(+)|(+)|(+)|(+)|(+)|
> |Turn on/off maintenance mode  |   |   |(+)|(+)|(+)|(+)|(+)|
> |Perform service-specific tasks|   |   |(+)|(+)|(+)|(+)|(+)|
> |Modify configurations         |   |   |   |(+)|(+)|(+)|(+)|
> |Manage configuration groups   |   |   |   |(+)|(+)|(+)|(+)|
> |Move to another host          |   |   |   |(+)|(+)|(+)|(+)|
> |Enable HA                     |   |   |   |(+)|(+)|(+)|(+)|
> |Add Service to cluster        |   |   |   |   |   |(+)|(+)|
> ||*Host-level Permissions*||
> |View metrics                  |   |(+)|(+)|(+)|(+)|(+)|(+)|
> |View status information       |   |(+)|(+)|(+)|(+)|(+)|(+)|
> |View configuration            |   |(+)|(+)|(+)|(+)|(+)|(+)|
> |Turn on/off maintenance mode  |   |   |   |   |(+)|(+)|(+)|
> |Install components            |   |   |   |   |(+)|(+)|(+)|
> |Add/Delete hosts              |   |   |   |   |(+)|(+)|(+)|
> ||Cluster-level Permissions||
> |View metrics                  |   |(+)|(+)|(+)|(+)|(+)|(+)|
> |View status information       |   |(+)|(+)|(+)|(+)|(+)|(+)|
> |View configuration            |   |(+)|(+)|(+)|(+)|(+)|(+)|
> |View stack version details    |   |(+)|(+)|(+)|(+)|(+)|(+)|
> |View alerts                   |   |(+)|(+)|(+)|(+)|(+)|(+)|
> |Enable/disable alerts         |   |   |   |   |   |(+)|(+)|
> |Enable/disable Kerberos       |   |   |   |   |   |(+)|(+)|
> |Upgrade/downgrade stack       |   |   |   |   |   |(+)|(+)|
> ||Ambari-level Permissions||
> |Create new clusters           |   |   |   |   |   |   |(+)|
> |Set service users and groups  |   |   |   |   |   |   |(+)|
> |Rename clusters               |   |   |   |   |   |   |(+)|
> |Manage users                  |   |   |   |   |   |   |(+)|
> |Manage groups                 |   |   |   |   |   |   |(+)|
> |Manage Ambari Views           |   |   |   |   |   |   |(+)|
> |Assign permissions/roles      |   |   |   |   |   |   |(+)|
> |Manage stack versions         |   |   |   |   |   |   |(+)|
> |Edit stack repository URLs    |   |   |   |   |   |   |(+)|



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)