[jira] [Commented] (AMBARI-14228) Ambari Files View ignores alternate HDFS authorization mechanisms

Sat, 05 Dec 2015 00:27:34 -0800 

    [ 
https://issues.apache.org/jira/browse/AMBARI-14228?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15042758#comment-15042758
 ] 

DIPAYAN BHOWMICK commented on AMBARI-14228:
-------------------------------------------

Overall, after discussion it was found that Files view was checking permissions 
in the frontend using the POSIX permission that were returned and was 
proactively restricting user to do certain operations depending on his/her 
permission. Hence, other authorization mechanism was completely ignored. So, 
the checks from the UI has to be removed and rather than proactively 
restricting, we need to reactively display error message to the user upon 
failure of his/her action.

> Ambari Files View ignores alternate HDFS authorization mechanisms
> -----------------------------------------------------------------
>
>                 Key: AMBARI-14228
>                 URL: https://issues.apache.org/jira/browse/AMBARI-14228
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-views
>    Affects Versions: 2.1.2
>            Reporter: DIPAYAN BHOWMICK
>            Assignee: DIPAYAN BHOWMICK
>             Fix For: 2.2.0
>
>
> PROBLEM: In the files view Ambari only seems to be looking at user, group, 
> mode which comes back from a GETSTATUS call and making the access decision 
> based on that in the client.
> Doing it this way completely ignores alternate authorization mechanisms like 
> HDFS ACLs and Ranger. Particularly with HDFS' new pluggable interface for 
> authorization in Hadoop 2.7 this problem could get worse down the road.
> Ambari needs to deal with this in a uniform way so the user gets all of the 
> access coming to them.
> BUSINESS IMPACT: Ambari files view is potentially useless to customers who 
> have built an authorization model on anything other than user/group/mode, 
> such as Ranger or HDFS ACLs
> EXPECTED RESULTS: The user should see no difference in their privilege level 
> between Ambari Files View and FSShell.
> ACTUAL RESULTS: Only user/group/mode are considered in files view



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to