Tuong Truong created AMBARI-15039:
-------------------------------------
Summary: Support PAM authentication and Only group base
authorization in Ambari
Key: AMBARI-15039
URL: https://issues.apache.org/jira/browse/AMBARI-15039
Project: Ambari
Issue Type: Epic
Components: ambari-server
Affects Versions: 2.1.0, 2.2.0
Reporter: Tuong Truong

Currently, Ambari user authentication is done via 2 modes:
1. Ambari defined users (not necessarily local OS users)
2. LDAP users whose group and users have to be imported into Ambari

In both cases, Ambari predefines the "admin" user that has the admin role, which is
used for managing the Ambari cluster and Ambari users. Furthermore, Ambari
maintains a separate user database independent of any other user directory such
as the /etc/passwd file. Even with LDAP integration, Ambari requires synching
with the LDAP server users into Ambari's database. Ambari's maintenance of
this private user database is problematic, especially in a large enterprise
environment where user management is often done through group membership as
employees change roles frequently.

In this JIRA, we propose a two-prong approach to simplify and enable enterprise
class authentication support in Ambari. In this proposal, Ambari will
provide support for PAM authentication, and in this PAM mode, it will no longer
track individual Ambari users in its own database. Ambari will only track
groups and manage access control by granting access to groups. When a user
attempts to log in, Ambari will authenticate the user via PAM. Once
authenticated, it will determine the group(s) that the user belongs to. It
then grants user permission based on the group information retrieved from PAM.
With PAM, LDAP can also be enabled via PAM-LDAP and customers will no longer
need to perform any synching action.
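
The group-only authorization step proposed above, as an added example that is not part of the original message or of Ambari's code. The group names, permission strings and function names are hypothetical, and the PAM authentication step is assumed to have succeeded before these functions are called.

```python
import grp
import os
import pwd

# Hypothetical group-to-permission grants; the group names and permission
# strings are constructed for illustration and are not Ambari's own.
GRANTS = {
    "hadoop-admins": {"cluster.administer", "cluster.operate", "cluster.view"},
    "hadoop-ops": {"cluster.operate", "cluster.view"},
    "analysts": {"cluster.view"},
}


def os_groups(username):
    """Return the user's primary and supplementary group names from NSS.

    The lookup happens at login time, so a membership change in the
    directory takes effect without any per-user record in the application.
    """
    try:
        primary_gid = pwd.getpwnam(username).pw_gid
    except KeyError:
        return set()  # unknown user: no groups, so no permissions
    names = set()
    for gid in os.getgrouplist(username, primary_gid):
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            continue  # a gid without a group entry grants nothing
    return names


def permissions_for(groups, grants=GRANTS):
    """Union of the permissions granted to any of the user's groups.

    Groups without a grant contribute nothing (default deny).
    """
    allowed = set()
    for name in groups:
        allowed |= grants.get(name, set())
    return allowed


def is_authorized(groups, permission, grants=GRANTS):
    """Decide from group membership alone; call only after PAM succeeded."""
    return permission in permissions_for(groups, grants)


if __name__ == "__main__":
    # Constructed memberships standing in for what os_groups() would return.
    print(is_authorized({"hadoop-ops", "staff"}, "cluster.operate"))
    print(is_authorized({"staff"}, "cluster.view"))
```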