[ 
https://issues.apache.org/jira/browse/AMBARI-15039?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15145723#comment-15145723
 ] 

Tuong Truong commented on AMBARI-15039:
---------------------------------------

Some Design Issues:

1.  Enable PAM mode 
2.  Bootstrap group for admin authority
3.  Importing of groups into Ambari? Is it needed?

> Support PAM authentication and only group-based authorization in Ambari
> -----------------------------------------------------------------------
>
>                 Key: AMBARI-15039
>                 URL: https://issues.apache.org/jira/browse/AMBARI-15039
>             Project: Ambari
>          Issue Type: Epic
>          Components: ambari-server
>    Affects Versions: 2.1.0, 2.2.0
>            Reporter: Tuong Truong
>              Labels: security-groups
>
> Currently, Ambari user authentication is done via 2 modes:
> 1.  Ambari defined users (not necessarily local OS users)
> 2.  LDAP users whose groups and users have to be imported into Ambari
> In both cases, Ambari predefines the "admin" user that has the admin role which
> is used for managing the Ambari cluster and Ambari users.  Furthermore, Ambari
> maintains a separate user database independent of any other user directory
> such as the /etc/passwd file.  Even with LDAP integration, Ambari requires
> syncing the LDAP server's users into Ambari's database.  Ambari's
> maintenance of this private user database is problematic, especially in a
> large enterprise environment where user management is often done through group
> membership as employees change roles frequently.
> In this JIRA, we propose a two-pronged approach to simplify and enable
> enterprise-class authentication support in Ambari.  In this proposal,
> Ambari will provide support for PAM authentication, and in this PAM mode, it
> will no longer track individual Ambari users in its own database.  Ambari
> will only track groups and manage access control by granting access to
> groups.  When a user attempts to log in, Ambari will authenticate the user via
> PAM.  Once authenticated, it will determine the group(s) that the user belongs
> to.  It then grants user permissions based on the group information
> retrieved from PAM.
> With PAM, LDAP can also be enabled via PAM-LDAP and customers will no longer
> need to perform any syncing action.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
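The PAM-mode flow the quoted description sketches (authenticate through PAM, resolve the user's groups at login, grant access by group only, and bootstrap admin authority from a group as in design issue 2), as an added Python illustration that is not Ambari's code; the role names, the `ambari-admins` group and the `constructed_directory` table are assumptions made for the example.

```python
"""Group-only authorization after PAM authentication (added illustration, not
Ambari code). No per-user records: after PAM authenticates the login, the
user's groups are resolved via NSS (pwd/grp, so LDAP groups arrive through
nss-ldap with no sync step) and mapped to roles. Names here are constructed."""
from typing import Callable, Dict, FrozenSet

# Constructed role vocabulary, ranked so the strongest grant wins.
ROLE_RANK = {"NONE": 0, "CLUSTER_USER": 1, "CLUSTER_OPERATOR": 2, "AMBARI_ADMIN": 3}

# Design issue 2: a fresh install gets its administrator by granting one
# bootstrap group, never by creating or storing an "admin" user.
BOOTSTRAP_GRANTS: Dict[str, str] = {"ambari-admins": "AMBARI_ADMIN"}
EXAMPLE_GRANTS: Dict[str, str] = {**BOOTSTRAP_GRANTS,
                                  "hadoop-ops": "CLUSTER_OPERATOR",
                                  "staff": "CLUSTER_USER"}


def system_groups(username: str) -> FrozenSet[str]:
    """Resolve a user's groups from NSS (local files, or LDAP via nss-ldap)."""
    import grp, pwd                                # POSIX-only, imported lazily
    pw = pwd.getpwnam(username)                    # KeyError if NSS has no such user
    names = {grp.getgrgid(pw.pw_gid).gr_name}      # primary group
    names.update(g.gr_name for g in grp.getgrall() if username in g.gr_mem)
    return frozenset(names)


def authorize(username: str, grants: Dict[str, str],
              lookup: Callable[[str], FrozenSet[str]] = system_groups) -> str:
    """Highest role any of the user's groups grants, or 'NONE'. Call only after
    PAM has authenticated `username`; no user row is read or written, so a
    group change takes effect at the next login without any sync."""
    try:
        groups = lookup(username)
    except KeyError:
        return "NONE"                              # authenticated, but unknown to NSS
    roles = [grants[g] for g in groups if g in grants]
    return max(roles, key=ROLE_RANK.__getitem__, default="NONE")


def constructed_directory(username: str) -> FrozenSet[str]:
    """Offline stand-in for system_groups, backed by a constructed table."""
    table = {"alice": frozenset({"staff", "ambari-admins"}),
             "bob": frozenset({"staff", "hadoop-ops"}),
             "carol": frozenset({"staff"})}
    return table[username]                         # KeyError for unknown users


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "mallory"):
        print(user, "->", authorize(user, EXAMPLE_GRANTS, constructed_directory))
```

Passing `system_groups` (the default lookup) instead of `constructed_directory` runs the same decision against the host's real NSS sources.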
