Olivér Szabó created AMBARI-19822:
-------------------------------------
Summary: Add infra-solr-plugin for authorization (with Kerberos)
Key: AMBARI-19822
URL: https://issues.apache.org/jira/browse/AMBARI-19822
Project: Ambari
Issue Type: Bug
Components: ambari-logsearch, ambari-server
Affects Versions: 2.5.0
Reporter: Olivér Szabó
Assignee: Olivér Szabó
Fix For: 2.5.0
Problem:
If an Ambari cluster is secured and Kerberos authentication is used for Solr,
we need (default) authorizations as well to make sure only the specific service
users (ranger, atlas, logsearch) can access their collections (and the solr user
as well).
Solution:
Although RuleBasedAuthorizationPlugin seems to be a good solution here, to map
default users to default permissions, unfortunately, permissions and roles
use the principal name for mapping (not the username) from the authentication
tokens. Also, Solr name rules are applied to the username and not to the
principal, therefore we need the fully qualified hostname as well in the
role-permission mapping. In order to avoid that issue, I added our own plugin
({{org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin}}), to
map users with {{<name>@<DOMAIN>}} format.
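The mapping problem described in the issue, sketched as an added example (this is not code from the Ambari plugin or from Solr): a role lookup keyed on the full Kerberos principal misses host-qualified service principals, while a lookup keyed on `<name>@<DOMAIN>` needs one entry per service user. The realm, host names, role names and the collection table are constructed, and dropping the host component to obtain `<name>@<DOMAIN>` is an assumption about how that form is derived.

```python
import re

# Kerberos principal syntax: primary[/instance]@REALM
PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@\s]+)(?:/(?P<instance>[^/@\s]+))?@(?P<realm>[^/@\s]+)$"
)

# Constructed role table keyed by <name>@<DOMAIN>: one entry per service user.
USER_ROLES = {
    "solr@EXAMPLE.COM": {"admin"},
    "logsearch@EXAMPLE.COM": {"logsearch_user"},
    "ranger@EXAMPLE.COM": {"ranger_user"},
    "atlas@EXAMPLE.COM": {"atlas_user"},
}

# Constructed collection -> roles allowed to access it.
COLLECTION_ROLES = {
    "hadoop_logs": {"admin", "logsearch_user"},
    "ranger_audits": {"admin", "ranger_user"},
    "vertex_index": {"admin", "atlas_user"},
}


def short_principal(principal):
    """Return <name>@<DOMAIN> for a principal, or None if it is malformed."""
    m = PRINCIPAL_RE.match(principal or "")
    if not m:
        return None
    # The realm is kept so the same name in a different realm does not match.
    return f"{m['primary']}@{m['realm']}"


def roles_exact(principal):
    """Lookup on the full principal: name/host@REALM finds no entry."""
    return USER_ROLES.get(principal, set())


def roles_normalized(principal):
    """Lookup on <name>@<DOMAIN>, independent of the host component."""
    key = short_principal(principal)
    return USER_ROLES.get(key, set()) if key else set()


def is_allowed(principal, collection, lookup=roles_normalized):
    """Deny by default: unknown collections and unmapped users get no access."""
    allowed = COLLECTION_ROLES.get(collection)
    if not allowed:
        return False
    return bool(lookup(principal) & allowed)
```

With exact matching, every host a service runs on would need its own entry in the role table; the normalized lookup trades that for trusting any instance of the named service principal within the realm.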