[
https://issues.apache.org/jira/browse/AMBARI-19822?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Olivér Szabó updated AMBARI-19822:
----------------------------------
Attachment: AMBARI-19822.patch
> Add infra-solr-plugin for authorization (with Kerberos)
> -------------------------------------------------------
>
> Key: AMBARI-19822
> URL: https://issues.apache.org/jira/browse/AMBARI-19822
> Project: Ambari
> Issue Type: Bug
> Components: ambari-logsearch, ambari-server
> Affects Versions: 2.5.0
> Reporter: Olivér Szabó
> Assignee: Olivér Szabó
> Fix For: 2.5.0
>
> Attachments: AMBARI-19822.patch
>
> Original Estimate: 48h
> Remaining Estimate: 48h
>
> Problem:
> If an Ambari cluster is secured and Kerberos authentication is used for Solr,
> we need (default) authorizations as well to make sure only the specific
> service users (ranger, atlas, logsearch) can access their collections (and
> solr user as well).
> Solution:
> Although RuleBasedAuthorizationPlugin seems to be a good solution here, to
> map default users to default permissions, unfortunately, permissions and
> roles use the principal name for mapping (not the username) from the
> authentication tokens. Also, Solr name rules are applied to the username and
> not to the principal, therefore we need the fully qualified hostname as well
> in the role-permission mapping. In order to avoid that issue, I added our own
> plugin ({{org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin}}),
> to map users with {{<name>@<DOMAIN>}} format.
> Also, we should keep the old behaviour of RuleBasedAuthorizationPlugin, so
> users are still able to define user-role mappings with fully qualified names.
> In case we need strict host validation, I added 2 new JSON properties for
> that:
> 1. { "user-host" : {"<username>" : [<hostnames array>]} }
> 2. {"user-host-regex" : {"<username>" : "hostname-regex"} }
> {{user-host-regex}} has higher precedence than {{user-host}}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
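
The mapping and host checks described in the issue, modelled as an added example; this is not the code from AMBARI-19822.patch. Assumptions: principals have the form `name/host@REALM`, the lookup key is `name@REALM`, both `user-host` and `user-host-regex` are keyed by that string, a regex entry replaces the list entry for the same user, and a user with neither entry has no host restriction. The class name, method names, hosts and realm are constructed for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Illustrative model only; class and method names are hypothetical.
public class PrincipalHostCheck {
    // Constructed sample config mirroring the two JSON properties from the issue.
    static final Map<String, List<String>> USER_HOST = Map.of(
        "logsearch@EXAMPLE.COM", List.of("ls1.example.com", "ls2.example.com"),
        "ranger@EXAMPLE.COM", List.of("ranger1.example.com"));
    static final Map<String, String> USER_HOST_REGEX = Map.of(
        "ranger@EXAMPLE.COM", "ranger\\d+\\.example\\.com");

    // "name/host@REALM" -> {"name@REALM", "host"}; host is null when absent.
    static String[] split(String principal) {
        int at = principal.lastIndexOf('@');
        if (at <= 0 || at == principal.length() - 1) {
            throw new IllegalArgumentException("no realm in principal: " + principal);
        }
        String primary = principal.substring(0, at);
        int slash = primary.indexOf('/');
        String name = slash < 0 ? primary : primary.substring(0, slash);
        String host = slash < 0 ? null : primary.substring(slash + 1);
        return new String[] { name + "@" + principal.substring(at + 1), host };
    }

    // Assumed semantics: regex entry wins over list entry; no entry, no restriction.
    static boolean hostAllowed(String principal) {
        String[] p = split(principal);
        String user = p[0], host = p[1];
        String regex = USER_HOST_REGEX.get(user);
        List<String> hosts = USER_HOST.get(user);
        if (regex == null && hosts == null) return true;
        if (host == null) return false; // restricted user without a host fails closed
        if (regex != null) return Pattern.matches(regex, host);
        return hosts.contains(host);
    }

    public static void main(String[] args) {
        String[] samples = {
            "logsearch/ls1.example.com@EXAMPLE.COM",   // host is in the user-host list
            "logsearch/other.example.com@EXAMPLE.COM", // host is not in the list
            "ranger/ranger7.example.com@EXAMPLE.COM",  // regex matches, list would not
            "ranger@EXAMPLE.COM",                      // restricted user, no host part
            "atlas/a1.example.com@EXAMPLE.COM" };      // no host rule configured
        for (String s : samples) {
            System.out.println(split(s)[0] + " <- " + s + " hostAllowed=" + hostAllowed(s));
        }
    }
}
```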