[ https://issues.apache.org/jira/browse/AMBARI-19822?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15856026#comment-15856026 ]
Hudson commented on AMBARI-19822:
---------------------------------
SUCCESS: Integrated in Jenkins build Ambari-trunk-Commit #6660 (See [https://builds.apache.org/job/Ambari-trunk-Commit/6660/])
AMBARI-19822. Add infra-solr-plugin for authorization (with Kerberos) (oleewere: [http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=5ecc858fddfa26ef47129233f9fd5bbcb813ccfd])
* (add) ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java
* (edit) ambari-logsearch/ambari-logsearch-assembly/pom.xml
* (edit) ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2
* (add) ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java
* (edit) ambari-logsearch/pom.xml
* (add) ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraKerberosHostValidatorTest.java
* (edit) ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py
* (add) ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java
* (add) ambari-logsearch/ambari-infra-solr-plugin/pom.xml
* (add) ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java
* (edit) ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml
* (add) ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraKerberosHostValidator.java
* (edit) ambari-server/src/test/python/stacks/2.4/configs/default.json
> Add infra-solr-plugin for authorization (with Kerberos)
> -------------------------------------------------------
>
> Key: AMBARI-19822
> URL: https://issues.apache.org/jira/browse/AMBARI-19822
> Project: Ambari
> Issue Type: Bug
> Components: ambari-logsearch, ambari-server
> Affects Versions: 2.5.0
> Reporter: Olivér Szabó
> Assignee: Olivér Szabó
> Fix For: 2.5.0
>
> Attachments: AMBARI-19822.patch
>
> Original Estimate: 48h
> Remaining Estimate: 48h
>
> Problem:
> If an Ambari cluster is secured and Kerberos authentication is used for Solr,
> we need (default) authorizations as well to make sure only the specific
> service users (ranger, atlas, logsearch) can access their collections (and
> the solr user as well).
> Solution:
> Although RuleBasedAuthorizationPlugin seems to be a good solution here to
> map default users to default permissions, unfortunately, permissions and
> roles use the principal name for mapping (not the username) from the authentication
> tokens. Also, Solr name rules are applied to the username and not to the
> principal, therefore we need the fully qualified hostname as well in the
> role-permission mapping. In order to avoid that issue, I added our own plugin
> ({{org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin}}) to
> map users with {{<name>@<DOMAIN>}} format.
> Also, we should keep the old behaviour of RuleBasedAuthorizationPlugin, so
> users are still able to define user-role mappings with fully qualified names.
> In case we need strict host validations, I added 2 new JSON properties for
> that:
> 1. { "user-host" : {"<username>" : [<hostnames array>]} }
> 2. {"user-host-regex" : {"<username>" : "hostname-regex"} }
> {{user-host-regex}} has higher precedence than {{user-host}}.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
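
The lookup and host-validation behaviour described in the issue, as an added Python sketch (not the plugin's Java code and not part of the patch). The realm, hostnames, roles, function names, keying the host rules by `<name>@<DOMAIN>`, and the handling of principals without a host part or without a host rule are assumptions made for illustration.

```python
import re

# Constructed security.json fragment (sample realm, hosts and roles).
CONFIG = {
    "user-role": {
        "logsearch@EXAMPLE.COM": ["logsearch_user"],
        "ranger@EXAMPLE.COM": ["ranger_user"],
        # Old behaviour: fully qualified principal used directly as the key.
        "infra-solr/solr1.example.com@EXAMPLE.COM": ["admin"],
    },
    "user-host": {
        "ranger@EXAMPLE.COM": ["ranger1.example.com"],
        "logsearch@EXAMPLE.COM": ["gateway.example.com"],
    },
    "user-host-regex": {"logsearch@EXAMPLE.COM": r"ls\d+\.example\.com"},
}

def split_principal(principal):
    """Split 'name/host@REALM' into ('name@REALM', host); host is None if absent."""
    primary, sep, realm = principal.rpartition("@")
    if not sep or not primary or not realm:
        raise ValueError("not a Kerberos principal: %r" % principal)
    name, _, host = primary.partition("/")
    return "%s@%s" % (name, realm), (host or None)

def host_allowed(config, user, host):
    """user-host-regex wins over user-host; no rule means no restriction (assumption)."""
    pattern = config.get("user-host-regex", {}).get(user)
    if pattern is not None:
        # A principal without a host part fails a host rule (assumption).
        return host is not None and re.fullmatch(pattern, host) is not None
    allowed = config.get("user-host", {}).get(user)
    if allowed is not None:
        return host in allowed
    return True

def roles_for(config, principal):
    """Return the roles for an authenticated principal, or an empty set."""
    mapping = config.get("user-role", {})
    user, host = split_principal(principal)
    if host is not None and principal in mapping:      # fully qualified mapping
        return set(mapping[principal])
    if user in mapping and host_allowed(config, user, host):
        return set(mapping[user])                       # <name>@<DOMAIN> mapping
    return set()
```

The `logsearch` entries show the precedence rule: `gateway.example.com` is listed in `user-host`, but the regex rule is consulted first and rejects it.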