[
https://issues.apache.org/jira/browse/AMBARI-19822?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15856167#comment-15856167
]
Olivér Szabó commented on AMBARI-19822:
---------------------------------------
reverted on branch-2.5:
{code:java}
commit cbe35dacbe20b3269a94c73e22f25ab1fbd6c158
Author: oleewere <[email protected]>
Date: Tue Feb 7 15:55:16 2017 +0100
Revert "AMBARI-19822. Add infra-solr-plugin for authorization (with
Kerberos) (oleewere)"
This reverts commit 49546afad8ad50495023284defb40211afd2f904.
{code}
recommitted to branch-2.5:
{code:java}
commit 79e676c2a86f63becc6dba0041ba11102f11cd9a
Author: oleewere <[email protected]>
Date: Wed Feb 1 18:24:10 2017 +0100
AMBARI-19822. Add infra-solr-plugin for authorization (with Kerberos)
(oleewere)
{code}
> Add infra-solr-plugin for authorization (with Kerberos)
> -------------------------------------------------------
>
> Key: AMBARI-19822
> URL: https://issues.apache.org/jira/browse/AMBARI-19822
> Project: Ambari
> Issue Type: Bug
> Components: ambari-logsearch, ambari-server
> Affects Versions: 2.5.0
> Reporter: Olivér Szabó
> Assignee: Olivér Szabó
> Fix For: 2.5.0
>
> Attachments: AMBARI-19822.patch
>
> Original Estimate: 48h
> Remaining Estimate: 48h
>
> Problem:
> If an Ambari cluster is secured and Kerberos authentication is used for Solr,
> we need (default) authorizations as well to make sure only the specific
> service users (ranger, atlas, logsearch) can access their collections (and
> solr user as well).
> Solution:
> Although RuleBasedAuthorizationPlugin seems to be a good solution here, to
> map default users to default permissions, unfortunately, permissions and
> roles use the principal name for mapping (not the username) from the
> authentication tokens. Also, Solr name rules are applied on the username and
> not on the principal, therefore we need the fully qualified hostname as well
> in the role-permission mapping. In order to avoid that issue, I added my own
> plugin
> ({{org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin}}), to
> map users with {{<name>@<DOMAIN>}} format.
> Also we should keep the old behaviour of RuleBasedAuthorizationPlugin, so
> users are still able to define user-role mappings with fully qualified names.
> In case we need strict host validation, I added 2 new JSON properties for
> that:
> 1. { "user-host" : {"<username>" : [<hostnames array>]} }
> 2. {"user-host-regex" : {"<username>" : "hostname-regex"} }
> {{user-host-regex}} has higher precedence than {{user-host}}
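The mapping and host validation described in the issue, sketched as an added example that is not the code of InfraRuleBasedAuthorizationPlugin. Assumptions: principals have the form `name/host@REALM`, all three maps are keyed by `<name>@<DOMAIN>`, the regex must match the whole hostname, a user with no host rule is not host-checked, and the sample configuration (realm, hosts, role names) is constructed.

```python
import re

# Constructed sample. "user-role" is the stock RuleBasedAuthorizationPlugin key;
# "user-host" and "user-host-regex" are the two properties named in the issue.
# Assumption: all three maps are keyed by <name>@<DOMAIN>.
SAMPLE_CONFIG = {
    "user-role": {
        "logsearch@EXAMPLE.COM": ["logsearch_user"],
        "ranger@EXAMPLE.COM": ["ranger_user"],
        "atlas@EXAMPLE.COM": ["atlas_user"],
    },
    "user-host": {
        "logsearch@EXAMPLE.COM": ["ls1.example.com", "ls2.example.com"],
        "ranger@EXAMPLE.COM": ["old-admin.example.com"],
    },
    "user-host-regex": {"ranger@EXAMPLE.COM": r"ranger-\d+\.example\.com"},
}


def split_principal(principal):
    """Split 'name/host@REALM' into (name, host, realm); host is None if absent."""
    primary, sep, realm = principal.rpartition("@")
    name, _, host = primary.partition("/")
    if not sep or not name or not realm:
        raise ValueError(f"not a Kerberos principal: {principal!r}")
    return name, (host.lower() or None), realm


def roles_for(principal, config=SAMPLE_CONFIG):
    """Return the roles a principal maps to, or [] if its host is rejected."""
    name, host, realm = split_principal(principal)
    user = f"{name}@{realm}"  # host part dropped for the role lookup
    regex = config.get("user-host-regex", {}).get(user)
    hosts = config.get("user-host", {}).get(user)
    if regex is not None:
        # Higher precedence: when a regex exists, the host list is not consulted.
        allowed = host is not None and re.fullmatch(regex, host) is not None
    elif hosts is not None:
        allowed = host in {h.lower() for h in hosts}
    else:
        allowed = True  # assumption: no host rule for this user, no host check
    return list(config.get("user-role", {}).get(user, [])) if allowed else []
```

Because the regex wins, `ranger/old-admin.example.com@EXAMPLE.COM` gets no roles here even though that host is still present in the `user-host` list.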