[ 
https://issues.apache.org/jira/browse/AMBARI-22831?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16335922#comment-16335922
 ] 

Raghavender Rao Guruvannagari commented on AMBARI-22831:
--------------------------------------------------------

-->All the AD users in the customer environment are upper case (e.g. B0001234) and 
Ranger privileges are enforced based on this upper case username. 
-->Ambari, while it syncs the user name from AD, will convert it to all lowercase 
while updating the DB. (As per changes with AMBARI-17383) 
-->When user B0001234 tries to access Hive view 2.0, the actual username is fetched 
from AD, which is B0001234 (but the Ambari user is identified as b0001234).

Due to this behavior, the user who logs in as b0001234 cannot access the 
'Authorization' tab in Hive view 2.0. Error we see: 
{code:java}
Message: User B0001234 does not have privilege to access the table 
authorization information 
Error Code: NOT_OPERATOR_OR_ADMIN

{code}

Ambari is not able to map the privilege to the user "B0001234" because the actual 
user name synced in Ambari is b0001234 and all privileges are assigned to this 
user.

Here is the code that handles this behavior

==== Checking the user privileges with "authChecker.isOperator"

/AMBARI-2.5.1.1/ambari/contrib/views/hive20/src/main/java/org/apache/ambari/view/hive20/resources/system/ranger/RangerService.java

{code:java}
public class RangerService {
  [...]
  public List<Policy> getPolicies(String database, String table) {

    if (context.getCluster() == null) {
      return getPoliciesFromNonAmbariCluster(database, table);
    } else {
      if (!authChecker.isOperator()) {
        LOG.error("User is not authorized to access the table authorization information");
        throw new RangerException("User " + context.getUsername() + " does not have privilege to access the table authorization information",
            "NOT_OPERATOR_OR_ADMIN", 400);
      }
      return getPoliciesFromAmbariCluster(database, table);
    }

  }
{code}

 

-->"authChecker.isOperator" is using the API defined with 
"AMBARI_OR_CLUSTER_ADMIN_PRIVILEGE_URL" variable.

AMBARI-2.5.1.1/ambari/contrib/views/hive20/src/main/java/org/apache/ambari/view/hive20/utils/AuthorizationChecker.java
 
{code:java}
public class AuthorizationChecker {
  protected final Logger LOG = LoggerFactory.getLogger(getClass());
  private static final String AMBARI_OR_CLUSTER_ADMIN_PRIVILEGE_URL =
      "/api/v1/users/%s?privileges/PrivilegeInfo/permission_name=AMBARI.ADMINISTRATOR|" +
      "(privileges/PrivilegeInfo/permission_name.in(CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR)&privileges/PrivilegeInfo/cluster_name=%s)";

  private final ViewContext viewContext;
  private final AmbariApi ambariApi;
{code}


-->Based on the above API, if trying to identify the privileges for B0001234, we 
won't get any results. As no privilege info is returned for the user B0001234, the 
Authorization tab on Hive view 2.0 throws the error "NOT_OPERATOR_OR_ADMIN":

{code:java}
$ curl -u admin:admin 'http://sec-lab1.raghav.com:8080/api/v1/users/B0001234?privileges/PrivilegeInfo/permission_name=AMBARI.ADMINISTRATOR|(privileges/PrivilegeInfo/permission_name.in(CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR)&privileges/PrivilegeInfo/cluster_name=seclab)'
{code}


-->However, the same API when used with the 'b0001234' user name shows the appropriate 
privileges for the user b0001234. 
{code:java}
$ curl -u admin:admin 'http://sec-lab1.raghav.com:8080/api/v1/users/b0001234?privileges/PrivilegeInfo/permission_name=AMBARI.ADMINISTRATOR|(privileges/PrivilegeInfo/permission_name.in(CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR)&privileges/PrivilegeInfo/cluster_name=seclab)'

{
  "href" : "http://sec-lab1.raghav.com:8080/api/v1/users/b0001234?privileges/PrivilegeInfo/permission_name=AMBARI.ADMINISTRATOR|(privileges/PrivilegeInfo/permission_name.in(CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR)&privileges/PrivilegeInfo/cluster_name=seclab)",
  "Users" : {
    "user_name" : "b0001234"
  },
  "privileges" : [
    {
      "href" : "http://sec-lab1.raghav.com:8080/api/v1/users/b0001234/privileges/202",
      "PrivilegeInfo" : {
        "permission_name" : "AMBARI.ADMINISTRATOR",
        "privilege_id" : 202,
        "user_name" : "b0001234"
      }
    }
  ]
}
{code}

 

If the user table in the DB is updated with the uppercase username 'B0001234' and the 
roles are assigned from the Ambari UI, then user 'B0001234' can access the Authorization tab 
in Hive view 2.0. 

> Ambari Hive view 2.0 will not show Ranger Authorization if logged in AD 
> Usernames are Uppercase
> -----------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-22831
>                 URL: https://issues.apache.org/jira/browse/AMBARI-22831
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-views
>    Affects Versions: 2.6.2
>            Reporter: Raghavender Rao Guruvannagari
>            Priority: Major
>
> In the customer environment, all the AD users log in with uppercase usernames and Ranger 
> authorization is set considering uppercase usernames.
> When an AD user (who already has Admin privileges) accesses Ambari Hive view 2.0, it 
> errors out with the below exception.
> {code:java}
> Message: User B0001234 does not have privilege to access the table 
> authorization information 
> Error Code: NOT_OPERATOR_OR_ADMIN 
> {code}
> -->Although user B0001234 is admin user.
> {code:java}
> $ curl -u admin:admin 'http://sec-lab1.raghav.com:8080/api/v1/users/b0001234?privileges/PrivilegeInfo/permission_name=AMBARI.ADMINISTRATOR|(privileges/PrivilegeInfo/permission_name.in(CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR)&privileges/PrivilegeInfo/cluster_name=seclab)'
>
> {
>   "href" : "http://sec-lab1.raghav.com:8080/api/v1/users/b0001234?privileges/PrivilegeInfo/permission_name=AMBARI.ADMINISTRATOR|(privileges/PrivilegeInfo/permission_name.in(CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR)&privileges/PrivilegeInfo/cluster_name=seclab)",
>   "Users" : {
>     "user_name" : "b0001234"
>   },
>   "privileges" : [
>     {
>       "href" : "http://sec-lab1.raghav.com:8080/api/v1/users/b0001234/privileges/202",
>       "PrivilegeInfo" : {
>         "permission_name" : "AMBARI.ADMINISTRATOR",
>         "privilege_id" : 202,
>         "user_name" : "b0001234"
>       }
>     }
>   ]
> }
> {code}
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
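
The mismatch described in the comment above, reduced to a stand-alone program. This is an added example, not Ambari code and not part of the original comment. It assumes the sync step stores names in lower case, as the comment states; the class, method and map names are hypothetical and the sample data is constructed.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added illustration; class and method names are hypothetical, not Ambari code.
public class UsernameCaseDemo {

    // Constructed sample store: the sync step saved the account in lower case.
    static final Map<String, Set<String>> PRIVILEGES_BY_USER = Map.of(
            "b0001234", Set.of("AMBARI.ADMINISTRATOR"));

    // Roles named in the privilege query shown in the comment.
    static final Set<String> OPERATOR_ROLES = Set.of(
            "AMBARI.ADMINISTRATOR", "CLUSTER.ADMINISTRATOR", "CLUSTER.OPERATOR");

    // Same canonical form the sync step is assumed to apply. Locale.ROOT keeps
    // the result independent of the JVM default locale (e.g. Turkish dotless i).
    static String canonical(String name) {
        return name.trim().toLowerCase(Locale.ROOT);
    }

    // Exact-match lookup: the behaviour described in the report.
    static boolean isOperatorExact(String name) {
        return hasOperatorRole(PRIVILEGES_BY_USER.get(name));
    }

    // Lookup after canonicalising the name the same way the store was written.
    static boolean isOperatorCanonical(String name) {
        return hasOperatorRole(PRIVILEGES_BY_USER.get(canonical(name)));
    }

    private static boolean hasOperatorRole(Set<String> granted) {
        return granted != null && granted.stream().anyMatch(OPERATOR_ROLES::contains);
    }

    public static void main(String[] args) {
        // The AD-cased name, the stored name, and a name with no account at all.
        for (String name : List.of("B0001234", "b0001234", "B0009999")) {
            System.out.printf("%-9s exact=%-5b canonical=%b%n",
                    name, isOperatorExact(name), isOperatorCanonical(name));
        }
    }
}
```

The folding has to be applied at every point that writes or reads the account name, otherwise the two sides drift apart again. If a directory holds two names that differ only in case, they resolve to the same account after folding, so check for that before relying on it.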
