[jira] [Resolved] (AMBARI-24351) Logic and declaration used to determine if SSO is enabled for a service needs to be able to handle more than a boolean property

Mon, 20 Aug 2018 23:59:04 -0700 


     [ 
https://issues.apache.org/jira/browse/AMBARI-24351?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jayush Luniya resolved AMBARI-24351.
------------------------------------
    Resolution: Fixed

> Logic and declaration used to determine if SSO is enabled for a service needs 
> to be able to handle more than a boolean property
> -------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-24351
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24351
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.7.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 2.7.1
>
>          Time Spent: 2h 40m
>  Remaining Estimate: 0h
>
> Logic and declaration used to determine if SSO is enabled for a service needs 
> to be able to handle more than a boolean property.
> The current way Ambari determines whether SSO is enabled for a service or not 
> is by getting the value of the property indicated in 
> {{sso/enabledConfiguration}} property in the service's metadata:
> {code:java|title=Example}
>       <sso>
>         <supported>true</supported>
>         
> <enabledConfiguration>service-properties/sso.knox.enabled</enabledConfiguration>
>       </sso>
> {code}
> Using the above example, the {{service-properties/sso.knox.enabled}} is 
> checked to see if its value is "true" or "false".
> This method works for a few services, but other services require more 
> elaborate checks. For example Oozie relies on the value of 
> {{oozie-site/oozie.authentication.type}}. If the value is 
> "org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler",
>  then SSO is enabled; otherwise it is not. This is different that just a 
> Boolean value.
> *Solution*
> To support a more robust method to determine whether SSO is enabled or not, a 
> new attribute should be added - {{ssoEnabledTest}}. The existing attribute, 
> {{enabledConfiguration}}, should be available for backward compatibility - 
> but converted on the backend.
> The {{ssoEnabledTest}} attribute is to contain a JSON document that can be 
> _compiled_ into a {{org.apache.commons.collections.Predicate}} (ideally using 
> {{org.apache.ambari.server.collections.PredicateUtils#fromJSON}}). For example
> {code:java}
>       <sso>
>         <supported>true</supported>
>         <ssoEnabledTest>
>           {
>             "equals": [
>               "service-properties/sso.knox.enabled",
>               "true"
>             ]
>           }
>       </sso>
> {code}
> {code:java}
>       <sso>
>         <supported>true</supported>
>         <ssoEnabledTest>
>           {
>             "equals": [
>               "oozie-site/oozie.authentication.type",
>               
> "org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler"
>             ]
>           }
>         </ssoEnabledTest>
>       </sso>{code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to