Robert Levas created AMBARI-25062:
-------------------------------------
Summary: Optionally execute the post user creation hook on
existing users during LDAP sync
Key: AMBARI-25062
URL: https://issues.apache.org/jira/browse/AMBARI-25062
Project: Ambari
Issue Type: Bug
Components: ambari-server
Affects Versions: 2.8.0
Reporter: Robert Levas
Assignee: Robert Levas
Fix For: 2.8.0
Optionally execute the post user creation hook on existing users during LDAP
sync.
The post user creation hook is executed on users when they are created or
imported into Ambari. This hook is executed when the following criteria are met:
# The post user creation hook is enabled (ambari.properties -
{{ambari.post.user.creation.hook.enabled = true}}, default: {{false}})
# The post user creation hook is set and available (ambari.properties -
{{ambari.post.user.creation.hook = <path to script>}}, default:
{{/var/lib/ambari-server/resources/scripts/post-user-creation-hook.sh}})
# HDFS is installed and running.
It is possible to have executed the LDAP sync process before all of the
criteria have been met. Therefore, it would be beneficial to trigger the post
user creation hook to be executed on these users once the criteria have been
met.
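As an added example (not part of the issue or Ambari's own code), a Python pre-flight check for the first two criteria above, using the property names and defaults listed in this issue. The function names and the check that the hook script is not group- or world-writable are assumptions added here; the HDFS criterion is not checked.

```python
import os
import stat

# Property names and defaults as given in the issue description.
ENABLED_KEY = "ambari.post.user.creation.hook.enabled"
SCRIPT_KEY = "ambari.post.user.creation.hook"
DEFAULT_SCRIPT = "/var/lib/ambari-server/resources/scripts/post-user-creation-hook.sh"


def parse_properties(text):
    """Parse key=value lines from ambari.properties text; skip blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def hook_preflight(properties_text):
    """Return a list of problems that would stop or endanger the hook run.

    An empty list means criteria 1 and 2 from the issue hold and the script
    is not writable by group or others (the permission check is an added
    hardening assumption, not a rule stated in the issue).
    """
    props = parse_properties(properties_text)
    problems = []
    if props.get(ENABLED_KEY, "false").lower() != "true":
        problems.append("hook disabled: %s is not true" % ENABLED_KEY)
    script = props.get(SCRIPT_KEY, DEFAULT_SCRIPT)
    try:
        st = os.stat(script)
    except OSError:
        problems.append("hook script not found: %s" % script)
        return problems
    if not stat.S_ISREG(st.st_mode):
        problems.append("hook script is not a regular file: %s" % script)
    elif not st.st_mode & stat.S_IXUSR:
        problems.append("hook script is not executable: %s" % script)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("hook script is group/world-writable: %s" % script)
    return problems
```

Pass it the contents of ambari.properties before requesting a sync with {{post_process_existing_users}}; an empty list means the hook is enabled and the script is present, executable and not writable by group or others.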
To do this, an optional property should be set on the LDAP sync request -
{{post_process_existing_users}}. The {{post_process_existing_users}} property
is part of a "spec" object and should be set to either "true" or "false", if
set at all. If set to "true", the post user creation hook will be executed on
all users that come back from the LDAP query and also exist in the Ambari
database as LDAP users.
Example REST API calls:
{noformat:title=Sync All Users and Groups}
POST /api/v1/ldap_sync_events
[
  {
    "Event": {
      "specs": [
        {
          "principal_type": "users",
          "sync_type": "all",
          "post_process_existing_users" : "true"
        },
        {
          "principal_type": "groups",
          "sync_type": "all",
          "post_process_existing_users" : "true"
        }
      ]
    }
  }
]
{noformat}
{noformat:title=Sync Specific Users}
POST /api/v1/ldap_sync_events
[
  {
    "Event": {
      "specs": [
        {
          "principal_type": "users",
          "sync_type": "specific",
          "names" : "user1, user2, user3",
          "post_process_existing_users" : "true"
        }
      ]
    }
  }
]
{noformat}
{noformat:title=Sync Specific Groups}
POST /api/v1/ldap_sync_events
[
  {
    "Event": {
      "specs": [
        {
          "principal_type": "groups",
          "sync_type": "specific",
          "names" : "hadoop_users, hadoop_admins",
          "post_process_existing_users" : "true"
        }
      ]
    }
  }
]
{noformat}
Using the Ambari sync-ldap CLI, an optional argument named
"--post-process-existing-users" may be added to enable this feature.
Example CLI calls:
{noformat:title=Sync All Users and Groups}
ambari-server sync-ldap --all --post-process-existing-users
{noformat}
{noformat:title=Sync Specific Users}
ambari-server sync-ldap --users users.txt --post-process-existing-users
{noformat}
{noformat:title=Sync Specific Groups}
ambari-server sync-ldap --groups groups.txt --post-process-existing-users
{noformat}