[jira] [Commented] (KYLIN-4781) Provisioning different Roles access to the LDAP Groups

Fri, 09 Oct 2020 19:49:34 -0700 


    [ 
https://issues.apache.org/jira/browse/KYLIN-4781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17211520#comment-17211520
 ] 

Yaqian Zhang commented on KYLIN-4781:
-------------------------------------

Hi:
As you said, kylin does not support directly granting permissions to AD groups 
at present, because kylin does not synchronize groups in LDAP, which means that 
these groups do not exist in kylin. Even if you add these groups to the 
metadata manually, they don't contain any users. 
I think this is indeed a practical requirement. If you are interested, welcome 
to mention PR to make kylin support it!

> Provisioning different Roles access to the LDAP Groups
> ------------------------------------------------------
>
>                 Key: KYLIN-4781
>                 URL: https://issues.apache.org/jira/browse/KYLIN-4781
>             Project: Kylin
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: all, v3.0.2
>            Reporter: sundaramoorthy Muthusamy
>            Priority: Major
>              Labels: ActiveDirectory, RolesAllowed, ldap
>
> We have setup the LDAP connectivity using the kylin.properties file and all 
> users we able to login to the server. 
> But apart from the admin ldap User, others are not able to see any projects, 
> So we have proceeded to add user level permissions in admin user and it 
> worked fine. Since the number of users were high we want to grant access at 
> AD group level instead of Users.
>  
> Apart from ROLE_ADMIN, ROLE_ANALYST, ROLE_MODELER, ALL_USER Other groups we 
> are not able to add. 
> *Tried Few options:*
>  # Setting up the below property with AD group names to provide admin access, 
> still not able to grant access to these roles.
>  ** kylin.security.acl.admin-role
>  ** {color:#FF0000}*Error:* {color}operation Failed, Group xxx not exists, 
> Please Add first.
>  # Manually added an entry in the hbase metadata table for key "/user_group" 
> with the group name.
>  ** Now able to add the Role and assign but the Users in that AD group still 
> not able to see the projects whose access has been granted.
>  
> Net-Net we could not grant AD group to different roles at project Level. 
> Kindly help.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to