> On Oct. 3, 2016, 4:17 p.m., Robert Levas wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java,
> >  lines 955-960
> > <https://reviews.apache.org/r/52369/diff/3/?file=1518904#file1518904line955>
> >
> >     roles may be set today, but in the future these may be customizable by 
> > the user.
> 
> Vishal Ghugare wrote:
>     - Is anyone already working on it? Is there any JIRA to track this work? 
>     - How is upgrade handled in this case (upgrade from version which has 
> predefined roles to version which has configurable roles)?
> 
> Robert Levas wrote:
>     I am not sure how this will work yet, and there are no JIRAs open, but I 
> would still avoid hard-coding this. That said, I am not sure why there is a 
> need to make this part of the configuration data.
> 
> Vishal Ghugare wrote:
>     The hardcoded roles are to help customers make use of the predefined 
> roles in Ambari (Cluster Admin, Cluster Operator and so on) and bootstrap 
> their PAM authorization. I understand that the predefined roles (and their 
> names) may be customizable by the user in the future, but at the minimum, 
> the "Admin" role will still need to be predefined since the pre-created 
> "admin" user should be removed in the near future for PAM/LDAP use-case as it 
> creates a security hole. When the change to make roles configurable happens, 
> the PAM related code in Users.java & setupSecurity.py will also need to be 
> changed accordingly (not sure how these customized roles will be defined 
> initially). Having the choice (which is optional) to create custom groups 
> (with assigned roles) during PAM setup gives user an entry point to 
> boot-strap the authorization in Ambari. Also these custom groups are part 
> of the pam setup (just like any other setup for example setup-ldap) and it 
> makes sense for the properties to be stored into configuration file.

It is not clear to me why we need to preload Ambari with certain groups when 
PAM authentication is enabled. We do not do this with other _remote_ 
authentication facilities - like LDAP.  It seems like if this is needed, we 
might be able to come up with a more generic way to handle it since it could be 
useful elsewhere.


- Robert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/52369/#review151223
-----------------------------------------------------------


On Oct. 3, 2016, 10:57 p.m., Vishal Ghugare wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/52369/
> -----------------------------------------------------------
> 
> (Updated Oct. 3, 2016, 10:57 p.m.)
> 
> 
> Review request for Ambari, Alejandro Fernandez, Di Li, and Robert Levas.
> 
> 
> Bugs: AMBARI-12263
>     https://issues.apache.org/jira/browse/AMBARI-12263
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Hello Robert,
> 
> How are you doing? 
> 
> We have been working on PAM support into Ambari and have something ready for 
> review. Can you please take a look at the patch and documentation and provide 
> your feedback.
> 
> Please let me know if you have any questions.
> 
> Note: I have added you as a reviewer as I see some authentication related 
> commits under your name.
> 
> Thanks,
> -Vishal
> 
> 
> Diffs
> -----
> 
>   ambari-server/pom.xml d507b82
>   ambari-server/sbin/ambari-server 762ae19
>   ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java 2e850ef
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java 1fc9dbf
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 5e498f0
>   ambari-server/src/main/java/org/apache/ambari/server/controller/GroupResponse.java ef28f61
>   ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupResourceProvider.java e1aa5ac
>   ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java bdd73a6
>   ambari-server/src/main/java/org/apache/ambari/server/orm/dao/ResourceDAO.java e4ed9c6
>   ambari-server/src/main/java/org/apache/ambari/server/orm/entities/GroupEntity.java 00e233e
>   ambari-server/src/main/java/org/apache/ambari/server/security/ClientSecurityType.java 26d4da7
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariPamAuthenticationProvider.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Group.java b20df8d
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/GroupType.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/PamAuthenticationException.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/UserType.java aa9f3e0
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java e547f05
>   ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java 185bd58
>   ambari-server/src/main/python/ambari-server.py bb6bc0e
>   ambari-server/src/main/python/ambari_server/setupActions.py 697bc1d
>   ambari-server/src/main/python/ambari_server/setupSecurity.py 119a7d8
>   ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql 1d55515
>   ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql 49f3e2f
>   ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql 7aa52ef
>   ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql 0c95471
>   ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql 631b5c4
>   ambari-server/src/main/resources/properties.json eb27878
>   ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml 500c0bf
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariPamAuthenticationProviderTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java a80cd03
>   ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java 7b6c3ad
> 
> Diff: https://reviews.apache.org/r/52369/diff/
> 
> 
> Testing
> -------
> 
> No test cases added at this point.
> 
> 
> File Attachments
> ----------------
> 
> AMBARI-12263_trunk.patch
>   
> https://reviews.apache.org/media/uploaded/files/2016/09/30/80254a19-7d51-46f0-80f9-07e664b814ec__AMBARI-12263_trunk.patch
> 
> 
> Thanks,
> 
> Vishal Ghugare
> 
>
