Re: Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

Wed, 01 Feb 2017 12:20:12 -0800 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/
-----------------------------------------------------------

(Updated Feb. 1, 2017, 8:19 p.m.)


Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian 
Toader.


Changes
-------

- using simple junit instead of solr test case -> it creates a directory on the 
filesystem, which is not needed at all for this test cases.
- adding noarch to rpm build (safe change: releng checks *.rpm files) -> with 
that we can build rpms on Mac as well, the build is not needed to be OS specific


Bugs: AMBARI-19822
    https://issues.apache.org/jira/browse/AMBARI-19822


Repository: ambari


Description
-------

Problem:
If an ambari cluster is secured and kerberos authentication is used for Solr, 
we need (default) authorizations as well to make sure only the specific service 
users (ranger, atlas, logsearch) can access their collections (and solr user as 
well)

Solution:
Although RuleBasedAuthorizationPlugin seems to be a good solution here, to map 
default users to default permissions, unfortunately, permissions and roles 
using principal name for mapping (not username) from the authentication tokens. 
Also Solr name rules applied on the username and not on the principal, 
therefore we need the fully qualified hostname as well in the role-permission 
mapping. In order to avoid that issue, I added an own plugin 
(org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin), to map 
users with <name>@<DOMAIN> format.

to problem is in here in RuleBasedAuthorizationPlugin.java:
https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153

notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file 
(InfraUserRolesLookupStrategy class which I added and included in the new 
plugin class)


Diffs (updated)
-----

  ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
  
ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java
 PRE-CREATION 
  
ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java
 PRE-CREATION 
  
ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java
 PRE-CREATION 
  
ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java
 PRE-CREATION 
  ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
  ambari-logsearch/pom.xml 7aeb4a7 
  
ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py
 526baea 
  
ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2
 d8aea24 

Diff: https://reviews.apache.org/r/56179/diff/


Testing
-------

unit tests done, behavior validated with unit tests. other tests (FT) with 
using ranger and atlas are in progress...


Thanks,

Oliver Szabo

Reply via email to