-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/#review164319
-----------------------------------------------------------

ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml (line 27)
<https://reviews.apache.org/r/56179/#comment236012>

    Instead of using a hardcoded list of users, wouldn't it be better to reference a variable which is populated dynamically based on the configs of the various HDP components? For example, the principals can be overridden through custom kerberos descriptors, thus this hard coded user list would not apply anymore.


- Sebastian Toader


On Feb. 4, 2017, 6:31 p.m., Oliver Szabo wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56179/
> -----------------------------------------------------------
>
> (Updated Feb. 4, 2017, 6:31 p.m.)
>
>
> Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.
>
>
> Bugs: AMBARI-19822
>     https://issues.apache.org/jira/browse/AMBARI-19822
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Problem:
> If an ambari cluster is secured and kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and solr user as well).
>
> Solution:
> Although RuleBasedAuthorizationPlugin seems to be a good solution here, to map default users to default permissions, unfortunately, permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied on the username and not on the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added my own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin), to map users with <name>@<DOMAIN> format.
>
> The problem is here in RuleBasedAuthorizationPlugin.java:
> https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153
>
> Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class which I added and included in the new plugin class).
>
> In case we need strict host validations, I added 2 new json properties for that:
> 1. { "user-host" : {"<username>" : [<hostnames array>]} }
> 2. {"user-host-regex" : {"<username>" : "hostname-regex"} }
>
> {{user-host-regex}} has higher precedence than {{user-host}}
>
>
> Diffs
> -----
>
>   ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraKerberosHostValidator.java PRE-CREATION
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraKerberosHostValidatorTest.java PRE-CREATION
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION
>   ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050
>   ambari-logsearch/pom.xml 7aeb4a7
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml ed623df
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24
>   ambari-server/src/test/python/stacks/2.4/configs/default.json 7a940d3
>
> Diff: https://reviews.apache.org/r/56179/diff/
>
>
> Testing
> -------
>
> unit tests done, behavior validated with unit tests. FT: validated with logsearch and atlas as well.
>
>
> Thanks,
>
> Oliver Szabo
>
>
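
The host check described in the review request (`user-host` and `user-host-regex`, with the regex taking precedence), as an added example that is not code from the Ambari plugin or from either participant. The class and method names are hypothetical, the hostnames and rules are constructed, and it assumes principals of the form `name/host@REALM` and that a user with no rule configured is not host-restricted.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

public class HostRuleExample {
    /** Splits "name/host@REALM" into {name, host}; host is null when the principal has none. */
    static String[] nameAndHost(String principal) {
        int at = principal.lastIndexOf('@');
        if (at <= 0) throw new IllegalArgumentException("no realm in principal: " + principal);
        String primary = principal.substring(0, at);
        int slash = primary.indexOf('/');
        if (slash < 0) return new String[] {primary, null};
        return new String[] {primary.substring(0, slash),
                             primary.substring(slash + 1).toLowerCase(Locale.ROOT)};
    }

    /** Assumed semantics: a regex rule for the user wins over its host list; no rule, no check. */
    static boolean hostAllowed(String principal, Map<String, List<String>> userHost,
                               Map<String, String> userHostRegex) {
        String[] parts = nameAndHost(principal);
        String host = parts[1];
        String regex = userHostRegex.get(parts[0]);
        if (regex != null) {
            // matches() must cover the whole hostname; find() would accept a substring hit.
            return host != null
                && Pattern.compile(regex, Pattern.CASE_INSENSITIVE).matcher(host).matches();
        }
        List<String> hosts = userHost.get(parts[0]);
        if (hosts != null) {
            return host != null && hosts.stream().anyMatch(h -> h.equalsIgnoreCase(host));
        }
        return true; // no host rule configured for this user
    }

    public static void main(String[] args) {
        // Constructed sample rules mirroring the "user-host" and "user-host-regex" properties.
        Map<String, List<String>> userHost = Map.of(
            "atlas", List.of("c6401.example.com"), "logsearch", List.of("c6401.example.com"));
        Map<String, String> userHostRegex = Map.of("logsearch", "c64\\d+\\.example\\.com");
        String[] principals = {
            "atlas/c6401.example.com@EXAMPLE.COM",          // host is in atlas's list
            "atlas/c6402.example.com@EXAMPLE.COM",          // host is not in the list
            "logsearch/c6402.example.com@EXAMPLE.COM",      // regex rule replaces the list
            "logsearch/c6402.example.com.test@EXAMPLE.COM", // regex must match the full host
            "ranger@EXAMPLE.COM"                            // no rule for this user
        };
        for (String p : principals) {
            System.out.println(p + " -> " + hostAllowed(p, userHost, userHostRegex));
        }
    }
}
```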
