----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/56179/#review164497 -----------------------------------------------------------
ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 (line 30) <https://reviews.apache.org/r/56179/#comment236265> The infra_solr_ranger_audit_service_users variable will give {default_ranger_audit_users} instead of calculated list of users in variable default_ranger_audit_users. ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml (line 27) <https://reviews.apache.org/r/56179/#comment236266> This should be {{default_ranger_audit_users}} - Mugdha Varadkar On Feb. 6, 2017, 8:32 p.m., Oliver Szabo wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/56179/ > ----------------------------------------------------------- > > (Updated Feb. 6, 2017, 8:32 p.m.) > > > Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian > Toader. > > > Bugs: AMBARI-19822 > https://issues.apache.org/jira/browse/AMBARI-19822 > > > Repository: ambari > > > Description > ------- > > Problem: > If an ambari cluster is secured and kerberos authentication is used for Solr, > we need (default) authorizations as well to make sure only the specific > service users (ranger, atlas, logsearch) can access their collections (and > solr user as well) > > Solution: > Although RuleBasedAuthorizationPlugin seems to be a good solution here, to > map default users to default permissions, unfortunately, permissions and > roles using principal name for mapping (not username) from the authentication > tokens. Also Solr name rules applied on the username and not on the > principal, therefore we need the fully qualified hostname as well in the > role-permission mapping. In order to avoid that issue, I added an own plugin > (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin), to map > users with <name>@<DOMAIN> format. > > to problem is in here in RuleBasedAuthorizationPlugin.java: > https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153 > > notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file > (InfraUserRolesLookupStrategy class which I added and included in the new > plugin class) > > In case of we need strict host validations i added 2 new json properties for > that: > 1. { "user-host" : {"<username>" : [<hostnames array>]} } > 2. {"user-host-regex" : {"<username>" : "hostname-regex"} } > > {{user-host-regex}} has higher precedence then {{user-host}} > > > Diffs > ----- > > ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION > > ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraKerberosHostValidator.java > PRE-CREATION > > ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java > PRE-CREATION > > ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java > PRE-CREATION > > ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraKerberosHostValidatorTest.java > PRE-CREATION > > ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java > PRE-CREATION > > ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java > PRE-CREATION > ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 > ambari-logsearch/pom.xml 7aeb4a7 > > ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml > ed623df > > ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py > 526baea > > ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 > d8aea24 > ambari-server/src/test/python/stacks/2.4/configs/default.json 7a940d3 > > Diff: https://reviews.apache.org/r/56179/diff/ > > > Testing > ------- > > unit tests done, behavior validated with unit tests. FT: validated with > logsearch and atlas as well. > > > Thanks, > > Oliver Szabo > >
