> On Feb. 7, 2017, 12:23 p.m., Mugdha Varadkar wrote:
> > ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml,
> > line 27
> > <https://reviews.apache.org/r/56179/diff/11/?file=1625439#file1625439line27>
> >
> > This should be {{default_ranger_audit_users}}
That is resolved from a Python format string, so it's in { } not in {{ }}
- Oliver
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/#review164497
-----------------------------------------------------------
On Feb. 6, 2017, 8:32 p.m., Oliver Szabo wrote:
>
> (Updated Feb. 6, 2017, 8:32 p.m.)
>
>
> Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian
> Toader.
>
>
> Bugs: AMBARI-19822
> https://issues.apache.org/jira/browse/AMBARI-19822
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Problem:
> If an Ambari cluster is secured and Kerberos authentication is used for Solr,
> we need (default) authorizations as well to make sure only the specific
> service users (ranger, atlas, logsearch) can access their collections (and
> the solr user as well).
>
> Solution:
> Although RuleBasedAuthorizationPlugin seems to be a good solution here, to
> map default users to default permissions, unfortunately, permissions and
> roles use the principal name for mapping (not the username) from the
> authentication tokens. Also, Solr name rules are applied on the username and
> not on the principal, therefore we need the fully qualified hostname as well
> in the role-permission mapping. In order to avoid that issue, I added my own
> plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin),
> to map users with <name>@<DOMAIN> format.
>
> The problem is here in RuleBasedAuthorizationPlugin.java:
> https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153
>
> Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file
> (InfraUserRolesLookupStrategy class which I added and included in the new
> plugin class)
>
> In case we need strict host validations, I added 2 new JSON properties for
> that:
> 1. { "user-host" : {"<username>" : [<hostnames array>]} }
> 2. {"user-host-regex" : {"<username>" : "hostname-regex"} }
>
> {{user-host-regex}} has higher precedence than {{user-host}}
>
>
> Diffs
> -----
>
> ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION
>
> ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraKerberosHostValidator.java
> PRE-CREATION
>
> ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java
> PRE-CREATION
>
> ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java
> PRE-CREATION
>
> ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraKerberosHostValidatorTest.java
> PRE-CREATION
>
> ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java
> PRE-CREATION
>
> ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java
> PRE-CREATION
> ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050
> ambari-logsearch/pom.xml 7aeb4a7
>
> ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml
> ed623df
>
> ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py
> 526baea
>
> ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2
> d8aea24
> ambari-server/src/test/python/stacks/2.4/configs/default.json 7a940d3
>
> Diff: https://reviews.apache.org/r/56179/diff/
>
>
> Testing
> -------
>
> Unit tests done, behavior validated with unit tests. FT: validated with
> logsearch and atlas as well.
>
>
> Thanks,
>
> Oliver Szabo
>
>
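The mapping and host checks described in the review request above, sketched as an added example that is not taken from the Ambari plugin or from the review's author. The class and method names are hypothetical. It assumes principals of the form `name/host@REALM`, that a `user-host-regex` entry decides alone when present for a user, and that a user with neither entry is not host-restricted.

```java
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration; names are hypothetical, not the Ambari plugin's code.
public class PrincipalHostCheck {

    // Splits "name/host@REALM" into {name, host, realm}; host is null for "name@REALM".
    static String[] parse(String principal) {
        int at = principal.lastIndexOf('@');
        if (at <= 0 || at == principal.length() - 1)
            throw new IllegalArgumentException("malformed principal: " + principal);
        String left = principal.substring(0, at);
        int slash = left.indexOf('/');
        String name = slash < 0 ? left : left.substring(0, slash);
        String host = slash < 0 ? null : left.substring(slash + 1);
        if (name.isEmpty())
            throw new IllegalArgumentException("malformed principal: " + principal);
        return new String[] { name, host, principal.substring(at + 1) };
    }

    // Role lookup key in <name>@<DOMAIN> form: the host part is dropped.
    static String roleKey(String principal) {
        String[] p = parse(principal);
        return p[0] + "@" + p[2];
    }

    // Assumed semantics: a "user-host-regex" entry, if present, decides alone;
    // otherwise "user-host" decides; a user with neither entry is unrestricted.
    static boolean hostAllowed(String principal, Map<String, List<String>> userHost,
                               Map<String, String> userHostRegex) {
        String[] p = parse(principal);
        String regex = userHostRegex.get(p[0]);
        if (regex != null) // full match, so the pattern cannot match only a substring
            return p[1] != null && Pattern.matches(regex, p[1]);
        List<String> hosts = userHost.get(p[0]);
        if (hosts != null)
            return p[1] != null && hosts.contains(p[1]);
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample configuration and principals.
        Map<String, List<String>> userHost = Map.of(
            "atlas", List.of("host9.example.com"), "ranger", List.of("host1.example.com"));
        Map<String, String> userHostRegex = Map.of("atlas", "host[0-9]+\\.example\\.com");
        for (String pr : List.of("atlas/host2.example.com@EXAMPLE.COM",
                "ranger/host1.example.com@EXAMPLE.COM", "ranger/host2.example.com@EXAMPLE.COM"))
            System.out.println(roleKey(pr) + " hostAllowed=" + hostAllowed(pr, userHost, userHostRegex));
    }
}
```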