-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62064/
-----------------------------------------------------------
(Updated Sept. 4, 2017, 1:47 p.m.)
Review request for Ambari, Attila Doroszlai, Attila Magyar, and Robert Levas.
Bugs: AMBARI-21873
https://issues.apache.org/jira/browse/AMBARI-21873
Repository: ambari
Description (updated)
-------
This feature adds the possibility to handle users belonging to defined LDAP
groups as Ambari administrators during the LDAP sync.
The list of the groups that need to be considered is stored in the Ambari
property:
```java
authorization.ldap.adminGroupMappingRules
```
The solution is to grant admin privileges to users belonging to these groups on
LDAP sync.
Warning:
* changes in the LDAP group memberships will not be reflected in Ambari after
the sync (e.g. administrator privileges won't be automatically revoked if users
are removed from the groups listed in the property)
* administrator privileges can be granted/removed by another administrator
using the Ambari UI, thus these actions can interfere
* if groups are not synced, this property is not taken into account
Diffs
-----
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
7d8c683
Diff: https://reviews.apache.org/r/62064/diff/1/
Testing
-------
Manually:
ambari-server sync-ldap --all
- all users made admin
ambari-server sync-ldap --users /tmp/users.csv
- user imported, property not taken into account
ambari-server sync-ldap --groups /tmp/groups.csv
- the csv contains a group in the mapping rule, all users in LDAP belonging to
the group imported and made admin
ambari-server sync-ldap --groups /tmp/groups.csv
- manually modified the admin (revoked admin privileges)
- the ldap sync didn’t override the manual setting
Unit tests ... in progress
Thanks,
Laszlo Puskas