-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62064/#review184506
-----------------------------------------------------------


Ship it!





- Attila Magyar


On Sept. 4, 2017, 1:47 p.m., Laszlo Puskas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62064/
> -----------------------------------------------------------
> 
> (Updated Sept. 4, 2017, 1:47 p.m.)
> 
> 
> Review request for Ambari, Attila Doroszlai, Attila Magyar, and Robert Levas.
> 
> 
> Bugs: AMBARI-21873
>     https://issues.apache.org/jira/browse/AMBARI-21873
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> This feature adds the possibility to handle users belonging to defined LDAP 
> groups as Ambari administrators during the LDAP sync.
> The list of the groups that need to be considered is stored in the Ambari 
> property:
> ```java
> authorization.ldap.adminGroupMappingRules
> ```
> 
> The solution is to grant admin privileges to users belonging to these groups 
> on LDAP sync.
> 
> Warning:
> * changes in the LDAP group memberships will not be reflected in Ambari after 
> the sync (e.g. administrator privileges won't be automatically revoked if 
> users are removed from the groups listed in the property)
> * administrator privileges can be granted/removed by another administrator 
> using the Ambari UI, thus these actions can interfere
> * if groups are not synced, this property is not taken into account
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java 7d8c683 
> 
> 
> Diff: https://reviews.apache.org/r/62064/diff/1/
> 
> 
> Testing
> -------
> 
> Manually:
> 
> ambari-server sync-ldap --all
> - all users made admin
> 
> ambari-server sync-ldap --users /tmp/users.csv
> - user imported, property not taken into account
> 
> ambari-server sync-ldap --groups /tmp/groups.csv
> - the csv contains a group in the mapping rule, all users in LDAP belonging 
> to the group imported and made admin
> 
> ambari-server sync-ldap --groups /tmp/groups.csv
> - manually modified the admin (revoked admin privileges)
> - the ldap sync didn’t override the manual setting
> 
> Unit tests ... in progress
> 
> 
> Thanks,
> 
> Laszlo Puskas
> 
>
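
The warnings in the quoted description mean that admin rights in Ambari can drift away from LDAP group membership after a sync. The audit below is an added example, not code from this review request or from Ambari: it flags LDAP users whose admin flag and mapped-group membership disagree. The comma-separated property format, the shape of both inputs and every name in the sample data are assumptions.

```python
# Added example: reconcile Ambari admin flags against current LDAP group membership.
# Assumptions (not from the review request): the property is a comma-separated list
# of group names, and both inputs were already exported into plain Python structures.

def parse_admin_groups(prop_value):
    """Normalize the authorization.ldap.adminGroupMappingRules value to a set."""
    return {g.strip().lower() for g in prop_value.split(",") if g.strip()}

def audit_admins(prop_value, ldap_groups, ambari_users):
    """Return LDAP users whose admin flag and mapped-group membership disagree."""
    admin_groups = parse_admin_groups(prop_value)
    entitled = set()
    for group, members in ldap_groups.items():
        if group.lower() in admin_groups:
            entitled.update(m.lower() for m in members)
    unbacked, not_admin = [], []
    for user in ambari_users:
        if not user["ldap_user"]:
            continue  # local accounts are outside the LDAP group mapping
        name = user["name"].lower()
        if user["admin"] and name not in entitled:
            # Left the group after a sync, or was promoted by hand in the UI.
            unbacked.append(user["name"])
        elif not user["admin"] and name in entitled:
            # Not synced yet, or admin was revoked by hand and the sync kept that.
            not_admin.append(user["name"])
    return {"unbacked_admins": sorted(unbacked),
            "entitled_not_admin": sorted(not_admin)}

# Constructed sample data.
SAMPLE_PROPERTY = "hadoop-admins, Cluster-Ops"
SAMPLE_LDAP_GROUPS = {
    "hadoop-admins": ["alice", "bob"],
    "cluster-ops": ["carol"],
    "analysts": ["dave", "erin"],
}
SAMPLE_AMBARI_USERS = [
    {"name": "alice", "ldap_user": True, "admin": True},
    {"name": "bob", "ldap_user": True, "admin": False},
    {"name": "carol", "ldap_user": True, "admin": True},
    {"name": "dave", "ldap_user": True, "admin": True},
    {"name": "erin", "ldap_user": True, "admin": False},
    {"name": "admin", "ldap_user": False, "admin": True},
]

if __name__ == "__main__":
    print(audit_admins(SAMPLE_PROPERTY, SAMPLE_LDAP_GROUPS, SAMPLE_AMBARI_USERS))
```

Entries under `unbacked_admins` are the ones to review for revocation, since the sync itself will not remove them.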
