-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62064/#review184506
-----------------------------------------------------------

Ship it!


Ship It!

- Attila Magyar


On Sept. 4, 2017, 1:47 p.m., Laszlo Puskas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62064/
> -----------------------------------------------------------
>
> (Updated Sept. 4, 2017, 1:47 p.m.)
>
>
> Review request for Ambari, Attila Doroszlai, Attila Magyar, and Robert Levas.
>
>
> Bugs: AMBARI-21873
>     https://issues.apache.org/jira/browse/AMBARI-21873
>
>
> Repository: ambari
>
>
> Description
> -------
>
> This feature adds the possibility to handle users belonging to defined LDAP
> groups as ambari administrators during the LDAP sync.
> The list of the groups that need to be considered is stored in the ambari
> property:
> ```java
> authorization.ldap.adminGroupMappingRules
> ```
>
> The solution is to grant admin privileges to users belonging to these groups
> on LDAP sync.
>
> Warning:
> * changes in the LDAP group memberships will not be reflected in Ambari after
>   the sync (e.g. administrator privileges won't be automatically revoked if
>   users are removed from the groups listed in the property)
> * administrator privileges can be granted/removed by another administrator
>   using the ambari UI, thus these actions can interfere
> * if groups are not synced, this property is not taken into account
>
>
> Diffs
> -----
>
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
>   7d8c683
>
>
> Diff: https://reviews.apache.org/r/62064/diff/1/
>
>
> Testing
> -------
>
> Manually:
>
> ambari-server sync-ldap --all
> - all users made admin
>
> ambari-server sync-ldap --users /tmp/users.csv
> - user imported, property not taken into account
>
> ambari-server sync-ldap --groups /tmp/groups.csv
> - the csv contains a group in the mapping rule, all users in LDAP belonging
>   to the group imported and made admin
>
> ambari-server sync-ldap --groups /tmp/groups.csv
> - manually modified the admin (revoked admin privileges)
> - the ldap sync didn’t override the manual setting
>
> Unit tests ... in progress
>
>
> Thanks,
>
> Laszlo Puskas
>
>
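
The warnings in the quoted description mean that administrator rights granted by the sync stay in place after a user leaves a mapped LDAP group, and that manual changes in the UI can diverge from the mapping. The following is an added example, not code from the review request or from Ambari: a Python audit that compares the current Ambari administrators with the current membership of the mapped groups. It assumes a comma-separated value for `authorization.ldap.adminGroupMappingRules`, case-insensitive names, and user and group listings exported by the operator; all function names and sample data are constructed.

```python
# Added example: audit for admin-privilege drift after a grant-only LDAP sync.
# Function names and sample data are constructed. The comma-separated value
# format for authorization.ldap.adminGroupMappingRules is an assumption.

def parse_admin_groups(properties_text):
    """Return the group names listed in the mapping property, lower-cased."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "authorization.ldap.adminGroupMappingRules":
            return {g.strip().lower() for g in value.split(",") if g.strip()}
    return set()

def audit_admin_drift(admin_groups, ldap_memberships, ambari_admins):
    """Compare Ambari admins with current membership of the mapped LDAP groups.

    ldap_memberships: dict of group name -> user names (current LDAP state)
    ambari_admins:    user names that hold the administrator privilege
    """
    entitled = set()
    for group, members in ldap_memberships.items():
        if group.lower() in admin_groups:
            entitled.update(u.lower() for u in members)
    admins = {u.lower() for u in ambari_admins}
    return {
        # Admin in Ambari but in no mapped group: removed from the group after
        # a sync, or granted by hand in the UI. Review and revoke manually.
        "admin_without_group": sorted(admins - entitled),
        # In a mapped group but not admin: revoked by hand, or not synced yet.
        "group_member_without_admin": sorted(entitled - admins),
    }

# Constructed sample input.
SAMPLE_PROPERTIES = """
# ambari.properties excerpt (constructed)
authorization.ldap.adminGroupMappingRules=Hadoop-Admins, cluster-ops
"""
SAMPLE_LDAP = {
    "hadoop-admins": ["alice", "bob"],
    "cluster-ops": ["carol"],
    "analysts": ["dave"],
}
SAMPLE_AMBARI_ADMINS = ["admin", "alice", "carol", "erin"]

if __name__ == "__main__":
    groups = parse_admin_groups(SAMPLE_PROPERTIES)
    report = audit_admin_drift(groups, SAMPLE_LDAP, SAMPLE_AMBARI_ADMINS)
    for finding, users in report.items():
        print(f"{finding}: {', '.join(users) or '-'}")
```

Accounts reported under `admin_without_group` include local administrators that were never meant to come from LDAP, so the list is a review queue rather than a revocation list.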