[jira] [Commented] (AMBARI-16247) Authorizations given to role-based principals must be dereferenced upon user login

Wed, 08 Jun 2016 12:18:47 -0700 

    [ 
https://issues.apache.org/jira/browse/AMBARI-16247?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15321275#comment-15321275
 ] 

Hudson commented on AMBARI-16247:
---------------------------------

FAILURE: Integrated in Ambari-trunk-Commit #5035 (See 
[https://builds.apache.org/job/Ambari-trunk-Commit/5035/])
AMBARI-16247. Authorizations given to role-based principals must be (rlevas: 
[http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=8c1564e083169196cf53b8c1a570bcf3c5f65e68])
* 
ambari-server/src/test/java/org/apache/ambari/server/security/authorization/UsersTest.java
* 
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java


> Authorizations given to role-based principals must be dereferenced upon user 
> login
> ----------------------------------------------------------------------------------
>
>                 Key: AMBARI-16247
>                 URL: https://issues.apache.org/jira/browse/AMBARI-16247
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.4.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: rbac
>             Fix For: 2.4.0
>
>         Attachments: AMBARI-16247_branch-2.4_01.patch, 
> AMBARI-16247_trunk_01.patch
>
>
> Authorizations given to role-based principals must be dereferenced upon user 
> login.  These authorizations are dynamically determined based on the user's 
> set of roles.  
> In 
> {{org.apache.ambari.server.security.authorization.AmbariLocalUserDetailsService#loadUserByUsername}},
>  the set of {{GrantedAuthorities}} the authenticated user is calculated.  
> During this process, using the set of {{cluster-level roles}} a user is 
> granted, any permissions given to matching role-based principals should be 
> given to the user. 
> This essentially work like giving privileges to a group of users calculated 
> at runtime. 
> A use-case to support the need for this is to assign access to a view to all 
> users with some specific role. Currently we can assign access to a view to a 
> specific user or group by assigning that user or group the {{VIEW.USER}} role 
> applied to the specific view.  To assign access a view to users who have a 
> specific role, a {{role}} will need to behave like a {{principal}}.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to