[ https://issues.apache.org/jira/browse/AMBARI-11350?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tuong Truong updated AMBARI-11350:
----------------------------------
    Assignee: Robert Levas  (was: Tuong Truong)

> Finer-grained role AuthZ for Ambari Users
> -----------------------------------------
>
>                 Key: AMBARI-11350
>                 URL: https://issues.apache.org/jira/browse/AMBARI-11350
>             Project: Ambari
>          Issue Type: Improvement
>          Components: ambari-server
>    Affects Versions: 2.0.0
>            Reporter: Jeff Sposetti
>            Assignee: Robert Levas
>
> Ambari currently integrates with external authentication systems and is able
> to authenticate users using enterprise-wide LDAP systems, such as Active
> Directory, OpenLDAP, and Apache Directory Service. However, more flexibility
> is now needed to allow for those authenticated users to be segmented into
> more granular roles. These roles allow Ambari-level administrators to create
> different levels of cluster-level administrators to manage certain
> administrative operations that need to be performed on a cluster. This
> effectively spreads out the responsibilities of managing a cluster while not
> handing over total control of the Ambari management facility.
>
> Ambari to provide role-based access controls beyond today's Ambari Admin,
> Operator and Read-Only permissions.
>
> || Role || Description ||
> | Read-only | This exists as of Ambari 1.7.0. Read-only view of cluster information, including configurations, service status and health alerts |
> | *Service Administrator* | Provides control of service lifecycle (start/stop/restart/decomm/recom) |
> | *Service Operator* | Service Admin + ability to re-configure (change/compare/revert), configure HA |
> | *Cluster Administrator* | Service Operator + add/remove hosts and components (for existing services) |
> | *Cluster Operator* | Cluster Administrator + enable/disable kerberos, modify alerts, add service, perform upgrade (renamed from Operator) |
> | Ambari Admin | This exists as of Ambari 1.7.0. Full cluster control + manage user, groups and views and this flag is applicable to any user regardless of Role |
>
> Each role is to have permissions as shown below:
>
> || ||Read-Only||Service\\Administrator||Service\\Operator||Cluster\\Administrator||Cluster\\Operator||Administrator||
> ||Service-level Permissions||
> |View metrics |(+)|(+)|(+)|(+)|(+)|(+)|
> |View status information |(+)|(+)|(+)|(+)|(+)|(+)|
> |View configurations |(+)|(+)|(+)|(+)|(+)|(+)|
> |Compare configurations |(+)|(+)|(+)|(+)|(+)|(+)|
> |Start/Stop/Restart Service | |(+)|(+)|(+)|(+)|(+)|
> |Decommission/recommission | |(+)|(+)|(+)|(+)|(+)|
> |Run service checks | |(+)|(+)|(+)|(+)|(+)|
> |Turn on/off maintenance mode | |(+)|(+)|(+)|(+)|(+)|
> |Perform service-specific tasks| |(+)|(+)|(+)|(+)|(+)|
> |Modify configurations | | |(+)|(+)|(+)|(+)|
> |Manage configuration groups | | |(+)|(+)|(+)|(+)|
> |Move to another host | | |(+)|(+)|(+)|(+)|
> |Enable HA | | |(+)|(+)|(+)|(+)|
> |Add Service to cluster | | | | |(+)|(+)|
> ||*Host-level Permissions*||
> |View metrics |(+)|(+)|(+)|(+)|(+)|(+)|
> |View status information |(+)|(+)|(+)|(+)|(+)|(+)|
> |View configuration |(+)|(+)|(+)|(+)|(+)|(+)|
> |Turn on/off maintenance mode | | | |(+)|(+)|(+)|
> |Install components | | | |(+)|(+)|(+)|
> |Add/Delete hosts | | | |(+)|(+)|(+)|
> ||Cluster-level Permissions||
> |View metrics |(+)|(+)|(+)|(+)|(+)|(+)|
> |View status information |(+)|(+)|(+)|(+)|(+)|(+)|
> |View configuration |(+)|(+)|(+)|(+)|(+)|(+)|
> |View stack version details |(+)|(+)|(+)|(+)|(+)|(+)|
> |View alerts |(+)|(+)|(+)|(+)|(+)|(+)|
> |Enable/disable alerts | | | | |(+)|(+)|
> |Enable/disable Kerberos | | | | |(+)|(+)|
> |Upgrade/downgrade stack | | | | |(+)|(+)|
> ||Ambari-level Permissions||
> |Create new clusters | | | | | |(+)|
> |Set service users and groups | | | | | |(+)|
> |Rename clusters | | | | | |(+)|
> |Manage users | | | | | |(+)|
> |Manage groups | | | | | |(+)|
> |Manage Ambari Views | | | | | |(+)|
> |Assign permissions/roles | | | | | |(+)|
> |Manage stack versions | | | | | |(+)|
> |Edit stack repository URLs | | | | | |(+)|

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)