[
https://issues.apache.org/jira/browse/AMBARI-11350?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tuong Truong updated AMBARI-11350:
----------------------------------
Assignee: Robert Levas (was: Tuong Truong)
> Finer-grained role AuthZ for Ambari Users
> -----------------------------------------
>
> Key: AMBARI-11350
> URL: https://issues.apache.org/jira/browse/AMBARI-11350
> Project: Ambari
> Issue Type: Improvement
> Components: ambari-server
> Affects Versions: 2.0.0
> Reporter: Jeff Sposetti
> Assignee: Robert Levas
>
> Ambari currently integrates with external authentication systems and is able
> to authenticate users using enterprise-wide LDAP systems, such as Active
> Directory, OpenLDAP, and Apache Directory Service. However, more flexibility
> is now needed to allow for those authenticated users to be segmented into
> more granular roles. These roles allow Ambari-level administrators to create
> different levels of cluster-level administrators to manage certain
> administrative operations that need to be performed on a cluster. This
> effectively spreads out the responsibilities of managing a cluster while not
> handing over total control of the Ambari management facility.
> Ambari to provide role-based access controls beyond today's Ambari Admin,
> Operator and Read-Only permissions.
> || Role || Description ||
> | Read-only | This exists as of Ambari 1.7.0. Read-only view of cluster
> information, including configurations, service status and health alerts|
> | *Service Administrator* | Provides control of service lifecycle
> (start/stop/restart/decomm/recom) |
> | *Service Operator* | Service Admin + ability to re-configure
> (change/compare/revert), configure HA |
> | *Cluster Administrator* | Service Operator + add/remove hosts and
> components (for existing services) |
> | *Cluster Operator* | Cluster Administrator + enable/disable kerberos,
> modify alerts, add service, perform upgrade (renamed from Operator) |
> | Ambari Admin | This exists as of Ambari 1.7.0. Full cluster control +
> manage user, groups and views and this flag is applicable to any user
> regardless of Role |
> Each role is to have permissions as shown below:
> ||
> ||Read-Only||Service\\Administrator||Service\\Operator||Cluster\\Administrator||Cluster\\Operator||Administrator||
> ||Service-level Permissions||
> |View metrics |(+)|(+)|(+)|(+)|(+)|(+)|
> |View status information |(+)|(+)|(+)|(+)|(+)|(+)|
> |View configurations |(+)|(+)|(+)|(+)|(+)|(+)|
> |Compare configurations |(+)|(+)|(+)|(+)|(+)|(+)|
> |Start/Stop/Restart Service | |(+)|(+)|(+)|(+)|(+)|
> |Decommission/recommission | |(+)|(+)|(+)|(+)|(+)|
> |Run service checks | |(+)|(+)|(+)|(+)|(+)|
> |Turn on/off maintenance mode | |(+)|(+)|(+)|(+)|(+)|
> |Perform service-specific tasks| |(+)|(+)|(+)|(+)|(+)|
> |Modify configurations | | |(+)|(+)|(+)|(+)|
> |Manage configuration groups | | |(+)|(+)|(+)|(+)|
> |Move to another host | | |(+)|(+)|(+)|(+)|
> |Enable HA | | |(+)|(+)|(+)|(+)|
> |Add Service to cluster | | | | |(+)|(+)|
> ||*Host-level Permissions*||
> |View metrics |(+)|(+)|(+)|(+)|(+)|(+)|
> |View status information |(+)|(+)|(+)|(+)|(+)|(+)|
> |View configuration |(+)|(+)|(+)|(+)|(+)|(+)|
> |Turn on/off maintenance mode | | | |(+)|(+)|(+)|
> |Install components | | | |(+)|(+)|(+)|
> |Add/Delete hosts | | | |(+)|(+)|(+)|
> ||Cluster-level Permissions||
> |View metrics |(+)|(+)|(+)|(+)|(+)|(+)|
> |View status information |(+)|(+)|(+)|(+)|(+)|(+)|
> |View configuration |(+)|(+)|(+)|(+)|(+)|(+)|
> |View stack version details |(+)|(+)|(+)|(+)|(+)|(+)|
> |View alerts |(+)|(+)|(+)|(+)|(+)|(+)|
> |Enable/disable alerts | | | | |(+)|(+)|
> |Enable/disable Kerberos | | | | |(+)|(+)|
> |Upgrade/downgrade stack | | | | |(+)|(+)|
> ||Ambari-level Permissions||
> |Create new clusters | | | | | |(+)|
> |Set service users and groups | | | | | |(+)|
> |Rename clusters | | | | | |(+)|
> |Manage users | | | | | |(+)|
> |Manage groups | | | | | |(+)|
> |Manage Ambari Views | | | | | |(+)|
> |Assign permissions/roles | | | | | |(+)|
> |Manage stack versions | | | | | |(+)|
> |Edit stack repository URLs | | | | | |(+)|
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
