[ https://issues.apache.org/jira/browse/AMBARI-16246?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Nechiporenko reopened AMBARI-16246:
----------------------------------------

> Allow roles to be treated like principals in Ambari DB
> ------------------------------------------------------
>
>                 Key: AMBARI-16246
>                 URL: https://issues.apache.org/jira/browse/AMBARI-16246
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: rbac
>             Fix For: 2.4.0
>
>         Attachments: AMBARI-16246_trunk_01.patch, AMBARI-16246_trunk_02.patch
>
>
> To support assigning privileges to users based on their roles, provide support 
> in the Ambari database to allow a {{role}} to be referenced as a 
> {{principal}}, similar to the way a {{user}} and a {{group}} are referenced as a 
> {{principal}}.
> A use-case to support the need for this is to assign access to a view to all 
> users with some specific role. Currently we can assign access to a view to a 
> specific user or group by assigning that user or group the {{VIEW.USER}} role 
> applied to the specific view.  To assign access to a view to users who have a 
> specific role, a {{role}} will need to behave like a {{principal}}.
> The following changes need to be made to the database:
> * Add {{principal_id}} column to the {{adminpermission}} table
> * Create a {{principaltype}} record where the {{principal_type_name}} is 
> '{{ROLE}}'
> * Add records to the {{adminprincipal}} table to represent each role in 
> {{adminpermission}}
> * Update {{adminpermission.principal_id}} to match the relevant records from 
> {{adminprincipal}}
> After this is complete, {{adminprivilege}} records can be created using roles 
> as principals. 
> NOTE: special handling will need to be done in the authorization logic to 
> dereference the role associations with the authenticated user, similar to the 
> way this is done for groups. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
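
The four database changes and the role dereferencing mentioned in the NOTE, as an added sketch that is not part of the issue or of Ambari's code. It runs against a constructed in-memory SQLite miniature: only the table names, {{principal_id}}, {{principal_type_name}}, 'ROLE' and VIEW.USER come from the issue; every other column, id, sample row and function name is an assumption.

```python
import sqlite3

def build_db():
    # Constructed miniature schema; columns other than principal_id and
    # principal_type_name are assumptions, as are the sample rows.
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE principaltype (principal_type_id INTEGER PRIMARY KEY, principal_type_name TEXT);
      CREATE TABLE adminprincipal (principal_id INTEGER PRIMARY KEY, principal_type_id INTEGER);
      CREATE TABLE adminpermission (permission_id INTEGER PRIMARY KEY, permission_name TEXT);
      CREATE TABLE adminprivilege (permission_id INTEGER, resource_id INTEGER, principal_id INTEGER);
      INSERT INTO principaltype VALUES (1, 'USER'), (2, 'GROUP');
      INSERT INTO adminprincipal VALUES (10, 1), (11, 1);          -- two users
      INSERT INTO adminpermission VALUES (1, 'CLUSTER.OPERATOR'), (2, 'VIEW.USER');
      INSERT INTO adminprivilege VALUES (1, 100, 10);  -- user 10: CLUSTER.OPERATOR on resource 100
    """)
    return db

def migrate(db):
    # The four database changes from the issue, in order.
    db.execute("ALTER TABLE adminpermission ADD COLUMN principal_id INTEGER")
    db.execute("INSERT INTO principaltype VALUES (3, 'ROLE')")
    ids = db.execute("SELECT permission_id FROM adminpermission ORDER BY permission_id").fetchall()
    for (perm_id,) in ids:
        cur = db.execute("INSERT INTO adminprincipal (principal_type_id) VALUES (3)")
        db.execute("UPDATE adminpermission SET principal_id = ? WHERE permission_id = ?",
                   (cur.lastrowid, perm_id))

def role_principal(db, role_name):
    return db.execute("SELECT principal_id FROM adminpermission WHERE permission_name = ?",
                      (role_name,)).fetchone()[0]

def effective_principals(db, user_pid):
    # The user plus the principal of each role the user holds directly.
    # Resolved one level only in this sketch, so role-to-role grants do not chain.
    rows = db.execute("""SELECT perm.principal_id FROM adminprivilege priv
                         JOIN adminpermission perm ON perm.permission_id = priv.permission_id
                         WHERE priv.principal_id = ?""", (user_pid,)).fetchall()
    return {user_pid} | {r[0] for r in rows}

def can_access(db, user_pid, permission_name, resource_id):
    pids = sorted(effective_principals(db, user_pid))
    marks = ",".join("?" * len(pids))  # placeholders only, values stay bound
    return db.execute(f"""SELECT 1 FROM adminprivilege priv
                          JOIN adminpermission perm ON perm.permission_id = priv.permission_id
                          WHERE perm.permission_name = ? AND priv.resource_id = ?
                            AND priv.principal_id IN ({marks})""",
                      (permission_name, resource_id, *pids)).fetchone() is not None

if __name__ == "__main__":
    db = build_db(); migrate(db)
    # Grant VIEW.USER on view resource 200 to everyone holding CLUSTER.OPERATOR.
    db.execute("INSERT INTO adminprivilege VALUES (2, 200, ?)", (role_principal(db, "CLUSTER.OPERATOR"),))
    print(can_access(db, 10, "VIEW.USER", 200), can_access(db, 11, "VIEW.USER", 200))
```

Without the dereferencing step in effective_principals, the privilege row granted to the role principal would never match any authenticated user.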
