> On Oct. 3, 2016, 1:17 p.m., Robert Levas wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java,
> >  lines 955-960
> > <https://reviews.apache.org/r/52369/diff/3/?file=1518904#file1518904line955>
> >
> >     roles may be set today, but in the future these may be customizable by 
> > the user.
> 
> Vishal Ghugare wrote:
>     - Is anyone already working on it? Is there any JIRA to track this work? 
>     - How is the upgrade handled in this case (upgrade from a version which has 
> predefined roles to a version which has configurable roles)?
> 
> Robert Levas wrote:
>     I am not sure how this will work yet, and there is no JIRA open, but I 
> would still avoid hard-coding this. That said, I am not sure why there is a 
> need to make this part of the configuration data.

The hardcoded roles are to help customers make use of the predefined roles in 
Ambari (Cluster Admin, Cluster Operator and so on) and bootstrap their PAM 
authorization. I understand that the predefined roles (and their names) may be 
customizable by the user in the future, but at the minimum, the "Admin" role 
will still need to be predefined since the pre-created "admin" user should be 
removed in the near future for the PAM/LDAP use case as it creates a security 
hole. When the change to make roles configurable happens, the PAM-related code 
in Users.java & setupSecurity.py will also need to be changed accordingly (not 
sure how these customized roles will be defined initially). Having the choice 
(which is optional) to create custom groups (with assigned roles) during PAM 
setup gives the user an entry point to bootstrap the authorization in Ambari. 
Also, these custom groups are part of the PAM setup (just like any other setup, 
for example setup-ldap) and it makes sense for the properties to be stored in 
the configuration file.


> On Oct. 3, 2016, 1:17 p.m., Robert Levas wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/orm/entities/GroupEntity.java,
> >  lines 64-70
> > <https://reviews.apache.org/r/52369/diff/3/?file=1518897#file1518897line64>
> >
> >     Are both `ldapGroup` and `groupType` necessary... wouldn't only 
> > `groupType` be needed?
> 
> Vishal Ghugare wrote:
>     I tried to keep the groups table consistent with the existing users table 
> functionality (which also has ldap_user column).
> 
> Robert Levas wrote:
>     I don't like it, but I will drop this issue. We should create a JIRA to 
> fix it though.

A new JIRA is opened to address this issue: AMBARI-18533.


- Vishal


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/52369/#review151223
-----------------------------------------------------------


On Oct. 3, 2016, 7:57 p.m., Vishal Ghugare wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/52369/
> -----------------------------------------------------------
> 
> (Updated Oct. 3, 2016, 7:57 p.m.)
> 
> 
> Review request for Ambari, Alejandro Fernandez, Di Li, and Robert Levas.
> 
> 
> Bugs: AMBARI-12263
>     https://issues.apache.org/jira/browse/AMBARI-12263
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Hello Robert,
> 
> How are you doing? 
> 
> We have been working on PAM support into Ambari and have something ready for 
> review. Can you please take a look at the patch and documentation and provide 
> your feedback.
> 
> Please let me know if you have any questions.
> 
> Note: I have added you as a reviewer as I see some authentication related 
> commits under your name.
> 
> Thanks,
> -Vishal
> 
> 
> Diffs
> -----
> 
>   ambari-server/pom.xml d507b82
>   ambari-server/sbin/ambari-server 762ae19
>   ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java 2e850ef
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java 1fc9dbf
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 5e498f0
>   ambari-server/src/main/java/org/apache/ambari/server/controller/GroupResponse.java ef28f61
>   ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupResourceProvider.java e1aa5ac
>   ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java bdd73a6
>   ambari-server/src/main/java/org/apache/ambari/server/orm/dao/ResourceDAO.java e4ed9c6
>   ambari-server/src/main/java/org/apache/ambari/server/orm/entities/GroupEntity.java 00e233e
>   ambari-server/src/main/java/org/apache/ambari/server/security/ClientSecurityType.java 26d4da7
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariPamAuthenticationProvider.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Group.java b20df8d
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/GroupType.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/PamAuthenticationException.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/UserType.java aa9f3e0
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java e547f05
>   ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java 185bd58
>   ambari-server/src/main/python/ambari-server.py bb6bc0e
>   ambari-server/src/main/python/ambari_server/setupActions.py 697bc1d
>   ambari-server/src/main/python/ambari_server/setupSecurity.py 119a7d8
>   ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql 1d55515
>   ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql 49f3e2f
>   ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql 7aa52ef
>   ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql 0c95471
>   ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql 631b5c4
>   ambari-server/src/main/resources/properties.json eb27878
>   ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml 500c0bf
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariPamAuthenticationProviderTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java a80cd03
>   ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java 7b6c3ad
> 
> Diff: https://reviews.apache.org/r/52369/diff/
> 
> 
> Testing
> -------
> 
> No test cases added at this point.
> 
> 
> File Attachments
> ----------------
> 
> AMBARI-12263_trunk.patch
>   https://reviews.apache.org/media/uploaded/files/2016/09/30/80254a19-7d51-46f0-80f9-07e664b814ec__AMBARI-12263_trunk.patch
> 
> 
> Thanks,
> 
> Vishal Ghugare
> 
>
