> On Oct. 7, 2016, 10:55 a.m., Robert Levas wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java, line 817
> > <https://reviews.apache.org/r/52369/diff/4/?file=1519678#file1519678line817>
> >
> > Since this is called each time Ambari starts up, new groups can be
> > _magically_ created each time Ambari is started. This seems like a
> > possible issue since it gives a non-Ambari-administrator the ability to
> > create groups and assign roles to them. In many cases, the user that has
> > write access to the ambari.properties file does not have admin access to
> > Ambari. So being able to change something like this becomes a security
> > hole.
> >
> > If we do find a way to do this securely, the solution should be more
> > generic since it may not apply only to PAM.
>
> Vishal Ghugare wrote:
> We could possibly do the PAM group creation securely & in a generic way
> by invoking a REST API (a new API).
>
> Robert Levas wrote:
> Can this feature be dropped from this patch? We can then create a JIRA
> and discuss a more generic and secure way to handle setting roles on imported
> or manually created groups. This will apply to the existing LDAP integration as
> well as any other authentication source we may add in the future.

Currently, the only way to create an LDAP group in Ambari is by LDAP-sync. Ambari does not have control over LDAP user-group membership. I will open a new JIRA for this work and take out the predefined group creation from this patch for now.

- Vishal

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/52369/#review151829
-----------------------------------------------------------

On Oct. 20, 2016, 6:01 p.m., Vishal Ghugare wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/52369/
> -----------------------------------------------------------
>
> (Updated Oct. 20, 2016, 6:01 p.m.)
>
>
> Review request for Ambari, Alejandro Fernandez, Di Li, and Robert Levas.
>
>
> Bugs: AMBARI-12263
>     https://issues.apache.org/jira/browse/AMBARI-12263
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Hello Robert,
>
> How are you doing?
>
> We have been working on PAM support in Ambari and have something ready for
> review. Can you please take a look at the patch and documentation and provide
> your feedback?
>
> Please let me know if you have any questions.
>
> Note: I have added you as a reviewer as I see some authentication related
> commits under your name.
>
> Thanks,
> -Vishal
>
>
> Diffs
> -----
>
>   ambari-server/pom.xml d507b82
>   ambari-server/sbin/ambari-server 762ae19
>   ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java 2e850ef
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java 1fc9dbf
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 5e498f0
>   ambari-server/src/main/java/org/apache/ambari/server/controller/GroupResponse.java ef28f61
>   ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupResourceProvider.java e1aa5ac
>   ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java bdd73a6
>   ambari-server/src/main/java/org/apache/ambari/server/orm/dao/GroupDAO.java 255c5e6
>   ambari-server/src/main/java/org/apache/ambari/server/orm/dao/ResourceDAO.java e4ed9c6
>   ambari-server/src/main/java/org/apache/ambari/server/orm/entities/GroupEntity.java 00e233e
>   ambari-server/src/main/java/org/apache/ambari/server/security/ClientSecurityType.java 26d4da7
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariPamAuthenticationProvider.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Group.java b20df8d
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/GroupType.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/PamAuthenticationException.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/UserType.java aa9f3e0
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java e547f05
>   ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java 185bd58
>   ambari-server/src/main/python/ambari-server.py bb6bc0e
>   ambari-server/src/main/python/ambari_server/setupActions.py 697bc1d
>   ambari-server/src/main/python/ambari_server/setupSecurity.py 119a7d8
>   ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql 1d55515
>   ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql 49f3e2f
>   ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql 7aa52ef
>   ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql 0c95471
>   ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql 631b5c4
>   ambari-server/src/main/resources/properties.json eb27878
>   ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml 500c0bf
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariPamAuthenticationProviderTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java a80cd03
>   ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java 7b6c3ad
>
> Diff: https://reviews.apache.org/r/52369/diff/
>
>
> Testing
> -------
>
> No test cases added at this point.
>
>
> File Attachments
> ----------------
>
> AMBARI-12263.patch_base
>   https://reviews.apache.org/media/uploaded/files/2016/10/17/5107a016-3a83-478c-b98c-2f35ecf6cbc5__AMBARI-12263.patch_base
>
>
> Thanks,
>
> Vishal Ghugare
>
>