-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/
-----------------------------------------------------------

(Updated Feb. 6, 2017, 8:18 p.m.)


Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian 
Toader.


Changes
-------

more small fixes


Bugs: AMBARI-19822
    https://issues.apache.org/jira/browse/AMBARI-19822


Repository: ambari


Description
-------

Problem:
If an Ambari cluster is secured and Kerberos authentication is used for Solr, 
we need (default) authorizations as well to make sure only the specific service 
users (ranger, atlas, logsearch) can access their collections (and the solr user 
as well).

Solution:
Although RuleBasedAuthorizationPlugin seems to be a good solution here, to map 
default users to default permissions, unfortunately, permissions and roles 
use the principal name for mapping (not the username) from the authentication 
tokens. Also, Solr name rules are applied on the username and not on the 
principal, therefore we need the fully qualified hostname as well in the 
role-permission mapping. In order to avoid that issue, I added my own plugin 
(org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin), to map 
users with <name>@<DOMAIN> format.

The problem is here in RuleBasedAuthorizationPlugin.java:
https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153

Note that InfraRuleBasedAuthorizationPlugin is only a copy of that file 
(InfraUserRolesLookupStrategy is the class which I added and included in the new 
plugin class).

In case we need strict host validations, I added 2 new JSON properties for 
that:
1. { "user-host" : {"<username>" : [<hostnames array>]} }
2. {"user-host-regex" : {"<username>" : "hostname-regex"} }

{{user-host-regex}} has higher precedence than {{user-host}}


Diffs (updated)
-----

  ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraKerberosHostValidator.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraKerberosHostValidatorTest.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
  ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
  ambari-logsearch/pom.xml 7aeb4a7 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml ed623df 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 
  ambari-server/src/test/python/stacks/2.4/configs/default.json 7a940d3 

Diff: https://reviews.apache.org/r/56179/diff/


Testing
-------

Unit tests done, behavior validated with unit tests. FT: validated with 
logsearch and atlas as well.


Thanks,

Oliver Szabo
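
The host restriction described in the e-mail above (user-host, with user-host-regex taking precedence), as an added Java example that is not part of the patch under review. The class and method names are hypothetical, the principals and hostnames are constructed, and it assumes principals of the form name/host@REALM and that a user with neither entry is not host-restricted:

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration, not the code under review. All names here are hypothetical.
public class HostRuleSketch {

  // Splits "name/host@REALM" into {name, host, realm}; host is null for "name@REALM".
  static String[] parsePrincipal(String principal) {
    int at = principal.lastIndexOf('@');
    if (at <= 0 || at == principal.length() - 1) {
      throw new IllegalArgumentException("principal has no name or realm: " + principal);
    }
    String left = principal.substring(0, at);
    String realm = principal.substring(at + 1);
    int slash = left.indexOf('/');
    if (slash < 0) return new String[] {left, null, realm};
    return new String[] {left.substring(0, slash), left.substring(slash + 1), realm};
  }

  // Assumed semantics: a "user-host-regex" entry decides alone (higher precedence);
  // otherwise the "user-host" list decides; with neither entry there is no host check.
  static boolean hostAllowed(String principal, Map<String, List<String>> userHost,
                             Map<String, String> userHostRegex) {
    String[] p = parsePrincipal(principal);
    String user = p[0], host = p[1];
    String regex = userHostRegex.get(user);
    List<String> hosts = userHost.get(user);
    if (regex == null && hosts == null) return true;
    if (host == null) return false; // restricted user, but the principal carries no host
    if (regex != null) return Pattern.matches(regex, host); // full match, not a search
    return hosts.contains(host);
  }

  public static void main(String[] args) {
    // Constructed configuration: atlas has both entries, so only the regex is consulted.
    Map<String, List<String>> userHost =
        Collections.singletonMap("atlas", Arrays.asList("c6401.example.com"));
    Map<String, String> userHostRegex =
        Collections.singletonMap("atlas", "c64\\d+\\.example\\.com");
    // c6402 is absent from the user-host list but matches the regex.
    String[] samples = {"atlas/c6402.example.com@EXAMPLE.COM",
        "atlas/other.example.org@EXAMPLE.COM", "atlas@EXAMPLE.COM",
        "logsearch/c6401.example.com@EXAMPLE.COM"};
    for (String s : samples) {
      System.out.println(s + " -> " + hostAllowed(s, userHost, userHostRegex));
    }
  }
}
```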
