-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/
-----------------------------------------------------------

(Updated Feb. 6, 2017, 8:18 p.m.)


Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.


Changes
-------

more small fixes


Bugs: AMBARI-19822
    https://issues.apache.org/jira/browse/AMBARI-19822


Repository: ambari


Description
-------

Problem:
If an Ambari cluster is secured and Kerberos authentication is used for Solr, we need (default) authorizations as well, to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and the solr user as well).

Solution:
Although RuleBasedAuthorizationPlugin seems to be a good solution here for mapping default users to default permissions, unfortunately permissions and roles use the principal name (not the username) from the authentication tokens for the mapping. Also, Solr name rules are applied to the username and not to the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added my own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users in <name>@<DOMAIN> format.

The problem is here in RuleBasedAuthorizationPlugin.java:
https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153

Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (with the InfraUserRolesLookupStrategy class, which I added and included in the new plugin class).

In case we need strict host validation, I added 2 new JSON properties for that:
1. { "user-host" : {"<username>" : [<hostnames array>]} }
2. { "user-host-regex" : {"<username>" : "hostname-regex"} }

{{user-host-regex}} has higher precedence than {{user-host}}.


Diffs (updated)
-----

  ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraKerberosHostValidator.java PRE-CREATION
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraKerberosHostValidatorTest.java PRE-CREATION
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION
  ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050
  ambari-logsearch/pom.xml 7aeb4a7
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml ed623df
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24
  ambari-server/src/test/python/stacks/2.4/configs/default.json 7a940d3

Diff: https://reviews.apache.org/r/56179/diff/


Testing
-------

Unit tests done, behavior validated with unit tests.
FT: validated with logsearch and atlas as well.


Thanks,

Oliver Szabo
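
The mapping and host check described in this review request, sketched as an added example; this is not code from the patch or from Solr. It assumes principals have the usual Kerberos form `name/host@REALM`, and that a user with no entry in either property is not host-restricted; the class name, method names and sample values are hypothetical.

```java
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration; class and method names are hypothetical, not the plugin's API.
public class PrincipalHostCheck {
    // Split "name/host@REALM" (or "name@REALM") into {name, host-or-null, realm}.
    static String[] parse(String principal) {
        int at = principal.lastIndexOf('@');
        if (at <= 0 || at == principal.length() - 1)
            throw new IllegalArgumentException("no realm in principal: " + principal);
        String primary = principal.substring(0, at);
        int slash = primary.indexOf('/');
        String name = slash < 0 ? primary : primary.substring(0, slash);
        String host = slash < 0 ? null : primary.substring(slash + 1);
        return new String[] {name, host, principal.substring(at + 1)};
    }

    // Key for the role lookup: the host part is dropped, leaving <name>@<DOMAIN>.
    static String roleKey(String principal) {
        String[] p = parse(principal);
        return p[0] + "@" + p[2];
    }

    // Host check: a "user-host-regex" entry for the user wins over a "user-host" entry.
    // Assumption: a user listed in neither map is not host-restricted.
    static boolean hostAllowed(String principal, Map<String, List<String>> userHost,
                               Map<String, String> userHostRegex) {
        String[] p = parse(principal);
        String regex = userHostRegex.get(p[0]);
        List<String> hosts = userHost.get(p[0]);
        if (regex == null && hosts == null) return true;
        if (p[1] == null) return false; // restricted user, but the principal has no host part
        if (regex != null) return Pattern.matches(regex, p[1]);
        return hosts.contains(p[1]);
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the review request.
        Map<String, List<String>> userHost = Map.of(
                "atlas", List.of("c6401.example.com"), "logsearch", List.of("c6402.example.com"));
        Map<String, String> userHostRegex = Map.of("logsearch", "c64\\d+\\.example\\.com");
        for (String pr : List.of("atlas/c6401.example.com@EXAMPLE.COM",
                "atlas/other.example.net@EXAMPLE.COM", "logsearch/c6409.example.com@EXAMPLE.COM")) {
            System.out.println(pr + " -> role key " + roleKey(pr)
                    + ", host allowed: " + hostAllowed(pr, userHost, userHostRegex));
        }
    }
}
```

The third sample principal passes only because the regex entry takes precedence; the `user-host` list for `logsearch` alone would reject `c6409.example.com`.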