Jeff Sposetti created AMBARI-11437:
--------------------------------------

             Summary: Improve Ambari LDAP user login process
                 Key: AMBARI-11437
                 URL: https://issues.apache.org/jira/browse/AMBARI-11437
             Project: Ambari
          Issue Type: Improvement
          Components: ambari-server
    Affects Versions: 1.7.0
            Reporter: Jeff Sposetti


Most enterprise users handle entitlements through LDAP groups. In order to gain 
access to enterprise resources, users request to become a member of a group, 
and once added, the assumption is that access is granted immediately.

In Ambari today a user may become a member of Group "HDPAdmins" at 10:00am in 
LDAP, but will not have access to their authorized views and capabilities 
within Ambari until the LDAP sync process is run.

I'm proposing that we allow a step during the LDAP user login to query for the 
list of groups that user is a member of, and if they are a member of a 
previously synced group (as part of the LDAP query result), but the Ambari 
Server doesn't see them as a member of a group, we then should add them and 
give them access to what they're authorized to see.

The same goes for users leaving groups. If during login we identify that the 
user is no longer a member of a group we had synced and thought they were a 
member of, we should remove them and not grant them access.

Most enterprises want to sync a handful of groups used for authorization, and 
a handful of individual users. This feature would allow their users to have 
instant access to authorized content in Ambari without having to run the LDAP 
sync process. As soon as a user becomes a member of a group in LDAP, they can 
consume the Ambari content that that group membership entitles them to see as 
soon as they log in.
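As an added illustration of the login-time reconciliation proposed above (this is example code, not Ambari's own implementation), assuming a minimal in-memory model: `AmbariState` holds the set of groups an administrator has previously synced and each user's current Ambari-side memberships, and `reconcile_on_login` receives the group list returned by the LDAP query for the user who is logging in.

```python
"""Login-time reconciliation of a user's group memberships against LDAP.

Hypothetical model: only groups that were previously synced into Ambari are
touched. LDAP groups Ambari has never synced are ignored, and memberships
that were assigned locally (not via sync) are left alone.
"""
from dataclasses import dataclass, field


@dataclass
class AmbariState:
    # Groups previously synced from LDAP (e.g. by the LDAP sync process).
    synced_groups: set
    # Current Ambari-side membership: user name -> set of group names.
    memberships: dict = field(default_factory=dict)


def reconcile_on_login(state, user, ldap_groups):
    """Align the user's Ambari memberships with the LDAP query result.

    Returns (added, removed): the synced groups the user was granted and
    the synced groups the user was removed from during this login.
    """
    ldap_groups = set(ldap_groups)
    current = state.memberships.setdefault(user, set())
    # Add: LDAP says the user is in a synced group, but Ambari does not know it.
    added = (ldap_groups & state.synced_groups) - current
    # Remove: Ambari thinks the user is in a synced group, LDAP no longer does.
    removed = (current & state.synced_groups) - ldap_groups
    current |= added
    current -= removed
    return added, removed


def authorized_groups(state, user):
    """Groups Ambari currently treats the user as a member of."""
    return set(state.memberships.get(user, set()))


if __name__ == "__main__":
    # Constructed scenario: HDPAdmins is synced; Finance never was.
    state = AmbariState(synced_groups={"HDPAdmins", "HDPUsers"})
    print(reconcile_on_login(state, "alice", ["HDPAdmins", "Finance"]))
    print(reconcile_on_login(state, "alice", ["Finance"]))
```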

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
