Jeff Sposetti created AMBARI-11437:
--------------------------------------

                 Summary: Improve Ambari LDAP user login process
                     Key: AMBARI-11437
                     URL: https://issues.apache.org/jira/browse/AMBARI-11437
                 Project: Ambari
              Issue Type: Improvement
              Components: ambari-server
        Affects Versions: 1.7.0
                Reporter: Jeff Sposetti

Most enterprise users handle entitlements through LDAP groups. In order to gain access to enterprise resources, users request to become a member of a group, and once added, the assumption is that access is granted immediately.

In Ambari today a user may become a member of Group "HDPAdmins" at 10:00am in LDAP, but will not have access to their authorized views and capabilities within Ambari until the LDAP sync process is run.

I'm proposing that we allow a step during the LDAP user login to query for the list of groups that user is a member of, and if they are a member of a previously synced group (as part of the LDAP query result), but the Ambari Server doesn't see them as a member of that group, we then should add them and give them access to what they're authorized to see.

The same goes for users leaving groups. If during login we identify that the user is no longer a member of a group we had synced and thought they were a member of, we should remove them and not grant them access.

Most enterprises want to sync a handful of groups used for authorization, and a handful of individual users. This feature would allow their users to have instant access to authorized content in Ambari without having to run the LDAP sync process. As soon as a user becomes a member of a group in LDAP, they can consume the Ambari content that that group membership entitles them to see as soon as they log in.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
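As an added illustration of the login-time reconciliation the proposal describes (example code written here, not Ambari's implementation), the following compares the groups LDAP reports for a user at login with what Ambari has recorded, and limits changes to groups Ambari has previously synced so that local groups and never-synced LDAP groups are left alone. The group names, the local group and the "lookup failed" handling are constructed assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupChanges:
    """Membership changes to apply to the logging-in user."""
    added: frozenset
    removed: frozenset


def reconcile_login_groups(ldap_groups, ambari_memberships, synced_groups):
    """Work out membership changes for one user at LDAP login time.

    ldap_groups        groups LDAP reports the user is in right now (None if the lookup failed)
    ambari_memberships groups Ambari currently records the user in (synced and local)
    synced_groups      LDAP groups Ambari has previously synced and therefore manages

    Only synced groups are reconciled: a local Ambari group is never touched, and an
    LDAP group that was never synced grants nothing until it is synced.
    """
    if ldap_groups is None:
        # Assumption for this example: a failed lookup leaves memberships as they
        # were at the last sync rather than silently revoking or granting access.
        return GroupChanges(frozenset(), frozenset())
    ldap_synced = frozenset(ldap_groups) & frozenset(synced_groups)
    current_synced = frozenset(ambari_memberships) & frozenset(synced_groups)
    return GroupChanges(
        added=ldap_synced - current_synced,      # joined in LDAP since last sync
        removed=current_synced - ldap_synced,    # left in LDAP since last sync
    )


def apply_login_changes(ambari_memberships, changes):
    """Return the user's memberships after the reconciliation is applied."""
    return (frozenset(ambari_memberships) - changes.removed) | changes.added


def demo():
    # Constructed scenario: the user was added to HDPAdmins in LDAP after the last
    # sync and dropped from HDPOps; "local-viewers" is a local (non-LDAP) group;
    # "Engineering" is an LDAP group Ambari never synced.
    synced = {"HDPAdmins", "HDPOps"}
    ambari_now = {"HDPOps", "local-viewers"}
    ldap_now = {"HDPAdmins", "Engineering"}
    changes = reconcile_login_groups(ldap_now, ambari_now, synced)
    return changes, apply_login_changes(ambari_now, changes)


if __name__ == "__main__":
    print(demo())
```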