Details
-
Epic
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
2.0.0
-
Ambari role-based access control
Description
Ambari currently integrates with external authentication systems and is able to authenticate users using enterprise-wide LDAP systems, such as Active Directory, OpenLDAP, and Apache Directory Service. However, more flexibility is now needed to allow for those authenticated users to be segmented into more granular roles. These roles allow Ambari-level administrators to create different levels of cluster-level administrators to manage certain administrative operations that need to be performed on a cluster. This effectively spreads out the responsibilities of managing a cluster while not handing over total control of the Ambari management facility.
Ambari to provide role-based access controls beyond today's Ambari Admin, Operator and Read-Only permissions.
| Role | Description |
|---|---|
| Cluster User (was Read-only) | This exists as of Ambari 1.7.0. Read-only view of cluster information, including configurations, service status and health alerts |
| Service Operator | Provides control of service lifecycle (start/stop/restart/decomm/recom) |
| Service Administrator | Service Operator + ability to re-configure (change/compare/revert), configure HA |
| Cluster Operator | Service Administrator + add/remove hosts and components (for existing services) |
| Cluster Administrator | Cluster Operator + enable/disable kerberos, modify alerts, add service, perform upgrade (renamed from Operator) |
| Administrator | This exists as of Ambari 1.7.0. Full cluster control + manage user, groups and views and this flag is applicable to any user regardless of Role |
Each role is to have permissions as shown below:
| Cluster User |
Service Operator |
Service Administrator |
Cluster Operator |
Cluster Administrator |
Administrator | |
|---|---|---|---|---|---|---|
| Service-level Permissions | ||||||
| View metrics |  |
|
|
|
|
|
| View status information | |
|
|
|
|
|
| View configurations | |
|
|
|
|
|
| Compare configurations | |
|
|
|
|
|
| View alerts | |
|
|
|
|
|
| Start/Stop/Restart Service | |
|
|
|
|
|
| Decommission/recommission | |
|
|
|
|
|
| Run service checks | |
|
|
|
|
|
| Turn on/off maintenance mode | |
|
|
|
|
|
| Perform service-specific tasks | |
|
|
|
|
|
| Modify configurations | |
|
|
|
||
| Manage configuration groups | |
|
|
|
||
| Move to another host | |
|
|
|
||
| Enable/disable alerts | |
|
|
|
||
| Enable HA | |
|
|
|
||
| Add Service to cluster | |
|
||||
| Host-level Permissions | ||||||
| View metrics | |
|
|
|
|
|
| View status information | |
|
|
|
|
|
| View configuration | |
|
|
|
|
|
| Turn on/off maintenance mode | |
|
|
|||
| Install components | |
|
|
|||
| Add/Delete hosts | |
|
|
|||
| Cluster-level Permissions | ||||||
| View metrics | |
|
|
|
|
|
| View status information | |
|
|
|
|
|
| View configuration | |
|
|
|
|
|
| View stack version details | |
|
|
|
|
|
| View alerts | |
|
|
|
|
|
| Enable/disable alerts | |
|
||||
| Enable/disable Kerberos | |
|
||||
| Upgrade/downgrade stack | |
|
||||
| Ambari-level Permissions | ||||||
| Create new clusters | |
|||||
| Set service users and groups | |
|||||
| Rename clusters | |
|||||
| Manage users | |
|||||
| Manage groups | |
|||||
| Manage Ambari Views | |
|||||
| Assign permissions/roles | |
|||||
| Manage stack versions | |
|||||
| Edit stack repository URLs | |
NOTE: AmbariRole-basedAccessControl.pdf
claims the RBAC update is available in Ambari 2.2.0, however it was not implemented until Ambari 2.3.0 and further.