Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- 2.4.0
Description
Authorizations given to role-based principals must be dereferenced upon user login. These authorizations are dynamically determined based on the user's set of roles.
In org.apache.ambari.server.security.authorization.AmbariLocalUserDetailsService#loadUserByUsername, the set of GrantedAuthorities for the authenticated user is calculated. During this process, using the set of cluster-level roles a user is granted, any permissions given to matching role-based principals should be given to the user.
This essentially works like giving privileges to a group of users calculated at runtime.
A use case that supports the need for this is assigning access to a view to all users with some specific role. Currently we can assign access to a view to a specific user or group by assigning that user or group the VIEW.USER role applied to the specific view. To assign access to a view to users who have a specific role, a role will need to behave like a principal.
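The dereferencing step described above, modelled as an added example (not Ambari's code): the `Privilege` record, the `cluster:`/`view:` resource strings and the sample users are assumptions made for illustration. Roles are collected in a single pass, so a privilege inherited through a role cannot unlock further role-based principals.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class RolePrincipalDemo {
    enum PrincipalType { USER, GROUP, ROLE }

    // Hypothetical model of one privilege row: principal -> permission on a resource.
    record Privilege(PrincipalType type, String principal, String permission, String resource) {}

    // Computes the effective privileges for a user at login.
    static Set<Privilege> resolve(String user, Set<String> groups, List<Privilege> all) {
        Set<Privilege> effective = new LinkedHashSet<>();
        Set<String> clusterRoles = new LinkedHashSet<>();
        // Pass 1: privileges granted directly to the user or to one of the user's groups.
        for (Privilege p : all) {
            boolean direct = (p.type() == PrincipalType.USER && p.principal().equals(user))
                    || (p.type() == PrincipalType.GROUP && groups.contains(p.principal()));
            if (!direct) continue;
            effective.add(p);
            // Only roles held on a cluster resource count as cluster-level roles.
            if (p.resource().startsWith("cluster:")) clusterRoles.add(p.permission());
        }
        // Pass 2: add privileges whose principal is a role the user holds at cluster level.
        // clusterRoles is fixed after pass 1, so nothing inherited here is dereferenced again.
        for (Privilege p : all) {
            if (p.type() == PrincipalType.ROLE && clusterRoles.contains(p.principal())) {
                effective.add(p);
            }
        }
        return effective;
    }

    public static void main(String[] args) {
        // Constructed sample data: the last row must NOT reach alice, because she
        // holds VIEW.USER only through a role, not as a cluster-level role.
        List<Privilege> all = List.of(
            new Privilege(PrincipalType.USER, "alice", "CLUSTER.OPERATOR", "cluster:c1"),
            new Privilege(PrincipalType.GROUP, "analysts", "CLUSTER.USER", "cluster:c1"),
            new Privilege(PrincipalType.ROLE, "CLUSTER.OPERATOR", "VIEW.USER", "view:files"),
            new Privilege(PrincipalType.ROLE, "VIEW.USER", "VIEW.USER", "view:audit"));
        for (String u : List.of("alice", "bob")) {
            Set<String> groups = u.equals("bob") ? Set.of("analysts") : Set.<String>of();
            System.out.println(u + " -> " + resolve(u, groups, all));
        }
    }
}
```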
Issue Links
- blocks: AMBARI-16229 Generalize the backend code for supporting cluster inherited permission for view instances (Resolved)
- is blocked by: AMBARI-16177 Views: User should be able to assign permission of a view instance to cluster roles (Resolved)