[AMBARI-16247] Authorizations given to role-based principals must be dereferenced upon user login - ASF JIRA

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.4.0
Fix Version/s: 2.4.0
Component/s: ambari-server
Labels:
- rbac

Description

Authorizations given to role-based principals must be dereferenced upon user login. These authorizations are dynamically determined based on the user's set of roles.

In org.apache.ambari.server.security.authorization.AmbariLocalUserDetailsService#loadUserByUsername, the set of GrantedAuthorities the authenticated user is calculated. During this process, using the set of cluster-level roles a user is granted, any permissions given to matching role-based principals should be given to the user.

This essentially work like giving privileges to a group of users calculated at runtime.

A use-case to support the need for this is to assign access to a view to all users with some specific role. Currently we can assign access to a view to a specific user or group by assigning that user or group the VIEW.USER role applied to the specific view. To assign access a view to users who have a specific role, a role will need to behave like a principal.