Posted to issues@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2018/06/09 10:58:00 UTC

[jira] [Updated] (AMBARI-20859) Improve User Account Management Within Ambari

     [ https://issues.apache.org/jira/browse/AMBARI-20859?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Levas updated AMBARI-20859:
----------------------------------
    Fix Version/s:     (was: 3.0.0)
                   2.7.0

> Improve User Account Management Within Ambari
> ---------------------------------------------
>
>                 Key: AMBARI-20859
>                 URL: https://issues.apache.org/jira/browse/AMBARI-20859
>             Project: Ambari
>          Issue Type: Epic
>          Components: ambari-server, ambari-web
>    Affects Versions: 2.7.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Major
>              Labels: authentication, pull-request-available, security, user_management
>             Fix For: 2.7.0
>
>          Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> As of Ambari 2.4, user management is confusing and tends to lead to inconsistent results during synchronization and authentication.  With the addition of new mechanisms such as Kerberos and PAM, this will only get worse.  Therefore, there is a need to rework how Ambari manages users to ensure that new authentication facilities are easily integrated.
> The following problems need to be solved:
> * *Case-sensitivity*
> Some authentication sources are case sensitive and some are not.  Ambari inconsistently handles the case of user names, leading to confusion about where user metadata is being created or being overwritten.  This issue extends from the front end through the backend and to the database layer.
> * *Username Collisions*
> There are several cases where username collisions occur.  One is where a username exists as a local user as well as an external user.  For example, the initial administrator account is a local user account with the username of "admin".  There may also be an external user account with the username "admin". In some cases Ambari will treat both accounts as the same user, converting the local account during a synchronization operation to an LDAP account. However, in other cases, Ambari will treat the accounts as separate users and create a separate account.
> * *REST API*
> Due to the implementation of the user resource in the REST API, there is no way to distinguish between user accounts with the same username and different data sources. For example, usera/LOCAL vs usera/LDAP.  This is because the primary key for user resources is only the username field.  This makes managing users confusing since the REST API entrypoint for user resources is /api/v1/users/:USERNAME and there is no way to retrieve or set the details for a specific user.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
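
The collision and case problems listed in the issue above, replayed against a simplified model. This is an added illustration, not Ambari code or its schema: the two store classes, the `replay` helper, the `(username, source)` key, and the choice of LDAP as the case-insensitive source are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Assumption for this model: sources that compare usernames case-insensitively.
CASE_INSENSITIVE_SOURCES = {"LDAP"}

@dataclass
class Account:
    username: str
    source: str                      # e.g. "LOCAL" or "LDAP"
    metadata: dict = field(default_factory=dict)

class UsernameKeyedStore:
    """The problem case: the username alone is the primary key."""
    def __init__(self):
        self.rows = {}

    def upsert(self, username, source, **metadata):
        row = self.rows.get(username)
        if row is None:
            row = self.rows[username] = Account(username, source)
        row.source = source          # same name from another source converts the row
        row.metadata.update(metadata)
        return row

class SourceKeyedStore:
    """Hypothetical alternative: key on (canonical username, source)."""
    def __init__(self):
        self.rows = {}

    @staticmethod
    def key(username, source):
        name = username.lower() if source in CASE_INSENSITIVE_SOURCES else username
        return (name, source)

    def upsert(self, username, source, **metadata):
        row = self.rows.setdefault(self.key(username, source), Account(username, source))
        row.metadata.update(metadata)
        return row

    def get(self, username, source):
        return self.rows.get(self.key(username, source))

def replay(store):
    """Apply one constructed event sequence; return the (source, username) rows left."""
    store.upsert("admin", "LOCAL", note="initial administrator")
    store.upsert("admin", "LDAP", note="synced from directory")
    store.upsert("Admin", "LDAP", note="same directory entry, different case")
    return sorted((r.source, r.username) for r in store.rows.values())
```

With the username-only key the local `admin` row is converted to LDAP and a second `Admin` row appears; with the composite key the local account survives and both spellings of the LDAP name resolve to one row.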