You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@ambari.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/07/26 14:53:00 UTC

[jira] [Updated] (AMBARI-24351) Logic and declaration used to determine if SSO is enabled for a service needs to be able to handle more than a boolean property

     [ https://issues.apache.org/jira/browse/AMBARI-24351?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

ASF GitHub Bot updated AMBARI-24351:
------------------------------------
    Labels: pull-request-available  (was: )

> Logic and declaration used to determine if SSO is enabled for a service needs to be able to handle more than a boolean property
> -------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-24351
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24351
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.7.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 2.7.1
>
>
> Logic and declaration used to determine if SSO is enabled for a service needs to be able to handle more than a boolean property.
> The current way Ambari determines whether SSO is enabled for a service or not is by getting the value of the property indicated in {{sso/enabledConfiguration}} property in the service's metadata:
> {code:java|title=Example}
>       <sso>
>         <supported>true</supported>
>         <enabledConfiguration>service-properties/sso.knox.enabled</enabledConfiguration>
>       </sso>
> {code}
> Using the above example, the {{service-properties/sso.knox.enabled}} is checked to see if its value is "true" or "false".
> This method works for a few services, but other services require more elaborate checks. For example Oozie relies on the value of {{oozie-site/oozie.authentication.type}}. If the value is "org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler", then SSO is enabled; otherwise it is not. This is different that just a Boolean value.
> *Solution*
> To support a more robust method to determine whether SSO is enabled or not, a new attribute should be added - {{ssoEnabledTest}}. The existing attribute, {{enabledConfiguration}}, should be available for backward compatibility - but converted on the backend.
> The {{ssoEnabledTest}} attribute is to contain a JSON document that can be _compiled_ into a {{org.apache.commons.collections.Predicate}} (ideally using {{org.apache.ambari.server.collections.PredicateUtils#fromJSON}}). For example
> {code:java}
>       <sso>
>         <supported>true</supported>
>         <ssoEnabledTest>
>           {
>             "equals": [
>               "service-properties/sso.knox.enabled",
>               "true"
>             ]
>           }
>       </sso>
> {code}
> {code:java}
>       <sso>
>         <supported>true</supported>
>         <ssoEnabledTest>
>           {
>             "equals": [
>               "oozie-site/oozie.authentication.type",
>               "org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler"
>             ]
>           }
>         </ssoEnabledTest>
>       </sso>{code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)