You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2016/05/04 12:19:12 UTC
[jira] [Created] (AMBARI-16246) Allow roles to be treated like
principals in Ambari DB
Robert Levas created AMBARI-16246:
-------------------------------------
Summary: Allow roles to be treated like principals in Ambari DB
Key: AMBARI-16246
URL: https://issues.apache.org/jira/browse/AMBARI-16246
Project: Ambari
Issue Type: Bug
Components: ambari-server
Reporter: Robert Levas
Assignee: Robert Levas
Fix For: 2.4.0
To support assigning privileges to users based on their roles provide support in the Ambari database to allow a {{role}} to be referenced as a {{principal}} similar in the way a {{user}} and a {{group}} a referenced as a {principal}}.
A use-case to support the need for this is to assign access to a view to all users with some specific role. Currently we can assign access to a view to a specific user or group by assigning that user or group the {{VIEW.USER}} role applied to the specific view. To assign access a view to users who have a specific role, a {{role}} will need to behave like a {{principal}}.
The following changes need to be made to the database:
* Add {{principal_id}} column to the {{adminpermission}} table
* Create a {{principaltype}} record where the {{principal_type_name}} is '{{ROLE}}'
* Add records to the {{adminprincpal}} table to represent each role in {{adminpermission}}
* Update {{adminpermission.principal_id}} to match the relevant records from {{adminprincipal}}
After this is complete, {{adminprivilege}} records can be created using roles as principals.
NOTE: special handling will need to be done in the authorization logic to dereference the role associations with the authenticated user, similar in the way this is done for groups.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)