Posted to dev@ambari.apache.org by "Tuong Truong (JIRA)" <ji...@apache.org> on 2015/10/22 23:33:27 UTC

[jira] [Assigned] (AMBARI-11350) Finer-grained role AuthZ for Ambari Users

     [ https://issues.apache.org/jira/browse/AMBARI-11350?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tuong Truong reassigned AMBARI-11350:
-------------------------------------

    Assignee: Tuong Truong  (was: Robert Levas)

> Finer-grained role AuthZ for Ambari Users
> -----------------------------------------
>
>                 Key: AMBARI-11350
>                 URL: https://issues.apache.org/jira/browse/AMBARI-11350
>             Project: Ambari
>          Issue Type: Improvement
>          Components: ambari-server
>    Affects Versions: 2.0.0
>            Reporter: Jeff Sposetti
>            Assignee: Tuong Truong
>
> Ambari currently integrates with external authentication systems and is able to authenticate users using enterprise-wide LDAP systems, such as Active Directory, OpenLDAP, and Apache Directory Service. However, more flexibility is now needed to allow for those authenticated users to be segmented into more granular roles.  These roles allow Ambari-level administrators to create different levels of cluster-level administrators to manage certain administrative operations that need to be performed on a cluster. This effectively spreads out the responsibilities of managing a cluster while not handing over total control of the Ambari management facility. 
> Ambari to provide role-based access controls beyond today's Ambari Admin, Operator and Read-Only permissions.
> || Role || Description ||
> | Read-only | This exists as of Ambari 1.7.0. Read-only view of cluster information, including configurations, service status and health alerts|
> | *Service Administrator* | Provides control of service lifecycle (start/stop/restart/decomm/recom) |
> | *Service Operator* | Service Admin + ability to re-configure (change/compare/revert), configure HA |
> | *Cluster Administrator* | Service Operator + add/remove hosts and components (for existing services) |
> | *Cluster Operator* | Cluster Administrator + enable/disable Kerberos, modify alerts, add service, perform upgrade (renamed from Operator) |
> | Ambari Admin | This exists as of Ambari 1.7.0. Full cluster control + manage users, groups and views and this flag is applicable to any user regardless of Role |
> Each role is to have permissions as shown below:
> || ||Read-Only||Service\\Administrator||Service\\Operator||Cluster\\Administrator||Cluster\\Operator||Administrator||
> ||Service-level Permissions||
> |View metrics                  |(+)|(+)|(+)|(+)|(+)|(+)|
> |View status information       |(+)|(+)|(+)|(+)|(+)|(+)|
> |View configurations           |(+)|(+)|(+)|(+)|(+)|(+)|
> |Compare configurations        |(+)|(+)|(+)|(+)|(+)|(+)|
> |Start/Stop/Restart Service    |   |(+)|(+)|(+)|(+)|(+)|
> |Decommission/recommission     |   |(+)|(+)|(+)|(+)|(+)|
> |Run service checks            |   |(+)|(+)|(+)|(+)|(+)|
> |Turn on/off maintenance mode  |   |(+)|(+)|(+)|(+)|(+)|
> |Perform service-specific tasks|   |(+)|(+)|(+)|(+)|(+)|
> |Modify configurations         |   |   |(+)|(+)|(+)|(+)|
> |Manage configuration groups   |   |   |(+)|(+)|(+)|(+)|
> |Move to another host          |   |   |(+)|(+)|(+)|(+)|
> |Enable HA                     |   |   |(+)|(+)|(+)|(+)|
> |Add Service to cluster        |   |   |   |   |(+)|(+)|
> ||*Host-level Permissions*||
> |View metrics                  |(+)|(+)|(+)|(+)|(+)|(+)|
> |View status information       |(+)|(+)|(+)|(+)|(+)|(+)|
> |View configuration            |(+)|(+)|(+)|(+)|(+)|(+)|
> |Turn on/off maintenance mode  |   |   |   |(+)|(+)|(+)|
> |Install components            |   |   |   |(+)|(+)|(+)|
> |Add/Delete hosts              |   |   |   |(+)|(+)|(+)|
> ||Cluster-level Permissions||
> |View metrics                  |(+)|(+)|(+)|(+)|(+)|(+)|
> |View status information       |(+)|(+)|(+)|(+)|(+)|(+)|
> |View configuration            |(+)|(+)|(+)|(+)|(+)|(+)|
> |View stack version details    |(+)|(+)|(+)|(+)|(+)|(+)|
> |View alerts                   |(+)|(+)|(+)|(+)|(+)|(+)|
> |Enable/disable alerts         |   |   |   |   |(+)|(+)|
> |Enable/disable Kerberos       |   |   |   |   |(+)|(+)|
> |Upgrade/downgrade stack       |   |   |   |   |(+)|(+)|
> ||Ambari-level Permissions||
> |Create new clusters           |   |   |   |   |   |(+)|
> |Set service users and groups  |   |   |   |   |   |(+)|
> |Rename clusters               |   |   |   |   |   |(+)|
> |Manage users                  |   |   |   |   |   |(+)|
> |Manage groups                 |   |   |   |   |   |(+)|
> |Manage Ambari Views           |   |   |   |   |   |(+)|
> |Assign permissions/roles      |   |   |   |   |   |(+)|
> |Manage stack versions         |   |   |   |   |   |(+)|
> |Edit stack repository URLs    |   |   |   |   |   |(+)|



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
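
An added example, not part of the original message and not Ambari code: it parses rows of the permission matrix quoted above, checks that each role's grants are a superset of the role below it (the cumulative hierarchy the role descriptions imply), and answers access checks with deny-by-default. The function names and the row subset are assumptions made for illustration.

```python
# Constructed sample: a subset of rows copied from the matrix in the issue.
# Column order follows the table header on the page.
ROLES = ["Read-Only", "Service Administrator", "Service Operator",
         "Cluster Administrator", "Cluster Operator", "Administrator"]

MATRIX = """\
||Service-level Permissions||
|View metrics                  |(+)|(+)|(+)|(+)|(+)|(+)|
|Start/Stop/Restart Service    |   |(+)|(+)|(+)|(+)|(+)|
|Modify configurations         |   |   |(+)|(+)|(+)|(+)|
|Add Service to cluster        |   |   |   |   |(+)|(+)|
||*Host-level Permissions*||
|Add/Delete hosts              |   |   |   |(+)|(+)|(+)|
||Cluster-level Permissions||
|Enable/disable Kerberos       |   |   |   |   |(+)|(+)|
||Ambari-level Permissions||
|Manage users                  |   |   |   |   |   |(+)|
"""

def parse_matrix(text, roles=ROLES):
    """Return {role: {(scope, action), ...}} from JIRA-style table rows."""
    grants = {r: set() for r in roles}
    scope = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("||"):  # section header row, e.g. ||Host-level Permissions||
            scope = line.strip("|*").replace(" Permissions", "").strip()
            continue
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        action, marks = cells[0], cells[1:]
        if scope is None or len(marks) != len(roles):
            raise ValueError(f"malformed row: {line!r}")  # fail closed
        for role, mark in zip(roles, marks):
            if mark == "(+)":
                grants[role].add((scope, action))
    return grants

def hierarchy_violations(grants, roles=ROLES):
    """List (lower, higher, permissions) where the lower role holds more."""
    return [(lo, hi, sorted(grants[lo] - grants[hi]))
            for lo, hi in zip(roles, roles[1:]) if grants[lo] - grants[hi]]

def is_allowed(grants, role, scope, action):
    """Deny by default: unknown roles, scopes or actions get no access."""
    return (scope, action) in grants.get(role, set())

GRANTS = parse_matrix(MATRIX)
```

An empty result from `hierarchy_violations(GRANTS)` means no lower role holds a permission that the next role up lacks.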