You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ambari.apache.org by "Hudson (JIRA)" <ji...@apache.org> on 2018/07/27 18:19:00 UTC
[jira] [Commented] (AMBARI-24351) Logic and declaration used to
determine if SSO is enabled for a service needs to be able to handle more
than a boolean property
[ https://issues.apache.org/jira/browse/AMBARI-24351?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16560097#comment-16560097 ]
Hudson commented on AMBARI-24351:
---------------------------------
SUCCESS: Integrated in Jenkins build Ambari-trunk-Commit #9691 (See [https://builds.apache.org/job/Ambari-trunk-Commit/9691/])
[AMBARI-24351] Using Predicate based evaluation when determining if SSO (github: [https://gitbox.apache.org/repos/asf?p=ambari.git&a=commit&h=c43f3c6b93666876874479dce0b98cd93a8dfc28])
* (edit) ambari-server/src/main/java/org/apache/ambari/server/state/ServiceInfo.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/state/ServiceImpl.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/state/ConfigHelper.java
* (edit) ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/state/SingleSignOnInfo.java
> Logic and declaration used to determine if SSO is enabled for a service needs to be able to handle more than a boolean property
> -------------------------------------------------------------------------------------------------------------------------------
>
> Key: AMBARI-24351
> URL: https://issues.apache.org/jira/browse/AMBARI-24351
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 2.7.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Labels: pull-request-available
> Fix For: 2.7.1
>
> Time Spent: 2h 40m
> Remaining Estimate: 0h
>
> Logic and declaration used to determine if SSO is enabled for a service needs to be able to handle more than a boolean property.
> The current way Ambari determines whether SSO is enabled for a service or not is by getting the value of the property indicated in {{sso/enabledConfiguration}} property in the service's metadata:
> {code:java|title=Example}
> <sso>
> <supported>true</supported>
> <enabledConfiguration>service-properties/sso.knox.enabled</enabledConfiguration>
> </sso>
> {code}
> Using the above example, the {{service-properties/sso.knox.enabled}} is checked to see if its value is "true" or "false".
> This method works for a few services, but other services require more elaborate checks. For example Oozie relies on the value of {{oozie-site/oozie.authentication.type}}. If the value is "org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler", then SSO is enabled; otherwise it is not. This is different that just a Boolean value.
> *Solution*
> To support a more robust method to determine whether SSO is enabled or not, a new attribute should be added - {{ssoEnabledTest}}. The existing attribute, {{enabledConfiguration}}, should be available for backward compatibility - but converted on the backend.
> The {{ssoEnabledTest}} attribute is to contain a JSON document that can be _compiled_ into a {{org.apache.commons.collections.Predicate}} (ideally using {{org.apache.ambari.server.collections.PredicateUtils#fromJSON}}). For example
> {code:java}
> <sso>
> <supported>true</supported>
> <ssoEnabledTest>
> {
> "equals": [
> "service-properties/sso.knox.enabled",
> "true"
> ]
> }
> </sso>
> {code}
> {code:java}
> <sso>
> <supported>true</supported>
> <ssoEnabledTest>
> {
> "equals": [
> "oozie-site/oozie.authentication.type",
> "org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler"
> ]
> }
> </ssoEnabledTest>
> </sso>{code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)