You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ambari.apache.org by "Sandor Molnar (JIRA)" <ji...@apache.org> on 2018/07/25 06:33:00 UTC
[jira] [Created] (AMBARI-24351) Logic and declaration used to
determine if SSO is enabled for a service needs to be able to handle more
than a boolean property
Sandor Molnar created AMBARI-24351:
--------------------------------------
Summary: Logic and declaration used to determine if SSO is enabled for a service needs to be able to handle more than a boolean property
Key: AMBARI-24351
URL: https://issues.apache.org/jira/browse/AMBARI-24351
Project: Ambari
Issue Type: Bug
Components: ambari-server
Affects Versions: 2.7.0
Reporter: Sandor Molnar
Assignee: Sandor Molnar
Fix For: 2.7.1
Logic and declaration used to determine if SSO is enabled for a service needs to be able to handle more than a boolean property.
The current way Ambari determines whether SSO is enabled for a service or not is by getting the value of the property indicated in {{sso/enabledConfiguration}} property in the service's metadata:
{code:java|title=Example}
<sso>
<supported>true</supported>
<enabledConfiguration>service-properties/sso.knox.enabled</enabledConfiguration>
</sso>
{code}
Using the above example, the {{service-properties/sso.knox.enabled}} is checked to see if its value is "true" or "false".
This method works for a few services, but other services require more elaborate checks. For example Oozie relies on the value of {{oozie-site/oozie.authentication.type}}. If the value is "org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler", then SSO is enabled; otherwise it is not. This is different that just a Boolean value.
*Solution*
To support a more robust method to determine whether SSO is enabled or not, a new attribute should be added - {{ssoEnabledTest}}. The existing attribute, {{enabledConfiguration}}, should be available for backward compatibility - but converted on the backend.
The {{ssoEnabledTest}} attribute is to contain a JSON document that can be _compiled_ into a {{org.apache.commons.collections.Predicate}} (ideally using {{org.apache.ambari.server.collections.PredicateUtils#fromJSON}}). For example
{code:java}
<sso>
<supported>true</supported>
<ssoEnabledTest>
{
"equals": [
"service-properties/sso.knox.enabled",
"true"
]
}
</sso>
{code}
{code:java}
<sso>
<supported>true</supported>
<ssoEnabledTest>
{
"equals": [
"oozie-site/oozie.authentication.type",
"org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler"
]
}
</ssoEnabledTest>
</sso>{code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)