Posted to reviews@ambari.apache.org by Oliver Szabo <os...@hortonworks.com> on 2017/02/01 17:16:55 UTC

Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/
-----------------------------------------------------------

Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.


Bugs: AMBARI-19822
    https://issues.apache.org/jira/browse/AMBARI-19822


Repository: ambari


Description
-------

Problem:
If an Ambari cluster is secured and Kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and the solr user as well).

Solution:
Although RuleBasedAuthorizationPlugin seems to be a good solution here to map default users to default permissions, unfortunately permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied on the username and not on the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added my own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users with the <name>@<DOMAIN> format.

The problem is here in RuleBasedAuthorizationPlugin.java:
https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153

Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class which I added and included in the new plugin class)


Diffs
-----

  ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
  ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
  ambari-logsearch/pom.xml 7aeb4a7 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 

Diff: https://reviews.apache.org/r/56179/diff/


Testing
-------

Unit tests done, behavior validated with unit tests. Other tests (FT) using ranger and atlas are in progress...


Thanks,

Oliver Szabo


Re: Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

Posted by Miklos Gergely <mg...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/#review163963
-----------------------------------------------------------


Ship it!





- Miklos Gergely


On Feb. 1, 2017, 8:46 p.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56179/
> -----------------------------------------------------------
> 
> (Updated Feb. 1, 2017, 8:46 p.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.
> 
> 
> Bugs: AMBARI-19822
>     https://issues.apache.org/jira/browse/AMBARI-19822
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Problem:
> If an Ambari cluster is secured and Kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and the solr user as well).
> 
> Solution:
> Although RuleBasedAuthorizationPlugin seems to be a good solution here to map default users to default permissions, unfortunately permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied on the username and not on the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added my own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users with the <name>@<DOMAIN> format.
> 
> The problem is here in RuleBasedAuthorizationPlugin.java:
> https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153
> 
> Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class which I added and included in the new plugin class)
> 
> 
> Diffs
> -----
> 
>   ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
>   ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
>   ambari-logsearch/pom.xml 7aeb4a7 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 
> 
> Diff: https://reviews.apache.org/r/56179/diff/
> 
> 
> Testing
> -------
> 
> Unit tests done, behavior validated with unit tests. Other tests (FT) using ranger and atlas are in progress...
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>


Re: Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

Posted by Oliver Szabo <os...@hortonworks.com>.

> On Feb. 6, 2017, 7:51 a.m., Sebastian Toader wrote:
> > ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml, line 27
> > <https://reviews.apache.org/r/56179/diff/7/?file=1624272#file1624272line27>
> >
> >     Instead of using a hardcoded list of users, wouldn't it be better to reference a variable which is populated dynamically based on the configs of the various HDP components? For example, the principals can be overridden through custom kerberos descriptors, thus this hard coded user list would not apply anymore.

That would mean we will need to restart Solr in case any service is added, instead of using predefined roles (which can be changed manually if needed).


- Oliver


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/#review164319
-----------------------------------------------------------


On Feb. 4, 2017, 5:31 p.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56179/
> -----------------------------------------------------------
> 
> (Updated Feb. 4, 2017, 5:31 p.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.
> 
> 
> Bugs: AMBARI-19822
>     https://issues.apache.org/jira/browse/AMBARI-19822
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Problem:
> If an Ambari cluster is secured and Kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and the solr user as well).
> 
> Solution:
> Although RuleBasedAuthorizationPlugin seems to be a good solution here to map default users to default permissions, unfortunately permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied on the username and not on the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added my own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users with the <name>@<DOMAIN> format.
> 
> The problem is here in RuleBasedAuthorizationPlugin.java:
> https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153
> 
> Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class which I added and included in the new plugin class)
> 
> In case we need strict host validation, I added 2 new JSON properties for that:
> 1. { "user-host" : {"<username>" : [<hostnames array>]} }
> 2. {"user-host-regex" : {"<username>" : "hostname-regex"} }
> 
> {{user-host-regex}} has higher precedence than {{user-host}}
> 
> 
> Diffs
> -----
> 
>   ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraKerberosHostValidator.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraKerberosHostValidatorTest.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
>   ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
>   ambari-logsearch/pom.xml 7aeb4a7 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml ed623df 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 
>   ambari-server/src/test/python/stacks/2.4/configs/default.json 7a940d3 
> 
> Diff: https://reviews.apache.org/r/56179/diff/
> 
> 
> Testing
> -------
> 
> unit tests done, behavior validated with unit tests. FT: validated with logsearch and atlas as well.
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>


Re: Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

Posted by Sebastian Toader <st...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/#review164319
-----------------------------------------------------------




ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml (line 27)
<https://reviews.apache.org/r/56179/#comment236012>

    Instead of using a hardcoded list of users, wouldn't it be better to reference a variable which is populated dynamically based on the configs of the various HDP components? For example, the principals can be overridden through custom kerberos descriptors, thus this hard coded user list would not apply anymore.


- Sebastian Toader


On Feb. 4, 2017, 6:31 p.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56179/
> -----------------------------------------------------------
> 
> (Updated Feb. 4, 2017, 6:31 p.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.
> 
> 
> Bugs: AMBARI-19822
>     https://issues.apache.org/jira/browse/AMBARI-19822
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Problem:
> If an Ambari cluster is secured and Kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and the solr user as well).
> 
> Solution:
> Although RuleBasedAuthorizationPlugin seems to be a good solution here to map default users to default permissions, unfortunately permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied on the username and not on the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added my own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users with the <name>@<DOMAIN> format.
> 
> The problem is here in RuleBasedAuthorizationPlugin.java:
> https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153
> 
> Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class which I added and included in the new plugin class)
> 
> In case we need strict host validation, I added 2 new JSON properties for that:
> 1. { "user-host" : {"<username>" : [<hostnames array>]} }
> 2. {"user-host-regex" : {"<username>" : "hostname-regex"} }
> 
> {{user-host-regex}} has higher precedence than {{user-host}}
> 
> 
> Diffs
> -----
> 
>   ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraKerberosHostValidator.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraKerberosHostValidatorTest.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
>   ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
>   ambari-logsearch/pom.xml 7aeb4a7 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml ed623df 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 
>   ambari-server/src/test/python/stacks/2.4/configs/default.json 7a940d3 
> 
> Diff: https://reviews.apache.org/r/56179/diff/
> 
> 
> Testing
> -------
> 
> unit tests done, behavior validated with unit tests. FT: validated with logsearch and atlas as well.
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>


Re: Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

Posted by Robert Nettleton <rn...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/#review164416
-----------------------------------------------------------


Ship it!





- Robert Nettleton


On Feb. 6, 2017, 8:32 p.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56179/
> -----------------------------------------------------------
> 
> (Updated Feb. 6, 2017, 8:32 p.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.
> 
> 
> Bugs: AMBARI-19822
>     https://issues.apache.org/jira/browse/AMBARI-19822
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Problem:
> If an Ambari cluster is secured and Kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and the solr user as well).
> 
> Solution:
> Although RuleBasedAuthorizationPlugin seems to be a good solution here to map default users to default permissions, unfortunately permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied on the username and not on the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added my own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users with the <name>@<DOMAIN> format.
> 
> The problem is here in RuleBasedAuthorizationPlugin.java:
> https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153
> 
> Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class which I added and included in the new plugin class)
> 
> In case we need strict host validation, I added 2 new JSON properties for that:
> 1. { "user-host" : {"<username>" : [<hostnames array>]} }
> 2. {"user-host-regex" : {"<username>" : "hostname-regex"} }
> 
> {{user-host-regex}} has higher precedence than {{user-host}}
> 
> 
> Diffs
> -----
> 
>   ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraKerberosHostValidator.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraKerberosHostValidatorTest.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
>   ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
>   ambari-logsearch/pom.xml 7aeb4a7 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml ed623df 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 
>   ambari-server/src/test/python/stacks/2.4/configs/default.json 7a940d3 
> 
> Diff: https://reviews.apache.org/r/56179/diff/
> 
> 
> Testing
> -------
> 
> unit tests done, behavior validated with unit tests. FT: validated with logsearch and atlas as well.
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>


Re: Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

Posted by Oliver Szabo <os...@hortonworks.com>.

> On Feb. 7, 2017, 12:23 p.m., Mugdha Varadkar wrote:
> > ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml, line 27
> > <https://reviews.apache.org/r/56179/diff/11/?file=1625439#file1625439line27>
> >
> >     This should be {{default_ranger_audit_users}}

That is resolved from a Python format string, so it's in { } not in {{ }}


- Oliver


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/#review164497
-----------------------------------------------------------


On Feb. 6, 2017, 8:32 p.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56179/
> -----------------------------------------------------------
> 
> (Updated Feb. 6, 2017, 8:32 p.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.
> 
> 
> Bugs: AMBARI-19822
>     https://issues.apache.org/jira/browse/AMBARI-19822
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Problem:
> If an Ambari cluster is secured and Kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and the solr user as well).
> 
> Solution:
> Although RuleBasedAuthorizationPlugin seems to be a good solution here to map default users to default permissions, unfortunately permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied on the username and not on the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added my own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users with the <name>@<DOMAIN> format.
> 
> The problem is here in RuleBasedAuthorizationPlugin.java:
> https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153
> 
> Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class which I added and included in the new plugin class)
> 
> In case we need strict host validation, I added 2 new JSON properties for that:
> 1. { "user-host" : {"<username>" : [<hostnames array>]} }
> 2. {"user-host-regex" : {"<username>" : "hostname-regex"} }
> 
> {{user-host-regex}} has higher precedence than {{user-host}}
> 
> 
> Diffs
> -----
> 
>   ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraKerberosHostValidator.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraKerberosHostValidatorTest.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
>   ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
>   ambari-logsearch/pom.xml 7aeb4a7 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml ed623df 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 
>   ambari-server/src/test/python/stacks/2.4/configs/default.json 7a940d3 
> 
> Diff: https://reviews.apache.org/r/56179/diff/
> 
> 
> Testing
> -------
> 
> unit tests done, behavior validated with unit tests. FT: validated with logsearch and atlas as well.
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>


Re: Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

Posted by Mugdha Varadkar <mu...@freestoneinfotech.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/#review164497
-----------------------------------------------------------




ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 (line 30)
<https://reviews.apache.org/r/56179/#comment236265>

    The infra_solr_ranger_audit_service_users variable will give {default_ranger_audit_users} instead of the calculated list of users in the variable default_ranger_audit_users.



ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml (line 27)
<https://reviews.apache.org/r/56179/#comment236266>

    This should be {{default_ranger_audit_users}}


- Mugdha Varadkar


On Feb. 6, 2017, 8:32 p.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56179/
> -----------------------------------------------------------
> 
> (Updated Feb. 6, 2017, 8:32 p.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.
> 
> 
> Bugs: AMBARI-19822
>     https://issues.apache.org/jira/browse/AMBARI-19822
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Problem:
> If an Ambari cluster is secured and Kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and the solr user as well).
> 
> Solution:
> Although RuleBasedAuthorizationPlugin seems to be a good solution here to map default users to default permissions, unfortunately permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied on the username and not on the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added my own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users with the <name>@<DOMAIN> format.
> 
> The problem is here in RuleBasedAuthorizationPlugin.java:
> https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153
> 
> Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class which I added and included in the new plugin class)
> 
> In case we need strict host validation, I added 2 new JSON properties for that:
> 1. { "user-host" : {"<username>" : [<hostnames array>]} }
> 2. {"user-host-regex" : {"<username>" : "hostname-regex"} }
> 
> {{user-host-regex}} has higher precedence than {{user-host}}
> 
> 
> Diffs
> -----
> 
>   ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraKerberosHostValidator.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraKerberosHostValidatorTest.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
>   ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
>   ambari-logsearch/pom.xml 7aeb4a7 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml ed623df 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 
>   ambari-server/src/test/python/stacks/2.4/configs/default.json 7a940d3 
> 
> Diff: https://reviews.apache.org/r/56179/diff/
> 
> 
> Testing
> -------
> 
> unit tests done, behavior validated with unit tests. FT: validated with logsearch and atlas as well.
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>


Re: Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

Posted by Oliver Szabo <os...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/
-----------------------------------------------------------

(Updated Feb. 6, 2017, 8:32 p.m.)


Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.


Changes
-------

Use kerberos-env instead of cluster-env to get the realm (in cluster-env it's using EXAMPLE.COM even if a custom one is used)


Bugs: AMBARI-19822
    https://issues.apache.org/jira/browse/AMBARI-19822


Repository: ambari


Description
-------

Problem:
If an Ambari cluster is secured and Kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and the solr user as well).

Solution:
Although RuleBasedAuthorizationPlugin seems to be a good solution here to map default users to default permissions, unfortunately permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied on the username and not on the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added my own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users with the <name>@<DOMAIN> format.

The problem is here in RuleBasedAuthorizationPlugin.java:
https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153

Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class which I added and included in the new plugin class)

In case we need strict host validation, I added 2 new JSON properties for that:
1. { "user-host" : {"<username>" : [<hostnames array>]} }
2. {"user-host-regex" : {"<username>" : "hostname-regex"} }

{{user-host-regex}} has higher precedence than {{user-host}}


Diffs (updated)
-----

  ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraKerberosHostValidator.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraKerberosHostValidatorTest.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
  ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
  ambari-logsearch/pom.xml 7aeb4a7 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml ed623df 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 
  ambari-server/src/test/python/stacks/2.4/configs/default.json 7a940d3 

Diff: https://reviews.apache.org/r/56179/diff/


Testing
-------

unit tests done, behavior validated with unit tests. FT: validated with logsearch and atlas as well.


Thanks,

Oliver Szabo
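
As an added example (not code from this patch or from Ambari), the following Java program shows one way the checks described in the request above can fit together: the host part of a Kerberos principal is dropped to get the <name>@<DOMAIN> lookup key, and the host is validated with user-host-regex taking precedence over user-host. Assumptions: all class and method names, sample principals, hostnames and role names are constructed; host rules are keyed by <name>@<DOMAIN>; a user with no host rule is not host-restricted; a principal without a host part is rejected when a host rule exists for it.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration; every name here is hypothetical, not the patch's code.
public class PrincipalHostRules {

  /** A Kerberos principal split into primary[/instance]@REALM. */
  static final class Principal {
    final String name;   // primary, e.g. "logsearch"
    final String host;   // instance part, lower-cased; null when absent
    final String realm;

    private Principal(String name, String host, String realm) {
      this.name = name;
      this.host = host;
      this.realm = realm;
    }

    static Principal parse(String raw) {
      int at = raw.lastIndexOf('@');
      if (at <= 0 || at == raw.length() - 1) {
        throw new IllegalArgumentException("principal has no realm: " + raw);
      }
      String left = raw.substring(0, at);
      int slash = left.indexOf('/');
      String name = slash < 0 ? left : left.substring(0, slash);
      String host = slash < 0 ? null : left.substring(slash + 1).toLowerCase(Locale.ROOT);
      if (name.isEmpty() || (host != null && host.isEmpty())) {
        throw new IllegalArgumentException("malformed principal: " + raw);
      }
      return new Principal(name, host, raw.substring(at + 1));
    }

    /** Lookup key in <name>@<DOMAIN> form, with the host part dropped. */
    String userKey() {
      return name + "@" + realm;
    }
  }

  /** Host check: a regex rule for the user, when present, is the only rule consulted. */
  static boolean hostAllowed(Principal p, Map<String, List<String>> userHost,
                             Map<String, String> userHostRegex) {
    String key = p.userKey();
    String regex = userHostRegex.get(key);
    if (regex != null) {
      // matches() must cover the whole hostname, so a rule for *.example.com
      // cannot be satisfied by a longer name that merely contains it.
      return p.host != null
          && Pattern.compile(regex, Pattern.CASE_INSENSITIVE).matcher(p.host).matches();
    }
    List<String> hosts = userHost.get(key);
    if (hosts != null) {
      if (p.host == null) {
        return false; // a host rule exists but the principal carries no host
      }
      for (String h : hosts) {
        if (h.equalsIgnoreCase(p.host)) {
          return true;
        }
      }
      return false;
    }
    return true; // assumption: no host rule configured means no host restriction
  }

  /** Roles for a raw principal; empty when the host check fails or the user is unknown. */
  static List<String> rolesFor(String rawPrincipal, Map<String, List<String>> userRole,
                               Map<String, List<String>> userHost,
                               Map<String, String> userHostRegex) {
    Principal p = Principal.parse(rawPrincipal);
    if (!hostAllowed(p, userHost, userHostRegex)) {
      return Collections.emptyList();
    }
    List<String> roles = userRole.get(p.userKey());
    return roles == null ? Collections.<String>emptyList() : roles;
  }

  public static void main(String[] args) {
    // Constructed sample configuration, shaped like the JSON properties in the request.
    Map<String, List<String>> userRole = new HashMap<>();
    userRole.put("logsearch@EXAMPLE.COM", Arrays.asList("logsearch_user"));
    userRole.put("atlas@EXAMPLE.COM", Arrays.asList("atlas_user"));
    userRole.put("solr@EXAMPLE.COM", Arrays.asList("admin"));

    Map<String, List<String>> userHost = new HashMap<>();
    userHost.put("logsearch@EXAMPLE.COM", Arrays.asList("ls1.example.com"));
    userHost.put("atlas@EXAMPLE.COM", Arrays.asList("atlas1.example.com"));

    Map<String, String> userHostRegex = new HashMap<>();
    userHostRegex.put("logsearch@EXAMPLE.COM", "ls\\d+\\.example\\.com");

    String[] samples = {
      "logsearch/ls2.example.com@EXAMPLE.COM",            // absent from user-host, covered by the regex
      "logsearch/ls1.example.com.other.test@EXAMPLE.COM", // contains a valid name as a prefix only
      "atlas/atlas1.example.com@EXAMPLE.COM",             // list rule, listed host
      "atlas/atlas2.example.com@EXAMPLE.COM",             // list rule, unlisted host
      "atlas@EXAMPLE.COM",                                // host rule exists, no host in principal
      "solr/node9.example.com@EXAMPLE.COM"                // no host rule for this user
    };
    for (String s : samples) {
      System.out.println(s + " -> " + rolesFor(s, userRole, userHost, userHostRegex));
    }
  }
}
```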


Re: Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

Posted by Oliver Szabo <os...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/
-----------------------------------------------------------

(Updated Feb. 6, 2017, 8:18 p.m.)


Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.


Changes
-------

more small fixes


Bugs: AMBARI-19822
    https://issues.apache.org/jira/browse/AMBARI-19822


Repository: ambari


Description
-------

Problem:
If an ambari cluster is secured and kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and solr user as well)

Solution:
Although RuleBasedAuthorizationPlugin seems to be a good solution here to map default users to default permissions, unfortunately permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied to the username and not to the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added my own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users with <name>@<DOMAIN> format.

The problem is here in RuleBasedAuthorizationPlugin.java:
https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153

Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class, which I added and included in the new plugin class)

In case we need strict host validations, I added 2 new JSON properties for that:
1. { "user-host" : {"<username>" : [<hostnames array>]} }
2. {"user-host-regex" : {"<username>" : "hostname-regex"} }

{{user-host-regex}} has higher precedence than {{user-host}}


Diffs (updated)
-----

  ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraKerberosHostValidator.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraKerberosHostValidatorTest.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
  ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
  ambari-logsearch/pom.xml 7aeb4a7 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml ed623df 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 
  ambari-server/src/test/python/stacks/2.4/configs/default.json 7a940d3 

Diff: https://reviews.apache.org/r/56179/diff/


Testing
-------

unit tests done, behavior validated with unit tests. FT: validated with logsearch and atlas as well.


Thanks,

Oliver Szabo


Re: Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

Posted by Oliver Szabo <os...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/
-----------------------------------------------------------

(Updated Feb. 6, 2017, 8:02 p.m.)


Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.


Changes
-------

some small fixes


Bugs: AMBARI-19822
    https://issues.apache.org/jira/browse/AMBARI-19822


Repository: ambari


Description
-------

Problem:
If an ambari cluster is secured and kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and solr user as well)

Solution:
Although RuleBasedAuthorizationPlugin seems to be a good solution here to map default users to default permissions, unfortunately permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied to the username and not to the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added my own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users with <name>@<DOMAIN> format.

The problem is here in RuleBasedAuthorizationPlugin.java:
https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153

Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class, which I added and included in the new plugin class)

In case we need strict host validations, I added 2 new JSON properties for that:
1. { "user-host" : {"<username>" : [<hostnames array>]} }
2. {"user-host-regex" : {"<username>" : "hostname-regex"} }

{{user-host-regex}} has higher precedence than {{user-host}}


Diffs (updated)
-----

  ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraKerberosHostValidator.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraKerberosHostValidatorTest.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
  ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
  ambari-logsearch/pom.xml 7aeb4a7 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml ed623df 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 
  ambari-server/src/test/python/stacks/2.4/configs/default.json 7a940d3 

Diff: https://reviews.apache.org/r/56179/diff/


Testing
-------

unit tests done, behavior validated with unit tests. FT: validated with logsearch and atlas as well.


Thanks,

Oliver Szabo


Re: Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

Posted by Sebastian Toader <st...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/#review164352
-----------------------------------------------------------


Ship it!




Ship It!

- Sebastian Toader


On Feb. 6, 2017, 3:59 p.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56179/
> -----------------------------------------------------------
> 
> (Updated Feb. 6, 2017, 3:59 p.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.
> 
> 
> Bugs: AMBARI-19822
>     https://issues.apache.org/jira/browse/AMBARI-19822
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Problem:
> If an ambari cluster is secured and kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and solr user as well)
> 
> Solution:
> Although RuleBasedAuthorizationPlugin seems to be a good solution here to map default users to default permissions, unfortunately permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied to the username and not to the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added my own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users with <name>@<DOMAIN> format.
> 
> The problem is here in RuleBasedAuthorizationPlugin.java:
> https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153
> 
> Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class, which I added and included in the new plugin class)
> 
> In case we need strict host validations, I added 2 new JSON properties for that:
> 1. { "user-host" : {"<username>" : [<hostnames array>]} }
> 2. {"user-host-regex" : {"<username>" : "hostname-regex"} }
> 
> {{user-host-regex}} has higher precedence than {{user-host}}
> 
> 
> Diffs
> -----
> 
>   ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraKerberosHostValidator.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraKerberosHostValidatorTest.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
>   ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
>   ambari-logsearch/pom.xml 7aeb4a7 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml ed623df 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 
>   ambari-server/src/test/python/stacks/2.4/configs/default.json 7a940d3 
> 
> Diff: https://reviews.apache.org/r/56179/diff/
> 
> 
> Testing
> -------
> 
> unit tests done, behavior validated with unit tests. FT: validated with logsearch and atlas as well.
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>


Re: Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

Posted by Oliver Szabo <os...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/
-----------------------------------------------------------

(Updated Feb. 6, 2017, 2:59 p.m.)


Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.


Changes
-------

use default usernames from configurations


Bugs: AMBARI-19822
    https://issues.apache.org/jira/browse/AMBARI-19822


Repository: ambari


Description
-------

Problem:
If an ambari cluster is secured and kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and solr user as well)

Solution:
Although RuleBasedAuthorizationPlugin seems to be a good solution here to map default users to default permissions, unfortunately permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied to the username and not to the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added my own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users with <name>@<DOMAIN> format.

The problem is here in RuleBasedAuthorizationPlugin.java:
https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153

Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class, which I added and included in the new plugin class)

In case we need strict host validations, I added 2 new JSON properties for that:
1. { "user-host" : {"<username>" : [<hostnames array>]} }
2. {"user-host-regex" : {"<username>" : "hostname-regex"} }

{{user-host-regex}} has higher precedence than {{user-host}}


Diffs (updated)
-----

  ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraKerberosHostValidator.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraKerberosHostValidatorTest.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
  ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
  ambari-logsearch/pom.xml 7aeb4a7 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml ed623df 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 
  ambari-server/src/test/python/stacks/2.4/configs/default.json 7a940d3 

Diff: https://reviews.apache.org/r/56179/diff/


Testing
-------

unit tests done, behavior validated with unit tests. FT: validated with logsearch and atlas as well.


Thanks,

Oliver Szabo


Re: Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

Posted by Oliver Szabo <os...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/
-----------------------------------------------------------

(Updated Feb. 4, 2017, 5:31 p.m.)


Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.


Changes
-------

- added default ranger audit users
- update unit tests to validate audit users cannot create collections but they can write into them.


Bugs: AMBARI-19822
    https://issues.apache.org/jira/browse/AMBARI-19822


Repository: ambari


Description
-------

Problem:
If an ambari cluster is secured and kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and solr user as well)

Solution:
Although RuleBasedAuthorizationPlugin seems to be a good solution here to map default users to default permissions, unfortunately permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied to the username and not to the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added my own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users with <name>@<DOMAIN> format.

The problem is here in RuleBasedAuthorizationPlugin.java:
https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153

Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class, which I added and included in the new plugin class)

In case we need strict host validations, I added 2 new JSON properties for that:
1. { "user-host" : {"<username>" : [<hostnames array>]} }
2. {"user-host-regex" : {"<username>" : "hostname-regex"} }

{{user-host-regex}} has higher precedence than {{user-host}}


Diffs (updated)
-----

  ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraKerberosHostValidator.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraKerberosHostValidatorTest.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
  ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
  ambari-logsearch/pom.xml 7aeb4a7 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml ed623df 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 
  ambari-server/src/test/python/stacks/2.4/configs/default.json 7a940d3 

Diff: https://reviews.apache.org/r/56179/diff/


Testing
-------

unit tests done, behavior validated with unit tests. FT: validated with logsearch and atlas as well.


Thanks,

Oliver Szabo


Re: Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

Posted by Oliver Szabo <os...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/
-----------------------------------------------------------

(Updated Feb. 3, 2017, 5:49 p.m.)


Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.


Changes
-------

- use cluster-env to get kerberos realm


Bugs: AMBARI-19822
    https://issues.apache.org/jira/browse/AMBARI-19822


Repository: ambari


Description
-------

Problem:
If an ambari cluster is secured and kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and solr user as well)

Solution:
Although RuleBasedAuthorizationPlugin seems to be a good solution here to map default users to default permissions, unfortunately permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied to the username and not to the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added my own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users with <name>@<DOMAIN> format.

The problem is here in RuleBasedAuthorizationPlugin.java:
https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153

Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class, which I added and included in the new plugin class)

In case we need strict host validations, I added 2 new JSON properties for that:
1. { "user-host" : {"<username>" : [<hostnames array>]} }
2. {"user-host-regex" : {"<username>" : "hostname-regex"} }

{{user-host-regex}} has higher precedence than {{user-host}}


Diffs (updated)
-----

  ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraKerberosHostValidator.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraKerberosHostValidatorTest.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
  ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
  ambari-logsearch/pom.xml 7aeb4a7 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 

Diff: https://reviews.apache.org/r/56179/diff/


Testing
-------

unit tests done, behavior validated with unit tests. FT: validated with logsearch and atlas as well.


Thanks,

Oliver Szabo


Re: Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

Posted by Robert Nettleton <rn...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/#review164011
-----------------------------------------------------------


Ship it!




Ship It!

- Robert Nettleton


On Feb. 2, 2017, 4:23 p.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56179/
> -----------------------------------------------------------
> 
> (Updated Feb. 2, 2017, 4:23 p.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.
> 
> 
> Bugs: AMBARI-19822
>     https://issues.apache.org/jira/browse/AMBARI-19822
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Problem:
> If an ambari cluster is secured and kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and solr user as well)
> 
> Solution:
> Although RuleBasedAuthorizationPlugin seems to be a good solution here to map default users to default permissions, unfortunately permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied to the username and not to the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added my own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users with <name>@<DOMAIN> format.
> 
> The problem is here in RuleBasedAuthorizationPlugin.java:
> https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153
> 
> Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class, which I added and included in the new plugin class)
> 
> In case we need strict host validations, I added 2 new JSON properties for that:
> 1. { "user-host" : {"<username>" : [<hostnames array>]} }
> 2. {"user-host-regex" : {"<username>" : "hostname-regex"} }
> 
> {{user-host-regex}} has higher precedence than {{user-host}}
> 
> 
> Diffs
> -----
> 
>   ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraKerberosHostValidator.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraKerberosHostValidatorTest.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
>   ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
>   ambari-logsearch/pom.xml 7aeb4a7 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 
> 
> Diff: https://reviews.apache.org/r/56179/diff/
> 
> 
> Testing
> -------
> 
> unit tests done, behavior validated with unit tests. FT: validated with logsearch and atlas as well.
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>


Re: Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

Posted by Sebastian Toader <st...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/#review163992
-----------------------------------------------------------


Ship it!




Ship It!

- Sebastian Toader


On Feb. 2, 2017, 5:23 p.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56179/
> -----------------------------------------------------------
> 
> (Updated Feb. 2, 2017, 5:23 p.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.
> 
> 
> Bugs: AMBARI-19822
>     https://issues.apache.org/jira/browse/AMBARI-19822
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Problem:
> If an ambari cluster is secured and kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and solr user as well)
> 
> Solution:
> Although RuleBasedAuthorizationPlugin seems to be a good solution here to map default users to default permissions, unfortunately permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied to the username and not to the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added my own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users with <name>@<DOMAIN> format.
> 
> The problem is here in RuleBasedAuthorizationPlugin.java:
> https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153
> 
> Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class, which I added and included in the new plugin class)
> 
> In case we need strict host validations, I added 2 new JSON properties for that:
> 1. { "user-host" : {"<username>" : [<hostnames array>]} }
> 2. {"user-host-regex" : {"<username>" : "hostname-regex"} }
> 
> {{user-host-regex}} has higher precedence than {{user-host}}
> 
> 
> Diffs
> -----
> 
>   ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraKerberosHostValidator.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraKerberosHostValidatorTest.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
>   ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
>   ambari-logsearch/pom.xml 7aeb4a7 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 
> 
> Diff: https://reviews.apache.org/r/56179/diff/
> 
> 
> Testing
> -------
> 
> unit tests done, behavior validated with unit tests. FT: validated with logsearch and atlas as well.
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>


Re: Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

Posted by Oliver Szabo <os...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/
-----------------------------------------------------------

(Updated Feb. 2, 2017, 4:23 p.m.)


Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.


Changes
-------

- it's enough to use KerberosName instead of HadoopKerberosName


Bugs: AMBARI-19822
    https://issues.apache.org/jira/browse/AMBARI-19822


Repository: ambari


Description
-------

Problem:
If an Ambari cluster is secured and Kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and the solr user as well).

Solution:
Although RuleBasedAuthorizationPlugin seems to be a good solution here to map default users to default permissions, unfortunately permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied on the username and not on the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added our own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users with <name>@<DOMAIN> format.

The problem is here in RuleBasedAuthorizationPlugin.java:
https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153

Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class which I added and included in the new plugin class)

In case we need strict host validations, I added 2 new JSON properties for that:
1. { "user-host" : {"<username>" : [<hostnames array>]} }
2. {"user-host-regex" : {"<username>" : "hostname-regex"} }

{{user-host-regex}} has higher precedence than {{user-host}}


Diffs (updated)
-----

  ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraKerberosHostValidator.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraKerberosHostValidatorTest.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
  ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
  ambari-logsearch/pom.xml 7aeb4a7 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 

Diff: https://reviews.apache.org/r/56179/diff/


Testing
-------

unit tests done, behavior validated with unit tests. FT: validated with logsearch and atlas as well.


Thanks,

Oliver Szabo


Re: Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

Posted by Oliver Szabo <os...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/
-----------------------------------------------------------

(Updated Feb. 2, 2017, 4:02 p.m.)


Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.


Changes
-------

- add a custom hostname validator (in case hostnames are strict)
- also keep old RuleBasedAuthorizationPlugin behaviour (to get user roles from the userroles map with fully qualified names)


Bugs: AMBARI-19822
    https://issues.apache.org/jira/browse/AMBARI-19822


Repository: ambari


Description (updated)
-------

Problem:
If an Ambari cluster is secured and Kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and the solr user as well).

Solution:
Although RuleBasedAuthorizationPlugin seems to be a good solution here to map default users to default permissions, unfortunately permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied on the username and not on the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added our own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users with <name>@<DOMAIN> format.

The problem is here in RuleBasedAuthorizationPlugin.java:
https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153

Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class which I added and included in the new plugin class)

In case we need strict host validations, I added 2 new JSON properties for that:
1. { "user-host" : {"<username>" : [<hostnames array>]} }
2. {"user-host-regex" : {"<username>" : "hostname-regex"} }

{{user-host-regex}} has higher precedence than {{user-host}}


Diffs (updated)
-----

  ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraKerberosHostValidator.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraKerberosHostValidatorTest.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
  ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
  ambari-logsearch/pom.xml 7aeb4a7 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 

Diff: https://reviews.apache.org/r/56179/diff/


Testing (updated)
-------

unit tests done, behavior validated with unit tests. FT: validated with logsearch and atlas as well.


Thanks,

Oliver Szabo


Re: Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

Posted by Sebastian Toader <st...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/#review163965
-----------------------------------------------------------



In my past experience, if a service runs on multiple hosts in a kerberised environment, each service has its own principal, e.g. service_name/host1@realm, service_name/host2@realm etc. As these are separate principals, authorisation should be granted for each principal separately even though it's the same service. E.g. a service running on host1 is considered to be secure as host1 is in a trusted domain, thus for the service which identifies itself as service/host1@realm more permissions can be granted. If the service is running on host2, which is in an untrusted domain, then for the service which identifies itself as service/host2@realm only limited permission is given.

Authorisation enforced based only on the service name and not the fully qualified principal could lead to a security breach.

- Sebastian Toader


On Feb. 1, 2017, 9:46 p.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56179/
> -----------------------------------------------------------
> 
> (Updated Feb. 1, 2017, 9:46 p.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.
> 
> 
> Bugs: AMBARI-19822
>     https://issues.apache.org/jira/browse/AMBARI-19822
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Problem:
> If an Ambari cluster is secured and Kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and the solr user as well).
> 
> Solution:
> Although RuleBasedAuthorizationPlugin seems to be a good solution here to map default users to default permissions, unfortunately permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied on the username and not on the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added our own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users with <name>@<DOMAIN> format.
> 
> The problem is here in RuleBasedAuthorizationPlugin.java:
> https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153
> 
> Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class which I added and included in the new plugin class)
> 
> 
> Diffs
> -----
> 
>   ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
>   ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
>   ambari-logsearch/pom.xml 7aeb4a7 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 
> 
> Diff: https://reviews.apache.org/r/56179/diff/
> 
> 
> Testing
> -------
> 
> unit tests done, behavior validated with unit tests. other tests (FT) using ranger and atlas are in progress...
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>
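
Sebastian Toader's point above about per-host principals and the user-host / user-host-regex properties from the updated description can be seen together in the sketch below. It is an added example, not the plugin code under review; the class and method names, the sample principals and hostnames, and the choices to deny a rule-covered user whose principal has no host part and to allow users with no rule are all assumptions.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration, not the Ambari plugin's code. Needs Java 9+ (Map.of, List.of).
public class PrincipalHostCheck {

    // A Kerberos principal split into primary[/instance]@REALM.
    static final class Principal {
        final String user;   // primary, e.g. "logsearch"
        final String host;   // instance (hostname), or null when absent
        final String realm;

        Principal(String user, String host, String realm) {
            this.user = user;
            this.host = host;
            this.realm = realm;
        }

        static Principal parse(String raw) {
            int at = raw.lastIndexOf('@');
            if (at <= 0 || at == raw.length() - 1) {
                throw new IllegalArgumentException("not a principal: " + raw);
            }
            String name = raw.substring(0, at);
            String realm = raw.substring(at + 1);
            int slash = name.indexOf('/');
            if (slash < 0) {
                return new Principal(name, null, realm);
            }
            if (slash == 0 || slash == name.length() - 1) {
                throw new IllegalArgumentException("empty component: " + raw);
            }
            // Assumption: hostnames are compared case-insensitively, so normalise here.
            String host = name.substring(slash + 1).toLowerCase(Locale.ROOT);
            return new Principal(name.substring(0, slash), host, realm);
        }

        // Key for the role lookup in name@DOMAIN form, i.e. without the host part.
        String roleKey() {
            return user + "@" + realm;
        }
    }

    // user-host-regex wins over user-host when both name the same user.
    static boolean hostAllowed(Principal p,
                               Map<String, List<String>> userHost,
                               Map<String, String> userHostRegex) {
        String regex = userHostRegex.get(p.user);
        if (regex != null) {
            // Pattern.matches requires the whole hostname to match, so a trusted
            // name used as a prefix of a longer hostname does not pass.
            return p.host != null && Pattern.matches(regex, p.host);
        }
        List<String> hosts = userHost.get(p.user);
        if (hosts != null) {
            return p.host != null && hosts.contains(p.host);
        }
        // Assumption: no rule for this user means host validation is not requested.
        return true;
    }

    public static void main(String[] args) {
        // Constructed configuration and principals, for illustration only.
        Map<String, List<String>> userHost = Map.of(
                "logsearch", List.of("ls1.example.com"),
                "atlas", List.of("atlas1.example.com"));
        Map<String, String> userHostRegex = Map.of(
                "atlas", "atlas[0-9]+\\.example\\.com");

        String[] samples = {
            "logsearch/ls1.example.com@EXAMPLE.COM",          // listed host: allowed
            "logsearch/other.example.net@EXAMPLE.COM",        // unlisted host: denied
            "atlas/atlas7.example.com@EXAMPLE.COM",           // regex wins over the list: allowed
            "atlas/atlas1.example.com.untrusted.test@EXAMPLE.COM", // not a full match: denied
            "logsearch@EXAMPLE.COM",                          // rule exists, no host: denied
            "ranger@EXAMPLE.COM"                              // no rule for ranger: allowed
        };
        for (String raw : samples) {
            Principal p = Principal.parse(raw);
            System.out.printf("%-55s roleKey=%-22s hostAllowed=%b%n",
                    raw, p.roleKey(), hostAllowed(p, userHost, userHostRegex));
        }
    }
}
```

All six principals for a given service share one role key, so the host check is the only thing that distinguishes a service instance on a listed host from one elsewhere.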


Re: Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

Posted by Oliver Szabo <os...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/
-----------------------------------------------------------

(Updated Feb. 1, 2017, 8:46 p.m.)


Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.


Changes
-------

- put plugin jar to the "right" place


Bugs: AMBARI-19822
    https://issues.apache.org/jira/browse/AMBARI-19822


Repository: ambari


Description
-------

Problem:
If an Ambari cluster is secured and Kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and the solr user as well).

Solution:
Although RuleBasedAuthorizationPlugin seems to be a good solution here to map default users to default permissions, unfortunately permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied on the username and not on the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added our own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users with <name>@<DOMAIN> format.

The problem is here in RuleBasedAuthorizationPlugin.java:
https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153

Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class which I added and included in the new plugin class)


Diffs (updated)
-----

  ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
  ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
  ambari-logsearch/pom.xml 7aeb4a7 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 

Diff: https://reviews.apache.org/r/56179/diff/


Testing
-------

unit tests done, behavior validated with unit tests. other tests (FT) using ranger and atlas are in progress...


Thanks,

Oliver Szabo


Re: Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

Posted by Oliver Szabo <os...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/
-----------------------------------------------------------

(Updated Feb. 1, 2017, 8:19 p.m.)


Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.


Changes
-------

- using simple junit instead of solr test case -> it creates a directory on the filesystem, which is not needed at all for these test cases.
- adding noarch to rpm build (safe change: releng checks *.rpm files) -> with that we can build rpms on Mac as well, the build does not need to be OS specific


Bugs: AMBARI-19822
    https://issues.apache.org/jira/browse/AMBARI-19822


Repository: ambari


Description
-------

Problem:
If an Ambari cluster is secured and Kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and the solr user as well).

Solution:
Although RuleBasedAuthorizationPlugin seems to be a good solution here to map default users to default permissions, unfortunately permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied on the username and not on the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added our own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users with <name>@<DOMAIN> format.

The problem is here in RuleBasedAuthorizationPlugin.java:
https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153

Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class which I added and included in the new plugin class)


Diffs (updated)
-----

  ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
  ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
  ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
  ambari-logsearch/pom.xml 7aeb4a7 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
  ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 

Diff: https://reviews.apache.org/r/56179/diff/


Testing
-------

unit tests done, behavior validated with unit tests. other tests (FT) using ranger and atlas are in progress...


Thanks,

Oliver Szabo


Re: Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

Posted by Oliver Szabo <os...@hortonworks.com>.

> On Feb. 1, 2017, 8 p.m., Robert Nettleton wrote:
> > ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java, line 63
> > <https://reviews.apache.org/r/56179/diff/1/?file=1621369#file1621369line63>
> >
> >     Would there be any cases in the future where we might want to make this a pluggable strategy?  
> >     
> >     This current implementation is fine, but I was just wondering if it would be worth the effort to abstract out this operation into an interface, and have the plugin class only handle that.  
> >     
> >     If Solr doesn't provide a way to configure the creation of this plugin instance, then perhaps this wouldn't be helpful anyway.  
> >     
> >     I'm not opening this as an issue, rather I'm just trying to see if this can be more flexible.  If there's no benefit to abstracting out the operation, then this code should stay as-is.

1. We still do not have an ambari-infra module (which would be a good idea, just the assembly module needs to be split, therefore it would be some change on the release eng side ... keeping the code in a different project means more change there as well). We build the solr rpm/deb in the logsearch assembly module, so for now the plugin is in the "right" place (I put that jar into the rpm/deb mappings).
2. The original file uses the Apache license; also I mentioned in the javadoc that it is a modified copy of the file.
3. I tried to just extend the real RuleBasedAuthorizationPlugin, but in the end I would have to implement almost everything, so it would be better to just copy the whole file with a small change.
4. I do not think we should make that strategy pluggable; the reason why I created it is mainly so that we can see what the difference is between that and the real one. Adding pluggable options would be better in the real code itself, but I think that is more like a bug in Solr (with Kerberos).


- Oliver


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/#review163860
-----------------------------------------------------------


On Feb. 1, 2017, 5:16 p.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56179/
> -----------------------------------------------------------
> 
> (Updated Feb. 1, 2017, 5:16 p.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.
> 
> 
> Bugs: AMBARI-19822
>     https://issues.apache.org/jira/browse/AMBARI-19822
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Problem:
> If an Ambari cluster is secured and Kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and the solr user as well).
> 
> Solution:
> Although RuleBasedAuthorizationPlugin seems to be a good solution here to map default users to default permissions, unfortunately permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied on the username and not on the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added our own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users with <name>@<DOMAIN> format.
> 
> The problem is here in RuleBasedAuthorizationPlugin.java:
> https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153
> 
> Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class which I added and included in the new plugin class)
> 
> 
> Diffs
> -----
> 
>   ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
>   ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
>   ambari-logsearch/pom.xml 7aeb4a7 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 
> 
> Diff: https://reviews.apache.org/r/56179/diff/
> 
> 
> Testing
> -------
> 
> unit tests done, behavior validated with unit tests. other tests (FT) using ranger and atlas are in progress...
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>


Re: Review Request 56179: Add infra-solr-plugin for authorization (with Kerberos)

Posted by Robert Nettleton <rn...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56179/#review163860
-----------------------------------------------------------


Ship it!




Overall, this patch looks fine to me. 

In general, I'd prefer to keep from having a copy of a class like this in a separate project, and would prefer to have the Ambari code just subclass/extend the Solr plugin being reused here.  That being said, since the related methods are all private in the Solr auth plugin, that may not be feasible.  

Are we sure that the licensing for this plugin makes it ok to add it to a separate project?  It looks like an Apache license, but it makes sense to verify this during the review. 

Thanks.


ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java (line 63)
<https://reviews.apache.org/r/56179/#comment235342>

    Would there be any cases in the future where we might want to make this a pluggable strategy?  
    
    This current implementation is fine, but I was just wondering if it would be worth the effort to abstract out this operation into an interface, and have the plugin class only handle that.  
    
    If Solr doesn't provide a way to configure the creation of this plugin instance, then perhaps this wouldn't be helpful anyway.  
    
    I'm not opening this as an issue, rather I'm just trying to see if this can be more flexible.  If there's no benefit to abstracting out the operation, then this code should stay as-is.


- Robert Nettleton


On Feb. 1, 2017, 5:16 p.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56179/
> -----------------------------------------------------------
> 
> (Updated Feb. 1, 2017, 5:16 p.m.)
> 
> 
> Review request for Ambari, Miklos Gergely, Robert Nettleton, and Sebastian Toader.
> 
> 
> Bugs: AMBARI-19822
>     https://issues.apache.org/jira/browse/AMBARI-19822
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Problem:
> If an Ambari cluster is secured and Kerberos authentication is used for Solr, we need (default) authorizations as well to make sure only the specific service users (ranger, atlas, logsearch) can access their collections (and the solr user as well).
> 
> Solution:
> Although RuleBasedAuthorizationPlugin seems to be a good solution here to map default users to default permissions, unfortunately permissions and roles use the principal name for mapping (not the username) from the authentication tokens. Also, Solr name rules are applied on the username and not on the principal, therefore we need the fully qualified hostname as well in the role-permission mapping. In order to avoid that issue, I added our own plugin (org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin) to map users with <name>@<DOMAIN> format.
> 
> The problem is here in RuleBasedAuthorizationPlugin.java:
> https://github.com/apache/lucene-solr/blob/releases/lucene-solr/5.5.2/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L153
> 
> Notice that InfraRuleBasedAuthorizationPlugin is only a copy of that file (InfraUserRolesLookupStrategy class which I added and included in the new plugin class)
> 
> 
> Diffs
> -----
> 
>   ambari-logsearch/ambari-infra-solr-plugin/pom.xml PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraRuleBasedAuthorizationPlugin.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/main/java/org.apache.ambari.infra.security/InfraUserRolesLookupStrategy.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraRuleBasedAuthorizationPluginTest.java PRE-CREATION 
>   ambari-logsearch/ambari-infra-solr-plugin/src/test/java/org/apache/ambari/infra/security/InfraUserRolesLookupStrategyTest.java PRE-CREATION 
>   ambari-logsearch/ambari-logsearch-assembly/pom.xml c486050 
>   ambari-logsearch/pom.xml 7aeb4a7 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 526baea 
>   ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 d8aea24 
> 
> Diff: https://reviews.apache.org/r/56179/diff/
> 
> 
> Testing
> -------
> 
> unit tests done, behavior validated with unit tests. other tests (FT) using ranger and atlas are in progress...
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>