Posted to dev@atlas.apache.org by "Nixon Rodrigues (JIRA)" <ji...@apache.org> on 2017/02/06 13:22:42 UTC

[jira] [Assigned] (ATLAS-1508) Make AtlasADAuthenticationProvider like Ranger ADLdap Methods

     [ https://issues.apache.org/jira/browse/ATLAS-1508?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nixon Rodrigues reassigned ATLAS-1508:
--------------------------------------

    Assignee: Nixon Rodrigues

> Make AtlasADAuthenticationProvider like Ranger ADLdap Methods
> -------------------------------------------------------------
>
>                 Key: ATLAS-1508
>                 URL: https://issues.apache.org/jira/browse/ATLAS-1508
>             Project: Atlas
>          Issue Type: Improvement
>          Components: atlas-webui
>    Affects Versions: 0.7-incubating, 0.7.1-incubating
>         Environment: Active Directory with Global Catalog
> HDP 2.5.3.x
>            Reporter: Greg Senia
>            Assignee: Nixon Rodrigues
>         Attachments: ATLAS-1508.patch
>
>
> After upgrading to HDP 2.5.3.x from HDP 2.4.x we noticed Kerberos authentication for the UI no longer works. So we switched to utilize Active Directory and noticed that with ActiveDirectory it was attempting to use UPN, which is risky in a large Active Directory environment; instead samAccountName should be used, like in https://issues.apache.org/jira/browse/RANGER-457. I worked on a previous JIRA with Zeppelin, https://issues.apache.org/jira/browse/ZEPPELIN-1472. So this has been addressed in Knox, Ranger, and Zeppelin. I propose the attached fix to address this issue as the Ranger folks addressed this issue. Without this Atlas will not function in a large multi-forest Active Directory environment.
> Details behind this change:
> In our environment we attempted to use the ActiveDirectory and LDAP configuration but unfortunately those implementations do not support ADLDAP Global Catalog correctly. Also searching on "userPrincipalName" is risky in an AD environment since the explicit UPN vs. implicit UPN can be different. And the LDAP userPrincipalName attribute is the explicit UPN, which can be defined by the directory administrator to any value and can be duplicated. SamAccountName is unique per domain and Microsoft states best practice is to not allow duplicate samAccountNames in the forest. I have attached a working modified AtlasADAuthenticationProvider which works against samAccountName and global catalog for auth as it is currently working against HDP 2.5.3.x and Atlas 0.7.x.
> Info about IUPN/EUPN
> http://windowsitpro.com/active-directory/q-does-samaccountname-object-have-be-unique-active-directory-domain-or-entire-fores
> https://jorgequestforknowledge.wordpress.com/2010/10/12/user-principal-names-in-ad-part-1/
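
The change the reporter describes, shown as an added example that is not the Atlas code or the attached ATLAS-1508.patch: an AD authenticator built on Spring Security's ActiveDirectoryLdapAuthenticationProvider (assumed here as the underlying class; Spring Security 4.x API) that resolves the bound user by sAMAccountName instead of the default userPrincipalName search and talks to the forest Global Catalog. The domain, Global Catalog URL and search base are placeholders.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

/**
 * Illustrative AD authenticator (not Atlas's AtlasADAuthenticationProvider).
 *
 * Spring Security's default user search is
 *   (&(objectClass=user)(userPrincipalName={0}))
 * where {0} is the bind principal (user@domain). userPrincipalName is the
 * explicit UPN, which an administrator can set to any value and which can be
 * duplicated. sAMAccountName is unique within a domain, so the filter below
 * searches on it using {1}, the bare login name the user typed.
 */
public class SamAccountNameAdAuthenticator {

    private static final String SAM_ACCOUNT_FILTER =
            "(&(objectClass=user)(sAMAccountName={1}))";

    private final ActiveDirectoryLdapAuthenticationProvider provider;

    /**
     * @param domain     AD domain used to form the bind principal, e.g. "example.com" (placeholder)
     * @param gcUrl      Global Catalog endpoint; GC listens on 3268 (LDAP) / 3269 (LDAPS),
     *                   e.g. "ldaps://gc.example.com:3269" (placeholder)
     * @param searchBase search root; "" searches the whole forest via the GC,
     *                   a domain DN restricts the search to that domain
     */
    public SamAccountNameAdAuthenticator(String domain, String gcUrl, String searchBase) {
        this.provider = new ActiveDirectoryLdapAuthenticationProvider(domain, gcUrl, searchBase);
        this.provider.setSearchFilter(SAM_ACCOUNT_FILTER);
        // Map AD sub-error codes (locked, expired, disabled) to distinct exceptions
        // so operators can tell a bad password from an account-state problem.
        this.provider.setConvertSubErrorCodesToExceptions(true);
    }

    /** Binds as username@domain, then looks the account up by sAMAccountName. */
    public Authentication authenticate(String username, String password) {
        return provider.authenticate(
                new UsernamePasswordAuthenticationToken(username, password));
    }
}
```

Because the Global Catalog holds only the partial attribute set, attributes needed later (group membership, display name) must be in that set or fetched from the user's home domain controller.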



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)