Posted to issues@ambari.apache.org by "Raghavender Rao Guruvannagari (JIRA)" <ji...@apache.org> on 2018/01/23 15:34:00 UTC

[jira] [Comment Edited] (AMBARI-22831) Ambari Hive view 2.0 will not show Ranger Authorization if logged in AD Usernames are Uppercase

    [ https://issues.apache.org/jira/browse/AMBARI-22831?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16335922#comment-16335922 ] 

Raghavender Rao Guruvannagari edited comment on AMBARI-22831 at 1/23/18 3:33 PM:
---------------------------------------------------------------------------------

-->All the AD users in the customer environment are upper case (e.g. B0001234) and Ranger privileges are enforced based on this upper case username.
 -->While syncing the user name from AD, Ambari converts it to all lowercase when updating the DB. (As per changes with AMBARI-17383)
 -->When user B0001234 tries to access Hive view 2.0, the actual username is fetched from AD, which is B0001234 (but the Ambari user is identified as b0001234).

Due to this behavior, a user who logs in as b0001234 cannot access the 'Authorization' tab in Hive view 2.0. The error we see:
{code:java}
Message: User B0001234 does not have privilege to access the table authorization information 
Error Code: NOT_OPERATOR_OR_ADMIN

{code}
The Ambari API is not able to correctly return the privilege of the user "B0001234" because the actual user name synced in Ambari is b0001234 and all privileges are assigned to this user.

Here is the code that handles this behavior

==== Checking the user privileges with "authChecker.isOperator"

/AMBARI-2.5.1.1/ambari/contrib/views/hive20/src/main/java/org/apache/ambari/view/hive20/resources/system/ranger/RangerService.java
{code:java}
public class RangerService {
  [...]
  public List<Policy> getPolicies(String database, String table) {

    if (context.getCluster() == null) {
      return getPoliciesFromNonAmbariCluster(database, table);
    } else {
      if (!authChecker.isOperator()) {
        LOG.error("User is not authorized to access the table authorization information");
        throw new RangerException("User " + context.getUsername() + " does not have privilege to access the table authorization information", "NOT_OPERATOR_OR_ADMIN", 400);
      }
      return getPoliciesFromAmbariCluster(database, table);
    }

  }
{code}
 

-->"authChecker.isOperator" is using the API defined with "AMBARI_OR_CLUSTER_ADMIN_PRIVILEGE_URL" variable.

AMBARI-2.5.1.1/ambari/contrib/views/hive20/src/main/java/org/apache/ambari/view/hive20/utils/AuthorizationChecker.java
{code:java}
public class AuthorizationChecker {
  protected final Logger LOG = LoggerFactory.getLogger(getClass());
  private static final String AMBARI_OR_CLUSTER_ADMIN_PRIVILEGE_URL = "/api/v1/users/%s?privileges/PrivilegeInfo/permission_name=AMBARI.ADMINISTRATOR|" +
    "(privileges/PrivilegeInfo/permission_name.in(CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR)&privileges/PrivilegeInfo/cluster_name=%s)";

  private final ViewContext viewContext;
  private final AmbariApi ambariApi;
{code}
-->Based on the above API, if we try to identify the privileges for B0001234, we won't get any results. As no privilege info is returned for the user B0001234, the Authorization tab on Hive view 2.0 throws the error "NOT_OPERATOR_OR_ADMIN":
{code:java}
$ curl -u admin:admin 'http://sec-lab1.raghav.com:8080/api/v1/users/B0001234?privileges/PrivilegeInfo/permission_name=AMBARI.ADMINISTRATOR|(privileges/PrivilegeInfo/permission_name.in(CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR)&privileges/PrivilegeInfo/cluster_name=seclab)' 
{code}
-->However, the same API, when used with the 'b0001234' user name, shows the appropriate privileges for the user b0001234.
{code:java}
$ curl -u admin:admin 'http://sec-lab1.raghav.com:8080/api/v1/users/b0001234?privileges/PrivilegeInfo/permission_name=AMBARI.ADMINISTRATOR|(privileges/PrivilegeInfo/permission_name.in(CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR)&privileges/PrivilegeInfo/cluster_name=seclab)' 
{
  "href" : "http://sec-lab1.raghav.com:8080/api/v1/users/b0001234?privileges/PrivilegeInfo/permission_name=AMBARI.ADMINISTRATOR|(privileges/PrivilegeInfo/permission_name.in(CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR)&privileges/PrivilegeInfo/cluster_name=seclab)",
  "Users" : {
    "user_name" : "b0001234"
  },
  "privileges" : [
    {
      "href" : "http://sec-lab1.raghav.com:8080/api/v1/users/b0001234/privileges/202",
      "PrivilegeInfo" : {
        "permission_name" : "AMBARI.ADMINISTRATOR",
        "privilege_id" : 202,
        "user_name" : "b0001234"
      }
    }
  ]
}
{code}
 

If the user table in the DB is updated with the uppercase username 'B0001234' and the roles are assigned from the Ambari UI, then user 'B0001234' can access the Authorization tab in Hive view 2.0.


was (Author: rguruvannagari):
-->All the AD users in the customer environment are upper case (e.g. B0001234) and Ranger privileges are enforced based on this upper case username.
-->While syncing the user name from AD, Ambari converts it to all lowercase when updating the DB. (As per changes with AMBARI-17383)
-->When user B0001234 tries to access Hive view 2.0, the actual username is fetched from AD, which is B0001234 (but the Ambari user is identified as b0001234).

Due to this behavior, a user who logs in as b0001234 cannot access the 'Authorization' tab in Hive view 2.0. The error we see:
{code:java}
Message: User B0001234 does not have privilege to access the table authorization information 
Error Code: NOT_OPERATOR_OR_ADMIN

{code}

Ambari is not able to map the privilege to the user "B0001234" because the actual user name synced in Ambari is b0001234 and all privileges are assigned to this user.

Here is the code that handles this behavior

==== Checking the user privileges with "authChecker.isOperator"

/AMBARI-2.5.1.1/ambari/contrib/views/hive20/src/main/java/org/apache/ambari/view/hive20/resources/system/ranger/RangerService.java

{code:java}
public class RangerService {
  [...]
  public List<Policy> getPolicies(String database, String table) {

    if (context.getCluster() == null) {
      return getPoliciesFromNonAmbariCluster(database, table);
    } else {
      if (!authChecker.isOperator()) {
        LOG.error("User is not authorized to access the table authorization information");
        throw new RangerException("User " + context.getUsername() + " does not have privilege to access the table authorization information", "NOT_OPERATOR_OR_ADMIN", 400);
      }
      return getPoliciesFromAmbariCluster(database, table);
    }

  }
{code}

 

-->"authChecker.isOperator" is using the API defined with "AMBARI_OR_CLUSTER_ADMIN_PRIVILEGE_URL" variable.

AMBARI-2.5.1.1/ambari/contrib/views/hive20/src/main/java/org/apache/ambari/view/hive20/utils/AuthorizationChecker.java 
{code:java}
public class AuthorizationChecker {
  protected final Logger LOG = LoggerFactory.getLogger(getClass());
  private static final String AMBARI_OR_CLUSTER_ADMIN_PRIVILEGE_URL = "/api/v1/users/%s?privileges/PrivilegeInfo/permission_name=AMBARI.ADMINISTRATOR|" +
    "(privileges/PrivilegeInfo/permission_name.in(CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR)&privileges/PrivilegeInfo/cluster_name=%s)";

  private final ViewContext viewContext;
  private final AmbariApi ambariApi;
{code}


-->Based on the above API, if we try to identify the privileges for B0001234, we won't get any results. As no privilege info is returned for the user B0001234, the Authorization tab on Hive view 2.0 throws the error "NOT_OPERATOR_OR_ADMIN":

{code:java}
$ curl -u admin:admin 'http://sec-lab1.raghav.com:8080/api/v1/users/B0001234?privileges/PrivilegeInfo/permission_name=AMBARI.ADMINISTRATOR|(privileges/PrivilegeInfo/permission_name.in(CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR)&privileges/PrivilegeInfo/cluster_name=seclab)' 
{code}


-->However, the same API, when used with the 'b0001234' user name, shows the appropriate privileges for the user b0001234.
{code:java}
$ curl -u admin:admin 'http://sec-lab1.raghav.com:8080/api/v1/users/b0001234?privileges/PrivilegeInfo/permission_name=AMBARI.ADMINISTRATOR|(privileges/PrivilegeInfo/permission_name.in(CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR)&privileges/PrivilegeInfo/cluster_name=seclab)' 
{
  "href" : "http://sec-lab1.raghav.com:8080/api/v1/users/b0001234?privileges/PrivilegeInfo/permission_name=AMBARI.ADMINISTRATOR|(privileges/PrivilegeInfo/permission_name.in(CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR)&privileges/PrivilegeInfo/cluster_name=seclab)",
  "Users" : {
    "user_name" : "b0001234"
  },
  "privileges" : [
    {
      "href" : "http://sec-lab1.raghav.com:8080/api/v1/users/b0001234/privileges/202",
      "PrivilegeInfo" : {
        "permission_name" : "AMBARI.ADMINISTRATOR",
        "privilege_id" : 202,
        "user_name" : "b0001234"
      }
    }
  ]
}
{code}

 

If the user table in the DB is updated with the uppercase username 'B0001234' and the roles are assigned from the Ambari UI, then user 'B0001234' can access the Authorization tab in Hive view 2.0.

> Ambari Hive view 2.0 will not show Ranger Authorization if logged in AD Usernames are Uppercase
> -----------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-22831
>                 URL: https://issues.apache.org/jira/browse/AMBARI-22831
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-views
>    Affects Versions: 2.6.2
>            Reporter: Raghavender Rao Guruvannagari
>            Priority: Major
>
> In the customer environment, all the AD users log in with uppercase and Ranger authorization is set considering uppercase usernames.
> When an AD user (who already has Admin privileges) accesses Ambari Hive view 2.0, it errors out with the below exception.
> {code:java}
> Message: User B0001234 does not have privilege to access the table authorization information 
> Error Code: NOT_OPERATOR_OR_ADMIN 
> {code}
> -->Although user B0001234 is admin user.
> {code:java}
> $ curl -u admin:admin 'http://sec-lab1.raghav.com:8080/api/v1/users/b0001234?privileges/PrivilegeInfo/permission_name=AMBARI.ADMINISTRATOR|(privileges/PrivilegeInfo/permission_name.in(CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR)&privileges/PrivilegeInfo/cluster_name=seclab)' 
> { 
> "href" : "http://sec-lab1.raghav.com:8080/api/v1/users/b0001234?privileges/PrivilegeInfo/permission_name=AMBARI.ADMINISTRATOR|(privileges/PrivilegeInfo/permission_name.in(CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR)&privileges/PrivilegeInfo/cluster_name=seclab)", 
> "Users" : { 
> "user_name" : "b0001234" 
> }, 
> "privileges" : [ 
> { 
> "href" : "http://sec-lab1.raghav.com:8080/api/v1/users/b0001234/privileges/202", 
> "PrivilegeInfo" : { 
> "permission_name" : "AMBARI.ADMINISTRATOR", 
> "privilege_id" : 202, 
> "user_name" : "b0001234" 
> } 
> } 
> ] 
> } 
> {code}
>  
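
The mismatch reported in the comment above, as an added example that is not part of the original message and is not Ambari code: the sync stores user names in one canonical (lowercased) form, so a privilege lookup keyed on the raw directory name finds nothing, while a lookup that applies the same canonical form succeeds. The class and method names, the in-memory user table and the second user B0005678 are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

// Added illustration: every class and method name here is hypothetical, not Ambari code.
public class PrivilegeLookupDemo {
    static final class Privilege {
        final String permission, cluster; // cluster is null for Ambari-wide roles
        Privilege(String permission, String cluster) { this.permission = permission; this.cluster = cluster; }
    }

    // Constructed stand-in for the users table that the directory sync populates.
    static final Map<String, List<Privilege>> USERS = new HashMap<>();

    // One canonical form shared by the write path and the read path. Locale.ROOT
    // keeps the result independent of the JVM default locale (e.g. Turkish dotless i).
    static String canonical(String name) { return name.toLowerCase(Locale.ROOT); }

    // Models the sync step: the directory name is lowercased before it is stored.
    static void sync(String directoryName, Privilege p) {
        USERS.computeIfAbsent(canonical(directoryName), k -> new ArrayList<>()).add(p);
    }

    // Same predicate as the URL filter quoted in the comment: AMBARI.ADMINISTRATOR,
    // or CLUSTER.ADMINISTRATOR / CLUSTER.OPERATOR on the named cluster.
    static boolean isOperator(String lookupKey, String cluster) {
        for (Privilege p : USERS.getOrDefault(lookupKey, Collections.emptyList())) {
            if (p.permission.equals("AMBARI.ADMINISTRATOR")) return true;
            boolean clusterRole = p.permission.equals("CLUSTER.ADMINISTRATOR")
                    || p.permission.equals("CLUSTER.OPERATOR");
            if (clusterRole && cluster.equals(p.cluster)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        sync("B0001234", new Privilege("AMBARI.ADMINISTRATOR", null));
        sync("B0005678", new Privilege("CLUSTER.OPERATOR", "seclab")); // constructed second user
        String fromDirectory = "B0001234"; // name as the view context reports it
        // Lookup keyed on the raw directory name, as in the failing request.
        System.out.println("raw key:       " + isOperator(fromDirectory, "seclab"));
        // Lookup keyed on the canonical form used at sync time.
        System.out.println("canonical key: " + isOperator(canonical(fromDirectory), "seclab"));
        // A cluster-scoped role checked against a different cluster name.
        System.out.println("other cluster: " + isOperator(canonical("B0005678"), "other"));
    }
}
```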


