Uploaded image for project: 'Ambari'
  1. Ambari
  2. AMBARI-11350

Finer-grained role AuthZ for Ambari Users

    XMLWordPrintableJSON

Details

    • Ambari role-based access control

    Description

      Ambari currently integrates with external authentication systems and is able to authenticate users using enterprise-wide LDAP systems, such as Active Directory, OpenLDAP, and Apache Directory Service. However, more flexibility is now needed to allow for those authenticated users to be segmented into more granular roles. These roles allow Ambari-level administrators to create different levels of cluster-level administrators to manage certain administrative operations that need to be performed on a cluster. This effectively spreads out the responsibilities of managing a cluster while not handing over total control of the Ambari management facility.

      Ambari to provide role-based access controls beyond today's Ambari Admin, Operator and Read-Only permissions.

      Role Description
      Cluster User (was Read-only) This exists as of Ambari 1.7.0. Read-only view of cluster information, including configurations, service status and health alerts
      Service Operator Provides control of service lifecycle (start/stop/restart/decomm/recom)
      Service Administrator Service Operator + ability to re-configure (change/compare/revert), configure HA
      Cluster Operator Service Administrator + add/remove hosts and components (for existing services)
      Cluster Administrator Cluster Operator + enable/disable kerberos, modify alerts, add service, perform upgrade (renamed from Operator)
      Administrator This exists as of Ambari 1.7.0. Full cluster control + manage user, groups and views and this flag is applicable to any user regardless of Role

      Each role is to have permissions as shown below:

        Cluster
      User
      Service
      Operator
      Service
      Administrator
      Cluster
      Operator
      Cluster
      Administrator
      Administrator
      Service-level Permissions
      View metrics
      View status information
      View configurations
      Compare configurations
      View alerts
      Start/Stop/Restart Service  
      Decommission/recommission  
      Run service checks  
      Turn on/off maintenance mode  
      Perform service-specific tasks  
      Modify configurations    
      Manage configuration groups    
      Move to another host    
      Enable/disable alerts    
      Enable HA    
      Add Service to cluster        
      Host-level Permissions
      View metrics
      View status information
      View configuration
      Turn on/off maintenance mode      
      Install components      
      Add/Delete hosts      
      Cluster-level Permissions
      View metrics
      View status information
      View configuration
      View stack version details
      View alerts
      Enable/disable alerts        
      Enable/disable Kerberos        
      Upgrade/downgrade stack        
      Ambari-level Permissions
      Create new clusters          
      Set service users and groups          
      Rename clusters          
      Manage users          
      Manage groups          
      Manage Ambari Views          
      Assign permissions/roles          
      Manage stack versions          
      Edit stack repository URLs          

      NOTE: AmbariRole-basedAccessControl.pdf claims the RBAC update is available in Ambari 2.2.0, however it was not implemented until Ambari 2.3.0 and further.

      Attachments

        1. AmbariRole-basedAccessControl.pdf
          420 kB
          Robert Levas

        Activity

          People

            rlevas Robert Levas
            sposetti Jeff Sposetti
            Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: