[
https://issues.apache.org/jira/browse/ATLAS-1508?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Greg Senia updated ATLAS-1508:
------------------------------
Attachment: ATLAS-1508.2.patch
> Make AtlasADAuthenticationProvider like Ranger ADLdap Methods
> -------------------------------------------------------------
>
> Key: ATLAS-1508
> URL: https://issues.apache.org/jira/browse/ATLAS-1508
> Project: Atlas
> Issue Type: Improvement
> Components: atlas-webui
> Affects Versions: 0.7-incubating, 0.7.1-incubating
> Environment: Active Directory with Global Catalog
> HDP 2.5.3.x
> Reporter: Greg Senia
> Assignee: Nixon Rodrigues
> Attachments: ATLAS-1508.patch
>
>
> After upgrading to HDP 2.5.3.x from HDP 2.4.x we noticed Kerberos
> authentication for the UI no longer works. So we switched to utilize Active
> Directory and noticed that with Active Directory it was attempting to use UPN,
> which is risky in a large Active Directory environment; instead samAccountName
> should be used, as in https://issues.apache.org/jira/browse/RANGER-457. I
> worked on a previous JIRA with Zeppelin,
> https://issues.apache.org/jira/browse/ZEPPELIN-1472. So this has been
> addressed in Knox, Ranger, and Zeppelin. I propose the attached fix to
> address this issue as the Ranger folks addressed this issue. Without this,
> Atlas will not function in a large multi-forest Active Directory environment.
> Details behind this change:
> In our environment we attempted to use the Active Directory and LDAP
> configuration, but unfortunately those implementations do not support ADLDAP
> Global Catalog correctly. Also, searching on "userPrincipalName" is risky in
> an AD environment since the explicit UPN vs. implicit UPN can be different,
> and the LDAP userPrincipalName attribute is the explicit UPN, which can be
> defined by the directory administrator to any value and can be
> duplicated. SamAccountName is unique per domain, and Microsoft states best
> practice is to not allow duplicate samAccountNames in the forest. I have
> attached a working modified AtlasADAuthenticationProvider which works against
> samAccountName and global catalog for auth, as it is currently working against
> HDP 2.5.3.x and Atlas 0.7.x.
> Info about IUPN/EUPN
> http://windowsitpro.com/active-directory/q-does-samaccountname-object-have-be-unique-active-directory-domain-or-entire-fores
> https://jorgequestforknowledge.wordpress.com/2010/10/12/user-principal-names-in-ad-part-1/
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
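The lookup the ticket argues for (search the Global Catalog on sAMAccountName rather than userPrincipalName), written out as an added Python example; this is not the attached patch or Atlas's own code. The port constant, the login-name normalisation and the keys of the returned dictionary are assumptions for illustration, and the filter value is escaped so that a login name cannot alter the search filter.

```python
# Added example (not Atlas code): build the AD user lookup described in the
# ticket. Assumed: the login may arrive as DOMAIN\user or user@realm and
# only the bare sAMAccountName is matched; the Global Catalog is queried so a
# forest-wide search works without knowing the user's home domain.

GLOBAL_CATALOG_PORT = 3268  # Global Catalog over plain LDAP; 3269 is the TLS port

# RFC 4515 escaping for values placed inside a search filter. Without it a
# login such as "*" or "x)(objectClass=*" would change the filter's meaning.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape the characters that have meaning in an LDAP filter assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def to_sam_account_name(login: str) -> str:
    """Reduce 'DOMAIN\\user' or 'user@realm' to the bare sAMAccountName.

    The ticket notes the explicit UPN is admin-defined and may be duplicated,
    so any realm suffix is dropped rather than used for matching (assumption).
    """
    login = login.strip()
    if "\\" in login:
        login = login.rsplit("\\", 1)[1]
    if "@" in login:
        login = login.split("@", 1)[0]
    if not login:
        raise ValueError("empty login name")
    return login


def build_user_search(login: str, forest_base_dn: str) -> dict:
    """Return the Global Catalog search used to locate the account (hypothetical keys)."""
    sam = to_sam_account_name(login)
    return {
        "port": GLOBAL_CATALOG_PORT,
        "base_dn": forest_base_dn,  # forest root: the GC holds a partial replica of every domain
        "scope": "subtree",
        "filter": f"(&(objectClass=user)(sAMAccountName={escape_filter_value(sam)}))",
        "attributes": ["sAMAccountName", "memberOf"],
    }


if __name__ == "__main__":
    print(build_user_search("CORP\\jdoe", "DC=corp,DC=example,DC=com"))
```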