
Apache Kylin : Analytical Data Warehouse for Big Data


...

  1. Convenience of modification (if you are not using LDAP)
    1. Previously, you had to know how to use Spring Security.
    2. Previously, you had to use the Linux shell to manipulate user information/credentials in XML. Now, you can do these jobs in the web UI.
  2. Centralized storage (if you are not using LDAP)
    1. Previously, you had to modify all related user information/credentials on every Kylin instance. Now they are stored in Kylin's metastore.
    2. Previously, you had to encrypt user passwords yourself. Now they are encrypted automatically.
  3. No breaking change; compatible with LDAP.
    1. We suggest you continue to use LDAP for authentication and authorization if you already have such infrastructure (an LDAP service) in your company.
  4. The code change can be found at KYLIN-4122 (ASF JIRA).

Original User Management Implementation

// By Yaqian

New User Management Implementation introduced in 3.0.0-beta

...

User Management

This chapter introduces what a user is and how a user can be managed.

About Users

To use Kylin, a user must log in to the system using a user name and the corresponding password. Every user is unique in a Kylin instance, which is to say, it is not necessary to create the same user for every project in a single instance.
By default, Kylin initializes three users, namely `ADMIN`, `MODELER` and `ANALYST`. The user `ADMIN` is a built-in system administrator, and the system administrator has all the permissions of the entire system.

...

After the system administrator logs in to Kylin, click the *System* button in the navigation bar to enter the system management page, and click the *User* field to enter the User Management page.

...

On the User Management page, the system administrator can click the *+Users* button to add new users. In the pop-up window, fill in the user name and password, confirm the new password, select whether the user role is a system administrator or a normal user, and click *Ok*.

Edit a user role

On the User Management page, click *Action* --> *...* --> *Edit Role*. In the pop-up window, the system administrator can modify the user's role.

Delete a user

On the User Management page, click *Action* --> *...* --> *Drop*. The system administrator confirms the deletion in the prompt window. A user cannot be restored after deletion, and the user's access permissions on all projects will be removed.

...

On the User Management page, click *Action* --> *...* --> *Enable/Disable*. The system administrator can enable or disable a user, and disabled users cannot log in to the system.

Reset password for

...

user

Click <username\>-->Setup

...

On the User Management page, click *Action* --> *Reset Password*.
In the pop-up window, the system administrator can change the password and needs to enter the new password twice.
The initial ADMIN account password needs to be modified after the first login. To restore the initial password, you can execute the following command:
```sh
$KYLIN_HOME/bin/kylin.sh admin-password-reset
```

Reset password for non-admin

Click *<username>* --> *Setup* in the top right corner of the navigation bar. In the pop-up window, the user can reset the password by providing the old password and entering the new password twice.

Assign

...

To assign a user to a group, do the following:
1. On the User Management page, select a user to be grouped.
2. Click *Action* --> *...* --> *Group Membership*.
3. Select a group to assign the user to under *Group to be selected*, and then click the right arrow. The group will enter *Checked Groups*.
4. Click *Save* and the user will be in the selected group.

Modify user's group membership

To modify a user's group, do the following:
1. On the User Management page, select the user whose group membership is to be modified.
2. Click *Action* --> *...* --> *Group Membership*.
3. Select the group to be modified under *Checked Group*, and then click the left arrow. The group will move to *Group to be selected*.
4. Click *Save* and the user's group membership will be modified.

...

This chapter provides an overview of what a user group is and how a user group can be managed. User Group is equivalent to ROLE.

About User Group

A user group is a collection of users, and users in a user group share the same ACL. By default, Kylin initializes four user groups, namely ALL_USERS, ROLE_ADMIN, ROLE_ANALYST, and ROLE_MODELER. ALL_USERS is the default user group, and all users are included in it. The ALL_USERS user group cannot be modified or deleted. System administrators can add or remove users in user groups except ALL_USERS, or add a user to multiple groups except ALL_USERS. User groups cannot be renamed throughout the Kylin instance.

About User Group Permissions

The system administrator can grant project-level/row-level/table-level/column-level access permissions to a user group. When a user group has been granted project-level/row-level/table-level/column-level permissions, users in this group will inherit the corresponding permissions from the group.

When both a user and his/her user group are granted access permissions at project level, Kylin will take the highest permission for this user. For example, if User A is granted *Query* permission on a project, while his/her user group is granted *Management* permission, then User A will have management permission on this project.

If row-level/table-level/column-level access permissions of a user group have been revoked, users in this group will lose the corresponding permissions. If a user group is forbidden to access a table/row/column, while a user in this group is allowed to access the table/row/column, then the user is prohibited from accessing the table/row/column, and vice versa.

The permissions set for a user and for the user groups the user belongs to apply to the user simultaneously. For instance, if a user group is forbidden to access Table A and a user in this group is prohibited from accessing Table B, then the user is not allowed to access either Table A or Table B.

When a user belongs to multiple groups, the user will inherit the project-level permissions from the groups he/she belongs to. The row-level or column-level permissions the user inherits from different groups will be combined with logical operator AND.

For example, if user A belongs to two groups, North_Region and East_Region, and the two groups have been restricted to the row-level permissions Region='North' and Region='East' respectively, then user A will inherit the two row-level permissions and the logical relation between them is AND, i.e. Region='North' AND Region='East'.

If user A belongs to two groups, North_Region and East_Region, and the two groups have been limited by column-level permissions, that is, group North_Region cannot access column East_sales and group East_Region cannot access column North_sales, then user A can access neither column.
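The resolution rules described in this section, modelled as an added example (this is not Kylin's own code). The `Grant` class, the ordering in `PROJECT_LEVELS`, the table names and the sample rows are assumptions made for illustration, and the sketch treats the user's own restrictions the same way as group restrictions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Lowest to highest. Only Query and Management are named on the page;
# treating them as an ordered list is an assumption of this sketch.
PROJECT_LEVELS = ["QUERY", "MANAGEMENT"]

@dataclass
class Grant:
    """Permissions attached to one principal (a user or a user group)."""
    project: Optional[str] = None                      # project-level permission
    denied_tables: set = field(default_factory=set)
    denied_columns: set = field(default_factory=set)
    row_filters: list = field(default_factory=list)    # (column, required value)

def effective(user, groups):
    """Resolve a user's effective permissions from their own grant plus all groups."""
    principals = [user, *groups]
    levels = [p.project for p in principals if p.project]
    return Grant(
        # Project level: the highest permission among user and groups wins.
        project=max(levels, key=PROJECT_LEVELS.index) if levels else None,
        # Table/column level: a denial on the user or on any group applies.
        denied_tables=set().union(*(p.denied_tables for p in principals)),
        denied_columns=set().union(*(p.denied_columns for p in principals)),
        # Row level: every inherited filter must hold (logical AND).
        row_filters=[f for p in principals for f in p.row_filters],
    )

def visible_rows(rows, grant):
    """Apply the ANDed row filters, then strip denied columns."""
    return [
        {k: v for k, v in row.items() if k not in grant.denied_columns}
        for row in rows
        if all(row.get(col) == val for col, val in grant.row_filters)
    ]

# Constructed sample data mirroring the page's examples.
ROWS = [
    {"Region": "North", "North_sales": 120, "East_sales": 0},
    {"Region": "East", "North_sales": 0, "East_sales": 95},
]
USER_A = Grant(project="QUERY", denied_tables={"TABLE_B"})
MANAGERS = Grant(project="MANAGEMENT", denied_tables={"TABLE_A"})
NORTH = Grant(row_filters=[("Region", "North")], denied_columns={"East_sales"})
EAST = Grant(row_filters=[("Region", "East")], denied_columns={"North_sales"})
```

With both region groups applied, `visible_rows` returns no rows at all, because no row satisfies Region='North' AND Region='East'; this is worth checking before adding a user to a second row-restricted group.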

Manage user groups

Click *System* --> *Group* in the navigation bar to enter the User Group Management page.

...

On the User Group Management page, click the *+ Group* button to create a new group. In the pop-up window, the system administrator can fill in the group name and click *Save* to save a new user group.

...

On the User Group Management page, click *Action* --> *Delete*. In the pop-up window, the system administrator can confirm the deletion of a user group. Once a user group is deleted, the users in this user group are not deleted, and the permissions granted to this user group are removed.

...

1. On the User Group Management page, select the user group to assign users to.
2. Click *Action* --> *Assign Users*.
3. In the pop-up window, check the users who need to be assigned to the group and click the *right arrow ( > )*. The users will move to *Assigned User*.
4. Click *Save* and the users will be assigned to this group.

Discussion

  1. Security of the password encryption algorithm? // By Yaqian