AMBARI-14141. Enforce granular role-based access control for alert functions (rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/f7ec3bc8 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/f7ec3bc8 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/f7ec3bc8 Branch: refs/heads/branch-rbac-sso Commit: f7ec3bc89d0889792c3397dda5dcee2ae85b6ff4 Parents: 5108e18 Author: Robert Levas <[email protected]> Authored: Thu Dec 17 13:49:58 2015 -0500 Committer: Robert Levas <[email protected]> Committed: Thu Dec 17 13:49:58 2015 -0500 ---------------------------------------------------------------------- .../AbstractControllerResourceProvider.java | 26 +- .../AlertDefinitionResourceProvider.java | 86 ++-- .../internal/AlertGroupResourceProvider.java | 46 ++- .../internal/AlertHistoryResourceProvider.java | 43 ++ .../internal/AlertNoticeResourceProvider.java | 33 +- .../internal/AlertResourceProvider.java | 45 ++- .../internal/AlertResourceProviderUtils.java | 403 +++++++++++++++++++ .../internal/AlertTargetResourceProvider.java | 27 +- .../internal/DefaultProviderModule.java | 2 +- .../AmbariAuthorizationFilter.java | 10 +- .../authorization/RoleAuthorization.java | 2 + .../server/upgrade/UpgradeCatalog230.java | 12 +- .../main/resources/Ambari-DDL-MySQL-CREATE.sql | 18 +- .../main/resources/Ambari-DDL-Oracle-CREATE.sql | 16 +- .../resources/Ambari-DDL-Postgres-CREATE.sql | 16 +- .../Ambari-DDL-Postgres-EMBEDDED-CREATE.sql | 16 +- .../resources/Ambari-DDL-SQLAnywhere-CREATE.sql | 16 +- .../resources/Ambari-DDL-SQLServer-CREATE.sql | 16 +- .../AlertDefinitionResourceProviderTest.java | 253 ++++++++++-- .../AlertGroupResourceProviderTest.java | 402 ++++++++++++++---- .../AlertHistoryResourceProviderTest.java | 146 ++++++- .../AlertNoticeResourceProviderTest.java | 145 ++++++- .../internal/AlertResourceProviderTest.java | 213 ++++++++-- .../AlertTargetResourceProviderTest.java | 341 +++++++++++++++- .../security/TestAuthenticationFactory.java | 1 + 25 files changed, 2058 insertions(+), 276 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java index d47d8d3..d2f0bc9 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java @@ -83,8 +83,32 @@ public abstract class AbstractControllerResourceProvider extends AbstractAuthori * @return the resource id or null if not found * @throws AmbariException if the named cluster does not exist */ + protected Long getClusterId(String clusterName) throws AmbariException { + Cluster cluster = (clusterName == null) ? null : managementController.getClusters().getCluster(clusterName); + return (cluster == null) ? null : cluster.getClusterId(); + } + + /** + * Gets the resource id for the named cluster + * + * @param clusterName the name of the relevant cluster + * @return the resource id or null if not found + * @throws AmbariException if the named cluster does not exist + */ protected Long getClusterResourceId(String clusterName) throws AmbariException { - Cluster cluster = managementController.getClusters().getCluster(clusterName); + Cluster cluster = (clusterName == null) ? null : managementController.getClusters().getCluster(clusterName); + return (cluster == null) ? null : cluster.getResourceId(); + } + + /** + * Gets the resource id for the cluster with the specified id + * + * @param clusterId the id of the relevant cluster + * @return the resource id or null if not found + * @throws AmbariException if the cluster does not exist + */ + protected Long getClusterResourceId(Long clusterId) throws AmbariException { + Cluster cluster = (clusterId == null) ? null : managementController.getClusters().getClusterById(clusterId); return (cluster == null) ? null : cluster.getResourceId(); } http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertDefinitionResourceProvider.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertDefinitionResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertDefinitionResourceProvider.java index bc5f956..263a7b8 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertDefinitionResourceProvider.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertDefinitionResourceProvider.java @@ -1,4 +1,4 @@ -/** +/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information @@ -50,6 +50,7 @@ import org.apache.ambari.server.events.AlertHashInvalidationEvent; import org.apache.ambari.server.events.publishers.AmbariEventPublisher; import org.apache.ambari.server.orm.dao.AlertDefinitionDAO; import org.apache.ambari.server.orm.entities.AlertDefinitionEntity; +import org.apache.ambari.server.security.authorization.AuthorizationException; import org.apache.ambari.server.state.Cluster; import org.apache.ambari.server.state.Clusters; import org.apache.ambari.server.state.alert.AlertDefinition; @@ -174,7 +175,7 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP createResources(new Command<Void>() { @Override - public Void invoke() throws AmbariException { + public Void invoke() throws AmbariException, AuthorizationException { createAlertDefinitions(request.getProperties()); return null; } @@ -185,7 +186,7 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP } private void createAlertDefinitions(Set<Map<String, Object>> requestMaps) - throws AmbariException { + throws AmbariException, AuthorizationException { List<AlertDefinitionEntity> entities = new ArrayList<AlertDefinitionEntity>(); String clusterName = null; @@ -235,6 +236,7 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP if (null != id) { AlertDefinitionEntity entity = alertDefinitionDAO.findById(Long.parseLong(id)); if (null != entity) { + AlertResourceProviderUtils.verifyViewAuthorization(entity); results.add(toResource(clusterName, entity, requestPropertyIds)); } } else { @@ -245,11 +247,21 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP throw new NoSuchResourceException("Parent Cluster resource doesn't exist", e); } - List<AlertDefinitionEntity> entities = alertDefinitionDAO.findAll( - cluster.getClusterId()); + List<AlertDefinitionEntity> entities = alertDefinitionDAO.findAll(cluster.getClusterId()); + + // Any service name that is not empty or equal to "AMBARI" indicates a service-level alert + boolean serviceLevelAuthorization = AlertResourceProviderUtils.hasViewAuthorization("_SERVICE_NAME_", cluster.getResourceId()); + boolean clusterLevelAuthorization = AlertResourceProviderUtils.hasViewAuthorization("", cluster.getResourceId()); for (AlertDefinitionEntity entity : entities) { - results.add(toResource(clusterName, entity, requestPropertyIds)); + String serviceName = entity.getServiceName(); + + // Include the alert in the results if the authenticated user is authorized to get it + if((StringUtils.isEmpty(serviceName) || "AMBARI".equals(serviceName)) + ? clusterLevelAuthorization + : serviceLevelAuthorization) { + results.add(toResource(clusterName, entity, requestPropertyIds)); + } } } } @@ -345,6 +357,8 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP final AlertDefinitionEntity entity = alertDefinitionDAO.findById(definitionId.longValue()); + AlertResourceProviderUtils.verifyManageAuthorization(entity); + modifyResources(new Command<Void>() { @Override public Void invoke() throws AmbariException { @@ -382,7 +396,7 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP * @throws AmbariException */ private void populateEntity(AlertDefinitionEntity entity, - Map<String, Object> requestMap) throws AmbariException { + Map<String, Object> requestMap) throws AmbariException, AuthorizationException { // some fields are required on creation; on update we keep what's there boolean bCreate = true; @@ -509,56 +523,80 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP throw new IllegalArgumentException("Source must be specified"); } - Cluster cluster = getManagementController().getClusters().getCluster( - clusterName); + Clusters clusters = getManagementController().getClusters(); + Cluster cluster = clusters.getCluster(clusterName); + Long clusterId = cluster.getClusterId(); + + boolean managed = false; + boolean toggled = false; // at this point, we have either validated all required properties or // we are using the exiting entity properties where not defined, so we // can do simply null checks - entity.setClusterId(Long.valueOf(cluster.getClusterId())); + if (!clusterId.equals(entity.getClusterId())) { + entity.setClusterId(clusterId); + managed = true; + } - if (null != componentName) { + if ((null != componentName) && !componentName.equals(entity.getComponentName())) { entity.setComponentName(componentName); + managed = true; } - if (null != definitionName) { + if ((null != definitionName) && !definitionName.equals(entity.getDefinitionName())) { entity.setDefinitionName(definitionName); + managed = true; } - if (null != label) { + if ((null != label) && !label.equals(entity.getLabel())) { entity.setLabel(label); + managed = true; } - if (null != description) { + if ((null != description) && !description.equals(entity.getDescription())) { entity.setDescription(description); + managed = true; } - if (null != enabled) { - entity.setEnabled(enabled.booleanValue()); + if ((null != enabled) && !enabled.equals(entity.getEnabled())) { + entity.setEnabled(enabled); + toggled = true; } - if (null != ignoreHost) { - entity.setHostIgnored(ignoreHost.booleanValue()); + if ((null != ignoreHost) && !ignoreHost.equals(entity.isHostIgnored())) { + entity.setHostIgnored(ignoreHost); + managed = true; } - if (null != interval) { + if ((null != interval) && !interval.equals(entity.getScheduleInterval())) { entity.setScheduleInterval(interval); + managed = true; } - if (null != serviceName) { + if ((null != serviceName) && !serviceName.equals(entity.getServiceName())) { entity.setServiceName(serviceName); + managed = true; } - if (null != sourceType) { + if ((null != sourceType) && !sourceType.equals(entity.getSourceType())) { entity.setSourceType(sourceType); + managed = true; } if (null != source) { entity.setSource(source.toString()); + managed = true; } - if (null != scope) { + if ((null != scope) && !scope.equals(entity.getScope())) { entity.setScope(scope); + managed = true; + } + + if (managed) { + AlertResourceProviderUtils.verifyManageAuthorization(entity); + } else if (toggled) { + AlertResourceProviderUtils.verifyToggleAuthorization(entity); } entity.setHash(UUID.randomUUID().toString()); @@ -677,7 +715,7 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP * * @param propertyMap */ - private void scheduleImmediateAlert(Map<String, Object> propertyMap) { + private void scheduleImmediateAlert(Map<String, Object> propertyMap) throws AuthorizationException { Clusters clusters = getManagementController().getClusters(); String stringId = (String) propertyMap.get(ALERT_DEF_ID); long id = Long.parseLong(stringId); @@ -697,6 +735,8 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP return; } + AlertResourceProviderUtils.verifyExecuteAuthorization(entity); + Set<String> hostNames = alertDefinitionHash.getAssociatedHosts(cluster, entity.getSourceType(), entity.getDefinitionName(), entity.getServiceName(), http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertGroupResourceProvider.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertGroupResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertGroupResourceProvider.java index 215bc8e..36469c1 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertGroupResourceProvider.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertGroupResourceProvider.java @@ -1,4 +1,4 @@ -/** +/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information @@ -45,6 +45,7 @@ import org.apache.ambari.server.orm.dao.AlertDispatchDAO; import org.apache.ambari.server.orm.entities.AlertDefinitionEntity; import org.apache.ambari.server.orm.entities.AlertGroupEntity; import org.apache.ambari.server.orm.entities.AlertTargetEntity; +import org.apache.ambari.server.security.authorization.AuthorizationException; import org.apache.ambari.server.state.Cluster; import org.apache.ambari.server.state.alert.AlertTarget; import org.apache.commons.lang.StringUtils; @@ -124,7 +125,7 @@ public class AlertGroupResourceProvider extends createResources(new Command<Void>() { @Override - public Void invoke() throws AmbariException { + public Void invoke() throws AmbariException, AuthorizationException { createAlertGroups(request.getProperties()); return null; } @@ -153,6 +154,11 @@ public class AlertGroupResourceProvider extends if (null != id) { AlertGroupEntity entity = s_dao.findGroupById(Long.parseLong(id)); if (null != entity) { + try { + AlertResourceProviderUtils.verifyViewAuthorization(entity, getClusterResourceId(entity.getClusterId())); + } catch (AmbariException e) { + throw new SystemException(e.getMessage(), e); + } results.add(toResource(clusterName, entity, requestPropertyIds)); } } else { @@ -167,7 +173,13 @@ public class AlertGroupResourceProvider extends List<AlertGroupEntity> entities = s_dao.findAllGroups(cluster.getClusterId()); for (AlertGroupEntity entity : entities) { - results.add(toResource(clusterName, entity, requestPropertyIds)); + try { + if (AlertResourceProviderUtils.hasViewAuthorization(entity, getClusterResourceId(entity.getClusterId()))) { + results.add(toResource(clusterName, entity, requestPropertyIds)); + } + } catch (AmbariException e) { + throw new SystemException(e.getMessage(), e); + } } } } @@ -183,7 +195,7 @@ public class AlertGroupResourceProvider extends modifyResources(new Command<Void>() { @Override - public Void invoke() throws AmbariException { + public Void invoke() throws AmbariException, AuthorizationException { updateAlertGroups(request.getProperties()); return null; } @@ -201,17 +213,25 @@ public class AlertGroupResourceProvider extends Set<Resource> resources = getResources(new RequestImpl(null, null, null, null), predicate); - Set<Long> groupIds = new HashSet<Long>(); + Map<Long, AlertGroupEntity> entities = new HashMap<Long, AlertGroupEntity>(); for (final Resource resource : resources) { Long id = (Long) resource.getPropertyValue(ALERT_GROUP_ID); - groupIds.add(id); + if (!entities.containsKey(id)) { + AlertGroupEntity entity = s_dao.findGroupById(id); + + try { + AlertResourceProviderUtils.verifyManageAuthorization(entity, getClusterResourceId(entity.getClusterId())); + entities.put(id, entity); + } catch (AmbariException e) { + LOG.warn("The default alert group for {} cannot be removed", entity.getServiceName(), e); + } + } } - for (Long groupId : groupIds) { - LOG.info("Deleting alert target {}", groupId); + for (final AlertGroupEntity entity : entities.values()) { + LOG.info("Deleting alert group {}", entity.getGroupId()); - final AlertGroupEntity entity = s_dao.findGroupById(groupId.longValue()); if (entity.isDefault()) { // default groups cannot be removed LOG.warn("The default alert group for {} cannot be removed", @@ -246,7 +266,7 @@ public class AlertGroupResourceProvider extends */ @SuppressWarnings("unchecked") private void createAlertGroups(Set<Map<String, Object>> requestMaps) - throws AmbariException { + throws AmbariException, AuthorizationException { List<AlertGroupEntity> entities = new ArrayList<AlertGroupEntity>(); for (Map<String, Object> requestMap : requestMaps) { @@ -290,6 +310,8 @@ public class AlertGroupResourceProvider extends entity.setAlertDefinitions(definitions); } + AlertResourceProviderUtils.verifyManageAuthorization(entity, cluster.getResourceId()); + entities.add(entity); } @@ -306,7 +328,7 @@ public class AlertGroupResourceProvider extends */ @SuppressWarnings("unchecked") private void updateAlertGroups(Set<Map<String, Object>> requestMaps) - throws AmbariException { + throws AmbariException, AuthorizationException { for (Map<String, Object> requestMap : requestMaps) { String stringId = (String) requestMap.get(ALERT_GROUP_ID); @@ -323,6 +345,8 @@ public class AlertGroupResourceProvider extends throw new AmbariException(message); } + AlertResourceProviderUtils.verifyManageAuthorization(entity, getClusterResourceId(entity.getClusterId())); + String name = (String) requestMap.get(ALERT_GROUP_NAME); // empty arrays are deserialized as HashSet while populated arrays http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertHistoryResourceProvider.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertHistoryResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertHistoryResourceProvider.java index 89ee69a..f52ee62 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertHistoryResourceProvider.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertHistoryResourceProvider.java @@ -18,6 +18,7 @@ package org.apache.ambari.server.controller.internal; import java.util.Arrays; +import java.util.EnumSet; import java.util.HashMap; import java.util.HashSet; import java.util.LinkedHashSet; @@ -25,6 +26,7 @@ import java.util.List; import java.util.Map; import java.util.Set; +import org.apache.ambari.server.AmbariException; import org.apache.ambari.server.StaticallyInject; import org.apache.ambari.server.controller.AlertHistoryRequest; import org.apache.ambari.server.controller.AmbariManagementController; @@ -39,12 +41,18 @@ import org.apache.ambari.server.controller.spi.Resource; import org.apache.ambari.server.controller.spi.ResourceAlreadyExistsException; import org.apache.ambari.server.controller.spi.SystemException; import org.apache.ambari.server.controller.spi.UnsupportedPropertyException; +import org.apache.ambari.server.orm.dao.AlertDefinitionDAO; import org.apache.ambari.server.orm.dao.AlertsDAO; import org.apache.ambari.server.orm.entities.AlertDefinitionEntity; import org.apache.ambari.server.orm.entities.AlertHistoryEntity; import org.apache.ambari.server.orm.entities.ClusterEntity; import com.google.inject.Inject; +import org.apache.ambari.server.security.authorization.AuthorizationHelper; +import org.apache.ambari.server.security.authorization.ResourceType; +import org.apache.ambari.server.security.authorization.RoleAuthorization; +import org.apache.commons.lang.StringUtils; +import sun.net.www.protocol.http.AuthenticationHeader; /** * ResourceProvider for Alert History @@ -75,6 +83,9 @@ public class AlertHistoryResourceProvider extends ReadOnlyResourceProvider imple @Inject private static AlertsDAO s_dao = null; + @Inject + private static AlertDefinitionDAO alertDefinitionDAO = null; + /** * The property ids for an alert history resource. */ @@ -161,6 +172,38 @@ public class AlertHistoryResourceProvider extends ReadOnlyResourceProvider imple throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException { + // Verify authorization to retrieve the requested data + Set<Map<String, Object>> propertyMaps = getPropertyMaps(predicate); + for(Map<String, Object> propertyMap: propertyMaps) { + try { + String clusterName = (String) propertyMap.get(ALERT_HISTORY_CLUSTER_NAME); + Long clusterId = (StringUtils.isEmpty(clusterName)) ? null : getClusterId(clusterName); + String definitionName = (String) propertyMap.get(ALERT_HISTORY_DEFINITION_NAME); + String definitionId = (String) propertyMap.get(ALERT_HISTORY_DEFINITION_ID); + + if(clusterId == null) { + // Make sure the user has administrative access by using -1 as the cluster id + AlertResourceProviderUtils.verifyViewAuthorization("", -1L); + } + else if(!StringUtils.isEmpty(definitionName)) { + // Make sure the user has access to the alert + AlertDefinitionEntity alertDefinition = alertDefinitionDAO.findByName(clusterId, definitionName); + AlertResourceProviderUtils.verifyViewAuthorization(alertDefinition); + } + else if(StringUtils.isNumeric(definitionId)) { + // Make sure the user has access to the alert + AlertDefinitionEntity alertDefinition = alertDefinitionDAO.findById(Long.valueOf(definitionId)); + AlertResourceProviderUtils.verifyViewAuthorization(alertDefinition); + } + else { + // Make sure the user has the ability to view cluster-level alerts + AlertResourceProviderUtils.verifyViewAuthorization("", getClusterResourceId(clusterName)); + } + } catch (AmbariException e) { + throw new SystemException(e.getMessage(), e); + } + } + Set<Resource> results = new LinkedHashSet<Resource>(); Set<String> requestPropertyIds = getRequestPropertyIds(request, predicate); http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertNoticeResourceProvider.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertNoticeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertNoticeResourceProvider.java index 8f0e526..f19bea9 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertNoticeResourceProvider.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertNoticeResourceProvider.java @@ -18,6 +18,7 @@ package org.apache.ambari.server.controller.internal; import java.util.Arrays; +import java.util.EnumSet; import java.util.HashMap; import java.util.HashSet; import java.util.LinkedHashSet; @@ -25,8 +26,10 @@ import java.util.List; import java.util.Map; import java.util.Set; +import org.apache.ambari.server.AmbariException; import org.apache.ambari.server.StaticallyInject; import org.apache.ambari.server.controller.AlertNoticeRequest; +import org.apache.ambari.server.controller.AmbariManagementController; import org.apache.ambari.server.controller.spi.ExtendedResourceProvider; import org.apache.ambari.server.controller.spi.NoSuchParentResourceException; import org.apache.ambari.server.controller.spi.NoSuchResourceException; @@ -46,12 +49,16 @@ import org.apache.ambari.server.orm.entities.AlertTargetEntity; import org.apache.ambari.server.orm.entities.ClusterEntity; import com.google.inject.Inject; +import org.apache.ambari.server.security.authorization.AuthorizationHelper; +import org.apache.ambari.server.security.authorization.ResourceType; +import org.apache.ambari.server.security.authorization.RoleAuthorization; +import org.apache.commons.lang.StringUtils; /** * ResourceProvider for Alert History */ @StaticallyInject -public class AlertNoticeResourceProvider extends AbstractResourceProvider implements ExtendedResourceProvider { +public class AlertNoticeResourceProvider extends AbstractControllerResourceProvider implements ExtendedResourceProvider { public static final String ALERT_NOTICE_ID = "AlertNotice/id"; public static final String ALERT_NOTICE_STATE = "AlertNotice/notification_state"; @@ -101,8 +108,8 @@ public class AlertNoticeResourceProvider extends AbstractResourceProvider implem /** * Constructor. */ - AlertNoticeResourceProvider() { - super(PROPERTY_IDS, KEY_PROPERTY_IDS); + AlertNoticeResourceProvider(AmbariManagementController managementController) { + super(PROPERTY_IDS, KEY_PROPERTY_IDS, managementController); } /** @@ -151,6 +158,26 @@ public class AlertNoticeResourceProvider extends AbstractResourceProvider implem throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException { + // Verify authorization to retrieve the requested data + Set<Map<String, Object>> propertyMaps = getPropertyMaps(predicate); + for (Map<String, Object> propertyMap : propertyMaps) { + try { + String clusterName = (String) propertyMap.get(ALERT_NOTICE_CLUSTER_NAME); + Long clusterResourceId = (StringUtils.isEmpty(clusterName)) ? null : getClusterResourceId(clusterName); + String serviceName = (String) propertyMap.get(ALERT_NOTICE_SERVICE_NAME); + + if (clusterResourceId == null) { + // Make sure the user had administrative access by using -1 as the cluster id + clusterResourceId = -1L; + } + + // Make sure the user had access to the alert + AlertResourceProviderUtils.verifyViewAuthorization(serviceName, clusterResourceId); + } catch (AmbariException e) { + throw new SystemException(e.getMessage(), e); + } + } + Set<String> requestPropertyIds = getRequestPropertyIds(request, predicate); Set<Resource> results = new LinkedHashSet<Resource>(); http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProvider.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProvider.java index 4dc4dcf..0492860 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProvider.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProvider.java @@ -25,6 +25,7 @@ import java.util.List; import java.util.Map; import java.util.Set; +import org.apache.ambari.server.AmbariException; import org.apache.ambari.server.StaticallyInject; import org.apache.ambari.server.controller.AlertCurrentRequest; import org.apache.ambari.server.controller.AmbariManagementController; @@ -37,12 +38,14 @@ import org.apache.ambari.server.controller.spi.Request; import org.apache.ambari.server.controller.spi.Resource; import org.apache.ambari.server.controller.spi.SystemException; import org.apache.ambari.server.controller.spi.UnsupportedPropertyException; +import org.apache.ambari.server.orm.dao.AlertDefinitionDAO; import org.apache.ambari.server.orm.dao.AlertsDAO; import org.apache.ambari.server.orm.entities.AlertCurrentEntity; import org.apache.ambari.server.orm.entities.AlertDefinitionEntity; import org.apache.ambari.server.orm.entities.AlertHistoryEntity; import com.google.inject.Inject; +import org.apache.commons.lang.StringUtils; /** * ResourceProvider for Alert instances @@ -75,6 +78,9 @@ public class AlertResourceProvider extends ReadOnlyResourceProvider implements @Inject private static AlertsDAO alertsDAO; + @Inject + private static AlertDefinitionDAO alertDefinitionDAO = null; + /** * The property ids for an alert defintion resource. */ @@ -159,17 +165,46 @@ public class AlertResourceProvider extends ReadOnlyResourceProvider implements AlertCurrentEntity entity = alertsDAO.findCurrentById(Long.parseLong(id)); if (null != entity) { + AlertResourceProviderUtils.verifyViewAuthorization(entity); results.add(toResource(false, clusterName, entity, requestPropertyIds)); } } else { + // Verify authorization to retrieve the requested data + try { + Long clusterId = (StringUtils.isEmpty(clusterName)) ? null : getClusterId(clusterName); + String definitionName = (String) propertyMap.get(ALERT_DEFINITION_NAME); + String definitionId = (String) propertyMap.get(ALERT_DEFINITION_ID); + + if(clusterId == null) { + // Make sure the user has administrative access by using -1 as the cluster id + AlertResourceProviderUtils.verifyViewAuthorization("", -1L); + } + else if(!StringUtils.isEmpty(definitionName)) { + // Make sure the user has access to the alert + AlertDefinitionEntity alertDefinition = alertDefinitionDAO.findByName(clusterId, definitionName); + AlertResourceProviderUtils.verifyViewAuthorization(alertDefinition); + } + else if(StringUtils.isNumeric(definitionId)) { + // Make sure the user has access to the alert + AlertDefinitionEntity alertDefinition = alertDefinitionDAO.findById(Long.valueOf(definitionId)); + AlertResourceProviderUtils.verifyViewAuthorization(alertDefinition); + } + else { + // Make sure the user has the ability to view cluster-level alerts + AlertResourceProviderUtils.verifyViewAuthorization("", getClusterResourceId(clusterName)); + } + } catch (AmbariException e) { + throw new SystemException(e.getMessage(), e); + } + List<AlertCurrentEntity> entities = null; - AlertCurrentRequest alertCurrentRequest = new AlertCurrentRequest(); - alertCurrentRequest.Predicate = predicate; - alertCurrentRequest.Pagination = request.getPageRequest(); - alertCurrentRequest.Sort = request.getSortRequest(); + AlertCurrentRequest alertCurrentRequest = new AlertCurrentRequest(); + alertCurrentRequest.Predicate = predicate; + alertCurrentRequest.Pagination = request.getPageRequest(); + alertCurrentRequest.Sort = request.getSortRequest(); - entities = alertsDAO.findAll(alertCurrentRequest); + entities = alertsDAO.findAll(alertCurrentRequest); if (null == entities) { entities = Collections.emptyList(); http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProviderUtils.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProviderUtils.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProviderUtils.java new file mode 100644 index 0000000..3fac049 --- /dev/null +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProviderUtils.java @@ -0,0 +1,403 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.ambari.server.controller.internal; + +import org.apache.ambari.server.orm.entities.AlertCurrentEntity; +import org.apache.ambari.server.orm.entities.AlertDefinitionEntity; +import org.apache.ambari.server.orm.entities.AlertGroupEntity; +import org.apache.ambari.server.orm.entities.AlertHistoryEntity; +import org.apache.ambari.server.orm.entities.ClusterEntity; +import org.apache.ambari.server.orm.entities.ResourceEntity; +import org.apache.ambari.server.security.authorization.AuthorizationException; +import org.apache.ambari.server.security.authorization.AuthorizationHelper; +import org.apache.ambari.server.security.authorization.ResourceType; +import org.apache.ambari.server.security.authorization.RoleAuthorization; +import org.apache.commons.lang.StringUtils; + +import java.util.EnumSet; +import java.util.Set; + +/** + * AlertResourceProviderUtils provides utility methods used to help perform tasks within alert-specific + * resource providers. + */ +public class AlertResourceProviderUtils { + + /** + * A set of RoleAuthorizations where one is required in order to be authorized to view + * cluster-level alerts + */ + private static final Set<RoleAuthorization> AUTHORIZATIONS_VIEW_CLUSTER_ALERTS = EnumSet.of( + RoleAuthorization.CLUSTER_VIEW_ALERTS, + RoleAuthorization.CLUSTER_TOGGLE_ALERTS, + RoleAuthorization.CLUSTER_MANAGE_ALERTS); + + /** + * A set of RoleAuthorizations where one is required in order to be authorized to view + * service-level alerts + */ + private static final Set<RoleAuthorization> AUTHORIZATIONS_VIEW_SERVICE_ALERTS = EnumSet.of( + RoleAuthorization.CLUSTER_VIEW_ALERTS, + RoleAuthorization.CLUSTER_TOGGLE_ALERTS, + RoleAuthorization.CLUSTER_MANAGE_ALERTS, + RoleAuthorization.SERVICE_VIEW_ALERTS, + RoleAuthorization.SERVICE_TOGGLE_ALERTS, + RoleAuthorization.SERVICE_MANAGE_ALERTS); + + /** + * A set of RoleAuthorizations where one is required in order to be authorized to execute + * cluster-level alerts + */ + private static final Set<RoleAuthorization> AUTHORIZATIONS_EXECUTE_CLUSTER_ALERTS = AUTHORIZATIONS_VIEW_CLUSTER_ALERTS; + + /** + * A set of RoleAuthorizations where one is required in order to be authorized to execute + * service-level alerts + */ + private static final Set<RoleAuthorization> AUTHORIZATIONS_EXECUTE_SERVICE_ALERTS = AUTHORIZATIONS_VIEW_SERVICE_ALERTS; + + /** + * A set of RoleAuthorizations where one is required in order to be authorized to toggle + * cluster-level alerts + */ + private static final Set<RoleAuthorization> AUTHORIZATIONS_TOGGLE_CLUSTER_ALERTS = EnumSet.of( + RoleAuthorization.CLUSTER_TOGGLE_ALERTS, + RoleAuthorization.CLUSTER_MANAGE_ALERTS); + + /** + * A set of RoleAuthorizations where one is required in order to be authorized to toggle + * service-level alerts + */ + private static final Set<RoleAuthorization> AUTHORIZATIONS_TOGGLE_SERVICE_ALERTS = EnumSet.of( + RoleAuthorization.CLUSTER_TOGGLE_ALERTS, + RoleAuthorization.CLUSTER_MANAGE_ALERTS, + RoleAuthorization.SERVICE_TOGGLE_ALERTS, + RoleAuthorization.SERVICE_MANAGE_ALERTS); + + /** + * A set of RoleAuthorizations where one is required in order to be authorized to create, update, + * and delete cluster-level alerts + */ + private static final Set<RoleAuthorization> AUTHORIZATIONS_MANAGE_CLUSTER_ALERTS = EnumSet.of( + RoleAuthorization.CLUSTER_MANAGE_ALERTS); + + /** + * A set of RoleAuthorizations where one is required in order to be authorized to create, update, + * and delete service-level alerts + */ + private static final Set<RoleAuthorization> AUTHORIZATIONS_MANAGE_SERVICE_ALERTS = EnumSet.of( + RoleAuthorization.CLUSTER_MANAGE_ALERTS, + RoleAuthorization.SERVICE_MANAGE_ALERTS); + + + /* ------------------------------------------------------------------------------------------ + * Checks for VIEWING Alerts + * ------------------------------------------------------------------------------------------ */ + + /** + * Tests if the authenticated user is authorized to view the requested alert data + * + * @param entity an AlertGroupEntity + * @param clusterResourceId the resource id of the relevant cluster + * @return true if the authenticated user is authorized; otherwise false + */ + public static boolean hasViewAuthorization(AlertGroupEntity entity, Long clusterResourceId) { + return (null != entity) && + hasViewAuthorization(entity.getServiceName(), clusterResourceId); + } + + /** + * Tests if the authenticated user is authorized to view service- or cluster-level alert data + * + * @param serviceName the name of the relevant service - null or empty indicates a cluster-level alert + * @param clusterResourceId the resource id of the relevant cluster + * @return true if the authenticated user is authorized; otherwise false + */ + public static boolean hasViewAuthorization(String serviceName, Long clusterResourceId) { + return hasAuthorization(serviceName, clusterResourceId, + AUTHORIZATIONS_VIEW_CLUSTER_ALERTS, AUTHORIZATIONS_VIEW_SERVICE_ALERTS); + } + + /** + * Tests if the authenticated user is authorized to view service- or cluster-level alert data. + * An authorization failure results in a thrown {@link AuthorizationException}. + * + * @param entity an AlertCurrentEntity + * @throws AuthorizationException if the authenticated user is not authorized + */ + public static void verifyViewAuthorization(AlertCurrentEntity entity) + throws AuthorizationException { + if (entity != null) { + verifyViewAuthorization(entity.getAlertHistory()); + } + } + + /** + * Tests if the authenticated user is authorized to view service- or cluster-level alert data. + * An authorization failure results in a thrown {@link AuthorizationException}. + * + * @param entity an AlertHistoryEntity + * @throws AuthorizationException if the authenticated user is not authorized + */ + public static void verifyViewAuthorization(AlertHistoryEntity entity) + throws AuthorizationException { + if (entity != null) { + verifyViewAuthorization(entity.getAlertDefinition()); + } + } + + /** + * Tests if the authenticated user is authorized to view service- or cluster-level alert data. + * An authorization failure results in a thrown {@link AuthorizationException}. + * + * @param entity an AlertGroupEntity + * @param clusterResourceId the resource id of the relevant cluster + * @throws AuthorizationException if the authenticated user is not authorized + */ + public static void verifyViewAuthorization(AlertGroupEntity entity, Long clusterResourceId) + throws AuthorizationException { + if (entity != null) { + verifyViewAuthorization(entity.getServiceName(), clusterResourceId); + } + } + + /** + * Tests if the authenticated user is authorized to view service- or cluster-level alert data. + * An authorization failure results in a thrown {@link AuthorizationException}. + * + * @param entity an AlertDefinitionEntity + * @throws AuthorizationException if the authenticated user is not authorized + */ + public static void verifyViewAuthorization(AlertDefinitionEntity entity) throws AuthorizationException { + verifyAuthorization(entity, AUTHORIZATIONS_VIEW_CLUSTER_ALERTS, AUTHORIZATIONS_VIEW_SERVICE_ALERTS, "view"); + } + + /** + * Tests if the authenticated user is authorized to view service- or cluster-level alert data. + * An authorization failure results in a thrown {@link AuthorizationException}. + * + * @param serviceName the name of the relevant service - null or empty indicates a cluster-level alert + * @param clusterResourceId the resource id of the relevant cluster + * @throws AuthorizationException if the authenticated user is not authorized + */ + public static void verifyViewAuthorization(String serviceName, Long clusterResourceId) throws AuthorizationException { + verifyAuthorization(serviceName, clusterResourceId, AUTHORIZATIONS_VIEW_CLUSTER_ALERTS, AUTHORIZATIONS_VIEW_SERVICE_ALERTS, "view"); + } + + + /* ------------------------------------------------------------------------------------------ + * Checks for EXECUTING Alerts + * ------------------------------------------------------------------------------------------ */ + + /** + * Tests if the authenticated user is authorized to execute service- or cluster-level alert data. + * An authorization failure results in a thrown {@link AuthorizationException}. + * + * @param entity an AlertDefinitionEntity + * @throws AuthorizationException if the authenticated user is not authorized + */ + public static void verifyExecuteAuthorization(AlertDefinitionEntity entity) throws AuthorizationException { + verifyAuthorization(entity, AUTHORIZATIONS_EXECUTE_CLUSTER_ALERTS, AUTHORIZATIONS_EXECUTE_SERVICE_ALERTS, "execute"); + } + + /** + * Tests if the authenticated user is authorized to execute service- or cluster-level alert data. + * An authorization failure results in a thrown {@link AuthorizationException}. + * + * @param serviceName the name of the relevant service - null or empty indicates a cluster-level alert + * @param clusterResourceId the resource id of the relevant cluster + * @throws AuthorizationException if the authenticated user is not authorized + */ + public static void verifyExecuteAuthorization(String serviceName, Long clusterResourceId) throws AuthorizationException { + verifyAuthorization(serviceName, clusterResourceId, AUTHORIZATIONS_EXECUTE_CLUSTER_ALERTS, AUTHORIZATIONS_EXECUTE_SERVICE_ALERTS, "execute"); + } + + + /* ------------------------------------------------------------------------------------------ + * Checks for TOGGLING Alerts + * ------------------------------------------------------------------------------------------ */ + + /** + * Tests if the authenticated user is authorized to toggle service- or cluster-level alert data. + * An authorization failure results in a thrown {@link AuthorizationException}. + * + * @param entity an AlertDefinitionEntity + * @throws AuthorizationException if the authenticated user is not authorized + */ + public static void verifyToggleAuthorization(AlertDefinitionEntity entity) throws AuthorizationException { + verifyAuthorization(entity, AUTHORIZATIONS_TOGGLE_CLUSTER_ALERTS, AUTHORIZATIONS_TOGGLE_SERVICE_ALERTS, "execute"); + } + + /** + * Tests if the authenticated user is authorized to toggle service- or cluster-level alert data. + * An authorization failure results in a thrown {@link AuthorizationException}. + * + * @param serviceName the name of the relevant service - null or empty indicates a cluster-level alert + * @param clusterResourceId the resource id of the relevant cluster + * @throws AuthorizationException if the authenticated user is not authorized + */ + public static void verifyToggleAuthorization(String serviceName, Long clusterResourceId) throws AuthorizationException { + verifyAuthorization(serviceName, clusterResourceId, AUTHORIZATIONS_TOGGLE_CLUSTER_ALERTS, AUTHORIZATIONS_TOGGLE_SERVICE_ALERTS, "execute"); + } + + + /* ------------------------------------------------------------------------------------------ + * Checks for MANAGING Alerts + * ------------------------------------------------------------------------------------------ */ + + /** + * Tests if the authenticated user is authorized to manage service- or cluster-level alert data. + * An authorization failure results in a thrown {@link AuthorizationException}. + * + * @param entity an AlertGroupEntity + * @param clusterResourceId the resource id of the relevant cluster + * @throws AuthorizationException if the authenticated user is not authorized + */ + public static void verifyManageAuthorization(AlertGroupEntity entity, Long clusterResourceId) throws AuthorizationException { + if (entity != null) { + verifyManageAuthorization(entity.getServiceName(), clusterResourceId); + } + } + + /** + * Tests if the authenticated user is authorized to manage service- or cluster-level alert data. + * An authorization failure results in a thrown {@link AuthorizationException}. + * + * @param entity an AlertDefinitionEntity + * @throws AuthorizationException if the authenticated user is not authorized + */ + public static void verifyManageAuthorization(AlertDefinitionEntity entity) throws AuthorizationException { + verifyAuthorization(entity, AUTHORIZATIONS_MANAGE_CLUSTER_ALERTS, AUTHORIZATIONS_MANAGE_SERVICE_ALERTS, "manage"); + } + + /** + * Tests if the authenticated user is authorized to manage service- or cluster-level alert data. + * An authorization failure results in a thrown {@link AuthorizationException}. + * + * @param serviceName the name of the relevant service - null or empty indicates a cluster-level alert + * @param clusterResourceId the resource id of the relevant cluster + * @throws AuthorizationException if the authenticated user is not authorized + */ + public static void verifyManageAuthorization(String serviceName, Long clusterResourceId) throws AuthorizationException { + verifyAuthorization(serviceName, clusterResourceId, AUTHORIZATIONS_MANAGE_CLUSTER_ALERTS, AUTHORIZATIONS_MANAGE_SERVICE_ALERTS, "manage"); + } + + + /* ------------------------------------------------------------------------------------------ + * Generic checks + * ------------------------------------------------------------------------------------------ */ + + /** + * Tests if the authenticated user is authorized to for either service- or cluster-level access to + * alert data. + * <p/> + * If the service name is null or empty, the alert is considered to be a cluster-level alert, + * else it is considered to be a service-level alert. + * <p/> + * If the clusterResourceId is null, no cluster is assume and the alert is considered to be an + * Ambari-level alert. + * + * @param serviceName the name of the relevant service - null or empty indicates a cluster-level alert + * @param clusterResourceId the resource id of the relevant cluster + * @param clusterLevelAuthorizations the set of cluster-level authorizations to check for + * @param serviceLevelAuthorizations the set of service-level authorizations to check for + * @return true if the authenticated user is authorized; otherwise false + */ + public static boolean hasAuthorization(String serviceName, Long clusterResourceId, + Set<RoleAuthorization> clusterLevelAuthorizations, + Set<RoleAuthorization> serviceLevelAuthorizations) { + if (null == clusterResourceId) { + // Do not let clusterResourceId be null because that indicates we don't care about which cluster + // we are checking authorization for, but we do. Setting this to -1 ensures that no cluster + // will match will will give only Ambari administrators access to this. + clusterResourceId = -1L; + } + + return AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, clusterResourceId, + (StringUtils.isEmpty(serviceName) || "AMBARI".equals(serviceName)) + ? clusterLevelAuthorizations + : serviceLevelAuthorizations); + } + + /** + * Tests if the authenticated user is authorized to for either service- or cluster-level access to + * alert data. An authorization failure results in a thrown {@link AuthorizationException}. + * <p/> + * If the service name from the AlertDefinitionEntity is null or empty, the alert is considered to + * be a cluster-level alert, else it is considered to be a service-level alert. + * + * @param entity an AlertDefinitionEntity + * @param clusterLevelAuthorizations the set of cluster-level authorizations to check for + * @param serviceLevelAuthorizations the set of service-level authorizations to check for + * @param operation the name of the operation being tested for (used in error and logging messages) + * @throws AuthorizationException if the authenticated user is not authorized + * @see #verifyAuthorization(String, Long, Set, Set, String) + */ + public static void verifyAuthorization(AlertDefinitionEntity entity, + Set<RoleAuthorization> clusterLevelAuthorizations, + Set<RoleAuthorization> serviceLevelAuthorizations, + String operation) throws AuthorizationException { + ClusterEntity clusterEntity = (null == entity) ? null : entity.getCluster(); + ResourceEntity resourceEntity = (null == clusterEntity) ? null : clusterEntity.getResource(); + Long resourceId = (null == resourceEntity) ? null : resourceEntity.getId(); + + verifyAuthorization((null == entity) ? null : entity.getServiceName(), resourceId, + clusterLevelAuthorizations, serviceLevelAuthorizations, operation); + } + + /** + * Tests if the authenticated user is authorized to for either service- or cluster-level access to + * alert data. An authorization failure results in a thrown {@link AuthorizationException}. + * <p/> + * If the service name from the AlertDefinitionEntity is null or empty, the alert is considered to + * be a cluster-level alert, else it is considered to be a service-level alert. + * + * @param serviceName the name of the relevant service - null or empty indicates a cluster-level alert + * @param clusterResourceId the resource id of the relevant cluster + * @param clusterLevelAuthorizations the set of cluster-level authorizations to check for + * @param serviceLevelAuthorizations the set of service-level authorizations to check for + * @param operation the name of the operation being tested for (used in error and logging messages) + * @throws AuthorizationException if the authenticated user is not authorized + */ + public static void verifyAuthorization(String serviceName, Long clusterResourceId, + Set<RoleAuthorization> clusterLevelAuthorizations, + Set<RoleAuthorization> serviceLevelAuthorizations, + String operation) throws AuthorizationException { + if (null == clusterResourceId) { + // Do not let clusterResourceId be null because that indicates we don't care about which cluster + // we are checking authorization for, but we do. Setting this to -1 ensures that no cluster + // will match will will give only Ambari administrators access to this. + clusterResourceId = -1L; + } + + // If the service name is AMBARI, than the alert is for the cluster + if (StringUtils.isEmpty(serviceName) || "AMBARI".equals(serviceName)) { + if (!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, clusterResourceId, + clusterLevelAuthorizations)) { + throw new AuthorizationException(String.format("The authenticated user is not authorized to %s cluster-level alerts", operation)); + } + } else { + if (!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, clusterResourceId, + serviceLevelAuthorizations)) { + throw new AuthorizationException(String.format("The authenticated user is not authorized to %s service-level alerts", operation)); + } + } + } +} + http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertTargetResourceProvider.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertTargetResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertTargetResourceProvider.java index a310259..d28987d 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertTargetResourceProvider.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertTargetResourceProvider.java @@ -1,4 +1,4 @@ -/** +/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information @@ -48,6 +48,8 @@ import org.apache.ambari.server.notifications.NotificationDispatcher; import org.apache.ambari.server.orm.dao.AlertDispatchDAO; import org.apache.ambari.server.orm.entities.AlertGroupEntity; import org.apache.ambari.server.orm.entities.AlertTargetEntity; +import org.apache.ambari.server.security.authorization.ResourceType; +import org.apache.ambari.server.security.authorization.RoleAuthorization; import org.apache.ambari.server.state.AlertState; import org.apache.ambari.server.state.alert.AlertGroup; import org.apache.ambari.server.state.alert.AlertTarget; @@ -63,7 +65,7 @@ import com.google.inject.Inject; */ @StaticallyInject public class AlertTargetResourceProvider extends - AbstractResourceProvider { + AbstractAuthorizedResourceProvider { protected static final String ALERT_TARGET = "AlertTarget"; protected static final String ALERT_TARGET_ID = "AlertTarget/id"; @@ -122,10 +124,18 @@ public class AlertTargetResourceProvider extends */ AlertTargetResourceProvider() { super(PROPERTY_IDS, KEY_PROPERTY_IDS); + + // For now only allow an Ambari administrator to create, update, and manage Alert Targets. + // If an alert target can associated with a particular cluster, than a cluster administrator + // should be able to do this as well. + EnumSet<RoleAuthorization> requiredAuthorizations = EnumSet.of(RoleAuthorization.CLUSTER_MANAGE_ALERTS); + setRequiredCreateAuthorizations(requiredAuthorizations); + setRequiredUpdateAuthorizations(requiredAuthorizations); + setRequiredDeleteAuthorizations(requiredAuthorizations); } @Override - public RequestStatus createResources(final Request request) + protected RequestStatus createResourcesAuthorized(final Request request) throws SystemException, UnsupportedPropertyException, ResourceAlreadyExistsException, NoSuchParentResourceException { @@ -173,7 +183,7 @@ public class AlertTargetResourceProvider extends } @Override - public RequestStatus updateResources(final Request request, + protected RequestStatus updateResourcesAuthorized(final Request request, Predicate predicate) throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException { @@ -202,7 +212,7 @@ public class AlertTargetResourceProvider extends } @Override - public RequestStatus deleteResources(Predicate predicate) + protected RequestStatus deleteResourcesAuthorized(Predicate predicate) throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException { @@ -239,6 +249,11 @@ public class AlertTargetResourceProvider extends return PK_PROPERTY_IDS; } + @Override + protected ResourceType getResourceType(Request request, Predicate predicate) { + return ResourceType.AMBARI; + } + /** * Create and persist {@link AlertTargetEntity} from the map of properties. * @@ -341,7 +356,7 @@ public class AlertTargetResourceProvider extends /** * Updates existing {@link AlertTargetEntity}s with the specified properties. * - * @param requestMaps + * @param requestMap * a set of property maps, one map for each entity. * @throws AmbariException * if the entity could not be found. http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/DefaultProviderModule.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/DefaultProviderModule.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/DefaultProviderModule.java index dde934d..3801cc3 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/DefaultProviderModule.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/DefaultProviderModule.java @@ -95,7 +95,7 @@ public class DefaultProviderModule extends AbstractProviderModule { case AlertGroup: return new AlertGroupResourceProvider(managementController); case AlertNotice: - return new AlertNoticeResourceProvider(); + return new AlertNoticeResourceProvider(managementController); case Upgrade: return new UpgradeResourceProvider(managementController); case UpgradeGroup: http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java index d817ad7..20ce7fa 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java @@ -72,9 +72,11 @@ public class AmbariAuthorizationFilter implements Filter { private static final String API_CREDENTIALS_AMBARI_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/credentials/ambari\\..*"; private static final String API_CLUSTER_REQUESTS_ALL_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/requests.*"; private static final String API_CLUSTER_SERVICES_ALL_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/services.*"; - private static final String API_HOSTS_ALL_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/hosts.*"; + private static final String API_CLUSTER_ALERT_ALL_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/alert.*"; + private static final String API_CLUSTER_HOSTS_ALL_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/hosts.*"; private static final String API_STACK_VERSIONS_PATTERN = API_VERSION_PREFIX + "/stacks/.*?/versions/.*"; - private static final String API_HOSTS_ALL = API_VERSION_PREFIX + "/hosts.*"; + private static final String API_HOSTS_ALL_PATTERN = API_VERSION_PREFIX + "/hosts.*"; + private static final String API_ALERT_TARGETS_ALL_PATTERN = API_VERSION_PREFIX + "/alert_targets.*"; protected static final String LOGIN_REDIRECT_BASE = "/#/login?targetURI="; @@ -252,13 +254,15 @@ public class AmbariAuthorizationFilter implements Filter { requestURI.matches(API_PRIVILEGES_ALL_PATTERN) || requestURI.matches(API_CLUSTER_REQUESTS_ALL_PATTERN) || requestURI.matches(API_CLUSTER_SERVICES_ALL_PATTERN) || + requestURI.matches(API_CLUSTER_ALERT_ALL_PATTERN) || requestURI.matches(API_CLUSTERS_PATTERN) || requestURI.matches(API_STACK_VERSIONS_PATTERN) || requestURI.matches(API_VIEWS_ALL_PATTERN) || requestURI.matches(VIEWS_CONTEXT_PATH_PATTERN) || requestURI.matches(API_WIDGET_LAYOUTS_PATTERN) || + requestURI.matches(API_CLUSTER_HOSTS_ALL_PATTERN) || requestURI.matches(API_HOSTS_ALL_PATTERN) || - requestURI.matches(API_HOSTS_ALL) || + requestURI.matches(API_ALERT_TARGETS_ALL_PATTERN) || requestURI.matches(API_PRIVILEGES_ALL_PATTERN); } http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java index 795db77..6d74f97 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java @@ -41,6 +41,7 @@ public enum RoleAuthorization { CLUSTER_MANAGE_CREDENTIALS("CLUSTER.MANAGE_CREDENTIALS"), CLUSTER_MODIFY_CONFIGS("CLUSTER.MODIFY_CONFIGS"), CLUSTER_MANAGE_CONFIG_GROUPS("CLUSTER.MANAGE_CONFIG_GROUPS"), + CLUSTER_MANAGE_ALERTS("CLUSTER.MANAGE_ALERTS"), CLUSTER_TOGGLE_ALERTS("CLUSTER.TOGGLE_ALERTS"), CLUSTER_TOGGLE_KERBEROS("CLUSTER.TOGGLE_KERBEROS"), CLUSTER_UPGRADE_DOWNGRADE_STACK("CLUSTER.UPGRADE_DOWNGRADE_STACK"), @@ -60,6 +61,7 @@ public enum RoleAuthorization { SERVICE_DECOMMISSION_RECOMMISSION("SERVICE.DECOMMISSION_RECOMMISSION"), SERVICE_ENABLE_HA("SERVICE.ENABLE_HA"), SERVICE_MANAGE_CONFIG_GROUPS("SERVICE.MANAGE_CONFIG_GROUPS"), + SERVICE_MANAGE_ALERTS("SERVICE.MANAGE_ALERTS"), SERVICE_MODIFY_CONFIGS("SERVICE.MODIFY_CONFIGS"), SERVICE_MOVE("SERVICE.MOVE"), SERVICE_RUN_CUSTOM_COMMAND("SERVICE.RUN_CUSTOM_COMMAND"), http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog230.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog230.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog230.java index 57eafa6..38b3c6b 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog230.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog230.java @@ -170,7 +170,7 @@ public class UpgradeCatalog230 extends AbstractUpgradeCatalog { dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.VIEW_STATUS_INFO'", "'View status information'"}, false); dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.VIEW_CONFIGS'", "'View configurations'"}, false); dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.COMPARE_CONFIGS'", "'Compare configurations'"}, false); - dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.VIEW_ALERTS'", "'View service alerts'"}, false); + dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.VIEW_ALERTS'", "'View service-level alerts'"}, false); dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.START_STOP'", "'Start/Stop/Restart Service'"}, false); dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.DECOMMISSION_RECOMMISSION'", "'Decommission/recommission'"}, false); dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.RUN_SERVICE_CHECK'", "'Run service checks'"}, false); @@ -178,9 +178,10 @@ public class UpgradeCatalog230 extends AbstractUpgradeCatalog { dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.RUN_CUSTOM_COMMAND'", "'Perform service-specific tasks'"}, false); dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.MODIFY_CONFIGS'", "'Modify configurations'"}, false); dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.MANAGE_CONFIG_GROUPS'", "'Manage configuration groups'"}, false); + dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.MANAGE_ALERTS'", "'Manage service-level alerts'"}, false); dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.MOVE'", "'Move to another host'"}, false); dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.ENABLE_HA'", "'Enable HA'"}, false); - dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.TOGGLE_ALERTS'", "'Enable/disable service alerts'"}, false); + dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.TOGGLE_ALERTS'", "'Enable/disable service-level alerts'"}, false); dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.ADD_DELETE_SERVICES'", "'Add Service to cluster'"}, false); dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'HOST.VIEW_METRICS'", "'View metrics'"}, false); @@ -194,10 +195,11 @@ public class UpgradeCatalog230 extends AbstractUpgradeCatalog { dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_STATUS_INFO'", "'View status information'"}, false); dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_CONFIGS'", "'View configuration'"}, false); dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_STACK_DETAILS'", "'View stack version details'"}, false); - dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_ALERTS'", "'View alerts'"}, false); + dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_ALERTS'", "'View cluster-level alerts'"}, false); dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.MANAGE_CREDENTIALS'", "'Manage external credentials'"}, false); dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.MODIFY_CONFIGS'", "'Modify cluster configurations'"}, false); - dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.TOGGLE_ALERTS'", "'Enable/disable alerts'"}, false); + dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.MANAGE_ALERTS'", "'Manage cluster-level alerts'"}, false); + dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.TOGGLE_ALERTS'", "'Enable/disable cluster-level alerts'"}, false); dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.TOGGLE_KERBEROS'", "'Enable/disable Kerberos'"}, false); dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.UPGRADE_DOWNGRADE_STACK'", "'Upgrade/downgrade stack'"}, false); @@ -274,6 +276,7 @@ public class UpgradeCatalog230 extends AbstractUpgradeCatalog { map.put("SERVICE.MODIFY_CONFIGS", serviceAdministratorAndUp); map.put("SERVICE.MANAGE_CONFIG_GROUPS", serviceAdministratorAndUp); map.put("CLUSTER.MANAGE_CONFIG_GROUPS", serviceAdministratorAndUp); + map.put("SERVICE.MANAGE_ALERTS", serviceAdministratorAndUp); map.put("SERVICE.MOVE", serviceAdministratorAndUp); map.put("SERVICE.ENABLE_HA", serviceAdministratorAndUp); map.put("SERVICE.TOGGLE_ALERTS", serviceAdministratorAndUp); @@ -291,6 +294,7 @@ public class UpgradeCatalog230 extends AbstractUpgradeCatalog { map.put("CLUSTER.VIEW_ALERTS", clusterUserAndUp); map.put("CLUSTER.MANAGE_CREDENTIALS", clusterAdministratorAndUp); map.put("CLUSTER.MODIFY_CONFIGS", clusterAdministratorAndUp); + map.put("CLUSTER.MANAGE_ALERTS", clusterAdministratorAndUp); map.put("CLUSTER.TOGGLE_ALERTS", clusterAdministratorAndUp); map.put("CLUSTER.TOGGLE_KERBEROS", clusterAdministratorAndUp); map.put("CLUSTER.UPGRADE_DOWNGRADE_STACK", clusterAdministratorAndUp); http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql index 4a980ec..f40a8fd 100644 --- a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql +++ b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql @@ -1024,7 +1024,7 @@ INSERT INTO roleauthorization(authorization_id, authorization_name) SELECT 'SERVICE.VIEW_STATUS_INFO', 'View status information' UNION ALL SELECT 'SERVICE.VIEW_CONFIGS', 'View configurations' UNION ALL SELECT 'SERVICE.COMPARE_CONFIGS', 'Compare configurations' UNION ALL - SELECT 'SERVICE.VIEW_ALERTS', 'View service alerts' UNION ALL + SELECT 'SERVICE.VIEW_ALERTS', 'View service-level alerts' UNION ALL SELECT 'SERVICE.START_STOP', 'Start/Stop/Restart Service' UNION ALL SELECT 'SERVICE.DECOMMISSION_RECOMMISSION', 'Decommission/recommission' UNION ALL SELECT 'SERVICE.RUN_SERVICE_CHECK', 'Run service checks' UNION ALL @@ -1032,9 +1032,10 @@ INSERT INTO roleauthorization(authorization_id, authorization_name) SELECT 'SERVICE.RUN_CUSTOM_COMMAND', 'Perform service-specific tasks' UNION ALL SELECT 'SERVICE.MODIFY_CONFIGS', 'Modify configurations' UNION ALL SELECT 'SERVICE.MANAGE_CONFIG_GROUPS', 'Manage configuration groups' UNION ALL + SELECT 'SERVICE.MANAGE_ALERTS', 'Manage service-level alerts' UNION ALL SELECT 'SERVICE.MOVE', 'Move to another host' UNION ALL SELECT 'SERVICE.ENABLE_HA', 'Enable HA' UNION ALL - SELECT 'SERVICE.TOGGLE_ALERTS', 'Enable/disable service alerts' UNION ALL + SELECT 'SERVICE.TOGGLE_ALERTS', 'Enable/disable service-level alerts' UNION ALL SELECT 'SERVICE.ADD_DELETE_SERVICES', 'Add Service to cluster' UNION ALL SELECT 'HOST.VIEW_METRICS', 'View metrics' UNION ALL SELECT 'HOST.VIEW_STATUS_INFO', 'View status information' UNION ALL @@ -1046,11 +1047,12 @@ INSERT INTO roleauthorization(authorization_id, authorization_name) SELECT 'CLUSTER.VIEW_STATUS_INFO', 'View status information' UNION ALL SELECT 'CLUSTER.VIEW_CONFIGS', 'View configuration' UNION ALL SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' UNION ALL - SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' UNION ALL + SELECT 'CLUSTER.VIEW_ALERTS', 'View cluster-level alerts' UNION ALL SELECT 'CLUSTER.MANAGE_CREDENTIALS', 'Manage external credentials' UNION ALL SELECT 'CLUSTER.MODIFY_CONFIGS', 'Modify cluster configurations' UNION ALL SELECT 'CLUSTER.MANAGE_CONFIG_GROUPS', 'Manage cluster config groups' UNION ALL - SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' UNION ALL + SELECT 'CLUSTER.MANAGE_ALERTS', 'Manage cluster-level alerts' UNION ALL + SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable cluster-level alerts' UNION ALL SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' UNION ALL SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' UNION ALL SELECT 'AMBARI.ADD_DELETE_CLUSTERS', 'Create new clusters' UNION ALL @@ -1118,6 +1120,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id) SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL + SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL @@ -1145,6 +1148,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id) SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL + SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL @@ -1174,7 +1178,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id) SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL - SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL + SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL @@ -1193,6 +1197,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id) SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL SELECT permission_id, 'CLUSTER.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL + SELECT permission_id, 'CLUSTER.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR'; @@ -1211,7 +1216,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id) SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL - SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL + SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL @@ -1230,6 +1235,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id) SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL SELECT permission_id, 'CLUSTER.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL + SELECT permission_id, 'CLUSTER.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql index 60bbd30..4305a4c 100644 --- a/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql +++ b/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql @@ -1016,7 +1016,7 @@ INSERT INTO roleauthorization(authorization_id, authorization_name) SELECT 'SERVICE.VIEW_STATUS_INFO', 'View status information' FROM dual UNION ALL SELECT 'SERVICE.VIEW_CONFIGS', 'View configurations' FROM dual UNION ALL SELECT 'SERVICE.COMPARE_CONFIGS', 'Compare configurations' FROM dual UNION ALL - SELECT 'SERVICE.VIEW_ALERTS', 'View service alerts' FROM dual UNION ALL + SELECT 'SERVICE.VIEW_ALERTS', 'View service-level alerts' FROM dual UNION ALL SELECT 'SERVICE.START_STOP', 'Start/Stop/Restart Service' FROM dual UNION ALL SELECT 'SERVICE.DECOMMISSION_RECOMMISSION', 'Decommission/recommission' FROM dual UNION ALL SELECT 'SERVICE.RUN_SERVICE_CHECK', 'Run service checks' FROM dual UNION ALL @@ -1024,9 +1024,10 @@ INSERT INTO roleauthorization(authorization_id, authorization_name) SELECT 'SERVICE.RUN_CUSTOM_COMMAND', 'Perform service-specific tasks' FROM dual UNION ALL SELECT 'SERVICE.MODIFY_CONFIGS', 'Modify configurations' FROM dual UNION ALL SELECT 'SERVICE.MANAGE_CONFIG_GROUPS', 'Manage configuration groups' FROM dual UNION ALL + SELECT 'SERVICE.MANAGE_ALERTS', 'Manage service-level alerts' from dual UNION ALL SELECT 'SERVICE.MOVE', 'Move to another host' FROM dual UNION ALL SELECT 'SERVICE.ENABLE_HA', 'Enable HA' FROM dual UNION ALL - SELECT 'SERVICE.TOGGLE_ALERTS', 'Enable/disable service alerts' FROM dual UNION ALL + SELECT 'SERVICE.TOGGLE_ALERTS', 'Enable/disable service-level alerts' FROM dual UNION ALL SELECT 'SERVICE.ADD_DELETE_SERVICES', 'Add Service to cluster' FROM dual UNION ALL SELECT 'HOST.VIEW_METRICS', 'View metrics' FROM dual UNION ALL SELECT 'HOST.VIEW_STATUS_INFO', 'View status information' FROM dual UNION ALL @@ -1038,11 +1039,12 @@ INSERT INTO roleauthorization(authorization_id, authorization_name) SELECT 'CLUSTER.VIEW_STATUS_INFO', 'View status information' FROM dual UNION ALL SELECT 'CLUSTER.VIEW_CONFIGS', 'View configuration' FROM dual UNION ALL SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' FROM dual UNION ALL - SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' FROM dual UNION ALL + SELECT 'CLUSTER.VIEW_ALERTS', 'View cluster-level alerts' FROM dual UNION ALL SELECT 'CLUSTER.MANAGE_CREDENTIALS', 'Manage external credentials' from dual UNION ALL SELECT 'CLUSTER.MODIFY_CONFIGS', 'Modify cluster configurations' from dual UNION ALL SELECT 'CLUSTER.MANAGE_CONFIG_GROUPS', 'Manage cluster config groups' from dual UNION ALL - SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' FROM dual UNION ALL + SELECT 'CLUSTER.MANAGE_ALERTS', 'Manage cluster-level alerts' from dual UNION ALL + SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable cluster-level alerts' FROM dual UNION ALL SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' FROM dual UNION ALL SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' FROM dual UNION ALL SELECT 'AMBARI.ADD_DELETE_CLUSTERS', 'Create new clusters' FROM dual UNION ALL @@ -1110,6 +1112,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id) SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL + SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL @@ -1137,6 +1140,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id) SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL + SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL @@ -1167,6 +1171,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id) SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL + SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL @@ -1185,6 +1190,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id) SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL SELECT permission_id, 'CLUSTER.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL + SELECT permission_id, 'CLUSTER.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR'; @@ -1204,6 +1210,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id) SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL + SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL @@ -1222,6 +1229,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id) SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL SELECT permission_id, 'CLUSTER.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL + SELECT permission_id, 'CLUSTER.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
