-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/41107/
-----------------------------------------------------------

(Updated Dec. 12, 2015, 10:40 a.m.)


Review request for Ambari, Alejandro Fernandez, Jonathan Hurley, Nate Cole, 
Robert Levas, Sumit Mohanty, and Sid Wagle.


Changes
-------

- Updated review suggestions made by Robert and Jonathan.
- Updated the test case "StackDefinedPropertyProviderTest.java", as it also 
required change as part of RBAC metrics changes.


Testing :

- Ambari Server Deployment and tested for "View USER (only view permissions)", 
'admin' login(all permissions) and SERVICE OPERATOR role.
- UT : PASSES.


Bugs: AMBARI-14192
    https://issues.apache.org/jira/browse/AMBARI-14192


Repository: ambari


Description (updated)
-------

Role Based Access Control support for Metrics.


* With the base infrastructure already in place for "Role Based Access 
Control(RBAC)", this change introduces the RBAC support for AMbari Metrics. 
Before the doing the metrics population, to be send back, it does an 
authorization check for the current user in consideration for the VIEW METRICE 
permissoions.
  

* The mapping is as follows :

Resource.InternalType.Cluster -> CLUSTER_VIEW_METRICS
Resource.InternalType.HOST -> HOST_VIEW_METRICS
Resource.InternalType.Component -> SERVICE_VIEW_METRICS
Resource.InternalType.HostComponent -> SERVICE_VIEW_METRICS

* For a user requesting Metrics and not having Au`thorization, 
AuthorizationException is raised.


NOTE : 
----
As of now, the when the VIEW USER logs in, it see the VIEW listed for which it 
is entitled for, but clicking on the VIEW results in ERROR :

"Couldn't connect to the cluster
RA040 I/O error while requesting Ambari". 


Two Screenshots attached.


Diffs (updated)
-----

  
ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractPropertyProvider.java
 4a0c44f 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/internal/StackDefinedPropertyProvider.java
 a1b4f3f 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/jmx/JMXPropertyProvider.java
 2748dd4 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/metrics/MetricsPropertyProvider.java
 f1c5c81 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/metrics/MetricsPropertyProviderProxy.java
 ac11556 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/metrics/MetricsReportPropertyProviderProxy.java
 4d2ce01 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/metrics/RestMetricsPropertyProvider.java
 b32adda 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/metrics/ThreadPoolEnabledPropertyProvider.java
 8a35636 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/internal/StackDefinedPropertyProviderTest.java
 bb6673c 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/metrics/JMXPropertyProviderTest.java
 f0c1280 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/metrics/RestMetricsPropertyProviderTest.java
 82b42f2 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/metrics/ganglia/GangliaPropertyProviderTest.java
 6fefffe 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/metrics/timeline/AMSPropertyProviderTest.java
 6b5926b 

Diff: https://reviews.apache.org/r/41107/diff/


Testing (updated)
-------

- Ambari Server Deployment and tested for "View USER (only view permissions)", 
'admin' login(all permissions) and SERVICE OPERATOR role.
- UT : PASSES.
- UNIT tests modified as part of this change, tested : Success.
- 
- API :


View User :
---------

[root@c6401 ambari-server]# curl -u viewUser:aaa 
"http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]";
{
  "status" : 403,
  "message" : "The authenticated user does not have authorization to view Host 
metrics"
}


Cluster Administrator Role:
--------------------------

[root@c6401 ambari-server]# curl -u clusAdmin:aaa 
"http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]";
{
  "href" : 
"http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]";,
  "Hosts" : {
    "cluster_name" : "c1",
    "host_name" : "c6401.ambari.apache.org"
  }
}


Service Operator:
----------------

[root@c6401 ambari-server]# curl -u servOp:aaa 
"http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]";
{
  "href" : 
"http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]";,
  "Hosts" : {
    "cluster_name" : "c1",
    "host_name" : "c6401.ambari.apache.org"
  }


Non-existing User:
-----------------

[root@c6401 ambari-server]# curl -u a:aaa 
"http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]";
{
  "status": 403,
  "message": "Full authentication is required to access this resource"
}


Admin User:
----------

[root@c6401 ambari-server]# curl -u admin:admin 
"http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]";
{
  "href" : 
"http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]";,
  "Hosts" : {
    "cluster_name" : "c1",
    "host_name" : "c6401.ambari.apache.org"
  }
}


File Attachments (updated)
----------------

1. Clicking on VIEW in "VIEW USER" role results in ERROR
  
https://reviews.apache.org/media/uploaded/files/2015/12/12/69a18d68-cb66-4432-965e-5d883ff846ac__1._Clicking_on_VIEW_in_22VIEW_USER22_role_results_in_ERROR.png
2. ERROR on UI after clicking on VIEW as "VIEW USER"
  
https://reviews.apache.org/media/uploaded/files/2015/12/12/212ed873-75a5-4d4d-bfff-c9749938ef9b__2._ERROR_on_UI_after_clicking_on_VIEW_as_22VIEW_USER22.png


Thanks,

Swapan Shridhar

Reply via email to