Re: Review Request 41107: Role Based Access Control support for Metrics.

Jonathan Hurley Tue, 15 Dec 2015 17:46:06 -0800

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/41107/#review110599
-----------------------------------------------------------


Ship it!


Ship It!

- Jonathan Hurley


On Dec. 15, 2015, 7:59 p.m., Swapan Shridhar wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/41107/
> -----------------------------------------------------------
> 
> (Updated Dec. 15, 2015, 7:59 p.m.)
> 
> 
> Review request for Ambari, Alejandro Fernandez, Jonathan Hurley, Nate Cole, 
> Robert Levas, Sumit Mohanty, and Sid Wagle.
> 
> 
> Bugs: AMBARI-14192
>     https://issues.apache.org/jira/browse/AMBARI-14192
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Role Based Access Control support for Metrics.
> 
> 
> * With the base infrastructure already in place for "Role Based Access 
> Control(RBAC)", this change introduces the RBAC support for AMbari Metrics. 
> Before the doing the metrics population, to be send back, it does an 
> authorization check for the current user in consideration for the VIEW 
> METRICE permissoions.
>   
> 
> * The mapping is as follows :
> 
> Resource.InternalType.Cluster -> CLUSTER_VIEW_METRICS
> Resource.InternalType.HOST -> HOST_VIEW_METRICS
> Resource.InternalType.Component -> SERVICE_VIEW_METRICS
> Resource.InternalType.HostComponent -> SERVICE_VIEW_METRICS
> 
> * For a user requesting Metrics and not having Au`thorization, 
> AuthorizationException is raised.
> 
> 
> NOTE : 
> ----
> As of now the below exist (Will be creating a JIRA for them). 
> 
> - when the VIEW USER logs in, it sees the VIEW listed for which it is 
> entitled for, but clicking on the CAPACITY SCHEDULER (YARN) VIEW results in 
> ERROR :
> 
> "Couldn't connect to the cluster
> RA040 I/O error while requesting Ambari". 
> REASON : This view internally calls meytrics for which it doesn't have the 
> permissions.
> 
> 
> Diffs
> -----
> 
>   
> ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractPropertyProvider.java
>  4a0c44f 
>   
> ambari-server/src/main/java/org/apache/ambari/server/controller/internal/StackDefinedPropertyProvider.java
>  a1b4f3f 
>   
> ambari-server/src/main/java/org/apache/ambari/server/controller/jmx/JMXPropertyProvider.java
>  2748dd4 
>   
> ambari-server/src/main/java/org/apache/ambari/server/controller/metrics/MetricsPropertyProvider.java
>  f1c5c81 
>   
> ambari-server/src/main/java/org/apache/ambari/server/controller/metrics/MetricsPropertyProviderProxy.java
>  ac11556 
>   
> ambari-server/src/main/java/org/apache/ambari/server/controller/metrics/MetricsReportPropertyProviderProxy.java
>  4d2ce01 
>   
> ambari-server/src/main/java/org/apache/ambari/server/controller/metrics/RestMetricsPropertyProvider.java
>  b32adda 
>   
> ambari-server/src/main/java/org/apache/ambari/server/controller/metrics/ThreadPoolEnabledPropertyProvider.java
>  8a35636 
>   
> ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
>  0c675b8 
>   
> ambari-server/src/test/java/org/apache/ambari/server/controller/internal/StackDefinedPropertyProviderTest.java
>  bb6673c 
>   
> ambari-server/src/test/java/org/apache/ambari/server/controller/metrics/JMXPropertyProviderTest.java
>  f0c1280 
>   
> ambari-server/src/test/java/org/apache/ambari/server/controller/metrics/RestMetricsPropertyProviderTest.java
>  82b42f2 
>   
> ambari-server/src/test/java/org/apache/ambari/server/controller/metrics/ganglia/GangliaPropertyProviderTest.java
>  6fefffe 
>   
> ambari-server/src/test/java/org/apache/ambari/server/controller/metrics/timeline/AMSPropertyProviderTest.java
>  6b5926b 
> 
> Diff: https://reviews.apache.org/r/41107/diff/
> 
> 
> Testing
> -------
> 
> - Ambari Server Deployment and tested for "View USER (only view 
> permissions)", 'admin' login (all permissions) and SERVICE OPERATOR role.
> - UT : PASSES.
> - UNIT tests modified as part of this change, tested : Success.
> - 
> - API :
> 
> 
> View User :
> ---------
> 
> [root@c6401 ambari-server]# curl -u viewUser:aaa 
> "http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]";
> {
>   "status" : 403,
>   "message" : "The authenticated user does not have authorization to view 
> Host metrics"
> }
> 
> 
> Cluster Administrator Role:
> --------------------------
> 
> [root@c6401 ambari-server]# curl -u clusAdmin:aaa 
> "http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]";
> {
>   "href" : 
> "http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]";,
>   "Hosts" : {
>     "cluster_name" : "c1",
>     "host_name" : "c6401.ambari.apache.org"
>   }
> }
> 
> 
> Service Operator:
> ----------------
> 
> [root@c6401 ambari-server]# curl -u servOp:aaa 
> "http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]";
> {
>   "href" : 
> "http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]";,
>   "Hosts" : {
>     "cluster_name" : "c1",
>     "host_name" : "c6401.ambari.apache.org"
>   }
> 
> 
> Non-existing User:
> -----------------
> 
> [root@c6401 ambari-server]# curl -u a:aaa 
> "http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]";
> {
>   "status": 403,
>   "message": "Full authentication is required to access this resource"
> }
> 
> 
> Admin User:
> ----------
> 
> [root@c6401 ambari-server]# curl -u admin:admin 
> "http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]";
> {
>   "href" : 
> "http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]";,
>   "Hosts" : {
>     "cluster_name" : "c1",
>     "host_name" : "c6401.ambari.apache.org"
>   }
> }
> 
> 
> Thanks,
> 
> Swapan Shridhar
> 
>

Re: Review Request 41107: Role Based Access Control support for Metrics.

Reply via email to