## What changes were proposed in this pull request? Protecting the Request resource so that only authorized users may have read-only access the data.
Users with the following roles should have read-only access: - AMBARI.ADMINISTRATOR - CLUSTER.ADMINISTRATOR - CLUSTER.OPERATOR - CLUSTER.USER - SERVICE.ADMINISTRATOR - SERVICE.OPERATOR Users with no role related to the cluster may not view the data. ## How was this patch tested? Executed JUnit tests in `ambari-server`: ``` ``` In addition to unit testing the following E2E test steps have been executed: 1. deployed Ambari 2.7.1-132 and installed a cluster with HDFS only 2. created two new Ambari users: 2.1. viewUser: no user access 2.2. clusterUser: with `Cluster User` user access 3. built the code and replaced the `ambari-server.jar` with the new JAR 4. tested if I can see request related information: 4.1. logged in as`admin` user and hit `http://c7401:8080/api/v1/clusters/cluster1/requests/` - as expected the request list has been displayed in my browser 4.2. logged in as`clusterUser` user and hit `http://c7401:8080/api/v1/clusters/cluster1/requests/` - as expected the request list has been displayed in my browser 4.3. logged in as`viewUser` user and hit `http://c7401:8080/api/v1/clusters/cluster1/requests/` - as expected a 403 has been thrown and the following JSON response arrived: ``` { status: 403, message: "The authenticated user is not authorized to fetch request related information." } ``` [ Full content available at: https://github.com/apache/ambari/pull/2198 ] This message was relayed via gitbox.apache.org for [email protected]
