Rather than testing authorization using roles, we test authorization using privileges (or authorizations - RoleAuthorization). Privileges are assigned to roles and therefore new roles can be added without needing to update the code.
There are two cases here... one for Ambari-level requests and one for cluster-level requests. Ambari-level requests have no resource associated with them, whereas cluster-level requests have a cluster resource associated with them.

For the **Ambari-level** case, a new authorization should be created... AMBARI.VIEW_REQUEST_DETAILS (or something like that). This privilege should be added to the AMBARI.ADMINISTRATOR role. Once this is done, the authorization check would look something like:

```
AuthorizationHelper.isAuthorized(ResourceType.AMBARI, null, RoleAuthorization.AMBARI_VIEW_REQUEST_DETAILS)
```

For the **cluster-level** case, a new set of authorizations should be created... CLUSTER.VIEW_REQUEST_DETAILS, SERVICE.VIEW_REQUEST_DETAILS, and HOST.VIEW_REQUEST_DETAILS (or something like that). These privileges should be added to the following roles:

- AMBARI.ADMINISTRATOR
- CLUSTER.ADMINISTRATOR
- CLUSTER.OPERATOR
- SERVICE.ADMINISTRATOR
- SERVICE.OPERATOR
- CLUSTER.USER

Once this is done, the authorization check would look something like:

```
AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, <cluster resource id>,
    EnumSet.of(RoleAuthorization.CLUSTER_VIEW_REQUEST_DETAILS,
               RoleAuthorization.SERVICE_VIEW_REQUEST_DETAILS,
               RoleAuthorization.HOST_VIEW_REQUEST_DETAILS))
```

[ Full content available at: https://github.com/apache/ambari/pull/2198 ]

This message was relayed via gitbox.apache.org for [email protected]
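
An added illustration of the privilege-based check discussed in the comment above; it is not part of the original comment and not Ambari's code. The `Grant` record, the role map, the any-of matching, the rule that an Ambari-level grant covers every resource, and the `CLUSTER.AUDITOR` role are assumptions made for this sketch (Java 16+).

```java
import java.util.*;

// Simplified stand-in for the model in the comment above; these are not Ambari's classes.
public class PrivilegeCheckDemo {
    enum Auth { AMBARI_VIEW_REQUEST_DETAILS, CLUSTER_VIEW_REQUEST_DETAILS,
                SERVICE_VIEW_REQUEST_DETAILS, HOST_VIEW_REQUEST_DETAILS }

    // Role -> authorizations is data, so a new role never requires a change to a check.
    static final Map<String, Set<Auth>> ROLE_AUTHS = new HashMap<>();

    // A grant binds a role to a resource; resourceId == null means Ambari-level.
    record Grant(String role, Long resourceId) {}

    // Assumed semantics: one held authorization from 'required' is enough, and an
    // Ambari-level grant applies to every resource.
    static boolean isAuthorized(List<Grant> grants, Long resourceId, Set<Auth> required) {
        for (Grant g : grants) {
            boolean covers = g.resourceId() == null || g.resourceId().equals(resourceId);
            Set<Auth> held = ROLE_AUTHS.getOrDefault(g.role(), Set.of());
            if (covers && !Collections.disjoint(held, required)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Set<Auth> view = EnumSet.of(Auth.CLUSTER_VIEW_REQUEST_DETAILS,
                Auth.SERVICE_VIEW_REQUEST_DETAILS, Auth.HOST_VIEW_REQUEST_DETAILS);
        ROLE_AUTHS.put("AMBARI.ADMINISTRATOR", EnumSet.allOf(Auth.class));
        ROLE_AUTHS.put("CLUSTER.USER", view);

        List<Grant> user = List.of(new Grant("CLUSTER.USER", 2L)); // constructed grant
        System.out.println("own cluster:   " + isAuthorized(user, 2L, view));
        System.out.println("other cluster: " + isAuthorized(user, 3L, view));
        System.out.println("Ambari-level:  " + isAuthorized(user, null,
                EnumSet.of(Auth.AMBARI_VIEW_REQUEST_DETAILS)));

        // Adding a role later is a data change; isAuthorized and its callers stay as they are.
        ROLE_AUTHS.put("CLUSTER.AUDITOR", EnumSet.of(Auth.CLUSTER_VIEW_REQUEST_DETAILS)); // hypothetical role
        List<Grant> auditor = List.of(new Grant("CLUSTER.AUDITOR", 2L));
        System.out.println("new role:      " + isAuthorized(auditor, 2L, view));
    }
}
```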
