Rather than testing authorization using roles, we test authorization using privileges (or authorizations - RoleAuthorization). Privileges are assigned to roles and therefore new roles can be added without needing to update the code.
There are two cases here... one for Ambari-level requests and one for cluster-level requests. Ambari-level requests have no resource associated with them, whereas cluster-level requests have a cluster resource associated with them.

For the **Ambari-level** case, a new authorization should be created... `AMBARI.VIEW_STATUS_INFO`. This privilege should be added to the AMBARI.ADMINISTRATOR role. Once this is done, the authorization check would look something like:

```
AuthorizationHelper.isAuthorized(ResourceType.AMBARI, null, RoleAuthorization.AMBARI_VIEW_STATUS_INFO)
```

For the **cluster-level** case, the following set of (existing) authorizations should be used... `CLUSTER.VIEW_STATUS_INFO`, `SERVICE.VIEW_STATUS_INFO`, and `HOST.VIEW_STATUS_INFO`. Once this is done, the authorization check would look something like:

```
AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, <cluster resource id>,
    EnumSet.of(RoleAuthorization.CLUSTER_VIEW_STATUS_INFO,
               RoleAuthorization.SERVICE_VIEW_STATUS_INFO,
               RoleAuthorization.HOST_VIEW_STATUS_INFO))
```

[ Full content available at: https://github.com/apache/ambari/pull/2198 ]
This message was relayed via gitbox.apache.org for [email protected]
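A simplified model of the privilege-based check described in the comment above, added here as an illustration; it is not Ambari's code and not part of the original message. The class, the `Grant` record, the `DEMO.*` role names and the "any one required authorization suffices" rule are assumptions of this sketch (Java 16+ for records).

```java
import java.util.*;

public class PrivilegeCheckDemo {
    // Stand-ins for the authorization ids named in the comment.
    enum Auth { AMBARI_VIEW_STATUS_INFO, CLUSTER_VIEW_STATUS_INFO,
                SERVICE_VIEW_STATUS_INFO, HOST_VIEW_STATUS_INFO }
    enum ResType { AMBARI, CLUSTER }

    // A grant binds a role to a resource; resourceId is null for Ambari-level grants.
    record Grant(String role, ResType type, Long resourceId) {}

    // Role -> authorizations is data, so adding a role never touches isAuthorized().
    static final Map<String, Set<Auth>> ROLE_AUTHS = new HashMap<>();

    // Assumption of this model: holding any one of the required authorizations
    // on the exact resource is enough; everything else is denied.
    static boolean isAuthorized(List<Grant> grants, ResType type, Long resourceId,
                                Set<Auth> required) {
        for (Grant g : grants) {
            if (g.type() != type || !Objects.equals(g.resourceId(), resourceId)) {
                continue; // grant is for another resource
            }
            Set<Auth> held = ROLE_AUTHS.getOrDefault(g.role(), Set.of());
            if (!Collections.disjoint(held, required)) {
                return true;
            }
        }
        return false; // default deny, including unknown roles
    }

    public static void main(String[] args) {
        ROLE_AUTHS.put("AMBARI.ADMINISTRATOR", EnumSet.of(Auth.AMBARI_VIEW_STATUS_INFO));
        ROLE_AUTHS.put("DEMO.CLUSTER_VIEWER", EnumSet.of(Auth.CLUSTER_VIEW_STATUS_INFO));
        Set<Auth> clusterView = EnumSet.of(Auth.CLUSTER_VIEW_STATUS_INFO,
                Auth.SERVICE_VIEW_STATUS_INFO, Auth.HOST_VIEW_STATUS_INFO);

        List<Grant> admin = List.of(new Grant("AMBARI.ADMINISTRATOR", ResType.AMBARI, null));
        List<Grant> viewer = List.of(new Grant("DEMO.CLUSTER_VIEWER", ResType.CLUSTER, 2L));
        System.out.println("admin, Ambari-level: " + isAuthorized(admin, ResType.AMBARI,
                null, EnumSet.of(Auth.AMBARI_VIEW_STATUS_INFO)));
        System.out.println("viewer, own cluster: " + isAuthorized(viewer, ResType.CLUSTER, 2L, clusterView));
        System.out.println("viewer, other cluster: " + isAuthorized(viewer, ResType.CLUSTER, 3L, clusterView));

        // A role introduced later is only a new data row; the call site is unchanged.
        ROLE_AUTHS.put("DEMO.HOST_AUDITOR", EnumSet.of(Auth.HOST_VIEW_STATUS_INFO));
        List<Grant> auditor = List.of(new Grant("DEMO.HOST_AUDITOR", ResType.CLUSTER, 2L));
        System.out.println("new role, same check: " + isAuthorized(auditor, ResType.CLUSTER, 2L, clusterView));
    }
}
```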
