[
https://issues.apache.org/jira/browse/AMBARI-15552?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15257268#comment-15257268
]
Keta Patel commented on AMBARI-15552:
-------------------------------------
The issue can be divided into 2 parts:
1. List View
2. Block View
Since we are able to add multiple privileges for the same user/group on the
Block View page, the List View page
does not give a complete understanding of what privileges the user/group has.
Though the List view shows the effective
privilege for a user/group, it is not clear for the Ambari user why the other
privileges are overridden by the current
one or why he can not assign a lower privilege to the user/group.
LIST VIEW:
=========
ISSUE:
A group containing a few members is assigned some privilege. In the List View,
the Ambari user is able to see the
group's privilege for every user it contains. This is correct behavior. But if
the Ambari user tries to change the
privilege of one of the group users, then that user gets updated with the new
privilege but all the other group members
loose their privilege and show "None" as their current privilege. Even the
group looses it's privilege and shows "None"
as its current privilege.
CAUSE:
A group member has the same privileges as the group to which it belongs to. As
a result, the Database stores only
1 entry for a group privilege and doesn't add new entries for the group
members. As a result, the database contained
only one entry for the group privilege in the table "adminprivilege". When the
Ambari user selected a different
privilege for the group member, the entry that belonged to the group was
deleted from the table and a new entry for the
new privilege was added. This new entry belonged to the group member. As a
result of these steps, the group and all the
remaining group members lost their privilege and showed "None" as their
effective privilege.
FIX:
Since this issue is observed for users alone, the groups are updated in the
same original way with a few changes to
address some other issue as explained below.
For Users in the List View, whenever the the privilege is updated, a check is
made to see if this update is for a
user or a group. If it is for a user, then a server call is made to retrieve
all the privileges of this user. This
includes all the privileges the user has individually as well as the privileges
from the groups it belongs to.
NOTE: We do not want to keep multiple individual privileges for the user in the
database. This is because the higher
privileges themselves are inclusive of all the privileges lower than itself.
There is no need for some user "abc" to
have both "Cluster User" and "Cluster Administrator" privileges as "Cluster
Administrator" covers all "Cluster User"
privilege also. Regarding the privileges the user gets from the groups it
belongs to, we can not control that number.
So, a user will ultimately have one effective privilege coming from the
individual and all the group privileges taken
into account. This effective privilege will be the highest of all its
privileges.
Now, there are 2 cases that can arise:
1. The Ambari user wants to assign a privilege to the user that is greater than
or equal to its current effective privilege coming from its groups.
2. The Ambari user wants to assign a privilege that is lower than the effective
privilege coming from its groups.
Note: The reason we are comparing the effective privilege from its groups in
the 2 cases is that even if the user had
some individual privilege, on selecting some other privilege in the List view,
we would be replacing that individual
privilege since we want to keep only one individual privilege. Hence, the
comparison now would be between the chosen
privilege and the effective privilege from its groups.
The 1st case is handled by allowing the new privilege to be assigned as the
individual user privilege. This would also
be the user's effective privilege as it is greater than the group's effective
privilege. Any individual privileges the
user had are deleted from the database.
The 2nd case is handled by not allowing the update to go through. This is
because the Ambari use wants to assign a
privilege that would be lower than the group's effective privilege. Even if we
had gone through with the update, we
would have deleted any individual privileges the user had, and added the new
selected privilege which would still be
lower than the effective privilege coming from its groups. The List view would
still show the groups' effective
privilege instead of what the Ambari user had selected. So, the fix simply
shows an Alert saying that that this
change was not successful due to the effective privilege from groups being
higher than the selected privilege.
> Role selection in List view of Manage Ambari page does not work correctly
> -------------------------------------------------------------------------
>
> Key: AMBARI-15552
> URL: https://issues.apache.org/jira/browse/AMBARI-15552
> Project: Ambari
> Issue Type: Bug
> Components: ambari-admin
> Reporter: Keta Patel
> Assignee: Keta Patel
> Attachments: block_view_after_step3.tiff, block_view_original.tiff,
> list_view_add_role_to_user_step1.tiff, list_view_add_role_to_user_step2.tiff,
> list_view_add_role_to_user_step3.tiff, list_view_users.tiff, mygroup.tiff,
> user1.tiff
>
>
> Reproduction Steps:
> 1. Go to Admin->Manage Ambari
> 2. Create a group with a few users belonging to it.
> (I have created "mygroup" with "user1", "user2", "user3")
> (attachments "user1.tiff", "mygroup.tiff" shows samples)
> 3. Go to Clusters->Roles on the left navigation menu.
> 4. The default view is the "Block" view for the roles. Assign "mygroup" a
> role, say "Cluster User".
> (attachment "block_view_original.tiff")
> 5. Click on "List" view, it will show Users by default. It correctly shows
> the role "Cluster User" for each user in "mygroup".
> (attachment "list_view_users.tiff")
> 6. Now, try adding a new Role, say "Service Operator", to one of the users,
> say "user3".
> (attachments "list_view_add_role_to_user_step1.tiff",
> "list_view_add_role_to_user_step2.tiff")
> 7. After making this change, the role gets added for that user (in our case
> "user3"), but the roles from other users in its group gets removed. Also, the
> previous role for the user ("user3") is replaced by the new Role.
> (attachment "list_view_add_role_to_user_step3.tiff")
> 8. You can confirm this from the the "Block" view.
> (attachment "block_view_after_step3.tiff")
> So, the problem here lies with the List view where it is not able to process
> the changes in the Roles correctly.
> There is no provision to add a role. Any change in the Roles of the User from
> the List view only replaces the role that was displayed in the selection box
> while also removing all the Roles for the remaining users in its group.
> Expected results:
> 1. The selection box must be able to show all the selected Roles for
> Users/Groups.
> 2. Adding a Role must not replace existing Role of the user.
> 3. Adding a Role to a user must not affect the Roles of other users in its
> group.
> 4. Multiple Role selection must be allowed from the selection box in the List
> view.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
