Robert Levas created AMBARI-18433:
-------------------------------------

             Summary: Enforce granular role-based access control for custom 
actions
                 Key: AMBARI-18433
                 URL: https://issues.apache.org/jira/browse/AMBARI-18433
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
    Affects Versions: 2.4.0
            Reporter: Robert Levas
            Assignee: Robert Levas
            Priority: Critical
             Fix For: 2.5.0


Enforce granular role-based access control for custom actions.  Such actions 
are specified in 
{{/var/lib/ambari-server/resources/custom_action_definitions/system_action_definitions.xml}}
 

For example:

{code}
  <actionDefinition>
    <actionName>check_host</actionName>
    <actionType>SYSTEM</actionType>
    <inputs/>
    <targetService/>
    <targetComponent/>
    <defaultTimeout>60</defaultTimeout>
    <description>General check for host</description>
    <targetType>ANY</targetType>
    <permissions>HOST.ADD_DELETE_HOSTS</permissions>
  </actionDefinition>
{code}

The "permissions" element that declare the permissions required to run the 
action.  These permissions must be used to authorize a user to perform the 
operation.  A user needs to have one of the listed permissions in order to be 
authorized. 

The relevant API entry points are:
* {{/api/v1/requests}}
* {{/api/v1/requests/clusters/:CLUSTER_NAME/request}}

Example:  The user executing the following REST API call must be assigned a 
role that has the {{HOST.ADD_DELETE_HOSTS}} authorization for the relevant 
cluster

{noformat}
POST /api/v1/requests
{
  "RequestInfo": {
    "action": "check_host",
    "log_output": "false",
    "context": "Check host",
    "parameters": {
      "check_execute_list": 
"last_agent_env_check,installed_packages,existing_repos,transparentHugePage",
      "jdk_location": "http://host1.example.com:8080/resources/";,
      "threshold": "20"
    }
  },
  "Requests/resource_filters": [
    {
      "hosts": "host1.example.com"
    }
  ]
}
{noformat}





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to