Robert Levas created AMBARI-18635:
-------------------------------------

             Summary: Authorizations given to roles, should use generic role-based principals rather than hard-coded pseudo-role-based principals
                 Key: AMBARI-18635
                 URL: https://issues.apache.org/jira/browse/AMBARI-18635
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
    Affects Versions: 2.4.0
            Reporter: Robert Levas
            Assignee: Robert Levas
             Fix For: 2.5.0


Authorizations given to roles should use generic role-based principals rather 
than hard-coded resource types.

Access to views can be assigned to all users with a given role.  The 
implementation for this led to the creation of hard-coded principals that 
represent the current set of roles. This is not dynamic enough for possible 
future enhancements where new roles may be created by administrators.

This needs to be changed such that, rather than using the hard-coded 
pseudo-role-principals, the dynamically generated role-principals are 
used.

The hard-coded pseudo-role-principals have the following {{adminprincipaltype}} 
values as opposed to "ROLE":

* ALL.CLUSTER.ADMINISTRATOR
* ALL.CLUSTER.OPERATOR
* ALL.SERVICE.ADMINISTRATOR
* ALL.SERVICE.OPERATOR
* ALL.CLUSTER.USER

These should be removed along with the associated {{adminprincipal}} records. 

Also, the FE should be updated to set permissions using the dynamic 
role-principals.

Finally, code should be cleaned up to remove unneeded code in:

* org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper
* org.apache.ambari.server.controller.internal.GroupPrivilegeResourceProvider#getResources
* org.apache.ambari.server.controller.internal.PrivilegeResourceProvider#toEntity
* org.apache.ambari.server.controller.internal.UserPrivilegeResourceProvider#getResources
* org.apache.ambari.server.security.authorization.AuthorizationHelper#isAuthorized
* org.apache.ambari.server.view.ViewRegistry#addClusterInheritedPermissions
* ...



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
