Robert Levas created AMBARI-18635:
-------------------------------------

             Summary: Authorizations given to roles, should use generic role-based principals rather than hard-coded pseudo-role-based principals
                 Key: AMBARI-18635
                 URL: https://issues.apache.org/jira/browse/AMBARI-18635
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
    Affects Versions: 2.4.0
            Reporter: Robert Levas
            Assignee: Robert Levas
             Fix For: 2.5.0

Authorizations given to roles should use generic role-based principals rather than hard-coded resource types.

Access to views can be assigned to all users with a given role. The implementation for this led to the creation of hard-coded principals that represent the current set of roles. This is not dynamic enough for possible future enhancements where new roles may be created by administrators.

This needs to be changed such that rather than using the hard-coded pseudo-role-principals, the dynamically generated role-principals are to be used.

The hard-coded pseudo-role-principals have the following {{adminprincipaltype}} values as opposed to "ROLE":

* ALL.CLUSTER.ADMINISTRATOR
* ALL.CLUSTER.OPERATOR
* ALL.SERVICE.ADMINISTRATOR
* ALL.SERVICE.OPERATOR
* ALL.CLUSTER.USER

These should be removed along with the associated {{adminprincipal}} records. Also, the FE should be updated to set permissions using the dynamic role-principals.

Finally, code should be cleaned up to remove unneeded code in

* org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper
* org.apache.ambari.server.controller.internal.GroupPrivilegeResourceProvider#getResources
* org.apache.ambari.server.controller.internal.PrivilegeResourceProvider#toEntity
* org.apache.ambari.server.controller.internal.UserPrivilegeResourceProvider#getResources
* org.apache.ambari.server.security.authorization.AuthorizationHelper#isAuthorized
* org.apache.ambari.server.view.ViewRegistry#addClusterInheritedPermissions
* ...
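
An added sketch of the check an administrator would want around the removal described above (not part of the original issue and not Ambari code): privileges attached to a pseudo-role principal are re-pointed to the matching ROLE principal, and any that cannot be mapped are reported instead of being dropped. The record classes, the role_name field, the sample rows and the rule that "ALL.<ROLE>" corresponds to the role named "<ROLE>" are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

# The pseudo-role principal types named in the issue.
PSEUDO_ROLE_TYPES = {
    "ALL.CLUSTER.ADMINISTRATOR", "ALL.CLUSTER.OPERATOR",
    "ALL.SERVICE.ADMINISTRATOR", "ALL.SERVICE.OPERATOR", "ALL.CLUSTER.USER",
}

@dataclass(frozen=True)
class Principal:          # simplified model, not Ambari's schema
    principal_id: int
    principal_type: str   # "USER", "GROUP", "ROLE" or a pseudo-role type
    role_name: str = ""   # hypothetical field: role a "ROLE" principal stands for

@dataclass(frozen=True)
class Privilege:          # simplified model, not Ambari's schema
    privilege_id: int
    principal_id: int
    permission: str
    resource: str

def remap_privileges(principals, privileges):
    """Re-point privileges from pseudo-role principals to ROLE principals.

    Returns (privileges, removable_principal_ids, unmapped_privilege_ids).
    Assumes "ALL.<ROLE>" corresponds to the role named "<ROLE>".
    """
    by_id = {p.principal_id: p for p in principals}
    roles = {p.role_name: p for p in principals if p.principal_type == "ROLE"}
    result, unmapped = [], []
    for priv in privileges:
        owner = by_id[priv.principal_id]
        if owner.principal_type in PSEUDO_ROLE_TYPES:
            target = roles.get(owner.principal_type[len("ALL."):])
            if target is None:
                unmapped.append(priv.privilege_id)  # report, never drop silently
            else:
                priv = replace(priv, principal_id=target.principal_id)
        result.append(priv)
    in_use = {p.principal_id for p in result}
    removable = sorted(p.principal_id for p in principals
                       if p.principal_type in PSEUDO_ROLE_TYPES
                       and p.principal_id not in in_use)
    return result, removable, unmapped

# Constructed sample data: no ROLE principal exists for SERVICE.OPERATOR.
SAMPLE_PRINCIPALS = [Principal(1, "USER"), Principal(10, "ALL.CLUSTER.OPERATOR"),
                     Principal(11, "ALL.SERVICE.OPERATOR"),
                     Principal(20, "ROLE", "CLUSTER.OPERATOR")]
SAMPLE_PRIVILEGES = [Privilege(100, 1, "VIEW.USER", "FILES"),
                     Privilege(101, 10, "VIEW.USER", "FILES"),
                     Privilege(102, 11, "VIEW.USER", "FILES")]
```

A pseudo-role principal is listed as removable only once no privilege still references it, so a missing role mapping shows up as a reported privilege id rather than as silently lost or orphaned access.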