[
https://issues.apache.org/jira/browse/AMBARI-20769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16001078#comment-16001078
]
Keta Patel commented on AMBARI-20769:
-------------------------------------
Hello Robert,
I kindly request you to please share your input on this issue of Recommission
of nodes.
I have the following question about the authorization granted to
CLUSTER.ADMINISTRATOR and CLUSTER.USER in the class AmbariAuthorizationFilter
(ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java).
The URI used in the recommission request is "/api/v1/clusters/<cluster
name>/requests".
Please refer to the image attached as "AMBARI-20769-codeSnippet.png". The 2 red
boxes show why the Ambari Admins and users with Cluster Administrator roles are
authorized to Recommission nodes.
For all the other roles, the response returned is "403. You do not have
permissions to access this resource.". Please refer to the screenshot of the
code attached as "AMBARI-20769-codeSnippet-for-error.png".
As per the services that various roles are authorized to perform,
CLUSTER.OPERATOR, SERVICE.ADMINISTRATOR and SERVICE.OPERATOR must also be
allowed to perform recommission.
1. Then why does the code allow only CLUSTER.ADMINISTRATOR and CLUSTER.USER
roles? Why is CLUSTER.OPERATOR not included in the list to access
API_CLUSTERS_ALL_PATTERN uri?
2. How should we handle the accessibility for SERVICE.ADMINISTRATOR and
SERVICE.OPERATOR roles? Will it be correct to check for these roles under the
API_CLUSTERS_ALL_PATTERN uri umbrella?
Kindly please share your thoughts on my investigation.
Thank you,
Keta
> Recommission fails for Cluster Operators, Service Administrators and Service
> Operators
> -------------------------------------------------------------------------------------
>
> Key: AMBARI-20769
> URL: https://issues.apache.org/jira/browse/AMBARI-20769
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: trunk, 2.5.0
> Reporter: Keta Patel
> Assignee: Keta Patel
> Attachments: AMBARI-20769-codeSnippet-for-error.png,
> AMBARI-20769-codeSnippet.png
>
>
> Steps to reproduce:
> 1. Create 4 local users and assign one to each of the following roles:
> - Cluster Administrator
> - Cluster Operator
> - Service Administrator
> - Service Operator
> 2. Log out and log back in as one of the above created users.
> 3. Decommission a node, the operation is successful with the Background
> Operation pop-up showing the decommissioning operation being performed.
> 4. Recommission that node. Only the Ambari Admin and Cluster Administrator are
> able to successfully perform this step. For the rest of the roles mentioned
> in step-1, you will see the following behavior:
> - The background operation pop-up shows up with "0 Operations" in progress.
> - The background operation pop-up disappears and you see the login page
> momentarily.
> - The main Dashboard is seen immediately after that and the node is still in
> the "Decommissioned" state.
> Desired Behavior:
> All the roles mentioned in step-1 must be able to successfully recommission
> the nodes.