Review request for Ambari, DIPAYAN BHOWMICK, Jonathan Hurley, Nate Cole, and 
Sebastian Toader.

Bugs: AMBARI-16246

Repository: ambari


To support assigning privileges to users based on their roles, provide support 
in the Ambari database to allow a `role` to be referenced as a `principal`, 
similar to the way a `user` and a `group` are referenced as a `principal`.

A use case that supports the need for this is assigning access to a view to all 
users with some specific role. Currently we can assign access to a view to a 
specific user or group by assigning that user or group the `VIEW.USER` role 
applied to the specific view. To assign access to a view to users who have a 
specific role, a `role` will need to behave like a `principal`.

The following changes need to be made to the database:

* Add `principal_id` column to the `adminpermission` table
* Create a `principaltype` record where the `principal_type_name` is '`ROLE`'
* Add records to the `adminprincipal` table to represent each role in 
* Update `adminpermission.principal_id` to match the relevant records from 

After this is complete, `adminprivilege` records can be created using roles as 

NOTE: special handling will need to be done in the authorization logic to 
dereference the role associations with the authenticated user, similar to the 
way this is done for groups.



Diff: https://reviews.apache.org/r/47010/diff/


Manually tested newly created instance and upgrading from 2.2.1.  Focused on 
postgresql and mysql.

# Local test results:
[INFO] ------------------------------------------------------------------------
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1:16:03.148s
[INFO] Finished at: Wed May 04 18:43:11 EDT 2016
[INFO] Final Memory: 60M/1768M
[INFO] ------------------------------------------------------------------------

# Jenkins test results: PENDING


Robert Levas
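
An added example, not part of the review request or of Ambari's code: a sketch of the role dereference that the NOTE says the authorization logic needs, run against an in-memory SQLite database. The table names follow the request; the column layout, the `principal_type` text column, the `users` table and all sample rows are assumptions made for illustration.

```python
import sqlite3

# Simplified schema: table names follow the request, columns are assumptions.
SCHEMA = """
CREATE TABLE adminprincipal (principal_id INTEGER PRIMARY KEY, principal_type TEXT);
CREATE TABLE adminpermission (permission_id INTEGER PRIMARY KEY,
    permission_name TEXT, principal_id INTEGER);  -- the new column
CREATE TABLE adminprivilege (permission_id INTEGER, resource_id INTEGER,
    principal_id INTEGER);
CREATE TABLE users (user_name TEXT, principal_id INTEGER);
-- Constructed sample data.
INSERT INTO adminprincipal VALUES (1,'USER'),(2,'USER'),(10,'ROLE'),(11,'ROLE');
INSERT INTO users VALUES ('alice',1),('bob',2);
INSERT INTO adminpermission VALUES (1,'CLUSTER.OPERATOR',10),(2,'VIEW.USER',11);
INSERT INTO adminprivilege VALUES
    (1,100,1),   -- alice holds CLUSTER.OPERATOR on resource 100
    (2,200,10),  -- VIEW.USER on view 200 for the CLUSTER.OPERATOR role principal
    (2,201,2);   -- bob holds VIEW.USER on view 201 directly
"""

QUERY = """
WITH direct AS (
    SELECT p.permission_id, p.resource_id
    FROM adminprivilege p JOIN users u ON u.principal_id = p.principal_id
    WHERE u.user_name = :user)
SELECT perm.permission_name, d.resource_id
FROM direct d JOIN adminpermission perm ON perm.permission_id = d.permission_id
UNION
SELECT perm.permission_name, rp.resource_id
FROM direct d
JOIN adminpermission held ON held.permission_id = d.permission_id
JOIN adminprincipal ap ON ap.principal_id = held.principal_id
    AND ap.principal_type = 'ROLE'
JOIN adminprivilege rp ON rp.principal_id = ap.principal_id
JOIN adminpermission perm ON perm.permission_id = rp.permission_id
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def effective_privileges(conn, user_name):
    """Direct privileges plus those granted to roles the user holds (one level)."""
    return set(conn.execute(QUERY, {"user": user_name}).fetchall())

if __name__ == "__main__":
    conn = build_db()
    for name in ("alice", "bob"):
        print(name, sorted(effective_privileges(conn, name)))
```

The dereference stops after one level, so a privilege reached only through a role cannot itself unlock further role grants.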
