-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47010/
-----------------------------------------------------------

Review request for Ambari, DIPAYAN BHOWMICK, Jonathan Hurley, Nate Cole, and 
Sebastian Toader.


Bugs: AMBARI-16246
    https://issues.apache.org/jira/browse/AMBARI-16246


Repository: ambari


Description
-------

To support assigning privileges to users based on their roles, provide support 
in the Ambari database to allow a `role` to be referenced as a `principal`, 
similar to the way a `user` and a `group` are referenced as a `principal`.

A use-case to support the need for this is to assign access to a view to all 
users with some specific role. Currently we can assign access to a view to a 
specific user or group by assigning that user or group the `VIEW.USER` role 
applied to the specific view.  To assign access to a view to users who have a 
specific role, a `role` will need to behave like a `principal`.

The following changes need to be made to the database:

* Add `principal_id` column to the `adminpermission` table
* Create a `principaltype` record where the `principal_type_name` is '`ROLE`'
* Add records to the `adminprincipal` table to represent each role in 
`adminpermission`
* Update `adminpermission.principal_id` to match the relevant records from 
`adminprincipal`

After this is complete, `adminprivilege` records can be created using roles as 
principals. 

NOTE: special handling will need to be done in the authorization logic to 
dereference the role associations with the authenticated user, similar to the 
way this is done for groups.


Diffs
-----

  
  ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java dc8d9b7 
  ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog240Test.java 3773253 

Diff: https://reviews.apache.org/r/47010/diff/


Testing
-------

Manually tested newly created instance and upgrading from 2.2.1.  Focused on 
postgresql and mysql.

# Local test results:
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1:16:03.148s
[INFO] Finished at: Wed May 04 18:43:11 EDT 2016
[INFO] Final Memory: 60M/1768M
[INFO] ------------------------------------------------------------------------

# Jenkins test results: PENDING


Thanks,

Robert Levas
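
Added example (not part of the review request or of Ambari's code): the four database changes listed in the description, followed by the role dereference the NOTE asks of the authorization logic, run against an in-memory SQLite database. Only the table and column names quoted in the description come from the request; the remaining columns, the ids, the `resource` strings and the function names are assumptions made for illustration.

```python
import sqlite3

# Constructed, simplified schema. Only the names quoted in the description are
# from the page; other columns, ids and the `resource` text are assumptions.
SCHEMA = """
CREATE TABLE principaltype (principal_type_id INTEGER PRIMARY KEY, principal_type_name TEXT UNIQUE);
CREATE TABLE adminprincipal (principal_id INTEGER PRIMARY KEY, principal_type_id INTEGER);
CREATE TABLE adminpermission (permission_id INTEGER PRIMARY KEY, permission_name TEXT);
CREATE TABLE adminprivilege (permission_id INTEGER, resource TEXT, principal_id INTEGER);
INSERT INTO principaltype VALUES (1, 'USER'), (2, 'GROUP');
INSERT INTO adminprincipal VALUES (10, 1), (11, 1);  -- two constructed users
INSERT INTO adminpermission VALUES (1, 'CLUSTER.ADMINISTRATOR'), (2, 'CLUSTER.USER'), (3, 'VIEW.USER');
"""

def migrate(db):
    """Apply the four listed changes; running it twice changes nothing."""
    cols = [r[1] for r in db.execute("PRAGMA table_info(adminpermission)")]
    if "principal_id" not in cols:
        db.execute("ALTER TABLE adminpermission ADD COLUMN principal_id INTEGER")
    db.execute("INSERT OR IGNORE INTO principaltype (principal_type_name) VALUES ('ROLE')")
    role_type = db.execute("SELECT principal_type_id FROM principaltype WHERE principal_type_name = 'ROLE'").fetchone()[0]
    pending = db.execute("SELECT permission_id FROM adminpermission WHERE principal_id IS NULL").fetchall()
    for (perm_id,) in pending:  # one new ROLE principal per role row
        cur = db.execute("INSERT INTO adminprincipal (principal_type_id) VALUES (?)", (role_type,))
        db.execute("UPDATE adminpermission SET principal_id = ? WHERE permission_id = ?", (cur.lastrowid, perm_id))

def has_privilege(db, user_principal, permission_name, resource):
    """True for a direct grant or a grant to a role the user holds.
    Simplification: holding the role on any resource counts; groups are omitted."""
    return db.execute("""
        SELECT 1 FROM adminprivilege pv
        JOIN adminpermission p ON p.permission_id = pv.permission_id
        WHERE p.permission_name = ? AND pv.resource = ?
          AND (pv.principal_id = ? OR pv.principal_id IN (
                SELECT rp.principal_id FROM adminprivilege up
                JOIN adminpermission rp ON rp.permission_id = up.permission_id
                WHERE up.principal_id = ?))
        LIMIT 1""", (permission_name, resource, user_principal, user_principal)).fetchone() is not None

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    migrate(db); migrate(db)
    # Constructed grants: user 10 is a cluster administrator, user 11 a cluster user.
    db.execute("INSERT INTO adminprivilege VALUES (1, 'cluster:c1', 10), (2, 'cluster:c1', 11)")
    # Grant VIEW.USER on one view to the CLUSTER.ADMINISTRATOR role principal.
    db.execute("""INSERT INTO adminprivilege SELECT 3, 'view:files', principal_id
                  FROM adminpermission WHERE permission_name = 'CLUSTER.ADMINISTRATOR'""")
    return db
```

Without the subquery in `has_privilege`, the view grant made to the role principal matches no user at all, which is why the dereference has to live in the authorization path and not only in the schema.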
