-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47010/
-----------------------------------------------------------

(Updated May 6, 2016, 7:28 a.m.)

Review request for Ambari, DIPAYAN BHOWMICK, Jonathan Hurley, Nate Cole, and Sebastian Toader.

Changes
-------

Addressed reviewer concerns. Cleaned up some DDL code for postgres and MySQL, since I can test them. I left the others as-is since testing was not an option for me at this time.

Bugs: AMBARI-16246
    https://issues.apache.org/jira/browse/AMBARI-16246

Repository: ambari

Description
-------

To support assigning privileges to users based on their roles, provide support in the Ambari database to allow a `role` to be referenced as a `principal`, similar to the way a `user` and a `group` are referenced as a `principal`.

A use-case to support the need for this is to assign access to a view to all users with some specific role. Currently we can assign access to a view to a specific user or group by assigning that user or group the `VIEW.USER` role applied to the specific view. To assign access to a view to users who have a specific role, a `role` will need to behave like a `principal`.

The following changes need to be made to the database:

* Add `principal_id` column to the `adminpermission` table
* Create a `principaltype` record where the `principal_type_name` is '`ROLE`'
* Add records to the `adminprincipal` table to represent each role in `adminpermission`
* Update `adminpermission.principal_id` to match the relevant records from `adminprincipal`

After this is complete, `adminprivilege` records can be created using roles as principals.

NOTE: special handling will need to be done in the authorization logic to dereference the role associations with the authenticated user, similar to the way this is done for groups.

Diffs (updated)
-----

  ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java 5d1a04a
  ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java 43fd71b
  ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalEntity.java 25d8d14
  ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java b94f1ff
  ambari-server/src/main/java/org/apache/ambari/server/upgrade/AbstractUpgradeCatalog.java 17f9fe1
  ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java f85a4c7
  ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql f5336bc
  ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql fca3be3
  ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql ce0bd84
  ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql 7fb8c31
  ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql 0f3a2c2
  ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql b89389c
  ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql 1107c4d
  ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java ad8cce1
  ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog240Test.java 7c85ba7

Diff: https://reviews.apache.org/r/47010/diff/

Testing
-------

Manually tested newly created instance and upgrading from 2.2.1. Focused on postgresql and mysql.

# Local test results:

[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1:16:03.148s
[INFO] Finished at: Wed May 04 18:43:11 EDT 2016
[INFO] Final Memory: 60M/1768M
[INFO] ------------------------------------------------------------------------

# Jenkins test results: PENDING

Thanks,

Robert Levas
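
The four database steps and the role dereferencing mentioned in the NOTE, sketched as an added example that is not part of the review request or of Ambari's code. It assumes a simplified SQLite schema: the table names follow the description, but every column other than `principal_id` and `principal_type_name`, the functions `migrate`, `can_access` and `demo`, and all ids are constructed for illustration.

```python
import sqlite3

# Constructed, simplified schema and sample rows (not Ambari's real DDL).
SCHEMA = """
CREATE TABLE principaltype (principal_type_id INTEGER PRIMARY KEY, principal_type_name TEXT);
CREATE TABLE adminprincipal (principal_id INTEGER PRIMARY KEY, principal_type_id INTEGER);
CREATE TABLE adminpermission (permission_id INTEGER PRIMARY KEY, permission_name TEXT);
CREATE TABLE adminprivilege (privilege_id INTEGER PRIMARY KEY, permission_id INTEGER, resource_id INTEGER, principal_id INTEGER);
INSERT INTO principaltype VALUES (1, 'USER'), (2, 'GROUP');
INSERT INTO adminprincipal VALUES (10, 1), (11, 1);          -- two users
INSERT INTO adminpermission VALUES (1, 'CLUSTER.OPERATOR'), (2, 'VIEW.USER');
INSERT INTO adminprivilege VALUES (1, 1, 100, 10);           -- user 10 holds CLUSTER.OPERATOR
"""

def migrate(db):
    """Apply the four schema/data steps listed in the description."""
    db.execute("ALTER TABLE adminpermission ADD COLUMN principal_id INTEGER")
    role_type = db.execute("SELECT MAX(principal_type_id) + 1 FROM principaltype").fetchone()[0]
    db.execute("INSERT INTO principaltype VALUES (?, 'ROLE')", (role_type,))
    for (perm_id,) in db.execute("SELECT permission_id FROM adminpermission").fetchall():
        cur = db.execute("INSERT INTO adminprincipal (principal_type_id) VALUES (?)", (role_type,))
        db.execute("UPDATE adminpermission SET principal_id = ? WHERE permission_id = ?",
                   (cur.lastrowid, perm_id))

def can_access(db, user_principal_id, permission_name, resource_id):
    """Check a privilege for the user or for any role the user holds."""
    # Dereference roles: each permission granted to the user is a role with its own principal_id.
    roles = db.execute(
        "SELECT p.principal_id FROM adminprivilege v JOIN adminpermission p"
        " ON p.permission_id = v.permission_id WHERE v.principal_id = ?",
        (user_principal_id,)).fetchall()
    principals = [user_principal_id] + [r[0] for r in roles]
    marks = ",".join("?" * len(principals))   # placeholders only, no values inlined
    row = db.execute(
        "SELECT 1 FROM adminprivilege v JOIN adminpermission p"
        " ON p.permission_id = v.permission_id WHERE p.permission_name = ?"
        f" AND v.resource_id = ? AND v.principal_id IN ({marks})",
        (permission_name, resource_id, *principals)).fetchone()
    return row is not None

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    migrate(db)
    # Grant VIEW.USER on view resource 200 to the CLUSTER.OPERATOR role principal.
    db.execute("INSERT INTO adminprivilege (permission_id, resource_id, principal_id)"
               " SELECT 2, 200, principal_id FROM adminpermission WHERE permission_name = 'CLUSTER.OPERATOR'")
    return can_access(db, 10, "VIEW.USER", 200), can_access(db, 11, "VIEW.USER", 200)
```

Without the role lookup in `can_access`, the grant made to the role principal would match no user at all, which is the gap the NOTE points at.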