-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/48415/
-----------------------------------------------------------

Review request for Ambari, DIPAYAN BHOWMICK, Jonathan Hurley, Myroslav 
Papirkovskyy, and Nate Cole.


Bugs: AMBARI-16247
    https://issues.apache.org/jira/browse/AMBARI-16247


Repository: ambari


Description
-------

Authorizations given to role-based principals must be dereferenced upon user 
login.  These authorizations are dynamically determined based on the user's set 
of roles.  

In `org.apache.ambari.server.security.authorization.AmbariLocalUserDetailsService#loadUserByUsername`,
the set of `GrantedAuthorities` for the authenticated user is calculated.  During 
this process, using the set of `cluster-level roles` a user is granted, any 
permissions given to matching role-based principals should be given to the 
user. 

This essentially works like giving privileges to a group of users calculated at 
runtime. 

A use-case to support the need for this is to assign access to a view to all 
users with some specific role. Currently we can assign access to a view to a 
specific user or group by assigning that user or group the `VIEW.USER` role 
applied to the specific view.  To assign access to a view to users who have a 
specific role, a `role` will need to behave like a `principal`.


Diffs
-----

  
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
 545095d 
  
ambari-server/src/test/java/org/apache/ambari/server/security/authorization/UsersTest.java
 PRE-CREATION 

Diff: https://reviews.apache.org/r/48415/diff/


Testing
-------

Manually tested

# Local test results: PENDING

# Jenkins test results: PENDING


Thanks,

Robert Levas
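
The dereferencing step described in this request, as an added sketch that is not code from the Ambari patch or from its author: grants made to a role-based principal are folded into a user's privileges when the user holds that role at cluster level. The class and record names, the `CLUSTER` resource-type string and the sample grants are assumptions made for illustration; it needs Java 16 or later for records.

```java
import java.util.*;

// Hypothetical model for illustration; these are not Ambari's classes.
public class RolePrincipalDemo {
    enum PrincipalType { USER, GROUP, ROLE }
    record Principal(PrincipalType type, String name) {}
    // A privilege grants `permission` (a role name) on a resource to a principal.
    record Privilege(Principal principal, String permission, String resourceType, String resource) {}

    // Privileges computed at login: direct and group grants, plus grants made to
    // any ROLE principal whose name matches a cluster-level role the user holds.
    static Set<Privilege> effectivePrivileges(String user, Set<String> groups, List<Privilege> all) {
        Set<Privilege> result = new LinkedHashSet<>();
        Set<String> clusterRoles = new HashSet<>();
        for (Privilege p : all) {
            Principal who = p.principal();
            boolean direct = who.type() == PrincipalType.USER && who.name().equals(user);
            boolean viaGroup = who.type() == PrincipalType.GROUP && groups.contains(who.name());
            if (direct || viaGroup) {
                result.add(p);
                if (p.resourceType().equals("CLUSTER")) clusterRoles.add(p.permission());
            }
        }
        // Assumption: one level of dereference. Roles are collected before this
        // pass, so a grant made to a role principal never unlocks further roles.
        for (Privilege p : all) {
            Principal who = p.principal();
            if (who.type() == PrincipalType.ROLE && clusterRoles.contains(who.name())) result.add(p);
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample grants.
        List<Privilege> all = List.of(
            new Privilege(new Principal(PrincipalType.USER, "alice"), "CLUSTER.OPERATOR", "CLUSTER", "c1"),
            new Privilege(new Principal(PrincipalType.GROUP, "ops"), "CLUSTER.USER", "CLUSTER", "c1"),
            new Privilege(new Principal(PrincipalType.ROLE, "CLUSTER.OPERATOR"), "VIEW.USER", "VIEW", "view-a"),
            new Privilege(new Principal(PrincipalType.ROLE, "CLUSTER.ADMINISTRATOR"), "VIEW.USER", "VIEW", "view-b"));
        for (String[] login : new String[][] {{"alice", ""}, {"bob", "ops"}}) {
            System.out.println(login[0] + ":");
            for (Privilege p : effectivePrivileges(login[0], Set.of(login[1]), all))
                System.out.println("  " + p.permission() + " on " + p.resourceType() + " " + p.resource());
        }
    }
}
```

In the sample, only the login that holds the matching cluster-level role picks up the view grant; the grant made to a role the user does not hold is never added.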
