Re: Review Request 48844: Operations during upgrade are permitted by all roles

Tue, 21 Jun 2016 08:04:00 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/48844/
-----------------------------------------------------------

(Updated June 21, 2016, 2:56 p.m.)


Review request for Ambari, Jonathan Hurley, Nate Cole, and Robert Levas.


Bugs: AMBARI-17292
    https://issues.apache.org/jira/browse/AMBARI-17292


Repository: ambari


Description
-------

ambari-server --hash  
9a2943ba77371f1c20b4f3da900abb7c2e89d22b  
Build# ambari-server-2.4.0.0-591.x86_64

**Steps**

  1. Create user with different roles like Cluster user, Service Administrator 
etc.
  2. Login as Ambari admin user and start Express Upgrade (register version, 
install packages and start EU)
  3. Pause the Upgrade at any step that requires manual intervention (like stop 
YARN queue or backup DB or even at Finalize step)
  4. Logout and login as cluster user

**Result**:  
The logged in user has complete access to Upgrade Wizard and can resume
upgrade  
Also do actions like Downgrade, 'Ignore and Proceed', 'Retry'

The same is true for other roles like service administrator too, both during
upgrade and downgrade

**Expected Result:** Only Ambari Admin and Cluster Admin should be permitted to 
perform actions during cluster upgrade

Screenshots attached for reference while logged in as cluster user role
(cluser)

Another observation: While upgrade is in progress, login in a different
session as cluster user - the cluster user can view the upgrade wizard in
exact same way as admin


Diffs (updated)
-----

  ambari-server/pom.xml f0bd67c 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UpgradeItemResourceProvider.java
 0719430 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UpgradeResourceProvider.java
 fb3ae69 
  
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
 922a215 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UpgradeResourceProviderHDP22Test.java
 c052a6c 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UpgradeResourceProviderTest.java
 5bcfd86 

Diff: https://reviews.apache.org/r/48844/diff/


Testing
-------

mvn clean test


Thanks,

Andrew Onischuk

Reply via email to