Re: Review Request 53060: Authorizations given to roles, should use generic role-based principals rather than hard-coded pseudo-role-based principals

Thu, 20 Oct 2016 13:07:38 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53060/
-----------------------------------------------------------

(Updated Oct. 20, 2016, 4:06 p.m.)


Review request for Ambari, Aleksandr Kovalenko, DIPAYAN BHOWMICK, Jonathan 
Hurley, Nate Cole, and Sebastian Toader.


Bugs: AMBARI-18635
    https://issues.apache.org/jira/browse/AMBARI-18635


Repository: ambari


Description
-------

Authorizations given to roles, should use generic role-based principals rather 
than hard-coded resource types.  

Access to views can be assigned to all users with a given role.  The 
implementation for this lead to the creation of hard-coded principals that 
represent the current set of roles. This is not dynamic enough for possibly 
future enhancements where new roles may be created by administrators. 

This needs to be changed such that rather that using the hard-coded 
pseudo-role-principals, the dynamically generated role-principals are to be 
used.

The hard-coded pseudo-role-principals have the following `adminprincipaltype` 
values as opposed to "ROLE":

* ALL.CLUSTER.ADMINISTRATOR
* ALL.CLUSTER.OPERATOR
* ALL.SERVICE.ADMINISTRATOR
* ALL.SERVICE.OPERATOR
* ALL.CLUSTER.USER

These should be removed along with the associated `adminprincipal` records. 

Also, the FE should be updated to set permissions using the dynamic 
role-principals.

Finally, code should be cleaned up to remove unneeded code in 

- 
org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper
- 
org.apache.ambari.server.controller.internal.GroupPrivilegeResourceProvider#getResources
- 
org.apache.ambari.server.controller.internal.PrivilegeResourceProvider#toEntity
- 
org.apache.ambari.server.controller.internal.UserPrivilegeResourceProvider#getResources
- 
org.apache.ambari.server.security.authorization.AuthorizationHelper#isAuthorized
- org.apache.ambari.server.view.ViewRegistry#addClusterInheritedPermissions
- ...


Diffs (updated)
-----

  
ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js
 bd74b16 
  ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js 
af22d7f 
  
ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js
 988986b 
  
ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js
 c7b9295 
  ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js 
5bc0509 
  ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html 
69eb1c1 
  
ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js
 fa36d98 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java
 b28bb2a 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java
 11c558c 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java
 5c476c6 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
 56d35c0 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
 56e2398 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
 e5c95cb 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
 8f37764 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java
 94d1cad 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
 34111df 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
 bdd73a6 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
 e5bd224 
  
ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java 
88d9775 
  
ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java 
efbdfab 
  
ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java
 7823d56 
  
ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
 f091bab 
  
ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java
 716d4f7 
  
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
 8639a2f 
  
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java
 9922bb2 
  
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
 a4f0031 
  
ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog242.java
 a5276c2 
  ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java 
455b4f1 
  
ambari-server/src/main/java/org/apache/ambari/server/view/configuration/AutoInstanceConfig.java
 11efc76 
  ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql ed94c40 
  ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql c8fbaa7 
  ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql 04473d6 
  ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql 09ae3b0 
  ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql 3dbd3fc 
  ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql 9def741 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AbstractPrivilegeResourceProviderTest.java
 PRE-CREATION 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java
 99962ee 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProviderTest.java
 f00a21a 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProviderTest.java
 c3510a8 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
 1f3cb52 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProviderTest.java
 d85b37b 
  
ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
 47211ef 
  
ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog242Test.java
 4457858 
  
ambari-server/src/test/java/org/apache/ambari/server/view/configuration/AutoInstanceConfigTest.java
 3c4a440 

Diff: https://reviews.apache.org/r/53060/diff/


Testing
-------

Manually tested new cluster and upgraded cluster. 

# Local test results: 

[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 32:38.187s
[INFO] Finished at: Thu Oct 20 09:42:17 EDT 2016
[INFO] Final Memory: 67M/993M
[INFO] ------------------------------------------------------------------------

# Jenkins test results: PENDING


Thanks,

Robert Levas

Reply via email to