[ https://issues.apache.org/jira/browse/AMBARI-16247?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15321275#comment-15321275 ]
Hudson commented on AMBARI-16247: --------------------------------- FAILURE: Integrated in Ambari-trunk-Commit #5035 (See [https://builds.apache.org/job/Ambari-trunk-Commit/5035/]) AMBARI-16247. Authorizations given to role-based principals must be (rlevas: [http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=8c1564e083169196cf53b8c1a570bcf3c5f65e68]) * ambari-server/src/test/java/org/apache/ambari/server/security/authorization/UsersTest.java * ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java > Authorizations given to role-based principals must be dereferenced upon user > login > ---------------------------------------------------------------------------------- > > Key: AMBARI-16247 > URL: https://issues.apache.org/jira/browse/AMBARI-16247 > Project: Ambari > Issue Type: Bug > Components: ambari-server > Affects Versions: 2.4.0 > Reporter: Robert Levas > Assignee: Robert Levas > Labels: rbac > Fix For: 2.4.0 > > Attachments: AMBARI-16247_branch-2.4_01.patch, > AMBARI-16247_trunk_01.patch > > > Authorizations given to role-based principals must be dereferenced upon user > login. These authorizations are dynamically determined based on the user's > set of roles. > In > {{org.apache.ambari.server.security.authorization.AmbariLocalUserDetailsService#loadUserByUsername}}, > the set of {{GrantedAuthorities}} the authenticated user is calculated. > During this process, using the set of {{cluster-level roles}} a user is > granted, any permissions given to matching role-based principals should be > given to the user. > This essentially work like giving privileges to a group of users calculated > at runtime. > A use-case to support the need for this is to assign access to a view to all > users with some specific role. Currently we can assign access to a view to a > specific user or group by assigning that user or group the {{VIEW.USER}} role > applied to the specific view. To assign access a view to users who have a > specific role, a {{role}} will need to behave like a {{principal}}. -- This message was sent by Atlassian JIRA (v6.3.4#6332)