Posted to commits@ambari.apache.org by rl...@apache.org on 2015/12/03 23:39:28 UTC

ambari git commit: AMBARI-14161. Enforce granular role-based access control for credential functions (rlevas)

Repository: ambari
Updated Branches:
  refs/heads/trunk 998baa593 -> 9a105fffd


AMBARI-14161. Enforce granular role-based access control for credential functions (rlevas)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/9a105fff
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/9a105fff
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/9a105fff

Branch: refs/heads/trunk
Commit: 9a105fffd10561d5dec8593e08c919eedf74771e
Parents: 998baa5
Author: Robert Levas <rl...@hortonworks.com>
Authored: Thu Dec 3 17:39:12 2015 -0500
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Thu Dec 3 17:39:22 2015 -0500

----------------------------------------------------------------------
 .../internal/CredentialResourceProvider.java    |  19 ++-
 .../AmbariAuthorizationFilter.java              |   7 +-
 .../authorization/RoleAuthorization.java        |   1 +
 .../server/upgrade/UpgradeCatalog220.java       |   2 +
 .../main/resources/Ambari-DDL-MySQL-CREATE.sql  |   3 +
 .../main/resources/Ambari-DDL-Oracle-CREATE.sql |   3 +
 .../resources/Ambari-DDL-Postgres-CREATE.sql    |   3 +
 .../Ambari-DDL-Postgres-EMBEDDED-CREATE.sql     |   3 +
 .../resources/Ambari-DDL-SQLAnywhere-CREATE.sql |   3 +
 .../resources/Ambari-DDL-SQLServer-CREATE.sql   |   3 +
 .../CredentialResourceProviderTest.java         | 162 +++++++++++++++++--
 .../security/TestAuthenticationFactory.java     |  97 +++++++++--
 .../AmbariAuthorizationFilterTest.java          |  56 +++----
 13 files changed, 304 insertions(+), 58 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/9a105fff/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/CredentialResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/CredentialResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/CredentialResourceProvider.java
index 52783c9..8a3937a 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/CredentialResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/CredentialResourceProvider.java
@@ -35,6 +35,7 @@ import org.apache.ambari.server.controller.spi.ResourceAlreadyExistsException;
 import org.apache.ambari.server.controller.spi.SystemException;
 import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
 import org.apache.ambari.server.controller.utilities.PropertyHelper;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
 import org.apache.ambari.server.security.credential.Credential;
 import org.apache.ambari.server.security.credential.PrincipalKeyCredential;
 import org.apache.ambari.server.security.encryption.CredentialStoreService;
@@ -42,6 +43,7 @@ import org.apache.ambari.server.security.encryption.CredentialStoreType;
 import org.apache.commons.lang.StringUtils;
 
 import java.util.Collections;
+import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
@@ -99,10 +101,19 @@ public class CredentialResourceProvider extends AbstractControllerResourceProvid
   @AssistedInject
   public CredentialResourceProvider(@Assisted AmbariManagementController managementController) {
     super(PROPERTY_IDS, KEY_PROPERTY_IDS, managementController);
+
+    EnumSet<RoleAuthorization> authorizations = EnumSet.of(
+        RoleAuthorization.CLUSTER_MANAGE_CREDENTIALS,
+        RoleAuthorization.CLUSTER_TOGGLE_KERBEROS);
+
+    setRequiredCreateAuthorizations(authorizations);
+    setRequiredGetAuthorizations(authorizations);
+    setRequiredUpdateAuthorizations(authorizations);
+    setRequiredDeleteAuthorizations(authorizations);
   }
 
   @Override
-  public RequestStatus createResources(final Request request)
+  protected RequestStatus createResourcesAuthorized(final Request request)
       throws SystemException, UnsupportedPropertyException, ResourceAlreadyExistsException, NoSuchParentResourceException {
 
     for (final Map<String, Object> properties : request.getProperties()) {
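Review bot: The constructor at lines 72-79 hands one mutable `EnumSet` instance to all four `setRequired*Authorizations` calls without recording whether the set is any-of or all-of, and that distinction matters here because under any-of semantics `CLUSTER_TOGGLE_KERBEROS` alone is enough to read and delete every stored credential. If the base class keeps the reference rather than copying it, a later mutation of the set by one operation silently changes the other three; passing `EnumSet.copyOf(authorizations)` to each setter, or wrapping it with the already imported `Collections.unmodifiableSet`, removes that coupling. A comment above the set would also help the next maintainer, e.g. `// Create, get, update and delete of stored credentials all require the same role authorizations; CLUSTER_TOGGLE_KERBEROS is presumably included because enabling Kerberos stores its credential through this provider — confirm against the Kerberos flow.` The renamed `createResourcesAuthorized` continues past the end of the hunk.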
@@ -114,7 +125,7 @@ public class CredentialResourceProvider extends AbstractControllerResourceProvid
   }
 
   @Override
-  public Set<Resource> getResources(Request request, Predicate predicate)
+  protected Set<Resource> getResourcesAuthorized(Request request, Predicate predicate)
       throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
 
     Set<String> requestedIds = getRequestPropertyIds(request, predicate);
@@ -167,7 +178,7 @@ public class CredentialResourceProvider extends AbstractControllerResourceProvid
   }
 
   @Override
-  public RequestStatus updateResources(Request request, Predicate predicate)
+  protected RequestStatus updateResourcesAuthorized(Request request, Predicate predicate)
       throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
 
     for (Map<String, Object> requestPropMap : request.getProperties()) {
@@ -183,7 +194,7 @@ public class CredentialResourceProvider extends AbstractControllerResourceProvid
   }
 
   @Override
-  public RequestStatus deleteResources(Predicate predicate)
+  protected RequestStatus deleteResourcesAuthorized(Predicate predicate)
       throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
 
     final Set<Map<String, Object>> propertyMaps = getPropertyMaps(predicate);

http://git-wip-us.apache.org/repos/asf/ambari/blob/9a105fff/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
index 43c9aa2..15f0fe6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
@@ -156,11 +156,6 @@ public class AmbariAuthorizationFilter implements Filter {
               authorized = true;
               break;
             }
-          } else if (requestURI.matches(API_CREDENTIALS_ALL_PATTERN)) {
-            if (permissionId.equals(PermissionEntity.CLUSTER_ADMINISTRATOR_PERMISSION)) {
-              authorized = true;
-              break;
-            }
           } else if (requestURI.matches(API_CLUSTERS_ALL_PATTERN)) {
             if (permissionId.equals(PermissionEntity.CLUSTER_USER_PERMISSION) ||
                 permissionId.equals(PermissionEntity.CLUSTER_ADMINISTRATOR_PERMISSION)) {
@@ -200,7 +195,6 @@ public class AmbariAuthorizationFilter implements Filter {
           (!httpRequest.getMethod().equals("GET")
               || requestURI.matches(VIEWS_CONTEXT_ALL_PATTERN)
               || requestURI.matches(API_GROUPS_ALL_PATTERN)
-              || requestURI.matches(API_CREDENTIALS_ALL_PATTERN)
               || requestURI.matches(API_LDAP_SYNC_EVENTS_ALL_PATTERN))) {
 
         httpResponse.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
@@ -257,6 +251,7 @@ public class AmbariAuthorizationFilter implements Filter {
   private boolean authorizationPerformedInternally(String requestURI) {
     return requestURI.matches(API_USERS_ALL_PATTERN) ||
         requestURI.matches(API_GROUPS_ALL_PATTERN) ||
+        requestURI.matches(API_CREDENTIALS_ALL_PATTERN) ||
         requestURI.matches(API_PRIVILEGES_ALL_PATTERN);
   }
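Review bot: `authorizationPerformedInternally` at lines 143-148 now makes the filter skip its own role check for every URI matching `API_CREDENTIALS_ALL_PATTERN`, so the only control left between a caller and the credential store is the required-authorization configuration in `CredentialResourceProvider`; if another handler ever serves a URI matching that pattern, or a provider subclass overrides the public `createResources`/`getResources` entry points instead of the `*Authorized` variants, nothing in this filter will catch it. That coupling deserves a comment on the method, e.g. `// Credential endpoints are authorized by CredentialResourceProvider (required RoleAuthorizations); keep this list in sync with providers that enforce their own access control.` The hunk at lines 134-139 also drops the credentials pattern from the `WWW-Authenticate` condition, and whether an unauthenticated request to a credentials URI still receives a 401 rather than a 403 afterwards is not visible here, so it should be pinned by a case in `AmbariAuthorizationFilterTest`.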
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/9a105fff/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java
index 00ad412..1f53b06 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java
@@ -38,6 +38,7 @@ public enum RoleAuthorization {
   AMBARI_MANAGE_VIEWS("AMBARI.MANAGE_VIEWS"),
   AMBARI_RENAME_CLUSTER("AMBARI.RENAME_CLUSTER"),
   AMBARI_SET_SERVICE_USERS_GROUPS("AMBARI.SET_SERVICE_USERS_GROUPS"),
+  CLUSTER_MANAGE_CREDENTIALS("CLUSTER.MANAGE_CREDENTIALS"),
   CLUSTER_TOGGLE_ALERTS("CLUSTER.TOGGLE_ALERTS"),
   CLUSTER_TOGGLE_KERBEROS("CLUSTER.TOGGLE_KERBEROS"),
   CLUSTER_UPGRADE_DOWNGRADE_STACK("CLUSTER.UPGRADE_DOWNGRADE_STACK"),

http://git-wip-us.apache.org/repos/asf/ambari/blob/9a105fff/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog220.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog220.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog220.java
index 9eaced1..f83501c 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog220.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog220.java
@@ -195,6 +195,7 @@ public class UpgradeCatalog220 extends AbstractUpgradeCatalog {
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_CONFIGS'", "'View configuration'"}, false);
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_STACK_DETAILS'", "'View stack version details'"}, false);
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_ALERTS'", "'View alerts'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.MANAGE_CREDENTIALS'", "'Manage external credentials'"}, false);
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.TOGGLE_ALERTS'", "'Enable/disable alerts'"}, false);
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.TOGGLE_KERBEROS'", "'Enable/disable Kerberos'"}, false);
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.UPGRADE_DOWNGRADE_STACK'", "'Upgrade/downgrade stack'"}, false);
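Review bot: The new `insertRow` at line 176 and the matching `map.put` at line 184 are added to an existing catalog, `UpgradeCatalog220`, so they only execute on deployments whose schema is still below the version this catalog targets; any database that an earlier build already brought to that version would lack the `CLUSTER.MANAGE_CREDENTIALS` row and its permission mapping, and because `CredentialResourceProvider` now requires that authorization, cluster administrators there would lose credential access. That depends on how the catalog framework gates re-execution, which is outside the hunk; confirm it, and if such databases exist, make the insert idempotent or move it to a later catalog. A comment at line 176 such as `// AMBARI-14161: required by CredentialResourceProvider; keep in sync with the Ambari-DDL-*-CREATE.sql seed rows` would tie the three places together.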
@@ -286,6 +287,7 @@ public class UpgradeCatalog220 extends AbstractUpgradeCatalog {
     map.put("CLUSTER.VIEW_CONFIGS", clusterUserAndUp);
     map.put("CLUSTER.VIEW_STACK_DETAILS", clusterUserAndUp);
     map.put("CLUSTER.VIEW_ALERTS", clusterUserAndUp);
+    map.put("CLUSTER.MANAGE_CREDENTIALS", clusterAdministratorAndUp);
     map.put("CLUSTER.TOGGLE_ALERTS", clusterAdministratorAndUp);
     map.put("CLUSTER.TOGGLE_KERBEROS", clusterAdministratorAndUp);
     map.put("CLUSTER.UPGRADE_DOWNGRADE_STACK", clusterAdministratorAndUp);

http://git-wip-us.apache.org/repos/asf/ambari/blob/9a105fff/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
index 0731cf7..5d65665 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
@@ -1047,6 +1047,7 @@ INSERT INTO roleauthorization(authorization_id, authorization_name)
   SELECT 'CLUSTER.VIEW_CONFIGS', 'View configuration' UNION ALL
   SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' UNION ALL
   SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' UNION ALL
+  SELECT 'CLUSTER.MANAGE_CREDENTIALS', 'Manage external credentials' UNION ALL
   SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' UNION ALL
   SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' UNION ALL
   SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' UNION ALL
@@ -1185,6 +1186,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
   SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR';
@@ -1219,6 +1221,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
   SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL

http://git-wip-us.apache.org/repos/asf/ambari/blob/9a105fff/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
index 2a4c776..7aab3f7 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
@@ -1039,6 +1039,7 @@ INSERT INTO roleauthorization(authorization_id, authorization_name)
   SELECT 'CLUSTER.VIEW_CONFIGS', 'View configuration' FROM dual UNION ALL
   SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' FROM dual UNION ALL
   SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' FROM dual UNION ALL
+  SELECT 'CLUSTER.MANAGE_CREDENTIALS', 'Manage external credentials' from dual UNION ALL
   SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' FROM dual UNION ALL
   SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' FROM dual UNION ALL
   SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' FROM dual UNION ALL
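Review bot: Line 230 writes `from dual` in lowercase while every neighbouring row of this INSERT uses `FROM dual`; Oracle accepts both, but the file keeps keywords uppercase, so the row should read `SELECT 'CLUSTER.MANAGE_CREDENTIALS', 'Manage external credentials' FROM dual UNION ALL`. The same seed row is duplicated across the six DDL files and `UpgradeCatalog220`, and the literal must stay byte-identical to the `RoleAuthorization` enum value `CLUSTER.MANAGE_CREDENTIALS` in each place, since the provider resolves the authorization by that string.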
@@ -1177,6 +1178,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
   SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR';
@@ -1211,6 +1213,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
   SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL

http://git-wip-us.apache.org/repos/asf/ambari/blob/9a105fff/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
index 2492978..6c56a85 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
@@ -1083,6 +1083,7 @@ INSERT INTO roleauthorization(authorization_id, authorization_name)
   SELECT 'CLUSTER.VIEW_CONFIGS', 'View configuration' UNION ALL
   SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' UNION ALL
   SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' UNION ALL
+  SELECT 'CLUSTER.MANAGE_CREDENTIALS', 'Manage external credentials' UNION ALL
   SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' UNION ALL
   SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' UNION ALL
   SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' UNION ALL
@@ -1221,6 +1222,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
   SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR';
@@ -1255,6 +1257,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
   SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL

http://git-wip-us.apache.org/repos/asf/ambari/blob/9a105fff/ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql
index 970231b..3413285 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql
@@ -1181,6 +1181,7 @@ INSERT INTO ambari.roleauthorization(authorization_id, authorization_name)
   SELECT 'CLUSTER.VIEW_CONFIGS', 'View configuration' UNION ALL
   SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' UNION ALL
   SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' UNION ALL
+  SELECT 'CLUSTER.MANAGE_CREDENTIALS', 'Manage external credentials' UNION ALL
   SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' UNION ALL
   SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' UNION ALL
   SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' UNION ALL
@@ -1319,6 +1320,7 @@ INSERT INTO ambari.permission_roleauthorization(permission_id, authorization_id)
   SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR';
@@ -1353,6 +1355,7 @@ INSERT INTO ambari.permission_roleauthorization(permission_id, authorization_id)
   SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL

http://git-wip-us.apache.org/repos/asf/ambari/blob/9a105fff/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
index 4091b70..bacce35 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
@@ -1035,6 +1035,7 @@ insert into adminpermission(permission_id, permission_name, resource_type_id, pe
     SELECT 'CLUSTER.VIEW_CONFIGS', 'View configuration' UNION ALL
     SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' UNION ALL
     SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' UNION ALL
+    SELECT 'CLUSTER.MANAGE_CREDENTIALS', 'Manage external credentials' UNION ALL
     SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' UNION ALL
     SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' UNION ALL
     SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' UNION ALL
@@ -1173,6 +1174,7 @@ insert into adminpermission(permission_id, permission_name, resource_type_id, pe
     SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
     SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
     SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
     SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
     SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
     SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR';
@@ -1207,6 +1209,7 @@ insert into adminpermission(permission_id, permission_name, resource_type_id, pe
     SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
     SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
     SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
     SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
     SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
     SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL

http://git-wip-us.apache.org/repos/asf/ambari/blob/9a105fff/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
index da756f7..8d44b28 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
@@ -1144,6 +1144,7 @@ BEGIN TRANSACTION
     SELECT 'CLUSTER.VIEW_CONFIGS', 'View configuration' UNION ALL
     SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' UNION ALL
     SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' UNION ALL
+    SELECT 'CLUSTER.MANAGE_CREDENTIALS', 'Manage external credentials' UNION ALL
     SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' UNION ALL
     SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' UNION ALL
     SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' UNION ALL
@@ -1282,6 +1283,7 @@ BEGIN TRANSACTION
     SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
     SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
     SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
     SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
     SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
     SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR';
@@ -1316,6 +1318,7 @@ BEGIN TRANSACTION
     SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
     SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
     SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
     SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
     SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
     SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL

http://git-wip-us.apache.org/repos/asf/ambari/blob/9a105fff/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/CredentialResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/CredentialResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/CredentialResourceProviderTest.java
index 5f32d39..7f99bb2 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/CredentialResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/CredentialResourceProviderTest.java
@@ -34,6 +34,8 @@ import org.apache.ambari.server.controller.spi.ResourceProvider;
 import org.apache.ambari.server.controller.utilities.PredicateBuilder;
 import org.apache.ambari.server.controller.utilities.PropertyHelper;
 import org.apache.ambari.server.security.SecurePasswordHelper;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
 import org.apache.ambari.server.security.encryption.CredentialStoreService;
 import org.apache.ambari.server.security.encryption.CredentialStoreServiceImpl;
 import org.apache.ambari.server.security.encryption.CredentialStoreType;
@@ -44,6 +46,8 @@ import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.TemporaryFolder;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
 
 import java.io.File;
 import java.util.Collections;
@@ -95,8 +99,27 @@ public class CredentialResourceProviderTest {
     tmpFolder.delete();
   }
 
+  @After
+  public void clearAuthentication() {
+    SecurityContextHolder.getContext().setAuthentication(null);
+  }
+
   @Test
-  public void testCreateResources() throws Exception {
+  public void testCreateResourcesAsAdministrator() throws Exception {
+    testCreateResources(TestAuthenticationFactory.createAdministrator("admin"));
+  }
+
+  @Test
+  public void testCreateResourcesAsClusterAdministrator() throws Exception {
+    testCreateResources(TestAuthenticationFactory.createClusterAdministrator("User1"));
+  }
+
+  @Test(expected = AuthorizationException.class)
+  public void testCreateResourcesAsServiceAdministrator() throws Exception {
+    testCreateResources(TestAuthenticationFactory.createServiceAdministrator("User10"));
+  }
+
+  private void testCreateResources(Authentication authentication) throws Exception {
 
     AmbariManagementController managementController = createMock(AmbariManagementController.class);
     Request request = createMock(Request.class);
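Review bot: The denied cases (`testCreateResourcesAsServiceAdministrator` here and the matching ones in the hunks at L464, L496, L528, L560, L594, L628 and L660) rely on `@Test(expected = AuthorizationException.class)`, so they leave the shared helper before its `verify(...)` and prove only that some AuthorizationException is thrown, not that the mocked credential store was left untouched; a denied-path variant that records no store expectations and does run `verify` would pin where the check happens. Only one negative role is covered per operation; a run with no authentication set (the state the new `@After` resets to) or with a read-only cluster role would cover the other obvious paths. In `clearAuthentication`, `SecurityContextHolder.clearContext()` is the usual reset and also discards any other context state a test may have set. `org.junit.After` is not among the added imports; presumably it is already imported above the hunk at L390, worth confirming. The helper bodies continue outside this hunk.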
@@ -115,6 +138,8 @@ public class CredentialResourceProviderTest {
     replay(request, factory, managementController);
     // end expectations
 
+    SecurityContextHolder.getContext().setAuthentication(authentication);
+
     AbstractControllerResourceProvider.init(factory);
 
     ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
@@ -158,6 +183,8 @@ public class CredentialResourceProviderTest {
     replay(request, factory, managementController);
     // end expectations
 
+    SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator("admin"));
+
     AbstractControllerResourceProvider.init(factory);
 
     ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
@@ -196,6 +223,8 @@ public class CredentialResourceProviderTest {
     replay(request, factory, managementController);
     // end expectations
 
+    SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator("admin"));
+
     AbstractControllerResourceProvider.init(factory);
 
     ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
@@ -251,6 +280,8 @@ public class CredentialResourceProviderTest {
     replay(request, factory, managementController);
     // end expectations
 
+    SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator("admin"));
+
     AbstractControllerResourceProvider.init(factory);
 
     ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
@@ -278,7 +309,21 @@ public class CredentialResourceProviderTest {
 
 
   @Test
-  public void testGetResources() throws Exception {
+  public void testGetResourcesAsAdministrator() throws Exception {
+    testGetResources(TestAuthenticationFactory.createAdministrator("admin"));
+  }
+
+  @Test
+  public void testGetResourcesAsClusterAdministrator() throws Exception {
+    testGetResources(TestAuthenticationFactory.createClusterAdministrator("User1"));
+  }
+
+  @Test(expected = AuthorizationException.class)
+  public void testGetResourcesAsServiceAdministrator() throws Exception {
+    testGetResources(TestAuthenticationFactory.createServiceAdministrator("User10"));
+  }
+
+  private void testGetResources(Authentication authentication) throws Exception {
 
     AmbariManagementController managementController = createMock(AmbariManagementController.class);
     Request request = createMock(Request.class);
@@ -301,6 +346,8 @@ public class CredentialResourceProviderTest {
     replay(request, factory, managementController);
     // end expectations
 
+    SecurityContextHolder.getContext().setAuthentication(authentication);
+    
     AbstractControllerResourceProvider.init(factory);
 
     ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
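Review bot: The blank line added after `setAuthentication(authentication)` at L492 carries trailing whitespace (`+    `), as do the ones at L524, L590 and L622–L624, and the L621–L622 pair replaces a clean blank line with a whitespace-only one, which is pure noise in the diff. Use empty lines there so the hunks stay whitespace-clean and do not trip whitespace checks.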
@@ -339,7 +386,21 @@ public class CredentialResourceProviderTest {
   }
 
   @Test
-  public void testGetResources_WithPredicate() throws Exception {
+  public void testGetResourcesWithPredicateAsAdministrator() throws Exception {
+    testGetResourcesWithPredicate(TestAuthenticationFactory.createAdministrator("admin"));
+  }
+
+  @Test
+  public void testGetResourcesWithPredicateAsClusterAdministrator() throws Exception {
+    testGetResourcesWithPredicate(TestAuthenticationFactory.createClusterAdministrator("User1"));
+  }
+
+  @Test(expected = AuthorizationException.class)
+  public void testGetResourcesWithPredicateAsServiceAdministrator() throws Exception {
+    testGetResourcesWithPredicate(TestAuthenticationFactory.createServiceAdministrator("User10"));
+  }
+
+  private void testGetResourcesWithPredicate(Authentication authentication) throws Exception {
 
     AmbariManagementController managementController = createMock(AmbariManagementController.class);
     Request request = createMock(Request.class);
@@ -361,6 +422,8 @@ public class CredentialResourceProviderTest {
     replay(request, factory, managementController);
     // end expectations
 
+    SecurityContextHolder.getContext().setAuthentication(authentication);
+    
     AbstractControllerResourceProvider.init(factory);
 
     ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
@@ -400,7 +463,21 @@ public class CredentialResourceProviderTest {
   }
 
   @Test
-  public void testGetResources_WithPredicateNoResults() throws Exception {
+  public void testGetResourcesWithPredicateNoResultsAsAdministrator() throws Exception {
+    testGetResourcesWithPredicateNoResults(TestAuthenticationFactory.createAdministrator("admin"));
+  }
+
+  @Test
+  public void testGetResourcesWithPredicateNoResultsAsClusterAdministrator() throws Exception {
+    testGetResourcesWithPredicateNoResults(TestAuthenticationFactory.createClusterAdministrator("User1"));
+  }
+
+  @Test(expected = AuthorizationException.class)
+  public void testGetResourcesWithPredicateNoResultsAsServiceAdministrator() throws Exception {
+    testGetResourcesWithPredicateNoResults(TestAuthenticationFactory.createServiceAdministrator("User10"));
+  }
+
+  private void testGetResourcesWithPredicateNoResults(Authentication authentication) throws Exception {
 
     AmbariManagementController managementController = createMock(AmbariManagementController.class);
     Request request = createMock(Request.class);
@@ -422,6 +499,8 @@ public class CredentialResourceProviderTest {
     replay(request, factory, managementController);
     // end expectations
 
+    SecurityContextHolder.getContext().setAuthentication(authentication);
+
     AbstractControllerResourceProvider.init(factory);
 
     ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
@@ -451,8 +530,23 @@ public class CredentialResourceProviderTest {
 
     verify(request, factory, managementController);
   }
+
   @Test
-  public void testGetResources_WithOutPredicateNoResults() throws Exception {
+  public void testGetResourcesWithoutPredicateAsAdministrator() throws Exception {
+    testGetResourcesWithoutPredicate(TestAuthenticationFactory.createAdministrator("admin"));
+  }
+
+  @Test
+  public void testGetResourcesWithoutPredicateAsClusterAdministrator() throws Exception {
+    testGetResourcesWithoutPredicate(TestAuthenticationFactory.createClusterAdministrator("User1"));
+  }
+
+  @Test(expected = AuthorizationException.class)
+  public void testGetResourcesWithoutPredicateAsServiceAdministrator() throws Exception {
+    testGetResourcesWithoutPredicate(TestAuthenticationFactory.createServiceAdministrator("User10"));
+  }
+
+  private void testGetResourcesWithoutPredicate(Authentication authentication) throws Exception {
 
     AmbariManagementController managementController = createMock(AmbariManagementController.class);
     Request request = createMock(Request.class);
@@ -469,6 +563,8 @@ public class CredentialResourceProviderTest {
     replay(request, factory, managementController);
     // end expectations
 
+    SecurityContextHolder.getContext().setAuthentication(authentication);
+    
     AbstractControllerResourceProvider.init(factory);
 
     ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
@@ -485,7 +581,21 @@ public class CredentialResourceProviderTest {
   }
 
   @Test
-  public void testUpdateResources() throws Exception {
+  public void testUpdateResourcesAsAdministrator() throws Exception {
+    testUpdateResources(TestAuthenticationFactory.createAdministrator("admin"));
+  }
+
+  @Test
+  public void testUpdateResourcesAsClusterAdministrator() throws Exception {
+    testUpdateResources(TestAuthenticationFactory.createClusterAdministrator("User1"));
+  }
+
+  @Test(expected = AuthorizationException.class)
+  public void testUpdateResourcesAsServiceAdministrator() throws Exception {
+    testUpdateResources(TestAuthenticationFactory.createServiceAdministrator("User10"));
+  }
+
+  private void testUpdateResources(Authentication authentication) throws Exception {
 
     AmbariManagementController managementController = createMock(AmbariManagementController.class);
     Request request = createMock(Request.class);
@@ -510,7 +620,9 @@ public class CredentialResourceProviderTest {
 
     replay(request, factory, managementController);
     // end expectations
-
+    
+    SecurityContextHolder.getContext().setAuthentication(authentication);
+    
     AbstractControllerResourceProvider.init(factory);
 
     ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
@@ -563,7 +675,21 @@ public class CredentialResourceProviderTest {
   }
 
   @Test
-  public void testUpdateResources_ResourceNotFound() throws Exception {
+  public void testUpdateResourcesResourceNotFoundAsAdministrator() throws Exception {
+    testUpdateResourcesResourceNotFound(TestAuthenticationFactory.createAdministrator("admin"));
+  }
+
+  @Test
+  public void testUpdateResourcesResourceNotFoundAsClusterAdministrator() throws Exception {
+    testUpdateResourcesResourceNotFound(TestAuthenticationFactory.createClusterAdministrator("User1"));
+  }
+
+  @Test(expected = AuthorizationException.class)
+  public void testUpdateResourcesResourceNotFoundAsServiceAdministrator() throws Exception {
+    testUpdateResourcesResourceNotFound(TestAuthenticationFactory.createServiceAdministrator("User10"));
+  }
+
+  private void testUpdateResourcesResourceNotFound(Authentication authentication) throws Exception {
 
     AmbariManagementController managementController = createMock(AmbariManagementController.class);
     Request request = createMock(Request.class);
@@ -589,6 +715,8 @@ public class CredentialResourceProviderTest {
     replay(request, factory, managementController);
     // end expectations
 
+    SecurityContextHolder.getContext().setAuthentication(authentication);
+
     AbstractControllerResourceProvider.init(factory);
 
     ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
@@ -618,7 +746,21 @@ public class CredentialResourceProviderTest {
   }
 
   @Test
-  public void testDeleteResources() throws Exception {
+  public void testDeleteResourcesAsAdministrator() throws Exception {
+    testDeleteResources(TestAuthenticationFactory.createAdministrator("admin"));
+  }
+
+  @Test
+  public void testDeleteResourcesAsClusterAdministrator() throws Exception {
+    testDeleteResources(TestAuthenticationFactory.createClusterAdministrator("User1"));
+  }
+
+  @Test(expected = AuthorizationException.class)
+  public void testDeleteResourcesAsServiceAdministrator() throws Exception {
+    testDeleteResources(TestAuthenticationFactory.createServiceAdministrator("User10"));
+  }
+
+  private void testDeleteResources(Authentication authentication) throws Exception {
 
     AmbariManagementController managementController = createMock(AmbariManagementController.class);
     Request request = createMock(Request.class);
@@ -642,6 +784,8 @@ public class CredentialResourceProviderTest {
     replay(request, factory, managementController);
     // end expectations
 
+    SecurityContextHolder.getContext().setAuthentication(authentication);
+
     AbstractControllerResourceProvider.init(factory);
 
     ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(

http://git-wip-us.apache.org/repos/asf/ambari/blob/9a105fff/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java b/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
index 634d840..94f119c 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
@@ -33,6 +33,8 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.EnumSet;
+import java.util.Set;
 
 public class TestAuthenticationFactory {
   public static Authentication createAdministrator(String name) {
@@ -43,6 +45,10 @@ public class TestAuthenticationFactory {
     return new TestAuthorization(name, Collections.singleton(createClusterAdministratorGrantedAuthority()));
   }
 
+  public static Authentication createServiceAdministrator(String name) {
+    return new TestAuthorization(name, Collections.singleton(createServiceAdministratorGrantedAuthority()));
+  }
+
   private static GrantedAuthority createAdministratorGrantedAuthority() {
     return new AmbariGrantedAuthority(createAdministratorPrivilegeEntity());
   }
@@ -51,6 +57,10 @@ public class TestAuthenticationFactory {
     return new AmbariGrantedAuthority(createClusterAdministratorPrivilegeEntity());
   }
 
+  private static GrantedAuthority createServiceAdministratorGrantedAuthority() {
+    return new AmbariGrantedAuthority(createServiceAdministratorPrivilegeEntity());
+  }
+
   private static PrivilegeEntity createAdministratorPrivilegeEntity() {
     PrivilegeEntity privilegeEntity = new PrivilegeEntity();
     privilegeEntity.setResource(createAmbariResourceEntity());
@@ -65,27 +75,84 @@ public class TestAuthenticationFactory {
     return privilegeEntity;
   }
 
+  private static PrivilegeEntity createServiceAdministratorPrivilegeEntity() {
+    PrivilegeEntity privilegeEntity = new PrivilegeEntity();
+    privilegeEntity.setResource(createClusterResourceEntity());
+    privilegeEntity.setPermission(createServiceAdministratorPermission());
+    return privilegeEntity;
+  }
+
   private static PermissionEntity createAdministratorPermission() {
     PermissionEntity permissionEntity = new PermissionEntity();
     permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.AMBARI));
-
-    Collection<RoleAuthorizationEntity> authorizations = new ArrayList<RoleAuthorizationEntity>();
-    for (RoleAuthorization roleAuthorization : RoleAuthorization.values()) {
-      authorizations.add(createRoleAuthorizationEntity(roleAuthorization));
-    }
-
-    permissionEntity.setAuthorizations(authorizations);
-
+    permissionEntity.setAuthorizations(createAuthorizations(EnumSet.allOf(RoleAuthorization.class)));
     return permissionEntity;
   }
 
   private static PermissionEntity createClusterAdministratorPermission() {
     PermissionEntity permissionEntity = new PermissionEntity();
     permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.CLUSTER));
-    permissionEntity.setAuthorizations(Arrays.asList(
-        createRoleAuthorizationEntity(RoleAuthorization.CLUSTER_VIEW_ALERTS),
-        createRoleAuthorizationEntity(RoleAuthorization.CLUSTER_TOGGLE_ALERTS)));
+    permissionEntity.setAuthorizations(createAuthorizations(EnumSet.of(
+        RoleAuthorization.CLUSTER_TOGGLE_ALERTS,
+        RoleAuthorization.CLUSTER_TOGGLE_KERBEROS,
+        RoleAuthorization.CLUSTER_UPGRADE_DOWNGRADE_STACK,
+        RoleAuthorization.CLUSTER_VIEW_ALERTS,
+        RoleAuthorization.CLUSTER_VIEW_CONFIGS,
+        RoleAuthorization.CLUSTER_VIEW_METRICS,
+        RoleAuthorization.CLUSTER_VIEW_STACK_DETAILS,
+        RoleAuthorization.CLUSTER_VIEW_STATUS_INFO,
+        RoleAuthorization.HOST_ADD_DELETE_COMPONENTS,
+        RoleAuthorization.HOST_ADD_DELETE_HOSTS,
+        RoleAuthorization.HOST_TOGGLE_MAINTENANCE,
+        RoleAuthorization.HOST_VIEW_CONFIGS,
+        RoleAuthorization.HOST_VIEW_METRICS,
+        RoleAuthorization.HOST_VIEW_STATUS_INFO,
+        RoleAuthorization.SERVICE_ADD_DELETE_SERVICES,
+        RoleAuthorization.SERVICE_COMPARE_CONFIGS,
+        RoleAuthorization.SERVICE_DECOMMISSION_RECOMMISSION,
+        RoleAuthorization.SERVICE_ENABLE_HA,
+        RoleAuthorization.SERVICE_MANAGE_CONFIG_GROUPS,
+        RoleAuthorization.SERVICE_MODIFY_CONFIGS,
+        RoleAuthorization.SERVICE_MOVE,
+        RoleAuthorization.SERVICE_RUN_CUSTOM_COMMAND,
+        RoleAuthorization.SERVICE_RUN_SERVICE_CHECK,
+        RoleAuthorization.SERVICE_START_STOP,
+        RoleAuthorization.SERVICE_TOGGLE_ALERTS,
+        RoleAuthorization.SERVICE_TOGGLE_MAINTENANCE,
+        RoleAuthorization.SERVICE_VIEW_ALERTS,
+        RoleAuthorization.SERVICE_VIEW_CONFIGS,
+        RoleAuthorization.SERVICE_VIEW_METRICS,
+        RoleAuthorization.SERVICE_VIEW_STATUS_INFO)));
+    return permissionEntity;
+  }
 
+  private static PermissionEntity createServiceAdministratorPermission() {
+    PermissionEntity permissionEntity = new PermissionEntity();
+    permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.CLUSTER));
+    permissionEntity.setAuthorizations(createAuthorizations(EnumSet.of(
+        RoleAuthorization.CLUSTER_VIEW_ALERTS,
+        RoleAuthorization.CLUSTER_VIEW_CONFIGS,
+        RoleAuthorization.CLUSTER_VIEW_METRICS,
+        RoleAuthorization.CLUSTER_VIEW_STACK_DETAILS,
+        RoleAuthorization.CLUSTER_VIEW_STATUS_INFO,
+        RoleAuthorization.HOST_VIEW_CONFIGS,
+        RoleAuthorization.HOST_VIEW_METRICS,
+        RoleAuthorization.HOST_VIEW_STATUS_INFO,
+        RoleAuthorization.SERVICE_COMPARE_CONFIGS,
+        RoleAuthorization.SERVICE_DECOMMISSION_RECOMMISSION,
+        RoleAuthorization.SERVICE_ENABLE_HA,
+        RoleAuthorization.SERVICE_MANAGE_CONFIG_GROUPS,
+        RoleAuthorization.SERVICE_MODIFY_CONFIGS,
+        RoleAuthorization.SERVICE_MOVE,
+        RoleAuthorization.SERVICE_RUN_CUSTOM_COMMAND,
+        RoleAuthorization.SERVICE_RUN_SERVICE_CHECK,
+        RoleAuthorization.SERVICE_START_STOP,
+        RoleAuthorization.SERVICE_TOGGLE_ALERTS,
+        RoleAuthorization.SERVICE_TOGGLE_MAINTENANCE,
+        RoleAuthorization.SERVICE_VIEW_ALERTS,
+        RoleAuthorization.SERVICE_VIEW_CONFIGS,
+        RoleAuthorization.SERVICE_VIEW_METRICS,
+        RoleAuthorization.SERVICE_VIEW_STATUS_INFO)));
     return permissionEntity;
   }
 
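Review bot: `createClusterAdministratorPermission` and `createServiceAdministratorPermission` hand-maintain the role-to-authorization mapping in EnumSets, while the production mapping is seeded by the DDL files this commit also touches (the diffstat shows each `Ambari-DDL-*-CREATE.sql` gaining three rows); nothing ties the two together, so an authorization added to a role in the DDL but not here makes the provider tests pass or fail for the wrong reason. The CredentialResourceProviderTest changes expect the cluster administrator to be allowed and the service administrator to be denied, and the two sets differ only in the CLUSTER_TOGGLE_*, CLUSTER_UPGRADE_DOWNGRADE_STACK, HOST_ADD_DELETE_*/HOST_TOGGLE_MAINTENANCE and SERVICE_ADD_DELETE_SERVICES entries, so whichever of these the provider keys on is an implicit contract of this fixture. Add a comment above these methods, e.g. `// Keep in sync with the per-role authorization rows seeded in Ambari-DDL-*-CREATE.sql; the credential provider tests depend on the difference between these sets.` With the `Arrays.asList(...)` call removed at L759, `import java.util.Arrays` at L700 looks unused unless another part of the file still references it.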
@@ -117,6 +184,14 @@ public class TestAuthenticationFactory {
     return roleAuthorizationEntity;
   }
 
+  private static Collection<RoleAuthorizationEntity> createAuthorizations(Set<RoleAuthorization> roleAuthorizations) {
+    Collection<RoleAuthorizationEntity> roleAuthorizationEntities = new ArrayList<RoleAuthorizationEntity>();
+    for (RoleAuthorization roleAuthorization : roleAuthorizations) {
+      roleAuthorizationEntities.add(createRoleAuthorizationEntity(roleAuthorization));
+    }
+    return roleAuthorizationEntities;
+  }
+
   private static class TestAuthorization implements Authentication {
     private final String name;
     private final Collection<? extends GrantedAuthority> authorities;

http://git-wip-us.apache.org/repos/asf/ambari/blob/9a105fff/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
index 09972a7..5b66a3f 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
@@ -117,7 +117,7 @@ public class AmbariAuthorizationFilterTest {
     filter.doFilter(request, response, chain);
 
     verify(request, response, chain, filter, securityContext, authentication, authority,
-               privilegeEntity, permission, filterConfig);
+        privilegeEntity, permission, filterConfig);
   }
 
   @Test
@@ -205,14 +205,14 @@ public class AmbariAuthorizationFilterTest {
     urlTests.put("/api/v1/views", "POST", false);
     urlTests.put("/api/v1/persist/SomeValue", "GET", true);
     urlTests.put("/api/v1/persist/SomeValue", "POST", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "POST", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "PUT", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "GET", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "DELETE", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "POST", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "PUT", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "GET", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "DELETE", false);
+    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "POST", true);
+    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "PUT", true);
+    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "GET", true);
+    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "DELETE", true);
+    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "POST", true);
+    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "PUT", true);
+    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "GET", true);
+    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "DELETE", true);
     urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "GET", false);
     urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "POST", false);
     urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "GET", false);
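Review bot: Every credential URL now expects `true` in this hunk and in the ones at L880, L894 and L917, for every role these tables model, including the one that is otherwise denied `/api/v1/persist` POST and the view endpoints, so the filter no longer makes any per-role decision for `/api/v1/clusters/c1/credentials/*`. That is consistent with the commit moving enforcement into CredentialResourceProvider, but nothing in the test says so, and a reader of these tables will conclude credential URLs are open to everyone. Add a comment above the first credential row, e.g. `// credential URLs pass the filter for all roles; authorization is enforced in CredentialResourceProvider`, so the reason for the flipped expectations is recorded next to them.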
@@ -238,10 +238,10 @@ public class AmbariAuthorizationFilterTest {
     urlTests.put("/api/v1/views", "POST", false);
     urlTests.put("/api/v1/persist/SomeValue", "GET", true);
     urlTests.put("/api/v1/persist/SomeValue", "POST", true);
-    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "POST", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "PUT", false);
+    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "POST", true);
+    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "PUT", true);
     urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "GET", true);
-    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "DELETE", false);
+    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "DELETE", true);
     urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "POST", true);
     urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "PUT", true);
     urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "GET", true);
@@ -271,14 +271,14 @@ public class AmbariAuthorizationFilterTest {
     urlTests.put("/api/v1/views", "POST", true);
     urlTests.put("/api/v1/persist/SomeValue", "GET", true);
     urlTests.put("/api/v1/persist/SomeValue", "POST", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "POST", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "PUT", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "GET", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "DELETE", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "POST", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "PUT", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "GET", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "DELETE", false);
+    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "POST", true);
+    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "PUT", true);
+    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "GET", true);
+    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "DELETE", true);
+    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "POST", true);
+    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "PUT", true);
+    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "GET", true);
+    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "DELETE", true);
     urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "GET", true);
     urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "POST", true);
     urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "GET", false);
@@ -304,14 +304,14 @@ public class AmbariAuthorizationFilterTest {
     urlTests.put("/api/v1/views", "POST", false);
     urlTests.put("/api/v1/persist/SomeValue", "GET", true);
     urlTests.put("/api/v1/persist/SomeValue", "POST", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "POST", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "PUT", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "GET", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "DELETE", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "POST", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "PUT", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "GET", false);
-    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "DELETE", false);
+    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "POST", true);
+    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "PUT", true);
+    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "GET", true);
+    urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "DELETE", true);
+    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "POST", true);
+    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "PUT", true);
+    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "GET", true);
+    urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "DELETE", true);
     urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "GET", false);
     urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "POST", false);
     urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "GET", false);