Posted to commits@ambari.apache.org by rl...@apache.org on 2015/12/02 18:37:09 UTC
ambari git commit: AMBARI-14142. Enforce granular role-based access
control for group functions (rlevas)
Repository: ambari
Updated Branches:
refs/heads/trunk 4fe479b0f -> 35f0d3c42
AMBARI-14142. Enforce granular role-based access control for group functions (rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/35f0d3c4
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/35f0d3c4
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/35f0d3c4
Branch: refs/heads/trunk
Commit: 35f0d3c4234361dc74bf64bbe91720d79b8ecaa7
Parents: 4fe479b
Author: Robert Levas <rl...@hortonworks.com>
Authored: Wed Dec 2 12:36:46 2015 -0500
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Wed Dec 2 12:36:54 2015 -0500
----------------------------------------------------------------------
.../internal/GroupResourceProvider.java | 16 ++-
.../internal/MemberResourceProvider.java | 16 ++-
.../AmbariAuthorizationFilter.java | 1 +
.../internal/GroupResourceProviderTest.java | 95 +++++++++++-
.../internal/MemberResourceProviderTest.java | 143 +++++++++++++++----
.../AmbariAuthorizationFilterTest.java | 6 +-
6 files changed, 236 insertions(+), 41 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/35f0d3c4/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupResourceProvider.java
index 36e1007..1678931 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupResourceProvider.java
@@ -18,6 +18,7 @@
package org.apache.ambari.server.controller.internal;
import java.util.Arrays;
+import java.util.EnumSet;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
@@ -36,6 +37,7 @@ import org.apache.ambari.server.controller.spi.ResourceAlreadyExistsException;
import org.apache.ambari.server.controller.spi.SystemException;
import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
/**
* Resource provider for group resources.
@@ -63,10 +65,16 @@ class GroupResourceProvider extends AbstractControllerResourceProvider {
Map<Resource.Type, String> keyPropertyIds,
AmbariManagementController managementController) {
super(propertyIds, keyPropertyIds, managementController);
+
+ EnumSet<RoleAuthorization> manageUserAuthorizations = EnumSet.of(RoleAuthorization.AMBARI_MANAGE_USERS);
+ setRequiredCreateAuthorizations(manageUserAuthorizations);
+ setRequiredGetAuthorizations(manageUserAuthorizations);
+ setRequiredUpdateAuthorizations(manageUserAuthorizations);
+ setRequiredDeleteAuthorizations(manageUserAuthorizations);
}
@Override
- public RequestStatus createResources(Request request)
+ protected RequestStatus createResourcesAuthorized(Request request)
throws SystemException,
UnsupportedPropertyException,
ResourceAlreadyExistsException,
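Review bot: The constructor installs an access policy without a comment stating it: every operation on groups, reads included, now requires `RoleAuthorization.AMBARI_MANAGE_USERS`, and the renamed `*Authorized` methods presumably depend on the inherited public methods to perform that check before they run. A comment above the `EnumSet.of(...)` line such as `// All group operations (create/get/update/delete) require AMBARI_MANAGE_USERS; enforcement is expected in the inherited public methods` would make that dependency explicit. The identical block added to the MemberResourceProvider constructor deserves the same comment. createResourcesAuthorized continues outside the hunk.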
@@ -88,7 +96,7 @@ class GroupResourceProvider extends AbstractControllerResourceProvider {
}
@Override
- public Set<Resource> getResources(Request request, Predicate predicate)
+ protected Set<Resource> getResourcesAuthorized(Request request, Predicate predicate)
throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
final Set<GroupRequest> requests = new HashSet<GroupRequest>();
@@ -131,7 +139,7 @@ class GroupResourceProvider extends AbstractControllerResourceProvider {
}
@Override
- public RequestStatus updateResources(Request request, Predicate predicate)
+ protected RequestStatus updateResourcesAuthorized(Request request, Predicate predicate)
throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
final Set<GroupRequest> requests = new HashSet<GroupRequest>();
@@ -152,7 +160,7 @@ class GroupResourceProvider extends AbstractControllerResourceProvider {
}
@Override
- public RequestStatus deleteResources(Predicate predicate)
+ protected RequestStatus deleteResourcesAuthorized(Predicate predicate)
throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
final Set<GroupRequest> requests = new HashSet<GroupRequest>();
http://git-wip-us.apache.org/repos/asf/ambari/blob/35f0d3c4/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/MemberResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/MemberResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/MemberResourceProvider.java
index 0f6b66d..04e5f67 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/MemberResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/MemberResourceProvider.java
@@ -18,6 +18,7 @@
package org.apache.ambari.server.controller.internal;
import java.util.Arrays;
+import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
@@ -37,6 +38,7 @@ import org.apache.ambari.server.controller.spi.ResourceAlreadyExistsException;
import org.apache.ambari.server.controller.spi.SystemException;
import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
import com.google.inject.assistedinject.Assisted;
import com.google.inject.assistedinject.AssistedInject;
@@ -70,10 +72,16 @@ public class MemberResourceProvider extends AbstractControllerResourceProvider {
@Assisted Map<Resource.Type, String> keyPropertyIds,
@Assisted AmbariManagementController managementController) {
super(propertyIds, keyPropertyIds, managementController);
+
+ EnumSet<RoleAuthorization> manageUserAuthorizations = EnumSet.of(RoleAuthorization.AMBARI_MANAGE_USERS);
+ setRequiredCreateAuthorizations(manageUserAuthorizations);
+ setRequiredGetAuthorizations(manageUserAuthorizations);
+ setRequiredUpdateAuthorizations(manageUserAuthorizations);
+ setRequiredDeleteAuthorizations(manageUserAuthorizations);
}
@Override
- public RequestStatus createResources(Request request)
+ protected RequestStatus createResourcesAuthorized(Request request)
throws SystemException,
UnsupportedPropertyException,
ResourceAlreadyExistsException,
@@ -96,7 +104,7 @@ public class MemberResourceProvider extends AbstractControllerResourceProvider {
@Override
@Transactional
- public Set<Resource> getResources(Request request, Predicate predicate) throws
+ protected Set<Resource> getResourcesAuthorized(Request request, Predicate predicate) throws
SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
final Set<MemberRequest> requests = new HashSet<MemberRequest>();
@@ -134,7 +142,7 @@ public class MemberResourceProvider extends AbstractControllerResourceProvider {
}
@Override
- public RequestStatus updateResources(final Request request, Predicate predicate)
+ protected RequestStatus updateResourcesAuthorized(final Request request, Predicate predicate)
throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
final Set<MemberRequest> requests = new HashSet<MemberRequest>();
@@ -160,7 +168,7 @@ public class MemberResourceProvider extends AbstractControllerResourceProvider {
}
@Override
- public RequestStatus deleteResources(Predicate predicate)
+ protected RequestStatus deleteResourcesAuthorized(Predicate predicate)
throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
final Set<MemberRequest> requests = new HashSet<MemberRequest>();
http://git-wip-us.apache.org/repos/asf/ambari/blob/35f0d3c4/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
index 7f88286..43c9aa2 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
@@ -256,6 +256,7 @@ public class AmbariAuthorizationFilter implements Filter {
*/
private boolean authorizationPerformedInternally(String requestURI) {
return requestURI.matches(API_USERS_ALL_PATTERN) ||
+ requestURI.matches(API_GROUPS_ALL_PATTERN) ||
requestURI.matches(API_PRIVILEGES_ALL_PATTERN);
}
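Review bot: Adding `API_GROUPS_ALL_PATTERN` to `authorizationPerformedInternally` means the filter no longer decides for any URI that pattern matches, so access to those paths is only as strong as the resource providers behind them. This commit adds checks to the Group and Member providers; the pattern's definition is not visible here, so it is worth confirming that no other resource served under a matching path is left without its own check. I would record that contract in the method's Javadoc, for example `Every pattern listed here must be backed by providers that enforce RoleAuthorization themselves`. Separately, `String.matches` recompiles the regular expression on every request; precompiled `Pattern` constants would avoid that.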
http://git-wip-us.apache.org/repos/asf/ambari/blob/35f0d3c4/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupResourceProviderTest.java
index 0cd1be1..34b674f 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupResourceProviderTest.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -31,6 +31,7 @@ import java.util.Map;
import java.util.Set;
import org.apache.ambari.server.controller.AmbariManagementController;
+import org.apache.ambari.server.controller.GroupRequest;
import org.apache.ambari.server.controller.GroupResponse;
import org.apache.ambari.server.controller.RequestStatusResponse;
import org.apache.ambari.server.controller.spi.Predicate;
@@ -39,15 +40,35 @@ import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.controller.spi.ResourceProvider;
import org.apache.ambari.server.controller.utilities.PredicateBuilder;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.junit.Assert;
+import org.junit.Before;
import org.junit.Test;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
/**
* GroupResourceProvider tests.
*/
public class GroupResourceProviderTest {
+
+ @Before
+ public void clearAuthentication() {
+ SecurityContextHolder.getContext().setAuthentication(null);
+ }
+
@Test
- public void testCreateResources() throws Exception {
+ public void testCreateResources_Administrator() throws Exception {
+ testCreateResources(TestAuthenticationFactory.createAdministrator("admin"));
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testCreateResources_ClusterAdministrator() throws Exception {
+ testCreateResources(TestAuthenticationFactory.createClusterAdministrator("User1"));
+ }
+
+ private void testCreateResources(Authentication authentication) throws Exception {
Resource.Type type = Resource.Type.Group;
AmbariManagementController managementController = createMock(AmbariManagementController.class);
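Review bot: The `@Test(expected = AuthorizationException.class)` cases pass as soon as the exception is thrown anywhere inside the helper, and because the helper's `verify(...)` is then never reached they do not show that the mocked `AmbariManagementController` was left untouched when access is denied. For an authorization test the stronger assertion is that a denied caller causes no call into the controller: catch the exception in the negative test and verify a controller mock on which no expectations were recorded. The same pattern is used for the get, update and delete cases further down and throughout MemberResourceProviderTest. testCreateResources continues outside the hunk.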
@@ -58,6 +79,8 @@ public class GroupResourceProviderTest {
// replay
replay(managementController, response);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
type,
PropertyHelper.getPropertyIds(type),
@@ -84,7 +107,16 @@ public class GroupResourceProviderTest {
}
@Test
- public void testGetResources() throws Exception {
+ public void testGetResources_Administrator() throws Exception {
+ testGetResources(TestAuthenticationFactory.createAdministrator("admin"));
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testGetResources_ClusterAdministrator() throws Exception {
+ testGetResources(TestAuthenticationFactory.createClusterAdministrator("User1"));
+ }
+
+ public void testGetResources(Authentication authentication) throws Exception {
Resource.Type type = Resource.Type.Group;
AmbariManagementController managementController = createMock(AmbariManagementController.class);
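Review bot: The new helper `testGetResources(Authentication authentication)` is declared `public` while the other parameterised helpers in this class are `private`. It carries no `@Test`, so it is not run as a test on its own, but the mixed visibility reads as an oversight. I would change the declaration to `private void testGetResources(Authentication authentication) throws Exception {`. The helper's body continues outside the hunk.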
@@ -99,6 +131,8 @@ public class GroupResourceProviderTest {
// replay
replay(managementController);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
type,
PropertyHelper.getPropertyIds(type),
@@ -125,12 +159,59 @@ public class GroupResourceProviderTest {
}
@Test
- public void testUpdateResources() throws Exception {
- // currently provider.updateResources() does nothing, nothing to test
+ public void testUpdateResources_Adminstrator() throws Exception {
+ testUpdateResources(TestAuthenticationFactory.createAdministrator("admin"));
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testUpdateResources_ClusterAdminstrator() throws Exception {
+ testUpdateResources(TestAuthenticationFactory.createClusterAdministrator("User1"));
+ }
+
+ private void testUpdateResources(Authentication authentication) throws Exception {
+ Resource.Type type = Resource.Type.Group;
+
+ AmbariManagementController managementController = createMock(AmbariManagementController.class);
+ RequestStatusResponse response = createNiceMock(RequestStatusResponse.class);
+
+ Set<GroupRequest> requests = AbstractResourceProviderTest.Matcher.getGroupRequestSet("engineering");
+
+ // set expectations
+ managementController.updateGroups(requests);
+
+ // replay
+ replay(managementController, response);
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
+ ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
+ type,
+ PropertyHelper.getPropertyIds(type),
+ PropertyHelper.getKeyPropertyIds(type),
+ managementController);
+
+ Map<String, Object> properties = new LinkedHashMap<String, Object>();
+ Request request = PropertyHelper.getUpdateRequest(properties, null);
+ Predicate predicate = new PredicateBuilder().property(GroupResourceProvider.GROUP_GROUPNAME_PROPERTY_ID).
+ equals("engineering").toPredicate();
+
+ provider.updateResources(request, predicate);
+
+ // verify
+ verify(managementController, response);
}
@Test
- public void testDeleteResources() throws Exception {
+ public void testDeleteResources_Administrator() throws Exception {
+ testDeleteResources(TestAuthenticationFactory.createAdministrator("admin"));
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testDeleteResources_ClusterAdministrator() throws Exception {
+ testDeleteResources(TestAuthenticationFactory.createClusterAdministrator("User1"));
+ }
+
+ private void testDeleteResources(Authentication authentication) throws Exception {
Resource.Type type = Resource.Type.Group;
AmbariManagementController managementController = createMock(AmbariManagementController.class);
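Review bot: Two of the new test names are misspelled: `testUpdateResources_Adminstrator` and `testUpdateResources_ClusterAdminstrator` should read `testUpdateResources_Administrator` and `testUpdateResources_ClusterAdministrator`. The create, get and delete tests use the correct spelling, so a name-based test filter on `Administrator` would silently skip the update authorization cases. testDeleteResources continues outside the hunk.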
@@ -142,6 +223,8 @@ public class GroupResourceProviderTest {
// replay
replay(managementController, response);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
type,
PropertyHelper.getPropertyIds(type),
http://git-wip-us.apache.org/repos/asf/ambari/blob/35f0d3c4/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/MemberResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/MemberResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/MemberResourceProviderTest.java
index da8d781..b2a084a 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/MemberResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/MemberResourceProviderTest.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -18,20 +18,14 @@
package org.apache.ambari.server.controller.internal;
-import static org.easymock.EasyMock.anyObject;
-import static org.easymock.EasyMock.createMock;
-import static org.easymock.EasyMock.createNiceMock;
-import static org.easymock.EasyMock.eq;
-import static org.easymock.EasyMock.expect;
-import static org.easymock.EasyMock.replay;
-import static org.easymock.EasyMock.verify;
-
+import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import org.apache.ambari.server.controller.AmbariManagementController;
+import org.apache.ambari.server.controller.MemberResponse;
import org.apache.ambari.server.controller.RequestStatusResponse;
import org.apache.ambari.server.controller.ResourceProviderFactory;
import org.apache.ambari.server.controller.spi.Predicate;
@@ -40,27 +34,54 @@ import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.controller.spi.ResourceProvider;
import org.apache.ambari.server.controller.utilities.PredicateBuilder;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
+import org.junit.Before;
import org.junit.Test;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+import static org.easymock.EasyMock.*;
/**
* MemberResourceProvider tests.
*/
public class MemberResourceProviderTest {
+
+ @Before
+ public void clearAuthentication() {
+ SecurityContextHolder.getContext().setAuthentication(null);
+ }
+
@Test
- public void testCreateResources() throws Exception {
+ public void testCreateResources_Administrator() throws Exception {
+ testCreateResources(TestAuthenticationFactory.createAdministrator("admin"));
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testCreateResources_ClusterAdministrator() throws Exception {
+ testCreateResources(TestAuthenticationFactory.createClusterAdministrator("User1"));
+ }
+
+ private void testCreateResources(Authentication authentication) throws Exception {
Resource.Type type = Resource.Type.Member;
AmbariManagementController managementController = createMock(AmbariManagementController.class);
RequestStatusResponse response = createNiceMock(RequestStatusResponse.class);
ResourceProviderFactory resourceProviderFactory = createNiceMock(ResourceProviderFactory.class);
- ResourceProvider memberResourceProvider = createNiceMock(MemberResourceProvider.class);
AbstractControllerResourceProvider.init(resourceProviderFactory);
- expect(resourceProviderFactory.getMemberResourceProvider(anyObject(Set.class), anyObject(Map.class),
- eq(managementController))).andReturn(memberResourceProvider).anyTimes();
+ expect(resourceProviderFactory.getMemberResourceProvider(anyObject(Set.class), anyObject(Map.class), eq(managementController)))
+ .andReturn(new MemberResourceProvider(PropertyHelper.getPropertyIds(type), PropertyHelper.getKeyPropertyIds(type), managementController)).anyTimes();
+
+ managementController.createMembers(AbstractResourceProviderTest.Matcher.getMemberRequestSet("engineering", "joe"));
+ expectLastCall().atLeastOnce();
+
// replay
- replay(managementController, response, resourceProviderFactory, memberResourceProvider);
+ replay(managementController, response, resourceProviderFactory);
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
type,
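Review bot: `clearAuthentication()` runs only as `@Before`, so the `Authentication` installed by the last test of the class stays in `SecurityContextHolder` after the class finishes, and a later test class on the same thread could run with an administrator identity it never set up. Adding an `@After` method that calls `SecurityContextHolder.getContext().setAuthentication(null);` closes that gap; GroupResourceProviderTest has the same `@Before`-only method. As a smaller style point, `import static org.easymock.EasyMock.*;` replaces the explicit static imports removed in the previous hunk, and the explicit list is easier to audit. testCreateResources continues outside the hunk.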
@@ -89,22 +110,83 @@ public class MemberResourceProviderTest {
}
@Test
- public void testUpdateResources() throws Exception {
+ public void testGetResources_Administrator() throws Exception {
+ testGetResources(TestAuthenticationFactory.createAdministrator("admin"));
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testGetResources_ClusterAdministrator() throws Exception {
+ testGetResources(TestAuthenticationFactory.createClusterAdministrator("User1"));
+ }
+
+ private void testGetResources(Authentication authentication) throws Exception {
+ Resource.Type type = Resource.Type.Member;
+
+ AmbariManagementController managementController = createMock(AmbariManagementController.class);
+ RequestStatusResponse response = createNiceMock(RequestStatusResponse.class);
+ ResourceProviderFactory resourceProviderFactory = createNiceMock(ResourceProviderFactory.class);
+
+ AbstractControllerResourceProvider.init(resourceProviderFactory);
+
+ expect(resourceProviderFactory.getMemberResourceProvider(anyObject(Set.class), anyObject(Map.class), eq(managementController)))
+ .andReturn(new MemberResourceProvider(PropertyHelper.getPropertyIds(type), PropertyHelper.getKeyPropertyIds(type), managementController)).anyTimes();
+
+ expect(managementController.getMembers(AbstractResourceProviderTest.Matcher.getMemberRequestSet(null, null)))
+ .andReturn(Collections.<MemberResponse>emptySet())
+ .atLeastOnce();
+
+ // replay
+ replay(managementController, response, resourceProviderFactory);
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
+ ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
+ type,
+ PropertyHelper.getPropertyIds(type),
+ PropertyHelper.getKeyPropertyIds(type),
+ managementController);
+
+ // create the request
+ Request request = PropertyHelper.getReadRequest(null, null);
+ Predicate predicate = new PredicateBuilder().property(GroupResourceProvider.GROUP_GROUPNAME_PROPERTY_ID).
+ equals("engineering").toPredicate();
+
+ provider.getResources(request, predicate);
+
+ // verify
+ verify(managementController, response);
+ }
+
+ @Test
+ public void testUpdateResources_Administrator() throws Exception {
+ testUpdateResources(TestAuthenticationFactory.createAdministrator("admin"));
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testUpdateResources_ClusterAdministrator() throws Exception {
+ testUpdateResources(TestAuthenticationFactory.createClusterAdministrator("User1"));
+ }
+
+ private void testUpdateResources(Authentication authentication) throws Exception {
Resource.Type type = Resource.Type.Member;
AmbariManagementController managementController = createMock(AmbariManagementController.class);
RequestStatusResponse response = createNiceMock(RequestStatusResponse.class);
ResourceProviderFactory resourceProviderFactory = createNiceMock(ResourceProviderFactory.class);
- ResourceProvider memberResourceProvider = createNiceMock(MemberResourceProvider.class);
AbstractControllerResourceProvider.init(resourceProviderFactory);
// set expectations
- expect(resourceProviderFactory.getMemberResourceProvider(anyObject(Set.class), anyObject(Map.class),
- eq(managementController))).andReturn(memberResourceProvider).anyTimes();
+ expect(resourceProviderFactory.getMemberResourceProvider(anyObject(Set.class), anyObject(Map.class), eq(managementController)))
+ .andReturn(new MemberResourceProvider(PropertyHelper.getPropertyIds(type), PropertyHelper.getKeyPropertyIds(type), managementController)).anyTimes();
+
+ managementController.updateMembers(AbstractResourceProviderTest.Matcher.getMemberRequestSet("engineering", "joe"));
+ expectLastCall().atLeastOnce();
// replay
- replay(managementController, response, resourceProviderFactory, memberResourceProvider);
+ replay(managementController, response, resourceProviderFactory);
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
type,
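Review bot: In the new `testGetResources` helper the predicate is built on `GroupResourceProvider.GROUP_GROUPNAME_PROPERTY_ID` although the provider under test is the Member provider, and the recorded expectation is `getMemberRequestSet(null, null)`, which suggests the group name in the predicate never reaches the request. If that is intended, a comment saying so would help; otherwise the predicate should use the Member provider's own group-name property id and the expectation should carry "engineering". The `verify(managementController, response)` call also leaves out `resourceProviderFactory`, which is replayed above it. The hunk ends inside testUpdateResources.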
@@ -131,22 +213,35 @@ public class MemberResourceProviderTest {
}
@Test
- public void testDeleteResources() throws Exception {
+ public void testDeleteResources_Administrator() throws Exception {
+ testDeleteResources(TestAuthenticationFactory.createAdministrator("admin"));
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testDeleteResources_ClusterAdministrator() throws Exception {
+ testDeleteResources(TestAuthenticationFactory.createClusterAdministrator("User1"));
+ }
+
+ private void testDeleteResources(Authentication authentication) throws Exception {
Resource.Type type = Resource.Type.Member;
AmbariManagementController managementController = createMock(AmbariManagementController.class);
RequestStatusResponse response = createNiceMock(RequestStatusResponse.class);
ResourceProviderFactory resourceProviderFactory = createNiceMock(ResourceProviderFactory.class);
- ResourceProvider memberResourceProvider = createNiceMock(MemberResourceProvider.class);
AbstractControllerResourceProvider.init(resourceProviderFactory);
// set expectations
- expect(resourceProviderFactory.getMemberResourceProvider(anyObject(Set.class), anyObject(Map.class),
- eq(managementController))).andReturn(memberResourceProvider).anyTimes();
+ expect(resourceProviderFactory.getMemberResourceProvider(anyObject(Set.class), anyObject(Map.class), eq(managementController)))
+ .andReturn(new MemberResourceProvider(PropertyHelper.getPropertyIds(type), PropertyHelper.getKeyPropertyIds(type), managementController)).anyTimes();
+
+ managementController.deleteMembers(AbstractResourceProviderTest.Matcher.getMemberRequestSet("engineering", null));
+ expectLastCall().atLeastOnce();
// replay
- replay(managementController, response, resourceProviderFactory, memberResourceProvider);
+ replay(managementController, response, resourceProviderFactory);
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
type,
http://git-wip-us.apache.org/repos/asf/ambari/blob/35f0d3c4/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
index d4b7d5a..09972a7 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
@@ -221,7 +221,7 @@ public class AmbariAuthorizationFilterTest {
urlTests.put("/api/v1/users/user1", "POST", true);
urlTests.put("/api/v1/users/user2", "GET", true);
urlTests.put("/api/v1/users/user2", "POST", true);
- urlTests.put("/api/v1/groups", "GET", false);
+ urlTests.put("/api/v1/groups", "GET", true);
urlTests.put("/api/v1/ldap_sync_events", "GET", false);
urlTests.put("/any/other/URL", "GET", true);
urlTests.put("/any/other/URL", "POST", false);
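Review bot: Only the collection URI `/api/v1/groups` with `GET` is exercised for the newly delegated pattern, in this hunk and in the two identical ones below it. The users entries above cover a named resource and `POST`; equivalent group entries for a named group, its members sub-path and a modifying method would pin down how far `API_GROUPS_ALL_PATTERN` reaches, for example `urlTests.put("/api/v1/groups/group1", "POST", true);` if the pattern is meant to cover sub-paths. The expected values depend on the pattern definition, which is not visible here. The enclosing test method starts and ends outside the hunk.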
@@ -254,7 +254,7 @@ public class AmbariAuthorizationFilterTest {
urlTests.put("/api/v1/users/user1", "POST", true);
urlTests.put("/api/v1/users/user2", "GET", true);
urlTests.put("/api/v1/users/user2", "POST", true);
- urlTests.put("/api/v1/groups", "GET", false);
+ urlTests.put("/api/v1/groups", "GET", true);
urlTests.put("/api/v1/ldap_sync_events", "GET", false);
urlTests.put("/any/other/URL", "GET", true);
urlTests.put("/any/other/URL", "POST", false);
@@ -287,7 +287,7 @@ public class AmbariAuthorizationFilterTest {
urlTests.put("/api/v1/users/user1", "POST", true);
urlTests.put("/api/v1/users/user2", "GET", true);
urlTests.put("/api/v1/users/user2", "POST", true);
- urlTests.put("/api/v1/groups", "GET", false);
+ urlTests.put("/api/v1/groups", "GET", true);
urlTests.put("/api/v1/ldap_sync_events", "GET", false);
urlTests.put("/any/other/URL", "GET", true);
urlTests.put("/any/other/URL", "POST", false);