Posted to issues@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2016/05/04 12:19:12 UTC

[jira] [Created] (AMBARI-16246) Allow roles to be treated like principals in Ambari DB

Robert Levas created AMBARI-16246:
-------------------------------------

             Summary: Allow roles to be treated like principals in Ambari DB
                 Key: AMBARI-16246
                 URL: https://issues.apache.org/jira/browse/AMBARI-16246
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
            Reporter: Robert Levas
            Assignee: Robert Levas
             Fix For: 2.4.0


To support assigning privileges to users based on their roles, provide support in the Ambari database to allow a {{role}} to be referenced as a {{principal}}, similar to the way a {{user}} and a {{group}} are referenced as a {{principal}}.

A use-case to support the need for this is to assign access to a view to all users with some specific role. Currently we can assign access to a view to a specific user or group by assigning that user or group the {{VIEW.USER}} role applied to the specific view. To assign access to a view to users who have a specific role, a {{role}} will need to behave like a {{principal}}.

The following changes need to be made to the database:

* Add {{principal_id}} column to the {{adminpermission}} table
* Create a {{principaltype}} record where the {{principal_type_name}} is '{{ROLE}}'
* Add records to the {{adminprincipal}} table to represent each role in {{adminpermission}}
* Update {{adminpermission.principal_id}} to match the relevant records from {{adminprincipal}}

After this is complete, {{adminprivilege}} records can be created using roles as principals. 

NOTE: special handling will need to be done in the authorization logic to dereference the role associations with the authenticated user, similar to the way this is done for groups.




