Posted to commits@ambari.apache.org by rl...@apache.org on 2016/10/21 20:01:57 UTC
[1/4] ambari git commit: Revert "AMBARI-1365. Authorizations given to
roles, should use generic role-based principals rather than hard-coded
pseudo-role-based principals (rlevas)"
Repository: ambari
Updated Branches:
refs/heads/trunk 0dd7770d9 -> 176c691ea
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog242.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog242.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog242.java
index 980b651..a5276c2 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog242.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog242.java
@@ -19,23 +19,10 @@
package org.apache.ambari.server.upgrade;
import java.sql.SQLException;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
import org.apache.ambari.server.AmbariException;
import org.apache.ambari.server.configuration.Configuration;
import org.apache.ambari.server.orm.DBAccessor;
-import org.apache.ambari.server.orm.dao.PermissionDAO;
-import org.apache.ambari.server.orm.dao.PrincipalDAO;
-import org.apache.ambari.server.orm.dao.PrincipalTypeDAO;
-import org.apache.ambari.server.orm.dao.PrivilegeDAO;
-import org.apache.ambari.server.orm.entities.PermissionEntity;
-import org.apache.ambari.server.orm.entities.PrincipalEntity;
-import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
-import org.apache.ambari.server.orm.entities.PrivilegeEntity;
-import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -119,7 +106,6 @@ public class UpgradeCatalog242 extends AbstractUpgradeCatalog {
@Override
protected void executeDMLUpdates() throws AmbariException, SQLException {
addNewConfigurationsFromXml();
- convertRolePrincipals();
}
protected void updateTablesForMysql() throws SQLException {
@@ -155,90 +141,4 @@ public class UpgradeCatalog242 extends AbstractUpgradeCatalog {
}
}
- /**
- * Convert the previously set inherited privileges to the more generic inherited privileges model
- * based on role-based principals rather than specialized principal types.
- */
- protected void convertRolePrincipals() {
- LOG.info("Converting pseudo principle types to role principals");
-
- PermissionDAO permissionDAO = injector.getInstance(PermissionDAO.class);
- PrivilegeDAO privilegeDAO = injector.getInstance(PrivilegeDAO.class);
- PrincipalDAO principalDAO = injector.getInstance(PrincipalDAO.class);
- PrincipalTypeDAO principalTypeDAO = injector.getInstance(PrincipalTypeDAO.class);
-
- Map<String, String> principalTypeToRole = new HashMap<String, String>();
- principalTypeToRole.put("ALL.CLUSTER.ADMINISTRATOR", "CLUSTER.ADMINISTRATOR");
- principalTypeToRole.put("ALL.CLUSTER.OPERATOR", "CLUSTER.OPERATOR");
- principalTypeToRole.put("ALL.CLUSTER.USER", "CLUSTER.USER");
- principalTypeToRole.put("ALL.SERVICE.ADMINISTRATOR", "SERVICE.ADMINISTRATOR");
- principalTypeToRole.put("ALL.SERVICE.OPERATOR", "SERVICE.OPERATOR");
-
- // Handle a typo introduced in org.apache.ambari.server.upgrade.UpgradeCatalog240.updateClusterInheritedPermissionsConfig
- principalTypeToRole.put("ALL.SERVICE.OPERATIOR", "SERVICE.OPERATOR");
-
- for (Map.Entry<String, String> entry : principalTypeToRole.entrySet()) {
- String principalTypeName = entry.getKey();
- String roleName = entry.getValue();
-
- PermissionEntity role = permissionDAO.findByName(roleName);
- PrincipalEntity rolePrincipalEntity = (role == null) ? null : role.getPrincipal();
-
- // Convert Privilege Records
- PrincipalTypeEntity principalTypeEntity = principalTypeDAO.findByName(principalTypeName);
-
- if (principalTypeEntity != null) {
- List<PrincipalEntity> principalEntities = principalDAO.findByPrincipalType(principalTypeName);
-
- for (PrincipalEntity principalEntity : principalEntities) {
- Set<PrivilegeEntity> privilegeEntities = principalEntity.getPrivileges();
-
- for (PrivilegeEntity privilegeEntity : privilegeEntities) {
- if (rolePrincipalEntity == null) {
- LOG.info("Removing privilege (id={}) since no role principle was found for {}:\n{}",
- privilegeEntity.getId(), roleName, formatPrivilegeEntityDetails(privilegeEntity));
- // Remove this privilege
- privilegeDAO.remove(privilegeEntity);
- } else {
- LOG.info("Updating privilege (id={}) to use role principle for {}:\n{}",
- privilegeEntity.getId(), roleName, formatPrivilegeEntityDetails(privilegeEntity));
-
- // Set the principal to the updated principal value
- privilegeEntity.setPrincipal(rolePrincipalEntity);
- privilegeDAO.merge(privilegeEntity);
- }
- }
-
- // Remove the obsolete principal
- principalDAO.remove(principalEntity);
- }
-
- // Remove the obsolete principal type
- principalTypeDAO.remove(principalTypeEntity);
- }
- }
-
- LOG.info("Converting pseudo principle types to role principals - complete.");
- }
-
- private String formatPrivilegeEntityDetails(PrivilegeEntity privilegeEntity) {
- if (privilegeEntity == null) {
- return "";
- } else {
- ResourceEntity resource = privilegeEntity.getResource();
- PrincipalEntity principal = privilegeEntity.getPrincipal();
- PermissionEntity permission = privilegeEntity.getPermission();
-
- return String.format("" +
- "\tPrivilege ID: %d" +
- "\n\tResource ID: %d" +
- "\n\tPrincipal ID: %d" +
- "\n\tPermission ID: %d",
- privilegeEntity.getId(),
- resource.getId(),
- principal.getId(),
- permission.getId()
- );
- }
- }
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java b/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java
index 7f58485..455b4f1 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java
@@ -1,4 +1,4 @@
-/*
+/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -86,6 +86,7 @@ import org.apache.ambari.server.orm.entities.ViewParameterEntity;
import org.apache.ambari.server.orm.entities.ViewResourceEntity;
import org.apache.ambari.server.security.SecurityHelper;
import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper;
import org.apache.ambari.server.security.authorization.ResourceType;
import org.apache.ambari.server.security.authorization.RoleAuthorization;
import org.apache.ambari.server.state.Clusters;
@@ -121,6 +122,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xml.sax.SAXException;
+import com.google.common.collect.FluentIterable;
import com.google.common.collect.Sets;
import com.google.common.eventbus.AllowConcurrentEvents;
import com.google.common.eventbus.Subscribe;
@@ -1794,7 +1796,7 @@ public class ViewRegistry {
}
List<String> services = autoInstanceConfig.getServices();
- Collection<String> roles = autoInstanceConfig.getRoles();
+ List<String> permissions = autoInstanceConfig.getPermissions();
Map<String, org.apache.ambari.server.state.Cluster> allClusters = clustersProvider.get().getClusters();
for (org.apache.ambari.server.state.Cluster cluster : allClusters.values()) {
@@ -1812,7 +1814,7 @@ public class ViewRegistry {
ViewInstanceEntity viewInstanceEntity = createViewInstanceEntity(viewEntity, viewConfig, autoInstanceConfig);
viewInstanceEntity.setClusterHandle(clusterId);
installViewInstance(viewInstanceEntity);
- setViewInstanceRoleAccess(viewInstanceEntity, roles);
+ addClusterInheritedPermissions(viewInstanceEntity, permissions);
}
} catch (Exception e) {
LOG.error("Can't auto create instance of view " + viewName + " for cluster " + clusterName +
@@ -1823,45 +1825,40 @@ public class ViewRegistry {
}
/**
- * Set access to the a particular view instance based on a set of roles.
- * <p>
- * View access to the specified view instances will be granted to anyone directly or indirectly
- * assigned to one of the roles in the suppled set of role names.
- *
- * @param viewInstanceEntity a view instance entity
- * @param roles the set of roles to use to for granting access
+ * Validates principalTypes and creates privilege entities for each permission type for the view instance entity
+ * resource.
+ * @param viewInstanceEntity - view instance entity for which permission has to be set.
+ * @param principalTypes - list of cluster inherited principal types
*/
@Transactional
- protected void setViewInstanceRoleAccess(ViewInstanceEntity viewInstanceEntity, Collection<String> roles) {
- if ((roles != null) && !roles.isEmpty()) {
- PermissionEntity permissionViewUser = permissionDAO.findViewUsePermission();
+ private void addClusterInheritedPermissions(ViewInstanceEntity viewInstanceEntity, List<String> principalTypes) {
+ List<String> validPermissions = FluentIterable.from(principalTypes)
+ .filter(ClusterInheritedPermissionHelper.validPrincipalTypePredicate)
+ .toList();
- if (permissionViewUser == null) {
- LOG.error("Missing the {} role. Access to view cannot be set.",
- PermissionEntity.VIEW_USER_PERMISSION_NAME, viewInstanceEntity.getName());
- } else {
- for (String role : roles) {
- PermissionEntity permissionRole = permissionDAO.findByName(role);
-
- if (permissionRole == null) {
- LOG.warn("Invalid role {} encountered while setting access to view {}, Ignoring.",
- role, viewInstanceEntity.getName());
- } else {
- PrincipalEntity principalRole = permissionRole.getPrincipal();
-
- if (principalRole == null) {
- LOG.warn("Missing principal ID for role {} encountered while setting access to view {}. Ignoring.",
- role, viewInstanceEntity.getName());
- } else {
- PrivilegeEntity privilegeEntity = new PrivilegeEntity();
- privilegeEntity.setPermission(permissionViewUser);
- privilegeEntity.setPrincipal(principalRole);
- privilegeEntity.setResource(viewInstanceEntity.getResource());
- privilegeDAO.create(privilegeEntity);
- }
- }
- }
- }
+ for(String permission: validPermissions) {
+ addClusterInheritedPermission(viewInstanceEntity, permission);
+ }
+ }
+
+ private void addClusterInheritedPermission(ViewInstanceEntity viewInstanceEntity, String principalType) {
+ ResourceEntity resource = viewInstanceEntity.getResource();
+ List<PrincipalEntity> principals = principalDAO.findByPrincipalType(principalType);
+ if (principals.size() == 0) {
+ LOG.error("Failed to find principal for principal type '{}'", principalType);
+ return;
+ }
+
+ PrincipalEntity principal = principals.get(0); // There will be only one principal associated with the principal type
+ PermissionEntity permission = permissionDAO.findViewUsePermission();
+
+ if (!privilegeDAO.exists(principal, resource, permission)) {
+ PrivilegeEntity privilege = new PrivilegeEntity();
+ privilege.setPrincipal(principal);
+ privilege.setResource(resource);
+ privilege.setPermission(permission);
+
+ privilegeDAO.create(privilege);
}
}
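Review bot: `addClusterInheritedPermission` never checks the result of `permissionDAO.findViewUsePermission()`, so when the VIEW.USER role is absent a null `permission` reaches `privilegeDAO.exists(principal, resource, permission)` and `privilege.setPermission(permission)`, and the method either throws or persists a privilege row with no permission; the `setViewInstanceRoleAccess` it replaces logged an error and returned in that case. Add `if (permission == null) { LOG.error("Missing the {} role. Access to view {} cannot be set.", PermissionEntity.VIEW_USER_PERMISSION_NAME, viewInstanceEntity.getName()); return; }` before the `exists` check. The `@Transactional` annotation now sits on a `private` method; if this is Guice-persist's interceptor it cannot intercept private methods, so the annotation is probably inert and the method should go back to `protected` or the annotation move to a non-private caller. The `// There will be only one principal` assumption behind `principals.get(0)` is likewise unchecked; a `LOG.warn` when `principals.size() > 1` would make duplicate principal rows visible instead of silently picking the first. The enclosing class continues outside the hunk.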
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/view/configuration/AutoInstanceConfig.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/view/configuration/AutoInstanceConfig.java b/ambari-server/src/main/java/org/apache/ambari/server/view/configuration/AutoInstanceConfig.java
index f934ed5..11efc76 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/view/configuration/AutoInstanceConfig.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/view/configuration/AutoInstanceConfig.java
@@ -1,4 +1,4 @@
-/*
+/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -18,14 +18,16 @@
package org.apache.ambari.server.view.configuration;
+import com.google.common.base.Function;
+import com.google.common.collect.FluentIterable;
+import com.google.common.collect.Lists;
+
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlElementWrapper;
-import javax.xml.bind.annotation.adapters.CollapsedStringAdapter;
-import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
+import java.util.Arrays;
import java.util.List;
-import java.util.Set;
/**
* View auto instance configuration.
@@ -46,25 +48,14 @@ public class AutoInstanceConfig extends InstanceConfig {
*/
@XmlElementWrapper
@XmlElement(name="service")
- @XmlJavaTypeAdapter(CollapsedStringAdapter.class)
private List<String> services;
/**
- * A list of roles that should have access to this view.
- * <p>
- * Example values:
- * <ul>
- * <li>CLUSTER.ADMINISTRATOR</li>
- * <li>CLUSTER.OPERATOR</li>
- * <li>SERVICE.ADMINISTRATOR</li>
- * <li>SERVICE.OPERATOR</li>
- * <li>CLUSTER.USER</li>
- * </ul>
+ * Cluster Inherited permissions. Comma separated strings for multiple values
+ * Possible values: ALL.CLUSTER.ADMINISTRATOR, ALL.CLUSTER.OPERATOR, ALL.CLUSTER.USER,
+ * ALL.SERVICE.OPERATOR, ALL.SERVICE.ADMINISTRATOR
*/
- @XmlElementWrapper
- @XmlElement(name="role")
- @XmlJavaTypeAdapter(CollapsedStringAdapter.class)
- private Set<String> roles;
+ private String permissions;
/**
* Get the stack id used for auto instance creation.
@@ -85,9 +76,17 @@ public class AutoInstanceConfig extends InstanceConfig {
}
/**
- * @return the set of roles that should have access to this view
+ * @return the list of configured cluster inherited permissions
*/
- public Set<String> getRoles() {
- return roles;
+ public List<String> getPermissions() {
+ if(permissions == null) {
+ return Lists.newArrayList();
+ }
+ return FluentIterable.from(Arrays.asList(permissions.split(","))).transform(new Function<String, String>() {
+ @Override
+ public String apply(String permission) {
+ return permission.trim();
+ }
+ }).toList();
}
}
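Review bot: `getPermissions()` splits on `","` and trims but never drops blank entries, so a value such as `", ALL.CLUSTER.USER"` or an empty `<permissions/>` element yields an empty-string entry in the returned list; whether that is harmless depends on `ClusterInheritedPermissionHelper.validPrincipalTypePredicate` rejecting it, which is not visible here. Guava, already imported in this hunk, expresses the intent in one line: `return permissions == null ? Lists.<String>newArrayList() : Splitter.on(',').trimResults().omitEmptyStrings().splitToList(permissions);` (needs `com.google.common.base.Splitter`). The two return paths also differ in mutability, `Lists.newArrayList()` being mutable while `FluentIterable.toList()` returns an `ImmutableList`, so a caller that mutates the result behaves differently only on the empty case; the Javadoc should state which contract callers may rely on.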
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql
index 7ab1dc7..ed94c40 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql
@@ -1174,6 +1174,16 @@ INSERT INTO adminprincipaltype (principal_type_id, principal_type_name)
UNION ALL
SELECT 2, 'GROUP' FROM SYSIBM.SYSDUMMY1
UNION ALL
+ SELECT 3, 'ALL.CLUSTER.ADMINISTRATOR' FROM SYSIBM.SYSDUMMY1
+ UNION ALL
+ SELECT 4, 'ALL.CLUSTER.OPERATOR' FROM SYSIBM.SYSDUMMY1
+ UNION ALL
+ SELECT 5, 'ALL.CLUSTER.USER' FROM SYSIBM.SYSDUMMY1
+ UNION ALL
+ SELECT 6, 'ALL.SERVICE.ADMINISTRATOR' FROM SYSIBM.SYSDUMMY1
+ UNION ALL
+ SELECT 7, 'ALL.SERVICE.OPERRATOR' FROM SYSIBM.SYSDUMMY1
+ UNION ALL
SELECT 8, 'ROLE' FROM SYSIBM.SYSDUMMY1;
INSERT INTO adminprincipal (principal_id, principal_type_id)
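Review bot: The Derby seed inserts `'ALL.SERVICE.OPERRATOR'` for principal_type_id 7, while the MySQL, Oracle, Postgres, SQL Anywhere and SQL Server files in this commit all insert `'ALL.SERVICE.OPERATOR'`, which is also the value `AutoInstanceConfig` documents and `ViewRegistry.addClusterInheritedPermission` looks up by name through `principalDAO.findByPrincipalType`. On a Derby-backed server a view configured with `ALL.SERVICE.OPERATOR` therefore hits the `Failed to find principal for principal type` branch, logs an error and grants no service-operator access. Change the line to `SELECT 7, 'ALL.SERVICE.OPERATOR' FROM SYSIBM.SYSDUMMY1`. The removed `convertRolePrincipals` in UpgradeCatalog242 only knew about the different `ALL.SERVICE.OPERATIOR` misspelling from UpgradeCatalog240, so nothing visible in this commit would correct this one later.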
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
index 5556e82..c8fbaa7 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
@@ -1123,6 +1123,11 @@ INSERT INTO adminresource (resource_id, resource_type_id) VALUES
INSERT INTO adminprincipaltype (principal_type_id, principal_type_name) VALUES
(1, 'USER'),
(2, 'GROUP'),
+ (3, 'ALL.CLUSTER.ADMINISTRATOR'),
+ (4, 'ALL.CLUSTER.OPERATOR'),
+ (5, 'ALL.CLUSTER.USER'),
+ (6, 'ALL.SERVICE.ADMINISTRATOR'),
+ (7, 'ALL.SERVICE.OPERATOR'),
(8, 'ROLE');
INSERT INTO adminprincipal (principal_id, principal_type_id) VALUES
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
index fb3ada5..04473d6 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
@@ -1119,6 +1119,16 @@ insert into adminprincipaltype (principal_type_id, principal_type_name)
union all
select 2, 'GROUP' from dual
union all
+ select 3, 'ALL.CLUSTER.ADMINISTRATOR' from dual
+ union all
+ select 4, 'ALL.CLUSTER.OPERATOR' from dual
+ union all
+ select 5, 'ALL.CLUSTER.USER' from dual
+ union all
+ select 6, 'ALL.SERVICE.ADMINISTRATOR' from dual
+ union all
+ select 7, 'ALL.SERVICE.OPERATOR' from dual
+ union all
select 8, 'ROLE' from dual;
insert into adminprincipal (principal_id, principal_type_id)
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
index 137a243..09ae3b0 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
@@ -1114,6 +1114,11 @@ INSERT INTO adminresource (resource_id, resource_type_id) VALUES
INSERT INTO adminprincipaltype (principal_type_id, principal_type_name) VALUES
(1, 'USER'),
(2, 'GROUP'),
+ (3, 'ALL.CLUSTER.ADMINISTRATOR'),
+ (4, 'ALL.CLUSTER.OPERATOR'),
+ (5, 'ALL.CLUSTER.USER'),
+ (6, 'ALL.SERVICE.ADMINISTRATOR'),
+ (7, 'ALL.SERVICE.OPERATOR'),
(8, 'ROLE');
INSERT INTO adminprincipal (principal_id, principal_type_id) VALUES
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
index 4922378..3dbd3fc 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
@@ -1116,6 +1116,16 @@ insert into adminprincipaltype (principal_type_id, principal_type_name)
union all
select 2, 'GROUP'
union all
+ select 3, 'ALL.CLUSTER.ADMINISTRATOR'
+ union all
+ select 4, 'ALL.CLUSTER.OPERATOR'
+ union all
+ select 5, 'ALL.CLUSTER.USER'
+ union all
+ select 6, 'ALL.SERVICE.ADMINISTRATOR'
+ union all
+ select 7, 'ALL.SERVICE.OPERATOR'
+ union all
select 8, 'ROLE';
insert into adminprincipal (principal_id, principal_type_id)
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
index f72b0ab..9def741 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
@@ -1140,6 +1140,11 @@ BEGIN TRANSACTION
values
(1, 'USER'),
(2, 'GROUP'),
+ (3, 'ALL.CLUSTER.ADMINISTRATOR'),
+ (4, 'ALL.CLUSTER.OPERATOR'),
+ (5, 'ALL.CLUSTER.USER'),
+ (6, 'ALL.SERVICE.ADMINISTRATOR'),
+ (7, 'ALL.SERVICE.OPERATOR'),
(8, 'ROLE');
insert into adminprincipal (principal_id, principal_type_id)
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AbstractPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AbstractPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AbstractPrivilegeResourceProviderTest.java
deleted file mode 100644
index 547bba5..0000000
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AbstractPrivilegeResourceProviderTest.java
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.ambari.server.controller.internal;
-
-import org.apache.ambari.server.orm.dao.MemberDAO;
-import org.apache.ambari.server.orm.dao.PrivilegeDAO;
-import org.apache.ambari.server.security.authorization.Users;
-import org.easymock.EasyMockSupport;
-
-class AbstractPrivilegeResourceProviderTest extends EasyMockSupport {
-
- static class TestUsers extends Users {
-
- void setPrivilegeDAO(PrivilegeDAO privilegeDAO) {
- this.privilegeDAO = privilegeDAO;
- }
-
- public void setMemberDAO(MemberDAO memberDAO) {
- this.memberDAO = memberDAO;
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java
index 7702fd0..99962ee 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java
@@ -270,6 +270,9 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
UserDAO userDAO = injector.getInstance(UserDAO.class);
expect(userDAO.findUsersByPrincipal(anyObject(List.class))).andReturn(userEntities).atLeastOnce();
+ GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
+ expect(groupDAO.findGroupsByPrincipal(anyObject(List.class))).andReturn(Collections.<GroupEntity>emptyList()).atLeastOnce();
+
replayAll();
SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator("admin"));
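Review bot: The new expectation `groupDAO.findGroupsByPrincipal(anyObject(List.class))` uses a raw-typed matcher that both triggers an unchecked warning and accepts any list, whereas the sibling expectations added in the `@@ -609` and `@@ -662` hunks pass the exact `principalEntities` the provider is expected to forward. If that list is in scope in this test, pass it here too; otherwise `EasyMock.<List<PrincipalEntity>>anyObject()` keeps the matcher typed. The same applies to the pre-existing `userDAO.findUsersByPrincipal(anyObject(List.class))` on the line above, though that is outside the change. The enclosing test method starts and ends outside the hunk.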
@@ -353,11 +356,10 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
Map<Long, UserEntity> userEntities = new HashMap<>();
Map<Long, GroupEntity> groupEntities = new HashMap<>();
- Map<Long, PermissionEntity> roleEntities = new HashMap<>();
Map<Long, Object> resourceEntities = new HashMap<Long, Object>();
AmbariPrivilegeResourceProvider provider = new AmbariPrivilegeResourceProvider();
- Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, provider.getPropertyIds());
+ Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, provider.getPropertyIds());
Assert.assertEquals(ResourceType.AMBARI.name(), resource.getPropertyValue(AmbariPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID));
@@ -397,13 +399,12 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
Map<Long, UserEntity> userEntities = new HashMap<>();
Map<Long, GroupEntity> groupEntities = new HashMap<>();
- Map<Long, PermissionEntity> roleEntities = new HashMap<>();
Map<Long, Object> resourceEntities = new HashMap<Long, Object>();
resourceEntities.put(resourceEntity.getId(), clusterEntity);
AmbariPrivilegeResourceProvider provider = new AmbariPrivilegeResourceProvider();
- Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, provider.getPropertyIds());
+ Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, provider.getPropertyIds());
Assert.assertEquals("TestCluster", resource.getPropertyValue(ClusterPrivilegeResourceProvider.PRIVILEGE_CLUSTER_NAME_PROPERTY_ID));
Assert.assertEquals(ResourceType.CLUSTER.name(), resource.getPropertyValue(AmbariPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID));
@@ -449,13 +450,12 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
Map<Long, UserEntity> userEntities = new HashMap<>();
Map<Long, GroupEntity> groupEntities = new HashMap<>();
- Map<Long, PermissionEntity> roleEntities = new HashMap<>();
Map<Long, Object> resourceEntities = new HashMap<Long, Object>();
resourceEntities.put(resourceEntity.getId(), viewInstanceEntity);
AmbariPrivilegeResourceProvider provider = new AmbariPrivilegeResourceProvider();
- Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, provider.getPropertyIds());
+ Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, provider.getPropertyIds());
Assert.assertEquals("Test View", resource.getPropertyValue(ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID));
Assert.assertEquals("TestView", resource.getPropertyValue(ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_NAME_PROPERTY_ID));
@@ -503,13 +503,12 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
Map<Long, UserEntity> userEntities = new HashMap<>();
Map<Long, GroupEntity> groupEntities = new HashMap<>();
- Map<Long, PermissionEntity> roleEntities = new HashMap<>();
Map<Long, Object> resourceEntities = new HashMap<Long, Object>();
resourceEntities.put(resourceEntity.getId(), viewInstanceEntity);
AmbariPrivilegeResourceProvider provider = new AmbariPrivilegeResourceProvider();
- Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, provider.getPropertyIds());
+ Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, provider.getPropertyIds());
Assert.assertEquals("Test View", resource.getPropertyValue(ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID));
Assert.assertEquals("TestView", resource.getPropertyValue(ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_NAME_PROPERTY_ID));
@@ -609,6 +608,9 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
ClusterDAO clusterDAO = injector.getInstance(ClusterDAO.class);
expect(clusterDAO.findAll()).andReturn(Collections.<ClusterEntity>emptyList()).atLeastOnce();
+ GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
+ expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList()).atLeastOnce();
+
replayAll();
SecurityContextHolder.getContext().setAuthentication(authentication);
@@ -662,6 +664,9 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
ClusterDAO clusterDAO = injector.getInstance(ClusterDAO.class);
expect(clusterDAO.findAll()).andReturn(clusterEntities).atLeastOnce();
+ GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
+ expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList()).atLeastOnce();
+
replayAll();
SecurityContextHolder.getContext().setAuthentication(authentication);
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProviderTest.java
index 976dd34..f00a21a 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProviderTest.java
@@ -38,6 +38,7 @@ import org.apache.ambari.server.orm.dao.ResourceDAO;
import org.apache.ambari.server.orm.dao.UserDAO;
import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
import org.apache.ambari.server.orm.entities.ClusterEntity;
+import org.apache.ambari.server.orm.entities.GroupEntity;
import org.apache.ambari.server.orm.entities.PermissionEntity;
import org.apache.ambari.server.orm.entities.PrincipalEntity;
import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
@@ -60,6 +61,7 @@ import org.springframework.security.core.context.SecurityContextHolder;
import javax.persistence.EntityManager;
import java.util.ArrayList;
+import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.LinkedList;
@@ -249,6 +251,9 @@ public class ClusterPrivilegeResourceProviderTest extends EasyMockSupport {
UserDAO userDAO = injector.getInstance(UserDAO.class);
expect(userDAO.findUsersByPrincipal(principalEntities)).andReturn(userEntities);
+ GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
+ expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList());
+
replayAll();
SecurityContextHolder.getContext().setAuthentication(authentication);
@@ -301,6 +306,9 @@ public class ClusterPrivilegeResourceProviderTest extends EasyMockSupport {
UserDAO userDAO = injector.getInstance(UserDAO.class);
expect(userDAO.findUsersByPrincipal(principalEntities)).andReturn(userEntities);
+ GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
+ expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList());
+
replayAll();
SecurityContextHolder.getContext().setAuthentication(authentication);
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProviderTest.java
index d417595..c3510a8 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProviderTest.java
@@ -18,6 +18,7 @@
package org.apache.ambari.server.controller.internal;
+import com.google.common.collect.Lists;
import junit.framework.Assert;
import org.apache.ambari.server.controller.spi.Predicate;
import org.apache.ambari.server.controller.spi.Request;
@@ -30,6 +31,7 @@ import org.apache.ambari.server.orm.dao.GroupDAO;
import org.apache.ambari.server.orm.dao.PrivilegeDAO;
import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
import org.apache.ambari.server.orm.entities.ClusterEntity;
+import org.apache.ambari.server.orm.entities.MemberEntity;
import org.apache.ambari.server.orm.entities.PermissionEntity;
import org.apache.ambari.server.orm.entities.PrincipalEntity;
import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
@@ -42,15 +44,13 @@ import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
import org.apache.ambari.server.security.TestAuthenticationFactory;
import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.security.authorization.ResourceType;
-import org.apache.ambari.server.security.authorization.Users;
+import org.easymock.EasyMockSupport;
import org.junit.Test;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import java.util.Collections;
import java.util.HashSet;
-import java.util.LinkedList;
-import java.util.List;
import java.util.Set;
import static org.easymock.EasyMock.anyObject;
@@ -59,7 +59,7 @@ import static org.easymock.EasyMock.expect;
/**
* GroupPrivilegeResourceProvider tests.
*/
-public class GroupPrivilegeResourceProviderTest extends AbstractPrivilegeResourceProviderTest {
+public class GroupPrivilegeResourceProviderTest extends EasyMockSupport {
@Test(expected = SystemException.class)
public void testCreateResources() throws Exception {
@@ -124,11 +124,11 @@ public class GroupPrivilegeResourceProviderTest extends AbstractPrivilegeResourc
ClusterDAO clusterDAO = createMock(ClusterDAO.class);
ViewInstanceDAO viewInstanceDAO = createMock(ViewInstanceDAO.class);
- Users users = createNiceMock(Users.class);
+ PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
replayAll();
- GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, users);
+ GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
GroupPrivilegeResourceProvider provider = new GroupPrivilegeResourceProvider();
Resource resource = provider.toResource(privilegeEntity, "group1", provider.getPropertyIds());
@@ -175,11 +175,11 @@ public class GroupPrivilegeResourceProviderTest extends AbstractPrivilegeResourc
GroupDAO groupDAO = createMock(GroupDAO.class);
expect(groupDAO.findGroupByPrincipal(anyObject(PrincipalEntity.class))).andReturn(groupEntity).anyTimes();
- Users users = createNiceMock(Users.class);
+ PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
replayAll();
- GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, users);
+ GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
GroupPrivilegeResourceProvider provider = new GroupPrivilegeResourceProvider();
Resource resource = provider.toResource(privilegeEntity, "group1", provider.getPropertyIds());
@@ -233,11 +233,11 @@ public class GroupPrivilegeResourceProviderTest extends AbstractPrivilegeResourc
GroupDAO groupDAO = createMock(GroupDAO.class);
expect(groupDAO.findGroupByPrincipal(anyObject(PrincipalEntity.class))).andReturn(groupEntity).anyTimes();
- Users users = createNiceMock(Users.class);
+ PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
replayAll();
- GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, users);
+ GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
GroupPrivilegeResourceProvider provider = new GroupPrivilegeResourceProvider();
Resource resource = provider.toResource(privilegeEntity, "group1", provider.getPropertyIds());
@@ -292,11 +292,11 @@ public class GroupPrivilegeResourceProviderTest extends AbstractPrivilegeResourc
GroupDAO groupDAO = createMock(GroupDAO.class);
expect(groupDAO.findGroupByPrincipal(anyObject(PrincipalEntity.class))).andReturn(groupEntity).anyTimes();
- Users users = createNiceMock(Users.class);
+ PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
replayAll();
- GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, users);
+ GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
GroupPrivilegeResourceProvider provider = new GroupPrivilegeResourceProvider();
Resource resource = provider.toResource(privilegeEntity, "group1", provider.getPropertyIds());
@@ -320,32 +320,30 @@ public class GroupPrivilegeResourceProviderTest extends AbstractPrivilegeResourc
final PrincipalTypeEntity principalTypeEntity = createNiceMock(PrincipalTypeEntity.class);
final ResourceEntity resourceEntity = createNiceMock(ResourceEntity.class);
final ResourceTypeEntity resourceTypeEntity = createNiceMock(ResourceTypeEntity.class);
- final PrivilegeDAO privilegeDAO = createMock(PrivilegeDAO.class);
-
- final TestUsers users = new TestUsers();
- users.setPrivilegeDAO(privilegeDAO);
-
- List<PrincipalEntity> groupPrincipals = new LinkedList<PrincipalEntity>();
- groupPrincipals.add(principalEntity);
-
- expect(privilegeDAO.findAllByPrincipal(groupPrincipals)).
- andReturn(Collections.singletonList(privilegeEntity))
- .once();
- expect(groupDAO.findGroupByName(requestedGroupName)).andReturn(groupEntity).atLeastOnce();
- expect(groupEntity.getPrincipal()).andReturn(principalEntity).atLeastOnce();
- expect(privilegeEntity.getPermission()).andReturn(permissionEntity).atLeastOnce();
- expect(privilegeEntity.getPrincipal()).andReturn(principalEntity).atLeastOnce();
- expect(principalEntity.getPrincipalType()).andReturn(principalTypeEntity).atLeastOnce();
- expect(principalTypeEntity.getName()).andReturn(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME).atLeastOnce();
- expect(groupDAO.findGroupByPrincipal(anyObject(PrincipalEntity.class))).andReturn(groupEntity).atLeastOnce();
- expect(groupEntity.getGroupName()).andReturn(requestedGroupName).atLeastOnce();
- expect(privilegeEntity.getResource()).andReturn(resourceEntity).atLeastOnce();
- expect(resourceEntity.getResourceType()).andReturn(resourceTypeEntity).atLeastOnce();
+ final PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+
+ expect(groupDAO.findGroupByName(requestedGroupName)).andReturn(groupEntity).anyTimes();
+ expect(groupEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
+ expect(groupEntity.getMemberEntities()).andReturn(Collections.<MemberEntity>emptySet()).anyTimes();
+ expect(privilegeEntity.getPermission()).andReturn(permissionEntity).anyTimes();
+ expect(privilegeEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
+ expect(principalEntity.getPrincipalType()).andReturn(principalTypeEntity).anyTimes();
+ expect(principalTypeEntity.getName()).andReturn(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME).anyTimes();
+ expect(principalEntity.getPrivileges()).andReturn(new HashSet<PrivilegeEntity>() {
+ {
+ add(privilegeEntity);
+ }
+ }).anyTimes();
+ expect(groupDAO.findGroupByPrincipal(anyObject(PrincipalEntity.class))).andReturn(groupEntity).anyTimes();
+ expect(groupEntity.getGroupName()).andReturn(requestedGroupName).anyTimes();
+ expect(privilegeEntity.getResource()).andReturn(resourceEntity).anyTimes();
+ expect(resourceEntity.getResourceType()).andReturn(resourceTypeEntity).anyTimes();
expect(resourceTypeEntity.getName()).andReturn(ResourceType.AMBARI.name());
+ expect(viewInstanceDAO.findAll()).andReturn(Lists.<ViewInstanceEntity>newArrayList()).anyTimes();
replayAll();
- GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, users);
+ GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
final Set<String> propertyIds = new HashSet<String>();
propertyIds.add(GroupPrivilegeResourceProvider.PRIVILEGE_GROUP_NAME_PROPERTY_ID);
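Review bot: Turning `privilegeDAO` into a nice mock and putting `.anyTimes()` on every expectation from `findGroupByName` through `getResourceType()` means the `verifyAll()` in the following hunk no longer asserts that any of these lookups happened, so a provider that stopped reading `principalEntity.getPrivileges()` and returned nothing would still pass as long as the later assertions only inspect what is present. Keep a minimum count on the expectations that actually drive the result, e.g. `expect(principalEntity.getPrivileges()).andReturn(Collections.singleton(privilegeEntity)).atLeastOnce();`, which also replaces the double-brace `HashSet` initializer (assuming the provider only reads the set). The test method's opening is outside this hunk.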
@@ -369,4 +367,5 @@ public class GroupPrivilegeResourceProviderTest extends AbstractPrivilegeResourc
verifyAll();
}
+
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
index ddb510d..1f3cb52 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
@@ -1,4 +1,4 @@
-/*
+/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -18,6 +18,8 @@
package org.apache.ambari.server.controller.internal;
+import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
import junit.framework.Assert;
import org.apache.ambari.server.controller.spi.Predicate;
import org.apache.ambari.server.controller.spi.Request;
@@ -27,7 +29,6 @@ import org.apache.ambari.server.controller.utilities.PredicateBuilder;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
import org.apache.ambari.server.orm.dao.ClusterDAO;
import org.apache.ambari.server.orm.dao.GroupDAO;
-import org.apache.ambari.server.orm.dao.MemberDAO;
import org.apache.ambari.server.orm.dao.PrivilegeDAO;
import org.apache.ambari.server.orm.dao.UserDAO;
import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
@@ -45,7 +46,7 @@ import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
import org.apache.ambari.server.security.TestAuthenticationFactory;
import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.security.authorization.ResourceType;
-import org.apache.ambari.server.security.authorization.Users;
+import org.easymock.EasyMockSupport;
import org.junit.Test;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
@@ -53,8 +54,6 @@ import org.springframework.security.core.context.SecurityContextHolder;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
-import java.util.LinkedList;
-import java.util.List;
import java.util.Set;
import static org.easymock.EasyMock.anyObject;
@@ -63,7 +62,7 @@ import static org.easymock.EasyMock.expect;
/**
* UserPrivilegeResourceProvider tests.
*/
-public class UserPrivilegeResourceProviderTest extends AbstractPrivilegeResourceProviderTest {
+public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
@Test(expected = SystemException.class)
public void testCreateResources() throws Exception {
@@ -135,11 +134,11 @@ public class UserPrivilegeResourceProviderTest extends AbstractPrivilegeResource
GroupDAO groupDAO = createMock(GroupDAO.class);
ViewInstanceDAO viewInstanceDAO = createMock(ViewInstanceDAO.class);
- Users users = createNiceMock(Users.class);
+ PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
replayAll();
- UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
+ UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
UserPrivilegeResourceProvider provider = new UserPrivilegeResourceProvider();
Resource resource = provider.toResource(privilegeEntity, "jdoe", provider.getPropertyIds());
@@ -188,11 +187,11 @@ public class UserPrivilegeResourceProviderTest extends AbstractPrivilegeResource
UserDAO userDAO = createMock(UserDAO.class);
expect(userDAO.findUserByPrincipal(anyObject(PrincipalEntity.class))).andReturn(userEntity).anyTimes();
- Users users = createNiceMock(Users.class);
+ PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
replayAll();
- UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
+ UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
UserPrivilegeResourceProvider provider = new UserPrivilegeResourceProvider();
Resource resource = provider.toResource(privilegeEntity, "jdoe", provider.getPropertyIds());
@@ -247,11 +246,11 @@ public class UserPrivilegeResourceProviderTest extends AbstractPrivilegeResource
UserDAO userDAO = createMock(UserDAO.class);
expect(userDAO.findUserByPrincipal(anyObject(PrincipalEntity.class))).andReturn(userEntity).anyTimes();
- Users users = createNiceMock(Users.class);
+ PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
replayAll();
- UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
+ UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
UserPrivilegeResourceProvider provider = new UserPrivilegeResourceProvider();
Resource resource = provider.toResource(privilegeEntity, "jdoe", provider.getPropertyIds());
@@ -308,11 +307,11 @@ public class UserPrivilegeResourceProviderTest extends AbstractPrivilegeResource
UserDAO userDAO = createMock(UserDAO.class);
expect(userDAO.findUserByPrincipal(anyObject(PrincipalEntity.class))).andReturn(userEntity).anyTimes();
- Users users = createNiceMock(Users.class);
+ PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
replayAll();
- UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
+ UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
UserPrivilegeResourceProvider provider = new UserPrivilegeResourceProvider();
Resource resource = provider.toResource(privilegeEntity, "jdoe", provider.getPropertyIds());
@@ -328,14 +327,7 @@ public class UserPrivilegeResourceProviderTest extends AbstractPrivilegeResource
public void testToResource_SpecificVIEW_WithClusterInheritedPermission() throws Exception {
SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createClusterAdministrator("jdoe", 2L));
- PrincipalTypeEntity rolePrincipalTypeEntity = createMock(PrincipalTypeEntity.class);
- expect(rolePrincipalTypeEntity.getName()).andReturn("ROLE").atLeastOnce();
-
- PrincipalEntity rolePrincipalEntity = createMock(PrincipalEntity.class);
- expect(rolePrincipalEntity.getPrincipalType()).andReturn(rolePrincipalTypeEntity).atLeastOnce();
-
PermissionEntity permissionEntity = createMock(PermissionEntity.class);
- expect(permissionEntity.getPrincipal()).andReturn(rolePrincipalEntity).atLeastOnce();
expect(permissionEntity.getPermissionName()).andReturn("CLUSTER.ADMINISTRATOR").atLeastOnce();
expect(permissionEntity.getPermissionLabel()).andReturn("Cluster Administrator").atLeastOnce();
@@ -345,10 +337,19 @@ public class UserPrivilegeResourceProviderTest extends AbstractPrivilegeResource
PrincipalEntity principalEntity = createMock(PrincipalEntity.class);
expect(principalEntity.getPrincipalType()).andReturn(principalTypeEntity).atLeastOnce();
+
+ PrincipalTypeEntity principalTypeWithAllClusterAdministrator = createNiceMock(PrincipalTypeEntity.class);
+ expect(principalTypeWithAllClusterAdministrator.getName()).andReturn("ALL.CLUSTER.ADMINISTRATOR").atLeastOnce();
+
+ PrincipalEntity principalEntityWithAllClusterAdministrator = createNiceMock(PrincipalEntity.class);
+ expect(principalEntityWithAllClusterAdministrator.getPrincipalType()).andReturn(principalTypeWithAllClusterAdministrator).atLeastOnce();
+
ViewEntity viewEntity = createMock(ViewEntity.class);
expect(viewEntity.getCommonName()).andReturn("TestView").atLeastOnce();
expect(viewEntity.getVersion()).andReturn("1.2.3.4").atLeastOnce();
+
+
ResourceTypeEntity resourceTypeEntity = createMock(ResourceTypeEntity.class);
expect(resourceTypeEntity.getName()).andReturn("TestView{1.2.3.4}").atLeastOnce();
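Review bot: Two consecutive blank lines are added after the `viewEntity` expectations; one is enough. The principal-type name `"ALL.CLUSTER.ADMINISTRATOR"` is spelled out as a literal here and again in the new AuthorizationHelperTest method (`@@ -362,6 +362,72 @@`); if the production code exposes a constant for this principal type, both tests should reference it so that a rename cannot leave the tests matching a string the authorization code no longer recognises. The enclosing test method begins in the previous hunk.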
@@ -359,56 +360,38 @@ public class UserPrivilegeResourceProviderTest extends AbstractPrivilegeResource
ViewInstanceEntity viewInstanceEntity = createMock(ViewInstanceEntity.class);
expect(viewInstanceEntity.getViewEntity()).andReturn(viewEntity).atLeastOnce();
expect(viewInstanceEntity.getName()).andReturn("Test View").atLeastOnce();
+ expect(viewInstanceEntity.getClusterHandle()).andReturn(1L).atLeastOnce();
+ expect(viewInstanceEntity.getResource()).andReturn(resourceEntity).atLeastOnce();
- PrivilegeEntity explicitPrivilegeEntity = createMock(PrivilegeEntity.class);
- expect(explicitPrivilegeEntity.getId()).andReturn(1).atLeastOnce();
- expect(explicitPrivilegeEntity.getPermission()).andReturn(permissionEntity).atLeastOnce();
- expect(explicitPrivilegeEntity.getPrincipal()).andReturn(principalEntity).atLeastOnce();
- expect(explicitPrivilegeEntity.getResource()).andReturn(resourceEntity).atLeastOnce();
+ PrivilegeEntity privilegeEntityViewWithClusterAdminAccess = createMock(PrivilegeEntity.class);
+ expect(privilegeEntityViewWithClusterAdminAccess.getPrincipal()).andReturn(principalEntityWithAllClusterAdministrator).atLeastOnce();
- PrivilegeEntity implicitPrivilegeEntity = createMock(PrivilegeEntity.class);
- expect(implicitPrivilegeEntity.getId()).andReturn(2).atLeastOnce();
- expect(implicitPrivilegeEntity.getPermission()).andReturn(permissionEntity).atLeastOnce();
- expect(implicitPrivilegeEntity.getPrincipal()).andReturn(rolePrincipalEntity).atLeastOnce();
- expect(implicitPrivilegeEntity.getResource()).andReturn(resourceEntity).atLeastOnce();
+ PrivilegeEntity privilegeEntity = createMock(PrivilegeEntity.class);
+ expect(privilegeEntity.getId()).andReturn(1).atLeastOnce();
+ expect(privilegeEntity.getPermission()).andReturn(permissionEntity).atLeastOnce();
+ expect(privilegeEntity.getPrincipal()).andReturn(principalEntity).atLeastOnce();
+ expect(privilegeEntity.getResource()).andReturn(resourceEntity).atLeastOnce();
+
+ expect(principalEntity.getPrivileges()).andReturn(Sets.newHashSet(privilegeEntity)).atLeastOnce();
UserEntity userEntity = createMock(UserEntity.class);
expect(userEntity.getUserName()).andReturn("jdoe").atLeastOnce();
expect(userEntity.getPrincipal()).andReturn(principalEntity).atLeastOnce();
+ expect(userEntity.getMemberEntities()).andReturn(Sets.<MemberEntity>newHashSet()).atLeastOnce();
ClusterDAO clusterDAO = createMock(ClusterDAO.class);
GroupDAO groupDAO = createMock(GroupDAO.class);
ViewInstanceDAO viewInstanceDAO = createMock(ViewInstanceDAO.class);
expect(viewInstanceDAO.findByResourceId(1L)).andReturn(viewInstanceEntity).atLeastOnce();
+ expect(viewInstanceDAO.findAll()).andReturn(Lists.newArrayList(viewInstanceEntity)).atLeastOnce();
final UserDAO userDAO = createNiceMock(UserDAO.class);
expect(userDAO.findLocalUserByName("jdoe")).andReturn(userEntity).anyTimes();
expect(userDAO.findUserByPrincipal(anyObject(PrincipalEntity.class))).andReturn(userEntity).anyTimes();
- final PrivilegeDAO privilegeDAO = createMock(PrivilegeDAO.class);
- final MemberDAO memberDAO = createMock(MemberDAO.class);
-
- final TestUsers users = new TestUsers();
- users.setPrivilegeDAO(privilegeDAO);
- users.setMemberDAO(memberDAO);
-
- List<PrincipalEntity> rolePrincipals = new LinkedList<PrincipalEntity>();
- rolePrincipals.add(rolePrincipalEntity);
-
- List<PrincipalEntity> userPrincipals = new LinkedList<PrincipalEntity>();
- userPrincipals.add(principalEntity);
-
- expect(privilegeDAO.findAllByPrincipal(userPrincipals)).
- andReturn(Collections.singletonList(explicitPrivilegeEntity))
- .once();
- // Implicit privileges...
- expect(privilegeDAO.findAllByPrincipal(rolePrincipals)).
- andReturn(Collections.singletonList(implicitPrivilegeEntity))
- .once();
- expect(memberDAO.findAllMembersByUser(userEntity)).
- andReturn(Collections.<MemberEntity>emptyList())
- .atLeastOnce();
+ PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+ expect(privilegeDAO.findByResourceId(1L)).andReturn(Lists.newArrayList(privilegeEntity, privilegeEntityViewWithClusterAdminAccess)).anyTimes();
replayAll();
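Review bot: `viewInstanceEntity.getClusterHandle()` is stubbed to `1L`, while the authentication installed at the top of this test (previous hunk, `createClusterAdministrator("jdoe", 2L)`) grants cluster-administrator on cluster 2; if the inherited-permission check compares the view's cluster handle with the cluster the caller administers, this test exercises the non-matching case and may pass for a reason other than the one its name claims. Align the two ids, `expect(viewInstanceEntity.getClusterHandle()).andReturn(2L).atLeastOnce();`, or add a second case for the mismatch so the cluster-scope boundary is pinned explicitly. The `privilegeDAO` stub is a nice mock with `.anyTimes()`, so nothing fails if `findByResourceId(1L)` is never consulted; `.atLeastOnce()` would make the inherited-privilege path verifiable. The test method starts and ends outside this hunk.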
@@ -421,7 +404,7 @@ public class UserPrivilegeResourceProviderTest extends AbstractPrivilegeResource
TestAuthenticationFactory.createClusterAdministrator("jdoe", 2L);
Request request = PropertyHelper.getReadRequest(propertyIds);
- UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
+ UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
UserPrivilegeResourceProvider provider = new UserPrivilegeResourceProvider();
Set<Resource> resources = provider.getResources(request, predicate);
@@ -441,6 +424,7 @@ public class UserPrivilegeResourceProviderTest extends AbstractPrivilegeResource
final GroupDAO groupDAO = createNiceMock(GroupDAO.class);
final ClusterDAO clusterDAO = createNiceMock(ClusterDAO.class);
final ViewInstanceDAO viewInstanceDAO = createNiceMock(ViewInstanceDAO.class);
+ final PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
final UserEntity userEntity = createNiceMock(UserEntity.class);
final PrincipalEntity principalEntity = createNiceMock(PrincipalEntity.class);
final PrivilegeEntity privilegeEntity = createNiceMock(PrivilegeEntity.class);
@@ -448,22 +432,7 @@ public class UserPrivilegeResourceProviderTest extends AbstractPrivilegeResource
final PrincipalTypeEntity principalTypeEntity = createNiceMock(PrincipalTypeEntity.class);
final ResourceEntity resourceEntity = createNiceMock(ResourceEntity.class);
final ResourceTypeEntity resourceTypeEntity = createNiceMock(ResourceTypeEntity.class);
- final PrivilegeDAO privilegeDAO = createMock(PrivilegeDAO.class);
- final MemberDAO memberDAO = createMock(MemberDAO.class);
-
- final TestUsers users = new TestUsers();
- users.setPrivilegeDAO(privilegeDAO);
- users.setMemberDAO(memberDAO);
-
- List<PrincipalEntity> userPrincipals = new LinkedList<PrincipalEntity>();
- userPrincipals.add(principalEntity);
-
- expect(privilegeDAO.findAllByPrincipal(userPrincipals)).
- andReturn(Collections.singletonList(privilegeEntity))
- .atLeastOnce();
- expect(memberDAO.findAllMembersByUser(userEntity)).
- andReturn(Collections.<MemberEntity>emptyList())
- .atLeastOnce();
+
expect(userDAO.findLocalUserByName(requestedUsername)).andReturn(userEntity).anyTimes();
expect(userEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
expect(userEntity.getMemberEntities()).andReturn(Collections.<MemberEntity>emptySet()).anyTimes();
@@ -485,7 +454,7 @@ public class UserPrivilegeResourceProviderTest extends AbstractPrivilegeResource
replayAll();
- UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
+ UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
final Set<String> propertyIds = new HashSet<String>();
propertyIds.add(UserPrivilegeResourceProvider.PRIVILEGE_USER_NAME_PROPERTY_ID);
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProviderTest.java
index 20ecc88..d85b37b 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProviderTest.java
@@ -1,4 +1,4 @@
-/*
+/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -30,6 +30,7 @@ import org.apache.ambari.server.orm.dao.ResourceTypeDAO;
import org.apache.ambari.server.orm.dao.UserDAO;
import org.apache.ambari.server.orm.dao.ViewDAO;
import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
+import org.apache.ambari.server.orm.entities.GroupEntity;
import org.apache.ambari.server.orm.entities.PermissionEntity;
import org.apache.ambari.server.orm.entities.PrincipalEntity;
import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
@@ -52,6 +53,7 @@ import org.junit.BeforeClass;
import org.junit.Test;
import org.springframework.security.core.context.SecurityContextHolder;
+import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
@@ -144,6 +146,7 @@ public class ViewPrivilegeResourceProviderTest {
expect(permissionDAO.findById(PermissionEntity.VIEW_USER_PERMISSION)).andReturn(permissionEntity);
expect(userDAO.findUsersByPrincipal(principalEntities)).andReturn(userEntities);
+ expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList());
replay(privilegeDAO, userDAO, groupDAO, principalDAO, permissionDAO, resourceDAO, privilegeEntity, resourceEntity,
userEntity, principalEntity, permissionEntity, principalTypeEntity);
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
index d376d4b..47211ef 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
@@ -362,6 +362,72 @@ public class AuthorizationHelperTest extends EasyMockSupport {
}
@Test
+ public void testIsAuthorizedForClusterInheritedPermission() {
+
+ ResourceTypeEntity clusterResourceTypeEntity = new ResourceTypeEntity();
+ clusterResourceTypeEntity.setId(1);
+ clusterResourceTypeEntity.setName(ResourceType.CLUSTER.name());
+
+ ResourceEntity clusterResourceEntity = new ResourceEntity();
+ clusterResourceEntity.setResourceType(clusterResourceTypeEntity);
+ clusterResourceEntity.setId(1L);
+
+ PermissionEntity clusterPermissionEntity = new PermissionEntity();
+ clusterPermissionEntity.setPermissionName("CLUSTER.ADMINISTRATOR");
+
+ RoleAuthorizationEntity readOnlyRoleAuthorizationEntity = new RoleAuthorizationEntity();
+ readOnlyRoleAuthorizationEntity.setAuthorizationId(RoleAuthorization.CLUSTER_VIEW_METRICS.getId());
+
+ RoleAuthorizationEntity privilegedRoleAuthorizationEntity = new RoleAuthorizationEntity();
+ privilegedRoleAuthorizationEntity.setAuthorizationId(RoleAuthorization.CLUSTER_TOGGLE_KERBEROS.getId());
+
+
+ clusterPermissionEntity.setAuthorizations(Arrays.asList(readOnlyRoleAuthorizationEntity,
+ privilegedRoleAuthorizationEntity));
+
+ PrivilegeEntity clusterPrivilegeEntity = new PrivilegeEntity();
+ clusterPrivilegeEntity.setPermission(clusterPermissionEntity);
+ clusterPrivilegeEntity.setResource(clusterResourceEntity);
+
+ GrantedAuthority clusterAuthority = new AmbariGrantedAuthority(clusterPrivilegeEntity);
+ Authentication clusterUser = new TestAuthentication(Collections.singleton(clusterAuthority));
+
+
+ Provider viewInstanceDAOProvider = createNiceMock(Provider.class);
+ Provider privilegeDAOProvider = createNiceMock(Provider.class);
+
+ ViewInstanceDAO viewInstanceDAO = createNiceMock(ViewInstanceDAO.class);
+ PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+
+ ViewInstanceEntity viewInstanceEntity = createNiceMock(ViewInstanceEntity.class);
+ expect(viewInstanceEntity.getClusterHandle()).andReturn(1L).anyTimes();
+
+ PrivilegeEntity privilegeEntity = createNiceMock(PrivilegeEntity.class);
+ PrincipalEntity principalEntity = createNiceMock(PrincipalEntity.class);
+ PrincipalTypeEntity principalTypeEntity = createNiceMock(PrincipalTypeEntity.class);
+
+ expect(viewInstanceDAOProvider.get()).andReturn(viewInstanceDAO).anyTimes();
+ expect(privilegeDAOProvider.get()).andReturn(privilegeDAO).anyTimes();
+
+ expect(viewInstanceDAO.findByResourceId(2L)).andReturn(viewInstanceEntity).anyTimes();
+
+ expect(privilegeDAO.findByResourceId(2L)).andReturn(Lists.newArrayList(privilegeEntity)).anyTimes();
+
+ expect(principalTypeEntity.getName()).andReturn("ALL.CLUSTER.ADMINISTRATOR").anyTimes();
+ expect(principalEntity.getPrincipalType()).andReturn(principalTypeEntity).anyTimes();
+ expect(privilegeEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
+
+ replayAll();
+
+ AuthorizationHelper.viewInstanceDAOProvider = viewInstanceDAOProvider;
+ AuthorizationHelper.privilegeDAOProvider = privilegeDAOProvider;
+
+ SecurityContext context = SecurityContextHolder.getContext();
+ context.setAuthentication(clusterUser);
+
+ assertTrue(AuthorizationHelper.isAuthorized(ResourceType.VIEW, 2L, EnumSet.of(RoleAuthorization.VIEW_USE)));
+ }
+
public void testIsAuthorizedForSpecificView() {
RoleAuthorizationEntity readOnlyRoleAuthorizationEntity = new RoleAuthorizationEntity();
readOnlyRoleAuthorizationEntity.setAuthorizationId(RoleAuthorization.CLUSTER_VIEW_METRICS.getId());
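Review bot: The `@Test` annotation that preceded `testIsAuthorizedForSpecificView()` now sits directly above the inserted method, and the context line `public void testIsAuthorizedForSpecificView() {` follows the added blank line with no annotation of its own, so that authorization test silently stops running; add `@Test` immediately before it. The new test also assigns the static `AuthorizationHelper.viewInstanceDAOProvider` and `AuthorizationHelper.privilegeDAOProvider` fields and never restores them, so the nice-mock providers leak into every test that runs afterwards in the same JVM; capture the previous values and reset them in a `finally` block or an `@After` method. `Provider` is used as a raw type on the two `createNiceMock(Provider.class)` lines; a narrowly scoped `@SuppressWarnings("unchecked")` cast to `Provider<ViewInstanceDAO>` / `Provider<PrivilegeDAO>` would document the intent. `testIsAuthorizedForSpecificView` continues past the end of the hunk.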
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog242Test.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog242Test.java b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog242Test.java
index 29bf820..4457858 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog242Test.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog242Test.java
@@ -20,8 +20,6 @@ package org.apache.ambari.server.upgrade;
import javax.persistence.EntityManager;
import junit.framework.Assert;
-
-import static org.easymock.EasyMock.anyString;
import static org.easymock.EasyMock.aryEq;
import static org.easymock.EasyMock.capture;
import static org.easymock.EasyMock.createMockBuilder;
@@ -36,13 +34,7 @@ import static org.easymock.EasyMock.reset;
import static org.easymock.EasyMock.verify;
import java.lang.reflect.Method;
-import java.sql.SQLException;
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-import org.apache.ambari.server.AmbariException;
import org.apache.ambari.server.api.services.AmbariMetaInfo;
import org.apache.ambari.server.configuration.Configuration;
import org.apache.ambari.server.controller.AmbariManagementController;
@@ -52,22 +44,12 @@ import org.apache.ambari.server.orm.InMemoryDefaultTestModule;
import org.apache.ambari.server.orm.dao.ClusterDAO;
import org.apache.ambari.server.orm.dao.ClusterVersionDAO;
import org.apache.ambari.server.orm.dao.HostVersionDAO;
-import org.apache.ambari.server.orm.dao.PermissionDAO;
-import org.apache.ambari.server.orm.dao.PrincipalDAO;
-import org.apache.ambari.server.orm.dao.PrincipalTypeDAO;
-import org.apache.ambari.server.orm.dao.PrivilegeDAO;
import org.apache.ambari.server.orm.dao.RepositoryVersionDAO;
import org.apache.ambari.server.orm.dao.StackDAO;
-import org.apache.ambari.server.orm.entities.PermissionEntity;
-import org.apache.ambari.server.orm.entities.PrincipalEntity;
-import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
-import org.apache.ambari.server.orm.entities.PrivilegeEntity;
-import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.StackEntity;
import org.apache.ambari.server.state.stack.OsFamily;
import org.easymock.Capture;
import org.easymock.EasyMock;
-import org.easymock.EasyMockSupport;
import org.easymock.IMocksControl;
import org.junit.After;
import org.junit.Before;
@@ -237,19 +219,16 @@ public class UpgradeCatalog242Test {
@Test
public void testExecuteDMLUpdates() throws Exception {
Method addNewConfigurationsFromXml = AbstractUpgradeCatalog.class.getDeclaredMethod("addNewConfigurationsFromXml");
- Method convertRolePrincipals = UpgradeCatalog242.class.getDeclaredMethod("convertRolePrincipals");
+
UpgradeCatalog242 upgradeCatalog242 = createMockBuilder(UpgradeCatalog242.class)
- .addMockedMethod(addNewConfigurationsFromXml)
- .addMockedMethod(convertRolePrincipals)
- .createMock();
+ .addMockedMethod(addNewConfigurationsFromXml)
+ .createMock();
upgradeCatalog242.addNewConfigurationsFromXml();
expectLastCall().once();
- upgradeCatalog242.convertRolePrincipals();
- expectLastCall().once();
replay(upgradeCatalog242);
@@ -257,111 +236,4 @@ public class UpgradeCatalog242Test {
verify(upgradeCatalog242);
}
-
- @Test
- public void testConvertRolePrincipals() throws AmbariException, SQLException {
-
- EasyMockSupport easyMockSupport = new EasyMockSupport();
-
- PrincipalEntity clusterAdministratorPrincipalEntity = easyMockSupport.createMock(PrincipalEntity.class);
-
- PermissionEntity clusterAdministratorPermissionEntity = easyMockSupport.createMock(PermissionEntity.class);
- expect(clusterAdministratorPermissionEntity.getPrincipal())
- .andReturn(clusterAdministratorPrincipalEntity)
- .once();
-
- PrincipalTypeEntity allClusterAdministratorPrincipalTypeEntity = easyMockSupport.createMock(PrincipalTypeEntity.class);
-
- PermissionDAO permissionDAO = easyMockSupport.createMock(PermissionDAO.class);
- expect(permissionDAO.findByName("CLUSTER.ADMINISTRATOR"))
- .andReturn(clusterAdministratorPermissionEntity)
- .once();
- expect(permissionDAO.findByName(anyString()))
- .andReturn(null)
- .anyTimes();
-
- PrincipalTypeDAO principalTypeDAO = easyMockSupport.createMock(PrincipalTypeDAO.class);
- expect(principalTypeDAO.findByName("ALL.CLUSTER.ADMINISTRATOR"))
- .andReturn(allClusterAdministratorPrincipalTypeEntity)
- .once();
- expect(principalTypeDAO.findByName(anyString()))
- .andReturn(null)
- .anyTimes();
- principalTypeDAO.remove(allClusterAdministratorPrincipalTypeEntity);
- expectLastCall().once();
-
- ResourceEntity allClusterAdministratorPrivilege1Resource = easyMockSupport.createMock(ResourceEntity.class);
- expect(allClusterAdministratorPrivilege1Resource.getId()).andReturn(1L).once();
-
- PrincipalEntity allClusterAdministratorPrivilege1Principal = easyMockSupport.createMock(PrincipalEntity.class);
- expect(allClusterAdministratorPrivilege1Principal.getId()).andReturn(1L).once();
-
- PermissionEntity allClusterAdministratorPrivilege1Permission = easyMockSupport.createMock(PermissionEntity.class);
- expect(allClusterAdministratorPrivilege1Permission.getId()).andReturn(1).once();
-
- PrivilegeEntity allClusterAdministratorPrivilege1 = easyMockSupport.createMock(PrivilegeEntity.class);
- expect(allClusterAdministratorPrivilege1.getId()).andReturn(1).atLeastOnce();
- expect(allClusterAdministratorPrivilege1.getResource()).andReturn(allClusterAdministratorPrivilege1Resource).once();
- expect(allClusterAdministratorPrivilege1.getPrincipal()).andReturn(allClusterAdministratorPrivilege1Principal).once();
- expect(allClusterAdministratorPrivilege1.getPermission()).andReturn(allClusterAdministratorPrivilege1Permission).once();
- allClusterAdministratorPrivilege1.setPrincipal(clusterAdministratorPrincipalEntity);
- expectLastCall().once();
-
- ResourceEntity allClusterAdministratorPrivilege2Resource = easyMockSupport.createMock(ResourceEntity.class);
- expect(allClusterAdministratorPrivilege2Resource.getId()).andReturn(2L).once();
-
- PrincipalEntity allClusterAdministratorPrivilege2Principal = easyMockSupport.createMock(PrincipalEntity.class);
- expect(allClusterAdministratorPrivilege2Principal.getId()).andReturn(2L).once();
-
- PermissionEntity allClusterAdministratorPrivilege2Permission = easyMockSupport.createMock(PermissionEntity.class);
- expect(allClusterAdministratorPrivilege2Permission.getId()).andReturn(2).once();
-
- PrivilegeEntity allClusterAdministratorPrivilege2 = easyMockSupport.createMock(PrivilegeEntity.class);
- expect(allClusterAdministratorPrivilege2.getId()).andReturn(2).atLeastOnce();
- expect(allClusterAdministratorPrivilege2.getResource()).andReturn(allClusterAdministratorPrivilege2Resource).once();
- expect(allClusterAdministratorPrivilege2.getPrincipal()).andReturn(allClusterAdministratorPrivilege2Principal).once();
- expect(allClusterAdministratorPrivilege2.getPermission()).andReturn(allClusterAdministratorPrivilege2Permission).once();
- allClusterAdministratorPrivilege2.setPrincipal(clusterAdministratorPrincipalEntity);
- expectLastCall().once();
-
- Set<PrivilegeEntity> allClusterAdministratorPrivileges = new HashSet<PrivilegeEntity>();
- allClusterAdministratorPrivileges.add(allClusterAdministratorPrivilege1);
- allClusterAdministratorPrivileges.add(allClusterAdministratorPrivilege2);
-
- PrincipalEntity allClusterAdministratorPrincipalEntity = easyMockSupport.createMock(PrincipalEntity.class);
- expect(allClusterAdministratorPrincipalEntity.getPrivileges())
- .andReturn(allClusterAdministratorPrivileges)
- .once();
-
- List<PrincipalEntity> allClusterAdministratorPrincipals = new ArrayList<PrincipalEntity>();
- allClusterAdministratorPrincipals.add(allClusterAdministratorPrincipalEntity);
-
- PrincipalDAO principalDAO = easyMockSupport.createMock(PrincipalDAO.class);
- expect(principalDAO.findByPrincipalType("ALL.CLUSTER.ADMINISTRATOR"))
- .andReturn(allClusterAdministratorPrincipals)
- .once();
- principalDAO.remove(allClusterAdministratorPrincipalEntity);
- expectLastCall().once();
-
-
- PrivilegeDAO privilegeDAO = easyMockSupport.createMock(PrivilegeDAO.class);
- expect(privilegeDAO.merge(allClusterAdministratorPrivilege1))
- .andReturn(allClusterAdministratorPrivilege1)
- .once();
- expect(privilegeDAO.merge(allClusterAdministratorPrivilege2))
- .andReturn(allClusterAdministratorPrivilege2)
- .once();
-
- Injector injector = easyMockSupport.createNiceMock(Injector.class);
- expect(injector.getInstance(PrincipalTypeDAO.class)).andReturn(principalTypeDAO).atLeastOnce();
- expect(injector.getInstance(PrincipalDAO.class)).andReturn(principalDAO).atLeastOnce();
- expect(injector.getInstance(PermissionDAO.class)).andReturn(permissionDAO).atLeastOnce();
- expect(injector.getInstance(PrivilegeDAO.class)).andReturn(privilegeDAO).atLeastOnce();
-
- easyMockSupport.replayAll();
- UpgradeCatalog242 upgradeCatalog = new UpgradeCatalog242(injector);
- injector.injectMembers(upgradeCatalog);
- upgradeCatalog.convertRolePrincipals();
- easyMockSupport.verifyAll();
- }
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/test/java/org/apache/ambari/server/view/configuration/AutoInstanceConfigTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/view/configuration/AutoInstanceConfigTest.java b/ambari-server/src/test/java/org/apache/ambari/server/view/configuration/AutoInstanceConfigTest.java
index a24f041..3c4a440 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/view/configuration/AutoInstanceConfigTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/view/configuration/AutoInstanceConfigTest.java
@@ -1,4 +1,4 @@
-/*
+/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -22,8 +22,9 @@ import junit.framework.Assert;
import org.junit.Test;
import javax.xml.bind.JAXBException;
-import java.util.Collection;
+import java.util.LinkedList;
import java.util.List;
+import java.util.Set;
import static org.junit.Assert.*;
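Review bot: `java.util.LinkedList` and `java.util.Set` are imported on the new side, but nothing visible in this file's hunks uses either; the assertions further down operate on `List<String>` only. Unless a part of the test outside these hunks references them, they are unused imports brought back by the revert and `import java.util.List;` is the only collection import this file needs.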
@@ -74,7 +75,7 @@ public class AutoInstanceConfigTest {
" </property>\n" +
" <stack-id>HDP-2.0</stack-id>\n" +
" <services><service>HIVE</service><service>HDFS</service></services>\n" +
- " <roles><role>CLUSTER.OPERATOR </role><role> CLUSTER.USER</role></roles>\n" +
+ " <permissions>ALL.CLUSTER.OPERATOR, ALL.CLUSTER.USER</permissions>\n" +
" </auto-instance>\n" +
"</view>";
@@ -112,13 +113,13 @@ public class AutoInstanceConfigTest {
@Test
public void shouldParseClusterInheritedPermissions() throws Exception {
AutoInstanceConfig config = getAutoInstanceConfigs(VIEW_XML);
- Collection<String> roles = config.getRoles();
- assertEquals(2, roles.size());
- assertTrue(roles.contains("CLUSTER.OPERATOR"));
- assertTrue(roles.contains("CLUSTER.USER"));
+ List<String> permissions = config.getPermissions();
+ assertEquals(2, permissions.size());
+ assertTrue(permissions.contains("ALL.CLUSTER.OPERATOR"));
+ assertTrue(permissions.contains("ALL.CLUSTER.USER"));
}
- private static AutoInstanceConfig getAutoInstanceConfigs(String xml) throws JAXBException {
+ public static AutoInstanceConfig getAutoInstanceConfigs(String xml) throws JAXBException {
ViewConfig config = ViewConfigTest.getConfig(xml);
return config.getAutoInstance();
}
[4/4] ambari git commit: AMBARI-18365. Authorizations given to roles,
should use generic role-based principals rather than hard-coded
pseudo-role-based principals (rlevas)
Posted by rl...@apache.org.
AMBARI-18365. Authorizations given to roles, should use generic role-based principals rather than hard-coded pseudo-role-based principals (rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/176c691e
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/176c691e
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/176c691e
Branch: refs/heads/trunk
Commit: 176c691eaed6dbf639617f6208f7fb117597c1ce
Parents: b90b286
Author: Robert Levas <rl...@hortonworks.com>
Authored: Fri Oct 21 16:01:44 2016 -0400
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Fri Oct 21 16:01:44 2016 -0400
----------------------------------------------------------------------
.../controllers/ambariViews/ViewsEditCtrl.js | 16 +-
.../ui/admin-web/app/scripts/i18n.config.js | 10 +-
.../app/scripts/services/PermissionLoader.js | 11 +-
.../app/scripts/services/PermissionsSaver.js | 8 +-
.../ui/admin-web/app/scripts/services/View.js | 12 +-
.../admin-web/app/views/ambariViews/edit.html | 4 +-
.../test/unit/services/PermissionSaver_test.js | 16 +-
...ClusterPrivilegeChangeRequestAuditEvent.java | 21 +-
.../ViewPrivilegeChangeRequestAuditEvent.java | 18 +-
.../eventcreator/PrivilegeEventCreator.java | 4 +-
.../eventcreator/ViewPrivilegeEventCreator.java | 4 +-
.../ambari/server/controller/AmbariServer.java | 2 +-
.../AmbariPrivilegeResourceProvider.java | 9 +-
.../ClusterPrivilegeResourceProvider.java | 3 +-
.../GroupPrivilegeResourceProvider.java | 18 +-
.../internal/PrivilegeResourceProvider.java | 114 +++++++---
.../internal/UserPrivilegeResourceProvider.java | 49 ++---
.../internal/ViewPrivilegeResourceProvider.java | 8 +-
.../ambari/server/orm/dao/PermissionDAO.java | 35 ++-
.../ambari/server/orm/dao/PrincipalDAO.java | 13 +-
.../ambari/server/orm/dao/PrincipalTypeDAO.java | 29 ++-
.../server/orm/entities/PermissionEntity.java | 6 +
.../orm/entities/PrincipalTypeEntity.java | 17 +-
.../authorization/AuthorizationHelper.java | 56 +----
.../ClusterInheritedPermissionHelper.java | 213 -------------------
.../server/security/authorization/Users.java | 145 +++++++++++--
.../server/upgrade/UpgradeCatalog242.java | 100 +++++++++
.../apache/ambari/server/view/ViewRegistry.java | 75 +++----
.../view/configuration/AutoInstanceConfig.java | 43 ++--
.../main/resources/Ambari-DDL-Derby-CREATE.sql | 10 -
.../main/resources/Ambari-DDL-MySQL-CREATE.sql | 5 -
.../main/resources/Ambari-DDL-Oracle-CREATE.sql | 10 -
.../resources/Ambari-DDL-Postgres-CREATE.sql | 5 -
.../resources/Ambari-DDL-SQLAnywhere-CREATE.sql | 10 -
.../resources/Ambari-DDL-SQLServer-CREATE.sql | 5 -
.../AbstractPrivilegeResourceProviderTest.java | 38 ++++
.../AmbariPrivilegeResourceProviderTest.java | 21 +-
.../ClusterPrivilegeResourceProviderTest.java | 8 -
.../GroupPrivilegeResourceProviderTest.java | 67 +++---
.../UserPrivilegeResourceProviderTest.java | 113 ++++++----
.../ViewPrivilegeResourceProviderTest.java | 5 +-
.../authorization/AuthorizationHelperTest.java | 66 ------
.../server/upgrade/UpgradeCatalog242Test.java | 134 +++++++++++-
.../configuration/AutoInstanceConfigTest.java | 17 +-
44 files changed, 857 insertions(+), 716 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js
index bd74b16..834efdb 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js
@@ -23,7 +23,7 @@ angular.module('ambariAdminConsole')
$scope.identity = angular.identity;
$scope.isConfigurationEmpty = true;
$scope.isSettingsEmpty = true;
- $scope.clusterInheritedPermissionKeys = View.clusterInheritedPermissionKeys;
+ $scope.permissionRoles = View.permissionRoles;
$scope.constants = {
instance: $t('views.instance'),
props: $t('views.properties'),
@@ -352,7 +352,7 @@ angular.module('ambariAdminConsole')
data.ViewInstanceInfo.properties[element.name] = $scope.configuration[element.name];
}
});
- $scope.clearClusterInheritedPermissions();
+ $scope.removeAllRolePermissions();
}
@@ -417,9 +417,9 @@ angular.module('ambariAdminConsole')
});
};
- $scope.clearClusterInheritedPermissions = function() {
- angular.forEach(View.clusterInheritedPermissionKeys, function(key) {
- $scope.permissionsEdit["VIEW.USER"][key] = false;
+ $scope.removeAllRolePermissions = function() {
+ angular.forEach(View.permissionRoles, function(key) {
+ $scope.permissionsEdit["VIEW.USER"]["ROLE"][key] = false;
})
};
@@ -510,11 +510,9 @@ angular.module('ambariAdminConsole')
};
function setAllViewRoles(value) {
- var viewRoles = $scope.permissionsEdit["VIEW.USER"];
+ var viewRoles = $scope.permissionsEdit["VIEW.USER"]["ROLE"];
for (var role in viewRoles) {
- if ($scope.clusterInheritedPermissionKeys.indexOf(role) !== -1) {
- viewRoles[role] = value;
- }
+ $scope.permissionsEdit["VIEW.USER"]["ROLE"][role] = value;
}
}
}]);
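Review bot: In `setAllViewRoles` the loop body re-resolves `$scope.permissionsEdit["VIEW.USER"]["ROLE"][role]` on every iteration although `viewRoles` already refers to that same object one line above; `viewRoles[role] = value;` is equivalent and reads as intended. The `for...in` also walks inherited enumerable properties; that is harmless while `ROLE` is a plain object populated from `View.permissionRoles`, but iterating `View.permissionRoles` directly, as `removeAllRolePermissions` does in the hunk above, would make the two helpers consistent.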
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js
index af22d7f..cd9b922 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js
@@ -234,11 +234,11 @@ angular.module('ambariAdminConsole')
'clusterPermissions': {
'label': 'Local Cluster Permissions',
- 'allclusteradministrator': 'Cluster Administrator',
- 'allclusteroperator': 'Cluster Operator',
- 'allclusteruser': 'Cluster User',
- 'allserviceadministrator': 'Service Administrator',
- 'allserviceoperator': 'Service Operator',
+ 'clusteradministrator': 'Cluster Administrator',
+ 'clusteroperator': 'Cluster Operator',
+ 'clusteruser': 'Cluster User',
+ 'serviceadministrator': 'Service Administrator',
+ 'serviceoperator': 'Service Operator',
'infoMessage': 'Grant <strong>Use</strong> permission for the following <strong>{{cluster}}</strong> Roles:',
'nonLocalClusterMessage': 'The ability to inherit view <strong>Use</strong> permission based on Cluster Roles is only available when using a Local Cluster configuration.'
},
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js
index 988986b..9cc04e4 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js
@@ -28,8 +28,9 @@ angular.module('ambariAdminConsole')
angular.forEach(permissions, function(permission) {
permission.GROUP = [];
permission.USER = [];
- angular.forEach(View.clusterInheritedPermissionKeys, function(key) {
- permission[key] = false;
+ permission.ROLE = {};
+ angular.forEach(View.permissionRoles, function(key) {
+ permission.ROLE[key] = false;
});
permissionsInner[permission.PermissionInfo.permission_name] = permission;
});
@@ -37,10 +38,10 @@ angular.module('ambariAdminConsole')
// Now we can get privileges
resource.getPrivileges(params).then(function(privileges) {
angular.forEach(privileges, function(privilege) {
- if(!privilege.PrivilegeInfo.principal_type.startsWith("ALL.")) {
- permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type].push(privilege.PrivilegeInfo.principal_name);
+ if(privilege.PrivilegeInfo.principal_type == "ROLE") {
+ permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type][privilege.PrivilegeInfo.principal_name] = true;
} else {
- permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type] = true;
+ permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type].push(privilege.PrivilegeInfo.principal_name);
}
});
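Review bot: `privilege.PrivilegeInfo.principal_type == "ROLE"` uses loose equality; prefer `===` so no coercion is involved in deciding which bucket a privilege lands in. The `else` branch now calls `.push` on `permissionsInner[...][principal_type]` for every non-ROLE type, whereas the old code only did so for types not prefixed `ALL.`; if the server ever returns a principal type other than USER, GROUP or ROLE, that lookup is undefined and the callback throws, so one unexpected privilege hides all that follow it. A guard such as `var bucket = permissionsInner[...][principal_type]; if (bucket) { bucket.push(...); }` keeps the loader tolerant.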
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js
index c7b9295..c170235 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js
@@ -48,13 +48,13 @@ angular.module('ambariAdminConsole')
}
}));
- angular.forEach(View.clusterInheritedPermissionKeys, function(key) {
- if(permission[key] === true) {
+ angular.forEach(View.permissionRoles, function(key) {
+ if(permission.ROLE[key] === true) {
arr.push({
'PrivilegeInfo': {
'permission_name': 'VIEW.USER',
- 'principal_name': '*',
- 'principal_type': key
+ 'principal_name': key,
+ 'principal_type': 'ROLE'
}
});
}
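Review bot: `permission.ROLE[key] === true` assumes every `permission` handed to the saver carries the `ROLE` object that PermissionLoader attaches; a permission object constructed elsewhere (a caller that skips the loader, or a hand-built fixture) would throw a TypeError here instead of simply saving no role privileges. A defensive `if (permission.ROLE && permission.ROLE[key] === true)` keeps the previous tolerance. The enclosing function starts outside the hunk.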
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js
index 5bc0509..f549b29 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js
@@ -191,12 +191,12 @@ angular.module('ambariAdminConsole')
self.versionsList = item.versions;
}
- View.clusterInheritedPermissionKeys = [
- "ALL.CLUSTER.ADMINISTRATOR",
- "ALL.CLUSTER.OPERATOR",
- "ALL.SERVICE.OPERATOR",
- "ALL.SERVICE.ADMINISTRATOR",
- "ALL.CLUSTER.USER"
+ View.permissionRoles = [
+ "CLUSTER.ADMINISTRATOR",
+ "CLUSTER.OPERATOR",
+ "SERVICE.OPERATOR",
+ "SERVICE.ADMINISTRATOR",
+ "CLUSTER.USER"
];
View.getInstance = function(viewName, version, instanceName) {
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html b/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html
index 69eb1c1..418c115 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html
@@ -287,10 +287,10 @@
<span translate="views.clusterPermissions.infoMessage" translate-values="{cluster: cluster.name}"></span>
</div>
<div class="col-sm-offset-2 col-sm-10">
- <div class="checkbox col-sm-12" ng-repeat="key in clusterInheritedPermissionKeys">
+ <div class="checkbox col-sm-12" ng-repeat="key in permissionRoles">
<div ng-init="i18nKey = 'views.clusterPermissions.' + key.split('.').join('').toLowerCase()">
<label>
- <input type="checkbox" ng-model="permissionsEdit['VIEW.USER'][key]"> {{i18nKey | translate}}
+ <input type="checkbox" ng-model="permissionsEdit['VIEW.USER']['ROLE'][key]"> {{i18nKey | translate}}
</label>
</div>
</div>
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js b/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js
index fa36d98..6c662f2 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js
@@ -178,11 +178,13 @@ describe('PermissionSaver Service', function () {
'PermissionInfo': {
permission_name: 'VIEW.USER'
},
- 'ALL.CLUSTER.ADMINISTRATOR': true,
- 'ALL.CLUSTER.OPERATOR': false,
- 'ALL.SERVICE.OPERATOR': false,
- 'ALL.SERVICE.ADMINISTRATOR': false,
- 'ALL.CLUSTER.USER': false,
+ 'ROLE': {
+ 'CLUSTER.ADMINISTRATOR': true,
+ 'CLUSTER.OPERATOR': false,
+ 'SERVICE.OPERATOR': false,
+ 'SERVICE.ADMINISTRATOR': false,
+ 'CLUSTER.USER': false
+ },
'USER': ['u0', 'u1', 'g0'],
'GROUP': ['g0', 'g1', 'u0']
}
@@ -233,8 +235,8 @@ describe('PermissionSaver Service', function () {
{
PrivilegeInfo: {
permission_name: 'VIEW.USER',
- principal_name: '*',
- principal_type: 'ALL.CLUSTER.ADMINISTRATOR'
+ principal_name: 'CLUSTER.ADMINISTRATOR',
+ principal_type: 'ROLE'
}
}
];
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java
index b28bb2a..29fb7b4 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java
@@ -18,11 +18,9 @@
package org.apache.ambari.server.audit.event.request;
-import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
-import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
@@ -47,10 +45,16 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
/**
* Roles for groups
- * groupname -> list fo roles
+ * group name -> list of roles
*/
private Map<String, List<String>> groups;
+ /**
+ * Roles for roles
+ * role name -> list of roles
+ */
+ private Map<String, List<String>> roles;
+
public ClusterPrivilegeChangeRequestAuditEventBuilder() {
super.withOperation("Role change");
}
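Review bot: The Javadoc on the new `roles` field, `Roles for roles / role name -> list of roles`, does not say which side of the map is which; from the rendering code further down in this file (`roles.get(role)` emitted as a `Roles:` line under each role heading, alongside `groups.get(role)`) the key is the role being granted and the value the role-type principals that hold it. Suggest `Role principals per role: role name -> list of role principals granted that role`, mirroring the `users` and `groups` comments. The same wording problem (`Roles with their roles`) is in the corresponding field hunk of ViewPrivilegeChangeRequestAuditEvent.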
@@ -72,9 +76,10 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
SortedSet<String> roleSet = new TreeSet<String>();
roleSet.addAll(users.keySet());
roleSet.addAll(groups.keySet());
+ roleSet.addAll(roles.keySet());
builder.append(", Roles(");
- if (!users.isEmpty() || !groups.isEmpty()) {
+ if (!users.isEmpty() || !groups.isEmpty()|| !roles.isEmpty()) {
builder.append(System.lineSeparator());
}
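Review bot: `roleSet.addAll(roles.keySet())` and the new `!roles.isEmpty()` check dereference the `roles` field, which is only ever assigned through `withRoles(...)` and otherwise stays null, so any builder that does not call `withRoles` now throws a NullPointerException while rendering the audit message instead of producing the event. The same pattern is in the ViewPrivilegeChangeRequestAuditEvent hunk that adds `roleSet.addAll(roles.keySet())`. Either initialize the field, `private Map<String, List<String>> roles = Collections.emptyMap();` (with `java.util.Collections` imported), or null-guard in `withRoles` and at the use sites. The `||` before `!roles.isEmpty()` is also missing its leading space. The enclosing method starts and ends outside the hunk.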
@@ -88,6 +93,9 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
if (groups.get(role) != null && !groups.get(role).isEmpty()) {
lines.add(" Groups: " + StringUtils.join(groups.get(role), ", "));
}
+ if (roles.get(role) != null && !roles.get(role).isEmpty()) {
+ lines.add(" Roles: " + StringUtils.join(roles.get(role), ", "));
+ }
}
builder.append(StringUtils.join(lines, System.lineSeparator()));
@@ -104,6 +112,11 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
this.groups = groups;
return this;
}
+
+ public ClusterPrivilegeChangeRequestAuditEventBuilder withRoles(Map<String, List<String>> roles) {
+ this.roles = roles;
+ return this;
+ }
}
protected ClusterPrivilegeChangeRequestAuditEvent() {
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java
index 11c558c..73c1aa6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java
@@ -18,11 +18,9 @@
package org.apache.ambari.server.audit.event.request;
-import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
-import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
@@ -50,6 +48,11 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
private Map<String, List<String>> groups;
/**
+ * Roles with their roles
+ */
+ private Map<String, List<String>> roles;
+
+ /**
* View name
*/
private String name;
@@ -94,9 +97,10 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
SortedSet<String> roleSet = new TreeSet<String>();
roleSet.addAll(users.keySet());
roleSet.addAll(groups.keySet());
+ roleSet.addAll(roles.keySet());
builder.append(", Permissions(");
- if (!users.isEmpty() || !groups.isEmpty()) {
+ if (!users.isEmpty() || !groups.isEmpty() || !roles.isEmpty()) {
builder.append(System.lineSeparator());
}
@@ -110,6 +114,9 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
if (groups.get(role) != null && !groups.get(role).isEmpty()) {
lines.add(" Groups: " + StringUtils.join(groups.get(role), ", "));
}
+ if (roles.get(role) != null && !roles.get(role).isEmpty()) {
+ lines.add(" Roles: " + StringUtils.join(roles.get(role), ", "));
+ }
}
builder.append(StringUtils.join(lines, System.lineSeparator()));
@@ -141,6 +148,11 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
this.groups = groups;
return this;
}
+
+ public ViewPrivilegeChangeRequestAuditEventBuilder withRoles(Map<String, List<String>> roles) {
+ this.roles = roles;
+ return this;
+ }
}
protected ViewPrivilegeChangeRequestAuditEvent() {
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java
index 5c476c6..a7be8e1 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java
@@ -33,8 +33,6 @@ import org.apache.ambari.server.audit.event.request.PrivilegeChangeRequestAuditE
import org.apache.ambari.server.controller.internal.PrivilegeResourceProvider;
import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.core.userdetails.User;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
@@ -88,6 +86,7 @@ public class PrivilegeEventCreator implements RequestAuditEventCreator {
Map<String, List<String>> users = getEntities(request, PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME);
Map<String, List<String>> groups = getEntities(request, PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME);
+ Map<String, List<String>> roles = getEntities(request, PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME);
switch (request.getRequestType()) {
case PUT:
@@ -99,6 +98,7 @@ public class PrivilegeEventCreator implements RequestAuditEventCreator {
.withRemoteIp(request.getRemoteAddress())
.withUsers(users)
.withGroups(groups)
+ .withRoles(roles)
.build();
case POST:
String role = users.isEmpty() ? Iterables.getFirst(groups.keySet(), null) : Iterables.getFirst(users.keySet(), null);
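Review bot: The `POST` branch still derives `role` only from `users` and `groups` (`String role = users.isEmpty() ? Iterables.getFirst(groups.keySet(), null) : ...`), so a privilege granted to a ROLE-type principal, which the new `roles` map now carries, yields a null role in the audit event for that grant. Since this is the record of who was granted what, the role-principal case should be covered as well, e.g. `String role = !users.isEmpty() ? Iterables.getFirst(users.keySet(), null) : !groups.isEmpty() ? Iterables.getFirst(groups.keySet(), null) : Iterables.getFirst(roles.keySet(), null);`. The rest of the POST branch is outside the hunk, so whether it also passes `roles` to the builder cannot be seen here.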
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
index 56d35c0..47983ff 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
@@ -32,8 +32,6 @@ import org.apache.ambari.server.audit.event.request.ViewPrivilegeChangeRequestAu
import org.apache.ambari.server.controller.internal.ViewPrivilegeResourceProvider;
import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.core.userdetails.User;
import com.google.common.collect.ImmutableSet;
@@ -87,6 +85,7 @@ public class ViewPrivilegeEventCreator implements RequestAuditEventCreator {
Map<String, List<String>> users = getEntities(request, PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME);
Map<String, List<String>> groups = getEntities(request, PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME);
+ Map<String, List<String>> roles = getEntities(request, PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME);
return ViewPrivilegeChangeRequestAuditEvent.builder()
.withTimestamp(System.currentTimeMillis())
@@ -99,6 +98,7 @@ public class ViewPrivilegeEventCreator implements RequestAuditEventCreator {
.withName(RequestAuditEventCreatorHelper.getProperty(request, ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID))
.withUsers(users)
.withGroups(groups)
+ .withRoles(roles)
.build();
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index 56e2398..68ee67f 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -876,7 +876,7 @@ public class AmbariServer {
injector.getInstance(GroupDAO.class), injector.getInstance(PrincipalDAO.class),
injector.getInstance(PermissionDAO.class), injector.getInstance(ResourceDAO.class));
UserPrivilegeResourceProvider.init(injector.getInstance(UserDAO.class), injector.getInstance(ClusterDAO.class),
- injector.getInstance(GroupDAO.class), injector.getInstance(ViewInstanceDAO.class), injector.getInstance(PrivilegeDAO.class));
+ injector.getInstance(GroupDAO.class), injector.getInstance(ViewInstanceDAO.class), injector.getInstance(Users.class));
ClusterPrivilegeResourceProvider.init(injector.getInstance(ClusterDAO.class));
AmbariPrivilegeResourceProvider.init(injector.getInstance(ClusterDAO.class));
ActionManager.setTopologyManager(injector.getInstance(TopologyManager.class));
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
index e5c95cb..bd17b6a 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -22,6 +22,7 @@ import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.orm.dao.ClusterDAO;
import org.apache.ambari.server.orm.entities.ClusterEntity;
import org.apache.ambari.server.orm.entities.GroupEntity;
+import org.apache.ambari.server.orm.entities.PermissionEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
@@ -148,8 +149,10 @@ public class AmbariPrivilegeResourceProvider extends PrivilegeResourceProvider<O
protected Resource toResource(PrivilegeEntity privilegeEntity,
Map<Long, UserEntity> userEntities,
Map<Long, GroupEntity> groupEntities,
- Map<Long, Object> resourceEntities, Set<String> requestedIds) {
- Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
+ Map<Long, PermissionEntity> roleEntities,
+ Map<Long, Object> resourceEntities,
+ Set<String> requestedIds) {
+ Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
if (resource != null) {
ResourceEntity resourceEntity = privilegeEntity.getResource();
ResourceTypeEntity type = resourceEntity.getResourceType();
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
index 8f37764..fb7bff3 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
@@ -147,10 +147,11 @@ public class ClusterPrivilegeResourceProvider extends PrivilegeResourceProvider<
protected Resource toResource(PrivilegeEntity privilegeEntity,
Map<Long, UserEntity> userEntities,
Map<Long, GroupEntity> groupEntities,
+ Map<Long, PermissionEntity> roleEntities,
Map<Long, ClusterEntity> resourceEntities,
Set<String> requestedIds) {
- Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
+ Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
if (resource != null) {
ClusterEntity clusterEntity = resourceEntities.get(privilegeEntity.getResource().getId());
setResourceProperty(resource, PRIVILEGE_CLUSTER_NAME_PROPERTY_ID, clusterEntity.getClusterName(), requestedIds);
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java
index 94d1cad..4b71b47 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java
@@ -28,7 +28,6 @@ import org.apache.ambari.server.controller.spi.SystemException;
import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
import org.apache.ambari.server.orm.dao.ClusterDAO;
import org.apache.ambari.server.orm.dao.GroupDAO;
-import org.apache.ambari.server.orm.dao.PrivilegeDAO;
import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
import org.apache.ambari.server.orm.entities.ClusterEntity;
import org.apache.ambari.server.orm.entities.GroupEntity;
@@ -38,6 +37,7 @@ import org.apache.ambari.server.orm.entities.ViewEntity;
import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
import org.apache.ambari.server.security.authorization.*;
+import java.util.Collection;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
@@ -81,10 +81,10 @@ public class GroupPrivilegeResourceProvider extends ReadOnlyResourceProvider {
protected static ViewInstanceDAO viewInstanceDAO;
/**
- * Data access object used to obtain privilege entities.
+ * Users (helper) object used to obtain privilege entities.
*/
@Inject
- protected static PrivilegeDAO privilegeDAO;
+ protected static Users users;
/**
* The property ids for a privilege resource.
@@ -110,14 +110,14 @@ public class GroupPrivilegeResourceProvider extends ReadOnlyResourceProvider {
* @param clusterDAO the cluster data access object
* @param groupDAO the group data access object
* @param viewInstanceDAO the view instance data access object
- * @param privilegeDAO
+ * @param users the users helper instance
*/
public static void init(ClusterDAO clusterDAO, GroupDAO groupDAO,
- ViewInstanceDAO viewInstanceDAO, PrivilegeDAO privilegeDAO) {
+ ViewInstanceDAO viewInstanceDAO, Users users) {
GroupPrivilegeResourceProvider.clusterDAO = clusterDAO;
GroupPrivilegeResourceProvider.groupDAO = groupDAO;
GroupPrivilegeResourceProvider.viewInstanceDAO = viewInstanceDAO;
- GroupPrivilegeResourceProvider.privilegeDAO = privilegeDAO;
+ GroupPrivilegeResourceProvider.users = users;
}
@SuppressWarnings("serial")
@@ -180,11 +180,7 @@ public class GroupPrivilegeResourceProvider extends ReadOnlyResourceProvider {
throw new SystemException("Group " + groupName + " was not found");
}
- final Set<PrivilegeEntity> privileges = groupEntity.getPrincipal().getPrivileges();
-
- Set<PrivilegeEntity> allViewPrivilegesWithClusterPermission =
- ClusterInheritedPermissionHelper.getViewPrivilegesWithClusterPermission(viewInstanceDAO, privilegeDAO, privileges);
- privileges.addAll(allViewPrivilegesWithClusterPermission);
+ final Collection<PrivilegeEntity> privileges = users.getGroupPrivileges(groupEntity);
for (PrivilegeEntity privilegeEntity : privileges) {
resources.add(toResource(privilegeEntity, groupName, requestedIds));
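Review bot: The new `users.getGroupPrivileges(groupEntity)` call replaces code that mutated the JPA-managed `groupEntity.getPrincipal().getPrivileges()` set with `addAll`, so whether the inherited view privileges are still being written into the managed collection now depends entirely on the helper, which is not visible in this diff; confirm that `getGroupPrivileges` builds a fresh collection, otherwise inherited cluster-level privileges could be flushed onto the group principal as persisted rows. The same applies to `users.getUserPrivileges(userEntity)` in the UserPrivilegeResourceProvider hunk, whose removed lines also mutated the managed set. A one-line comment such as `// returned collection is a copy; the managed privilege set must not be modified` at this call site would record the contract. The enclosing getResources method starts and ends outside the hunk.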
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
index 34111df..07b98bd 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -51,7 +51,7 @@ import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.UserEntity;
-import org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper;
+import org.apache.commons.lang.StringUtils;
/**
* Abstract resource provider for privilege resources.
@@ -195,35 +195,58 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
resourceIds.addAll(resourceEntities.keySet());
- Set<PrivilegeEntity> entitySet = new HashSet<PrivilegeEntity>();
- List<PrincipalEntity> principalList = new LinkedList<PrincipalEntity>();
+ Set<PrivilegeEntity> entitySet = new HashSet<PrivilegeEntity>();
+ List<PrincipalEntity> userPrincipals = new LinkedList<PrincipalEntity>();
+ List<PrincipalEntity> groupPrincipals = new LinkedList<PrincipalEntity>();
+ List<PrincipalEntity> rolePrincipals = new LinkedList<PrincipalEntity>();
List<PrivilegeEntity> entities = privilegeDAO.findAll();
for(PrivilegeEntity privilegeEntity : entities){
if (resourceIds.contains(privilegeEntity.getResource().getId())) {
PrincipalEntity principal = privilegeEntity.getPrincipal();
+ String principalType = principal.getPrincipalType().getName();
+
entitySet.add(privilegeEntity);
- principalList.add(principal);
+
+ if(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME.equals(principalType)) {
+ userPrincipals.add(principal);
+ }
+ else if(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME.equals(principalType)) {
+ groupPrincipals.add(principal);
+ }
+ else if(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME.equals(principalType)) {
+ rolePrincipals.add(principal);
+ }
}
}
Map<Long, UserEntity> userEntities = new HashMap<Long, UserEntity>();
- List<UserEntity> userList = userDAO.findUsersByPrincipal(principalList);
-
- for (UserEntity userEntity : userList) {
- userEntities.put(userEntity.getPrincipal().getId(), userEntity);
+ if(!userPrincipals.isEmpty()) {
+ List<UserEntity> userList = userDAO.findUsersByPrincipal(userPrincipals);
+ for (UserEntity userEntity : userList) {
+ userEntities.put(userEntity.getPrincipal().getId(), userEntity);
+ }
}
Map<Long, GroupEntity> groupEntities = new HashMap<Long, GroupEntity>();
- List<GroupEntity> groupList = groupDAO.findGroupsByPrincipal(principalList);
+ if(!groupPrincipals.isEmpty()) {
+ List<GroupEntity> groupList = groupDAO.findGroupsByPrincipal(groupPrincipals);
+ for (GroupEntity groupEntity : groupList) {
+ groupEntities.put(groupEntity.getPrincipal().getId(), groupEntity);
+ }
+ }
- for (GroupEntity groupEntity : groupList) {
- groupEntities.put(groupEntity.getPrincipal().getId(), groupEntity);
+ Map<Long, PermissionEntity> roleEntities = new HashMap<Long, PermissionEntity>();
+ if (!rolePrincipals.isEmpty()){
+ List<PermissionEntity> roleList = permissionDAO.findPermissionsByPrincipal(rolePrincipals);
+ for (PermissionEntity roleEntity : roleList) {
+ roleEntities.put(roleEntity.getPrincipal().getId(), roleEntity);
+ }
}
for(PrivilegeEntity privilegeEntity : entitySet){
- Resource resource = toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
+ Resource resource = toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
if (resource != null && (predicate == null || predicate.evaluate(resource))) {
resources.add(resource);
}
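Review bot: The principal bucketing in this loop is inconsistent with the `toResource` rewrite later in the same file: `principal.getPrincipalType().getName()` is dereferenced without the null guards `toResource` adds, and the type names are compared with case-sensitive `equals`, while `toResource` uses `StringUtils.equalsIgnoreCase`. A privilege whose type name differs only in case would be added to `entitySet` but to none of the three principal lists, so it surfaces as a resource with a null principal name. Either use the same comparison here, e.g. `if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME, principalType)) {` for each branch, or drop the case-insensitive matching in `toResource` so both sides agree. The enclosing getResources method starts and ends outside the hunk.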
@@ -281,6 +304,7 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
* @param privilegeEntity the privilege entity to be converted
* @param userEntities the map of user entities keyed by resource id
* @param groupEntities the map of group entities keyed by resource id
+ * @param roleEntities the map of role entities keyed by resource id
* @param resourceEntities the map of resource entities keyed by resource id
* @param requestedIds the requested property ids
*
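Review bot: The new `@param roleEntities` line documents the map as "keyed by resource id", but the map built in getResources is populated with `roleEntity.getPrincipal().getId()` as the key, so the Javadoc should read `* @param roleEntities the map of role (permission) entities keyed by principal id`. The user and group lines carry the same wording error, which predates this change, and could be corrected in the same edit.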
@@ -289,29 +313,48 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
protected Resource toResource(PrivilegeEntity privilegeEntity,
Map<Long, UserEntity> userEntities,
Map<Long, GroupEntity> groupEntities,
+ Map<Long, PermissionEntity> roleEntities,
Map<Long, T> resourceEntities,
Set<String> requestedIds) {
Resource resource = new ResourceImpl(resourceType);
- setResourceProperty(resource, PRIVILEGE_ID_PROPERTY_ID,
- privilegeEntity.getId(), requestedIds);
- setResourceProperty(resource, PERMISSION_NAME_PROPERTY_ID,
- privilegeEntity.getPermission().getPermissionName(), requestedIds);
- setResourceProperty(resource, PERMISSION_LABEL_PROPERTY_ID,
- privilegeEntity.getPermission().getPermissionLabel(), requestedIds);
-
- PrincipalEntity principal = privilegeEntity.getPrincipal();
- Long principalId = principal.getId();
-
- if (userEntities.containsKey(principalId)) {
- UserEntity userEntity = userEntities.get(principalId);
- setResourceProperty(resource, PRINCIPAL_NAME_PROPERTY_ID, userEntity.getUserName(), requestedIds);
- } else if (groupEntities.containsKey(principalId)){
- GroupEntity groupEntity = groupEntities.get(principalId);
- setResourceProperty(resource, PRINCIPAL_NAME_PROPERTY_ID, groupEntity.getGroupName(), requestedIds);
+ PrincipalEntity principal = privilegeEntity.getPrincipal();
+ String principalTypeName = null;
+ String resourcePropertyName = null;
+
+ if(principal != null) {
+ PrincipalTypeEntity principalType = principal.getPrincipalType();
+
+ if (principalType != null) {
+ Long principalId = principal.getId();
+
+ principalTypeName = principalType.getName();
+
+ if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME, principalTypeName)) {
+ GroupEntity groupEntity = groupEntities.get(principalId);
+ if (groupEntity != null) {
+ resourcePropertyName = groupEntity.getGroupName();
+ }
+ } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME, principalTypeName)) {
+ PermissionEntity roleEntity = roleEntities.get(principalId);
+ if (roleEntity != null) {
+ resourcePropertyName = roleEntity.getPermissionName();
+ }
+ } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME, principalTypeName)) {
+ UserEntity userEntity = userEntities.get(principalId);
+ if (userEntity != null) {
+ resourcePropertyName = userEntity.getUserName();
+ }
+ }
+ }
}
- setResourceProperty(resource, PRINCIPAL_TYPE_PROPERTY_ID, principal.getPrincipalType().getName(), requestedIds);
+ setResourceProperty(resource, PRIVILEGE_ID_PROPERTY_ID, privilegeEntity.getId(), requestedIds);
+ setResourceProperty(resource, PERMISSION_NAME_PROPERTY_ID, privilegeEntity.getPermission().getPermissionName(), requestedIds);
+ setResourceProperty(resource, PERMISSION_LABEL_PROPERTY_ID, privilegeEntity.getPermission().getPermissionLabel(), requestedIds);
+ setResourceProperty(resource, PRINCIPAL_NAME_PROPERTY_ID, resourcePropertyName, requestedIds);
+ setResourceProperty(resource, PRINCIPAL_TYPE_PROPERTY_ID, principalTypeName, requestedIds);
+
return resource;
}
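Review bot: The local `resourcePropertyName` holds the principal's display name and is only ever written to PRINCIPAL_NAME_PROPERTY_ID, so the name is misleading; `String principalName = null;` would make the three lookup branches read naturally. A principal whose type matches none of the three branches, or whose entity is missing from the lookup map, now silently yields a null principal name rather than failing as the old code did; that is arguably the right behaviour for a read path, but a brief comment above the `if(principal != null)` guard stating that unknown or unresolved principals are emitted with a null name would stop the next reader from treating it as a bug.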
@@ -339,18 +382,21 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
String principalName = (String) properties.get(PRINCIPAL_NAME_PROPERTY_ID);
String principalType = (String) properties.get(PRINCIPAL_TYPE_PROPERTY_ID);
- if (PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)) {
+ if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME, principalType)) {
GroupEntity groupEntity = groupDAO.findGroupByName(principalName);
if (groupEntity != null) {
entity.setPrincipal(principalDAO.findById(groupEntity.getPrincipal().getId()));
}
- } else if (PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)) {
+ } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME, principalType)) {
+ PermissionEntity permissionEntity = permissionDAO.findByName(principalName);
+ if (permissionEntity != null) {
+ entity.setPrincipal(principalDAO.findById(permissionEntity.getPrincipal().getId()));
+ }
+ } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME, principalType)) {
UserEntity userEntity = userDAO.findUserByName(principalName);
if (userEntity != null) {
entity.setPrincipal(principalDAO.findById(userEntity.getPrincipal().getId()));
}
- } else if (ClusterInheritedPermissionHelper.isValidPrincipalType(principalType)) {
- entity.setPrincipal(principalDAO.findByPrincipalType(principalType).get(0)); // There will be only one principal for that type
} else {
throw new AmbariException("Unknown principal type " + principalType);
}
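Review bot: The new ROLE branch repeats the existing pattern of silently doing nothing when the lookup fails: if `permissionDAO.findByName(principalName)` returns null, `entity.setPrincipal` is never called and the method carries on, so a request naming a non-existent role produces a privilege entity with no principal unless something after this hunk rejects it. Since the same is true of the user and group branches, a single check after the chain, e.g. `if (entity.getPrincipal() == null) { throw new AmbariException("Unknown principal " + principalName); }`, would close the gap for all three without changing the happy path. The enclosing method continues outside the hunk, so this may already be handled further down; if so, a comment here pointing to that check would help.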
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
index bdd73a6..009c38b 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -17,8 +17,6 @@
*/
package org.apache.ambari.server.controller.internal;
-import com.google.common.base.Function;
-import com.google.common.collect.FluentIterable;
import org.apache.ambari.server.controller.spi.NoSuchParentResourceException;
import org.apache.ambari.server.controller.spi.NoSuchResourceException;
import org.apache.ambari.server.controller.spi.Predicate;
@@ -28,26 +26,23 @@ import org.apache.ambari.server.controller.spi.SystemException;
import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
import org.apache.ambari.server.orm.dao.ClusterDAO;
import org.apache.ambari.server.orm.dao.GroupDAO;
-import org.apache.ambari.server.orm.dao.PrivilegeDAO;
import org.apache.ambari.server.orm.dao.UserDAO;
import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
import org.apache.ambari.server.orm.entities.ClusterEntity;
import org.apache.ambari.server.orm.entities.GroupEntity;
-import org.apache.ambari.server.orm.entities.MemberEntity;
import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
-import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.UserEntity;
import org.apache.ambari.server.orm.entities.ViewEntity;
import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.security.authorization.AuthorizationHelper;
-import org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper;
import org.apache.ambari.server.security.authorization.ResourceType;
import org.apache.ambari.server.security.authorization.RoleAuthorization;
import org.apache.ambari.server.security.authorization.UserType;
+import org.apache.ambari.server.security.authorization.Users;
-import javax.annotation.Nullable;
+import java.util.Collection;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
@@ -59,17 +54,17 @@ import java.util.Set;
*/
public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
- protected static final String PRIVILEGE_PRIVILEGE_ID_PROPERTY_ID = PrivilegeResourceProvider.PRIVILEGE_ID_PROPERTY_ID;
+ protected static final String PRIVILEGE_PRIVILEGE_ID_PROPERTY_ID = PrivilegeResourceProvider.PRIVILEGE_ID_PROPERTY_ID;
protected static final String PRIVILEGE_PERMISSION_NAME_PROPERTY_ID = PrivilegeResourceProvider.PERMISSION_NAME_PROPERTY_ID;
protected static final String PRIVILEGE_PERMISSION_LABEL_PROPERTY_ID = PrivilegeResourceProvider.PERMISSION_LABEL_PROPERTY_ID;
- protected static final String PRIVILEGE_PRINCIPAL_NAME_PROPERTY_ID = PrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID;
- protected static final String PRIVILEGE_PRINCIPAL_TYPE_PROPERTY_ID = PrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID;
- protected static final String PRIVILEGE_VIEW_NAME_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_NAME_PROPERTY_ID;
- protected static final String PRIVILEGE_VIEW_VERSION_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_VERSION_PROPERTY_ID;
- protected static final String PRIVILEGE_INSTANCE_NAME_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID;
- protected static final String PRIVILEGE_CLUSTER_NAME_PROPERTY_ID = ClusterPrivilegeResourceProvider.PRIVILEGE_CLUSTER_NAME_PROPERTY_ID;
- protected static final String PRIVILEGE_TYPE_PROPERTY_ID = AmbariPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID;
- protected static final String PRIVILEGE_USER_NAME_PROPERTY_ID = "PrivilegeInfo/user_name";
+ protected static final String PRIVILEGE_PRINCIPAL_NAME_PROPERTY_ID = PrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID;
+ protected static final String PRIVILEGE_PRINCIPAL_TYPE_PROPERTY_ID = PrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID;
+ protected static final String PRIVILEGE_VIEW_NAME_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_NAME_PROPERTY_ID;
+ protected static final String PRIVILEGE_VIEW_VERSION_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_VERSION_PROPERTY_ID;
+ protected static final String PRIVILEGE_INSTANCE_NAME_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID;
+ protected static final String PRIVILEGE_CLUSTER_NAME_PROPERTY_ID = ClusterPrivilegeResourceProvider.PRIVILEGE_CLUSTER_NAME_PROPERTY_ID;
+ protected static final String PRIVILEGE_TYPE_PROPERTY_ID = AmbariPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID;
+ protected static final String PRIVILEGE_USER_NAME_PROPERTY_ID = "PrivilegeInfo/user_name";
/**
* Data access object used to obtain user entities.
@@ -92,9 +87,9 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
protected static ViewInstanceDAO viewInstanceDAO;
/**
- * DAO used to obtain privilege entities.
+ * Helper to obtain privilege data for requested users
*/
- protected static PrivilegeDAO privilegeDAO;
+ private static Users users;
/**
* The property ids for a privilege resource.
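Review bot: The new field is declared `private static Users users;` here, while the parallel field introduced in GroupPrivilegeResourceProvider is `protected static Users users;` carrying `@Inject`; the two providers are otherwise written to mirror each other, so the visibility and injection annotation should agree (the `init` methods on both classes suggest `protected static` is the intended convention). The accompanying Javadoc line `* Helper to obtain privilege data for requested users` is also missing its terminating period, unlike the surrounding field comments.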
@@ -120,15 +115,15 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
* @param clusterDAO the cluster data access object
* @param groupDAO the group data access object
* @param viewInstanceDAO the view instance data access object
- * @param privilegeDAO
+ * @param users the Users helper object
*/
public static void init(UserDAO userDAO, ClusterDAO clusterDAO, GroupDAO groupDAO,
- ViewInstanceDAO viewInstanceDAO, PrivilegeDAO privilegeDAO) {
+ ViewInstanceDAO viewInstanceDAO, Users users) {
UserPrivilegeResourceProvider.userDAO = userDAO;
UserPrivilegeResourceProvider.clusterDAO = clusterDAO;
UserPrivilegeResourceProvider.groupDAO = groupDAO;
UserPrivilegeResourceProvider.viewInstanceDAO = viewInstanceDAO;
- UserPrivilegeResourceProvider.privilegeDAO = privilegeDAO;
+ UserPrivilegeResourceProvider.users = users;
}
@SuppressWarnings("serial")
@@ -199,15 +194,7 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
throw new SystemException("User " + userName + " was not found");
}
- final Set<PrivilegeEntity> privileges = userEntity.getPrincipal().getPrivileges();
-
- for (MemberEntity membership : userEntity.getMemberEntities()) {
- privileges.addAll(membership.getGroup().getPrincipal().getPrivileges());
- }
-
- Set<PrivilegeEntity> allViewPrivilegesWithClusterPermission =
- ClusterInheritedPermissionHelper.getViewPrivilegesWithClusterPermission(viewInstanceDAO, privilegeDAO, privileges);
- privileges.addAll(allViewPrivilegesWithClusterPermission);
+ final Collection<PrivilegeEntity> privileges = users.getUserPrivileges(userEntity);
for (PrivilegeEntity privilegeEntity : privileges) {
resources.add(toResource(privilegeEntity, userName, requestedIds));
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
index e5bd224..7182f4c 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -191,8 +191,10 @@ public class ViewPrivilegeResourceProvider extends PrivilegeResourceProvider<Vie
protected Resource toResource(PrivilegeEntity privilegeEntity,
Map<Long, UserEntity> userEntities,
Map<Long, GroupEntity> groupEntities,
- Map<Long, ViewInstanceEntity> resourceEntities, Set<String> requestedIds) {
- Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
+ Map<Long, PermissionEntity> roleEntities,
+ Map<Long, ViewInstanceEntity> resourceEntities,
+ Set<String> requestedIds) {
+ Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
if (resource != null) {
ViewInstanceEntity viewInstanceEntity = resourceEntities.get(privilegeEntity.getResource().getId());
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java
index 88d9775..c844ab6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -18,6 +18,7 @@
package org.apache.ambari.server.orm.dao;
+import java.util.Collections;
import java.util.List;
import javax.persistence.EntityManager;
@@ -25,6 +26,7 @@ import javax.persistence.TypedQuery;
import org.apache.ambari.server.orm.RequiresSession;
import org.apache.ambari.server.orm.entities.PermissionEntity;
+import org.apache.ambari.server.orm.entities.PrincipalEntity;
import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import com.google.inject.Inject;
@@ -80,6 +82,37 @@ public class PermissionDAO {
}
/**
+ * Find a permission entity with the given name.
+ *
+ * @param name permission name
+ *
+ * @return a matching permission entity or null
+ */
+ @RequiresSession
+ public PermissionEntity findByName(String name) {
+ TypedQuery<PermissionEntity> query = entityManagerProvider.get().createNamedQuery("PermissionEntity.findByName", PermissionEntity.class);
+ query.setParameter("permissionName", name);
+ return daoUtils.selectSingle(query);
+ }
+
+ /**
+ * Find the permission entities for the given list of principals
+ *
+ * @param principalList the list of principal entities
+ *
+ * @return the list of permissions (or roles) matching the query
+ */
+ @RequiresSession
+ public List<PermissionEntity> findPermissionsByPrincipal(List<PrincipalEntity> principalList) {
+ if (principalList == null || principalList.isEmpty()) {
+ return Collections.emptyList();
+ }
+ TypedQuery<PermissionEntity> query = entityManagerProvider.get().createNamedQuery("PermissionEntity.findByPrincipals", PermissionEntity.class);
+ query.setParameter("principalList", principalList);
+ return daoUtils.selectList(query);
+ }
+
+ /**
* Find all permission entities.
*
* @return all entities or an empty List
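Review bot: The Javadoc for `findPermissionsByPrincipal` does not mention that a null or empty `principalList` short-circuits to an empty list, which is the guarantee the new getResources code in PrivilegeResourceProvider leans on; suggest `@return the list of permissions (or roles) matching the query; never null, empty when principalList is null or empty`. `findByName` documents "a matching permission entity or null", but whether `daoUtils.selectSingle` tolerates more than one row is not visible here, so if permission names are not guaranteed unique the behaviour on multiple matches should be stated in the `@return` or enforced by the query.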
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java
index efbdfab..45a1658 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -121,4 +121,15 @@ public class PrincipalDAO {
public PrincipalEntity merge(PrincipalEntity entity) {
return entityManagerProvider.get().merge(entity);
}
+
+ /**
+ * Remove the entity instance.
+ *
+ * @param entity entity to remove
+ */
+ @Transactional
+ public void remove(PrincipalEntity entity) {
+ entityManagerProvider.get().remove(entity);
+ }
+
}
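Review bot: `entityManagerProvider.get().remove(entity)` requires a managed instance; `EntityManager.remove` throws IllegalArgumentException for a detached entity, which is what a caller holding a `PrincipalEntity` loaded in an earlier session will pass. The usual pattern, and one this class already supports via its `merge` method two lines above, is `entityManagerProvider.get().remove(merge(entity));`. The new `remove(PrincipalTypeEntity)` in PrincipalTypeDAO has the same issue.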
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java
index 7823d56..17628c6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -60,6 +60,20 @@ public class PrincipalTypeDAO {
}
/**
+ * Find a principal type entity with the given name.
+ *
+ * @param name principal type name
+ *
+ * @return a matching principal type entity or null
+ */
+ @RequiresSession
+ public PrincipalTypeEntity findByName(String name) {
+ TypedQuery<PrincipalTypeEntity> query = entityManagerProvider.get().createNamedQuery("PrincipalTypeEntity.findByName", PrincipalTypeEntity.class);
+ query.setParameter("name", name);
+ return daoUtils.selectSingle(query);
+ }
+
+ /**
* Find all principal types.
*
* @return all principal types or an empty List
@@ -86,6 +100,16 @@ public class PrincipalTypeDAO {
}
/**
+ * Remove the entity instance.
+ *
+ * @param entity entity to remove
+ */
+ @Transactional
+ public void remove(PrincipalTypeEntity entity) {
+ entityManagerProvider.get().remove(entity);
+ }
+
+ /**
* Creates and returns principal type if it wasn't persisted yet.
*
* @param principalType id of principal type
@@ -104,6 +128,9 @@ public class PrincipalTypeDAO {
case PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE:
principalTypeEntity.setName(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME);
break;
+ case PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE:
+ principalTypeEntity.setName(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME);
+ break;
default:
throw new IllegalArgumentException("Unknown principal type ID=" + principalType);
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
index f091bab..b6f1557 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
@@ -29,6 +29,8 @@ import javax.persistence.JoinColumns;
import javax.persistence.JoinTable;
import javax.persistence.ManyToMany;
import javax.persistence.ManyToOne;
+import javax.persistence.NamedQueries;
+import javax.persistence.NamedQuery;
import javax.persistence.OneToOne;
import javax.persistence.Table;
import javax.persistence.TableGenerator;
@@ -44,6 +46,10 @@ import java.util.Collection;
, pkColumnValue = "permission_id_seq"
, initialValue = 100
)
+@NamedQueries({
+ @NamedQuery(name = "PermissionEntity.findByName", query = "SELECT p FROM PermissionEntity p WHERE p.permissionName = :permissionName"),
+ @NamedQuery(name = "PermissionEntity.findByPrincipals", query = "SELECT p FROM PermissionEntity p WHERE p.principal IN :principalList")
+})
public class PermissionEntity {
/**
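Review bot: `PermissionEntity.findByPrincipals` binds a collection to `IN :principalList`, and an empty collection parameter is rejected or mis-translated by some JPA providers, so the DAO method behind this query should either guard against an empty list or document that callers must not pass one. The only caller visible in this commit, `Users.getImplicitPrivileges`, checks `rolePrincipals.isEmpty()` before querying, but that contract is not stated anywhere near the query itself.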
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java
index 716d4f7..31e11e6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -30,6 +30,9 @@ import javax.persistence.*;
, pkColumnValue = "principal_type_id_seq"
, initialValue = 100
)
+@NamedQueries({
+ @NamedQuery(name = "PrincipalTypeEntity.findByName", query = "SELECT p FROM PrincipalTypeEntity p WHERE p.name = :name")
+})
public class PrincipalTypeEntity {
/**
@@ -37,19 +40,11 @@ public class PrincipalTypeEntity {
*/
public static final int USER_PRINCIPAL_TYPE = 1;
public static final int GROUP_PRINCIPAL_TYPE = 2;
- public static final int CLUSTER_ADMINISTRATOR_PRINCIPAL_TYPE = 3;
- public static final int CLUSTER_OPERATOR_PRINCIPAL_TYPE = 4;
- public static final int CLUSTER_USER_PRINCIPAL_TYPE = 5;
- public static final int SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE = 6;
- public static final int SERVICE_OPERATOR_PRINCIPAL_TYPE = 7;
+ public static final int ROLE_PRINCIPAL_TYPE = 8;
public static final String USER_PRINCIPAL_TYPE_NAME = "USER";
public static final String GROUP_PRINCIPAL_TYPE_NAME = "GROUP";
- public static final String CLUSTER_ADMINISTRATOR_PRINCIPAL_TYPE_NAME = "ALL.CLUSTER.ADMINISTRATOR";
- public static final String CLUSTER_OPERATOR_PRINCIPAL_TYPE_NAME = "ALL.CLUSTER.OPERATOR";
- public static final String CLUSTER_USER_PRINCIPAL_TYPE_NAME = "ALL.CLUSTER.USER";
- public static final String SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE_NAME = "ALL.SERVICE.ADMINISTRATOR";
- public static final String SERVICE_OPERATOR_PRINCIPAL_TYPE_NAME = "ALL.SERVICE.OPERATOR";
+ public static final String ROLE_PRINCIPAL_TYPE_NAME = "ROLE";
/**
* The type id.
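Review bot: `ROLE_PRINCIPAL_TYPE = 8` leaves an unexplained gap after `GROUP_PRINCIPAL_TYPE = 2`; presumably 3–7 are the ids of the removed `ALL.*` pseudo principal types, which can still be present in databases until `UpgradeCatalog242.convertRolePrincipals` has run, and reusing one of them would collide with those rows. A comment would stop a future maintainer from "fixing" the numbering: `// ids 3-7 belonged to the removed ALL.* pseudo principal types and may still exist in upgraded databases; do not reuse`. If the gap has a different reason, that reason is what the comment should state.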
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
index 8639a2f..e875e8a 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
@@ -17,9 +17,6 @@
*/
package org.apache.ambari.server.security.authorization;
-import com.google.common.base.Function;
-import com.google.common.base.Predicate;
-import com.google.common.collect.FluentIterable;
import com.google.common.collect.Lists;
import com.google.inject.Inject;
import com.google.inject.Provider;
@@ -30,7 +27,6 @@ import org.apache.ambari.server.orm.entities.PermissionEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity;
-import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
@@ -47,10 +43,10 @@ import java.util.HashSet;
import java.util.List;
import java.util.Set;
-@Singleton
/**
* Provides utility methods for authentication functionality
*/
+@Singleton
public class AuthorizationHelper {
private final static Logger LOG = LoggerFactory.getLogger(AuthorizationHelper.class);
@@ -230,56 +226,8 @@ public class AuthorizationHelper {
}
}
- // Check if the resourceId is a view.
- // Get all privileges for the resourceId and the principal associated for them should be of all cluster/service
- // type.
- // Now from the authorities check if the user privileges with CLUSTER/SERVICE type permission and has access to
- // cluster resource with the permission.
- // Then if the permission type matches the cluster/service type principal(names) then the user should have access
- // to those views.
-
- if(resourceId == null) {
- return false;
- }
-
- ViewInstanceDAO viewInstanceDAO = viewInstanceDAOProvider.get();
-
- ViewInstanceEntity instanceEntity = viewInstanceDAO.findByResourceId(resourceId);
- if(instanceEntity == null || instanceEntity.getClusterHandle() == null) {
- return false;
- }
-
- PrivilegeDAO privilegeDAO = privilegeDAOProvider.get();
-
- final Set<String> privilegeNames = FluentIterable.from(privilegeDAO.findByResourceId(resourceId))
- .filter(ClusterInheritedPermissionHelper.privilegeWithClusterInheritedPermissionTypePredicate)
- .transform(ClusterInheritedPermissionHelper.permissionNameFromClusterInheritedPrivilege)
- .toSet();
-
- return FluentIterable.from(authentication.getAuthorities())
- .filter(new Predicate<GrantedAuthority>() {
- @Override
- public boolean apply(GrantedAuthority grantedAuthority) {
- AmbariGrantedAuthority authority = (AmbariGrantedAuthority) grantedAuthority;
- PrivilegeEntity privilege = authority.getPrivilegeEntity();
- String resourceTypeName = privilege.getResource().getResourceType().getName();
- return ResourceType.translate(resourceTypeName) == ResourceType.CLUSTER;
- }
- }).transform(new Function<GrantedAuthority, PermissionEntity>() {
- @Override
- public PermissionEntity apply(GrantedAuthority grantedAuthority) {
- AmbariGrantedAuthority authority = (AmbariGrantedAuthority) grantedAuthority;
- PrivilegeEntity privilege = authority.getPrivilegeEntity();
- return privilege.getPermission();
- }
- }).anyMatch(new Predicate<PermissionEntity>() {
- @Override
- public boolean apply(PermissionEntity input) {
- return privilegeNames.contains(input.getPermissionName());
- }
- });
+ return false;
}
-
}
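Review bot: With the view-inheritance block replaced by an unconditional `return false;`, `viewInstanceDAOProvider` and `privilegeDAOProvider` appear to be used only by the lines this hunk removes; if nothing else in the class references them, drop the fields together with their imports so the helper no longer advertises DAO dependencies it does not need. The bare `return false;` also deserves a one-line why-comment, since a reader will wonder where the view check went, e.g. `// Role-inherited privileges are already folded into the user's granted authorities (see Users.getUserAuthorities); nothing else grants access here.` The enclosing method starts outside the hunk.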
/**
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java
deleted file mode 100644
index 9922bb2..0000000
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java
+++ /dev/null
@@ -1,213 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.ambari.server.security.authorization;
-
-import com.google.common.base.Function;
-import com.google.common.base.Predicate;
-import com.google.common.collect.FluentIterable;
-import org.apache.ambari.server.orm.dao.PrivilegeDAO;
-import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
-import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
-import org.apache.ambari.server.orm.entities.PrivilegeEntity;
-import org.apache.ambari.server.orm.entities.ResourceEntity;
-import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
-
-import javax.annotation.Nullable;
-import java.util.Collection;
-import java.util.Set;
-
-
-/**
- * Helper class to take care of the cluster inherited permission for any view.
- */
-public class ClusterInheritedPermissionHelper {
-
- /**
- * Predicate which validates if the principalType passed is valid or not.
- */
- public static final Predicate<String> validPrincipalTypePredicate = new Predicate<String>() {
- @Override
- public boolean apply(String principalType) {
- return isValidPrincipalType(principalType);
- }
- };
-
- /**
- * Predicate which validates if the privilegeEntity has resourceEntity of type {@see ResourceType.CLUSTER}
- */
- public static final Predicate<PrivilegeEntity> clusterPrivilegesPredicate = new Predicate<PrivilegeEntity>() {
- @Override
- public boolean apply(PrivilegeEntity privilegeEntity) {
- String resourceTypeName = privilegeEntity.getResource().getResourceType().getName();
- return ResourceType.translate(resourceTypeName) == ResourceType.CLUSTER;
- }
- };
-
- /**
- * Predicate which validates if view instance entity is cluster associated
- */
- public static final Predicate<ViewInstanceEntity> clusterAssociatedViewInstancePredicate = new Predicate<ViewInstanceEntity>() {
- @Override
- public boolean apply(ViewInstanceEntity viewInstanceEntity) {
- return viewInstanceEntity.getClusterHandle() != null;
- }
- };
-
- /**
- * Predicate to validate if the privilege entity has a principal which has a cluster inherited principal type
- */
- public static final Predicate<PrivilegeEntity> privilegeWithClusterInheritedPermissionTypePredicate = new Predicate<PrivilegeEntity>() {
- @Override
- public boolean apply(PrivilegeEntity privilegeEntity) {
- String principalTypeName = privilegeEntity.getPrincipal().getPrincipalType().getName();
- return principalTypeName.startsWith("ALL.");
- }
- };
-
- /**
- * Mapper to return the Permission Name from the cluster inherited privilege name. Example: "ALL.CLUSTER.USER" becomes "CLUSTER.USER"
- */
- public static final Function<PrivilegeEntity, String> permissionNameFromClusterInheritedPrivilege = new Function<PrivilegeEntity, String>() {
- @Override
- public String apply(PrivilegeEntity input) {
- return input.getPrincipal().getPrincipalType().getName().substring(4);
- }
- };
-
- /**
- * Mapper to return resources from view instance entity.
- */
- public static final Function<ViewInstanceEntity, ResourceEntity> resourceFromViewInstanceMapper = new Function<ViewInstanceEntity, ResourceEntity>() {
- @Override
- public ResourceEntity apply(ViewInstanceEntity viewInstanceEntity) {
- return viewInstanceEntity.getResource();
- }
- };
-
- /**
- * Mapper to return all privileges from resource entity
- */
- public static final Function<ResourceEntity, Iterable<PrivilegeEntity>> allPrivilegesFromResoucesMapper = new Function<ResourceEntity, Iterable<PrivilegeEntity>>() {
- @Override
- public Iterable<PrivilegeEntity> apply(ResourceEntity resourceEntity) {
- return resourceEntity.getPrivileges();
- }
- };
-
- /**
- * Mapper to return permission name from privilege
- */
- public static final Function<PrivilegeEntity, String> permissionNameFromPrivilegeMapper = new Function<PrivilegeEntity, String>() {
- @Override
- public String apply(PrivilegeEntity privilegeEntity) {
- return privilegeEntity.getPermission().getPermissionName();
- }
- };
-
- /**
- * Predicate to validate if the cluster inherited principal type for privilege entity is present in the valid permission type set passed
- * @param validSet - valid set of permission types
- * @return Predicate to check the condition
- */
- public static final Predicate<PrivilegeEntity> principalTypeInSetFrom(final Collection<String> validSet) {
- return new Predicate<PrivilegeEntity>() {
- @Override
- public boolean apply(PrivilegeEntity privilegeEntity) {
- String permissionName = privilegeEntity.getPrincipal().getPrincipalType().getName().substring(4);
- return validSet.contains(permissionName);
- }
- };
- }
-
- /**
- * Predicate to filter out privileges which are already existing in the passed privileges set.
- * @param existingPrivileges - Privileges set to which the comparison will be made
- * @return Predicate to check the validation
- */
- public static Predicate<PrivilegeEntity> removeIfExistingPrivilegePredicate(final Set<PrivilegeEntity> existingPrivileges) {
- return new Predicate<PrivilegeEntity>() {
- @Override
- public boolean apply(final PrivilegeEntity privilegeEntity) {
- return !FluentIterable.from(existingPrivileges).anyMatch(new com.google.common.base.Predicate<PrivilegeEntity>() {
- @Override
- public boolean apply(PrivilegeEntity directPrivilegeEntity) {
- return directPrivilegeEntity.getResource().getId().equals(privilegeEntity.getResource().getId())
- && directPrivilegeEntity.getPermission().getId().equals(privilegeEntity.getPermission().getId());
- }
- });
- }
- };
- }
-
- /**
- * Validates if the principal type is valid for cluster inherited permissions.
- * @param principalType - Principal type
- * @return true if the principalType is in ("ALL.CLUSTER.ADMINISTRATOR", "ALL.CLUSTER.OPERATOR",
- * "ALL.CLUSTER.USER", "ALL.SERVICE.OPERATOR", "ALL.SERVICE.USER")
- */
- public static boolean isValidPrincipalType(String principalType) {
- return PrincipalTypeEntity.CLUSTER_ADMINISTRATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
- || PrincipalTypeEntity.CLUSTER_OPERATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
- || PrincipalTypeEntity.CLUSTER_USER_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
- || PrincipalTypeEntity.SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
- || PrincipalTypeEntity.SERVICE_OPERATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType);
- }
-
- /**
- * Returns the view privileges for which cluster permissions has been specified. This filters out all the privileges
- * which are related to view resources attached to a cluster and are configured to have cluster level permissions. Then
- * It checks if the user has cluster level permissions and further filters down the privilege list to the ones for which
- * the user should have privilege.
- * @param userDirectPrivileges - direct privileges for the user.
- * @return - Filtered list of privileges for view resource for which the user should have access.
- */
- public static Set<PrivilegeEntity> getViewPrivilegesWithClusterPermission(final ViewInstanceDAO viewInstanceDAO, final PrivilegeDAO privilegeDAO,
- final Set<PrivilegeEntity> userDirectPrivileges) {
-
- final Set<String> clusterPrivileges = FluentIterable.from(userDirectPrivileges)
- .filter(ClusterInheritedPermissionHelper.clusterPrivilegesPredicate)
- .transform(ClusterInheritedPermissionHelper.permissionNameFromPrivilegeMapper)
- .toSet();
-
- Set<Long> resourceIds = FluentIterable.from(viewInstanceDAO.findAll())
- .filter(ClusterInheritedPermissionHelper.clusterAssociatedViewInstancePredicate)
- .transform(ClusterInheritedPermissionHelper.resourceFromViewInstanceMapper)
- .transform(new Function<ResourceEntity, Long>() {
- @Nullable
- @Override
- public Long apply(@Nullable ResourceEntity input) {
- return input.getId();
- }
- }).toSet();
-
- Set<PrivilegeEntity> allPrivileges = FluentIterable.from(resourceIds)
- .transformAndConcat(new Function<Long, Iterable<PrivilegeEntity>>() {
- @Nullable
- @Override
- public Iterable<PrivilegeEntity> apply(@Nullable Long input) {
- return privilegeDAO.findByResourceId(input);
- }
- }).toSet();
-
- return FluentIterable.from(allPrivileges)
- .filter(ClusterInheritedPermissionHelper.privilegeWithClusterInheritedPermissionTypePredicate)
- .filter(ClusterInheritedPermissionHelper.principalTypeInSetFrom(clusterPrivileges))
- .filter(ClusterInheritedPermissionHelper.removeIfExistingPrivilegePredicate(userDirectPrivileges))
- .toSet();
- }
-}
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
index a4f0031..eee721a 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
@@ -705,6 +705,96 @@ public class Users {
}
/**
+ * Gets the explicit and implicit privileges for the given user.
+ * <p>
+ * The explicit privileges are the privileges that have be explicitly set by assigning roles to
+ * a user. For example the Cluster Operator role on a given cluster gives that the ability to
+ * start and stop services in that cluster, among other privileges for that particular cluster.
+ * <p>
+ * The implicit privileges are the privileges that have been given to the roles themselves which
+ * in turn are granted to the users that have been assigned those roles. For example if the
+ * Cluster User role for a given cluster has been given View User access on a specified File View
+ * instance, then all users who have the Cluster User role for that cluster will implicitly be
+ * granted View User access on that File View instance.
+ *
+ * @param userEntity the relevant user
+ * @return the collection of implicit and explicit privileges
+ */
+ public Collection<PrivilegeEntity> getUserPrivileges(UserEntity userEntity) {
+ if (userEntity == null) {
+ return Collections.emptyList();
+ }
+
+ // get all of the privileges for the user
+ List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
+
+ principalEntities.add(userEntity.getPrincipal());
+
+ List<MemberEntity> memberEntities = memberDAO.findAllMembersByUser(userEntity);
+
+ for (MemberEntity memberEntity : memberEntities) {
+ principalEntities.add(memberEntity.getGroup().getPrincipal());
+ }
+
+ List<PrivilegeEntity> explicitPrivilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
+ List<PrivilegeEntity> implicitPrivilegeEntities = getImplicitPrivileges(explicitPrivilegeEntities);
+ List<PrivilegeEntity> privilegeEntities;
+
+ if(implicitPrivilegeEntities.isEmpty()) {
+ privilegeEntities = explicitPrivilegeEntities;
+ }
+ else {
+ privilegeEntities = new LinkedList<PrivilegeEntity>();
+ privilegeEntities.addAll(explicitPrivilegeEntities);
+ privilegeEntities.addAll(implicitPrivilegeEntities);
+ }
+
+ return privilegeEntities;
+ }
+
+ /**
+ * Gets the explicit and implicit privileges for the given group.
+ * <p>
+ * The explicit privileges are the privileges that have be explicitly set by assigning roles to
+ * a group. For example the Cluster Operator role on a given cluster gives that the ability to
+ * start and stop services in that cluster, among other privileges for that particular cluster.
+ * <p>
+ * The implicit privileges are the privileges that have been given to the roles themselves which
+ * in turn are granted to the groups that have been assigned those roles. For example if the
+ * Cluster User role for a given cluster has been given View User access on a specified File View
+ * instance, then all groups that have the Cluster User role for that cluster will implicitly be
+ * granted View User access on that File View instance.
+ *
+ * @param groupEntity the relevant group
+ * @return the collection of implicit and explicit privileges
+ */
+ public Collection<PrivilegeEntity> getGroupPrivileges(GroupEntity groupEntity) {
+ if (groupEntity == null) {
+ return Collections.emptyList();
+ }
+
+ // get all of the privileges for the group
+ List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
+
+ principalEntities.add(groupEntity.getPrincipal());
+
+ List<PrivilegeEntity> explicitPrivilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
+ List<PrivilegeEntity> implicitPrivilegeEntities = getImplicitPrivileges(explicitPrivilegeEntities);
+ List<PrivilegeEntity> privilegeEntities;
+
+ if(implicitPrivilegeEntities.isEmpty()) {
+ privilegeEntities = explicitPrivilegeEntities;
+ }
+ else {
+ privilegeEntities = new LinkedList<PrivilegeEntity>();
+ privilegeEntities.addAll(explicitPrivilegeEntities);
+ privilegeEntities.addAll(implicitPrivilegeEntities);
+ }
+
+ return privilegeEntities;
+ }
+
+ /**
* Gets the explicit and implicit authorities for the given user.
* <p>
* The explicit authorities are the authorities that have be explicitly set by assigning roles to
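Review bot: `getUserPrivileges` and `getGroupPrivileges` duplicate the explicit-lookup, implicit-lookup and merge steps line for line; extracting that tail into a private helper keeps the two in step when the merge rule changes (for instance if inherited privileges are later filtered). The public signatures stay as they are; only the body after the principal list is built moves.

```java
  public Collection<PrivilegeEntity> getUserPrivileges(UserEntity userEntity) {
    if (userEntity == null) {
      return Collections.emptyList();
    }
    // … unchanged: build principalEntities from the user's principal and its group memberships …
    return getExplicitAndImplicitPrivileges(principalEntities);
  }

  // … getGroupPrivileges: same shape, passing a list holding the group's principal …

  /**
   * Resolves the explicit privileges of the given principals and appends the implicit
   * privileges inherited through the roles those explicit privileges grant.
   *
   * @param principalEntities the principals whose privileges are wanted
   * @return the explicit privileges, followed by the implicit ones when there are any
   */
  private Collection<PrivilegeEntity> getExplicitAndImplicitPrivileges(List<PrincipalEntity> principalEntities) {
    List<PrivilegeEntity> explicitPrivilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
    List<PrivilegeEntity> implicitPrivilegeEntities = getImplicitPrivileges(explicitPrivilegeEntities);

    if (implicitPrivilegeEntities.isEmpty()) {
      return explicitPrivilegeEntities;
    }

    List<PrivilegeEntity> privilegeEntities = new LinkedList<PrivilegeEntity>();
    privilegeEntities.addAll(explicitPrivilegeEntities);
    privilegeEntities.addAll(implicitPrivilegeEntities);
    return privilegeEntities;
  }
```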
@@ -727,50 +817,59 @@ public class Users {
return Collections.emptyList();
}
- // get all of the privileges for the user
- List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
+ Collection<PrivilegeEntity> privilegeEntities = getUserPrivileges(userEntity);
- principalEntities.add(userEntity.getPrincipal());
+ Set<AmbariGrantedAuthority> authorities = new HashSet<>(privilegeEntities.size());
- List<MemberEntity> memberEntities = memberDAO.findAllMembersByUser(userEntity);
+ for (PrivilegeEntity privilegeEntity : privilegeEntities) {
+ authorities.add(new AmbariGrantedAuthority(privilegeEntity));
+ }
- for (MemberEntity memberEntity : memberEntities) {
- principalEntities.add(memberEntity.getGroup().getPrincipal());
+ return authorities;
+ }
+
+ /**
+ * Gets the implicit privileges based on the set of roles found in a collection of privileges.
+ * <p>
+ * The implicit privileges are the privileges that have been given to the roles themselves which
+ * in turn are granted to the groups that have been assigned those roles. For example if the
+ * Cluster User role for a given cluster has been given View User access on a specified File View
+ * instance, then all groups that have the Cluster User role for that cluster will implicitly be
+ * granted View User access on that File View instance.
+ *
+ * @param privilegeEntities the relevant privileges
+ * @return the collection explicit privileges
+ */
+ private List<PrivilegeEntity> getImplicitPrivileges(List<PrivilegeEntity> privilegeEntities) {
+
+ if ((privilegeEntities == null) || privilegeEntities.isEmpty()) {
+ return Collections.emptyList();
}
- List<PrivilegeEntity> privilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
+ List<PrivilegeEntity> implicitPrivileges = new LinkedList<PrivilegeEntity>();
// A list of principals representing roles/permissions. This collection of roles will be used to
- // find additional authorizations inherited by the authenticated user based on the assigned roles.
+ // find additional inherited privileges based on the assigned roles.
// For example a File View instance may be set to be accessible to all authenticated user with
// the Cluster User role.
List<PrincipalEntity> rolePrincipals = new ArrayList<PrincipalEntity>();
- Set<AmbariGrantedAuthority> authorities = new HashSet<>(privilegeEntities.size());
-
for (PrivilegeEntity privilegeEntity : privilegeEntities) {
// Add the principal representing the role associated with this PrivilegeEntity to the collection
- // of roles for the authenticated user.
+ // of roles.
PrincipalEntity rolePrincipal = privilegeEntity.getPermission().getPrincipal();
- if(rolePrincipal != null) {
+ if (rolePrincipal != null) {
rolePrincipals.add(rolePrincipal);
}
-
- authorities.add(new AmbariGrantedAuthority(privilegeEntity));
}
- // If the collections of assigned roles is not empty find the inherited authorizations that are
- // give to the roles and add them to the collection of (Granted) authorities for the user.
- if(!rolePrincipals.isEmpty()) {
+ // If the collections of assigned roles is not empty find the inherited priviliges.
+ if (!rolePrincipals.isEmpty()) {
// For each "role" see if any privileges have been granted...
- List<PrivilegeEntity> rolePrivilegeEntities = privilegeDAO.findAllByPrincipal(rolePrincipals);
-
- for (PrivilegeEntity privilegeEntity : rolePrivilegeEntities) {
- authorities.add(new AmbariGrantedAuthority(privilegeEntity));
- }
+ implicitPrivileges.addAll(privilegeDAO.findAllByPrincipal(rolePrincipals));
}
- return authorities;
+ return implicitPrivileges;
}
}
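Review bot: `getImplicitPrivileges` derives the role principals from `privilegeEntity.getPermission().getPrincipal()` alone, so an explicit Cluster User privilege on one cluster pulls in every privilege granted to the Cluster User role principal, including any on a view instance attached to a different cluster, unless the role principals are per-cluster, which nothing in the visible code shows. The Javadoc's "for a given cluster" wording promises a cluster scope the code does not enforce; either filter the inherited privileges by the resource the explicit privilege applies to, or state plainly in the Javadoc that role inheritance is not cluster-scoped so that authorization reviewers are not misled. The Javadoc also has copy-paste errors: `@return the collection explicit privileges` should read `@return the implicit privileges inherited through the roles, or an empty list`, and the description speaks of groups although the method is called for users too. The start of `getUserAuthorities` lies outside the hunk.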
[3/4] ambari git commit: AMBARI-18365. Authorizations given to roles,
should use generic role-based principals rather than hard-coded
pseudo-role-based principals (rlevas)
Posted by rl...@apache.org.
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog242.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog242.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog242.java
index a5276c2..980b651 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog242.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog242.java
@@ -19,10 +19,23 @@
package org.apache.ambari.server.upgrade;
import java.sql.SQLException;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
import org.apache.ambari.server.AmbariException;
import org.apache.ambari.server.configuration.Configuration;
import org.apache.ambari.server.orm.DBAccessor;
+import org.apache.ambari.server.orm.dao.PermissionDAO;
+import org.apache.ambari.server.orm.dao.PrincipalDAO;
+import org.apache.ambari.server.orm.dao.PrincipalTypeDAO;
+import org.apache.ambari.server.orm.dao.PrivilegeDAO;
+import org.apache.ambari.server.orm.entities.PermissionEntity;
+import org.apache.ambari.server.orm.entities.PrincipalEntity;
+import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
+import org.apache.ambari.server.orm.entities.PrivilegeEntity;
+import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -106,6 +119,7 @@ public class UpgradeCatalog242 extends AbstractUpgradeCatalog {
@Override
protected void executeDMLUpdates() throws AmbariException, SQLException {
addNewConfigurationsFromXml();
+ convertRolePrincipals();
}
protected void updateTablesForMysql() throws SQLException {
@@ -141,4 +155,90 @@ public class UpgradeCatalog242 extends AbstractUpgradeCatalog {
}
}
+ /**
+ * Convert the previously set inherited privileges to the more generic inherited privileges model
+ * based on role-based principals rather than specialized principal types.
+ */
+ protected void convertRolePrincipals() {
+ LOG.info("Converting pseudo principle types to role principals");
+
+ PermissionDAO permissionDAO = injector.getInstance(PermissionDAO.class);
+ PrivilegeDAO privilegeDAO = injector.getInstance(PrivilegeDAO.class);
+ PrincipalDAO principalDAO = injector.getInstance(PrincipalDAO.class);
+ PrincipalTypeDAO principalTypeDAO = injector.getInstance(PrincipalTypeDAO.class);
+
+ Map<String, String> principalTypeToRole = new HashMap<String, String>();
+ principalTypeToRole.put("ALL.CLUSTER.ADMINISTRATOR", "CLUSTER.ADMINISTRATOR");
+ principalTypeToRole.put("ALL.CLUSTER.OPERATOR", "CLUSTER.OPERATOR");
+ principalTypeToRole.put("ALL.CLUSTER.USER", "CLUSTER.USER");
+ principalTypeToRole.put("ALL.SERVICE.ADMINISTRATOR", "SERVICE.ADMINISTRATOR");
+ principalTypeToRole.put("ALL.SERVICE.OPERATOR", "SERVICE.OPERATOR");
+
+ // Handle a typo introduced in org.apache.ambari.server.upgrade.UpgradeCatalog240.updateClusterInheritedPermissionsConfig
+ principalTypeToRole.put("ALL.SERVICE.OPERATIOR", "SERVICE.OPERATOR");
+
+ for (Map.Entry<String, String> entry : principalTypeToRole.entrySet()) {
+ String principalTypeName = entry.getKey();
+ String roleName = entry.getValue();
+
+ PermissionEntity role = permissionDAO.findByName(roleName);
+ PrincipalEntity rolePrincipalEntity = (role == null) ? null : role.getPrincipal();
+
+ // Convert Privilege Records
+ PrincipalTypeEntity principalTypeEntity = principalTypeDAO.findByName(principalTypeName);
+
+ if (principalTypeEntity != null) {
+ List<PrincipalEntity> principalEntities = principalDAO.findByPrincipalType(principalTypeName);
+
+ for (PrincipalEntity principalEntity : principalEntities) {
+ Set<PrivilegeEntity> privilegeEntities = principalEntity.getPrivileges();
+
+ for (PrivilegeEntity privilegeEntity : privilegeEntities) {
+ if (rolePrincipalEntity == null) {
+ LOG.info("Removing privilege (id={}) since no role principle was found for {}:\n{}",
+ privilegeEntity.getId(), roleName, formatPrivilegeEntityDetails(privilegeEntity));
+ // Remove this privilege
+ privilegeDAO.remove(privilegeEntity);
+ } else {
+ LOG.info("Updating privilege (id={}) to use role principle for {}:\n{}",
+ privilegeEntity.getId(), roleName, formatPrivilegeEntityDetails(privilegeEntity));
+
+ // Set the principal to the updated principal value
+ privilegeEntity.setPrincipal(rolePrincipalEntity);
+ privilegeDAO.merge(privilegeEntity);
+ }
+ }
+
+ // Remove the obsolete principal
+ principalDAO.remove(principalEntity);
+ }
+
+ // Remove the obsolete principal type
+ principalTypeDAO.remove(principalTypeEntity);
+ }
+ }
+
+ LOG.info("Converting pseudo principle types to role principals - complete.");
+ }
+
+ private String formatPrivilegeEntityDetails(PrivilegeEntity privilegeEntity) {
+ if (privilegeEntity == null) {
+ return "";
+ } else {
+ ResourceEntity resource = privilegeEntity.getResource();
+ PrincipalEntity principal = privilegeEntity.getPrincipal();
+ PermissionEntity permission = privilegeEntity.getPermission();
+
+ return String.format("" +
+ "\tPrivilege ID: %d" +
+ "\n\tResource ID: %d" +
+ "\n\tPrincipal ID: %d" +
+ "\n\tPermission ID: %d",
+ privilegeEntity.getId(),
+ resource.getId(),
+ principal.getId(),
+ permission.getId()
+ );
+ }
+ }
}
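Review bot: `formatPrivilegeEntityDetails` dereferences `resource`, `principal` and `permission` without null checks, and because it is evaluated as a log argument inside `convertRolePrincipals`, a privilege row with a missing relation would abort the whole upgrade step with a NullPointerException rather than just degrade the log line; compute the ids null-safely, e.g. `Object resourceId = (resource == null) ? null : resource.getId();`, and pass those to the format call. The inner loop also calls `privilegeDAO.remove(privilegeEntity)` while iterating `principalEntity.getPrivileges()`; if that DAO or the mapping detaches the privilege from the principal's collection (not visible here) the iterator throws ConcurrentModificationException, so iterating over a copy of the set is the safer form. The log messages spell "principle" where "principal" is meant. Whether this method runs inside a transaction depends on the caller of `executeDMLUpdates`, which is outside the hunk; without one, a failure midway leaves some pseudo principal types converted and others not.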
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java b/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java
index 455b4f1..7f58485 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -86,7 +86,6 @@ import org.apache.ambari.server.orm.entities.ViewParameterEntity;
import org.apache.ambari.server.orm.entities.ViewResourceEntity;
import org.apache.ambari.server.security.SecurityHelper;
import org.apache.ambari.server.security.authorization.AuthorizationHelper;
-import org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper;
import org.apache.ambari.server.security.authorization.ResourceType;
import org.apache.ambari.server.security.authorization.RoleAuthorization;
import org.apache.ambari.server.state.Clusters;
@@ -122,7 +121,6 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xml.sax.SAXException;
-import com.google.common.collect.FluentIterable;
import com.google.common.collect.Sets;
import com.google.common.eventbus.AllowConcurrentEvents;
import com.google.common.eventbus.Subscribe;
@@ -1796,7 +1794,7 @@ public class ViewRegistry {
}
List<String> services = autoInstanceConfig.getServices();
- List<String> permissions = autoInstanceConfig.getPermissions();
+ Collection<String> roles = autoInstanceConfig.getRoles();
Map<String, org.apache.ambari.server.state.Cluster> allClusters = clustersProvider.get().getClusters();
for (org.apache.ambari.server.state.Cluster cluster : allClusters.values()) {
@@ -1814,7 +1812,7 @@ public class ViewRegistry {
ViewInstanceEntity viewInstanceEntity = createViewInstanceEntity(viewEntity, viewConfig, autoInstanceConfig);
viewInstanceEntity.setClusterHandle(clusterId);
installViewInstance(viewInstanceEntity);
- addClusterInheritedPermissions(viewInstanceEntity, permissions);
+ setViewInstanceRoleAccess(viewInstanceEntity, roles);
}
} catch (Exception e) {
LOG.error("Can't auto create instance of view " + viewName + " for cluster " + clusterName +
@@ -1825,40 +1823,45 @@ public class ViewRegistry {
}
/**
- * Validates principalTypes and creates privilege entities for each permission type for the view instance entity
- * resource.
- * @param viewInstanceEntity - view instance entity for which permission has to be set.
- * @param principalTypes - list of cluster inherited principal types
+ * Set access to the a particular view instance based on a set of roles.
+ * <p>
+ * View access to the specified view instances will be granted to anyone directly or indirectly
+ * assigned to one of the roles in the suppled set of role names.
+ *
+ * @param viewInstanceEntity a view instance entity
+ * @param roles the set of roles to use to for granting access
*/
@Transactional
- private void addClusterInheritedPermissions(ViewInstanceEntity viewInstanceEntity, List<String> principalTypes) {
- List<String> validPermissions = FluentIterable.from(principalTypes)
- .filter(ClusterInheritedPermissionHelper.validPrincipalTypePredicate)
- .toList();
-
- for(String permission: validPermissions) {
- addClusterInheritedPermission(viewInstanceEntity, permission);
- }
- }
-
- private void addClusterInheritedPermission(ViewInstanceEntity viewInstanceEntity, String principalType) {
- ResourceEntity resource = viewInstanceEntity.getResource();
- List<PrincipalEntity> principals = principalDAO.findByPrincipalType(principalType);
- if (principals.size() == 0) {
- LOG.error("Failed to find principal for principal type '{}'", principalType);
- return;
- }
+ protected void setViewInstanceRoleAccess(ViewInstanceEntity viewInstanceEntity, Collection<String> roles) {
+ if ((roles != null) && !roles.isEmpty()) {
+ PermissionEntity permissionViewUser = permissionDAO.findViewUsePermission();
- PrincipalEntity principal = principals.get(0); // There will be only one principal associated with the principal type
- PermissionEntity permission = permissionDAO.findViewUsePermission();
-
- if (!privilegeDAO.exists(principal, resource, permission)) {
- PrivilegeEntity privilege = new PrivilegeEntity();
- privilege.setPrincipal(principal);
- privilege.setResource(resource);
- privilege.setPermission(permission);
-
- privilegeDAO.create(privilege);
+ if (permissionViewUser == null) {
+ LOG.error("Missing the {} role. Access to view cannot be set.",
+ PermissionEntity.VIEW_USER_PERMISSION_NAME, viewInstanceEntity.getName());
+ } else {
+ for (String role : roles) {
+ PermissionEntity permissionRole = permissionDAO.findByName(role);
+
+ if (permissionRole == null) {
+ LOG.warn("Invalid role {} encountered while setting access to view {}, Ignoring.",
+ role, viewInstanceEntity.getName());
+ } else {
+ PrincipalEntity principalRole = permissionRole.getPrincipal();
+
+ if (principalRole == null) {
+ LOG.warn("Missing principal ID for role {} encountered while setting access to view {}. Ignoring.",
+ role, viewInstanceEntity.getName());
+ } else {
+ PrivilegeEntity privilegeEntity = new PrivilegeEntity();
+ privilegeEntity.setPermission(permissionViewUser);
+ privilegeEntity.setPrincipal(principalRole);
+ privilegeEntity.setResource(viewInstanceEntity.getResource());
+ privilegeDAO.create(privilegeEntity);
+ }
+ }
+ }
+ }
}
}
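Review bot: The error log in the `permissionViewUser == null` branch passes two arguments but the pattern contains only one `{}`, so the view name is silently dropped from the message; change it to `LOG.error("Missing the {} role. Access to view {} cannot be set.", PermissionEntity.VIEW_USER_PERMISSION_NAME, viewInstanceEntity.getName());`. The removed `addClusterInheritedPermission` guarded creation with `privilegeDAO.exists(principal, resource, permission)`, while the new loop creates a `PrivilegeEntity` unconditionally; if this method can run more than once for the same instance (it is now `protected`, so it is reachable outside the auto-create path), every run adds another grant row, so wrapping the create in `if (!privilegeDAO.exists(principalRole, viewInstanceEntity.getResource(), permissionViewUser))` keeps the earlier idempotence. The Javadoc could also state that unknown role names and roles without a principal are skipped with a warning rather than failing the install, which is what the loop does.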
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/view/configuration/AutoInstanceConfig.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/view/configuration/AutoInstanceConfig.java b/ambari-server/src/main/java/org/apache/ambari/server/view/configuration/AutoInstanceConfig.java
index 11efc76..f934ed5 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/view/configuration/AutoInstanceConfig.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/view/configuration/AutoInstanceConfig.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -18,16 +18,14 @@
package org.apache.ambari.server.view.configuration;
-import com.google.common.base.Function;
-import com.google.common.collect.FluentIterable;
-import com.google.common.collect.Lists;
-
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlElementWrapper;
-import java.util.Arrays;
+import javax.xml.bind.annotation.adapters.CollapsedStringAdapter;
+import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
import java.util.List;
+import java.util.Set;
/**
* View auto instance configuration.
@@ -48,14 +46,25 @@ public class AutoInstanceConfig extends InstanceConfig {
*/
@XmlElementWrapper
@XmlElement(name="service")
+ @XmlJavaTypeAdapter(CollapsedStringAdapter.class)
private List<String> services;
/**
- * Cluster Inherited permissions. Comma separated strings for multiple values
- * Possible values: ALL.CLUSTER.ADMINISTRATOR, ALL.CLUSTER.OPERATOR, ALL.CLUSTER.USER,
- * ALL.SERVICE.OPERATOR, ALL.SERVICE.ADMINISTRATOR
+ * A list of roles that should have access to this view.
+ * <p>
+ * Example values:
+ * <ul>
+ * <li>CLUSTER.ADMINISTRATOR</li>
+ * <li>CLUSTER.OPERATOR</li>
+ * <li>SERVICE.ADMINISTRATOR</li>
+ * <li>SERVICE.OPERATOR</li>
+ * <li>CLUSTER.USER</li>
+ * </ul>
*/
- private String permissions;
+ @XmlElementWrapper
+ @XmlElement(name="role")
+ @XmlJavaTypeAdapter(CollapsedStringAdapter.class)
+ private Set<String> roles;
/**
* Get the stack id used for auto instance creation.
@@ -76,17 +85,9 @@ public class AutoInstanceConfig extends InstanceConfig {
}
/**
- * @return the list of configured cluster inherited permissions
+ * @return the set of roles that should have access to this view
*/
- public List<String> getPermissions() {
- if(permissions == null) {
- return Lists.newArrayList();
- }
- return FluentIterable.from(Arrays.asList(permissions.split(","))).transform(new Function<String, String>() {
- @Override
- public String apply(String permission) {
- return permission.trim();
- }
- }).toList();
+ public Set<String> getRoles() {
+ return roles;
}
}
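Review bot: `getRoles()` hands back the JAXB-populated set itself and returns `null` when the `<roles>` element is absent, whereas the removed `getPermissions()` normalised the missing case to an empty collection; the caller in `ViewRegistry.setViewInstanceRoleAccess` null-checks today, but every new caller has to remember to. Returning `roles == null ? Collections.<String>emptySet() : Collections.unmodifiableSet(roles)` (with `java.util.Collections` imported) makes the accessor null-safe and keeps the parsed configuration from being mutated after load. The field Javadoc still says "A list of roles" although the type is now a `Set`, which is worth aligning since duplicates now collapse.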
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql
index ed94c40..7ab1dc7 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql
@@ -1174,16 +1174,6 @@ INSERT INTO adminprincipaltype (principal_type_id, principal_type_name)
UNION ALL
SELECT 2, 'GROUP' FROM SYSIBM.SYSDUMMY1
UNION ALL
- SELECT 3, 'ALL.CLUSTER.ADMINISTRATOR' FROM SYSIBM.SYSDUMMY1
- UNION ALL
- SELECT 4, 'ALL.CLUSTER.OPERATOR' FROM SYSIBM.SYSDUMMY1
- UNION ALL
- SELECT 5, 'ALL.CLUSTER.USER' FROM SYSIBM.SYSDUMMY1
- UNION ALL
- SELECT 6, 'ALL.SERVICE.ADMINISTRATOR' FROM SYSIBM.SYSDUMMY1
- UNION ALL
- SELECT 7, 'ALL.SERVICE.OPERRATOR' FROM SYSIBM.SYSDUMMY1
- UNION ALL
SELECT 8, 'ROLE' FROM SYSIBM.SYSDUMMY1;
INSERT INTO adminprincipal (principal_id, principal_type_id)
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
index c8fbaa7..5556e82 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
@@ -1123,11 +1123,6 @@ INSERT INTO adminresource (resource_id, resource_type_id) VALUES
INSERT INTO adminprincipaltype (principal_type_id, principal_type_name) VALUES
(1, 'USER'),
(2, 'GROUP'),
- (3, 'ALL.CLUSTER.ADMINISTRATOR'),
- (4, 'ALL.CLUSTER.OPERATOR'),
- (5, 'ALL.CLUSTER.USER'),
- (6, 'ALL.SERVICE.ADMINISTRATOR'),
- (7, 'ALL.SERVICE.OPERATOR'),
(8, 'ROLE');
INSERT INTO adminprincipal (principal_id, principal_type_id) VALUES
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
index 04473d6..fb3ada5 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
@@ -1119,16 +1119,6 @@ insert into adminprincipaltype (principal_type_id, principal_type_name)
union all
select 2, 'GROUP' from dual
union all
- select 3, 'ALL.CLUSTER.ADMINISTRATOR' from dual
- union all
- select 4, 'ALL.CLUSTER.OPERATOR' from dual
- union all
- select 5, 'ALL.CLUSTER.USER' from dual
- union all
- select 6, 'ALL.SERVICE.ADMINISTRATOR' from dual
- union all
- select 7, 'ALL.SERVICE.OPERATOR' from dual
- union all
select 8, 'ROLE' from dual;
insert into adminprincipal (principal_id, principal_type_id)
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
index 09ae3b0..137a243 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
@@ -1114,11 +1114,6 @@ INSERT INTO adminresource (resource_id, resource_type_id) VALUES
INSERT INTO adminprincipaltype (principal_type_id, principal_type_name) VALUES
(1, 'USER'),
(2, 'GROUP'),
- (3, 'ALL.CLUSTER.ADMINISTRATOR'),
- (4, 'ALL.CLUSTER.OPERATOR'),
- (5, 'ALL.CLUSTER.USER'),
- (6, 'ALL.SERVICE.ADMINISTRATOR'),
- (7, 'ALL.SERVICE.OPERATOR'),
(8, 'ROLE');
INSERT INTO adminprincipal (principal_id, principal_type_id) VALUES
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
index 3dbd3fc..4922378 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
@@ -1116,16 +1116,6 @@ insert into adminprincipaltype (principal_type_id, principal_type_name)
union all
select 2, 'GROUP'
union all
- select 3, 'ALL.CLUSTER.ADMINISTRATOR'
- union all
- select 4, 'ALL.CLUSTER.OPERATOR'
- union all
- select 5, 'ALL.CLUSTER.USER'
- union all
- select 6, 'ALL.SERVICE.ADMINISTRATOR'
- union all
- select 7, 'ALL.SERVICE.OPERATOR'
- union all
select 8, 'ROLE';
insert into adminprincipal (principal_id, principal_type_id)
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
index 9def741..f72b0ab 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
@@ -1140,11 +1140,6 @@ BEGIN TRANSACTION
values
(1, 'USER'),
(2, 'GROUP'),
- (3, 'ALL.CLUSTER.ADMINISTRATOR'),
- (4, 'ALL.CLUSTER.OPERATOR'),
- (5, 'ALL.CLUSTER.USER'),
- (6, 'ALL.SERVICE.ADMINISTRATOR'),
- (7, 'ALL.SERVICE.OPERATOR'),
(8, 'ROLE');
insert into adminprincipal (principal_id, principal_type_id)
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AbstractPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AbstractPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AbstractPrivilegeResourceProviderTest.java
new file mode 100644
index 0000000..547bba5
--- /dev/null
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AbstractPrivilegeResourceProviderTest.java
@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.controller.internal;
+
+import org.apache.ambari.server.orm.dao.MemberDAO;
+import org.apache.ambari.server.orm.dao.PrivilegeDAO;
+import org.apache.ambari.server.security.authorization.Users;
+import org.easymock.EasyMockSupport;
+
+class AbstractPrivilegeResourceProviderTest extends EasyMockSupport {
+
+ static class TestUsers extends Users {
+
+ void setPrivilegeDAO(PrivilegeDAO privilegeDAO) {
+ this.privilegeDAO = privilegeDAO;
+ }
+
+ public void setMemberDAO(MemberDAO memberDAO) {
+ this.memberDAO = memberDAO;
+ }
+ }
+}
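Review bot: The two setters on `TestUsers` have different visibility — `setPrivilegeDAO` is package-private while `setMemberDAO` is `public` — although both exist only so sibling tests in this package can inject mocks; drop `public` from `setMemberDAO` so they match. The new class also has no comment explaining its purpose; a one-line Javadoc such as `/** Shared EasyMock base for the *PrivilegeResourceProviderTest classes; TestUsers exposes the DAO fields of Users for mock injection. */` would tell the next reader why it exists.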
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java
index 99962ee..7702fd0 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java
@@ -270,9 +270,6 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
UserDAO userDAO = injector.getInstance(UserDAO.class);
expect(userDAO.findUsersByPrincipal(anyObject(List.class))).andReturn(userEntities).atLeastOnce();
- GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
- expect(groupDAO.findGroupsByPrincipal(anyObject(List.class))).andReturn(Collections.<GroupEntity>emptyList()).atLeastOnce();
-
replayAll();
SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator("admin"));
@@ -356,10 +353,11 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
Map<Long, UserEntity> userEntities = new HashMap<>();
Map<Long, GroupEntity> groupEntities = new HashMap<>();
+ Map<Long, PermissionEntity> roleEntities = new HashMap<>();
Map<Long, Object> resourceEntities = new HashMap<Long, Object>();
AmbariPrivilegeResourceProvider provider = new AmbariPrivilegeResourceProvider();
- Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, provider.getPropertyIds());
+ Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, provider.getPropertyIds());
Assert.assertEquals(ResourceType.AMBARI.name(), resource.getPropertyValue(AmbariPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID));
@@ -399,12 +397,13 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
Map<Long, UserEntity> userEntities = new HashMap<>();
Map<Long, GroupEntity> groupEntities = new HashMap<>();
+ Map<Long, PermissionEntity> roleEntities = new HashMap<>();
Map<Long, Object> resourceEntities = new HashMap<Long, Object>();
resourceEntities.put(resourceEntity.getId(), clusterEntity);
AmbariPrivilegeResourceProvider provider = new AmbariPrivilegeResourceProvider();
- Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, provider.getPropertyIds());
+ Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, provider.getPropertyIds());
Assert.assertEquals("TestCluster", resource.getPropertyValue(ClusterPrivilegeResourceProvider.PRIVILEGE_CLUSTER_NAME_PROPERTY_ID));
Assert.assertEquals(ResourceType.CLUSTER.name(), resource.getPropertyValue(AmbariPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID));
@@ -450,12 +449,13 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
Map<Long, UserEntity> userEntities = new HashMap<>();
Map<Long, GroupEntity> groupEntities = new HashMap<>();
+ Map<Long, PermissionEntity> roleEntities = new HashMap<>();
Map<Long, Object> resourceEntities = new HashMap<Long, Object>();
resourceEntities.put(resourceEntity.getId(), viewInstanceEntity);
AmbariPrivilegeResourceProvider provider = new AmbariPrivilegeResourceProvider();
- Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, provider.getPropertyIds());
+ Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, provider.getPropertyIds());
Assert.assertEquals("Test View", resource.getPropertyValue(ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID));
Assert.assertEquals("TestView", resource.getPropertyValue(ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_NAME_PROPERTY_ID));
@@ -503,12 +503,13 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
Map<Long, UserEntity> userEntities = new HashMap<>();
Map<Long, GroupEntity> groupEntities = new HashMap<>();
+ Map<Long, PermissionEntity> roleEntities = new HashMap<>();
Map<Long, Object> resourceEntities = new HashMap<Long, Object>();
resourceEntities.put(resourceEntity.getId(), viewInstanceEntity);
AmbariPrivilegeResourceProvider provider = new AmbariPrivilegeResourceProvider();
- Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, provider.getPropertyIds());
+ Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, provider.getPropertyIds());
Assert.assertEquals("Test View", resource.getPropertyValue(ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID));
Assert.assertEquals("TestView", resource.getPropertyValue(ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_NAME_PROPERTY_ID));
@@ -608,9 +609,6 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
ClusterDAO clusterDAO = injector.getInstance(ClusterDAO.class);
expect(clusterDAO.findAll()).andReturn(Collections.<ClusterEntity>emptyList()).atLeastOnce();
- GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
- expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList()).atLeastOnce();
-
replayAll();
SecurityContextHolder.getContext().setAuthentication(authentication);
@@ -664,9 +662,6 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
ClusterDAO clusterDAO = injector.getInstance(ClusterDAO.class);
expect(clusterDAO.findAll()).andReturn(clusterEntities).atLeastOnce();
- GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
- expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList()).atLeastOnce();
-
replayAll();
SecurityContextHolder.getContext().setAuthentication(authentication);
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProviderTest.java
index f00a21a..976dd34 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProviderTest.java
@@ -38,7 +38,6 @@ import org.apache.ambari.server.orm.dao.ResourceDAO;
import org.apache.ambari.server.orm.dao.UserDAO;
import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
import org.apache.ambari.server.orm.entities.ClusterEntity;
-import org.apache.ambari.server.orm.entities.GroupEntity;
import org.apache.ambari.server.orm.entities.PermissionEntity;
import org.apache.ambari.server.orm.entities.PrincipalEntity;
import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
@@ -61,7 +60,6 @@ import org.springframework.security.core.context.SecurityContextHolder;
import javax.persistence.EntityManager;
import java.util.ArrayList;
-import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.LinkedList;
@@ -251,9 +249,6 @@ public class ClusterPrivilegeResourceProviderTest extends EasyMockSupport {
UserDAO userDAO = injector.getInstance(UserDAO.class);
expect(userDAO.findUsersByPrincipal(principalEntities)).andReturn(userEntities);
- GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
- expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList());
-
replayAll();
SecurityContextHolder.getContext().setAuthentication(authentication);
@@ -306,9 +301,6 @@ public class ClusterPrivilegeResourceProviderTest extends EasyMockSupport {
UserDAO userDAO = injector.getInstance(UserDAO.class);
expect(userDAO.findUsersByPrincipal(principalEntities)).andReturn(userEntities);
- GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
- expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList());
-
replayAll();
SecurityContextHolder.getContext().setAuthentication(authentication);
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProviderTest.java
index c3510a8..d417595 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProviderTest.java
@@ -18,7 +18,6 @@
package org.apache.ambari.server.controller.internal;
-import com.google.common.collect.Lists;
import junit.framework.Assert;
import org.apache.ambari.server.controller.spi.Predicate;
import org.apache.ambari.server.controller.spi.Request;
@@ -31,7 +30,6 @@ import org.apache.ambari.server.orm.dao.GroupDAO;
import org.apache.ambari.server.orm.dao.PrivilegeDAO;
import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
import org.apache.ambari.server.orm.entities.ClusterEntity;
-import org.apache.ambari.server.orm.entities.MemberEntity;
import org.apache.ambari.server.orm.entities.PermissionEntity;
import org.apache.ambari.server.orm.entities.PrincipalEntity;
import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
@@ -44,13 +42,15 @@ import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
import org.apache.ambari.server.security.TestAuthenticationFactory;
import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.security.authorization.ResourceType;
-import org.easymock.EasyMockSupport;
+import org.apache.ambari.server.security.authorization.Users;
import org.junit.Test;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import java.util.Collections;
import java.util.HashSet;
+import java.util.LinkedList;
+import java.util.List;
import java.util.Set;
import static org.easymock.EasyMock.anyObject;
@@ -59,7 +59,7 @@ import static org.easymock.EasyMock.expect;
/**
* GroupPrivilegeResourceProvider tests.
*/
-public class GroupPrivilegeResourceProviderTest extends EasyMockSupport {
+public class GroupPrivilegeResourceProviderTest extends AbstractPrivilegeResourceProviderTest {
@Test(expected = SystemException.class)
public void testCreateResources() throws Exception {
@@ -124,11 +124,11 @@ public class GroupPrivilegeResourceProviderTest extends EasyMockSupport {
ClusterDAO clusterDAO = createMock(ClusterDAO.class);
ViewInstanceDAO viewInstanceDAO = createMock(ViewInstanceDAO.class);
- PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+ Users users = createNiceMock(Users.class);
replayAll();
- GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+ GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, users);
GroupPrivilegeResourceProvider provider = new GroupPrivilegeResourceProvider();
Resource resource = provider.toResource(privilegeEntity, "group1", provider.getPropertyIds());
@@ -175,11 +175,11 @@ public class GroupPrivilegeResourceProviderTest extends EasyMockSupport {
GroupDAO groupDAO = createMock(GroupDAO.class);
expect(groupDAO.findGroupByPrincipal(anyObject(PrincipalEntity.class))).andReturn(groupEntity).anyTimes();
- PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+ Users users = createNiceMock(Users.class);
replayAll();
- GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+ GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, users);
GroupPrivilegeResourceProvider provider = new GroupPrivilegeResourceProvider();
Resource resource = provider.toResource(privilegeEntity, "group1", provider.getPropertyIds());
@@ -233,11 +233,11 @@ public class GroupPrivilegeResourceProviderTest extends EasyMockSupport {
GroupDAO groupDAO = createMock(GroupDAO.class);
expect(groupDAO.findGroupByPrincipal(anyObject(PrincipalEntity.class))).andReturn(groupEntity).anyTimes();
- PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+ Users users = createNiceMock(Users.class);
replayAll();
- GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+ GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, users);
GroupPrivilegeResourceProvider provider = new GroupPrivilegeResourceProvider();
Resource resource = provider.toResource(privilegeEntity, "group1", provider.getPropertyIds());
@@ -292,11 +292,11 @@ public class GroupPrivilegeResourceProviderTest extends EasyMockSupport {
GroupDAO groupDAO = createMock(GroupDAO.class);
expect(groupDAO.findGroupByPrincipal(anyObject(PrincipalEntity.class))).andReturn(groupEntity).anyTimes();
- PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+ Users users = createNiceMock(Users.class);
replayAll();
- GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+ GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, users);
GroupPrivilegeResourceProvider provider = new GroupPrivilegeResourceProvider();
Resource resource = provider.toResource(privilegeEntity, "group1", provider.getPropertyIds());
@@ -320,30 +320,32 @@ public class GroupPrivilegeResourceProviderTest extends EasyMockSupport {
final PrincipalTypeEntity principalTypeEntity = createNiceMock(PrincipalTypeEntity.class);
final ResourceEntity resourceEntity = createNiceMock(ResourceEntity.class);
final ResourceTypeEntity resourceTypeEntity = createNiceMock(ResourceTypeEntity.class);
- final PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
-
- expect(groupDAO.findGroupByName(requestedGroupName)).andReturn(groupEntity).anyTimes();
- expect(groupEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
- expect(groupEntity.getMemberEntities()).andReturn(Collections.<MemberEntity>emptySet()).anyTimes();
- expect(privilegeEntity.getPermission()).andReturn(permissionEntity).anyTimes();
- expect(privilegeEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
- expect(principalEntity.getPrincipalType()).andReturn(principalTypeEntity).anyTimes();
- expect(principalTypeEntity.getName()).andReturn(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME).anyTimes();
- expect(principalEntity.getPrivileges()).andReturn(new HashSet<PrivilegeEntity>() {
- {
- add(privilegeEntity);
- }
- }).anyTimes();
- expect(groupDAO.findGroupByPrincipal(anyObject(PrincipalEntity.class))).andReturn(groupEntity).anyTimes();
- expect(groupEntity.getGroupName()).andReturn(requestedGroupName).anyTimes();
- expect(privilegeEntity.getResource()).andReturn(resourceEntity).anyTimes();
- expect(resourceEntity.getResourceType()).andReturn(resourceTypeEntity).anyTimes();
+ final PrivilegeDAO privilegeDAO = createMock(PrivilegeDAO.class);
+
+ final TestUsers users = new TestUsers();
+ users.setPrivilegeDAO(privilegeDAO);
+
+ List<PrincipalEntity> groupPrincipals = new LinkedList<PrincipalEntity>();
+ groupPrincipals.add(principalEntity);
+
+ expect(privilegeDAO.findAllByPrincipal(groupPrincipals)).
+ andReturn(Collections.singletonList(privilegeEntity))
+ .once();
+ expect(groupDAO.findGroupByName(requestedGroupName)).andReturn(groupEntity).atLeastOnce();
+ expect(groupEntity.getPrincipal()).andReturn(principalEntity).atLeastOnce();
+ expect(privilegeEntity.getPermission()).andReturn(permissionEntity).atLeastOnce();
+ expect(privilegeEntity.getPrincipal()).andReturn(principalEntity).atLeastOnce();
+ expect(principalEntity.getPrincipalType()).andReturn(principalTypeEntity).atLeastOnce();
+ expect(principalTypeEntity.getName()).andReturn(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME).atLeastOnce();
+ expect(groupDAO.findGroupByPrincipal(anyObject(PrincipalEntity.class))).andReturn(groupEntity).atLeastOnce();
+ expect(groupEntity.getGroupName()).andReturn(requestedGroupName).atLeastOnce();
+ expect(privilegeEntity.getResource()).andReturn(resourceEntity).atLeastOnce();
+ expect(resourceEntity.getResourceType()).andReturn(resourceTypeEntity).atLeastOnce();
expect(resourceTypeEntity.getName()).andReturn(ResourceType.AMBARI.name());
- expect(viewInstanceDAO.findAll()).andReturn(Lists.<ViewInstanceEntity>newArrayList()).anyTimes();
replayAll();
- GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+ GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, users);
final Set<String> propertyIds = new HashSet<String>();
propertyIds.add(GroupPrivilegeResourceProvider.PRIVILEGE_GROUP_NAME_PROPERTY_ID);
@@ -367,5 +369,4 @@ public class GroupPrivilegeResourceProviderTest extends EasyMockSupport {
verifyAll();
}
-
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
index 1f3cb52..ddb510d 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -18,8 +18,6 @@
package org.apache.ambari.server.controller.internal;
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
import junit.framework.Assert;
import org.apache.ambari.server.controller.spi.Predicate;
import org.apache.ambari.server.controller.spi.Request;
@@ -29,6 +27,7 @@ import org.apache.ambari.server.controller.utilities.PredicateBuilder;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
import org.apache.ambari.server.orm.dao.ClusterDAO;
import org.apache.ambari.server.orm.dao.GroupDAO;
+import org.apache.ambari.server.orm.dao.MemberDAO;
import org.apache.ambari.server.orm.dao.PrivilegeDAO;
import org.apache.ambari.server.orm.dao.UserDAO;
import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
@@ -46,7 +45,7 @@ import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
import org.apache.ambari.server.security.TestAuthenticationFactory;
import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.security.authorization.ResourceType;
-import org.easymock.EasyMockSupport;
+import org.apache.ambari.server.security.authorization.Users;
import org.junit.Test;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
@@ -54,6 +53,8 @@ import org.springframework.security.core.context.SecurityContextHolder;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
+import java.util.LinkedList;
+import java.util.List;
import java.util.Set;
import static org.easymock.EasyMock.anyObject;
@@ -62,7 +63,7 @@ import static org.easymock.EasyMock.expect;
/**
* UserPrivilegeResourceProvider tests.
*/
-public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
+public class UserPrivilegeResourceProviderTest extends AbstractPrivilegeResourceProviderTest {
@Test(expected = SystemException.class)
public void testCreateResources() throws Exception {
@@ -134,11 +135,11 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
GroupDAO groupDAO = createMock(GroupDAO.class);
ViewInstanceDAO viewInstanceDAO = createMock(ViewInstanceDAO.class);
- PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+ Users users = createNiceMock(Users.class);
replayAll();
- UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+ UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
UserPrivilegeResourceProvider provider = new UserPrivilegeResourceProvider();
Resource resource = provider.toResource(privilegeEntity, "jdoe", provider.getPropertyIds());
@@ -187,11 +188,11 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
UserDAO userDAO = createMock(UserDAO.class);
expect(userDAO.findUserByPrincipal(anyObject(PrincipalEntity.class))).andReturn(userEntity).anyTimes();
- PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+ Users users = createNiceMock(Users.class);
replayAll();
- UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+ UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
UserPrivilegeResourceProvider provider = new UserPrivilegeResourceProvider();
Resource resource = provider.toResource(privilegeEntity, "jdoe", provider.getPropertyIds());
@@ -246,11 +247,11 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
UserDAO userDAO = createMock(UserDAO.class);
expect(userDAO.findUserByPrincipal(anyObject(PrincipalEntity.class))).andReturn(userEntity).anyTimes();
- PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+ Users users = createNiceMock(Users.class);
replayAll();
- UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+ UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
UserPrivilegeResourceProvider provider = new UserPrivilegeResourceProvider();
Resource resource = provider.toResource(privilegeEntity, "jdoe", provider.getPropertyIds());
@@ -307,11 +308,11 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
UserDAO userDAO = createMock(UserDAO.class);
expect(userDAO.findUserByPrincipal(anyObject(PrincipalEntity.class))).andReturn(userEntity).anyTimes();
- PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+ Users users = createNiceMock(Users.class);
replayAll();
- UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+ UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
UserPrivilegeResourceProvider provider = new UserPrivilegeResourceProvider();
Resource resource = provider.toResource(privilegeEntity, "jdoe", provider.getPropertyIds());
@@ -327,7 +328,14 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
public void testToResource_SpecificVIEW_WithClusterInheritedPermission() throws Exception {
SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createClusterAdministrator("jdoe", 2L));
+ PrincipalTypeEntity rolePrincipalTypeEntity = createMock(PrincipalTypeEntity.class);
+ expect(rolePrincipalTypeEntity.getName()).andReturn("ROLE").atLeastOnce();
+
+ PrincipalEntity rolePrincipalEntity = createMock(PrincipalEntity.class);
+ expect(rolePrincipalEntity.getPrincipalType()).andReturn(rolePrincipalTypeEntity).atLeastOnce();
+
PermissionEntity permissionEntity = createMock(PermissionEntity.class);
+ expect(permissionEntity.getPrincipal()).andReturn(rolePrincipalEntity).atLeastOnce();
expect(permissionEntity.getPermissionName()).andReturn("CLUSTER.ADMINISTRATOR").atLeastOnce();
expect(permissionEntity.getPermissionLabel()).andReturn("Cluster Administrator").atLeastOnce();
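Review bot: The new role-principal stub returns the bare literal `"ROLE"` from `rolePrincipalTypeEntity.getName()`, while the sibling group test in GroupPrivilegeResourceProviderTest uses `PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME`; if PrincipalTypeEntity declares the matching constant for the role type (not visible here), prefer `andReturn(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME)` so that a rename of the type name the provider compares against breaks this test instead of silently turning the inherited privilege into a non-match. The mock also deserves a one-line comment explaining why a second principal type appears in a user-privilege test, e.g. `// principal of the CLUSTER.ADMINISTRATOR role itself; privileges granted to it are expected to show up as implicit privileges of jdoe`. The test method continues past this hunk.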
@@ -337,19 +345,10 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
PrincipalEntity principalEntity = createMock(PrincipalEntity.class);
expect(principalEntity.getPrincipalType()).andReturn(principalTypeEntity).atLeastOnce();
-
- PrincipalTypeEntity principalTypeWithAllClusterAdministrator = createNiceMock(PrincipalTypeEntity.class);
- expect(principalTypeWithAllClusterAdministrator.getName()).andReturn("ALL.CLUSTER.ADMINISTRATOR").atLeastOnce();
-
- PrincipalEntity principalEntityWithAllClusterAdministrator = createNiceMock(PrincipalEntity.class);
- expect(principalEntityWithAllClusterAdministrator.getPrincipalType()).andReturn(principalTypeWithAllClusterAdministrator).atLeastOnce();
-
ViewEntity viewEntity = createMock(ViewEntity.class);
expect(viewEntity.getCommonName()).andReturn("TestView").atLeastOnce();
expect(viewEntity.getVersion()).andReturn("1.2.3.4").atLeastOnce();
-
-
ResourceTypeEntity resourceTypeEntity = createMock(ResourceTypeEntity.class);
expect(resourceTypeEntity.getName()).andReturn("TestView{1.2.3.4}").atLeastOnce();
@@ -360,38 +359,56 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
ViewInstanceEntity viewInstanceEntity = createMock(ViewInstanceEntity.class);
expect(viewInstanceEntity.getViewEntity()).andReturn(viewEntity).atLeastOnce();
expect(viewInstanceEntity.getName()).andReturn("Test View").atLeastOnce();
- expect(viewInstanceEntity.getClusterHandle()).andReturn(1L).atLeastOnce();
- expect(viewInstanceEntity.getResource()).andReturn(resourceEntity).atLeastOnce();
- PrivilegeEntity privilegeEntityViewWithClusterAdminAccess = createMock(PrivilegeEntity.class);
- expect(privilegeEntityViewWithClusterAdminAccess.getPrincipal()).andReturn(principalEntityWithAllClusterAdministrator).atLeastOnce();
+ PrivilegeEntity explicitPrivilegeEntity = createMock(PrivilegeEntity.class);
+ expect(explicitPrivilegeEntity.getId()).andReturn(1).atLeastOnce();
+ expect(explicitPrivilegeEntity.getPermission()).andReturn(permissionEntity).atLeastOnce();
+ expect(explicitPrivilegeEntity.getPrincipal()).andReturn(principalEntity).atLeastOnce();
+ expect(explicitPrivilegeEntity.getResource()).andReturn(resourceEntity).atLeastOnce();
- PrivilegeEntity privilegeEntity = createMock(PrivilegeEntity.class);
- expect(privilegeEntity.getId()).andReturn(1).atLeastOnce();
- expect(privilegeEntity.getPermission()).andReturn(permissionEntity).atLeastOnce();
- expect(privilegeEntity.getPrincipal()).andReturn(principalEntity).atLeastOnce();
- expect(privilegeEntity.getResource()).andReturn(resourceEntity).atLeastOnce();
-
- expect(principalEntity.getPrivileges()).andReturn(Sets.newHashSet(privilegeEntity)).atLeastOnce();
+ PrivilegeEntity implicitPrivilegeEntity = createMock(PrivilegeEntity.class);
+ expect(implicitPrivilegeEntity.getId()).andReturn(2).atLeastOnce();
+ expect(implicitPrivilegeEntity.getPermission()).andReturn(permissionEntity).atLeastOnce();
+ expect(implicitPrivilegeEntity.getPrincipal()).andReturn(rolePrincipalEntity).atLeastOnce();
+ expect(implicitPrivilegeEntity.getResource()).andReturn(resourceEntity).atLeastOnce();
UserEntity userEntity = createMock(UserEntity.class);
expect(userEntity.getUserName()).andReturn("jdoe").atLeastOnce();
expect(userEntity.getPrincipal()).andReturn(principalEntity).atLeastOnce();
- expect(userEntity.getMemberEntities()).andReturn(Sets.<MemberEntity>newHashSet()).atLeastOnce();
ClusterDAO clusterDAO = createMock(ClusterDAO.class);
GroupDAO groupDAO = createMock(GroupDAO.class);
ViewInstanceDAO viewInstanceDAO = createMock(ViewInstanceDAO.class);
expect(viewInstanceDAO.findByResourceId(1L)).andReturn(viewInstanceEntity).atLeastOnce();
- expect(viewInstanceDAO.findAll()).andReturn(Lists.newArrayList(viewInstanceEntity)).atLeastOnce();
final UserDAO userDAO = createNiceMock(UserDAO.class);
expect(userDAO.findLocalUserByName("jdoe")).andReturn(userEntity).anyTimes();
expect(userDAO.findUserByPrincipal(anyObject(PrincipalEntity.class))).andReturn(userEntity).anyTimes();
- PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
- expect(privilegeDAO.findByResourceId(1L)).andReturn(Lists.newArrayList(privilegeEntity, privilegeEntityViewWithClusterAdminAccess)).anyTimes();
+ final PrivilegeDAO privilegeDAO = createMock(PrivilegeDAO.class);
+ final MemberDAO memberDAO = createMock(MemberDAO.class);
+
+ final TestUsers users = new TestUsers();
+ users.setPrivilegeDAO(privilegeDAO);
+ users.setMemberDAO(memberDAO);
+
+ List<PrincipalEntity> rolePrincipals = new LinkedList<PrincipalEntity>();
+ rolePrincipals.add(rolePrincipalEntity);
+
+ List<PrincipalEntity> userPrincipals = new LinkedList<PrincipalEntity>();
+ userPrincipals.add(principalEntity);
+
+ expect(privilegeDAO.findAllByPrincipal(userPrincipals)).
+ andReturn(Collections.singletonList(explicitPrivilegeEntity))
+ .once();
+ // Implicit privileges...
+ expect(privilegeDAO.findAllByPrincipal(rolePrincipals)).
+ andReturn(Collections.singletonList(implicitPrivilegeEntity))
+ .once();
+ expect(memberDAO.findAllMembersByUser(userEntity)).
+ andReturn(Collections.<MemberEntity>emptyList())
+ .atLeastOnce();
replayAll();
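Review bot: The `// Implicit privileges...` comment does not say where the role principal comes from or why it is queried, which is the authorization behaviour this test exists to pin: jdoe is set up as a cluster administrator, and the privilege granted to the CLUSTER.ADMINISTRATOR role's own principal is expected to be reported as jdoe's. I'd replace the comment with `// jdoe holds CLUSTER.ADMINISTRATOR, so the provider must also query the privileges granted to that role's principal (implicit privileges)`, and note on the `memberDAO` stub that `// jdoe is in no groups, so no group principals are added to the lookup`. The `.once()` counts on both `findAllByPrincipal` expectations are good: they pin that each principal list is queried exactly once rather than, say, the role list being queried for every explicit privilege. The test method continues outside this hunk.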
@@ -404,7 +421,7 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
TestAuthenticationFactory.createClusterAdministrator("jdoe", 2L);
Request request = PropertyHelper.getReadRequest(propertyIds);
- UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+ UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
UserPrivilegeResourceProvider provider = new UserPrivilegeResourceProvider();
Set<Resource> resources = provider.getResources(request, predicate);
@@ -424,7 +441,6 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
final GroupDAO groupDAO = createNiceMock(GroupDAO.class);
final ClusterDAO clusterDAO = createNiceMock(ClusterDAO.class);
final ViewInstanceDAO viewInstanceDAO = createNiceMock(ViewInstanceDAO.class);
- final PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
final UserEntity userEntity = createNiceMock(UserEntity.class);
final PrincipalEntity principalEntity = createNiceMock(PrincipalEntity.class);
final PrivilegeEntity privilegeEntity = createNiceMock(PrivilegeEntity.class);
@@ -432,7 +448,22 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
final PrincipalTypeEntity principalTypeEntity = createNiceMock(PrincipalTypeEntity.class);
final ResourceEntity resourceEntity = createNiceMock(ResourceEntity.class);
final ResourceTypeEntity resourceTypeEntity = createNiceMock(ResourceTypeEntity.class);
-
+ final PrivilegeDAO privilegeDAO = createMock(PrivilegeDAO.class);
+ final MemberDAO memberDAO = createMock(MemberDAO.class);
+
+ final TestUsers users = new TestUsers();
+ users.setPrivilegeDAO(privilegeDAO);
+ users.setMemberDAO(memberDAO);
+
+ List<PrincipalEntity> userPrincipals = new LinkedList<PrincipalEntity>();
+ userPrincipals.add(principalEntity);
+
+ expect(privilegeDAO.findAllByPrincipal(userPrincipals)).
+ andReturn(Collections.singletonList(privilegeEntity))
+ .atLeastOnce();
+ expect(memberDAO.findAllMembersByUser(userEntity)).
+ andReturn(Collections.<MemberEntity>emptyList())
+ .atLeastOnce();
expect(userDAO.findLocalUserByName(requestedUsername)).andReturn(userEntity).anyTimes();
expect(userEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
expect(userEntity.getMemberEntities()).andReturn(Collections.<MemberEntity>emptySet()).anyTimes();
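Review bot: The retained `expect(userEntity.getMemberEntities()).andReturn(Collections.<MemberEntity>emptySet()).anyTimes()` stub appears to duplicate the new `memberDAO.findAllMembersByUser(userEntity)` expectation; if group membership is now resolved through MemberDAO, the `anyTimes()` stub can never fail and should be dropped, otherwise a provider regression that reads membership from the entity instead of the DAO would go unnoticed. Since `memberDAO` is a non-nice mock with `atLeastOnce()`, the test already pins that the group-inheritance path goes through the DAO, which is the right thing to assert for a privilege-inheritance surface; a comment such as `// membership is resolved through MemberDAO, not UserEntity.getMemberEntities()` would make that intent explicit. The enclosing test method continues outside this hunk.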
@@ -454,7 +485,7 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
replayAll();
- UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+ UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
final Set<String> propertyIds = new HashSet<String>();
propertyIds.add(UserPrivilegeResourceProvider.PRIVILEGE_USER_NAME_PROPERTY_ID);
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProviderTest.java
index d85b37b..20ecc88 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProviderTest.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -30,7 +30,6 @@ import org.apache.ambari.server.orm.dao.ResourceTypeDAO;
import org.apache.ambari.server.orm.dao.UserDAO;
import org.apache.ambari.server.orm.dao.ViewDAO;
import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
-import org.apache.ambari.server.orm.entities.GroupEntity;
import org.apache.ambari.server.orm.entities.PermissionEntity;
import org.apache.ambari.server.orm.entities.PrincipalEntity;
import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
@@ -53,7 +52,6 @@ import org.junit.BeforeClass;
import org.junit.Test;
import org.springframework.security.core.context.SecurityContextHolder;
-import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
@@ -146,7 +144,6 @@ public class ViewPrivilegeResourceProviderTest {
expect(permissionDAO.findById(PermissionEntity.VIEW_USER_PERMISSION)).andReturn(permissionEntity);
expect(userDAO.findUsersByPrincipal(principalEntities)).andReturn(userEntities);
- expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList());
replay(privilegeDAO, userDAO, groupDAO, principalDAO, permissionDAO, resourceDAO, privilegeEntity, resourceEntity,
userEntity, principalEntity, permissionEntity, principalTypeEntity);
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
index 47211ef..d376d4b 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
@@ -362,72 +362,6 @@ public class AuthorizationHelperTest extends EasyMockSupport {
}
@Test
- public void testIsAuthorizedForClusterInheritedPermission() {
-
- ResourceTypeEntity clusterResourceTypeEntity = new ResourceTypeEntity();
- clusterResourceTypeEntity.setId(1);
- clusterResourceTypeEntity.setName(ResourceType.CLUSTER.name());
-
- ResourceEntity clusterResourceEntity = new ResourceEntity();
- clusterResourceEntity.setResourceType(clusterResourceTypeEntity);
- clusterResourceEntity.setId(1L);
-
- PermissionEntity clusterPermissionEntity = new PermissionEntity();
- clusterPermissionEntity.setPermissionName("CLUSTER.ADMINISTRATOR");
-
- RoleAuthorizationEntity readOnlyRoleAuthorizationEntity = new RoleAuthorizationEntity();
- readOnlyRoleAuthorizationEntity.setAuthorizationId(RoleAuthorization.CLUSTER_VIEW_METRICS.getId());
-
- RoleAuthorizationEntity privilegedRoleAuthorizationEntity = new RoleAuthorizationEntity();
- privilegedRoleAuthorizationEntity.setAuthorizationId(RoleAuthorization.CLUSTER_TOGGLE_KERBEROS.getId());
-
-
- clusterPermissionEntity.setAuthorizations(Arrays.asList(readOnlyRoleAuthorizationEntity,
- privilegedRoleAuthorizationEntity));
-
- PrivilegeEntity clusterPrivilegeEntity = new PrivilegeEntity();
- clusterPrivilegeEntity.setPermission(clusterPermissionEntity);
- clusterPrivilegeEntity.setResource(clusterResourceEntity);
-
- GrantedAuthority clusterAuthority = new AmbariGrantedAuthority(clusterPrivilegeEntity);
- Authentication clusterUser = new TestAuthentication(Collections.singleton(clusterAuthority));
-
-
- Provider viewInstanceDAOProvider = createNiceMock(Provider.class);
- Provider privilegeDAOProvider = createNiceMock(Provider.class);
-
- ViewInstanceDAO viewInstanceDAO = createNiceMock(ViewInstanceDAO.class);
- PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
-
- ViewInstanceEntity viewInstanceEntity = createNiceMock(ViewInstanceEntity.class);
- expect(viewInstanceEntity.getClusterHandle()).andReturn(1L).anyTimes();
-
- PrivilegeEntity privilegeEntity = createNiceMock(PrivilegeEntity.class);
- PrincipalEntity principalEntity = createNiceMock(PrincipalEntity.class);
- PrincipalTypeEntity principalTypeEntity = createNiceMock(PrincipalTypeEntity.class);
-
- expect(viewInstanceDAOProvider.get()).andReturn(viewInstanceDAO).anyTimes();
- expect(privilegeDAOProvider.get()).andReturn(privilegeDAO).anyTimes();
-
- expect(viewInstanceDAO.findByResourceId(2L)).andReturn(viewInstanceEntity).anyTimes();
-
- expect(privilegeDAO.findByResourceId(2L)).andReturn(Lists.newArrayList(privilegeEntity)).anyTimes();
-
- expect(principalTypeEntity.getName()).andReturn("ALL.CLUSTER.ADMINISTRATOR").anyTimes();
- expect(principalEntity.getPrincipalType()).andReturn(principalTypeEntity).anyTimes();
- expect(privilegeEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
-
- replayAll();
-
- AuthorizationHelper.viewInstanceDAOProvider = viewInstanceDAOProvider;
- AuthorizationHelper.privilegeDAOProvider = privilegeDAOProvider;
-
- SecurityContext context = SecurityContextHolder.getContext();
- context.setAuthentication(clusterUser);
-
- assertTrue(AuthorizationHelper.isAuthorized(ResourceType.VIEW, 2L, EnumSet.of(RoleAuthorization.VIEW_USE)));
- }
-
public void testIsAuthorizedForSpecificView() {
RoleAuthorizationEntity readOnlyRoleAuthorizationEntity = new RoleAuthorizationEntity();
readOnlyRoleAuthorizationEntity.setAuthorizationId(RoleAuthorization.CLUSTER_VIEW_METRICS.getId());
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog242Test.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog242Test.java b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog242Test.java
index 4457858..29bf820 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog242Test.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog242Test.java
@@ -20,6 +20,8 @@ package org.apache.ambari.server.upgrade;
import javax.persistence.EntityManager;
import junit.framework.Assert;
+
+import static org.easymock.EasyMock.anyString;
import static org.easymock.EasyMock.aryEq;
import static org.easymock.EasyMock.capture;
import static org.easymock.EasyMock.createMockBuilder;
@@ -34,7 +36,13 @@ import static org.easymock.EasyMock.reset;
import static org.easymock.EasyMock.verify;
import java.lang.reflect.Method;
+import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import org.apache.ambari.server.AmbariException;
import org.apache.ambari.server.api.services.AmbariMetaInfo;
import org.apache.ambari.server.configuration.Configuration;
import org.apache.ambari.server.controller.AmbariManagementController;
@@ -44,12 +52,22 @@ import org.apache.ambari.server.orm.InMemoryDefaultTestModule;
import org.apache.ambari.server.orm.dao.ClusterDAO;
import org.apache.ambari.server.orm.dao.ClusterVersionDAO;
import org.apache.ambari.server.orm.dao.HostVersionDAO;
+import org.apache.ambari.server.orm.dao.PermissionDAO;
+import org.apache.ambari.server.orm.dao.PrincipalDAO;
+import org.apache.ambari.server.orm.dao.PrincipalTypeDAO;
+import org.apache.ambari.server.orm.dao.PrivilegeDAO;
import org.apache.ambari.server.orm.dao.RepositoryVersionDAO;
import org.apache.ambari.server.orm.dao.StackDAO;
+import org.apache.ambari.server.orm.entities.PermissionEntity;
+import org.apache.ambari.server.orm.entities.PrincipalEntity;
+import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
+import org.apache.ambari.server.orm.entities.PrivilegeEntity;
+import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.StackEntity;
import org.apache.ambari.server.state.stack.OsFamily;
import org.easymock.Capture;
import org.easymock.EasyMock;
+import org.easymock.EasyMockSupport;
import org.easymock.IMocksControl;
import org.junit.After;
import org.junit.Before;
@@ -219,16 +237,19 @@ public class UpgradeCatalog242Test {
@Test
public void testExecuteDMLUpdates() throws Exception {
Method addNewConfigurationsFromXml = AbstractUpgradeCatalog.class.getDeclaredMethod("addNewConfigurationsFromXml");
-
+ Method convertRolePrincipals = UpgradeCatalog242.class.getDeclaredMethod("convertRolePrincipals");
UpgradeCatalog242 upgradeCatalog242 = createMockBuilder(UpgradeCatalog242.class)
- .addMockedMethod(addNewConfigurationsFromXml)
- .createMock();
+ .addMockedMethod(addNewConfigurationsFromXml)
+ .addMockedMethod(convertRolePrincipals)
+ .createMock();
upgradeCatalog242.addNewConfigurationsFromXml();
expectLastCall().once();
+ upgradeCatalog242.convertRolePrincipals();
+ expectLastCall().once();
replay(upgradeCatalog242);
@@ -236,4 +257,111 @@ public class UpgradeCatalog242Test {
verify(upgradeCatalog242);
}
+
+ @Test
+ public void testConvertRolePrincipals() throws AmbariException, SQLException {
+
+ EasyMockSupport easyMockSupport = new EasyMockSupport();
+
+ PrincipalEntity clusterAdministratorPrincipalEntity = easyMockSupport.createMock(PrincipalEntity.class);
+
+ PermissionEntity clusterAdministratorPermissionEntity = easyMockSupport.createMock(PermissionEntity.class);
+ expect(clusterAdministratorPermissionEntity.getPrincipal())
+ .andReturn(clusterAdministratorPrincipalEntity)
+ .once();
+
+ PrincipalTypeEntity allClusterAdministratorPrincipalTypeEntity = easyMockSupport.createMock(PrincipalTypeEntity.class);
+
+ PermissionDAO permissionDAO = easyMockSupport.createMock(PermissionDAO.class);
+ expect(permissionDAO.findByName("CLUSTER.ADMINISTRATOR"))
+ .andReturn(clusterAdministratorPermissionEntity)
+ .once();
+ expect(permissionDAO.findByName(anyString()))
+ .andReturn(null)
+ .anyTimes();
+
+ PrincipalTypeDAO principalTypeDAO = easyMockSupport.createMock(PrincipalTypeDAO.class);
+ expect(principalTypeDAO.findByName("ALL.CLUSTER.ADMINISTRATOR"))
+ .andReturn(allClusterAdministratorPrincipalTypeEntity)
+ .once();
+ expect(principalTypeDAO.findByName(anyString()))
+ .andReturn(null)
+ .anyTimes();
+ principalTypeDAO.remove(allClusterAdministratorPrincipalTypeEntity);
+ expectLastCall().once();
+
+ ResourceEntity allClusterAdministratorPrivilege1Resource = easyMockSupport.createMock(ResourceEntity.class);
+ expect(allClusterAdministratorPrivilege1Resource.getId()).andReturn(1L).once();
+
+ PrincipalEntity allClusterAdministratorPrivilege1Principal = easyMockSupport.createMock(PrincipalEntity.class);
+ expect(allClusterAdministratorPrivilege1Principal.getId()).andReturn(1L).once();
+
+ PermissionEntity allClusterAdministratorPrivilege1Permission = easyMockSupport.createMock(PermissionEntity.class);
+ expect(allClusterAdministratorPrivilege1Permission.getId()).andReturn(1).once();
+
+ PrivilegeEntity allClusterAdministratorPrivilege1 = easyMockSupport.createMock(PrivilegeEntity.class);
+ expect(allClusterAdministratorPrivilege1.getId()).andReturn(1).atLeastOnce();
+ expect(allClusterAdministratorPrivilege1.getResource()).andReturn(allClusterAdministratorPrivilege1Resource).once();
+ expect(allClusterAdministratorPrivilege1.getPrincipal()).andReturn(allClusterAdministratorPrivilege1Principal).once();
+ expect(allClusterAdministratorPrivilege1.getPermission()).andReturn(allClusterAdministratorPrivilege1Permission).once();
+ allClusterAdministratorPrivilege1.setPrincipal(clusterAdministratorPrincipalEntity);
+ expectLastCall().once();
+
+ ResourceEntity allClusterAdministratorPrivilege2Resource = easyMockSupport.createMock(ResourceEntity.class);
+ expect(allClusterAdministratorPrivilege2Resource.getId()).andReturn(2L).once();
+
+ PrincipalEntity allClusterAdministratorPrivilege2Principal = easyMockSupport.createMock(PrincipalEntity.class);
+ expect(allClusterAdministratorPrivilege2Principal.getId()).andReturn(2L).once();
+
+ PermissionEntity allClusterAdministratorPrivilege2Permission = easyMockSupport.createMock(PermissionEntity.class);
+ expect(allClusterAdministratorPrivilege2Permission.getId()).andReturn(2).once();
+
+ PrivilegeEntity allClusterAdministratorPrivilege2 = easyMockSupport.createMock(PrivilegeEntity.class);
+ expect(allClusterAdministratorPrivilege2.getId()).andReturn(2).atLeastOnce();
+ expect(allClusterAdministratorPrivilege2.getResource()).andReturn(allClusterAdministratorPrivilege2Resource).once();
+ expect(allClusterAdministratorPrivilege2.getPrincipal()).andReturn(allClusterAdministratorPrivilege2Principal).once();
+ expect(allClusterAdministratorPrivilege2.getPermission()).andReturn(allClusterAdministratorPrivilege2Permission).once();
+ allClusterAdministratorPrivilege2.setPrincipal(clusterAdministratorPrincipalEntity);
+ expectLastCall().once();
+
+ Set<PrivilegeEntity> allClusterAdministratorPrivileges = new HashSet<PrivilegeEntity>();
+ allClusterAdministratorPrivileges.add(allClusterAdministratorPrivilege1);
+ allClusterAdministratorPrivileges.add(allClusterAdministratorPrivilege2);
+
+ PrincipalEntity allClusterAdministratorPrincipalEntity = easyMockSupport.createMock(PrincipalEntity.class);
+ expect(allClusterAdministratorPrincipalEntity.getPrivileges())
+ .andReturn(allClusterAdministratorPrivileges)
+ .once();
+
+ List<PrincipalEntity> allClusterAdministratorPrincipals = new ArrayList<PrincipalEntity>();
+ allClusterAdministratorPrincipals.add(allClusterAdministratorPrincipalEntity);
+
+ PrincipalDAO principalDAO = easyMockSupport.createMock(PrincipalDAO.class);
+ expect(principalDAO.findByPrincipalType("ALL.CLUSTER.ADMINISTRATOR"))
+ .andReturn(allClusterAdministratorPrincipals)
+ .once();
+ principalDAO.remove(allClusterAdministratorPrincipalEntity);
+ expectLastCall().once();
+
+
+ PrivilegeDAO privilegeDAO = easyMockSupport.createMock(PrivilegeDAO.class);
+ expect(privilegeDAO.merge(allClusterAdministratorPrivilege1))
+ .andReturn(allClusterAdministratorPrivilege1)
+ .once();
+ expect(privilegeDAO.merge(allClusterAdministratorPrivilege2))
+ .andReturn(allClusterAdministratorPrivilege2)
+ .once();
+
+ Injector injector = easyMockSupport.createNiceMock(Injector.class);
+ expect(injector.getInstance(PrincipalTypeDAO.class)).andReturn(principalTypeDAO).atLeastOnce();
+ expect(injector.getInstance(PrincipalDAO.class)).andReturn(principalDAO).atLeastOnce();
+ expect(injector.getInstance(PermissionDAO.class)).andReturn(permissionDAO).atLeastOnce();
+ expect(injector.getInstance(PrivilegeDAO.class)).andReturn(privilegeDAO).atLeastOnce();
+
+ easyMockSupport.replayAll();
+ UpgradeCatalog242 upgradeCatalog = new UpgradeCatalog242(injector);
+ injector.injectMembers(upgradeCatalog);
+ upgradeCatalog.convertRolePrincipals();
+ easyMockSupport.verifyAll();
+ }
}
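Review bot: testConvertRolePrincipals only exercises the ALL.CLUSTER.ADMINISTRATOR to CLUSTER.ADMINISTRATOR mapping; the catch-all `findByName(anyString())` stubs on both `permissionDAO` and `principalTypeDAO` return null for every other name, so if `convertRolePrincipals` walks a list of pseudo-role types (the AutoInstanceConfigTest fixture on this page also mentions ALL.CLUSTER.OPERATOR and ALL.CLUSTER.USER), a regression that skipped or mis-mapped one of them would still pass. Because this upgrade rewrites authorization data, I'd cover at least one more mapping with its own privilege, merge and remove expectations, and pin that a missing target role (permission lookup returning null) leaves the old principal and its privileges untouched rather than orphaning them. The non-strict mocks also leave the merge/remove ordering unverified: the privileges are reached through `allClusterAdministratorPrincipalEntity.getPrivileges()`, so if the old principal were removed before the two `privilegeDAO.merge` calls, the privileges could be lost with it; a strict `IMocksControl` (already imported in this file) over `privilegeDAO` and `principalDAO` would fix the intended order.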
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/test/java/org/apache/ambari/server/view/configuration/AutoInstanceConfigTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/view/configuration/AutoInstanceConfigTest.java b/ambari-server/src/test/java/org/apache/ambari/server/view/configuration/AutoInstanceConfigTest.java
index 3c4a440..a24f041 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/view/configuration/AutoInstanceConfigTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/view/configuration/AutoInstanceConfigTest.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -22,9 +22,8 @@ import junit.framework.Assert;
import org.junit.Test;
import javax.xml.bind.JAXBException;
-import java.util.LinkedList;
+import java.util.Collection;
import java.util.List;
-import java.util.Set;
import static org.junit.Assert.*;
@@ -75,7 +74,7 @@ public class AutoInstanceConfigTest {
" </property>\n" +
" <stack-id>HDP-2.0</stack-id>\n" +
" <services><service>HIVE</service><service>HDFS</service></services>\n" +
- " <permissions>ALL.CLUSTER.OPERATOR, ALL.CLUSTER.USER</permissions>\n" +
+ " <roles><role>CLUSTER.OPERATOR </role><role> CLUSTER.USER</role></roles>\n" +
" </auto-instance>\n" +
"</view>";
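Review bot: The fixture deliberately leaves whitespace inside the new `<role>` elements (`CLUSTER.OPERATOR ` and ` CLUSTER.USER`) so that the trimmed-name assertions later in this file are meaningful, but nothing says so, and a well-meaning cleanup could normalise the spacing and silently lose that coverage. Add `// whitespace inside <role> is intentional: getRoles() must return trimmed names` above the `<roles>` line. What happens with a mis-cased or unknown role name in a view's auto-instance list is not covered; whether such an entry is rejected or silently ignored when the instance is created is not visible in this diff, but it is worth a test if getRoles() feeds privilege assignment.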
@@ -113,13 +112,13 @@ public class AutoInstanceConfigTest {
@Test
public void shouldParseClusterInheritedPermissions() throws Exception {
AutoInstanceConfig config = getAutoInstanceConfigs(VIEW_XML);
- List<String> permissions = config.getPermissions();
- assertEquals(2, permissions.size());
- assertTrue(permissions.contains("ALL.CLUSTER.OPERATOR"));
- assertTrue(permissions.contains("ALL.CLUSTER.USER"));
+ Collection<String> roles = config.getRoles();
+ assertEquals(2, roles.size());
+ assertTrue(roles.contains("CLUSTER.OPERATOR"));
+ assertTrue(roles.contains("CLUSTER.USER"));
}
- public static AutoInstanceConfig getAutoInstanceConfigs(String xml) throws JAXBException {
+ private static AutoInstanceConfig getAutoInstanceConfigs(String xml) throws JAXBException {
ViewConfig config = ViewConfigTest.getConfig(xml);
return config.getAutoInstance();
}
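Review bot: The assertions expect exactly `CLUSTER.OPERATOR` and `CLUSTER.USER`, while the fixture this test parses (VIEW_XML, outside this hunk) deliberately pads them as `CLUSTER.OPERATOR ` and ` CLUSTER.USER`, so the test silently depends on the parser trimming role names; that intent deserves a comment such as `// fixture pads the role names with whitespace: the parser is expected to trim them`. Because these roles decide who is granted access to the auto-created view instance, a companion case with an unrecognised role name (say `CLUSTER.FOO`) would pin whether AutoInstanceConfig rejects it or silently keeps it; I cannot tell from here which it does.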
[2/4] ambari git commit: Revert "AMBARI-1365. Authorizations given to
roles, should use generic role-based principals rather than hard-coded
pseudo-role-based principals (rlevas)"
Posted by rl...@apache.org.
Revert "AMBARI-1365. Authorizations given to roles, should use generic role-based principals rather than hard-coded pseudo-role-based principals (rlevas)"
This reverts commit b3dda4ffe9c8bc47725fd9292dc621568df45610.
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/b90b2863
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/b90b2863
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/b90b2863
Branch: refs/heads/trunk
Commit: b90b286366e67b7b494b2f2cf886dc4eab4ff006
Parents: 0dd7770
Author: Robert Levas <rl...@hortonworks.com>
Authored: Fri Oct 21 16:01:10 2016 -0400
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Fri Oct 21 16:01:10 2016 -0400
----------------------------------------------------------------------
.../controllers/ambariViews/ViewsEditCtrl.js | 16 +-
.../ui/admin-web/app/scripts/i18n.config.js | 10 +-
.../app/scripts/services/PermissionLoader.js | 11 +-
.../app/scripts/services/PermissionsSaver.js | 8 +-
.../ui/admin-web/app/scripts/services/View.js | 12 +-
.../admin-web/app/views/ambariViews/edit.html | 4 +-
.../test/unit/services/PermissionSaver_test.js | 16 +-
...ClusterPrivilegeChangeRequestAuditEvent.java | 21 +-
.../ViewPrivilegeChangeRequestAuditEvent.java | 18 +-
.../eventcreator/PrivilegeEventCreator.java | 4 +-
.../eventcreator/ViewPrivilegeEventCreator.java | 4 +-
.../ambari/server/controller/AmbariServer.java | 2 +-
.../AmbariPrivilegeResourceProvider.java | 9 +-
.../ClusterPrivilegeResourceProvider.java | 3 +-
.../GroupPrivilegeResourceProvider.java | 18 +-
.../internal/PrivilegeResourceProvider.java | 114 +++-------
.../internal/UserPrivilegeResourceProvider.java | 49 +++--
.../internal/ViewPrivilegeResourceProvider.java | 8 +-
.../ambari/server/orm/dao/PermissionDAO.java | 35 +--
.../ambari/server/orm/dao/PrincipalDAO.java | 13 +-
.../ambari/server/orm/dao/PrincipalTypeDAO.java | 29 +--
.../server/orm/entities/PermissionEntity.java | 6 -
.../orm/entities/PrincipalTypeEntity.java | 17 +-
.../authorization/AuthorizationHelper.java | 56 ++++-
.../ClusterInheritedPermissionHelper.java | 213 +++++++++++++++++++
.../server/security/authorization/Users.java | 145 ++-----------
.../server/upgrade/UpgradeCatalog242.java | 100 ---------
.../apache/ambari/server/view/ViewRegistry.java | 75 ++++---
.../view/configuration/AutoInstanceConfig.java | 43 ++--
.../main/resources/Ambari-DDL-Derby-CREATE.sql | 10 +
.../main/resources/Ambari-DDL-MySQL-CREATE.sql | 5 +
.../main/resources/Ambari-DDL-Oracle-CREATE.sql | 10 +
.../resources/Ambari-DDL-Postgres-CREATE.sql | 5 +
.../resources/Ambari-DDL-SQLAnywhere-CREATE.sql | 10 +
.../resources/Ambari-DDL-SQLServer-CREATE.sql | 5 +
.../AbstractPrivilegeResourceProviderTest.java | 38 ----
.../AmbariPrivilegeResourceProviderTest.java | 21 +-
.../ClusterPrivilegeResourceProviderTest.java | 8 +
.../GroupPrivilegeResourceProviderTest.java | 67 +++---
.../UserPrivilegeResourceProviderTest.java | 113 ++++------
.../ViewPrivilegeResourceProviderTest.java | 5 +-
.../authorization/AuthorizationHelperTest.java | 66 ++++++
.../server/upgrade/UpgradeCatalog242Test.java | 134 +-----------
.../configuration/AutoInstanceConfigTest.java | 17 +-
44 files changed, 716 insertions(+), 857 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js
index 834efdb..bd74b16 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js
@@ -23,7 +23,7 @@ angular.module('ambariAdminConsole')
$scope.identity = angular.identity;
$scope.isConfigurationEmpty = true;
$scope.isSettingsEmpty = true;
- $scope.permissionRoles = View.permissionRoles;
+ $scope.clusterInheritedPermissionKeys = View.clusterInheritedPermissionKeys;
$scope.constants = {
instance: $t('views.instance'),
props: $t('views.properties'),
@@ -352,7 +352,7 @@ angular.module('ambariAdminConsole')
data.ViewInstanceInfo.properties[element.name] = $scope.configuration[element.name];
}
});
- $scope.removeAllRolePermissions();
+ $scope.clearClusterInheritedPermissions();
}
@@ -417,9 +417,9 @@ angular.module('ambariAdminConsole')
});
};
- $scope.removeAllRolePermissions = function() {
- angular.forEach(View.permissionRoles, function(key) {
- $scope.permissionsEdit["VIEW.USER"]["ROLE"][key] = false;
+ $scope.clearClusterInheritedPermissions = function() {
+ angular.forEach(View.clusterInheritedPermissionKeys, function(key) {
+ $scope.permissionsEdit["VIEW.USER"][key] = false;
})
};
@@ -510,9 +510,11 @@ angular.module('ambariAdminConsole')
};
function setAllViewRoles(value) {
- var viewRoles = $scope.permissionsEdit["VIEW.USER"]["ROLE"];
+ var viewRoles = $scope.permissionsEdit["VIEW.USER"];
for (var role in viewRoles) {
- $scope.permissionsEdit["VIEW.USER"]["ROLE"][role] = value;
+ if ($scope.clusterInheritedPermissionKeys.indexOf(role) !== -1) {
+ viewRoles[role] = value;
+ }
}
}
}]);
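Review bot: `setAllViewRoles` now walks every key of `permissionsEdit["VIEW.USER"]` with `for...in` and relies on the `indexOf` filter to avoid writing `value` into the other entries that object presumably carries (`PermissionInfo`, `USER`, `GROUP`, as the loader in this commit builds them). Iterating the known key list sidesteps the mixed namespace and also makes the function the mirror image of `clearClusterInheritedPermissions` above: `angular.forEach($scope.clusterInheritedPermissionKeys, function (key) { viewRoles[key] = value; });`. If `permissionsEdit["VIEW.USER"]` can be undefined before the permissions resolve, both helpers need a guard; the initialisation is outside this hunk.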
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js
index cd9b922..af22d7f 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js
@@ -234,11 +234,11 @@ angular.module('ambariAdminConsole')
'clusterPermissions': {
'label': 'Local Cluster Permissions',
- 'clusteradministrator': 'Cluster Administrator',
- 'clusteroperator': 'Cluster Operator',
- 'clusteruser': 'Cluster User',
- 'serviceadministrator': 'Service Administrator',
- 'serviceoperator': 'Service Operator',
+ 'allclusteradministrator': 'Cluster Administrator',
+ 'allclusteroperator': 'Cluster Operator',
+ 'allclusteruser': 'Cluster User',
+ 'allserviceadministrator': 'Service Administrator',
+ 'allserviceoperator': 'Service Operator',
'infoMessage': 'Grant <strong>Use</strong> permission for the following <strong>{{cluster}}</strong> Roles:',
'nonLocalClusterMessage': 'The ability to inherit view <strong>Use</strong> permission based on Cluster Roles is only available when using a Local Cluster configuration.'
},
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js
index 9cc04e4..988986b 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js
@@ -28,9 +28,8 @@ angular.module('ambariAdminConsole')
angular.forEach(permissions, function(permission) {
permission.GROUP = [];
permission.USER = [];
- permission.ROLE = {};
- angular.forEach(View.permissionRoles, function(key) {
- permission.ROLE[key] = false;
+ angular.forEach(View.clusterInheritedPermissionKeys, function(key) {
+ permission[key] = false;
});
permissionsInner[permission.PermissionInfo.permission_name] = permission;
});
@@ -38,10 +37,10 @@ angular.module('ambariAdminConsole')
// Now we can get privileges
resource.getPrivileges(params).then(function(privileges) {
angular.forEach(privileges, function(privilege) {
- if(privilege.PrivilegeInfo.principal_type == "ROLE") {
- permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type][privilege.PrivilegeInfo.principal_name] = true;
- } else {
+ if(!privilege.PrivilegeInfo.principal_type.startsWith("ALL.")) {
permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type].push(privilege.PrivilegeInfo.principal_name);
+ } else {
+ permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type] = true;
}
});
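Review bot: The non-`ALL.` branch indexes `permissionsInner[permission_name][principal_type]` and calls `.push` on it, so any privilege with an unexpected `permission_name` or `principal_type` (for example a `ROLE` principal that the reverted UpgradeCatalog242 conversion may already have written) throws a TypeError and aborts loading of the whole permissions table, hiding every other grant. `String.prototype.startsWith` is also ES2015; if the admin console still has to run in IE11, `indexOf("ALL.") === 0` is the portable form. Guarding both lookups keeps one bad row from taking the page down:
```javascript
angular.forEach(privileges, function(privilege) {
  var info = privilege.PrivilegeInfo;
  var permission = permissionsInner[info.permission_name];
  if (!permission) { return; }  // unknown permission: skip rather than throw
  if (info.principal_type.indexOf("ALL.") === 0) {
    permission[info.principal_type] = true;
  } else if (angular.isArray(permission[info.principal_type])) {
    permission[info.principal_type].push(info.principal_name);
  }
});
```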
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js
index c170235..c7b9295 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js
@@ -48,13 +48,13 @@ angular.module('ambariAdminConsole')
}
}));
- angular.forEach(View.permissionRoles, function(key) {
- if(permission.ROLE[key] === true) {
+ angular.forEach(View.clusterInheritedPermissionKeys, function(key) {
+ if(permission[key] === true) {
arr.push({
'PrivilegeInfo': {
'permission_name': 'VIEW.USER',
- 'principal_name': key,
- 'principal_type': 'ROLE'
+ 'principal_name': '*',
+ 'principal_type': key
}
});
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js
index f549b29..5bc0509 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js
@@ -191,12 +191,12 @@ angular.module('ambariAdminConsole')
self.versionsList = item.versions;
}
- View.permissionRoles = [
- "CLUSTER.ADMINISTRATOR",
- "CLUSTER.OPERATOR",
- "SERVICE.OPERATOR",
- "SERVICE.ADMINISTRATOR",
- "CLUSTER.USER"
+ View.clusterInheritedPermissionKeys = [
+ "ALL.CLUSTER.ADMINISTRATOR",
+ "ALL.CLUSTER.OPERATOR",
+ "ALL.SERVICE.OPERATOR",
+ "ALL.SERVICE.ADMINISTRATOR",
+ "ALL.CLUSTER.USER"
];
View.getInstance = function(viewName, version, instanceName) {
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html b/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html
index 418c115..69eb1c1 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html
@@ -287,10 +287,10 @@
<span translate="views.clusterPermissions.infoMessage" translate-values="{cluster: cluster.name}"></span>
</div>
<div class="col-sm-offset-2 col-sm-10">
- <div class="checkbox col-sm-12" ng-repeat="key in permissionRoles">
+ <div class="checkbox col-sm-12" ng-repeat="key in clusterInheritedPermissionKeys">
<div ng-init="i18nKey = 'views.clusterPermissions.' + key.split('.').join('').toLowerCase()">
<label>
- <input type="checkbox" ng-model="permissionsEdit['VIEW.USER']['ROLE'][key]"> {{i18nKey | translate}}
+ <input type="checkbox" ng-model="permissionsEdit['VIEW.USER'][key]"> {{i18nKey | translate}}
</label>
</div>
</div>
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js b/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js
index 6c662f2..fa36d98 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js
@@ -178,13 +178,11 @@ describe('PermissionSaver Service', function () {
'PermissionInfo': {
permission_name: 'VIEW.USER'
},
- 'ROLE': {
- 'CLUSTER.ADMINISTRATOR': true,
- 'CLUSTER.OPERATOR': false,
- 'SERVICE.OPERATOR': false,
- 'SERVICE.ADMINISTRATOR': false,
- 'CLUSTER.USER': false
- },
+ 'ALL.CLUSTER.ADMINISTRATOR': true,
+ 'ALL.CLUSTER.OPERATOR': false,
+ 'ALL.SERVICE.OPERATOR': false,
+ 'ALL.SERVICE.ADMINISTRATOR': false,
+ 'ALL.CLUSTER.USER': false,
'USER': ['u0', 'u1', 'g0'],
'GROUP': ['g0', 'g1', 'u0']
}
@@ -235,8 +233,8 @@ describe('PermissionSaver Service', function () {
{
PrivilegeInfo: {
permission_name: 'VIEW.USER',
- principal_name: 'CLUSTER.ADMINISTRATOR',
- principal_type: 'ROLE'
+ principal_name: '*',
+ principal_type: 'ALL.CLUSTER.ADMINISTRATOR'
}
}
];
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java
index 29fb7b4..b28bb2a 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java
@@ -18,9 +18,11 @@
package org.apache.ambari.server.audit.event.request;
+import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
+import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
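Review bot: `java.util.HashSet` and `java.util.Set` come back with this revert, but no line in this file's hunks uses either; unless the unchanged body of the class references them, they are dead imports and should stay out even though the revert is mechanical. The same pair reappears in ViewPrivilegeChangeRequestAuditEvent in this commit.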
@@ -45,16 +47,10 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
/**
* Roles for groups
- * group name -> list of roles
+ * groupname -> list fo roles
*/
private Map<String, List<String>> groups;
- /**
- * Roles for roles
- * role name -> list of roles
- */
- private Map<String, List<String>> roles;
-
public ClusterPrivilegeChangeRequestAuditEventBuilder() {
super.withOperation("Role change");
}
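Review bot: The restored Javadoc on `groups` reads `groupname -> list fo roles`; reverting the code does not require reverting the wording, so keep `group name -> list of roles`. It would also help to say in the builder's Javadoc that inherited-permission principals (the `ALL.*` types the admin UI submits) are not represented in either map, since this event is the audit trail for privilege changes and a reader would otherwise assume it is complete.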
@@ -76,10 +72,9 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
SortedSet<String> roleSet = new TreeSet<String>();
roleSet.addAll(users.keySet());
roleSet.addAll(groups.keySet());
- roleSet.addAll(roles.keySet());
builder.append(", Roles(");
- if (!users.isEmpty() || !groups.isEmpty()|| !roles.isEmpty()) {
+ if (!users.isEmpty() || !groups.isEmpty()) {
builder.append(System.lineSeparator());
}
@@ -93,9 +88,6 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
if (groups.get(role) != null && !groups.get(role).isEmpty()) {
lines.add(" Groups: " + StringUtils.join(groups.get(role), ", "));
}
- if (roles.get(role) != null && !roles.get(role).isEmpty()) {
- lines.add(" Roles: " + StringUtils.join(roles.get(role), ", "));
- }
}
builder.append(StringUtils.join(lines, System.lineSeparator()));
@@ -112,11 +104,6 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
this.groups = groups;
return this;
}
-
- public ClusterPrivilegeChangeRequestAuditEventBuilder withRoles(Map<String, List<String>> roles) {
- this.roles = roles;
- return this;
- }
}
protected ClusterPrivilegeChangeRequestAuditEvent() {
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java
index 73c1aa6..11c558c 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java
@@ -18,9 +18,11 @@
package org.apache.ambari.server.audit.event.request;
+import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
+import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
@@ -48,11 +50,6 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
private Map<String, List<String>> groups;
/**
- * Roles with their roles
- */
- private Map<String, List<String>> roles;
-
- /**
* View name
*/
private String name;
@@ -97,10 +94,9 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
SortedSet<String> roleSet = new TreeSet<String>();
roleSet.addAll(users.keySet());
roleSet.addAll(groups.keySet());
- roleSet.addAll(roles.keySet());
builder.append(", Permissions(");
- if (!users.isEmpty() || !groups.isEmpty() || !roles.isEmpty()) {
+ if (!users.isEmpty() || !groups.isEmpty()) {
builder.append(System.lineSeparator());
}
@@ -114,9 +110,6 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
if (groups.get(role) != null && !groups.get(role).isEmpty()) {
lines.add(" Groups: " + StringUtils.join(groups.get(role), ", "));
}
- if (roles.get(role) != null && !roles.get(role).isEmpty()) {
- lines.add(" Roles: " + StringUtils.join(roles.get(role), ", "));
- }
}
builder.append(StringUtils.join(lines, System.lineSeparator()));
@@ -148,11 +141,6 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
this.groups = groups;
return this;
}
-
- public ViewPrivilegeChangeRequestAuditEventBuilder withRoles(Map<String, List<String>> roles) {
- this.roles = roles;
- return this;
- }
}
protected ViewPrivilegeChangeRequestAuditEvent() {
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java
index a7be8e1..5c476c6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java
@@ -33,6 +33,8 @@ import org.apache.ambari.server.audit.event.request.PrivilegeChangeRequestAuditE
import org.apache.ambari.server.controller.internal.PrivilegeResourceProvider;
import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
@@ -86,7 +88,6 @@ public class PrivilegeEventCreator implements RequestAuditEventCreator {
Map<String, List<String>> users = getEntities(request, PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME);
Map<String, List<String>> groups = getEntities(request, PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME);
- Map<String, List<String>> roles = getEntities(request, PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME);
switch (request.getRequestType()) {
case PUT:
@@ -98,7 +99,6 @@ public class PrivilegeEventCreator implements RequestAuditEventCreator {
.withRemoteIp(request.getRemoteAddress())
.withUsers(users)
.withGroups(groups)
- .withRoles(roles)
.build();
case POST:
String role = users.isEmpty() ? Iterables.getFirst(groups.keySet(), null) : Iterables.getFirst(users.keySet(), null);
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
index 47983ff..56d35c0 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
@@ -32,6 +32,8 @@ import org.apache.ambari.server.audit.event.request.ViewPrivilegeChangeRequestAu
import org.apache.ambari.server.controller.internal.ViewPrivilegeResourceProvider;
import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
import com.google.common.collect.ImmutableSet;
@@ -85,7 +87,6 @@ public class ViewPrivilegeEventCreator implements RequestAuditEventCreator {
Map<String, List<String>> users = getEntities(request, PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME);
Map<String, List<String>> groups = getEntities(request, PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME);
- Map<String, List<String>> roles = getEntities(request, PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME);
return ViewPrivilegeChangeRequestAuditEvent.builder()
.withTimestamp(System.currentTimeMillis())
@@ -98,7 +99,6 @@ public class ViewPrivilegeEventCreator implements RequestAuditEventCreator {
.withName(RequestAuditEventCreatorHelper.getProperty(request, ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID))
.withUsers(users)
.withGroups(groups)
- .withRoles(roles)
.build();
}
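Review bot: The view event is now built from the `USER` and `GROUP` buckets only, so a view-instance grant to one of the `ALL.*` pseudo-principal types that PermissionsSaver emits (`principal_name: '*'`) is audited with both lists empty, and a cluster-wide VIEW.USER grant becomes invisible in the audit log. Either extend `getEntities` (outside this hunk) to collect the `ALL.*` types into a map the builder prints, or at minimum include the raw principal types on the event. The first hunk of this file also re-adds `SecurityContextHolder` and `User` imports that no visible line uses; if the rest of the class does not reference them, drop them.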
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index 68ee67f..56e2398 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -876,7 +876,7 @@ public class AmbariServer {
injector.getInstance(GroupDAO.class), injector.getInstance(PrincipalDAO.class),
injector.getInstance(PermissionDAO.class), injector.getInstance(ResourceDAO.class));
UserPrivilegeResourceProvider.init(injector.getInstance(UserDAO.class), injector.getInstance(ClusterDAO.class),
- injector.getInstance(GroupDAO.class), injector.getInstance(ViewInstanceDAO.class), injector.getInstance(Users.class));
+ injector.getInstance(GroupDAO.class), injector.getInstance(ViewInstanceDAO.class), injector.getInstance(PrivilegeDAO.class));
ClusterPrivilegeResourceProvider.init(injector.getInstance(ClusterDAO.class));
AmbariPrivilegeResourceProvider.init(injector.getInstance(ClusterDAO.class));
ActionManager.setTopologyManager(injector.getInstance(TopologyManager.class));
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
index bd17b6a..e5c95cb 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
@@ -1,4 +1,4 @@
-/*
+/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -22,7 +22,6 @@ import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.orm.dao.ClusterDAO;
import org.apache.ambari.server.orm.entities.ClusterEntity;
import org.apache.ambari.server.orm.entities.GroupEntity;
-import org.apache.ambari.server.orm.entities.PermissionEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
@@ -149,10 +148,8 @@ public class AmbariPrivilegeResourceProvider extends PrivilegeResourceProvider<O
protected Resource toResource(PrivilegeEntity privilegeEntity,
Map<Long, UserEntity> userEntities,
Map<Long, GroupEntity> groupEntities,
- Map<Long, PermissionEntity> roleEntities,
- Map<Long, Object> resourceEntities,
- Set<String> requestedIds) {
- Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
+ Map<Long, Object> resourceEntities, Set<String> requestedIds) {
+ Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
if (resource != null) {
ResourceEntity resourceEntity = privilegeEntity.getResource();
ResourceTypeEntity type = resourceEntity.getResourceType();
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
index fb7bff3..8f37764 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
@@ -147,11 +147,10 @@ public class ClusterPrivilegeResourceProvider extends PrivilegeResourceProvider<
protected Resource toResource(PrivilegeEntity privilegeEntity,
Map<Long, UserEntity> userEntities,
Map<Long, GroupEntity> groupEntities,
- Map<Long, PermissionEntity> roleEntities,
Map<Long, ClusterEntity> resourceEntities,
Set<String> requestedIds) {
- Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
+ Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
if (resource != null) {
ClusterEntity clusterEntity = resourceEntities.get(privilegeEntity.getResource().getId());
setResourceProperty(resource, PRIVILEGE_CLUSTER_NAME_PROPERTY_ID, clusterEntity.getClusterName(), requestedIds);
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java
index 4b71b47..94d1cad 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java
@@ -28,6 +28,7 @@ import org.apache.ambari.server.controller.spi.SystemException;
import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
import org.apache.ambari.server.orm.dao.ClusterDAO;
import org.apache.ambari.server.orm.dao.GroupDAO;
+import org.apache.ambari.server.orm.dao.PrivilegeDAO;
import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
import org.apache.ambari.server.orm.entities.ClusterEntity;
import org.apache.ambari.server.orm.entities.GroupEntity;
@@ -37,7 +38,6 @@ import org.apache.ambari.server.orm.entities.ViewEntity;
import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
import org.apache.ambari.server.security.authorization.*;
-import java.util.Collection;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
@@ -81,10 +81,10 @@ public class GroupPrivilegeResourceProvider extends ReadOnlyResourceProvider {
protected static ViewInstanceDAO viewInstanceDAO;
/**
- * Users (helper) object used to obtain privilege entities.
+ * Data access object used to obtain privilege entities.
*/
@Inject
- protected static Users users;
+ protected static PrivilegeDAO privilegeDAO;
/**
* The property ids for a privilege resource.
@@ -110,14 +110,14 @@ public class GroupPrivilegeResourceProvider extends ReadOnlyResourceProvider {
* @param clusterDAO the cluster data access object
* @param groupDAO the group data access object
* @param viewInstanceDAO the view instance data access object
- * @param users the users helper instance
+ * @param privilegeDAO
*/
public static void init(ClusterDAO clusterDAO, GroupDAO groupDAO,
- ViewInstanceDAO viewInstanceDAO, Users users) {
+ ViewInstanceDAO viewInstanceDAO, PrivilegeDAO privilegeDAO) {
GroupPrivilegeResourceProvider.clusterDAO = clusterDAO;
GroupPrivilegeResourceProvider.groupDAO = groupDAO;
GroupPrivilegeResourceProvider.viewInstanceDAO = viewInstanceDAO;
- GroupPrivilegeResourceProvider.users = users;
+ GroupPrivilegeResourceProvider.privilegeDAO = privilegeDAO;
}
@SuppressWarnings("serial")
@@ -180,7 +180,11 @@ public class GroupPrivilegeResourceProvider extends ReadOnlyResourceProvider {
throw new SystemException("Group " + groupName + " was not found");
}
- final Collection<PrivilegeEntity> privileges = users.getGroupPrivileges(groupEntity);
+ final Set<PrivilegeEntity> privileges = groupEntity.getPrincipal().getPrivileges();
+
+ Set<PrivilegeEntity> allViewPrivilegesWithClusterPermission =
+ ClusterInheritedPermissionHelper.getViewPrivilegesWithClusterPermission(viewInstanceDAO, privilegeDAO, privileges);
+ privileges.addAll(allViewPrivilegesWithClusterPermission);
for (PrivilegeEntity privilegeEntity : privileges) {
resources.add(toResource(privilegeEntity, groupName, requestedIds));
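Review bot: `groupEntity.getPrincipal().getPrivileges()` hands back the principal's own privilege collection and the `privileges.addAll(...)` that follows mutates it in place, so the inherited view privileges are written into the entity's collection rather than a local copy. If that collection is JPA-managed (the entity comes from `groupDAO`, whose session handling is not visible here), later reads of the same principal in this session would see the inflated set, and depending on which side of the mapping owns the relation a flush could persist inherited grants as direct ones. Copying first removes the question: `final Set<PrivilegeEntity> privileges = new HashSet<PrivilegeEntity>(groupEntity.getPrincipal().getPrivileges());`. The enclosing method continues outside the hunk.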
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
index 07b98bd..34111df 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
@@ -1,4 +1,4 @@
-/*
+/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -51,7 +51,7 @@ import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.UserEntity;
-import org.apache.commons.lang.StringUtils;
+import org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper;
/**
* Abstract resource provider for privilege resources.
@@ -195,58 +195,35 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
resourceIds.addAll(resourceEntities.keySet());
- Set<PrivilegeEntity> entitySet = new HashSet<PrivilegeEntity>();
- List<PrincipalEntity> userPrincipals = new LinkedList<PrincipalEntity>();
- List<PrincipalEntity> groupPrincipals = new LinkedList<PrincipalEntity>();
- List<PrincipalEntity> rolePrincipals = new LinkedList<PrincipalEntity>();
+ Set<PrivilegeEntity> entitySet = new HashSet<PrivilegeEntity>();
+ List<PrincipalEntity> principalList = new LinkedList<PrincipalEntity>();
List<PrivilegeEntity> entities = privilegeDAO.findAll();
for(PrivilegeEntity privilegeEntity : entities){
if (resourceIds.contains(privilegeEntity.getResource().getId())) {
PrincipalEntity principal = privilegeEntity.getPrincipal();
- String principalType = principal.getPrincipalType().getName();
-
entitySet.add(privilegeEntity);
-
- if(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME.equals(principalType)) {
- userPrincipals.add(principal);
- }
- else if(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME.equals(principalType)) {
- groupPrincipals.add(principal);
- }
- else if(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME.equals(principalType)) {
- rolePrincipals.add(principal);
- }
+ principalList.add(principal);
}
}
Map<Long, UserEntity> userEntities = new HashMap<Long, UserEntity>();
- if(!userPrincipals.isEmpty()) {
- List<UserEntity> userList = userDAO.findUsersByPrincipal(userPrincipals);
- for (UserEntity userEntity : userList) {
- userEntities.put(userEntity.getPrincipal().getId(), userEntity);
- }
+ List<UserEntity> userList = userDAO.findUsersByPrincipal(principalList);
+
+ for (UserEntity userEntity : userList) {
+ userEntities.put(userEntity.getPrincipal().getId(), userEntity);
}
Map<Long, GroupEntity> groupEntities = new HashMap<Long, GroupEntity>();
- if(!groupPrincipals.isEmpty()) {
- List<GroupEntity> groupList = groupDAO.findGroupsByPrincipal(groupPrincipals);
- for (GroupEntity groupEntity : groupList) {
- groupEntities.put(groupEntity.getPrincipal().getId(), groupEntity);
- }
- }
+ List<GroupEntity> groupList = groupDAO.findGroupsByPrincipal(principalList);
- Map<Long, PermissionEntity> roleEntities = new HashMap<Long, PermissionEntity>();
- if (!rolePrincipals.isEmpty()){
- List<PermissionEntity> roleList = permissionDAO.findPermissionsByPrincipal(rolePrincipals);
- for (PermissionEntity roleEntity : roleList) {
- roleEntities.put(roleEntity.getPrincipal().getId(), roleEntity);
- }
+ for (GroupEntity groupEntity : groupList) {
+ groupEntities.put(groupEntity.getPrincipal().getId(), groupEntity);
}
for(PrivilegeEntity privilegeEntity : entitySet){
- Resource resource = toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
+ Resource resource = toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
if (resource != null && (predicate == null || predicate.evaluate(resource))) {
resources.add(resource);
}
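Review bot: `userDAO.findUsersByPrincipal(principalList)` and `groupDAO.findGroupsByPrincipal(principalList)` are now issued even when `principalList` is empty, whereas the removed side skipped each query for an empty list; the DAO bodies are not visible here, but a JPA `IN :list` with an empty collection is rejected by some providers and databases. Wrapping each lookup in `if (!principalList.isEmpty()) { ... }` keeps the old-side behaviour at no cost. Note also that privileges whose principal is one of the `ALL.CLUSTER.*` / `ALL.SERVICE.*` types land in neither `userEntities` nor `groupEntities`, so downstream code must tolerate a principal id that is absent from both maps.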
@@ -304,7 +281,6 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
* @param privilegeEntity the privilege entity to be converted
* @param userEntities the map of user entities keyed by resource id
* @param groupEntities the map of group entities keyed by resource id
- * @param roleEntities the map of role entities keyed by resource id
* @param resourceEntities the map of resource entities keyed by resource id
* @param requestedIds the requested property ids
*
@@ -313,48 +289,29 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
protected Resource toResource(PrivilegeEntity privilegeEntity,
Map<Long, UserEntity> userEntities,
Map<Long, GroupEntity> groupEntities,
- Map<Long, PermissionEntity> roleEntities,
Map<Long, T> resourceEntities,
Set<String> requestedIds) {
Resource resource = new ResourceImpl(resourceType);
- PrincipalEntity principal = privilegeEntity.getPrincipal();
- String principalTypeName = null;
- String resourcePropertyName = null;
-
- if(principal != null) {
- PrincipalTypeEntity principalType = principal.getPrincipalType();
-
- if (principalType != null) {
- Long principalId = principal.getId();
-
- principalTypeName = principalType.getName();
-
- if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME, principalTypeName)) {
- GroupEntity groupEntity = groupEntities.get(principalId);
- if (groupEntity != null) {
- resourcePropertyName = groupEntity.getGroupName();
- }
- } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME, principalTypeName)) {
- PermissionEntity roleEntity = roleEntities.get(principalId);
- if (roleEntity != null) {
- resourcePropertyName = roleEntity.getPermissionName();
- }
- } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME, principalTypeName)) {
- UserEntity userEntity = userEntities.get(principalId);
- if (userEntity != null) {
- resourcePropertyName = userEntity.getUserName();
- }
- }
- }
+ setResourceProperty(resource, PRIVILEGE_ID_PROPERTY_ID,
+ privilegeEntity.getId(), requestedIds);
+ setResourceProperty(resource, PERMISSION_NAME_PROPERTY_ID,
+ privilegeEntity.getPermission().getPermissionName(), requestedIds);
+ setResourceProperty(resource, PERMISSION_LABEL_PROPERTY_ID,
+ privilegeEntity.getPermission().getPermissionLabel(), requestedIds);
+
+ PrincipalEntity principal = privilegeEntity.getPrincipal();
+ Long principalId = principal.getId();
+
+ if (userEntities.containsKey(principalId)) {
+ UserEntity userEntity = userEntities.get(principalId);
+ setResourceProperty(resource, PRINCIPAL_NAME_PROPERTY_ID, userEntity.getUserName(), requestedIds);
+ } else if (groupEntities.containsKey(principalId)){
+ GroupEntity groupEntity = groupEntities.get(principalId);
+ setResourceProperty(resource, PRINCIPAL_NAME_PROPERTY_ID, groupEntity.getGroupName(), requestedIds);
}
- setResourceProperty(resource, PRIVILEGE_ID_PROPERTY_ID, privilegeEntity.getId(), requestedIds);
- setResourceProperty(resource, PERMISSION_NAME_PROPERTY_ID, privilegeEntity.getPermission().getPermissionName(), requestedIds);
- setResourceProperty(resource, PERMISSION_LABEL_PROPERTY_ID, privilegeEntity.getPermission().getPermissionLabel(), requestedIds);
- setResourceProperty(resource, PRINCIPAL_NAME_PROPERTY_ID, resourcePropertyName, requestedIds);
- setResourceProperty(resource, PRINCIPAL_TYPE_PROPERTY_ID, principalTypeName, requestedIds);
-
+ setResourceProperty(resource, PRINCIPAL_TYPE_PROPERTY_ID, principal.getPrincipalType().getName(), requestedIds);
return resource;
}
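Review bot: In the restored `toResource`, a privilege whose principal is one of the cluster-inherited types falls through both `containsKey` branches and never gets `PRINCIPAL_NAME_PROPERTY_ID` set, so the API reports the principal type for such a grant but no principal name; the removed side resolved that name through `roleEntities`. A final `else` such as `setResourceProperty(resource, PRINCIPAL_NAME_PROPERTY_ID, principal.getPrincipalType().getName(), requestedIds);` would keep the field populated — how the UI consumes `principal_name` for these types is not visible here, so confirm before relying on it. Separately, `principal.getId()` and `principal.getPrincipalType().getName()` are dereferenced without the null checks the removed side carried; whether a privilege row can exist without a principal depends on the mapping, so a short guard may be worth keeping.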
@@ -382,21 +339,18 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
String principalName = (String) properties.get(PRINCIPAL_NAME_PROPERTY_ID);
String principalType = (String) properties.get(PRINCIPAL_TYPE_PROPERTY_ID);
- if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME, principalType)) {
+ if (PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)) {
GroupEntity groupEntity = groupDAO.findGroupByName(principalName);
if (groupEntity != null) {
entity.setPrincipal(principalDAO.findById(groupEntity.getPrincipal().getId()));
}
- } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME, principalType)) {
- PermissionEntity permissionEntity = permissionDAO.findByName(principalName);
- if (permissionEntity != null) {
- entity.setPrincipal(principalDAO.findById(permissionEntity.getPrincipal().getId()));
- }
- } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME, principalType)) {
+ } else if (PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)) {
UserEntity userEntity = userDAO.findUserByName(principalName);
if (userEntity != null) {
entity.setPrincipal(principalDAO.findById(userEntity.getPrincipal().getId()));
}
+ } else if (ClusterInheritedPermissionHelper.isValidPrincipalType(principalType)) {
+ entity.setPrincipal(principalDAO.findByPrincipalType(principalType).get(0)); // There will be only one principal for that type
} else {
throw new AmbariException("Unknown principal type " + principalType);
}
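Review bot: `principalDAO.findByPrincipalType(principalType).get(0)` throws `IndexOutOfBoundsException` when no principal row exists for that type — for instance on a database where the `ALL.*` principals were never seeded — and that surfaces as an opaque server error instead of the `AmbariException` the neighbouring branches raise. Suggest `List<PrincipalEntity> principals = principalDAO.findByPrincipalType(principalType);`, then `if (principals.isEmpty()) { throw new AmbariException("No principal found for type " + principalType); }`, then `entity.setPrincipal(principals.get(0));`. Since a privilege granted to such a principal applies to every user holding that cluster or service role, this branch is higher-impact than the user/group ones; the authorization gate protecting the caller lives outside this hunk and is not visible here. The comparison inside `ClusterInheritedPermissionHelper.isValidPrincipalType` is also not visible, so whether it matches the case-insensitive handling of the USER/GROUP branches should be checked.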
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
index 009c38b..bdd73a6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
@@ -1,4 +1,4 @@
-/*
+/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -17,6 +17,8 @@
*/
package org.apache.ambari.server.controller.internal;
+import com.google.common.base.Function;
+import com.google.common.collect.FluentIterable;
import org.apache.ambari.server.controller.spi.NoSuchParentResourceException;
import org.apache.ambari.server.controller.spi.NoSuchResourceException;
import org.apache.ambari.server.controller.spi.Predicate;
@@ -26,23 +28,26 @@ import org.apache.ambari.server.controller.spi.SystemException;
import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
import org.apache.ambari.server.orm.dao.ClusterDAO;
import org.apache.ambari.server.orm.dao.GroupDAO;
+import org.apache.ambari.server.orm.dao.PrivilegeDAO;
import org.apache.ambari.server.orm.dao.UserDAO;
import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
import org.apache.ambari.server.orm.entities.ClusterEntity;
import org.apache.ambari.server.orm.entities.GroupEntity;
+import org.apache.ambari.server.orm.entities.MemberEntity;
import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
+import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.UserEntity;
import org.apache.ambari.server.orm.entities.ViewEntity;
import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper;
import org.apache.ambari.server.security.authorization.ResourceType;
import org.apache.ambari.server.security.authorization.RoleAuthorization;
import org.apache.ambari.server.security.authorization.UserType;
-import org.apache.ambari.server.security.authorization.Users;
-import java.util.Collection;
+import javax.annotation.Nullable;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
@@ -54,17 +59,17 @@ import java.util.Set;
*/
public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
- protected static final String PRIVILEGE_PRIVILEGE_ID_PROPERTY_ID = PrivilegeResourceProvider.PRIVILEGE_ID_PROPERTY_ID;
+ protected static final String PRIVILEGE_PRIVILEGE_ID_PROPERTY_ID = PrivilegeResourceProvider.PRIVILEGE_ID_PROPERTY_ID;
protected static final String PRIVILEGE_PERMISSION_NAME_PROPERTY_ID = PrivilegeResourceProvider.PERMISSION_NAME_PROPERTY_ID;
protected static final String PRIVILEGE_PERMISSION_LABEL_PROPERTY_ID = PrivilegeResourceProvider.PERMISSION_LABEL_PROPERTY_ID;
- protected static final String PRIVILEGE_PRINCIPAL_NAME_PROPERTY_ID = PrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID;
- protected static final String PRIVILEGE_PRINCIPAL_TYPE_PROPERTY_ID = PrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID;
- protected static final String PRIVILEGE_VIEW_NAME_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_NAME_PROPERTY_ID;
- protected static final String PRIVILEGE_VIEW_VERSION_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_VERSION_PROPERTY_ID;
- protected static final String PRIVILEGE_INSTANCE_NAME_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID;
- protected static final String PRIVILEGE_CLUSTER_NAME_PROPERTY_ID = ClusterPrivilegeResourceProvider.PRIVILEGE_CLUSTER_NAME_PROPERTY_ID;
- protected static final String PRIVILEGE_TYPE_PROPERTY_ID = AmbariPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID;
- protected static final String PRIVILEGE_USER_NAME_PROPERTY_ID = "PrivilegeInfo/user_name";
+ protected static final String PRIVILEGE_PRINCIPAL_NAME_PROPERTY_ID = PrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID;
+ protected static final String PRIVILEGE_PRINCIPAL_TYPE_PROPERTY_ID = PrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID;
+ protected static final String PRIVILEGE_VIEW_NAME_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_NAME_PROPERTY_ID;
+ protected static final String PRIVILEGE_VIEW_VERSION_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_VERSION_PROPERTY_ID;
+ protected static final String PRIVILEGE_INSTANCE_NAME_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID;
+ protected static final String PRIVILEGE_CLUSTER_NAME_PROPERTY_ID = ClusterPrivilegeResourceProvider.PRIVILEGE_CLUSTER_NAME_PROPERTY_ID;
+ protected static final String PRIVILEGE_TYPE_PROPERTY_ID = AmbariPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID;
+ protected static final String PRIVILEGE_USER_NAME_PROPERTY_ID = "PrivilegeInfo/user_name";
/**
* Data access object used to obtain user entities.
@@ -87,9 +92,9 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
protected static ViewInstanceDAO viewInstanceDAO;
/**
- * Helper to obtain privilege data for requested users
+ * DAO used to obtain privilege entities.
*/
- private static Users users;
+ protected static PrivilegeDAO privilegeDAO;
/**
* The property ids for a privilege resource.
@@ -115,15 +120,15 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
* @param clusterDAO the cluster data access object
* @param groupDAO the group data access object
* @param viewInstanceDAO the view instance data access object
- * @param users the Users helper object
+ * @param privilegeDAO
*/
public static void init(UserDAO userDAO, ClusterDAO clusterDAO, GroupDAO groupDAO,
- ViewInstanceDAO viewInstanceDAO, Users users) {
+ ViewInstanceDAO viewInstanceDAO, PrivilegeDAO privilegeDAO) {
UserPrivilegeResourceProvider.userDAO = userDAO;
UserPrivilegeResourceProvider.clusterDAO = clusterDAO;
UserPrivilegeResourceProvider.groupDAO = groupDAO;
UserPrivilegeResourceProvider.viewInstanceDAO = viewInstanceDAO;
- UserPrivilegeResourceProvider.users = users;
+ UserPrivilegeResourceProvider.privilegeDAO = privilegeDAO;
}
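Review bot: The restored Javadoc for `init` leaves `@param privilegeDAO` with no description while `userDAO`, `clusterDAO`, `groupDAO` and `viewInstanceDAO` are each documented. Suggest `* @param privilegeDAO the privilege data access object` so the tag matches its neighbours.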
@SuppressWarnings("serial")
@@ -194,7 +199,15 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
throw new SystemException("User " + userName + " was not found");
}
- final Collection<PrivilegeEntity> privileges = users.getUserPrivileges(userEntity);
+ final Set<PrivilegeEntity> privileges = userEntity.getPrincipal().getPrivileges();
+
+ for (MemberEntity membership : userEntity.getMemberEntities()) {
+ privileges.addAll(membership.getGroup().getPrincipal().getPrivileges());
+ }
+
+ Set<PrivilegeEntity> allViewPrivilegesWithClusterPermission =
+ ClusterInheritedPermissionHelper.getViewPrivilegesWithClusterPermission(viewInstanceDAO, privilegeDAO, privileges);
+ privileges.addAll(allViewPrivilegesWithClusterPermission);
for (PrivilegeEntity privilegeEntity : privileges) {
resources.add(toResource(privilegeEntity, userName, requestedIds));
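Review bot: `userEntity.getPrincipal().getPrivileges()` is mutated in place by both `addAll` calls, so every group's privileges and the inherited view privileges are merged into the user principal's own privilege collection rather than a local one. If that collection is JPA-managed (`userDAO` is not visible here), a later read of the same principal in this session sees group grants as direct user grants, and should the mapping's owning side sit on `PrincipalEntity` a flush would persist them — an escalation path that is cheap to rule out. Copy before merging: `final Set<PrivilegeEntity> privileges = new HashSet<PrivilegeEntity>(userEntity.getPrincipal().getPrivileges());`. The enclosing method continues outside the hunk.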
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
index 7182f4c..e5bd224 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
@@ -1,4 +1,4 @@
-/*
+/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -191,10 +191,8 @@ public class ViewPrivilegeResourceProvider extends PrivilegeResourceProvider<Vie
protected Resource toResource(PrivilegeEntity privilegeEntity,
Map<Long, UserEntity> userEntities,
Map<Long, GroupEntity> groupEntities,
- Map<Long, PermissionEntity> roleEntities,
- Map<Long, ViewInstanceEntity> resourceEntities,
- Set<String> requestedIds) {
- Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
+ Map<Long, ViewInstanceEntity> resourceEntities, Set<String> requestedIds) {
+ Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
if (resource != null) {
ViewInstanceEntity viewInstanceEntity = resourceEntities.get(privilegeEntity.getResource().getId());
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java
index c844ab6..88d9775 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java
@@ -1,4 +1,4 @@
-/*
+/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -18,7 +18,6 @@
package org.apache.ambari.server.orm.dao;
-import java.util.Collections;
import java.util.List;
import javax.persistence.EntityManager;
@@ -26,7 +25,6 @@ import javax.persistence.TypedQuery;
import org.apache.ambari.server.orm.RequiresSession;
import org.apache.ambari.server.orm.entities.PermissionEntity;
-import org.apache.ambari.server.orm.entities.PrincipalEntity;
import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import com.google.inject.Inject;
@@ -82,37 +80,6 @@ public class PermissionDAO {
}
/**
- * Find a permission entity with the given name.
- *
- * @param name permission name
- *
- * @return a matching permission entity or null
- */
- @RequiresSession
- public PermissionEntity findByName(String name) {
- TypedQuery<PermissionEntity> query = entityManagerProvider.get().createNamedQuery("PermissionEntity.findByName", PermissionEntity.class);
- query.setParameter("permissionName", name);
- return daoUtils.selectSingle(query);
- }
-
- /**
- * Find the permission entities for the given list of principals
- *
- * @param principalList the list of principal entities
- *
- * @return the list of permissions (or roles) matching the query
- */
- @RequiresSession
- public List<PermissionEntity> findPermissionsByPrincipal(List<PrincipalEntity> principalList) {
- if (principalList == null || principalList.isEmpty()) {
- return Collections.emptyList();
- }
- TypedQuery<PermissionEntity> query = entityManagerProvider.get().createNamedQuery("PermissionEntity.findByPrincipals", PermissionEntity.class);
- query.setParameter("principalList", principalList);
- return daoUtils.selectList(query);
- }
-
- /**
* Find all permission entities.
*
* @return all entities or an empty List
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java
index 45a1658..efbdfab 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java
@@ -1,4 +1,4 @@
-/*
+/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -121,15 +121,4 @@ public class PrincipalDAO {
public PrincipalEntity merge(PrincipalEntity entity) {
return entityManagerProvider.get().merge(entity);
}
-
- /**
- * Remove the entity instance.
- *
- * @param entity entity to remove
- */
- @Transactional
- public void remove(PrincipalEntity entity) {
- entityManagerProvider.get().remove(entity);
- }
-
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java
index 17628c6..7823d56 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java
@@ -1,4 +1,4 @@
-/*
+/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -60,20 +60,6 @@ public class PrincipalTypeDAO {
}
/**
- * Find a principal type entity with the given name.
- *
- * @param name principal type name
- *
- * @return a matching principal type entity or null
- */
- @RequiresSession
- public PrincipalTypeEntity findByName(String name) {
- TypedQuery<PrincipalTypeEntity> query = entityManagerProvider.get().createNamedQuery("PrincipalTypeEntity.findByName", PrincipalTypeEntity.class);
- query.setParameter("name", name);
- return daoUtils.selectSingle(query);
- }
-
- /**
* Find all principal types.
*
* @return all principal types or an empty List
@@ -100,16 +86,6 @@ public class PrincipalTypeDAO {
}
/**
- * Remove the entity instance.
- *
- * @param entity entity to remove
- */
- @Transactional
- public void remove(PrincipalTypeEntity entity) {
- entityManagerProvider.get().remove(entity);
- }
-
- /**
* Creates and returns principal type if it wasn't persisted yet.
*
* @param principalType id of principal type
@@ -128,9 +104,6 @@ public class PrincipalTypeDAO {
case PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE:
principalTypeEntity.setName(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME);
break;
- case PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE:
- principalTypeEntity.setName(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME);
- break;
default:
throw new IllegalArgumentException("Unknown principal type ID=" + principalType);
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
index b6f1557..f091bab 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
@@ -29,8 +29,6 @@ import javax.persistence.JoinColumns;
import javax.persistence.JoinTable;
import javax.persistence.ManyToMany;
import javax.persistence.ManyToOne;
-import javax.persistence.NamedQueries;
-import javax.persistence.NamedQuery;
import javax.persistence.OneToOne;
import javax.persistence.Table;
import javax.persistence.TableGenerator;
@@ -46,10 +44,6 @@ import java.util.Collection;
, pkColumnValue = "permission_id_seq"
, initialValue = 100
)
-@NamedQueries({
- @NamedQuery(name = "PermissionEntity.findByName", query = "SELECT p FROM PermissionEntity p WHERE p.permissionName = :permissionName"),
- @NamedQuery(name = "PermissionEntity.findByPrincipals", query = "SELECT p FROM PermissionEntity p WHERE p.principal IN :principalList")
-})
public class PermissionEntity {
/**
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java
index 31e11e6..716d4f7 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java
@@ -1,4 +1,4 @@
-/*
+/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -30,9 +30,6 @@ import javax.persistence.*;
, pkColumnValue = "principal_type_id_seq"
, initialValue = 100
)
-@NamedQueries({
- @NamedQuery(name = "PrincipalTypeEntity.findByName", query = "SELECT p FROM PrincipalTypeEntity p WHERE p.name = :name")
-})
public class PrincipalTypeEntity {
/**
@@ -40,11 +37,19 @@ public class PrincipalTypeEntity {
*/
public static final int USER_PRINCIPAL_TYPE = 1;
public static final int GROUP_PRINCIPAL_TYPE = 2;
- public static final int ROLE_PRINCIPAL_TYPE = 8;
+ public static final int CLUSTER_ADMINISTRATOR_PRINCIPAL_TYPE = 3;
+ public static final int CLUSTER_OPERATOR_PRINCIPAL_TYPE = 4;
+ public static final int CLUSTER_USER_PRINCIPAL_TYPE = 5;
+ public static final int SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE = 6;
+ public static final int SERVICE_OPERATOR_PRINCIPAL_TYPE = 7;
public static final String USER_PRINCIPAL_TYPE_NAME = "USER";
public static final String GROUP_PRINCIPAL_TYPE_NAME = "GROUP";
- public static final String ROLE_PRINCIPAL_TYPE_NAME = "ROLE";
+ public static final String CLUSTER_ADMINISTRATOR_PRINCIPAL_TYPE_NAME = "ALL.CLUSTER.ADMINISTRATOR";
+ public static final String CLUSTER_OPERATOR_PRINCIPAL_TYPE_NAME = "ALL.CLUSTER.OPERATOR";
+ public static final String CLUSTER_USER_PRINCIPAL_TYPE_NAME = "ALL.CLUSTER.USER";
+ public static final String SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE_NAME = "ALL.SERVICE.ADMINISTRATOR";
+ public static final String SERVICE_OPERATOR_PRINCIPAL_TYPE_NAME = "ALL.SERVICE.OPERATOR";
/**
* The type id.
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
index e875e8a..8639a2f 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
@@ -17,6 +17,9 @@
*/
package org.apache.ambari.server.security.authorization;
+import com.google.common.base.Function;
+import com.google.common.base.Predicate;
+import com.google.common.collect.FluentIterable;
import com.google.common.collect.Lists;
import com.google.inject.Inject;
import com.google.inject.Provider;
@@ -27,6 +30,7 @@ import org.apache.ambari.server.orm.entities.PermissionEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity;
+import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
@@ -43,10 +47,10 @@ import java.util.HashSet;
import java.util.List;
import java.util.Set;
+@Singleton
/**
* Provides utility methods for authentication functionality
*/
-@Singleton
public class AuthorizationHelper {
private final static Logger LOG = LoggerFactory.getLogger(AuthorizationHelper.class);
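Review bot: Placing `@Singleton` above the class Javadoc detaches the comment from the declaration it documents; the Javadoc convention (and Checkstyle's JavadocType check) expects the doc comment first, then annotations, then `public class`. Suggest restoring `@Singleton` on the line directly before `public class AuthorizationHelper`, after the closing `*/`, as the removed side had it.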
@@ -226,8 +230,56 @@ public class AuthorizationHelper {
}
}
- return false;
+ // Check if the resourceId is a view.
+ // Get all privileges for the resourceId and the principal associated for them should be of all cluster/service
+ // type.
+ // Now from the authorities check if the user privileges with CLUSTER/SERVICE type permission and has access to
+ // cluster resource with the permission.
+ // Then if the permission type matches the cluster/service type principal(names) then the user should have access
+ // to those views.
+
+ if(resourceId == null) {
+ return false;
+ }
+
+ ViewInstanceDAO viewInstanceDAO = viewInstanceDAOProvider.get();
+
+ ViewInstanceEntity instanceEntity = viewInstanceDAO.findByResourceId(resourceId);
+ if(instanceEntity == null || instanceEntity.getClusterHandle() == null) {
+ return false;
+ }
+
+ PrivilegeDAO privilegeDAO = privilegeDAOProvider.get();
+
+ final Set<String> privilegeNames = FluentIterable.from(privilegeDAO.findByResourceId(resourceId))
+ .filter(ClusterInheritedPermissionHelper.privilegeWithClusterInheritedPermissionTypePredicate)
+ .transform(ClusterInheritedPermissionHelper.permissionNameFromClusterInheritedPrivilege)
+ .toSet();
+
+ return FluentIterable.from(authentication.getAuthorities())
+ .filter(new Predicate<GrantedAuthority>() {
+ @Override
+ public boolean apply(GrantedAuthority grantedAuthority) {
+ AmbariGrantedAuthority authority = (AmbariGrantedAuthority) grantedAuthority;
+ PrivilegeEntity privilege = authority.getPrivilegeEntity();
+ String resourceTypeName = privilege.getResource().getResourceType().getName();
+ return ResourceType.translate(resourceTypeName) == ResourceType.CLUSTER;
+ }
+ }).transform(new Function<GrantedAuthority, PermissionEntity>() {
+ @Override
+ public PermissionEntity apply(GrantedAuthority grantedAuthority) {
+ AmbariGrantedAuthority authority = (AmbariGrantedAuthority) grantedAuthority;
+ PrivilegeEntity privilege = authority.getPrivilegeEntity();
+ return privilege.getPermission();
+ }
+ }).anyMatch(new Predicate<PermissionEntity>() {
+ @Override
+ public boolean apply(PermissionEntity input) {
+ return privilegeNames.contains(input.getPermissionName());
+ }
+ });
}
+
}
/**
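Review bot: The new inherited-access path accepts any CLUSTER-typed privilege the user holds, while the view's cluster handle is only null-checked (`instanceEntity.getClusterHandle() == null`) and never compared with the cluster the user's privilege is scoped to, so unless that comparison happens elsewhere a CLUSTER.USER on one cluster satisfies an ALL.CLUSTER.USER grant on a view attached to a different cluster. The first Predicate in the anyMatch chain should additionally require that `privilege.getResource()` is the resource of the cluster the view instance is attached to (resolve the cluster handle to its ResourceEntity and compare ids) before the permission-name match is applied. The same gap appears in `getViewPrivilegesWithClusterPermission` in the new ClusterInheritedPermissionHelper, whose `clusterPrivileges` set is likewise built from every cluster privilege of the user, and the role-principal lookup in `Users.getUserAuthorities` has the same shape if permission principals are shared across clusters. That first Predicate also duplicates `ClusterInheritedPermissionHelper.clusterPrivilegesPredicate` line for line and could simply reuse it. The enclosing method starts outside this hunk, so whether `grantedAuthority` is guaranteed to be an AmbariGrantedAuthority before the cast cannot be confirmed here.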
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java
new file mode 100644
index 0000000..9922bb2
--- /dev/null
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java
@@ -0,0 +1,213 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ambari.server.security.authorization;
+
+import com.google.common.base.Function;
+import com.google.common.base.Predicate;
+import com.google.common.collect.FluentIterable;
+import org.apache.ambari.server.orm.dao.PrivilegeDAO;
+import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
+import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
+import org.apache.ambari.server.orm.entities.PrivilegeEntity;
+import org.apache.ambari.server.orm.entities.ResourceEntity;
+import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
+
+import javax.annotation.Nullable;
+import java.util.Collection;
+import java.util.Set;
+
+
+/**
+ * Helper class to take care of the cluster inherited permission for any view.
+ */
+public class ClusterInheritedPermissionHelper {
+
+ /**
+ * Predicate which validates if the principalType passed is valid or not.
+ */
+ public static final Predicate<String> validPrincipalTypePredicate = new Predicate<String>() {
+ @Override
+ public boolean apply(String principalType) {
+ return isValidPrincipalType(principalType);
+ }
+ };
+
+ /**
+ * Predicate which validates if the privilegeEntity has resourceEntity of type {@see ResourceType.CLUSTER}
+ */
+ public static final Predicate<PrivilegeEntity> clusterPrivilegesPredicate = new Predicate<PrivilegeEntity>() {
+ @Override
+ public boolean apply(PrivilegeEntity privilegeEntity) {
+ String resourceTypeName = privilegeEntity.getResource().getResourceType().getName();
+ return ResourceType.translate(resourceTypeName) == ResourceType.CLUSTER;
+ }
+ };
+
+ /**
+ * Predicate which validates if view instance entity is cluster associated
+ */
+ public static final Predicate<ViewInstanceEntity> clusterAssociatedViewInstancePredicate = new Predicate<ViewInstanceEntity>() {
+ @Override
+ public boolean apply(ViewInstanceEntity viewInstanceEntity) {
+ return viewInstanceEntity.getClusterHandle() != null;
+ }
+ };
+
+ /**
+ * Predicate to validate if the privilege entity has a principal which has a cluster inherited principal type
+ */
+ public static final Predicate<PrivilegeEntity> privilegeWithClusterInheritedPermissionTypePredicate = new Predicate<PrivilegeEntity>() {
+ @Override
+ public boolean apply(PrivilegeEntity privilegeEntity) {
+ String principalTypeName = privilegeEntity.getPrincipal().getPrincipalType().getName();
+ return principalTypeName.startsWith("ALL.");
+ }
+ };
+
+ /**
+ * Mapper to return the Permission Name from the cluster inherited privilege name. Example: "ALL.CLUSTER.USER" becomes "CLUSTER.USER"
+ */
+ public static final Function<PrivilegeEntity, String> permissionNameFromClusterInheritedPrivilege = new Function<PrivilegeEntity, String>() {
+ @Override
+ public String apply(PrivilegeEntity input) {
+ return input.getPrincipal().getPrincipalType().getName().substring(4);
+ }
+ };
+
+ /**
+ * Mapper to return resources from view instance entity.
+ */
+ public static final Function<ViewInstanceEntity, ResourceEntity> resourceFromViewInstanceMapper = new Function<ViewInstanceEntity, ResourceEntity>() {
+ @Override
+ public ResourceEntity apply(ViewInstanceEntity viewInstanceEntity) {
+ return viewInstanceEntity.getResource();
+ }
+ };
+
+ /**
+ * Mapper to return all privileges from resource entity
+ */
+ public static final Function<ResourceEntity, Iterable<PrivilegeEntity>> allPrivilegesFromResoucesMapper = new Function<ResourceEntity, Iterable<PrivilegeEntity>>() {
+ @Override
+ public Iterable<PrivilegeEntity> apply(ResourceEntity resourceEntity) {
+ return resourceEntity.getPrivileges();
+ }
+ };
+
+ /**
+ * Mapper to return permission name from privilege
+ */
+ public static final Function<PrivilegeEntity, String> permissionNameFromPrivilegeMapper = new Function<PrivilegeEntity, String>() {
+ @Override
+ public String apply(PrivilegeEntity privilegeEntity) {
+ return privilegeEntity.getPermission().getPermissionName();
+ }
+ };
+
+ /**
+ * Predicate to validate if the cluster inherited principal type for privilege entity is present in the valid permission type set passed
+ * @param validSet - valid set of permission types
+ * @return Predicate to check the condition
+ */
+ public static final Predicate<PrivilegeEntity> principalTypeInSetFrom(final Collection<String> validSet) {
+ return new Predicate<PrivilegeEntity>() {
+ @Override
+ public boolean apply(PrivilegeEntity privilegeEntity) {
+ String permissionName = privilegeEntity.getPrincipal().getPrincipalType().getName().substring(4);
+ return validSet.contains(permissionName);
+ }
+ };
+ }
+
+ /**
+ * Predicate to filter out privileges which are already existing in the passed privileges set.
+ * @param existingPrivileges - Privileges set to which the comparison will be made
+ * @return Predicate to check the validation
+ */
+ public static Predicate<PrivilegeEntity> removeIfExistingPrivilegePredicate(final Set<PrivilegeEntity> existingPrivileges) {
+ return new Predicate<PrivilegeEntity>() {
+ @Override
+ public boolean apply(final PrivilegeEntity privilegeEntity) {
+ return !FluentIterable.from(existingPrivileges).anyMatch(new com.google.common.base.Predicate<PrivilegeEntity>() {
+ @Override
+ public boolean apply(PrivilegeEntity directPrivilegeEntity) {
+ return directPrivilegeEntity.getResource().getId().equals(privilegeEntity.getResource().getId())
+ && directPrivilegeEntity.getPermission().getId().equals(privilegeEntity.getPermission().getId());
+ }
+ });
+ }
+ };
+ }
+
+ /**
+ * Validates if the principal type is valid for cluster inherited permissions.
+ * @param principalType - Principal type
+ * @return true if the principalType is in ("ALL.CLUSTER.ADMINISTRATOR", "ALL.CLUSTER.OPERATOR",
+ * "ALL.CLUSTER.USER", "ALL.SERVICE.OPERATOR", "ALL.SERVICE.USER")
+ */
+ public static boolean isValidPrincipalType(String principalType) {
+ return PrincipalTypeEntity.CLUSTER_ADMINISTRATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
+ || PrincipalTypeEntity.CLUSTER_OPERATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
+ || PrincipalTypeEntity.CLUSTER_USER_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
+ || PrincipalTypeEntity.SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
+ || PrincipalTypeEntity.SERVICE_OPERATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType);
+ }
+
+ /**
+ * Returns the view privileges for which cluster permissions has been specified. This filters out all the privileges
+ * which are related to view resources attached to a cluster and are configured to have cluster level permissions. Then
+ * It checks if the user has cluster level permissions and further filters down the privilege list to the ones for which
+ * the user should have privilege.
+ * @param userDirectPrivileges - direct privileges for the user.
+ * @return - Filtered list of privileges for view resource for which the user should have access.
+ */
+ public static Set<PrivilegeEntity> getViewPrivilegesWithClusterPermission(final ViewInstanceDAO viewInstanceDAO, final PrivilegeDAO privilegeDAO,
+ final Set<PrivilegeEntity> userDirectPrivileges) {
+
+ final Set<String> clusterPrivileges = FluentIterable.from(userDirectPrivileges)
+ .filter(ClusterInheritedPermissionHelper.clusterPrivilegesPredicate)
+ .transform(ClusterInheritedPermissionHelper.permissionNameFromPrivilegeMapper)
+ .toSet();
+
+ Set<Long> resourceIds = FluentIterable.from(viewInstanceDAO.findAll())
+ .filter(ClusterInheritedPermissionHelper.clusterAssociatedViewInstancePredicate)
+ .transform(ClusterInheritedPermissionHelper.resourceFromViewInstanceMapper)
+ .transform(new Function<ResourceEntity, Long>() {
+ @Nullable
+ @Override
+ public Long apply(@Nullable ResourceEntity input) {
+ return input.getId();
+ }
+ }).toSet();
+
+ Set<PrivilegeEntity> allPrivileges = FluentIterable.from(resourceIds)
+ .transformAndConcat(new Function<Long, Iterable<PrivilegeEntity>>() {
+ @Nullable
+ @Override
+ public Iterable<PrivilegeEntity> apply(@Nullable Long input) {
+ return privilegeDAO.findByResourceId(input);
+ }
+ }).toSet();
+
+ return FluentIterable.from(allPrivileges)
+ .filter(ClusterInheritedPermissionHelper.privilegeWithClusterInheritedPermissionTypePredicate)
+ .filter(ClusterInheritedPermissionHelper.principalTypeInSetFrom(clusterPrivileges))
+ .filter(ClusterInheritedPermissionHelper.removeIfExistingPrivilegePredicate(userDirectPrivileges))
+ .toSet();
+ }
+}
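Review bot: The Javadoc of `isValidPrincipalType` lists "ALL.SERVICE.USER" as accepted, but the method checks SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE_NAME and SERVICE_OPERATOR_PRINCIPAL_TYPE_NAME, so the tag should read `@return true if principalType is one of ALL.CLUSTER.ADMINISTRATOR, ALL.CLUSTER.OPERATOR, ALL.CLUSTER.USER, ALL.SERVICE.ADMINISTRATOR or ALL.SERVICE.OPERATOR`. Matching is also inconsistent across the class: `isValidPrincipalType` uses equalsIgnoreCase, `privilegeWithClusterInheritedPermissionTypePredicate` uses a case-sensitive `startsWith("ALL.")`, and `permissionNameFromClusterInheritedPrivilege` and `principalTypeInSetFrom` strip the prefix with `substring(4)` without checking it is present, which throws on shorter names and returns an arbitrary suffix for other principal types when these public members are used without the startsWith filter first. A single private helper that verifies the prefix and returns the remainder, used by both predicates and the mapper, would keep the three in agreement. The Javadoc of `getViewPrivilegesWithClusterPermission` lacks @param entries for viewInstanceDAO and privilegeDAO, `final` on the static method `principalTypeInSetFrom` is redundant, and the utility class has no private constructor.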
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
index eee721a..a4f0031 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
@@ -705,96 +705,6 @@ public class Users {
}
/**
- * Gets the explicit and implicit privileges for the given user.
- * <p>
- * The explicit privileges are the privileges that have be explicitly set by assigning roles to
- * a user. For example the Cluster Operator role on a given cluster gives that the ability to
- * start and stop services in that cluster, among other privileges for that particular cluster.
- * <p>
- * The implicit privileges are the privileges that have been given to the roles themselves which
- * in turn are granted to the users that have been assigned those roles. For example if the
- * Cluster User role for a given cluster has been given View User access on a specified File View
- * instance, then all users who have the Cluster User role for that cluster will implicitly be
- * granted View User access on that File View instance.
- *
- * @param userEntity the relevant user
- * @return the collection of implicit and explicit privileges
- */
- public Collection<PrivilegeEntity> getUserPrivileges(UserEntity userEntity) {
- if (userEntity == null) {
- return Collections.emptyList();
- }
-
- // get all of the privileges for the user
- List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
-
- principalEntities.add(userEntity.getPrincipal());
-
- List<MemberEntity> memberEntities = memberDAO.findAllMembersByUser(userEntity);
-
- for (MemberEntity memberEntity : memberEntities) {
- principalEntities.add(memberEntity.getGroup().getPrincipal());
- }
-
- List<PrivilegeEntity> explicitPrivilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
- List<PrivilegeEntity> implicitPrivilegeEntities = getImplicitPrivileges(explicitPrivilegeEntities);
- List<PrivilegeEntity> privilegeEntities;
-
- if(implicitPrivilegeEntities.isEmpty()) {
- privilegeEntities = explicitPrivilegeEntities;
- }
- else {
- privilegeEntities = new LinkedList<PrivilegeEntity>();
- privilegeEntities.addAll(explicitPrivilegeEntities);
- privilegeEntities.addAll(implicitPrivilegeEntities);
- }
-
- return privilegeEntities;
- }
-
- /**
- * Gets the explicit and implicit privileges for the given group.
- * <p>
- * The explicit privileges are the privileges that have be explicitly set by assigning roles to
- * a group. For example the Cluster Operator role on a given cluster gives that the ability to
- * start and stop services in that cluster, among other privileges for that particular cluster.
- * <p>
- * The implicit privileges are the privileges that have been given to the roles themselves which
- * in turn are granted to the groups that have been assigned those roles. For example if the
- * Cluster User role for a given cluster has been given View User access on a specified File View
- * instance, then all groups that have the Cluster User role for that cluster will implicitly be
- * granted View User access on that File View instance.
- *
- * @param groupEntity the relevant group
- * @return the collection of implicit and explicit privileges
- */
- public Collection<PrivilegeEntity> getGroupPrivileges(GroupEntity groupEntity) {
- if (groupEntity == null) {
- return Collections.emptyList();
- }
-
- // get all of the privileges for the group
- List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
-
- principalEntities.add(groupEntity.getPrincipal());
-
- List<PrivilegeEntity> explicitPrivilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
- List<PrivilegeEntity> implicitPrivilegeEntities = getImplicitPrivileges(explicitPrivilegeEntities);
- List<PrivilegeEntity> privilegeEntities;
-
- if(implicitPrivilegeEntities.isEmpty()) {
- privilegeEntities = explicitPrivilegeEntities;
- }
- else {
- privilegeEntities = new LinkedList<PrivilegeEntity>();
- privilegeEntities.addAll(explicitPrivilegeEntities);
- privilegeEntities.addAll(implicitPrivilegeEntities);
- }
-
- return privilegeEntities;
- }
-
- /**
* Gets the explicit and implicit authorities for the given user.
* <p>
* The explicit authorities are the authorities that have be explicitly set by assigning roles to
@@ -817,59 +727,50 @@ public class Users {
return Collections.emptyList();
}
- Collection<PrivilegeEntity> privilegeEntities = getUserPrivileges(userEntity);
-
- Set<AmbariGrantedAuthority> authorities = new HashSet<>(privilegeEntities.size());
-
- for (PrivilegeEntity privilegeEntity : privilegeEntities) {
- authorities.add(new AmbariGrantedAuthority(privilegeEntity));
- }
+ // get all of the privileges for the user
+ List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
- return authorities;
- }
+ principalEntities.add(userEntity.getPrincipal());
- /**
- * Gets the implicit privileges based on the set of roles found in a collection of privileges.
- * <p>
- * The implicit privileges are the privileges that have been given to the roles themselves which
- * in turn are granted to the groups that have been assigned those roles. For example if the
- * Cluster User role for a given cluster has been given View User access on a specified File View
- * instance, then all groups that have the Cluster User role for that cluster will implicitly be
- * granted View User access on that File View instance.
- *
- * @param privilegeEntities the relevant privileges
- * @return the collection explicit privileges
- */
- private List<PrivilegeEntity> getImplicitPrivileges(List<PrivilegeEntity> privilegeEntities) {
+ List<MemberEntity> memberEntities = memberDAO.findAllMembersByUser(userEntity);
- if ((privilegeEntities == null) || privilegeEntities.isEmpty()) {
- return Collections.emptyList();
+ for (MemberEntity memberEntity : memberEntities) {
+ principalEntities.add(memberEntity.getGroup().getPrincipal());
}
- List<PrivilegeEntity> implicitPrivileges = new LinkedList<PrivilegeEntity>();
+ List<PrivilegeEntity> privilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
// A list of principals representing roles/permissions. This collection of roles will be used to
- // find additional inherited privileges based on the assigned roles.
+ // find additional authorizations inherited by the authenticated user based on the assigned roles.
// For example a File View instance may be set to be accessible to all authenticated user with
// the Cluster User role.
List<PrincipalEntity> rolePrincipals = new ArrayList<PrincipalEntity>();
+ Set<AmbariGrantedAuthority> authorities = new HashSet<>(privilegeEntities.size());
+
for (PrivilegeEntity privilegeEntity : privilegeEntities) {
// Add the principal representing the role associated with this PrivilegeEntity to the collection
- // of roles.
+ // of roles for the authenticated user.
PrincipalEntity rolePrincipal = privilegeEntity.getPermission().getPrincipal();
- if (rolePrincipal != null) {
+ if(rolePrincipal != null) {
rolePrincipals.add(rolePrincipal);
}
+
+ authorities.add(new AmbariGrantedAuthority(privilegeEntity));
}
- // If the collections of assigned roles is not empty find the inherited priviliges.
- if (!rolePrincipals.isEmpty()) {
+ // If the collections of assigned roles is not empty find the inherited authorizations that are
+ // give to the roles and add them to the collection of (Granted) authorities for the user.
+ if(!rolePrincipals.isEmpty()) {
// For each "role" see if any privileges have been granted...
- implicitPrivileges.addAll(privilegeDAO.findAllByPrincipal(rolePrincipals));
+ List<PrivilegeEntity> rolePrivilegeEntities = privilegeDAO.findAllByPrincipal(rolePrincipals);
+
+ for (PrivilegeEntity privilegeEntity : rolePrivilegeEntities) {
+ authorities.add(new AmbariGrantedAuthority(privilegeEntity));
+ }
}
- return implicitPrivileges;
+ return authorities;
}
}