Posted to commits@ambari.apache.org by rl...@apache.org on 2015/11/24 00:57:53 UTC
[1/3] ambari git commit: AMBARI-13977. Enforce granular role-based
access control for user functions (rlevas)
Repository: ambari
Updated Branches:
refs/heads/trunk e1584720b -> 7d45f1f71
http://git-wip-us.apache.org/repos/asf/ambari/blob/7d45f1f7/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
index e65786b..fdcfbce 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p/>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p/>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -45,9 +45,13 @@ import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import org.apache.ambari.server.orm.entities.UserEntity;
import org.apache.ambari.server.orm.entities.ViewEntity;
import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
import org.easymock.EasyMockSupport;
import org.junit.Test;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
import static org.easymock.EasyMock.anyObject;
import static org.easymock.EasyMock.expect;
@@ -59,74 +63,37 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
@Test(expected = SystemException.class)
public void testCreateResources() throws Exception {
- final UserPrivilegeResourceProvider resourceProvider = new UserPrivilegeResourceProvider();
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createClusterAdministrator("user1"));
+ UserPrivilegeResourceProvider resourceProvider = new UserPrivilegeResourceProvider();
resourceProvider.createResources(createNiceMock(Request.class));
}
- @SuppressWarnings("serial")
@Test
- public void testGetResources() throws Exception {
- final UserPrivilegeResourceProvider resourceProvider = new UserPrivilegeResourceProvider();
- final UserDAO userDAO = createNiceMock(UserDAO.class);
- final GroupDAO groupDAO = createNiceMock(GroupDAO.class);
- final ClusterDAO clusterDAO = createNiceMock(ClusterDAO.class);
- final ViewInstanceDAO viewInstanceDAO = createNiceMock(ViewInstanceDAO.class);
- final UserEntity userEntity = createNiceMock(UserEntity.class);
- final PrincipalEntity principalEntity = createNiceMock(PrincipalEntity.class);
- final PrivilegeEntity privilegeEntity = createNiceMock(PrivilegeEntity.class);
- final PermissionEntity permissionEntity = createNiceMock(PermissionEntity.class);
- final PrincipalTypeEntity principalTypeEntity = createNiceMock(PrincipalTypeEntity.class);
- final ResourceEntity resourceEntity = createNiceMock(ResourceEntity.class);
- final ResourceTypeEntity resourceTypeEntity = createNiceMock(ResourceTypeEntity.class);
-
- expect(userDAO.findLocalUserByName("user")).andReturn(userEntity).anyTimes();
- expect(userEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
- expect(userEntity.getMemberEntities()).andReturn(Collections.<MemberEntity> emptySet()).anyTimes();
- expect(privilegeEntity.getPermission()).andReturn(permissionEntity).anyTimes();
- expect(privilegeEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
- expect(principalEntity.getPrincipalType()).andReturn(principalTypeEntity).anyTimes();
- expect(principalTypeEntity.getName()).andReturn(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME).anyTimes();
- expect(principalEntity.getPrivileges()).andReturn(new HashSet<PrivilegeEntity>() {
- {
- add(privilegeEntity);
- }
- }).anyTimes();
- expect(userDAO.findUserByPrincipal(anyObject(PrincipalEntity.class))).andReturn(userEntity).anyTimes();
- expect(userEntity.getUserName()).andReturn("user").anyTimes();
- expect(privilegeEntity.getResource()).andReturn(resourceEntity).anyTimes();
- expect(resourceEntity.getResourceType()).andReturn(resourceTypeEntity).anyTimes();
- expect(resourceTypeEntity.getName()).andReturn(ResourceType.AMBARI.name());
-
- replayAll();
-
- UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO);
-
- final Set<String> propertyIds = new HashSet<String>();
- propertyIds.add(UserPrivilegeResourceProvider.PRIVILEGE_USER_NAME_PROPERTY_ID);
- //propertyIds.add(UserResourceProvider.USER_PASSWORD_PROPERTY_ID);
-
- final Predicate predicate = new PredicateBuilder().property(UserPrivilegeResourceProvider.PRIVILEGE_USER_NAME_PROPERTY_ID).equals("user").toPredicate();
- Request request = PropertyHelper.getReadRequest(propertyIds);
- Set<Resource> resources = resourceProvider.getResources(request, predicate);
+ public void testGetResources_Administrator() throws Exception {
+ getResourcesTest(TestAuthenticationFactory.createAdministrator("admin"), "User1");
+ }
- Assert.assertEquals(1, resources.size());
- for (Resource resource : resources) {
- String userName = (String) resource.getPropertyValue(UserPrivilegeResourceProvider.PRIVILEGE_USER_NAME_PROPERTY_ID);
- Assert.assertEquals("user", userName);
- }
+ @Test
+ public void testGetResources_NonAdministrator_Self() throws Exception {
+ getResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User1");
+ }
- verifyAll();
+ @Test(expected = AuthorizationException.class)
+ public void testGetResources_NonAdministrator_Other() throws Exception {
+ getResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User10");
}
@Test(expected = SystemException.class)
public void testUpdateResources() throws Exception {
- final UserPrivilegeResourceProvider resourceProvider = new UserPrivilegeResourceProvider();
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createClusterAdministrator("user1"));
+ UserPrivilegeResourceProvider resourceProvider = new UserPrivilegeResourceProvider();
resourceProvider.updateResources(createNiceMock(Request.class), createNiceMock(Predicate.class));
}
@Test(expected = SystemException.class)
public void testDeleteResources() throws Exception {
- final UserPrivilegeResourceProvider resourceProvider = new UserPrivilegeResourceProvider();
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createClusterAdministrator("user1"));
+ UserPrivilegeResourceProvider resourceProvider = new UserPrivilegeResourceProvider();
resourceProvider.deleteResources(createNiceMock(Predicate.class));
}
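Review bot: The `SecurityContextHolder.getContext().setAuthentication(...)` calls added to testCreateResources, testUpdateResources and testDeleteResources are never undone, and no teardown is visible in this hunk, so with the default thread-local strategy the principal may carry over into whichever test runs next on the same thread. An authorization test that passes or fails because of a leftover context says nothing about the check under test; the same applies to the `getResourcesTest` helper added in the next hunk. Unless the class already clears the context outside the visible lines, add an `@After` method whose body is `SecurityContextHolder.getContext().setAuthentication(null);`, as this commit does in UserResourceProviderTest. The principal is also spelled `"user1"` here but `"User1"` in the getResources tests; use one spelling so the casing is not mistaken for part of the scenario.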
@@ -344,4 +311,65 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
verifyAll();
}
+
+ // @SuppressWarnings("serial")
+ private void getResourcesTest(Authentication authentication, String requestedUsername) throws Exception {
+ final UserPrivilegeResourceProvider resourceProvider = new UserPrivilegeResourceProvider();
+ final UserDAO userDAO = createNiceMock(UserDAO.class);
+ final GroupDAO groupDAO = createNiceMock(GroupDAO.class);
+ final ClusterDAO clusterDAO = createNiceMock(ClusterDAO.class);
+ final ViewInstanceDAO viewInstanceDAO = createNiceMock(ViewInstanceDAO.class);
+ final UserEntity userEntity = createNiceMock(UserEntity.class);
+ final PrincipalEntity principalEntity = createNiceMock(PrincipalEntity.class);
+ final PrivilegeEntity privilegeEntity = createNiceMock(PrivilegeEntity.class);
+ final PermissionEntity permissionEntity = createNiceMock(PermissionEntity.class);
+ final PrincipalTypeEntity principalTypeEntity = createNiceMock(PrincipalTypeEntity.class);
+ final ResourceEntity resourceEntity = createNiceMock(ResourceEntity.class);
+ final ResourceTypeEntity resourceTypeEntity = createNiceMock(ResourceTypeEntity.class);
+
+ expect(userDAO.findLocalUserByName(requestedUsername)).andReturn(userEntity).anyTimes();
+ expect(userEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
+ expect(userEntity.getMemberEntities()).andReturn(Collections.<MemberEntity>emptySet()).anyTimes();
+ expect(privilegeEntity.getPermission()).andReturn(permissionEntity).anyTimes();
+ expect(privilegeEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
+ expect(principalEntity.getPrincipalType()).andReturn(principalTypeEntity).anyTimes();
+ expect(principalTypeEntity.getName()).andReturn(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME).anyTimes();
+ expect(principalEntity.getPrivileges()).andReturn(new HashSet<PrivilegeEntity>() {
+ {
+ add(privilegeEntity);
+ }
+ }).anyTimes();
+ expect(userDAO.findUserByPrincipal(anyObject(PrincipalEntity.class))).andReturn(userEntity).anyTimes();
+ expect(userEntity.getUserName()).andReturn(requestedUsername).anyTimes();
+ expect(privilegeEntity.getResource()).andReturn(resourceEntity).anyTimes();
+ expect(resourceEntity.getResourceType()).andReturn(resourceTypeEntity).anyTimes();
+ expect(resourceTypeEntity.getName()).andReturn(ResourceType.AMBARI.name());
+
+ replayAll();
+
+ UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO);
+
+ final Set<String> propertyIds = new HashSet<String>();
+ propertyIds.add(UserPrivilegeResourceProvider.PRIVILEGE_USER_NAME_PROPERTY_ID);
+
+ final Predicate predicate = new PredicateBuilder()
+ .property(UserPrivilegeResourceProvider.PRIVILEGE_USER_NAME_PROPERTY_ID)
+ .equals(requestedUsername)
+ .toPredicate();
+ Request request = PropertyHelper.getReadRequest(propertyIds);
+
+ // Set the authenticated user to a administrator
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
+ Set<Resource> resources = resourceProvider.getResources(request, predicate);
+
+ Assert.assertEquals(1, resources.size());
+ for (Resource resource : resources) {
+ String userName = (String) resource.getPropertyValue(UserPrivilegeResourceProvider.PRIVILEGE_USER_NAME_PROPERTY_ID);
+ Assert.assertEquals(requestedUsername, userName);
+ }
+
+ verifyAll();
+ }
+
}
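Review bot: The comment `// Set the authenticated user to a administrator` in `getResourcesTest` is wrong for two of the three callers, which pass a cluster administrator; it should read something like `// Authenticate as the caller-supplied principal before calling the provider`. The helper would also benefit from a short Javadoc stating that `authentication` is the requesting principal, `requestedUsername` is the user whose privileges are read, and that a denied request is expected to surface as AuthorizationException from `getResources`. The commented-out `// @SuppressWarnings("serial")` should either be restored (the anonymous `HashSet` subclass it covered is still there) or deleted. In the denied case `verifyAll()` is never reached and every expectation is `anyTimes()` on a nice mock, so the test cannot show whether the DAO was consulted before the authorization check; that is fine if only the exception matters, but worth stating in the Javadoc.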
http://git-wip-us.apache.org/repos/asf/ambari/blob/7d45f1f7/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserResourceProviderTest.java
index 94f6fd7..4321485 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserResourceProviderTest.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p/>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p/>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -30,8 +30,6 @@ import org.apache.ambari.server.controller.AbstractRootServiceResponseFactory;
import org.apache.ambari.server.controller.AmbariManagementController;
import org.apache.ambari.server.controller.AmbariManagementControllerImpl;
import org.apache.ambari.server.controller.KerberosHelper;
-import org.apache.ambari.server.controller.RequestStatusResponse;
-import org.apache.ambari.server.controller.UserResponse;
import org.apache.ambari.server.controller.spi.Predicate;
import org.apache.ambari.server.controller.spi.Request;
import org.apache.ambari.server.controller.spi.Resource;
@@ -39,12 +37,11 @@ import org.apache.ambari.server.controller.spi.ResourceProvider;
import org.apache.ambari.server.controller.utilities.PredicateBuilder;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
import org.apache.ambari.server.orm.DBAccessor;
-import org.apache.ambari.server.orm.entities.PermissionEntity;
-import org.apache.ambari.server.orm.entities.PrivilegeEntity;
import org.apache.ambari.server.scheduler.ExecutionScheduler;
-import org.apache.ambari.server.security.SecurityHelper;
-import org.apache.ambari.server.security.authorization.AmbariGrantedAuthority;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.security.authorization.User;
+import org.apache.ambari.server.security.authorization.UserType;
import org.apache.ambari.server.security.authorization.Users;
import org.apache.ambari.server.security.encryption.CredentialStoreService;
import org.apache.ambari.server.security.encryption.CredentialStoreServiceImpl;
@@ -59,487 +56,474 @@ import org.apache.ambari.server.state.ServiceFactory;
import org.apache.ambari.server.state.configgroup.ConfigGroupFactory;
import org.apache.ambari.server.state.scheduler.RequestExecutionFactory;
import org.apache.ambari.server.state.stack.OsFamily;
+import org.easymock.EasyMockSupport;
+import org.junit.After;
import org.junit.Assert;
+import org.junit.Before;
import org.junit.Test;
-import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.password.PasswordEncoder;
import javax.persistence.EntityManager;
-import java.util.Collection;
+import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
+import java.util.List;
import java.util.Map;
import java.util.Set;
-import static org.easymock.EasyMock.createMock;
-import static org.easymock.EasyMock.createNiceMock;
-import static org.easymock.EasyMock.expect;
-import static org.easymock.EasyMock.expectLastCall;
-import static org.easymock.EasyMock.replay;
-import static org.easymock.EasyMock.verify;
+import static org.easymock.EasyMock.*;
/**
* UserResourceProvider tests.
*/
-public class UserResourceProviderTest {
- @Test
- public void testCreateResources() throws Exception {
- Resource.Type type = Resource.Type.User;
+public class UserResourceProviderTest extends EasyMockSupport {
- AmbariManagementController managementController = createMock(AmbariManagementController.class);
- RequestStatusResponse response = createNiceMock(RequestStatusResponse.class);
+ @Before
+ public void resetMocks() {
+ resetAll();
+ }
- managementController.createUsers(AbstractResourceProviderTest.Matcher.getUserRequestSet("User100"));
+ @After
+ public void clearAuthentication() {
+ SecurityContextHolder.getContext().setAuthentication(null);
+ }
- // replay
- replay(managementController, response);
+ @Test
+ public void testCreateResources_Administrator() throws Exception {
+ createResourcesTest(TestAuthenticationFactory.createAdministrator("admin"));
+ }
- ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
- type,
- PropertyHelper.getPropertyIds(type),
- PropertyHelper.getKeyPropertyIds(type),
- managementController);
+ @Test(expected = AuthorizationException.class)
+ public void testCreateResources_NonAdministrator() throws Exception {
+ createResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"));
+ }
- // add the property map to a set for the request. add more maps for multiple creates
- Set<Map<String, Object>> propertySet = new LinkedHashSet<Map<String, Object>>();
+ @Test
+ public void testGetResources_Administrator() throws Exception {
+ getResourcesTest(TestAuthenticationFactory.createAdministrator("admin"));
+ }
- Map<String, Object> properties = new LinkedHashMap<String, Object>();
+ @Test
+ public void testGetResources_NonAdministrator() throws Exception {
+ getResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"));
+ }
- // add properties to the request map
- properties.put(UserResourceProvider.USER_USERNAME_PROPERTY_ID, "User100");
+ @Test
+ public void testGetResource_Administrator_Self() throws Exception {
+ getResourceTest(TestAuthenticationFactory.createAdministrator("admin"), "admin");
+ }
- propertySet.add(properties);
+ @Test
+ public void testGetResource_Administrator_Other() throws Exception {
+ getResourceTest(TestAuthenticationFactory.createAdministrator("admin"), "User1");
+ }
- // create the request
- Request request = PropertyHelper.getCreateRequest(propertySet, null);
+ @Test
+ public void testGetResource_NonAdministrator_Self() throws Exception {
+ getResourceTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User1");
+ }
- provider.createResources(request);
+ @Test(expected = AuthorizationException.class)
+ public void testGetResource_NonAdministrator_Other() throws Exception {
+ getResourceTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User100");
+ }
- // verify
- verify(managementController, response);
+ @Test
+ public void testUpdateResources_SetAdmin_Administrator_Self() throws Exception {
+ updateResources_SetAdmin(TestAuthenticationFactory.createAdministrator("admin"), "User100");
}
@Test
- public void testGetResources() throws Exception {
- Resource.Type type = Resource.Type.User;
+ public void testUpdateResources_SetAdmin_Administrator_Other() throws Exception {
+ updateResources_SetAdmin(TestAuthenticationFactory.createAdministrator("admin"), "User100");
+ }
- AmbariManagementController managementController = createMock(AmbariManagementController.class);
+ @Test(expected = AuthorizationException.class)
+ public void testUpdateResources_SetAdmin_NonAdministrator_Self() throws Exception {
+ updateResources_SetAdmin(TestAuthenticationFactory.createClusterAdministrator("User1"), "User1");
+ }
- Set<UserResponse> allResponse = new HashSet<UserResponse>();
- allResponse.add(new UserResponse("User100", false, true, false));
+ @Test(expected = AuthorizationException.class)
+ public void testUpdateResources_SetAdmin_NonAdministrator_Other() throws Exception {
+ updateResources_SetAdmin(TestAuthenticationFactory.createClusterAdministrator("User1"), "User100");
+ }
- // set expectations
- expect(managementController.getUsers(AbstractResourceProviderTest.Matcher.getUserRequestSet("User100"))).
- andReturn(allResponse).once();
+ @Test
+ public void testUpdateResources_SetActive_Administrator_Self() throws Exception {
+ updateResources_SetActive(TestAuthenticationFactory.createAdministrator("admin"), "User100");
+ }
- // replay
- replay(managementController);
+ @Test
+ public void testUpdateResources_SetActive_Administrator_Other() throws Exception {
+ updateResources_SetActive(TestAuthenticationFactory.createAdministrator("admin"), "User100");
+ }
- ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
- type,
- PropertyHelper.getPropertyIds(type),
- PropertyHelper.getKeyPropertyIds(type),
- managementController);
+ @Test(expected = AuthorizationException.class)
+ public void testUpdateResources_SetActive_NonAdministrator_Self() throws Exception {
+ updateResources_SetActive(TestAuthenticationFactory.createClusterAdministrator("User1"), "User1");
+ }
- Set<String> propertyIds = new HashSet<String>();
+ @Test(expected = AuthorizationException.class)
+ public void testUpdateResources_SetActive_NonAdministrator_Other() throws Exception {
+ updateResources_SetActive(TestAuthenticationFactory.createClusterAdministrator("User1"), "User100");
+ }
- propertyIds.add(UserResourceProvider.USER_USERNAME_PROPERTY_ID);
- propertyIds.add(UserResourceProvider.USER_PASSWORD_PROPERTY_ID);
+ @Test
+ public void testUpdateResources_SetPassword_Administrator_Self() throws Exception {
+ updateResources_SetPassword(TestAuthenticationFactory.createAdministrator("admin"), "User100");
+ }
- Predicate predicate = new PredicateBuilder().property(UserResourceProvider.USER_USERNAME_PROPERTY_ID).
- equals("User100").toPredicate();
- Request request = PropertyHelper.getReadRequest(propertyIds);
- Set<Resource> resources = provider.getResources(request, predicate);
+ @Test
+ public void testUpdateResources_SetPassword_Administrator_Other() throws Exception {
+ updateResources_SetPassword(TestAuthenticationFactory.createAdministrator("admin"), "User100");
+ }
- Assert.assertEquals(1, resources.size());
- for (Resource resource : resources) {
- String userName = (String) resource.getPropertyValue(UserResourceProvider.USER_USERNAME_PROPERTY_ID);
- Assert.assertEquals("User100", userName);
- }
+ @Test
+ public void testUpdateResources_SetPassword_NonAdministrator_Self() throws Exception {
+ updateResources_SetPassword(TestAuthenticationFactory.createClusterAdministrator("User1"), "User1");
+ }
- // verify
- verify(managementController);
+ @Test(expected = AuthorizationException.class)
+ public void testUpdateResources_SetPassword_NonAdministrator_Other() throws Exception {
+ updateResources_SetPassword(TestAuthenticationFactory.createClusterAdministrator("User1"), "User100");
}
@Test
- public void testUpdateResources_SetAdmin_AsAdminUser() throws Exception {
- Resource.Type type = Resource.Type.User;
- Injector injector = createInjector();
+ public void testDeleteResource_Administrator_Self() throws Exception {
+ deleteResourcesTest(TestAuthenticationFactory.createAdministrator("admin"), "User100");
+ }
- SecurityHelper securityHelper = injector.getInstance(SecurityHelper.class);
- Users users = injector.getInstance(Users.class);
- User user = createMock(User.class);
- PrivilegeEntity privilegeEntity = createMock(PrivilegeEntity.class);
- PermissionEntity permissionEntity = createMock(PermissionEntity.class);
+ @Test
+ public void testDeleteResource_Administrator_Other() throws Exception {
+ deleteResourcesTest(TestAuthenticationFactory.createAdministrator("admin"), "User100");
+ }
- AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
+ @Test(expected = AuthorizationException.class)
+ public void testDeleteResource_NonAdministrator_Self() throws Exception {
+ deleteResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User1");
+ }
- RequestStatusResponse response = createNiceMock(RequestStatusResponse.class);
+ @Test(expected = AuthorizationException.class)
+ public void testDeleteResource_NonAdministrator_Other() throws Exception {
+ deleteResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User100");
+ }
- Collection<? extends GrantedAuthority> currentAuthorities = Collections.singleton(new AmbariGrantedAuthority(privilegeEntity));
+ private Injector createInjector() throws Exception {
+ return Guice.createInjector(new AbstractModule() {
+ @Override
+ protected void configure() {
+ bind(EntityManager.class).toInstance(createNiceMock(EntityManager.class));
+ bind(DBAccessor.class).toInstance(createNiceMock(DBAccessor.class));
+ bind(ActionDBAccessor.class).toInstance(createNiceMock(ActionDBAccessor.class));
+ bind(ExecutionScheduler.class).toInstance(createNiceMock(ExecutionScheduler.class));
+ bind(OsFamily.class).toInstance(createNiceMock(OsFamily.class));
+ bind(AmbariMetaInfo.class).toInstance(createMock(AmbariMetaInfo.class));
+ bind(ActionManager.class).toInstance(createNiceMock(ActionManager.class));
+ bind(RequestFactory.class).toInstance(createNiceMock(RequestFactory.class));
+ bind(RequestExecutionFactory.class).toInstance(createNiceMock(RequestExecutionFactory.class));
+ bind(StageFactory.class).toInstance(createNiceMock(StageFactory.class));
+ bind(RoleGraphFactory.class).to(RoleGraphFactoryImpl.class);
+ bind(Clusters.class).toInstance(createNiceMock(Clusters.class));
+ bind(AbstractRootServiceResponseFactory.class).toInstance(createNiceMock(AbstractRootServiceResponseFactory.class));
+ bind(StackManagerFactory.class).toInstance(createNiceMock(StackManagerFactory.class));
+ bind(ConfigFactory.class).toInstance(createNiceMock(ConfigFactory.class));
+ bind(ConfigGroupFactory.class).toInstance(createNiceMock(ConfigGroupFactory.class));
+ bind(ServiceFactory.class).toInstance(createNiceMock(ServiceFactory.class));
+ bind(ServiceComponentFactory.class).toInstance(createNiceMock(ServiceComponentFactory.class));
+ bind(ServiceComponentHostFactory.class).toInstance(createNiceMock(ServiceComponentHostFactory.class));
+ bind(PasswordEncoder.class).toInstance(createNiceMock(PasswordEncoder.class));
+ bind(KerberosHelper.class).toInstance(createNiceMock(KerberosHelper.class));
+ bind(Users.class).toInstance(createMock(Users.class));
+ bind(AmbariManagementController.class).to(AmbariManagementControllerImpl.class);
+ bind(CredentialStoreService.class).to(CredentialStoreServiceImpl.class);
+ }
+ });
+ }
- // set expectations
- expect(users.getAnyUser("User100")).andReturn(user).once();
- users.grantAdminPrivilege(1000);
- expectLastCall().once();
+ private void createResourcesTest(Authentication authentication) throws Exception {
+ Injector injector = createInjector();
- expect(user.getUserId()).andReturn(1000).once();
+ Users users = injector.getInstance(Users.class);
+ users.createUser("User100", "password", (Boolean) null, null, false);
+ expectLastCall().atLeastOnce();
- expect(privilegeEntity.getPermission()).andReturn(permissionEntity).once();
- expect(permissionEntity.getId()).andReturn(PermissionEntity.AMBARI_ADMINISTRATOR_PERMISSION).once();
+ // replay
+ replayAll();
- securityHelper.getCurrentAuthorities();
- expectLastCall().andReturn(currentAuthorities).once();
+ SecurityContextHolder.getContext().setAuthentication(authentication);
- // replay
- replay(securityHelper, user, users, privilegeEntity, permissionEntity, response);
+ AmbariMetaInfo ambariMetaInfo = injector.getInstance(AmbariMetaInfo.class);
+ ambariMetaInfo.init();
- ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
- type,
- PropertyHelper.getPropertyIds(type),
- PropertyHelper.getKeyPropertyIds(type),
- managementController);
+ AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
+
+ ResourceProvider provider = getResourceProvider(managementController);
+
+ // add the property map to a set for the request. add more maps for multiple creates
+ Set<Map<String, Object>> propertySet = new LinkedHashSet<Map<String, Object>>();
- // add the property map to a set for the request.
Map<String, Object> properties = new LinkedHashMap<String, Object>();
- properties.put(UserResourceProvider.USER_ADMIN_PROPERTY_ID, "true");
+ // add properties to the request map
+ properties.put(UserResourceProvider.USER_USERNAME_PROPERTY_ID, "User100");
+ properties.put(UserResourceProvider.USER_PASSWORD_PROPERTY_ID, "password");
+
+ propertySet.add(properties);
// create the request
- Request request = PropertyHelper.getUpdateRequest(properties, null);
+ Request request = PropertyHelper.getCreateRequest(propertySet, null);
- Predicate predicate = new PredicateBuilder()
- .property(UserResourceProvider.USER_USERNAME_PROPERTY_ID)
- .equals("User100")
- .toPredicate();
- provider.updateResources(request, predicate);
+ provider.createResources(request);
// verify
- verify(securityHelper, user, users, privilegeEntity, permissionEntity, response);
+ verifyAll();
}
- @Test(expected = IllegalArgumentException.class)
- public void testUpdateResources_SetAdmin_AsNonAdminUser() throws Exception {
- Resource.Type type = Resource.Type.User;
+ private void getResourcesTest(Authentication authentication) throws Exception {
Injector injector = createInjector();
- SecurityHelper securityHelper = injector.getInstance(SecurityHelper.class);
Users users = injector.getInstance(Users.class);
- User user = createMock(User.class);
- AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
+ if ("admin".equals(authentication.getName())) {
+ List<User> allUsers = Arrays.asList(
+ createMockUser("User1"),
+ createMockUser("User10"),
+ createMockUser("User100"),
+ createMockUser("admin")
+ );
+ expect(users.getAllUsers()).andReturn(allUsers).atLeastOnce();
+ } else {
+ expect(users.getAnyUser("User1")).andReturn(createMockUser("User1")).atLeastOnce();
+ }
- RequestStatusResponse response = createNiceMock(RequestStatusResponse.class);
+ replayAll();
- // set expectations
- expect(users.getAnyUser("User100")).andReturn(user).once();
+ AmbariMetaInfo ambariMetaInfo = injector.getInstance(AmbariMetaInfo.class);
+ ambariMetaInfo.init();
- securityHelper.getCurrentAuthorities();
- expectLastCall().andReturn(Collections.emptyList()).once();
+ SecurityContextHolder.getContext().setAuthentication(authentication);
- // replay
- replay(securityHelper, user, users, response);
+ AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
- ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
- type,
- PropertyHelper.getPropertyIds(type),
- PropertyHelper.getKeyPropertyIds(type),
- managementController);
+ ResourceProvider provider = getResourceProvider(managementController);
- // add the property map to a set for the request.
- Map<String, Object> properties = new LinkedHashMap<String, Object>();
+ Set<String> propertyIds = new HashSet<String>();
+ propertyIds.add(UserResourceProvider.USER_USERNAME_PROPERTY_ID);
+ propertyIds.add(UserResourceProvider.USER_PASSWORD_PROPERTY_ID);
- properties.put(UserResourceProvider.USER_ADMIN_PROPERTY_ID, "true");
+ Request request = PropertyHelper.getReadRequest(propertyIds);
- // create the request
- Request request = PropertyHelper.getUpdateRequest(properties, null);
+ Set<Resource> resources = provider.getResources(request, null);
- Predicate predicate = new PredicateBuilder()
- .property(UserResourceProvider.USER_USERNAME_PROPERTY_ID)
- .equals("User100")
- .toPredicate();
- provider.updateResources(request, predicate);
+ if ("admin".equals(authentication.getName())) {
+ List<String> expectedList = Arrays.asList("User1", "User10", "User100", "admin");
+ Assert.assertEquals(4, resources.size());
+ for (Resource resource : resources) {
+ String userName = (String) resource.getPropertyValue(UserResourceProvider.USER_USERNAME_PROPERTY_ID);
+ Assert.assertTrue(expectedList.contains(userName));
+ }
+ } else {
+ Assert.assertEquals(1, resources.size());
+ for (Resource resource : resources) {
+ Assert.assertEquals("User1", resource.getPropertyValue(UserResourceProvider.USER_USERNAME_PROPERTY_ID));
+ }
+ }
- // verify
- verify(securityHelper, user, users, response);
+ verifyAll();
}
- @Test
- public void testUpdateResources_SetActive_AsAdminUser() throws Exception {
- Resource.Type type = Resource.Type.User;
+ private void getResourceTest(Authentication authentication, String requestedUsername) throws Exception {
Injector injector = createInjector();
- SecurityHelper securityHelper = injector.getInstance(SecurityHelper.class);
Users users = injector.getInstance(Users.class);
- User user = createMock(User.class);
- PrivilegeEntity privilegeEntity = createMock(PrivilegeEntity.class);
- PermissionEntity permissionEntity = createMock(PermissionEntity.class);
-
- AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
-
- RequestStatusResponse response = createNiceMock(RequestStatusResponse.class);
+ expect(users.getAnyUser(requestedUsername)).andReturn(createMockUser(requestedUsername)).atLeastOnce();
- Collection<? extends GrantedAuthority> currentAuthorities = Collections.singleton(new AmbariGrantedAuthority(privilegeEntity));
+ replayAll();
- // set expectations
- expect(users.getAnyUser("User100")).andReturn(user).once();
-
- users.setUserActive("User100", false);
- expectLastCall().once();
-
- expect(user.getUserName()).andReturn("User100").once();
+ AmbariMetaInfo ambariMetaInfo = injector.getInstance(AmbariMetaInfo.class);
+ ambariMetaInfo.init();
- expect(privilegeEntity.getPermission()).andReturn(permissionEntity).once();
- expect(permissionEntity.getId()).andReturn(PermissionEntity.AMBARI_ADMINISTRATOR_PERMISSION).once();
+ SecurityContextHolder.getContext().setAuthentication(authentication);
- securityHelper.getCurrentAuthorities();
- expectLastCall().andReturn(currentAuthorities).once();
-
- // replay
- replay(securityHelper, user, users, privilegeEntity, permissionEntity, response);
+ AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
- ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
- type,
- PropertyHelper.getPropertyIds(type),
- PropertyHelper.getKeyPropertyIds(type),
- managementController);
+ ResourceProvider provider = getResourceProvider(managementController);
- // add the property map to a set for the request.
- Map<String, Object> properties = new LinkedHashMap<String, Object>();
+ Set<String> propertyIds = new HashSet<String>();
+ propertyIds.add(UserResourceProvider.USER_USERNAME_PROPERTY_ID);
+ propertyIds.add(UserResourceProvider.USER_PASSWORD_PROPERTY_ID);
- properties.put(UserResourceProvider.USER_ACTIVE_PROPERTY_ID, "false");
+ Request request = PropertyHelper.getReadRequest(propertyIds);
- // create the request
- Request request = PropertyHelper.getUpdateRequest(properties, null);
+ Set<Resource> resources = provider.getResources(request, createPredicate(requestedUsername));
- Predicate predicate = new PredicateBuilder()
- .property(UserResourceProvider.USER_USERNAME_PROPERTY_ID)
- .equals("User100")
- .toPredicate();
- provider.updateResources(request, predicate);
+ Assert.assertEquals(1, resources.size());
+ for (Resource resource : resources) {
+ String userName = (String) resource.getPropertyValue(UserResourceProvider.USER_USERNAME_PROPERTY_ID);
+ Assert.assertEquals(requestedUsername, userName);
+ }
- // verify
- verify(securityHelper, user, users, privilegeEntity, permissionEntity, response);
+ verifyAll();
}
- @Test(expected = IllegalArgumentException.class)
- public void testUpdateResources_SetActive_AsNonActiveUser() throws Exception {
- Resource.Type type = Resource.Type.User;
+ public void updateResources_SetAdmin(Authentication authentication, String requestedUsername) throws Exception {
Injector injector = createInjector();
- SecurityHelper securityHelper = injector.getInstance(SecurityHelper.class);
Users users = injector.getInstance(Users.class);
- User user = createMock(User.class);
+ expect(users.getAnyUser(requestedUsername)).andReturn(createMockUser(requestedUsername)).once();
- AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
+ if ("admin".equals(authentication.getName())) {
+ users.grantAdminPrivilege(requestedUsername.hashCode());
+ expectLastCall().once();
+ }
- RequestStatusResponse response = createNiceMock(RequestStatusResponse.class);
+ replayAll();
- // set expectations
- expect(users.getAnyUser("User100")).andReturn(user).once();
+ AmbariMetaInfo ambariMetaInfo = injector.getInstance(AmbariMetaInfo.class);
+ ambariMetaInfo.init();
- securityHelper.getCurrentAuthorities();
- expectLastCall().andReturn(Collections.emptyList()).once();
+ SecurityContextHolder.getContext().setAuthentication(authentication);
- // replay
- replay(securityHelper, user, users, response);
+ AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
- ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
- type,
- PropertyHelper.getPropertyIds(type),
- PropertyHelper.getKeyPropertyIds(type),
- managementController);
+ ResourceProvider provider = getResourceProvider(managementController);
// add the property map to a set for the request.
Map<String, Object> properties = new LinkedHashMap<String, Object>();
-
- properties.put(UserResourceProvider.USER_ACTIVE_PROPERTY_ID, "false");
+ properties.put(UserResourceProvider.USER_ADMIN_PROPERTY_ID, "true");
// create the request
Request request = PropertyHelper.getUpdateRequest(properties, null);
- Predicate predicate = new PredicateBuilder()
- .property(UserResourceProvider.USER_USERNAME_PROPERTY_ID)
- .equals("User100")
- .toPredicate();
- provider.updateResources(request, predicate);
+ provider.updateResources(request, createPredicate(requestedUsername));
- // verify
- verify(securityHelper, user, users, response);
+ verifyAll();
}
- @Test
- public void testUpdateResources_SetPassword_AsAdminUser() throws Exception {
- Resource.Type type = Resource.Type.User;
+ public void updateResources_SetActive(Authentication authentication, String requestedUsername) throws Exception {
Injector injector = createInjector();
- SecurityHelper securityHelper = injector.getInstance(SecurityHelper.class);
Users users = injector.getInstance(Users.class);
- User user = createMock(User.class);
- PrivilegeEntity privilegeEntity = createMock(PrivilegeEntity.class);
- PermissionEntity permissionEntity = createMock(PermissionEntity.class);
-
- AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
+ expect(users.getAnyUser(requestedUsername)).andReturn(createMockUser(requestedUsername)).once();
- RequestStatusResponse response = createNiceMock(RequestStatusResponse.class);
-
- Collection<? extends GrantedAuthority> currentAuthorities = Collections.singleton(new AmbariGrantedAuthority(privilegeEntity));
-
- // set expectations
- expect(users.getAnyUser("User100")).andReturn(user).once();
-
- users.modifyPassword("User100", "old_password", "password");
- expectLastCall().once();
+ if ("admin".equals(authentication.getName())) {
+ users.setUserActive(requestedUsername, true);
+ expectLastCall().once();
+ }
- expect(user.getUserName()).andReturn("User100").once();
+ replayAll();
- expect(privilegeEntity.getPermission()).andReturn(permissionEntity).anyTimes();
- expect(permissionEntity.getId()).andReturn(PermissionEntity.AMBARI_ADMINISTRATOR_PERMISSION).anyTimes();
+ AmbariMetaInfo ambariMetaInfo = injector.getInstance(AmbariMetaInfo.class);
+ ambariMetaInfo.init();
- securityHelper.getCurrentAuthorities();
- expectLastCall().andReturn(currentAuthorities).anyTimes();
+ SecurityContextHolder.getContext().setAuthentication(authentication);
- // replay
- replay(securityHelper, user, users, privilegeEntity, permissionEntity, response);
+ AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
- ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
- type,
- PropertyHelper.getPropertyIds(type),
- PropertyHelper.getKeyPropertyIds(type),
- managementController);
+ ResourceProvider provider = getResourceProvider(managementController);
// add the property map to a set for the request.
Map<String, Object> properties = new LinkedHashMap<String, Object>();
+ properties.put(UserResourceProvider.USER_ACTIVE_PROPERTY_ID, "true");
- properties.put(UserResourceProvider.USER_PASSWORD_PROPERTY_ID, "password");
- properties.put(UserResourceProvider.USER_OLD_PASSWORD_PROPERTY_ID, "old_password");
-
- // create the request
Request request = PropertyHelper.getUpdateRequest(properties, null);
- Predicate predicate = new PredicateBuilder()
- .property(UserResourceProvider.USER_USERNAME_PROPERTY_ID)
- .equals("User100")
- .toPredicate();
- provider.updateResources(request, predicate);
+ provider.updateResources(request, createPredicate(requestedUsername));
- // verify
- verify(securityHelper, user, users, privilegeEntity, permissionEntity, response);
+ verifyAll();
}
- @Test
- public void testUpdateResources_SetPassword_AsNonActiveUser() throws Exception {
- Resource.Type type = Resource.Type.User;
+ public void updateResources_SetPassword(Authentication authentication, String requestedUsername) throws Exception {
Injector injector = createInjector();
- SecurityHelper securityHelper = injector.getInstance(SecurityHelper.class);
Users users = injector.getInstance(Users.class);
- User user = createMock(User.class);
-
- AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
-
- RequestStatusResponse response = createNiceMock(RequestStatusResponse.class);
-
- // set expectations
- expect(users.getAnyUser("User100")).andReturn(user).once();
-
- users.modifyPassword("User100", "old_password", "password");
+ expect(users.getAnyUser(requestedUsername)).andReturn(createMockUser(requestedUsername)).once();
+ users.modifyPassword(requestedUsername, "old_password", "new_password");
expectLastCall().once();
- expect(user.getUserName()).andReturn("User100").once();
+ replayAll();
- securityHelper.getCurrentAuthorities();
- expectLastCall().andReturn(Collections.emptyList()).anyTimes();
+ AmbariMetaInfo ambariMetaInfo = injector.getInstance(AmbariMetaInfo.class);
+ ambariMetaInfo.init();
- // replay
- replay(securityHelper, user, users, response);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
- ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
- type,
- PropertyHelper.getPropertyIds(type),
- PropertyHelper.getKeyPropertyIds(type),
- managementController);
+ AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
+
+ ResourceProvider provider = getResourceProvider(managementController);
// add the property map to a set for the request.
Map<String, Object> properties = new LinkedHashMap<String, Object>();
-
- properties.put(UserResourceProvider.USER_PASSWORD_PROPERTY_ID, "password");
properties.put(UserResourceProvider.USER_OLD_PASSWORD_PROPERTY_ID, "old_password");
+ properties.put(UserResourceProvider.USER_PASSWORD_PROPERTY_ID, "new_password");
// create the request
Request request = PropertyHelper.getUpdateRequest(properties, null);
- Predicate predicate = new PredicateBuilder()
- .property(UserResourceProvider.USER_USERNAME_PROPERTY_ID)
- .equals("User100")
- .toPredicate();
- provider.updateResources(request, predicate);
+ provider.updateResources(request, createPredicate(requestedUsername));
- // verify
- verify(securityHelper, user, users, response);
+ verifyAll();
}
- @Test
- public void testDeleteResources() throws Exception {
- Resource.Type type = Resource.Type.User;
+ private void deleteResourcesTest(Authentication authentication, String requestedUsername) throws Exception {
+ Injector injector = createInjector();
- AmbariManagementController managementController = createMock(AmbariManagementController.class);
- RequestStatusResponse response = createNiceMock(RequestStatusResponse.class);
+ User user = createMockUser(requestedUsername);
- // set expectations
- managementController.deleteUsers(AbstractResourceProviderTest.Matcher.getUserRequestSet("User100"));
+ Users users = injector.getInstance(Users.class);
+ expect(users.getAnyUser(requestedUsername)).andReturn(user).atLeastOnce();
+ users.removeUser(user);
+ expectLastCall().atLeastOnce();
// replay
- replay(managementController, response);
+ replayAll();
- ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
- type,
- PropertyHelper.getPropertyIds(type),
- PropertyHelper.getKeyPropertyIds(type),
- managementController);
+ AmbariMetaInfo ambariMetaInfo = injector.getInstance(AmbariMetaInfo.class);
+ ambariMetaInfo.init();
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
- Predicate predicate = new PredicateBuilder().property(UserResourceProvider.USER_USERNAME_PROPERTY_ID).
- equals("User100").toPredicate();
- provider.deleteResources(predicate);
+ AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
+
+ ResourceProvider provider = getResourceProvider(managementController);
+
+ provider.deleteResources(createPredicate(requestedUsername));
// verify
- verify(managementController, response);
+ verifyAll();
}
- private Injector createInjector() {
- return Guice.createInjector(new AbstractModule() {
- @Override
- protected void configure() {
- bind(EntityManager.class).toInstance(createNiceMock(EntityManager.class));
- bind(DBAccessor.class).toInstance(createNiceMock(DBAccessor.class));
- bind(ActionDBAccessor.class).toInstance(createNiceMock(ActionDBAccessor.class));
- bind(ExecutionScheduler.class).toInstance(createNiceMock(ExecutionScheduler.class));
- bind(SecurityHelper.class).toInstance(createMock(SecurityHelper.class));
- bind(OsFamily.class).toInstance(createNiceMock(OsFamily.class));
- bind(AmbariMetaInfo.class).toInstance(createMock(AmbariMetaInfo.class));
- bind(ActionManager.class).toInstance(createNiceMock(ActionManager.class));
- bind(RequestFactory.class).toInstance(createNiceMock(RequestFactory.class));
- bind(RequestExecutionFactory.class).toInstance(createNiceMock(RequestExecutionFactory.class));
- bind(StageFactory.class).toInstance(createNiceMock(StageFactory.class));
- bind(RoleGraphFactory.class).to(RoleGraphFactoryImpl.class);
- bind(Clusters.class).toInstance(createNiceMock(Clusters.class));
- bind(AbstractRootServiceResponseFactory.class).toInstance(createNiceMock(AbstractRootServiceResponseFactory.class));
- bind(StackManagerFactory.class).toInstance(createNiceMock(StackManagerFactory.class));
- bind(ConfigFactory.class).toInstance(createNiceMock(ConfigFactory.class));
- bind(ConfigGroupFactory.class).toInstance(createNiceMock(ConfigGroupFactory.class));
- bind(ServiceFactory.class).toInstance(createNiceMock(ServiceFactory.class));
- bind(ServiceComponentFactory.class).toInstance(createNiceMock(ServiceComponentFactory.class));
- bind(ServiceComponentHostFactory.class).toInstance(createNiceMock(ServiceComponentHostFactory.class));
- bind(PasswordEncoder.class).toInstance(createNiceMock(PasswordEncoder.class));
- bind(KerberosHelper.class).toInstance(createNiceMock(KerberosHelper.class));
- bind(Users.class).toInstance(createMock(Users.class));
- bind(AmbariManagementController.class).to(AmbariManagementControllerImpl.class);
- bind(CredentialStoreService.class).to(CredentialStoreServiceImpl.class);
- }
- });
+ private Predicate createPredicate(String requestedUsername) {
+ return new PredicateBuilder()
+ .property(UserResourceProvider.USER_USERNAME_PROPERTY_ID)
+ .equals(requestedUsername)
+ .toPredicate();
+ }
+
+ private User createMockUser(String username) {
+ User user = createMock(User.class);
+ expect(user.getUserId()).andReturn(username.hashCode()).anyTimes();
+ expect(user.getUserName()).andReturn(username).anyTimes();
+ expect(user.getUserType()).andReturn(UserType.LOCAL).anyTimes();
+ expect(user.isLdapUser()).andReturn(false).anyTimes();
+ expect(user.isActive()).andReturn(true).anyTimes();
+ expect(user.isAdmin()).andReturn(false).anyTimes();
+ expect(user.getGroups()).andReturn(Collections.<String>emptyList()).anyTimes();
+
+ return user;
+ }
+
+ private ResourceProvider getResourceProvider(AmbariManagementController managementController) {
+ return AbstractControllerResourceProvider.getResourceProvider(
+ Resource.Type.User,
+ PropertyHelper.getPropertyIds(Resource.Type.User),
+ PropertyHelper.getKeyPropertyIds(Resource.Type.User),
+ managementController);
}
-}
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/7d45f1f7/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProviderTest.java
index 8400efd..d85b37b 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProviderTest.java
@@ -42,6 +42,7 @@ import org.apache.ambari.server.orm.entities.ViewEntityTest;
import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
import org.apache.ambari.server.orm.entities.ViewInstanceEntityTest;
import org.apache.ambari.server.security.SecurityHelper;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
import org.apache.ambari.server.view.ViewInstanceHandlerList;
import org.apache.ambari.server.view.ViewRegistry;
import org.apache.ambari.server.view.ViewRegistryTest;
@@ -50,6 +51,7 @@ import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
+import org.springframework.security.core.context.SecurityContextHolder;
import java.util.Collections;
import java.util.LinkedList;
@@ -149,6 +151,8 @@ public class ViewPrivilegeResourceProviderTest {
replay(privilegeDAO, userDAO, groupDAO, principalDAO, permissionDAO, resourceDAO, privilegeEntity, resourceEntity,
userEntity, principalEntity, permissionEntity, principalTypeEntity);
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator("admin"));
+
PrivilegeResourceProvider provider = new ViewPrivilegeResourceProvider();
Set<Resource> resources = provider.getResources(PropertyHelper.getReadRequest(), null);
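Review bot: The administrator authentication placed in `SecurityContextHolder` just before `new ViewPrivilegeResourceProvider()` is never cleared, and the holder's default strategy is thread-local, so it stays in place for whatever test next runs on the same thread. A later test that forgets to set its own authentication would then pass its authorization checks as "admin" and hide a missing check. Adding `@After public void clearAuthentication() { SecurityContextHolder.clearContext(); }` (plus the `org.junit.After` import) keeps each test's identity explicit. The `@BeforeClass` setup added to AmbariAuthorizationFilterTest has the same gap and would want a matching `@AfterClass`. The test method this hunk sits in starts and ends outside the hunk.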
http://git-wip-us.apache.org/repos/asf/ambari/blob/7d45f1f7/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java b/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
new file mode 100644
index 0000000..634d840
--- /dev/null
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
@@ -0,0 +1,164 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.security;
+
+import org.apache.ambari.server.orm.entities.PermissionEntity;
+import org.apache.ambari.server.orm.entities.PrivilegeEntity;
+import org.apache.ambari.server.orm.entities.ResourceEntity;
+import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
+import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity;
+import org.apache.ambari.server.security.authorization.AmbariGrantedAuthority;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+
+public class TestAuthenticationFactory {
+ public static Authentication createAdministrator(String name) {
+ return new TestAuthorization(name, Collections.singleton(createAdministratorGrantedAuthority()));
+ }
+
+ public static Authentication createClusterAdministrator(String name) {
+ return new TestAuthorization(name, Collections.singleton(createClusterAdministratorGrantedAuthority()));
+ }
+
+ private static GrantedAuthority createAdministratorGrantedAuthority() {
+ return new AmbariGrantedAuthority(createAdministratorPrivilegeEntity());
+ }
+
+ private static GrantedAuthority createClusterAdministratorGrantedAuthority() {
+ return new AmbariGrantedAuthority(createClusterAdministratorPrivilegeEntity());
+ }
+
+ private static PrivilegeEntity createAdministratorPrivilegeEntity() {
+ PrivilegeEntity privilegeEntity = new PrivilegeEntity();
+ privilegeEntity.setResource(createAmbariResourceEntity());
+ privilegeEntity.setPermission(createAdministratorPermission());
+ return privilegeEntity;
+ }
+
+ private static PrivilegeEntity createClusterAdministratorPrivilegeEntity() {
+ PrivilegeEntity privilegeEntity = new PrivilegeEntity();
+ privilegeEntity.setResource(createClusterResourceEntity());
+ privilegeEntity.setPermission(createClusterAdministratorPermission());
+ return privilegeEntity;
+ }
+
+ private static PermissionEntity createAdministratorPermission() {
+ PermissionEntity permissionEntity = new PermissionEntity();
+ permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.AMBARI));
+
+ Collection<RoleAuthorizationEntity> authorizations = new ArrayList<RoleAuthorizationEntity>();
+ for (RoleAuthorization roleAuthorization : RoleAuthorization.values()) {
+ authorizations.add(createRoleAuthorizationEntity(roleAuthorization));
+ }
+
+ permissionEntity.setAuthorizations(authorizations);
+
+ return permissionEntity;
+ }
+
+ private static PermissionEntity createClusterAdministratorPermission() {
+ PermissionEntity permissionEntity = new PermissionEntity();
+ permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.CLUSTER));
+ permissionEntity.setAuthorizations(Arrays.asList(
+ createRoleAuthorizationEntity(RoleAuthorization.CLUSTER_VIEW_ALERTS),
+ createRoleAuthorizationEntity(RoleAuthorization.CLUSTER_TOGGLE_ALERTS)));
+
+ return permissionEntity;
+ }
+
+ private static ResourceEntity createAmbariResourceEntity() {
+ ResourceEntity resourceEntity = new ResourceEntity();
+ resourceEntity.setId(null);
+ resourceEntity.setResourceType(createResourceTypeEntity(ResourceType.AMBARI));
+ return resourceEntity;
+ }
+
+ private static ResourceEntity createClusterResourceEntity() {
+ ResourceEntity resourceEntity = new ResourceEntity();
+ resourceEntity.setId(2L);
+ resourceEntity.setResourceType(createResourceTypeEntity(ResourceType.CLUSTER));
+ return resourceEntity;
+ }
+
+ private static ResourceTypeEntity createResourceTypeEntity(ResourceType resourceType) {
+ ResourceTypeEntity resourceTypeEntity = new ResourceTypeEntity();
+ resourceTypeEntity.setId(resourceType.getId());
+ resourceTypeEntity.setName(resourceType.name());
+ return resourceTypeEntity;
+ }
+
+ private static RoleAuthorizationEntity createRoleAuthorizationEntity(RoleAuthorization authorization) {
+ RoleAuthorizationEntity roleAuthorizationEntity = new RoleAuthorizationEntity();
+ roleAuthorizationEntity.setAuthorizationId(authorization.getId());
+ roleAuthorizationEntity.setAuthorizationName(authorization.name());
+ return roleAuthorizationEntity;
+ }
+
+ private static class TestAuthorization implements Authentication {
+ private final String name;
+ private final Collection<? extends GrantedAuthority> authorities;
+
+ private TestAuthorization(String name, Collection<? extends GrantedAuthority> authorities) {
+ this.name = name;
+ this.authorities = authorities;
+ }
+
+ @Override
+ public Collection<? extends GrantedAuthority> getAuthorities() {
+ return authorities;
+ }
+
+ @Override
+ public Object getCredentials() {
+ return null;
+ }
+
+ @Override
+ public Object getDetails() {
+ return null;
+ }
+
+ @Override
+ public Object getPrincipal() {
+ return null;
+ }
+
+ @Override
+ public boolean isAuthenticated() {
+ return true;
+ }
+
+ @Override
+ public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
+
+ }
+
+ @Override
+ public String getName() {
+ return name;
+ }
+ }
+}
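Review bot: `createClusterAdministrator` builds an authority carrying only `CLUSTER_VIEW_ALERTS` and `CLUSTER_TOGGLE_ALERTS` on a hard-coded cluster resource id `2L`, which is probably much narrower than the role its name suggests (the real role definition is not visible here). A test that expects this identity to be denied an operation can then pass because the fixture is thin, not because the check is correct. Either rename the method to say what it grants or document it, e.g. `/** Minimal cluster-scoped fixture: alert view/toggle on cluster resource 2 only; not the full cluster administrator role. */`. Separately, the nested class implements `Authentication` but is named `TestAuthorization`, and its `getPrincipal()` returns null, so code under test that reads the principal would fail with a NullPointerException instead of an authorization error.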
http://git-wip-us.apache.org/repos/asf/ambari/blob/7d45f1f7/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
index 2efab89..d4b7d5a 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
@@ -43,9 +43,11 @@ import junit.framework.Assert;
import org.apache.ambari.server.orm.entities.PermissionEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
import org.apache.ambari.server.orm.entities.ViewInstanceEntity.ViewInstanceVersionDTO;
+import org.apache.ambari.server.security.authorization.internal.InternalAuthenticationToken;
import org.apache.ambari.server.view.ViewRegistry;
import org.easymock.EasyMock;
import org.easymock.IAnswer;
+import org.junit.BeforeClass;
import org.junit.Test;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
@@ -58,6 +60,13 @@ import com.google.common.collect.Table.Cell;
import org.springframework.security.core.context.SecurityContextHolder;
public class AmbariAuthorizationFilterTest {
+ @BeforeClass
+ public static void setupAuthentication() {
+ // Set authenticated user so that authorization checks will pass
+ InternalAuthenticationToken authenticationToken = new InternalAuthenticationToken("admin");
+ authenticationToken.setAuthenticated(true);
+ SecurityContextHolder.getContext().setAuthentication(authenticationToken);
+ }
@Test
public void testDoFilter_postPersist_hasOperatePermission() throws Exception {
@@ -184,7 +193,7 @@ public class AmbariAuthorizationFilterTest {
urlTests.put("/any/other/URL", "GET", true);
urlTests.put("/any/other/URL", "POST", true);
- performGeneralDoFilterTest("admin", new int[] {PermissionEntity.AMBARI_ADMINISTRATOR_PERMISSION}, urlTests, false);
+ performGeneralDoFilterTest("admin", new int[]{PermissionEntity.AMBARI_ADMINISTRATOR_PERMISSION}, urlTests, false);
}
@Test
@@ -210,14 +219,14 @@ public class AmbariAuthorizationFilterTest {
urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "POST", false);
urlTests.put("/api/v1/users/user1", "GET", true);
urlTests.put("/api/v1/users/user1", "POST", true);
- urlTests.put("/api/v1/users/user2", "GET", false);
- urlTests.put("/api/v1/users/user2", "POST", false);
+ urlTests.put("/api/v1/users/user2", "GET", true);
+ urlTests.put("/api/v1/users/user2", "POST", true);
urlTests.put("/api/v1/groups", "GET", false);
urlTests.put("/api/v1/ldap_sync_events", "GET", false);
urlTests.put("/any/other/URL", "GET", true);
urlTests.put("/any/other/URL", "POST", false);
- performGeneralDoFilterTest("user1", new int[] {PermissionEntity.CLUSTER_USER_PERMISSION}, urlTests, false);
+ performGeneralDoFilterTest("user1", new int[]{PermissionEntity.CLUSTER_USER_PERMISSION}, urlTests, false);
}
@Test
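Review bot: The flipped expectations for `/api/v1/users/user2` under `user1` make this test assert that the filter lets one user reach another user's resource, and nothing here says where that access is refused instead. If the decision has moved into the resource providers, as the commit title suggests, a comment above these lines such as `// Filter no longer restricts /users/{name}; per-user access is presumably enforced in UserResourceProvider` would stop a reader taking this for a regression. The cross-user denial should then be asserted in the provider tests. The same flip appears in the next three hunks, the last of them for `/api/v1/users/user1`. The test method begins before this hunk.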
@@ -243,8 +252,8 @@ public class AmbariAuthorizationFilterTest {
urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "POST", false);
urlTests.put("/api/v1/users/user1", "GET", true);
urlTests.put("/api/v1/users/user1", "POST", true);
- urlTests.put("/api/v1/users/user2", "GET", false);
- urlTests.put("/api/v1/users/user2", "POST", false);
+ urlTests.put("/api/v1/users/user2", "GET", true);
+ urlTests.put("/api/v1/users/user2", "POST", true);
urlTests.put("/api/v1/groups", "GET", false);
urlTests.put("/api/v1/ldap_sync_events", "GET", false);
urlTests.put("/any/other/URL", "GET", true);
@@ -276,8 +285,8 @@ public class AmbariAuthorizationFilterTest {
urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "POST", false);
urlTests.put("/api/v1/users/user1", "GET", true);
urlTests.put("/api/v1/users/user1", "POST", true);
- urlTests.put("/api/v1/users/user2", "GET", false);
- urlTests.put("/api/v1/users/user2", "POST", false);
+ urlTests.put("/api/v1/users/user2", "GET", true);
+ urlTests.put("/api/v1/users/user2", "POST", true);
urlTests.put("/api/v1/groups", "GET", false);
urlTests.put("/api/v1/ldap_sync_events", "GET", false);
urlTests.put("/any/other/URL", "GET", true);
@@ -307,8 +316,8 @@ public class AmbariAuthorizationFilterTest {
urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "POST", false);
urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "GET", false);
urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "POST", false);
- urlTests.put("/api/v1/users/user1", "GET", false);
- urlTests.put("/api/v1/users/user1", "POST", false);
+ urlTests.put("/api/v1/users/user1", "GET", true);
+ urlTests.put("/api/v1/users/user1", "POST", true);
urlTests.put("/api/v1/users/user2", "GET", true);
urlTests.put("/api/v1/users/user2", "POST", true);
urlTests.put("/any/other/URL", "GET", true);
@@ -437,54 +446,6 @@ public class AmbariAuthorizationFilterTest {
}
@Test
- public void testParseUserName() throws Exception {
- final String[] pathesToTest = {
- "/api/v1/users/user",
- "/api/v1/users/user?fields=*",
- "/api/v22/users/user?fields=*"
- };
- for (String contextPath: pathesToTest) {
- final String username = AmbariAuthorizationFilter.parseUserName(contextPath);
- Assert.assertEquals("user", username);
- }
- }
-
- @Test
- public void testParseUserNameSpecial() throws Exception {
- String contextPath = "/api/v1/users/user%3F";
- String username = AmbariAuthorizationFilter.parseUserName(contextPath);
- Assert.assertEquals("user?", username);
-
- contextPath = "/api/v1/users/a%20b";
- username = AmbariAuthorizationFilter.parseUserName(contextPath);
- Assert.assertEquals("a b", username);
-
- contextPath = "/api/v1/users/a%2Bb";
- username = AmbariAuthorizationFilter.parseUserName(contextPath);
- Assert.assertEquals("a+b", username);
-
- contextPath = "/api/v1/users/a%21";
- username = AmbariAuthorizationFilter.parseUserName(contextPath);
- Assert.assertEquals("a!", username);
-
- contextPath = "/api/v1/users/a%3D";
- username = AmbariAuthorizationFilter.parseUserName(contextPath);
- Assert.assertEquals("a=", username);
-
- contextPath = "/api/v1/users/a%2Fb";
- username = AmbariAuthorizationFilter.parseUserName(contextPath);
- Assert.assertEquals("a/b", username);
-
- contextPath = "/api/v1/users/a%23";
- username = AmbariAuthorizationFilter.parseUserName(contextPath);
- Assert.assertEquals("a#", username);
-
- contextPath = "/api/v1/users/%3F%3F";
- username = AmbariAuthorizationFilter.parseUserName(contextPath);
- Assert.assertEquals("??", username);
- }
-
- @Test
public void testParseViewContextPath() throws Exception {
final String[] pathesToTest = {
AmbariAuthorizationFilter.VIEWS_CONTEXT_PATH_PREFIX + "MY_VIEW/1.0.0/INSTANCE1",
[3/3] ambari git commit: AMBARI-13977. Enforce granular role-based
access control for user functions (rlevas)
Posted by rl...@apache.org.
AMBARI-13977. Enforce granular role-based access control for user functions (rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/7d45f1f7
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/7d45f1f7
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/7d45f1f7
Branch: refs/heads/trunk
Commit: 7d45f1f71f9b569d3d541ebb7cbd6b79bfd8fdb4
Parents: e158472
Author: Robert Levas <rl...@hortonworks.com>
Authored: Mon Nov 23 18:57:44 2015 -0500
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Mon Nov 23 18:57:44 2015 -0500
----------------------------------------------------------------------
.../controller/AmbariManagementController.java | 5 +-
.../AmbariManagementControllerImpl.java | 96 +--
.../internal/AbstractResourceProvider.java | 5 +-
.../ActiveWidgetLayoutResourceProvider.java | 43 +-
.../AmbariPrivilegeResourceProvider.java | 8 +
.../ClusterPrivilegeResourceProvider.java | 29 +-
.../internal/PrivilegeResourceProvider.java | 10 +-
.../UserAuthorizationResourceProvider.java | 22 +-
.../internal/UserPrivilegeResourceProvider.java | 18 +
.../internal/UserResourceProvider.java | 14 +-
.../AmbariAuthorizationFilter.java | 46 +-
.../authorization/AuthorizationHelper.java | 33 +-
.../AmbariManagementControllerImplTest.java | 11 +
.../AmbariManagementControllerTest.java | 11 +
.../ActiveWidgetLayoutResourceProviderTest.java | 458 ++++++++-----
.../AmbariPrivilegeResourceProviderTest.java | 626 +++++++++++++-----
.../ClusterPrivilegeResourceProviderTest.java | 501 +++++++++++---
.../UserAuthorizationResourceProviderTest.java | 172 +++--
.../UserPrivilegeResourceProviderTest.java | 140 ++--
.../internal/UserResourceProviderTest.java | 646 +++++++++----------
.../ViewPrivilegeResourceProviderTest.java | 4 +
.../security/TestAuthenticationFactory.java | 164 +++++
.../AmbariAuthorizationFilterTest.java | 77 +--
23 files changed, 2157 insertions(+), 982 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/7d45f1f7/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementController.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementController.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementController.java
index ea7603f..b446121 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementController.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementController.java
@@ -32,6 +32,7 @@ import org.apache.ambari.server.controller.internal.RequestStageContainer;
import org.apache.ambari.server.controller.metrics.timeline.cache.TimelineMetricCacheProvider;
import org.apache.ambari.server.metadata.RoleCommandOrder;
import org.apache.ambari.server.scheduler.ExecutionScheduleManager;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.security.ldap.LdapBatchDto;
import org.apache.ambari.server.security.ldap.LdapSyncDto;
import org.apache.ambari.server.stageplanner.RoleGraphFactory;
@@ -182,7 +183,7 @@ public interface AmbariManagementController {
* @throws AmbariException if the users could not be read
*/
public Set<UserResponse> getUsers(Set<UserRequest> requests)
- throws AmbariException;
+ throws AmbariException, AuthorizationException;
/**
* Gets the user groups identified by the given request objects.
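Review bot: The Javadoc of `getUsers` still lists only `@throws AmbariException if the users could not be read` although the signature now also declares `AuthorizationException`. Add `@throws AuthorizationException if the authenticated user is not authorized to retrieve the requested users`, and the equivalent line on `updateUsers` in the next hunk. `Command.invoke()` in AbstractResourceProvider.java has the same gap: its Javadoc documents `AmbariException` only.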
@@ -235,7 +236,7 @@ public interface AmbariManagementController {
*
* @throws AmbariException if the resources cannot be updated
*/
- public void updateUsers(Set<UserRequest> requests) throws AmbariException;
+ public void updateUsers(Set<UserRequest> requests) throws AmbariException, AuthorizationException;
/**
* Updates the groups specified.
http://git-wip-us.apache.org/repos/asf/ambari/blob/7d45f1f7/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java
index 443c715..7cb7f7d 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java
@@ -100,16 +100,15 @@ import org.apache.ambari.server.orm.dao.WidgetLayoutDAO;
import org.apache.ambari.server.orm.entities.ClusterEntity;
import org.apache.ambari.server.orm.entities.ClusterVersionEntity;
import org.apache.ambari.server.orm.entities.OperatingSystemEntity;
-import org.apache.ambari.server.orm.entities.PermissionEntity;
-import org.apache.ambari.server.orm.entities.PrivilegeEntity;
import org.apache.ambari.server.orm.entities.RepositoryEntity;
import org.apache.ambari.server.orm.entities.RepositoryVersionEntity;
import org.apache.ambari.server.orm.entities.WidgetEntity;
import org.apache.ambari.server.orm.entities.WidgetLayoutEntity;
import org.apache.ambari.server.orm.entities.WidgetLayoutUserWidgetEntity;
import org.apache.ambari.server.scheduler.ExecutionScheduleManager;
-import org.apache.ambari.server.security.SecurityHelper;
-import org.apache.ambari.server.security.authorization.AmbariGrantedAuthority;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
import org.apache.ambari.server.security.authorization.AuthorizationHelper;
import org.apache.ambari.server.security.authorization.Group;
import org.apache.ambari.server.security.authorization.User;
@@ -170,7 +169,6 @@ import org.apache.commons.lang.math.NumberUtils;
import org.apache.http.client.utils.URIBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import org.springframework.security.core.GrantedAuthority;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
@@ -262,9 +260,6 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
*/
private KerberosHelper kerberosHelper;
- @Inject
- private SecurityHelper securityHelper;
-
final private String masterHostname;
final private Integer masterPort;
final private String masterProtocol;
@@ -2780,22 +2775,30 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
* the requested properties
*/
@Override
- public synchronized void updateUsers(Set<UserRequest> requests) throws AmbariException {
+ public synchronized void updateUsers(Set<UserRequest> requests) throws AmbariException, AuthorizationException {
+ boolean isUserAdministrator = AuthorizationHelper.isAuthorized(ResourceType.AMBARI, null,
+ RoleAuthorization.AMBARI_MANAGE_USERS);
+ String authenticatedUsername = AuthorizationHelper.getAuthenticatedName();
+
for (UserRequest request : requests) {
- User u = users.getAnyUser(request.getUsername());
- if (null == u) {
- continue;
+ String requestedUsername = request.getUsername();
+
+ // An administrator can modify any user, else a user can only modify themself.
+ if (!isUserAdministrator && (!authenticatedUsername.equalsIgnoreCase(requestedUsername))) {
+ throw new AuthorizationException();
}
- if (null != request.getOldPassword() && null != request.getPassword()) {
- users.modifyPassword(u.getUserName(), request.getOldPassword(),
- request.getPassword());
+ User u = users.getAnyUser(requestedUsername);
+ if (null == u) {
+ continue;
}
if (null != request.isActive()) {
// If this value is being set, make sure the authenticated user is an administrator before
// allowing to change it. Only administrators should be able to change a user's active state
- verifyAuthorization();
+ if (!isUserAdministrator) {
+ throw new AuthorizationException("The authenticated user is not authorized to update the requested resource property");
+ }
users.setUserActive(u.getUserName(), request.isActive());
}
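Review bot: In the self-or-administrator check, `authenticatedUsername.equalsIgnoreCase(requestedUsername)` dereferences the result of `AuthorizationHelper.getAuthenticatedName()`, whose null behaviour is not visible here; if it can return null when no authentication is present, a non-administrator request ends in a NullPointerException instead of an `AuthorizationException`. Guard it explicitly: `if (!isUserAdministrator && (authenticatedUsername == null || !authenticatedUsername.equalsIgnoreCase(requestedUsername))) {`. The comparison ignores case, which is only safe if user names are unique ignoring case in the user store; that is worth confirming, because the filter tests in this commit suggest this check is now what keeps one non-administrator away from another user's record. The loop also applies changes for earlier requests before a later request throws, and `updateUsers` continues in the next hunk.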
@@ -2803,13 +2806,21 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
// If this value is being set, make sure the authenticated user is an administrator before
// allowing to change it. Only administrators should be able to change a user's administrative
// privileges
- verifyAuthorization();
+ if (!isUserAdministrator) {
+ throw new AuthorizationException("The authenticated user is not authorized to update the requested resource property");
+ }
+
if (request.isAdmin()) {
users.grantAdminPrivilege(u.getUserId());
} else {
users.revokeAdminPrivilege(u.getUserId());
}
}
+
+ if (null != request.getOldPassword() && null != request.getPassword()) {
+ users.modifyPassword(u.getUserName(), request.getOldPassword(),
+ request.getPassword());
+ }
}
}
@@ -3162,7 +3173,7 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
@Override
public Set<UserResponse> getUsers(Set<UserRequest> requests)
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
Set<UserResponse> responses = new HashSet<UserResponse>();
@@ -3172,8 +3183,25 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
LOG.debug("Received a getUsers request"
+ ", userRequest=" + r.toString());
}
+
+ String requestedUsername = r.getUsername();
+ String authenticatedUsername = AuthorizationHelper.getAuthenticatedName();
+
+ // A user resource may be retrieved by an administrator or the same user.
+ if(!AuthorizationHelper.isAuthorized(ResourceType.AMBARI, null, RoleAuthorization.AMBARI_MANAGE_USERS)) {
+ if (null == requestedUsername) {
+ // Since the authenticated user is not the administrator, force only that user's resource
+ // to be returned
+ requestedUsername = authenticatedUsername;
+ } else if (!requestedUsername.equalsIgnoreCase(authenticatedUsername)) {
+ // Since the authenticated user is not the administrator and is asking for a different user,
+ // throw an AuthorizationException
+ throw new AuthorizationException();
+ }
+ }
+
// get them all
- if (null == r.getUsername()) {
+ if (null == requestedUsername) {
for (User u : users.getAllUsers()) {
UserResponse resp = new UserResponse(u.getUserName(), u.getUserType(), u.isLdapUser(), u.isActive(), u
.isAdmin());
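Review bot: When the caller lacks `AMBARI_MANAGE_USERS` and the request names no user, `requestedUsername = authenticatedUsername;` is the only restriction, so if `AuthorizationHelper.getAuthenticatedName()` returns null (its contract is not visible here) `requestedUsername` stays null and the `getAllUsers()` branch below returns every user. Reject that case before the assignment: `if (null == authenticatedUsername) { throw new AuthorizationException(); }`. The `isAuthorized(...)` and `getAuthenticatedName()` calls also run once per request inside the loop, whereas `updateUsers` hoists them; doing the same here keeps the two methods consistent. The method body starts before and continues after this hunk.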
@@ -3182,13 +3210,13 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
}
} else {
- User u = users.getAnyUser(r.getUsername());
+ User u = users.getAnyUser(requestedUsername);
if (null == u) {
if (requests.size() == 1) {
// only throw exceptin if there is a single request
// if there are multiple requests, this indicates an OR predicate
throw new ObjectNotFoundException("Cannot find user '"
- + r.getUsername() + "'");
+ + requestedUsername + "'");
}
} else {
UserResponse resp = new UserResponse(u.getUserName(), u.getUserType(), u.isLdapUser(), u.isActive(), u
@@ -4378,32 +4406,6 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
}
}
- /**
- * Determine whether or not the authenticated user has administrator privileges
- *
- * @throws IllegalArgumentException if the authenticated user does not have administrator privileges.
- */
- protected void verifyAuthorization() throws AmbariException {
- boolean isAuthorized = false;
-
- for (GrantedAuthority grantedAuthority : securityHelper.getCurrentAuthorities()) {
- if (grantedAuthority instanceof AmbariGrantedAuthority) {
- AmbariGrantedAuthority authority = (AmbariGrantedAuthority) grantedAuthority;
- PrivilegeEntity privilegeEntity = authority.getPrivilegeEntity();
- Integer permissionId = privilegeEntity.getPermission().getId();
-
- if (permissionId.equals(PermissionEntity.AMBARI_ADMINISTRATOR_PERMISSION)) {
- isAuthorized = true;
- break;
- }
- }
- }
-
- if (!isAuthorized) {
- throw new IllegalArgumentException("You do not have authorization to update the requested resource property.");
- }
- }
-
@Override
public TimelineMetricCacheProvider getTimelineMetricCacheProvider() {
return injector.getInstance(TimelineMetricCacheProvider.class);
http://git-wip-us.apache.org/repos/asf/ambari/blob/7d45f1f7/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractResourceProvider.java
index 3464c19..ac9935d 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractResourceProvider.java
@@ -38,6 +38,7 @@ import org.apache.ambari.server.controller.predicate.EqualsPredicate;
import org.apache.ambari.server.controller.spi.*;
import org.apache.ambari.server.controller.utilities.PredicateHelper;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.utils.RetryHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -441,7 +442,7 @@ public abstract class AbstractResourceProvider extends BaseProvider implements R
}
//invoke command with retry support in case of database fail
- private <T> T invokeWithRetry(Command<T> command) throws AmbariException {
+ private <T> T invokeWithRetry(Command<T> command) throws AmbariException, AuthorizationException {
RetryHelper.clearAffectedClusters();
int retryAttempts = RetryHelper.getOperationsRetryAttempts();
do {
@@ -485,6 +486,6 @@ public abstract class AbstractResourceProvider extends BaseProvider implements R
*
* @throws AmbariException thrown if a problem occurred during invocation
*/
- public T invoke() throws AmbariException;
+ public T invoke() throws AmbariException, AuthorizationException;
}
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/7d45f1f7/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProvider.java
index 52b0d56..10eecac 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProvider.java
@@ -21,7 +21,6 @@ import com.google.gson.Gson;
import com.google.gson.reflect.TypeToken;
import com.google.inject.Inject;
import org.apache.ambari.server.AmbariException;
-import org.apache.ambari.server.ObjectNotFoundException;
import org.apache.ambari.server.StaticallyInject;
import org.apache.ambari.server.controller.AmbariManagementController;
import org.apache.ambari.server.controller.WidgetResponse;
@@ -43,14 +42,14 @@ import org.apache.ambari.server.orm.entities.UserEntity;
import org.apache.ambari.server.orm.entities.WidgetEntity;
import org.apache.ambari.server.orm.entities.WidgetLayoutEntity;
import org.apache.ambari.server.orm.entities.WidgetLayoutUserWidgetEntity;
-import org.apache.commons.lang.ObjectUtils;
-import org.apache.commons.lang.StringUtils;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
-import java.util.LinkedHashSet;
-import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
@@ -111,6 +110,16 @@ public class ActiveWidgetLayoutResourceProvider extends AbstractControllerResour
private static Gson gson;
/**
+ * For testing purposes
+ */
+ public static void init(UserDAO userDAO, WidgetDAO widgetDAO, WidgetLayoutDAO widgetLayoutDAO, Gson gson){
+ ActiveWidgetLayoutResourceProvider.userDAO = userDAO;
+ ActiveWidgetLayoutResourceProvider.widgetDAO = widgetDAO;
+ ActiveWidgetLayoutResourceProvider.widgetLayoutDAO = widgetLayoutDAO;
+ ActiveWidgetLayoutResourceProvider.gson = gson;
+ }
+
+ /**
* Create a new resource provider.
*
*/
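Review bot: `init(UserDAO, WidgetDAO, WidgetLayoutDAO, Gson)` is a public static method that overwrites the provider's static DAOs and is documented only as "For testing purposes", so any code on the classpath can replace the data access objects that the authorization-checked paths read from. If the tests sit in the same package, as the test class name in the diffstat suggests, drop `public` to make it package-private, and extend the Javadoc to say that it replaces the statically injected fields. The same applies to `init(PermissionDAO, ResourceTypeDAO)` added to UserAuthorizationResourceProvider.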
@@ -137,9 +146,18 @@ public class ActiveWidgetLayoutResourceProvider extends AbstractControllerResour
List<WidgetLayoutEntity> layoutEntities = new ArrayList<WidgetLayoutEntity>();
+ boolean isUserAdministrator = AuthorizationHelper.isAuthorized(ResourceType.AMBARI, null,
+ RoleAuthorization.AMBARI_MANAGE_USERS);
+
for (Map<String, Object> propertyMap: propertyMaps) {
final String userName = propertyMap.get(WIDGETLAYOUT_USERNAME_PROPERTY_ID).toString();
- java.lang.reflect.Type type = new TypeToken<Set<Map<String, String>>>(){}.getType();
+
+ // Ensure that the authenticated user has authorization to get this information
+ if (!isUserAdministrator && !AuthorizationHelper.getAuthenticatedName().equalsIgnoreCase(userName)) {
+ throw new AuthorizationException();
+ }
+
+ java.lang.reflect.Type type = new TypeToken<Set<Map<String, String>>>(){}.getType();
Set<Map<String, String>> activeWidgetLayouts = gson.fromJson(userDAO.findUserByName(userName).getActiveWidgetLayouts(), type);
if (activeWidgetLayouts != null) {
for (Map<String, String> widgetLayoutId : activeWidgetLayouts) {
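Review bot: The self-or-administrator test `!isUserAdministrator && !AuthorizationHelper.getAuthenticatedName().equalsIgnoreCase(userName)` is written out here, again in the update command of this class, and in UserAuthorizationResourceProvider, while AmbariManagementControllerImpl carries two further variants with the operands in a different order. Copies of an authorization rule drift apart; moving it into one static helper on `AuthorizationHelper` that takes the requested user name and throws `AuthorizationException` would give a single place to handle a null authenticated name and to decide on case sensitivity. Within this loop the authenticated name can at least be read once before the `for`, next to `isUserAdministrator`. The enclosing method starts before and continues after this hunk.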
@@ -187,8 +205,17 @@ public class ActiveWidgetLayoutResourceProvider extends AbstractControllerResour
modifyResources(new Command<Void>() {
@Override
- public Void invoke() throws AmbariException {
+ public Void invoke() throws AmbariException, AuthorizationException {
+ boolean isUserAdministrator = AuthorizationHelper.isAuthorized(ResourceType.AMBARI, null,
+ RoleAuthorization.AMBARI_MANAGE_USERS);
+
for (Map<String, Object> propertyMap : propertyMaps) {
+ // Ensure that the authenticated user has authorization to get this information
+ String userName = propertyMap.get(WIDGETLAYOUT_USERNAME_PROPERTY_ID).toString();
+ if (!isUserAdministrator && !AuthorizationHelper.getAuthenticatedName().equalsIgnoreCase(userName)) {
+ throw new AuthorizationException();
+ }
+
Set<HashMap> widgetLayouts = (Set) propertyMap.get(WIDGETLAYOUT);
for (HashMap<String, String> widgetLayout : widgetLayouts) {
final Long layoutId;
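Review bot: The comment `// Ensure that the authenticated user has authorization to get this information` was carried over from the read path, but this command writes the user's active widget layouts. Change it to `// Ensure that the authenticated user is authorized to update this user's active widget layouts`. Since `userDAO.merge(user)` appears to run inside the same loop, an `AuthorizationException` on a later property map may leave earlier ones already written; whether a surrounding transaction rolls them back is not visible here and is worth a sentence in the comment.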
@@ -202,7 +229,7 @@ public class ActiveWidgetLayoutResourceProvider extends AbstractControllerResour
throw new AmbariException("There is no widget layout with id " + layoutId);
}
}
- UserEntity user = userDAO.findUserByName(propertyMap.get(WIDGETLAYOUT_USERNAME_PROPERTY_ID).toString());
+ UserEntity user = userDAO.findUserByName(userName);
user.setActiveWidgetLayouts(gson.toJson(propertyMap.get(WIDGETLAYOUT)));
userDAO.merge(user);
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/7d45f1f7/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
index 3670775..e5c95cb 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
@@ -29,8 +29,10 @@ import org.apache.ambari.server.orm.entities.UserEntity;
import org.apache.ambari.server.orm.entities.ViewEntity;
import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
import org.apache.ambari.server.view.ViewRegistry;
+import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
@@ -88,6 +90,12 @@ public class AmbariPrivilegeResourceProvider extends PrivilegeResourceProvider<O
*/
public AmbariPrivilegeResourceProvider() {
super(propertyIds, keyPropertyIds, Resource.Type.AmbariPrivilege);
+
+ EnumSet<RoleAuthorization> requiredAuthorizations = EnumSet.of(RoleAuthorization.AMBARI_ASSIGN_ROLES);
+ setRequiredCreateAuthorizations(requiredAuthorizations);
+ setRequiredDeleteAuthorizations(requiredAuthorizations);
+ setRequiredGetAuthorizations(requiredAuthorizations);
+ setRequiredUpdateAuthorizations(requiredAuthorizations);
}
// ----- AmbariPrivilegeResourceProvider ---------------------------------
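Review bot: One mutable `EnumSet` instance is passed to all four `setRequired…Authorizations` calls; whether those setters copy their argument is not visible here, and if they keep the reference, a later change to one operation's set silently changes the other three. Pass a read-only set instead, e.g. `Collections.unmodifiableSet(EnumSet.of(RoleAuthorization.AMBARI_ASSIGN_ROLES))`, if the setters accept a `Set`. A short comment stating that reading privileges also requires `AMBARI_ASSIGN_ROLES` would record the GET restriction as a deliberate decision. ClusterPrivilegeResourceProvider's constructor repeats the same lines.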
http://git-wip-us.apache.org/repos/asf/ambari/blob/7d45f1f7/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
index bbcd4a1..8f37764 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -28,8 +28,10 @@ import org.apache.ambari.server.orm.entities.PermissionEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.UserEntity;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
import java.util.Collections;
+import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
@@ -74,17 +76,6 @@ public class ClusterPrivilegeResourceProvider extends PrivilegeResourceProvider<
keyPropertyIds.put(Resource.Type.ClusterPrivilege, PRIVILEGE_ID_PROPERTY_ID);
}
- /**
- * The built-in VIEW.USER permission.
- */
- private final PermissionEntity clusterReadPermission;
-
- /**
- * The built-in VIEW.USER permission.
- */
- private final PermissionEntity clusterOperatePermission;
-
-
// ----- Constructors ------------------------------------------------------
/**
@@ -92,8 +83,12 @@ public class ClusterPrivilegeResourceProvider extends PrivilegeResourceProvider<
*/
public ClusterPrivilegeResourceProvider() {
super(propertyIds, keyPropertyIds, Resource.Type.ClusterPrivilege);
- clusterReadPermission = permissionDAO.findById(PermissionEntity.CLUSTER_USER_PERMISSION);
- clusterOperatePermission = permissionDAO.findById(PermissionEntity.CLUSTER_ADMINISTRATOR_PERMISSION);
+
+ EnumSet<RoleAuthorization> requiredAuthorizations = EnumSet.of(RoleAuthorization.AMBARI_ASSIGN_ROLES);
+ setRequiredCreateAuthorizations(requiredAuthorizations);
+ setRequiredDeleteAuthorizations(requiredAuthorizations);
+ setRequiredGetAuthorizations(requiredAuthorizations);
+ setRequiredUpdateAuthorizations(requiredAuthorizations);
}
@@ -105,7 +100,7 @@ public class ClusterPrivilegeResourceProvider extends PrivilegeResourceProvider<
* @param dao the cluster data access object
*/
public static void init(ClusterDAO dao) {
- clusterDAO = dao;
+ clusterDAO = dao;
}
@@ -165,9 +160,7 @@ public class ClusterPrivilegeResourceProvider extends PrivilegeResourceProvider<
@Override
protected PermissionEntity getPermission(String permissionName, ResourceEntity resourceEntity) throws AmbariException {
- return (permissionName.equals(PermissionEntity.CLUSTER_USER_PERMISSION_NAME)) ? clusterReadPermission :
- permissionName.equals(PermissionEntity.CLUSTER_ADMINISTRATOR_PERMISSION_NAME) ? clusterOperatePermission :
- super.getPermission(permissionName, resourceEntity);
+ return super.getPermission(permissionName, resourceEntity);
}
}
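Review bot: After this change `getPermission` only returns `super.getPermission(permissionName, resourceEntity)`, so the override adds nothing and can be deleted together with its `@Override`. If it is kept on purpose, add a one-line comment saying why, so it is not removed or re-specialised by accident later.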
http://git-wip-us.apache.org/repos/asf/ambari/blob/7d45f1f7/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
index 88e9906..4a44375 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
@@ -55,7 +55,7 @@ import org.apache.ambari.server.orm.entities.UserEntity;
/**
* Abstract resource provider for privilege resources.
*/
-public abstract class PrivilegeResourceProvider<T> extends AbstractResourceProvider {
+public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedResourceProvider {
/**
* Data access object used to obtain privilege entities.
@@ -160,7 +160,7 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractResourceProvi
// ----- ResourceProvider --------------------------------------------------
@Override
- public RequestStatus createResources(Request request)
+ public RequestStatus createResourcesAuthorized(Request request)
throws SystemException, UnsupportedPropertyException,
ResourceAlreadyExistsException, NoSuchParentResourceException {
for (Map<String, Object> properties : request.getProperties()) {
@@ -172,7 +172,7 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractResourceProvi
}
@Override
- public Set<Resource> getResources(Request request, Predicate predicate)
+ public Set<Resource> getResourcesAuthorized(Request request, Predicate predicate)
throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
Set<Resource> resources = new HashSet<Resource>();
Set<String> requestedIds = getRequestPropertyIds(request, predicate);
@@ -233,7 +233,7 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractResourceProvi
}
@Override
- public RequestStatus updateResources(Request request, Predicate predicate)
+ public RequestStatus updateResourcesAuthorized(Request request, Predicate predicate)
throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
modifyResources(getUpdateCommand(request, predicate));
notifyUpdate(resourceType, request, predicate);
@@ -241,7 +241,7 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractResourceProvi
}
@Override
- public RequestStatus deleteResources(Predicate predicate)
+ public RequestStatus deleteResourcesAuthorized(Predicate predicate)
throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
modifyResources(getDeleteCommand(predicate));
notifyDelete(resourceType, predicate);
http://git-wip-us.apache.org/repos/asf/ambari/blob/7d45f1f7/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserAuthorizationResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserAuthorizationResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserAuthorizationResourceProvider.java
index 15aa0ec..ef3cd32 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserAuthorizationResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserAuthorizationResourceProvider.java
@@ -39,8 +39,11 @@ import org.apache.ambari.server.orm.dao.ResourceTypeDAO;
import org.apache.ambari.server.orm.entities.PermissionEntity;
import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
-import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
@@ -112,6 +115,14 @@ public class UserAuthorizationResourceProvider extends ReadOnlyResourceProvider
private final ClusterController clusterController;
/**
+ * For testing purposes
+ */
+ public static void init(PermissionDAO permissionDAO, ResourceTypeDAO resourceTypeDAO) {
+ UserAuthorizationResourceProvider.permissionDAO = permissionDAO;
+ UserAuthorizationResourceProvider.resourceTypeDAO = resourceTypeDAO;
+ }
+
+ /**
* Create a new resource provider.
*/
public UserAuthorizationResourceProvider(AmbariManagementController managementController) {
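Review bot: The new `init(PermissionDAO, ResourceTypeDAO)` is `public static` on a production class, so any caller can replace the DAOs held in the provider's static fields, although its Javadoc says it exists for tests only. If the test sits in the same package, package-private visibility is enough: `static void init(PermissionDAO permissionDAO, ResourceTypeDAO resourceTypeDAO) {`. The Javadoc would be clearer as `Sets the statically held DAOs; intended for unit tests only.` The class body continues outside this hunk.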
@@ -131,8 +142,17 @@ public class UserAuthorizationResourceProvider extends ReadOnlyResourceProvider
// is used to generate a composite set of authorizations the user has been granted.
ResourceProvider userPrivilegeProvider = clusterController.ensureResourceProvider(Type.UserPrivilege);
+ boolean isUserAdministrator = AuthorizationHelper.isAuthorized(ResourceType.AMBARI, null,
+ RoleAuthorization.AMBARI_MANAGE_USERS);
+
for (Map<String, Object> propertyMap : getPropertyMaps(predicate)) {
String username = (String) propertyMap.get(USERNAME_PROPERTY_ID);
+
+ // Ensure that the authenticated user has authorization to get this information
+ if (!isUserAdministrator && !AuthorizationHelper.getAuthenticatedName().equalsIgnoreCase(username)) {
+ throw new AuthorizationException();
+ }
+
Request internalRequest = createUserPrivilegeRequest();
Predicate internalPredicate = createUserPrivilegePredicate(username);
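Review bot: In the added ownership check, `AuthorizationHelper.getAuthenticatedName().equalsIgnoreCase(username)` dereferences the helper's return value directly. If that helper can return null when no authentication is present (its body is not visible here), the request fails with a NullPointerException instead of an AuthorizationException. Reading the name once before the loop and treating null as a denial keeps the check fail-closed: `String authenticatedName = AuthorizationHelper.getAuthenticatedName();` and `if (!isUserAdministrator && (authenticatedName == null || !authenticatedName.equalsIgnoreCase(username))) {`. The same expression is added in the UserPrivilegeResourceProvider hunk at `@@ -153,9 +163,17 @@`. The enclosing method starts and ends outside this hunk.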
http://git-wip-us.apache.org/repos/asf/ambari/blob/7d45f1f7/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
index a8a9909..cef8a11 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
@@ -17,6 +17,7 @@
*/
package org.apache.ambari.server.controller.internal;
+import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
@@ -41,7 +42,10 @@ import org.apache.ambari.server.orm.entities.PrivilegeEntity;
import org.apache.ambari.server.orm.entities.UserEntity;
import org.apache.ambari.server.orm.entities.ViewEntity;
import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
import org.apache.ambari.server.security.authorization.UserType;
/**
@@ -137,6 +141,12 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
*/
public UserPrivilegeResourceProvider() {
super(propertyIds, keyPropertyIds, null);
+
+ EnumSet<RoleAuthorization> requiredAuthorizations = EnumSet.of(RoleAuthorization.AMBARI_ASSIGN_ROLES);
+ setRequiredCreateAuthorizations(requiredAuthorizations);
+ setRequiredDeleteAuthorizations(requiredAuthorizations);
+ setRequiredGetAuthorizations(requiredAuthorizations);
+ setRequiredUpdateAuthorizations(requiredAuthorizations);
}
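Review bot: The constructor requires `RoleAuthorization.AMBARI_ASSIGN_ROLES` for get, while the check added to the read path further down in this file lets a user read their own privileges and otherwise asks for `AMBARI_MANAGE_USERS`. If the base class enforces the required-get set before the read method runs (not visible here), a user without AMBARI_ASSIGN_ROLES never reaches the self-access branch; if it does not, the setter has no effect. Either way a comment should say which authorization governs reads, for example `// Reads are additionally restricted per user: self, or AMBARI_MANAGE_USERS`. The create, update and delete setters also deserve a line explaining why a ReadOnlyResourceProvider subclass declares them.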
// ----- PrivilegeResourceProvider -----------------------------------------
@@ -153,9 +163,17 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
final Set<Resource> resources = new HashSet<Resource>();
final Set<String> requestedIds = getRequestPropertyIds(request, predicate);
+ boolean isUserAdministrator = AuthorizationHelper.isAuthorized(ResourceType.AMBARI, null,
+ RoleAuthorization.AMBARI_MANAGE_USERS);
+
for (Map<String, Object> propertyMap : getPropertyMaps(predicate)) {
final String userName = (String) propertyMap.get(PRIVILEGE_USER_NAME_PROPERTY_ID);
+ // Ensure that the authenticated user has authorization to get this information
+ if (!isUserAdministrator && !AuthorizationHelper.getAuthenticatedName().equalsIgnoreCase(userName)) {
+ throw new AuthorizationException();
+ }
+
if (userName != null) {
UserEntity userEntity = userDAO.findLocalUserByName(userName);
if (userEntity == null) {
http://git-wip-us.apache.org/repos/asf/ambari/blob/7d45f1f7/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserResourceProvider.java
index b993450..fee1826 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserResourceProvider.java
@@ -23,8 +23,11 @@ import org.apache.ambari.server.controller.UserRequest;
import org.apache.ambari.server.controller.UserResponse;
import org.apache.ambari.server.controller.spi.*;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
import java.util.Arrays;
+import java.util.EnumSet;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
@@ -57,10 +60,13 @@ class UserResourceProvider extends AbstractControllerResourceProvider {
Map<Resource.Type, String> keyPropertyIds,
AmbariManagementController managementController) {
super(propertyIds, keyPropertyIds, managementController);
+
+ setRequiredCreateAuthorizations(EnumSet.of(RoleAuthorization.AMBARI_MANAGE_USERS));
+ setRequiredDeleteAuthorizations(EnumSet.of(RoleAuthorization.AMBARI_MANAGE_USERS));
}
@Override
- public RequestStatus createResources(Request request)
+ public RequestStatus createResourcesAuthorized(Request request)
throws SystemException,
UnsupportedPropertyException,
ResourceAlreadyExistsException,
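Review bot: Only create and delete get a required authorization in the constructor, and nothing here says how get and update are protected. The later hunks add `AuthorizationException` to the `invoke()` methods that call `getManagementController().getUsers(requests)` and `updateUsers(requests)`, which suggests those checks live in the management controller. A comment above the setters would record that once confirmed, e.g. `// get/update are authorized per user inside the management controller (getUsers/updateUsers)`. Building the set once in a local, as the UserPrivilegeResourceProvider constructor does, would also avoid the repeated `EnumSet.of(...)`.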
@@ -97,7 +103,7 @@ class UserResourceProvider extends AbstractControllerResourceProvider {
Set<UserResponse> responses = getResources(new Command<Set<UserResponse>>() {
@Override
- public Set<UserResponse> invoke() throws AmbariException {
+ public Set<UserResponse> invoke() throws AmbariException, AuthorizationException {
return getManagementController().getUsers(requests);
}
});
@@ -151,7 +157,7 @@ class UserResourceProvider extends AbstractControllerResourceProvider {
modifyResources(new Command<Void>() {
@Override
- public Void invoke() throws AmbariException {
+ public Void invoke() throws AmbariException, AuthorizationException {
getManagementController().updateUsers(requests);
return null;
}
@@ -161,7 +167,7 @@ class UserResourceProvider extends AbstractControllerResourceProvider {
}
@Override
- public RequestStatus deleteResources(Predicate predicate)
+ public RequestStatus deleteResourcesAuthorized(Predicate predicate)
throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
final Set<UserRequest> requests = new HashSet<UserRequest>();
http://git-wip-us.apache.org/repos/asf/ambari/blob/7d45f1f7/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
index 81794d8..7a2f7d2 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
@@ -19,8 +19,6 @@
package org.apache.ambari.server.security.authorization;
import java.io.IOException;
-import java.io.UnsupportedEncodingException;
-import java.net.URLDecoder;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@@ -57,8 +55,8 @@ public class AmbariAuthorizationFilter implements Filter {
private static final String VIEWS_CONTEXT_PATH_PATTERN = VIEWS_CONTEXT_PATH_PREFIX + "([^/]+)/([^/]+)/([^/]+)(.*)";
private static final String VIEWS_CONTEXT_ALL_PATTERN = VIEWS_CONTEXT_PATH_PREFIX + ".*";
- private static final String API_USERS_USERNAME_PATTERN = API_VERSION_PREFIX + "/users/([^/?]+)(.*)";
private static final String API_USERS_ALL_PATTERN = API_VERSION_PREFIX + "/users.*";
+ private static final String API_PRIVILEGES_ALL_PATTERN = API_VERSION_PREFIX + "/privileges.*";
private static final String API_GROUPS_ALL_PATTERN = API_VERSION_PREFIX + "/groups.*";
private static final String API_CLUSTERS_ALL_PATTERN = API_VERSION_PREFIX + "/clusters.*";
private static final String API_VIEWS_ALL_PATTERN = API_VERSION_PREFIX + "/views.*";
@@ -106,7 +104,7 @@ public class AmbariAuthorizationFilter implements Filter {
httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Authentication required");
}
}
- } else {
+ } else if(!authorizationPerformedInternally(requestURI)) {
boolean authorized = false;
for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) {
@@ -168,19 +166,11 @@ public class AmbariAuthorizationFilter implements Filter {
authorized = getViewRegistry().checkPermission(dto.getViewName(), dto.getVersion(), dto.getInstanceName(), true);
}
- // allow all types of requests for /users/{current_user}
- if (!authorized && requestURI.matches(API_USERS_USERNAME_PATTERN)) {
- final SecurityContext securityContext = getSecurityContext();
- final String currentUserName = securityContext.getAuthentication().getName();
- final String urlUserName = parseUserName(requestURI);
- authorized = currentUserName.equalsIgnoreCase(urlUserName);
- }
// allow GET for everything except /views, /api/v1/users, /api/v1/groups, /api/v1/ldap_sync_events
if (!authorized &&
(!httpRequest.getMethod().equals("GET")
|| requestURI.matches(VIEWS_CONTEXT_ALL_PATTERN)
- || requestURI.matches(API_USERS_ALL_PATTERN)
|| requestURI.matches(API_GROUPS_ALL_PATTERN)
|| requestURI.matches(API_CREDENTIALS_ALL_PATTERN)
|| requestURI.matches(API_LDAP_SYNC_EVENTS_ALL_PATTERN))) {
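Review bot: The context comment `// allow GET for everything except /views, /api/v1/users, /api/v1/groups, /api/v1/ldap_sync_events` no longer matches the condition below it. This hunk removes `API_USERS_ALL_PATTERN` from the list, and `API_CREDENTIALS_ALL_PATTERN` is checked but not mentioned. I would update it to `// allow GET for everything except views, groups, credentials and LDAP sync events; users and privileges are authorized by their resource providers`. The enclosing method starts outside this hunk.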
@@ -198,6 +188,18 @@ public class AmbariAuthorizationFilter implements Filter {
chain.doFilter(request, response);
}
+ /**
+ * Tests the URI to determine if authorization checks are performed internally or should be
+ * performed in the filter.
+ *
+ * @param requestURI the request uri
+ * @return true if handled internally; otherwise false
+ */
+ private boolean authorizationPerformedInternally(String requestURI) {
+ return requestURI.matches(API_USERS_ALL_PATTERN) ||
+ requestURI.matches(API_PRIVILEGES_ALL_PATTERN);
+ }
+
@Override
public void destroy() {
// do nothing
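Review bot: `authorizationPerformedInternally` exempts every URI matching `API_USERS_ALL_PATTERN` or `API_PRIVILEGES_ALL_PATTERN` from the filter's role checks, and both patterns end in a bare `.*`, so the match is a string prefix rather than a path segment. A sibling path that merely begins with `users` or `privileges`, if one is ever added, would also skip the filter. Anchoring on a segment boundary narrows the exemption: `API_VERSION_PREFIX + "/users(/.*)?"` and `API_VERSION_PREFIX + "/privileges(/.*)?"`. The Javadoc should also state the consequence: every resource provider reachable under these prefixes, including sub-resources of a user, must enforce its own authorization, because the filter no longer checks them. A test asserting that an unauthorized caller is rejected by each such provider would keep that invariant from drifting.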
@@ -244,26 +246,6 @@ public class AmbariAuthorizationFilter implements Filter {
}
}
- /**
- * Parses url to get user name.
- *
- * @param url the url
- * @return null if url doesn't match correct pattern
- */
- static String parseUserName(String url) {
- final Pattern pattern = Pattern.compile(API_USERS_USERNAME_PATTERN);
- final Matcher matcher = pattern.matcher(url);
- if (!matcher.matches()) {
- return null;
- } else {
- try {
- return URLDecoder.decode(matcher.group(1), "UTF-8");
- } catch (UnsupportedEncodingException e) {
- throw new RuntimeException("Unable to decode URI: " + e, e);
- }
- }
- }
-
SecurityContext getSecurityContext() {
return SecurityContextHolder.getContext();
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/7d45f1f7/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
index 198e209..e303066 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
@@ -77,7 +77,22 @@ public class AuthorizationHelper {
/**
* Determines if the authenticated user (from application's security context) is authorized to
- * perform an operation on the the specific resource by matching the authenticated user's
+ * perform an operation on the specific resource by matching the authenticated user's
+ * authorizations with the one indicated.
+ *
+ * @param resourceType a resource type being acted upon
+ * @param resourceId the resource id (relative to the resource type) being acted upon
+ * @param requiredAuthorization the required authorization
+ * @return true if authorized; otherwise false
+ * @see #isAuthorized(Authentication, ResourceType, Long, Set)
+ */
+ public static boolean isAuthorized(ResourceType resourceType, Long resourceId, RoleAuthorization requiredAuthorization) {
+ return isAuthorized(getAuthentication(), resourceType, resourceId, EnumSet.of(requiredAuthorization));
+ }
+
+ /**
+ * Determines if the authenticated user (from application's security context) is authorized to
+ * perform an operation on the specific resource by matching the authenticated user's
* authorizations with one from the provided set of authorizations.
*
* @param resourceType a resource type being acted upon
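Review bot: The new single-authorization overload passes its argument to `EnumSet.of(requiredAuthorization)`, which throws NullPointerException for a null element, but the Javadoc does not say the parameter must be non-null. Changing the tag to `@param requiredAuthorization the required authorization; must not be null` documents the contract for callers. The overload taking an `Authentication` in the next hunk (`@@ -92,6 +107,22 @@`) has the same gap.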
@@ -92,6 +107,22 @@ public class AuthorizationHelper {
/**
* Determines if the specified authenticated user is authorized to perform an operation on the
+ * specific resource by matching the authenticated user's authorizations with the one indicated.
+ *
+ * @param authentication the authenticated user and associated access privileges
+ * @param resourceType a resource type being acted upon
+ * @param resourceId the resource id (relative to the resource type) being acted upon
+ * @param requiredAuthorization the required authorization
+ * @return true if authorized; otherwise false
+ * @see #isAuthorized(Authentication, ResourceType, Long, Set)
+ */
+ public static boolean isAuthorized(Authentication authentication, ResourceType resourceType, Long resourceId,
+ RoleAuthorization requiredAuthorization) {
+ return isAuthorized(authentication, resourceType, resourceId, EnumSet.of(requiredAuthorization));
+ }
+
+ /**
+ * Determines if the specified authenticated user is authorized to perform an operation on the
* the specific resource by matching the authenticated user's authorizations with one from the
* provided set of authorizations.
* <p/>
http://git-wip-us.apache.org/repos/asf/ambari/blob/7d45f1f7/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java
index 1d9e53d..ca3ca36 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java
@@ -44,6 +44,7 @@ import org.apache.ambari.server.orm.entities.ClusterVersionEntity;
import org.apache.ambari.server.orm.entities.LdapSyncSpecEntity;
import org.apache.ambari.server.orm.entities.RepositoryVersionEntity;
import org.apache.ambari.server.security.authorization.Users;
+import org.apache.ambari.server.security.authorization.internal.InternalAuthenticationToken;
import org.apache.ambari.server.security.encryption.CredentialStoreService;
import org.apache.ambari.server.security.encryption.CredentialStoreType;
import org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator;
@@ -64,7 +65,9 @@ import org.apache.ambari.server.state.StackId;
import org.apache.ambari.server.state.State;
import org.easymock.Capture;
import org.junit.Before;
+import org.junit.BeforeClass;
import org.junit.Test;
+import org.springframework.security.core.context.SecurityContextHolder;
import javax.persistence.RollbackException;
import java.lang.reflect.Field;
@@ -103,6 +106,14 @@ public class AmbariManagementControllerImplTest {
private static final Users users = createMock(Users.class);
private static final AmbariSessionManager sessionManager = createNiceMock(AmbariSessionManager.class);
+ @BeforeClass
+ public static void setupAuthentication() {
+ // Set authenticated user so that authorization checks will pass
+ InternalAuthenticationToken authenticationToken = new InternalAuthenticationToken("admin");
+ authenticationToken.setAuthenticated(true);
+ SecurityContextHolder.getContext().setAuthentication(authenticationToken);
+ }
+
@Before
public void before() throws Exception {
reset(ldapDataPopulator, clusters, actionDBAccessor, ambariMetaInfo, users, sessionManager);
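Review bot: `setupAuthentication()` stores an authenticated "admin" token in `SecurityContextHolder` in `@BeforeClass` and nothing in the hunk clears it. The context may therefore stay populated for later test classes that run on the same thread, and authorization tests there could pass for the wrong reason. A matching `@AfterClass` method that calls `SecurityContextHolder.clearContext();` (with the `org.junit.AfterClass` import) restores a clean state. The identical setup is added to AmbariManagementControllerTest in the hunk at `@@ -215,6 +218,14 @@`.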
http://git-wip-us.apache.org/repos/asf/ambari/blob/7d45f1f7/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerTest.java
index 385e3f7..3bf6cad 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerTest.java
@@ -105,6 +105,7 @@ import org.apache.ambari.server.orm.entities.WidgetEntity;
import org.apache.ambari.server.orm.entities.WidgetLayoutEntity;
import org.apache.ambari.server.orm.entities.WidgetLayoutUserWidgetEntity;
import org.apache.ambari.server.security.authorization.Users;
+import org.apache.ambari.server.security.authorization.internal.InternalAuthenticationToken;
import org.apache.ambari.server.serveraction.ServerAction;
import org.apache.ambari.server.state.Cluster;
import org.apache.ambari.server.state.Clusters;
@@ -146,6 +147,7 @@ import org.easymock.Capture;
import org.easymock.EasyMock;
import org.junit.After;
import org.junit.Before;
+import org.junit.BeforeClass;
import org.junit.Ignore;
import org.junit.Rule;
import org.junit.Test;
@@ -161,6 +163,7 @@ import com.google.inject.Injector;
import com.google.inject.persist.PersistService;
import junit.framework.Assert;
+import org.springframework.security.core.context.SecurityContextHolder;
public class AmbariManagementControllerTest {
@@ -215,6 +218,14 @@ public class AmbariManagementControllerTest {
@Rule
public ExpectedException expectedException = ExpectedException.none();
+ @BeforeClass
+ public static void setupAuthentication() {
+ // Set authenticated user so that authorization checks will pass
+ InternalAuthenticationToken authenticationToken = new InternalAuthenticationToken("admin");
+ authenticationToken.setAuthenticated(true);
+ SecurityContextHolder.getContext().setAuthentication(authenticationToken);
+ }
+
@Before
public void setup() throws Exception {
InMemoryDefaultTestModule module = new InMemoryDefaultTestModule();
http://git-wip-us.apache.org/repos/asf/ambari/blob/7d45f1f7/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProviderTest.java
index e74520e..9b47bf7 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProviderTest.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -17,243 +17,383 @@
*/
package org.apache.ambari.server.controller.internal;
-import com.google.inject.Binder;
+import com.google.gson.Gson;
+import com.google.inject.AbstractModule;
import com.google.inject.Guice;
import com.google.inject.Injector;
-import com.google.inject.Module;
-import com.google.inject.util.Modules;
+import org.apache.ambari.server.actionmanager.ActionDBAccessor;
+import org.apache.ambari.server.actionmanager.ActionManager;
+import org.apache.ambari.server.actionmanager.StageFactory;
+import org.apache.ambari.server.api.services.AmbariMetaInfo;
+import org.apache.ambari.server.controller.AbstractRootServiceResponseFactory;
import org.apache.ambari.server.controller.AmbariManagementController;
+import org.apache.ambari.server.controller.AmbariManagementControllerImpl;
+import org.apache.ambari.server.controller.KerberosHelper;
import org.apache.ambari.server.controller.spi.Predicate;
import org.apache.ambari.server.controller.spi.Request;
import org.apache.ambari.server.controller.spi.Resource;
+import org.apache.ambari.server.controller.spi.ResourceProvider;
+import org.apache.ambari.server.controller.spi.SystemException;
import org.apache.ambari.server.controller.utilities.PredicateBuilder;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
-import org.apache.ambari.server.metadata.ActionMetadata;
-import org.apache.ambari.server.orm.InMemoryDefaultTestModule;
+import org.apache.ambari.server.orm.DBAccessor;
import org.apache.ambari.server.orm.dao.UserDAO;
+import org.apache.ambari.server.orm.dao.WidgetDAO;
import org.apache.ambari.server.orm.dao.WidgetLayoutDAO;
import org.apache.ambari.server.orm.entities.UserEntity;
import org.apache.ambari.server.orm.entities.WidgetLayoutEntity;
import org.apache.ambari.server.orm.entities.WidgetLayoutUserWidgetEntity;
+import org.apache.ambari.server.scheduler.ExecutionScheduler;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
+import org.apache.ambari.server.security.authorization.UserType;
+import org.apache.ambari.server.security.authorization.Users;
+import org.apache.ambari.server.security.encryption.CredentialStoreService;
+import org.apache.ambari.server.security.encryption.CredentialStoreServiceImpl;
+import org.apache.ambari.server.stack.StackManagerFactory;
+import org.apache.ambari.server.stageplanner.RoleGraphFactory;
+import org.apache.ambari.server.stageplanner.RoleGraphFactoryImpl;
import org.apache.ambari.server.state.Cluster;
import org.apache.ambari.server.state.Clusters;
-import org.easymock.EasyMock;
+import org.apache.ambari.server.state.ConfigFactory;
+import org.apache.ambari.server.state.ServiceComponentFactory;
+import org.apache.ambari.server.state.ServiceComponentHostFactory;
+import org.apache.ambari.server.state.ServiceFactory;
+import org.apache.ambari.server.state.configgroup.ConfigGroupFactory;
+import org.apache.ambari.server.state.scheduler.RequestExecutionFactory;
+import org.apache.ambari.server.state.stack.OsFamily;
+import org.easymock.Capture;
+import org.easymock.EasyMockSupport;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.crypto.password.PasswordEncoder;
-import java.util.ArrayList;
+import javax.persistence.EntityManager;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
-import java.util.LinkedList;
-import java.util.List;
+import java.util.LinkedHashMap;
+import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
-import static org.easymock.EasyMock.anyLong;
-import static org.easymock.EasyMock.anyObject;
-import static org.easymock.EasyMock.createMock;
-import static org.easymock.EasyMock.createStrictMock;
+import static org.easymock.EasyMock.capture;
import static org.easymock.EasyMock.expect;
-import static org.easymock.EasyMock.replay;
-import static org.easymock.EasyMock.verify;
-import static org.junit.Assert.assertEquals;
+import static org.easymock.EasyMock.expectLastCall;
+import static org.easymock.EasyMock.newCapture;
/**
* ActiveWidgetLayout tests
*/
-public class ActiveWidgetLayoutResourceProviderTest {
-
- private WidgetLayoutDAO widgetLayoutDAO = null;
- private UserDAO userDAO = null;
- private Injector m_injector;
+public class ActiveWidgetLayoutResourceProviderTest extends EasyMockSupport {
@Before
public void before() {
- widgetLayoutDAO = createStrictMock(WidgetLayoutDAO.class);
- userDAO = createStrictMock(UserDAO.class);
+ resetAll();
+ }
- m_injector = Guice.createInjector(Modules.override(
- new InMemoryDefaultTestModule()).with(new MockModule()));
+
+ @Test
+ public void testGetResources_Administrator() throws Exception {
+ getResourcesTest(TestAuthenticationFactory.createAdministrator("admin"), "User1");
}
- /**
- * @throws Exception
- */
@Test
- public void testGetSingleResource() throws Exception {
- Request request = PropertyHelper.getReadRequest(
- ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_CLUSTER_NAME_PROPERTY_ID,
- ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_ID_PROPERTY_ID,
- ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_DISPLAY_NAME_PROPERTY_ID,
- ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_LAYOUT_NAME_PROPERTY_ID,
- ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_SECTION_NAME_PROPERTY_ID,
- ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_USERNAME_PROPERTY_ID,
- ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_SCOPE_PROPERTY_ID,
- ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_WIDGETS_PROPERTY_ID);
-
- AmbariManagementController amc = createMock(AmbariManagementController.class);
- Clusters clusters = createMock(Clusters.class);
- Cluster cluster = createMock(Cluster.class);
- UserEntity userEntity = createMock(UserEntity.class);
- expect(amc.getClusters()).andReturn(clusters).atLeastOnce();
- expect(clusters.getClusterById(1L)).andReturn(cluster).atLeastOnce();
- expect(cluster.getClusterName()).andReturn("c1").anyTimes();
+ public void testGetResources_NonAdministrator_Self() throws Exception {
+ getResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User1");
+ }
- Predicate predicate = new PredicateBuilder().property(
- ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_USERNAME_PROPERTY_ID).equals("username").toPredicate();
+ @Test(expected = AuthorizationException.class)
+ public void testGetResources_NonAdministrator_Other() throws Exception {
+ getResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User10");
+ }
+ @Test(expected = SystemException.class)
+ public void testCreateResources_Administrator() throws Exception {
+ createResourcesTest(TestAuthenticationFactory.createAdministrator("admin"), "User1");
+ }
- expect(userDAO.findUserByName("username")).andReturn(userEntity);
- expect(userEntity.getActiveWidgetLayouts()).andReturn("[{\"id\":\"1\"},{\"id\":\"2\"}]");
- expect(widgetLayoutDAO.findById(1L)).andReturn(getMockEntities().get(0));
- expect(widgetLayoutDAO.findById(2L)).andReturn(getMockEntities().get(1));
+ @Test(expected = SystemException.class)
+ public void testCreateResources_NonAdministrator_Self() throws Exception {
+ createResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User1");
+ }
- replay(amc, clusters, cluster, widgetLayoutDAO, userEntity, userDAO);
+ @Test(expected = SystemException.class)
+ public void testCreateResources_NonAdministrator_Other() throws Exception {
+ createResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User10");
+ }
- ActiveWidgetLayoutResourceProvider provider = createProvider(amc);
- Set<Resource> results = provider.getResources(request, predicate);
+ @Test
+ public void testUpdateResources_Administrator() throws Exception {
+ updateResourcesTest(TestAuthenticationFactory.createAdministrator("admin"), "User1");
+ }
- assertEquals(2, results.size());
+ @Test
+ public void testUpdateResources_NonAdministrator_Self() throws Exception {
+ updateResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User1");
+ }
- Resource r = results.iterator().next();
- Assert.assertEquals("section0", r.getPropertyValue(ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_SECTION_NAME_PROPERTY_ID));
- Assert.assertEquals("CLUSTER", r.getPropertyValue(ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_SCOPE_PROPERTY_ID));
- Assert.assertEquals("username", r.getPropertyValue(ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_USERNAME_PROPERTY_ID));
- Assert.assertEquals("displ_name", r.getPropertyValue(ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_DISPLAY_NAME_PROPERTY_ID));
- Assert.assertEquals("layout name0", r.getPropertyValue(ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_LAYOUT_NAME_PROPERTY_ID));
+ @Test(expected = AuthorizationException.class)
+ public void testUpdateResources_NonAdministrator_Other() throws Exception {
+ updateResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User10");
+ }
- Assert.assertEquals("[]", r.getPropertyValue(ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_WIDGETS_PROPERTY_ID).toString());
+ @Test(expected = SystemException.class)
+ public void testDeleteResources_Administrator() throws Exception {
+ deleteResourcesTest(TestAuthenticationFactory.createAdministrator("admin"), "User1");
+ }
- verify(amc, clusters, cluster, widgetLayoutDAO, userEntity, userDAO);
+ @Test(expected = SystemException.class)
+ public void testDeleteResources_NonAdministrator_Self() throws Exception {
+ deleteResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User1");
}
+ @Test(expected = SystemException.class)
+ public void testDeleteResources_NonAdministrator_Other() throws Exception {
+ deleteResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User10");
+ }
- /**
- * @throws Exception
- */
- @Test
- public void testCreateResources() throws Exception {
- AmbariManagementController amc = createMock(AmbariManagementController.class);
+ private void getResourcesTest(Authentication authentication, String requestedUsername) throws Exception {
+ Injector injector = createInjector();
- replay(amc);
+ UserEntity userEntity = createMockUserEntity(requestedUsername);
- ActiveWidgetLayoutResourceProvider provider = createProvider(amc);
+ UserDAO userDAO = injector.getInstance(UserDAO.class);
+ expect(userDAO.findUserByName(requestedUsername)).andReturn(userEntity).atLeastOnce();
- Map<String, Object> requestProps = new HashMap<String, Object>();
+ WidgetLayoutDAO widgetLayoutDAO = injector.getInstance(WidgetLayoutDAO.class);
+ expect(widgetLayoutDAO.findById(1L)).andReturn(createMockWidgetLayout(1L, requestedUsername)).atLeastOnce();
+ expect(widgetLayoutDAO.findById(2L)).andReturn(createMockWidgetLayout(2L, requestedUsername)).atLeastOnce();
- Request request = PropertyHelper.getCreateRequest(Collections.singleton(requestProps), null);
- try {
- provider.createResources(request);
- } catch (Exception e) {
- //Expected exception
+ Cluster cluster = createNiceMock(Cluster.class);
+ expect(cluster.getClusterName()).andReturn("c1").atLeastOnce();
+
+ Clusters clusters = injector.getInstance(Clusters.class);
+ expect(clusters.getClusterById(2L)).andReturn(cluster).atLeastOnce();
+
+ replayAll();
+
+ AmbariMetaInfo ambariMetaInfo = injector.getInstance(AmbariMetaInfo.class);
+ ambariMetaInfo.init();
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
+ AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
+
+ ResourceProvider provider = getResourceProvider(injector, managementController);
+
+ Set<String> propertyIds = PropertyHelper.getPropertyIds(Resource.Type.ActiveWidgetLayout);
+
+ Request request = PropertyHelper.getReadRequest(propertyIds);
+
+ Set<Resource> resources = provider.getResources(request, createPredicate(requestedUsername));
+
+ Assert.assertEquals(2, resources.size());
+ for (Resource resource : resources) {
+
+ Long id = (Long) resource.getPropertyValue(ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_ID_PROPERTY_ID);
+
+ Assert.assertEquals("section" + id, resource.getPropertyValue(ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_SECTION_NAME_PROPERTY_ID));
+ Assert.assertEquals("CLUSTER", resource.getPropertyValue(ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_SCOPE_PROPERTY_ID));
+ Assert.assertEquals(requestedUsername, resource.getPropertyValue(ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_USERNAME_PROPERTY_ID));
+ Assert.assertEquals("display name" + id, resource.getPropertyValue(ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_DISPLAY_NAME_PROPERTY_ID));
+ Assert.assertEquals("layout name" + id, resource.getPropertyValue(ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_LAYOUT_NAME_PROPERTY_ID));
+
+ Assert.assertEquals("[]", resource.getPropertyValue(ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_WIDGETS_PROPERTY_ID).toString());
}
+ verifyAll();
}
- /**
- * @throws Exception
- */
- @Test
- public void testUpdateResources() throws Exception {
- AmbariManagementController amc = createMock(AmbariManagementController.class);
+ private void createResourcesTest(Authentication authentication, String requestedUsername) throws Exception {
+ Injector injector = createInjector();
+
+ replayAll();
+
+ AmbariMetaInfo ambariMetaInfo = injector.getInstance(AmbariMetaInfo.class);
+ ambariMetaInfo.init();
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
+ AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
+
+ ResourceProvider provider = getResourceProvider(injector, managementController);
- expect(widgetLayoutDAO.findById(anyLong())).andReturn(getMockEntities().get(0)).anyTimes();
- UserEntity userEntity = new UserEntity();
- expect(userDAO.findUserByName("username")).andReturn(userEntity);
- expect(userDAO.merge((UserEntity) anyObject())).andReturn(userEntity).anyTimes();
+ // add the property map to a set for the request. add more maps for multiple creates
+ Set<Map<String, Object>> propertySet = new LinkedHashSet<Map<String, Object>>();
- replay(amc, widgetLayoutDAO, userDAO);
+ Map<String, Object> properties = new LinkedHashMap<String, Object>();
+
+ // add properties to the request map
+ properties.put(ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_USERNAME_PROPERTY_ID, requestedUsername);
+
+ propertySet.add(properties);
+
+ // create the request
+ Request request = PropertyHelper.getCreateRequest(propertySet, null);
+
+ provider.createResources(request);
+
+ verifyAll();
+ }
+
+ private void updateResourcesTest(Authentication authentication, String requestedUsername) throws Exception {
+ Injector injector = createInjector();
+
+ Capture<? extends String> widgetLayoutJsonCapture = newCapture();
+
+ UserEntity userEntity = createMockUserEntity(requestedUsername);
+ userEntity.setActiveWidgetLayouts(capture(widgetLayoutJsonCapture));
+ expectLastCall().once();
+
+ UserDAO userDAO = injector.getInstance(UserDAO.class);
+ expect(userDAO.findUserByName(requestedUsername)).andReturn(userEntity).atLeastOnce();
+ expect(userDAO.merge(userEntity)).andReturn(userEntity).atLeastOnce();
+
+ WidgetLayoutDAO widgetLayoutDAO = injector.getInstance(WidgetLayoutDAO.class);
+ expect(widgetLayoutDAO.findById(1L)).andReturn(createMockWidgetLayout(1L, requestedUsername)).atLeastOnce();
+ expect(widgetLayoutDAO.findById(2L)).andReturn(createMockWidgetLayout(2L, requestedUsername)).atLeastOnce();
+
+ replayAll();
+
+ AmbariMetaInfo ambariMetaInfo = injector.getInstance(AmbariMetaInfo.class);
+ ambariMetaInfo.init();
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
+ AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
- Predicate predicate = new PredicateBuilder().property(
- ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_USERNAME_PROPERTY_ID).equals("username").toPredicate();
Set<Map<String, String>> widgetLayouts = new HashSet<Map<String, String>>();
- HashMap<String, String> layout = new HashMap<String, String>();
- layout.put("id","1");
+ HashMap<String, String> layout;
+
+ layout = new HashMap<String, String>();
+ layout.put("id", "1");
widgetLayouts.add(layout);
- layout.put("id","2");
+
+ layout = new HashMap<String, String>();
+ layout.put("id", "2");
widgetLayouts.add(layout);
+
HashMap<String, Object> requestProps = new HashMap<String, Object>();
requestProps.put(ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT, widgetLayouts);
- requestProps.put(ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_USERNAME_PROPERTY_ID, "username");
+ requestProps.put(ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_USERNAME_PROPERTY_ID, requestedUsername);
Request request = PropertyHelper.getUpdateRequest(requestProps, null);
- ActiveWidgetLayoutResourceProvider provider = createProvider(amc);
- provider.updateResources(request, predicate);
+ ResourceProvider provider = getResourceProvider(injector, managementController);
+
+ provider.updateResources(request, createPredicate(requestedUsername));
- Assert.assertTrue(userEntity.getActiveWidgetLayouts().equals("[{\"id\":\"2\"},{\"id\":\"2\"}]"));
- verify(amc, widgetLayoutDAO, userDAO);
+ verifyAll();
+
+ String json = widgetLayoutJsonCapture.getValue();
+ Assert.assertNotNull(json);
+
+ Set capturedWidgetLayouts = new Gson().fromJson(json, widgetLayouts.getClass());
+ Assert.assertEquals(widgetLayouts, capturedWidgetLayouts);
}
- /**
- * @throws Exception
- */
- @Test
- public void testDeleteResources() throws Exception {
- AmbariManagementController amc = createMock(AmbariManagementController.class);
+ private void deleteResourcesTest(Authentication authentication, String requestedUsername) throws Exception {
+ Injector injector = createInjector();
- replay(amc);
+ UserEntity userEntity = createMockUserEntity(requestedUsername);
- ActiveWidgetLayoutResourceProvider provider = createProvider(amc);
+ UserDAO userDAO = injector.getInstance(UserDAO.class);
+ expect(userDAO.findUserByName(requestedUsername)).andReturn(userEntity).atLeastOnce();
- Map<String, Object> requestProps = new HashMap<String, Object>();
- Predicate predicate = new PredicateBuilder().property(
- WidgetLayoutResourceProvider.WIDGETLAYOUT_USERNAME_PROPERTY_ID).equals("username").toPredicate();
- try {
- provider.deleteResources(predicate);
- } catch (Exception e) {
- //Expected exception
- }
+ replayAll();
+
+ AmbariMetaInfo ambariMetaInfo = injector.getInstance(AmbariMetaInfo.class);
+ ambariMetaInfo.init();
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
+ AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
+
+ ResourceProvider provider = getResourceProvider(injector, managementController);
+
+ provider.deleteResources(createPredicate(requestedUsername));
+
+ verifyAll();
}
- /**
- * @param amc
- * @return
- */
- private ActiveWidgetLayoutResourceProvider createProvider(AmbariManagementController amc) {
- return new ActiveWidgetLayoutResourceProvider(amc);
+ private ResourceProvider getResourceProvider(Injector injector, AmbariManagementController managementController) throws Exception {
+ ActiveWidgetLayoutResourceProvider.init(injector.getInstance(UserDAO.class),
+ injector.getInstance(WidgetDAO.class),
+ injector.getInstance(WidgetLayoutDAO.class),
+ new Gson());
+
+ return AbstractControllerResourceProvider.getResourceProvider(
+ Resource.Type.ActiveWidgetLayout,
+ PropertyHelper.getPropertyIds(Resource.Type.ActiveWidgetLayout),
+ PropertyHelper.getKeyPropertyIds(Resource.Type.ActiveWidgetLayout),
+ managementController);
}
- /**
- * @return
- */
- private List<WidgetLayoutEntity> getMockEntities() throws Exception {
- List<WidgetLayoutEntity> widgetLayoutEntities = new ArrayList<WidgetLayoutEntity>();
- for (int i=1; i<3; i++) {
- WidgetLayoutEntity widgetLayoutEntity = new WidgetLayoutEntity();
- widgetLayoutEntity.setId((long) i);
- widgetLayoutEntity.setClusterId(Long.valueOf(1L));
- widgetLayoutEntity.setLayoutName("layout name0");
- widgetLayoutEntity.setSectionName("section0");
- widgetLayoutEntity.setUserName("username");
- widgetLayoutEntity.setScope("CLUSTER");
- widgetLayoutEntity.setDisplayName("displ_name");
- List<WidgetLayoutUserWidgetEntity> layoutUserWidgetEntityList = new LinkedList<WidgetLayoutUserWidgetEntity>();
- widgetLayoutEntity.setListWidgetLayoutUserWidgetEntity(layoutUserWidgetEntityList);
-
- widgetLayoutEntities.add(widgetLayoutEntity);
- }
- return widgetLayoutEntities;
+ private Predicate createPredicate(String requestedUsername) {
+ return new PredicateBuilder()
+ .property(ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_USERNAME_PROPERTY_ID)
+ .equals(requestedUsername)
+ .toPredicate();
}
- /**
- *
- */
- private class MockModule implements Module {
- /**
- *
- */
- @Override
- public void configure(Binder binder) {
- binder.bind(WidgetLayoutDAO.class).toInstance(widgetLayoutDAO);
- binder.bind(UserDAO.class).toInstance(userDAO);
- binder.bind(Clusters.class).toInstance(
- EasyMock.createNiceMock(Clusters.class));
- binder.bind(Cluster.class).toInstance(
- EasyMock.createNiceMock(Cluster.class));
- binder.bind(ActionMetadata.class);
- }
+ private WidgetLayoutEntity createMockWidgetLayout(Long id, String username) {
+ WidgetLayoutEntity widgetLayoutEntity = createMock(WidgetLayoutEntity.class);
+ expect(widgetLayoutEntity.getId()).andReturn(id).anyTimes();
+ expect(widgetLayoutEntity.getUserName()).andReturn(username).anyTimes();
+ expect(widgetLayoutEntity.getLayoutName()).andReturn("layout name" + id).anyTimes();
+ expect(widgetLayoutEntity.getSectionName()).andReturn("section" + id).anyTimes();
+ expect(widgetLayoutEntity.getScope()).andReturn("CLUSTER").anyTimes();
+ expect(widgetLayoutEntity.getDisplayName()).andReturn("display name" + id).anyTimes();
+ expect(widgetLayoutEntity.getClusterId()).andReturn(2L).anyTimes();
+ expect(widgetLayoutEntity.getListWidgetLayoutUserWidgetEntity()).andReturn(Collections.<WidgetLayoutUserWidgetEntity>emptyList()).anyTimes();
+ return widgetLayoutEntity;
+ }
+
+ private UserEntity createMockUserEntity(String username) {
+ UserEntity userEntity = createMock(UserEntity.class);
+ expect(userEntity.getUserId()).andReturn(username.hashCode()).anyTimes();
+ expect(userEntity.getUserName()).andReturn(username).anyTimes();
+ expect(userEntity.getUserType()).andReturn(UserType.LOCAL).anyTimes();
+ expect(userEntity.getActiveWidgetLayouts()).andReturn("[{\"id\":\"1\"},{\"id\":\"2\"}]").anyTimes();
+
+ return userEntity;
+ }
+
+ private Injector createInjector() throws Exception {
+ return Guice.createInjector(new AbstractModule() {
+ @Override
+ protected void configure() {
+ bind(EntityManager.class).toInstance(createNiceMock(EntityManager.class));
+ bind(DBAccessor.class).toInstance(createNiceMock(DBAccessor.class));
+ bind(ActionDBAccessor.class).toInstance(createNiceMock(ActionDBAccessor.class));
+ bind(ExecutionScheduler.class).toInstance(createNiceMock(ExecutionScheduler.class));
+ bind(OsFamily.class).toInstance(createNiceMock(OsFamily.class));
+ bind(AmbariMetaInfo.class).toInstance(createMock(AmbariMetaInfo.class));
+ bind(ActionManager.class).toInstance(createNiceMock(ActionManager.class));
+ bind(org.apache.ambari.server.actionmanager.RequestFactory.class).toInstance(createNiceMock(org.apache.ambari.server.actionmanager.RequestFactory.class));
+ bind(RequestExecutionFactory.class).toInstance(createNiceMock(RequestExecutionFactory.class));
+ bind(StageFactory.class).toInstance(createNiceMock(StageFactory.class));
+ bind(RoleGraphFactory.class).to(RoleGraphFactoryImpl.class);
+ bind(Clusters.class).toInstance(createNiceMock(Clusters.class));
+ bind(AbstractRootServiceResponseFactory.class).toInstance(createNiceMock(AbstractRootServiceResponseFactory.class));
+ bind(StackManagerFactory.class).toInstance(createNiceMock(StackManagerFactory.class));
+ bind(ConfigFactory.class).toInstance(createNiceMock(ConfigFactory.class));
+ bind(ConfigGroupFactory.class).toInstance(createNiceMock(ConfigGroupFactory.class));
+ bind(ServiceFactory.class).toInstance(createNiceMock(ServiceFactory.class));
+ bind(ServiceComponentFactory.class).toInstance(createNiceMock(ServiceComponentFactory.class));
+ bind(ServiceComponentHostFactory.class).toInstance(createNiceMock(ServiceComponentHostFactory.class));
+ bind(PasswordEncoder.class).toInstance(createNiceMock(PasswordEncoder.class));
+ bind(KerberosHelper.class).toInstance(createNiceMock(KerberosHelper.class));
+ bind(Users.class).toInstance(createMock(Users.class));
+ bind(AmbariManagementController.class).to(AmbariManagementControllerImpl.class);
+ bind(CredentialStoreService.class).to(CredentialStoreServiceImpl.class);
+ bind(UserDAO.class).toInstance(createMock(UserDAO.class));
+ bind(WidgetLayoutDAO.class).toInstance(createMock(WidgetLayoutDAO.class));
+ }
+ });
}
}
[2/3] ambari git commit: AMBARI-13977. Enforce granular role-based
access control for user functions (rlevas)
Posted by rl...@apache.org.
http://git-wip-us.apache.org/repos/asf/ambari/blob/7d45f1f7/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java
index 68f1467..4357a24 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -18,27 +18,27 @@
package org.apache.ambari.server.controller.internal;
-import static org.easymock.EasyMock.anyObject;
-import static org.easymock.EasyMock.createMock;
-import static org.easymock.EasyMock.createNiceMock;
-import static org.easymock.EasyMock.createStrictMock;
-import static org.easymock.EasyMock.expect;
-import static org.easymock.EasyMock.replay;
-import static org.easymock.EasyMock.reset;
-import static org.easymock.EasyMock.verify;
-
+import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
+import java.util.LinkedHashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
+import com.google.inject.AbstractModule;
+import com.google.inject.Guice;
+import com.google.inject.Injector;
+import org.apache.ambari.server.controller.spi.Predicate;
import org.apache.ambari.server.controller.spi.Request;
import org.apache.ambari.server.controller.spi.Resource;
+import org.apache.ambari.server.controller.spi.ResourceProvider;
+import org.apache.ambari.server.controller.utilities.PredicateBuilder;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
+import org.apache.ambari.server.orm.DBAccessor;
import org.apache.ambari.server.orm.dao.ClusterDAO;
import org.apache.ambari.server.orm.dao.GroupDAO;
import org.apache.ambari.server.orm.dao.MemberDAO;
@@ -62,110 +62,112 @@ import org.apache.ambari.server.orm.entities.UserEntity;
import org.apache.ambari.server.orm.entities.ViewEntity;
import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
import org.apache.ambari.server.security.SecurityHelper;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.security.authorization.ResourceType;
import org.apache.ambari.server.view.ViewInstanceHandlerList;
import org.apache.ambari.server.view.ViewRegistry;
import org.apache.ambari.server.view.ViewRegistryTest;
-import org.easymock.EasyMock;
+import org.easymock.EasyMockSupport;
+import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
-import org.junit.BeforeClass;
import org.junit.Test;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+import javax.persistence.EntityManager;
+
+import static org.easymock.EasyMock.*;
/**
* AmbariPrivilegeResourceProvider tests.
*/
-public class AmbariPrivilegeResourceProviderTest {
- private final static PrivilegeDAO privilegeDAO = createStrictMock(PrivilegeDAO.class);
- private final static ClusterDAO clusterDAO = createStrictMock(ClusterDAO.class);
- private final static UserDAO userDAO = createStrictMock(UserDAO.class);
- private final static GroupDAO groupDAO = createStrictMock(GroupDAO.class);
- private final static PrincipalDAO principalDAO = createStrictMock(PrincipalDAO.class);
- private final static PermissionDAO permissionDAO = createStrictMock(PermissionDAO.class);
- private final static ResourceDAO resourceDAO = createStrictMock(ResourceDAO.class);
- private static final ViewDAO viewDAO = createMock(ViewDAO.class);
- private static final ViewInstanceDAO viewInstanceDAO = createNiceMock(ViewInstanceDAO.class);
- private static final MemberDAO memberDAO = createNiceMock(MemberDAO.class);
- private static final ResourceTypeDAO resourceTypeDAO = createNiceMock(ResourceTypeDAO.class);
- private static final SecurityHelper securityHelper = createNiceMock(SecurityHelper.class);
- private static final ViewInstanceHandlerList handlerList = createNiceMock(ViewInstanceHandlerList.class);
-
- @BeforeClass
- public static void initClass() {
- PrivilegeResourceProvider.init(privilegeDAO, userDAO, groupDAO, principalDAO, permissionDAO, resourceDAO);
- AmbariPrivilegeResourceProvider.init(clusterDAO);
- }
+public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
@Before
public void resetGlobalMocks() {
- ViewRegistry.initInstance(ViewRegistryTest.getRegistry(viewDAO, viewInstanceDAO, userDAO,
- memberDAO, privilegeDAO, resourceDAO, resourceTypeDAO, securityHelper, handlerList, null, null, null));
- reset(privilegeDAO, userDAO, groupDAO, principalDAO, permissionDAO, resourceDAO, clusterDAO, handlerList);
+ resetAll();
+ }
+
+ @After
+ public void clearAuthentication() {
+ SecurityContextHolder.getContext().setAuthentication(null);
}
@Test
- public void testGetResources() throws Exception {
+ public void testCreateResources_Administrator() throws Exception {
+ createResourcesTest(TestAuthenticationFactory.createAdministrator("admin"));
+ }
- List<PrivilegeEntity> privilegeEntities = new LinkedList<PrivilegeEntity>();
+ @Test(expected = AuthorizationException.class)
+ public void testCreateResources_NonAdministrator() throws Exception {
+ createResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"));
+ }
- PrivilegeEntity privilegeEntity = createNiceMock(PrivilegeEntity.class);
- ResourceEntity resourceEntity = createNiceMock(ResourceEntity.class);
- ResourceTypeEntity resourceTypeEntity = createNiceMock(ResourceTypeEntity.class);
- UserEntity userEntity = createNiceMock(UserEntity.class);
- PrincipalEntity principalEntity = createNiceMock(PrincipalEntity.class);
- PrincipalTypeEntity principalTypeEntity = createNiceMock(PrincipalTypeEntity.class);
- PermissionEntity permissionEntity = createNiceMock(PermissionEntity.class);
+ @Test
+ public void testGetResources_Administrator() throws Exception {
+ getResourcesTest(TestAuthenticationFactory.createAdministrator("admin"));
+ }
- List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
- principalEntities.add(principalEntity);
+ @Test(expected = AuthorizationException.class)
+ public void testGetResources_NonAdministrator() throws Exception {
+ getResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"));
+ }
- List<UserEntity> userEntities = new LinkedList<UserEntity>();
- userEntities.add(userEntity);
+ @Test
+ public void testGetResource_Administrator_Self() throws Exception {
+ getResourceTest(TestAuthenticationFactory.createAdministrator("admin"), "admin");
+ }
- privilegeEntities.add(privilegeEntity);
+ @Test
+ public void testGetResource_Administrator_Other() throws Exception {
+ getResourceTest(TestAuthenticationFactory.createAdministrator("admin"), "User1");
+ }
- expect(privilegeDAO.findAll()).andReturn(privilegeEntities);
- expect(privilegeEntity.getResource()).andReturn(resourceEntity).anyTimes();
- expect(privilegeEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
- expect(privilegeEntity.getPermission()).andReturn(permissionEntity).anyTimes();
- expect(resourceEntity.getId()).andReturn(1L).anyTimes();
- expect(resourceEntity.getResourceType()).andReturn(resourceTypeEntity).anyTimes();
- expect(resourceTypeEntity.getId()).andReturn(ResourceType.AMBARI.getId()).anyTimes();
- expect(resourceTypeEntity.getName()).andReturn(ResourceType.AMBARI.name()).anyTimes();
- expect(principalEntity.getId()).andReturn(1L).anyTimes();
- expect(userEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
- expect(userEntity.getUserName()).andReturn("joe").anyTimes();
- expect(permissionEntity.getPermissionName()).andReturn("AMBARI.ADMINISTRATOR").anyTimes();
- expect(permissionEntity.getPermissionLabel()).andReturn("Administrator").anyTimes();
- expect(principalEntity.getPrincipalType()).andReturn(principalTypeEntity).anyTimes();
- expect(principalTypeEntity.getName()).andReturn("USER").anyTimes();
+ @Test(expected = AuthorizationException.class)
+ public void testGetResource_NonAdministrator_Self() throws Exception {
+ getResourceTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User1");
+ }
- expect(userDAO.findUsersByPrincipal(principalEntities)).andReturn(userEntities);
- expect(clusterDAO.findAll()).andReturn(Collections.<ClusterEntity>emptyList());
- expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList());
+ @Test(expected = AuthorizationException.class)
+ public void testGetResource_NonAdministrator_Other() throws Exception {
+ getResourceTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User10");
+ }
- replay(privilegeDAO, userDAO, groupDAO, principalDAO, permissionDAO, resourceDAO, clusterDAO,
- privilegeEntity, resourceEntity, resourceTypeEntity, userEntity, principalEntity,
- permissionEntity, principalTypeEntity);
+ @Test
+ public void testUpdateResources_Administrator_Self() throws Exception {
+ updateResourcesTest(TestAuthenticationFactory.createAdministrator("admin"), "admin");
+ }
- PrivilegeResourceProvider provider = new AmbariPrivilegeResourceProvider();
- Set<Resource> resources = provider.getResources(PropertyHelper.getReadRequest(), null);
+ @Test
+ public void testUpdateResources_Administrator_Other() throws Exception {
+ updateResourcesTest(TestAuthenticationFactory.createAdministrator("admin"), "User1");
+ }
- Assert.assertEquals(1, resources.size());
+ @Test(expected = AuthorizationException.class)
+ public void testUpdateResources_NonAdministrator_Self() throws Exception {
+ updateResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User1");
+ }
- Resource resource = resources.iterator().next();
+ @Test(expected = AuthorizationException.class)
+ public void testUpdateResources_NonAdministrator_Other() throws Exception {
+ updateResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User10");
+ }
- Assert.assertEquals("AMBARI.ADMINISTRATOR", resource.getPropertyValue(AmbariPrivilegeResourceProvider.PERMISSION_NAME_PROPERTY_ID));
- Assert.assertEquals("Administrator", resource.getPropertyValue(AmbariPrivilegeResourceProvider.PERMISSION_LABEL_PROPERTY_ID));
- Assert.assertEquals("joe", resource.getPropertyValue(AmbariPrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID));
- Assert.assertEquals("USER", resource.getPropertyValue(AmbariPrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID));
+ @Test
+ public void testDeleteResources_Administrator() throws Exception {
+ deleteResourcesTest(TestAuthenticationFactory.createAdministrator("admin"));
+ }
- verify(privilegeDAO, userDAO, groupDAO, principalDAO, permissionDAO, resourceDAO, privilegeEntity, resourceEntity,
- userEntity, principalEntity, permissionEntity, principalTypeEntity);
+ @Test(expected = AuthorizationException.class)
+ public void testDeleteResources_NonAdministrator() throws Exception {
+ deleteResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"));
}
@Test
public void testGetResources_allTypes() throws Exception {
+ Injector injector = createInjector();
PrivilegeEntity ambariPrivilegeEntity = createNiceMock(PrivilegeEntity.class);
ResourceEntity ambariResourceEntity = createNiceMock(ResourceEntity.class);
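Review bot: The denied-access cases in this hunk (`testCreateResources_NonAdministrator`, `testGetResource_NonAdministrator_Self` and the other `@Test(expected = AuthorizationException.class)` methods) pass when the exception is raised by any statement in the helper, so they do not pin that the provider rejected the caller before reading or writing privilege data. The helpers (`createResourcesTest`, `getResourceTest`, `updateResourcesTest`, `deleteResourcesTest`) are defined outside this hunk; if they finish with `verifyAll()`, as the helpers in ActiveWidgetLayoutResourceProviderTest do, that verification is skipped on the exception path. Catching `AuthorizationException` around the provider call, calling `verifyAll()` and then rethrowing would close that gap. Every denied case authenticates as a cluster administrator, so a case that leaves the `Authentication` unset would also show whether the check fails closed for unauthenticated callers.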
@@ -259,19 +261,25 @@ public class AmbariPrivilegeResourceProviderTest {
List<ClusterEntity> clusterEntities = new LinkedList<ClusterEntity>();
clusterEntities.add(clusterEntity);
- expect(clusterDAO.findAll()).andReturn(clusterEntities);
- expect(privilegeDAO.findAll()).andReturn(privilegeEntities);
- expect(userDAO.findUsersByPrincipal(anyObject(List.class))).andReturn(userEntities).anyTimes();
- expect(groupDAO.findGroupsByPrincipal(anyObject(List.class))).andReturn(Collections.<GroupEntity>emptyList()).anyTimes();
+ ClusterDAO clusterDAO = injector.getInstance(ClusterDAO.class);
+ expect(clusterDAO.findAll()).andReturn(clusterEntities).atLeastOnce();
+
+ PrivilegeDAO privilegeDAO = injector.getInstance(PrivilegeDAO.class);
+ expect(privilegeDAO.findAll()).andReturn(privilegeEntities).atLeastOnce();
+
+ UserDAO userDAO = injector.getInstance(UserDAO.class);
+ expect(userDAO.findUsersByPrincipal(anyObject(List.class))).andReturn(userEntities).atLeastOnce();
+
+ GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
+ expect(groupDAO.findGroupsByPrincipal(anyObject(List.class))).andReturn(Collections.<GroupEntity>emptyList()).atLeastOnce();
- replay(privilegeDAO, userDAO, principalDAO, permissionDAO, groupDAO, resourceDAO, clusterDAO, ambariPrivilegeEntity,
- ambariResourceEntity, ambariResourceTypeEntity, ambariUserEntity, ambariPrincipalEntity, ambariPermissionEntity, viewPrivilegeEntity,
- viewResourceEntity, viewResourceTypeEntity, viewUserEntity, viewPrincipalEntity, viewPrincipalTypeEntity, viewPermissionEntity, clusterPrivilegeEntity,
- clusterResourceEntity, clusterResourceTypeEntity, clusterUserEntity, clusterPrincipalEntity, clusterPermissionEntity,clusterPrincipalTypeEntity,
- ambariPrincipalTypeEntity, clusterEntity, viewEntity, viewInstanceEntity);
+ replayAll();
+
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator("admin"));
+
+ ResourceProvider provider = getResourceProvider(injector);
ViewRegistry.getInstance().addDefinition(viewEntity);
- PrivilegeResourceProvider provider = new AmbariPrivilegeResourceProvider();
Set<Resource> resources = provider.getResources(PropertyHelper.getReadRequest(), null);
Assert.assertEquals(3, resources.size());
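Review bot: The `anyObject(List.class)` matchers kept on the `userDAO.findUsersByPrincipal` and `groupDAO.findGroupsByPrincipal` expectations accept any argument, so this test still passes if the provider looks up privileges for the wrong set of principals. The helper `getResourcesTest` added later in this commit passes the exact list instead. Doing the same here, e.g. `expect(userDAO.findUsersByPrincipal(principalEntities)).andReturn(userEntities).atLeastOnce();`, would pin the lookup, assuming the principals created earlier in the method are collected into such a list. `testGetResources_allTypes` starts before this hunk and continues after it, so that setup is not visible here.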
@@ -316,61 +324,7 @@ public class AmbariPrivilegeResourceProviderTest {
Assert.assertEquals("inst1", resource3.getPropertyValue(ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID));
Assert.assertEquals("VIEW", resource3.getPropertyValue(AmbariPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID));
- verify(privilegeDAO, userDAO, principalDAO, permissionDAO, groupDAO, resourceDAO, clusterDAO, ambariPrivilegeEntity,
- ambariResourceEntity, ambariResourceTypeEntity, ambariUserEntity, ambariPrincipalEntity, ambariPermissionEntity, viewPrivilegeEntity,
- viewResourceEntity, viewResourceTypeEntity, viewUserEntity, viewPrincipalEntity, viewPrincipalTypeEntity, viewPermissionEntity, clusterPrivilegeEntity,
- clusterResourceEntity, clusterResourceTypeEntity, clusterUserEntity, clusterPrincipalEntity, clusterPermissionEntity,clusterPrincipalTypeEntity,
- ambariPrincipalTypeEntity, clusterEntity, viewEntity, viewInstanceEntity);
- }
-
- @Test
- public void testUpdateResources() throws Exception {
- PrivilegeResourceProvider provider = new AmbariPrivilegeResourceProvider();
-
- PrivilegeEntity privilegeEntity = createNiceMock(PrivilegeEntity.class);
- ResourceEntity resourceEntity = createNiceMock(ResourceEntity.class);
- ResourceTypeEntity resourceTypeEntity = createNiceMock(ResourceTypeEntity.class);
- Request request = createNiceMock(Request.class);
- PermissionEntity permissionEntity = createNiceMock(PermissionEntity.class);
- PrincipalEntity principalEntity = createNiceMock(PrincipalEntity.class);
- UserEntity userEntity = createNiceMock(UserEntity.class);
-
- expect(privilegeDAO.findByResourceId(1L)).andReturn(Collections.singletonList(privilegeEntity)).anyTimes();
- privilegeDAO.remove(privilegeEntity);
- EasyMock.expectLastCall().anyTimes();
- expect(request.getProperties()).andReturn(new HashSet<Map<String,Object>>() {
- {
- add(new HashMap<String, Object>() {
- {
- put(PrivilegeResourceProvider.PERMISSION_NAME_PROPERTY_ID, "READ");
- put(PrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID, "admin");
- put(PrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID, "user");
- }
- });
- }
- }).anyTimes();
- expect(clusterDAO.findAll()).andReturn(Collections.<ClusterEntity>emptyList());
- expect(permissionDAO.findPermissionByNameAndType(EasyMock.eq("READ"), EasyMock.<ResourceTypeEntity> anyObject())).andReturn(permissionEntity);
- expect(resourceDAO.findById(EasyMock.anyLong())).andReturn(resourceEntity);
- expect(userDAO.findUserByName("admin")).andReturn(userEntity);
- expect(principalDAO.findById(EasyMock.anyLong())).andReturn(principalEntity);
- expect(userEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
- expect(principalEntity.getId()).andReturn(2L).anyTimes();
- expect(permissionEntity.getPermissionName()).andReturn("READ").anyTimes();
- expect(privilegeEntity.getPermission()).andReturn(permissionEntity).anyTimes();
- expect(resourceTypeEntity.getId()).andReturn(3).anyTimes();
- expect(resourceEntity.getResourceType()).andReturn(resourceTypeEntity).anyTimes();
- expect(permissionEntity.getResourceType()).andReturn(resourceTypeEntity).anyTimes();
- expect(privilegeEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
- privilegeDAO.create(EasyMock.<PrivilegeEntity> anyObject());
- EasyMock.expectLastCall().anyTimes();
-
- replay(privilegeEntity, privilegeDAO, request, permissionDAO, permissionEntity, resourceEntity, resourceDAO,
- principalEntity, principalDAO, userDAO, userEntity, resourceTypeEntity, clusterDAO);
-
- provider.updateResources(request, null);
-
- verify(privilegeEntity, privilegeDAO, request, permissionDAO, permissionEntity, resourceEntity, resourceDAO, principalEntity, principalDAO, userDAO, userEntity, resourceTypeEntity);
+ verifyAll();
}
@Test
@@ -563,4 +517,386 @@ public class AmbariPrivilegeResourceProviderTest {
verify(permissionEntity, principalTypeEntity, principalEntity, resourceTypeEntity, viewInstanceEntity, viewEntity, resourceEntity, privilegeEntity);
}
+
+ private void createResourcesTest(Authentication authentication) throws Exception {
+ Injector injector = createInjector();
+
+ PrincipalEntity principalEntity = createMockPrincipalEntity(2L, createMockPrincipalTypeEntity("USER"));
+
+ ResourceTypeEntity clusterResourceTypeEntity = createMockResourceTypeEntity(ResourceType.CLUSTER);
+ ResourceEntity clusterResourceEntity = createMockResourceEntity(1L, clusterResourceTypeEntity);
+ PermissionEntity permissionEntity = createMockPermissionEntity("CLUSTER.OPERATOR", "Cluster Operator", clusterResourceTypeEntity);
+
+ PrivilegeEntity privilegeEntity = createMockPrivilegeEntity(2, clusterResourceEntity, principalEntity, permissionEntity);
+
+ Set<PrivilegeEntity> privilegeEntities = new HashSet<PrivilegeEntity>();
+ privilegeEntities.add(privilegeEntity);
+
+ expect(principalEntity.getPrivileges()).andReturn(privilegeEntities).atLeastOnce();
+
+ UserEntity userEntity = createMockUserEntity(principalEntity, "User1");
+
+ PrivilegeDAO privilegeDAO = injector.getInstance(PrivilegeDAO.class);
+ expect(privilegeDAO.exists(anyObject(PrivilegeEntity.class))).andReturn(false).atLeastOnce();
+ privilegeDAO.create(anyObject(PrivilegeEntity.class));
+ expectLastCall().once();
+
+ UserDAO userDAO = injector.getInstance(UserDAO.class);
+ expect(userDAO.findUserByName("User1")).andReturn(userEntity).atLeastOnce();
+
+ PrincipalDAO principalDAO = injector.getInstance(PrincipalDAO.class);
+ expect(principalDAO.findById(2L)).andReturn(principalEntity).atLeastOnce();
+ expect(principalDAO.merge(principalEntity)).andReturn(principalEntity).once();
+
+ ClusterDAO clusterDAO = injector.getInstance(ClusterDAO.class);
+ expect(clusterDAO.findAll()).andReturn(Collections.<ClusterEntity>emptyList()).atLeastOnce();
+
+ ResourceDAO resourceDAO = injector.getInstance(ResourceDAO.class);
+ expect(resourceDAO.findById(1L)).andReturn(clusterResourceEntity).atLeastOnce();
+
+ PermissionDAO permissionDAO = injector.getInstance(PermissionDAO.class);
+ expect(permissionDAO.findPermissionByNameAndType("CLUSTER.OPERATOR", clusterResourceTypeEntity))
+ .andReturn(permissionEntity)
+ .atLeastOnce();
+
+ replayAll();
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
+ // add the property map to a set for the request.
+ Map<String, Object> properties = new LinkedHashMap<String, Object>();
+ properties.put(PrivilegeResourceProvider.PERMISSION_NAME_PROPERTY_ID, "CLUSTER.OPERATOR");
+ properties.put(PrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID, "User1");
+ properties.put(PrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID, "USER");
+
+ // create the request
+ Request request = PropertyHelper.getUpdateRequest(properties, null);
+
+ ResourceProvider provider = getResourceProvider(injector);
+ provider.createResources(request);
+
+ verifyAll();
+ }
+
+ private void getResourcesTest(Authentication authentication) throws Exception {
+ Injector injector = createInjector();
+
+ List<PrivilegeEntity> privilegeEntities = new LinkedList<PrivilegeEntity>();
+
+ PrincipalEntity principalEntity = createMockPrincipalEntity(1L, createMockPrincipalTypeEntity("USER"));
+
+ List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
+ principalEntities.add(principalEntity);
+
+ List<UserEntity> userEntities = new LinkedList<UserEntity>();
+ userEntities.add(createMockUserEntity(principalEntity, "User1"));
+
+ ResourceTypeEntity ambariResourceTypeEntity = createMockResourceTypeEntity(ResourceType.AMBARI);
+ ResourceEntity ambariResourceEntity = createMockResourceEntity(1L, ambariResourceTypeEntity);
+
+ privilegeEntities.add(createMockPrivilegeEntity(
+ 1, ambariResourceEntity,
+ principalEntity,
+ createMockPermissionEntity("AMBARI.ADMINISTRATOR", "Administrator", ambariResourceTypeEntity)));
+
+ PrivilegeDAO privilegeDAO = injector.getInstance(PrivilegeDAO.class);
+ expect(privilegeDAO.findAll()).andReturn(privilegeEntities).atLeastOnce();
+
+ UserDAO userDAO = injector.getInstance(UserDAO.class);
+ expect(userDAO.findUsersByPrincipal(principalEntities)).andReturn(userEntities).atLeastOnce();
+
+ ClusterDAO clusterDAO = injector.getInstance(ClusterDAO.class);
+ expect(clusterDAO.findAll()).andReturn(Collections.<ClusterEntity>emptyList()).atLeastOnce();
+
+ GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
+ expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList()).atLeastOnce();
+
+ replayAll();
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
+ ResourceProvider provider = getResourceProvider(injector);
+ Set<Resource> resources = provider.getResources(PropertyHelper.getReadRequest(), null);
+
+ Assert.assertEquals(1, resources.size());
+
+ Resource resource = resources.iterator().next();
+
+ Assert.assertEquals("AMBARI.ADMINISTRATOR", resource.getPropertyValue(AmbariPrivilegeResourceProvider.PERMISSION_NAME_PROPERTY_ID));
+ Assert.assertEquals("Administrator", resource.getPropertyValue(AmbariPrivilegeResourceProvider.PERMISSION_LABEL_PROPERTY_ID));
+ Assert.assertEquals("User1", resource.getPropertyValue(AmbariPrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID));
+ Assert.assertEquals("USER", resource.getPropertyValue(AmbariPrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID));
+
+ verifyAll();
+ }
+
+ private void getResourceTest(Authentication authentication, String requestedUsername) throws Exception {
+ Injector injector = createInjector();
+
+ PrincipalEntity principalEntity1 = createMockPrincipalEntity(1L, createMockPrincipalTypeEntity("USER"));
+ PrincipalEntity principalEntity2 = createMockPrincipalEntity(2L, createMockPrincipalTypeEntity("USER"));
+
+ List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
+ principalEntities.add(principalEntity1);
+ principalEntities.add(principalEntity2);
+
+ List<UserEntity> userEntities = new LinkedList<UserEntity>();
+ userEntities.add(createMockUserEntity(principalEntity1, requestedUsername));
+ userEntities.add(createMockUserEntity(principalEntity2, "Not" + requestedUsername));
+
+ ResourceTypeEntity clusterResourceTypeEntity = createMockResourceTypeEntity(ResourceType.CLUSTER);
+ ResourceEntity clusterResourceEntity = createMockResourceEntity(1L, clusterResourceTypeEntity);
+ PermissionEntity permissionEntity = createMockPermissionEntity("CLUSTER.OPERATOR", "Cluster Operator", clusterResourceTypeEntity);
+
+ List<PrivilegeEntity> privilegeEntities = new LinkedList<PrivilegeEntity>();
+ privilegeEntities.add(createMockPrivilegeEntity(1, clusterResourceEntity, principalEntity1, permissionEntity));
+ privilegeEntities.add(createMockPrivilegeEntity(2, clusterResourceEntity, principalEntity2, permissionEntity));
+
+ PrivilegeDAO privilegeDAO = injector.getInstance(PrivilegeDAO.class);
+ expect(privilegeDAO.findAll()).andReturn(privilegeEntities).atLeastOnce();
+
+ UserDAO userDAO = injector.getInstance(UserDAO.class);
+ expect(userDAO.findUsersByPrincipal(principalEntities)).andReturn(userEntities).atLeastOnce();
+
+ List<ClusterEntity> clusterEntities = new ArrayList<ClusterEntity>();
+ clusterEntities.add(createMockClusterEntity("c1", clusterResourceEntity));
+
+ ClusterDAO clusterDAO = injector.getInstance(ClusterDAO.class);
+ expect(clusterDAO.findAll()).andReturn(clusterEntities).atLeastOnce();
+
+ GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
+ expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList()).atLeastOnce();
+
+ replayAll();
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
+ ResourceProvider provider = getResourceProvider(injector);
+ Set<Resource> resources = provider.getResources(PropertyHelper.getReadRequest(), createPredicate(1L));
+
+ Assert.assertEquals(1, resources.size());
+
+ Resource resource = resources.iterator().next();
+
+ Assert.assertEquals("CLUSTER.OPERATOR", resource.getPropertyValue(AmbariPrivilegeResourceProvider.PERMISSION_NAME_PROPERTY_ID));
+ Assert.assertEquals("Cluster Operator", resource.getPropertyValue(AmbariPrivilegeResourceProvider.PERMISSION_LABEL_PROPERTY_ID));
+ Assert.assertEquals(requestedUsername, resource.getPropertyValue(AmbariPrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID));
+ Assert.assertEquals("USER", resource.getPropertyValue(AmbariPrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID));
+
+ verifyAll();
+ }
+
+ private void updateResourcesTest(Authentication authentication, String requestedUsername) throws Exception {
+ Injector injector = createInjector();
+
+ PrincipalEntity principalEntity1 = createMockPrincipalEntity(1L, createMockPrincipalTypeEntity("USER"));
+ PrincipalEntity principalEntity2 = createMockPrincipalEntity(2L, createMockPrincipalTypeEntity("USER"));
+
+ ResourceTypeEntity clusterResourceTypeEntity = createMockResourceTypeEntity(ResourceType.CLUSTER);
+ ResourceEntity clusterResourceEntity = createMockResourceEntity(1L, clusterResourceTypeEntity);
+ PermissionEntity permissionEntity = createMockPermissionEntity("CLUSTER.OPERATOR", "Cluster Operator", clusterResourceTypeEntity);
+
+ PrivilegeEntity privilegeEntity1 = createMockPrivilegeEntity(1, clusterResourceEntity, principalEntity1, permissionEntity);
+ PrivilegeEntity privilegeEntity2 = createMockPrivilegeEntity(2, clusterResourceEntity, principalEntity2, permissionEntity);
+
+ Set<PrivilegeEntity> privilege1Entities = new HashSet<PrivilegeEntity>();
+ privilege1Entities.add(privilegeEntity1);
+
+ Set<PrivilegeEntity> privilege2Entities = new HashSet<PrivilegeEntity>();
+ privilege2Entities.add(privilegeEntity2);
+
+ List<PrivilegeEntity> privilegeEntities = new LinkedList<PrivilegeEntity>();
+ privilegeEntities.addAll(privilege1Entities);
+ privilegeEntities.addAll(privilege2Entities);
+
+ expect(principalEntity2.getPrivileges()).andReturn(privilege2Entities).atLeastOnce();
+
+ UserEntity userEntity = createMockUserEntity(principalEntity1, requestedUsername);
+
+ PrivilegeDAO privilegeDAO = injector.getInstance(PrivilegeDAO.class);
+ expect(privilegeDAO.findByResourceId(1L)).andReturn(privilegeEntities).atLeastOnce();
+ privilegeDAO.remove(privilegeEntity2);
+ expectLastCall().atLeastOnce();
+
+ UserDAO userDAO = injector.getInstance(UserDAO.class);
+ expect(userDAO.findUserByName(requestedUsername)).andReturn(userEntity).atLeastOnce();
+
+ PrincipalDAO principalDAO = injector.getInstance(PrincipalDAO.class);
+ expect(principalDAO.findById(1L)).andReturn(principalEntity1).atLeastOnce();
+ expect(principalDAO.merge(principalEntity2)).andReturn(principalEntity2).atLeastOnce();
+
+ ClusterDAO clusterDAO = injector.getInstance(ClusterDAO.class);
+ expect(clusterDAO.findAll()).andReturn(Collections.<ClusterEntity>emptyList()).atLeastOnce();
+
+ ResourceDAO resourceDAO = injector.getInstance(ResourceDAO.class);
+ expect(resourceDAO.findById(1L)).andReturn(clusterResourceEntity).atLeastOnce();
+
+ PermissionDAO permissionDAO = injector.getInstance(PermissionDAO.class);
+ expect(permissionDAO.findPermissionByNameAndType("CLUSTER.OPERATOR", clusterResourceTypeEntity))
+ .andReturn(permissionEntity)
+ .atLeastOnce();
+
+ replayAll();
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
+ // add the property map to a set for the request.
+ Map<String, Object> properties = new LinkedHashMap<String, Object>();
+ properties.put(PrivilegeResourceProvider.PERMISSION_NAME_PROPERTY_ID, "CLUSTER.OPERATOR");
+ properties.put(PrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID, requestedUsername);
+ properties.put(PrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID, "USER");
+
+ // create the request
+ Request request = PropertyHelper.getUpdateRequest(properties, null);
+
+ ResourceProvider provider = getResourceProvider(injector);
+ provider.updateResources(request, createPredicate(1L));
+
+ verifyAll();
+ }
+
+ private void deleteResourcesTest(Authentication authentication) throws Exception {
+ Injector injector = createInjector();
+
+ PrincipalEntity principalEntity1 = createMockPrincipalEntity(1L, createMockPrincipalTypeEntity("USER"));
+
+ ResourceTypeEntity clusterResourceTypeEntity = createMockResourceTypeEntity(ResourceType.CLUSTER);
+ ResourceEntity clusterResourceEntity = createMockResourceEntity(1L, clusterResourceTypeEntity);
+ PermissionEntity permissionEntity = createMockPermissionEntity("CLUSTER.OPERATOR", "Cluster Operator", clusterResourceTypeEntity);
+
+ PrivilegeEntity privilegeEntity1 = createMockPrivilegeEntity(1, clusterResourceEntity, principalEntity1, permissionEntity);
+
+ Set<PrivilegeEntity> privilege1Entities = new HashSet<PrivilegeEntity>();
+ privilege1Entities.add(privilegeEntity1);
+
+ expect(principalEntity1.getPrivileges()).andReturn(privilege1Entities).atLeastOnce();
+
+ PrivilegeDAO privilegeDAO = injector.getInstance(PrivilegeDAO.class);
+ expect(privilegeDAO.findById(1)).andReturn(privilegeEntity1).atLeastOnce();
+ privilegeDAO.remove(privilegeEntity1);
+ expectLastCall().atLeastOnce();
+
+ PrincipalDAO principalDAO = injector.getInstance(PrincipalDAO.class);
+ expect(principalDAO.merge(principalEntity1)).andReturn(principalEntity1).atLeastOnce();
+
+ replayAll();
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
+ ResourceProvider provider = getResourceProvider(injector);
+ provider.deleteResources(createPredicate(1L));
+
+ verifyAll();
+ }
+
+ private Predicate createPredicate(Long id) {
+ return new PredicateBuilder()
+ .property(AmbariPrivilegeResourceProvider.PRIVILEGE_ID_PROPERTY_ID)
+ .equals(id)
+ .toPredicate();
+ }
+
+ private ClusterEntity createMockClusterEntity(String clusterName, ResourceEntity resourceEntity) {
+ ClusterEntity clusterEntity = createMock(ClusterEntity.class);
+ expect(clusterEntity.getClusterName()).andReturn(clusterName).anyTimes();
+ expect(clusterEntity.getResource()).andReturn(resourceEntity).anyTimes();
+ return clusterEntity;
+ }
+
+ private UserEntity createMockUserEntity(PrincipalEntity principalEntity, String username) {
+ UserEntity userEntity = createMock(UserEntity.class);
+ expect(userEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
+ expect(userEntity.getUserName()).andReturn(username).anyTimes();
+ return userEntity;
+ }
+
+ private PermissionEntity createMockPermissionEntity(String name, String label, ResourceTypeEntity resourceTypeEntity) {
+ PermissionEntity permissionEntity = createMock(PermissionEntity.class);
+ expect(permissionEntity.getPermissionName()).andReturn(name).anyTimes();
+ expect(permissionEntity.getPermissionLabel()).andReturn(label).anyTimes();
+ expect(permissionEntity.getResourceType()).andReturn(resourceTypeEntity).anyTimes();
+ return permissionEntity;
+ }
+
+ private PrincipalTypeEntity createMockPrincipalTypeEntity(String typeName) {
+ PrincipalTypeEntity principalTypeEntity = createMock(PrincipalTypeEntity.class);
+ expect(principalTypeEntity.getName()).andReturn(typeName).anyTimes();
+ return principalTypeEntity;
+ }
+
+ private PrincipalEntity createMockPrincipalEntity(Long id, PrincipalTypeEntity principalTypeEntity) {
+ PrincipalEntity principalEntity = createMock(PrincipalEntity.class);
+ expect(principalEntity.getId()).andReturn(id).anyTimes();
+ expect(principalEntity.getPrincipalType()).andReturn(principalTypeEntity).anyTimes();
+ return principalEntity;
+ }
+
+ private ResourceTypeEntity createMockResourceTypeEntity(ResourceType resourceType) {
+ ResourceTypeEntity resourceTypeEntity = createMock(ResourceTypeEntity.class);
+ expect(resourceTypeEntity.getId()).andReturn(resourceType.getId()).anyTimes();
+ expect(resourceTypeEntity.getName()).andReturn(resourceType.name()).anyTimes();
+ return resourceTypeEntity;
+ }
+
+ private ResourceEntity createMockResourceEntity(Long id, ResourceTypeEntity resourceTypeEntity) {
+ ResourceEntity resourceEntity = createMock(ResourceEntity.class);
+ expect(resourceEntity.getId()).andReturn(id).anyTimes();
+ expect(resourceEntity.getResourceType()).andReturn(resourceTypeEntity).anyTimes();
+ return resourceEntity;
+ }
+
+ private PrivilegeEntity createMockPrivilegeEntity(Integer id, ResourceEntity resourceEntity, PrincipalEntity principalEntity, PermissionEntity permissionEntity) {
+ PrivilegeEntity privilegeEntity = createMock(PrivilegeEntity.class);
+ expect(privilegeEntity.getId()).andReturn(id).anyTimes();
+ expect(privilegeEntity.getResource()).andReturn(resourceEntity).anyTimes();
+ expect(privilegeEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
+ expect(privilegeEntity.getPermission()).andReturn(permissionEntity).anyTimes();
+ return privilegeEntity;
+ }
+
+ private ResourceProvider getResourceProvider(Injector injector) {
+ ViewRegistry.initInstance(ViewRegistryTest.getRegistry(
+ injector.getInstance(ViewDAO.class),
+ injector.getInstance(ViewInstanceDAO.class),
+ injector.getInstance(UserDAO.class),
+ injector.getInstance(MemberDAO.class),
+ injector.getInstance(PrivilegeDAO.class),
+ injector.getInstance(ResourceDAO.class),
+ injector.getInstance(ResourceTypeDAO.class),
+ injector.getInstance(SecurityHelper.class),
+ injector.getInstance(ViewInstanceHandlerList.class),
+ null,
+ null,
+ null));
+ PrivilegeResourceProvider.init(injector.getInstance(PrivilegeDAO.class),
+ injector.getInstance(UserDAO.class),
+ injector.getInstance(GroupDAO.class),
+ injector.getInstance(PrincipalDAO.class),
+ injector.getInstance(PermissionDAO.class),
+ injector.getInstance(ResourceDAO.class));
+ AmbariPrivilegeResourceProvider.init(injector.getInstance(ClusterDAO.class));
+ return new AmbariPrivilegeResourceProvider();
+ }
+
+ private Injector createInjector() throws Exception {
+ return Guice.createInjector(new AbstractModule() {
+ @Override
+ protected void configure() {
+ bind(EntityManager.class).toInstance(createNiceMock(EntityManager.class));
+ bind(DBAccessor.class).toInstance(createNiceMock(DBAccessor.class));
+ bind(SecurityHelper.class).toInstance(createNiceMock(SecurityHelper.class));
+ bind(ViewInstanceDAO.class).toInstance(createNiceMock(ViewInstanceDAO.class));
+ bind(ViewInstanceHandlerList.class).toInstance(createNiceMock(ViewInstanceHandlerList.class));
+ bind(MemberDAO.class).toInstance(createNiceMock(MemberDAO.class));
+
+ bind(PrivilegeDAO.class).toInstance(createMock(PrivilegeDAO.class));
+ bind(PrincipalDAO.class).toInstance(createMock(PrincipalDAO.class));
+ bind(PermissionDAO.class).toInstance(createMock(PermissionDAO.class));
+ bind(UserDAO.class).toInstance(createMock(UserDAO.class));
+ bind(GroupDAO.class).toInstance(createMock(GroupDAO.class));
+ bind(ResourceDAO.class).toInstance(createMock(ResourceDAO.class));
+ bind(ClusterDAO.class).toInstance(createMock(ClusterDAO.class));
+ }
+ });
+ }
}
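Review bot: The non-administrator cases (`@Test(expected = AuthorizationException.class)`) reuse the administrator helpers, so `createResourcesTest`, `updateResourcesTest` and `deleteResourcesTest` still record `privilegeDAO.create(...)` and `privilegeDAO.remove(...)` as permitted calls, and `verifyAll()` is never reached once the exception is thrown. A provider that modified privileges first and only then threw `AuthorizationException` would pass these tests, so they do not show that the check runs before any write. Recording the mutating expectations only for the authorized case, behind a new boolean parameter such as `if (expectSuccess) { privilegeDAO.remove(privilegeEntity2); expectLastCall().atLeastOnce(); }`, would close that gap. The non-nice mocks bound in `createInjector` would then fail the test with an unexpected-call error on any write attempted for an unauthorized caller.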
http://git-wip-us.apache.org/repos/asf/ambari/blob/7d45f1f7/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProviderTest.java
index 1412470..c272f2b 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProviderTest.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -18,16 +18,25 @@
package org.apache.ambari.server.controller.internal;
+import com.google.inject.AbstractModule;
+import com.google.inject.Guice;
+import com.google.inject.Injector;
+import org.apache.ambari.server.controller.spi.Predicate;
import org.apache.ambari.server.controller.spi.Request;
import org.apache.ambari.server.controller.spi.Resource;
+import org.apache.ambari.server.controller.spi.ResourceProvider;
+import org.apache.ambari.server.controller.utilities.PredicateBuilder;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
+import org.apache.ambari.server.orm.DBAccessor;
import org.apache.ambari.server.orm.dao.ClusterDAO;
import org.apache.ambari.server.orm.dao.GroupDAO;
+import org.apache.ambari.server.orm.dao.MemberDAO;
import org.apache.ambari.server.orm.dao.PermissionDAO;
import org.apache.ambari.server.orm.dao.PrincipalDAO;
import org.apache.ambari.server.orm.dao.PrivilegeDAO;
import org.apache.ambari.server.orm.dao.ResourceDAO;
import org.apache.ambari.server.orm.dao.UserDAO;
+import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
import org.apache.ambari.server.orm.entities.ClusterEntity;
import org.apache.ambari.server.orm.entities.GroupEntity;
import org.apache.ambari.server.orm.entities.PermissionEntity;
@@ -35,59 +44,191 @@ import org.apache.ambari.server.orm.entities.PrincipalEntity;
import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
import org.apache.ambari.server.orm.entities.ResourceEntity;
+import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import org.apache.ambari.server.orm.entities.UserEntity;
+import org.apache.ambari.server.security.SecurityHelper;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.view.ViewInstanceHandlerList;
+import org.easymock.EasyMockSupport;
+import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
-import org.junit.BeforeClass;
import org.junit.Test;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import javax.persistence.EntityManager;
+import java.util.ArrayList;
import java.util.Collections;
+import java.util.HashSet;
+import java.util.LinkedHashMap;
import java.util.LinkedList;
import java.util.List;
+import java.util.Map;
import java.util.Set;
-import static org.easymock.EasyMock.createNiceMock;
-import static org.easymock.EasyMock.createStrictMock;
-import static org.easymock.EasyMock.expect;
-import static org.easymock.EasyMock.replay;
-import static org.easymock.EasyMock.reset;
-import static org.easymock.EasyMock.verify;
+import static org.easymock.EasyMock.*;
+import static org.easymock.EasyMock.anyObject;
/**
* ClusterPrivilegeResourceProvider tests.
*/
-public class ClusterPrivilegeResourceProviderTest {
- private final static PrivilegeDAO privilegeDAO = createStrictMock(PrivilegeDAO.class);
- private final static UserDAO userDAO = createStrictMock(UserDAO.class);
- private final static GroupDAO groupDAO = createStrictMock(GroupDAO.class);
- private final static PrincipalDAO principalDAO = createStrictMock(PrincipalDAO.class);
- private final static PermissionDAO permissionDAO = createStrictMock(PermissionDAO.class);
- private final static ResourceDAO resourceDAO = createStrictMock(ResourceDAO.class);
- private final static ClusterDAO clusterDAO = createStrictMock(ClusterDAO.class);
-
- @BeforeClass
- public static void initClass() {
- PrivilegeResourceProvider.init(privilegeDAO, userDAO, groupDAO, principalDAO, permissionDAO, resourceDAO);
- ClusterPrivilegeResourceProvider.init(clusterDAO);
- }
+public class ClusterPrivilegeResourceProviderTest extends EasyMockSupport {
@Before
public void resetGlobalMocks() {
- reset(privilegeDAO, userDAO, groupDAO, principalDAO, permissionDAO, resourceDAO);
+ resetAll();
+ }
+
+ @After
+ public void clearAuthentication() {
+ SecurityContextHolder.getContext().setAuthentication(null);
}
@Test
- public void testGetResources() throws Exception {
+ public void testCreateResources_Administrator() throws Exception {
+ createResourcesTest(TestAuthenticationFactory.createAdministrator("admin"));
+ }
- List<PrivilegeEntity> privilegeEntities = new LinkedList<PrivilegeEntity>();
+ @Test(expected = AuthorizationException.class)
+ public void testCreateResources_NonAdministrator() throws Exception {
+ createResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"));
+ }
+
+ @Test
+ public void testGetResources_Administrator() throws Exception {
+ getResourcesTest(TestAuthenticationFactory.createAdministrator("admin"));
+ }
- PrivilegeEntity privilegeEntity = createNiceMock(PrivilegeEntity.class);
- ClusterEntity clusterEntity = createNiceMock(ClusterEntity.class);
- ResourceEntity resourceEntity = createNiceMock(ResourceEntity.class);
- UserEntity userEntity = createNiceMock(UserEntity.class);
- PrincipalEntity principalEntity = createNiceMock(PrincipalEntity.class);
- PrincipalTypeEntity principalTypeEntity = createNiceMock(PrincipalTypeEntity.class);
- PermissionEntity permissionEntity = createNiceMock(PermissionEntity.class);
+ @Test(expected = AuthorizationException.class)
+ public void testGetResources_NonAdministrator() throws Exception {
+ getResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"));
+ }
+
+ @Test
+ public void testGetResource_Administrator_Self() throws Exception {
+ getResourceTest(TestAuthenticationFactory.createAdministrator("admin"), "admin");
+ }
+
+ @Test
+ public void testGetResource_Administrator_Other() throws Exception {
+ getResourceTest(TestAuthenticationFactory.createAdministrator("admin"), "User1");
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testGetResource_NonAdministrator_Self() throws Exception {
+ getResourceTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User1");
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testGetResource_NonAdministrator_Other() throws Exception {
+ getResourceTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User10");
+ }
+
+ @Test
+ public void testUpdateResources_Administrator_Self() throws Exception {
+ updateResourcesTest(TestAuthenticationFactory.createAdministrator("admin"), "admin");
+ }
+
+ @Test
+ public void testUpdateResources_Administrator_Other() throws Exception {
+ updateResourcesTest(TestAuthenticationFactory.createAdministrator("admin"), "User1");
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testUpdateResources_NonAdministrator_Self() throws Exception {
+ updateResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User1");
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testUpdateResources_NonAdministrator_Other() throws Exception {
+ updateResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User10");
+ }
+
+ @Test
+ public void testDeleteResources_Administrator() throws Exception {
+ deleteResourcesTest(TestAuthenticationFactory.createAdministrator("admin"));
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testDeleteResources_NonAdministrator() throws Exception {
+ deleteResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"));
+ }
+
+
+ private void createResourcesTest(Authentication authentication) throws Exception {
+ Injector injector = createInjector();
+
+ PrincipalEntity principalEntity = createMockPrincipalEntity(2L, createMockPrincipalTypeEntity("USER"));
+
+ ResourceTypeEntity clusterResourceTypeEntity = createMockResourceTypeEntity(ResourceType.CLUSTER);
+ ResourceEntity clusterResourceEntity = createMockResourceEntity(1L, clusterResourceTypeEntity);
+ PermissionEntity permissionEntity = createMockPermissionEntity("CLUSTER.OPERATOR", "Cluster Operator", clusterResourceTypeEntity);
+ PrivilegeEntity privilegeEntity = createMockPrivilegeEntity(2, clusterResourceEntity, principalEntity, permissionEntity);
+ ClusterEntity clusterEntity = createMockClusterEntity("c1", clusterResourceEntity);
+ UserEntity userEntity = createMockUserEntity(principalEntity, "User1");
+
+ Set<PrivilegeEntity> privilegeEntities = new HashSet<PrivilegeEntity>();
+ privilegeEntities.add(privilegeEntity);
+
+ expect(principalEntity.getPrivileges()).andReturn(privilegeEntities).atLeastOnce();
+
+ PrivilegeDAO privilegeDAO = injector.getInstance(PrivilegeDAO.class);
+ expect(privilegeDAO.exists(anyObject(PrivilegeEntity.class))).andReturn(false).atLeastOnce();
+ privilegeDAO.create(anyObject(PrivilegeEntity.class));
+ expectLastCall().once();
+
+ UserDAO userDAO = injector.getInstance(UserDAO.class);
+ expect(userDAO.findUserByName("User1")).andReturn(userEntity).atLeastOnce();
+
+ PrincipalDAO principalDAO = injector.getInstance(PrincipalDAO.class);
+ expect(principalDAO.findById(2L)).andReturn(principalEntity).atLeastOnce();
+ expect(principalDAO.merge(principalEntity)).andReturn(principalEntity).once();
+
+ ClusterDAO clusterDAO = injector.getInstance(ClusterDAO.class);
+ expect(clusterDAO.findByName("c1")).andReturn(clusterEntity).atLeastOnce();
+
+ ResourceDAO resourceDAO = injector.getInstance(ResourceDAO.class);
+ expect(resourceDAO.findById(1L)).andReturn(clusterResourceEntity).atLeastOnce();
+
+ PermissionDAO permissionDAO = injector.getInstance(PermissionDAO.class);
+ expect(permissionDAO.findPermissionByNameAndType("CLUSTER.OPERATOR", clusterResourceTypeEntity))
+ .andReturn(permissionEntity)
+ .atLeastOnce();
+
+ replayAll();
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
+ // add the property map to a set for the request.
+ Map<String, Object> properties = new LinkedHashMap<String, Object>();
+ properties.put(PrivilegeResourceProvider.PERMISSION_NAME_PROPERTY_ID, "CLUSTER.OPERATOR");
+ properties.put(PrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID, "User1");
+ properties.put(PrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID, "USER");
+ properties.put(ClusterPrivilegeResourceProvider.PRIVILEGE_CLUSTER_NAME_PROPERTY_ID, "c1");
+
+ // create the request
+ Request request = PropertyHelper.getUpdateRequest(properties, null);
+
+ ResourceProvider provider = getResourceProvider(injector);
+ provider.createResources(request);
+
+ verifyAll();
+ }
+
+ private void getResourcesTest(Authentication authentication) throws Exception {
+ Injector injector = createInjector();
+
+ ResourceTypeEntity resourceTypeEntity = createMockResourceTypeEntity(ResourceType.CLUSTER);
+ ResourceEntity resourceEntity = createMockResourceEntity(20L, resourceTypeEntity);
+ PrincipalTypeEntity principalTypeEntity = createMockPrincipalTypeEntity("USER");
+ PrincipalEntity principalEntity = createMockPrincipalEntity(20L, principalTypeEntity);
+ PermissionEntity permissionEntity = createMockPermissionEntity("CLUSTER.ADMINISTRATOR", "Cluster Administrator", resourceTypeEntity);
+ PrivilegeEntity privilegeEntity = createMockPrivilegeEntity(1, resourceEntity, principalEntity, permissionEntity);
+ ClusterEntity clusterEntity = createMockClusterEntity("c1", resourceEntity);
+ UserEntity userEntity = createMockUserEntity(principalEntity, "joe");
List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
principalEntities.add(principalEntity);
@@ -95,37 +236,29 @@ public class ClusterPrivilegeResourceProviderTest {
List<UserEntity> userEntities = new LinkedList<UserEntity>();
userEntities.add(userEntity);
+ List<PrivilegeEntity> privilegeEntities = new LinkedList<PrivilegeEntity>();
privilegeEntities.add(privilegeEntity);
+ PrivilegeDAO privilegeDAO = injector.getInstance(PrivilegeDAO.class);
expect(privilegeDAO.findAll()).andReturn(privilegeEntities);
- expect(privilegeEntity.getResource()).andReturn(resourceEntity).anyTimes();
- expect(privilegeEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
- expect(privilegeEntity.getPermission()).andReturn(permissionEntity).anyTimes();
- expect(resourceEntity.getId()).andReturn(20L).anyTimes();
- expect(principalEntity.getId()).andReturn(20L).anyTimes();
- expect(userEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
- expect(userEntity.getUserName()).andReturn("joe").anyTimes();
- expect(permissionEntity.getPermissionName()).andReturn("CLUSTER.ADMINISTRATOR").anyTimes();
- expect(permissionEntity.getPermissionLabel()).andReturn("Cluster Administrator").anyTimes();
- expect(principalEntity.getPrincipalType()).andReturn(principalTypeEntity).anyTimes();
- expect(principalTypeEntity.getName()).andReturn("USER").anyTimes();
- expect(clusterEntity.getResource()).andReturn(resourceEntity);
List<ClusterEntity> clusterEntities = new LinkedList<ClusterEntity>();
clusterEntities.add(clusterEntity);
+
+ ClusterDAO clusterDAO = injector.getInstance(ClusterDAO.class);
expect(clusterDAO.findAll()).andReturn(clusterEntities);
+ UserDAO userDAO = injector.getInstance(UserDAO.class);
expect(userDAO.findUsersByPrincipal(principalEntities)).andReturn(userEntities);
- expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList());
- expect(permissionDAO.findById(2)).andReturn(permissionEntity);
- expect(permissionDAO.findById(3)).andReturn(permissionEntity);
+ GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
+ expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList());
- replay(privilegeDAO, userDAO, groupDAO, principalDAO, permissionDAO, resourceDAO, clusterDAO, privilegeEntity,
- clusterEntity, resourceEntity, userEntity, principalEntity, permissionEntity, principalTypeEntity);
+ replayAll();
+ SecurityContextHolder.getContext().setAuthentication(authentication);
- PrivilegeResourceProvider provider = new ClusterPrivilegeResourceProvider();
+ ResourceProvider provider = getResourceProvider(injector);
Set<Resource> resources = provider.getResources(PropertyHelper.getReadRequest(), null);
Assert.assertEquals(1, resources.size());
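Review bot: The denied-access case of getResourcesTest cannot tell whether the provider rejected the caller before or after reading privilege data. The helper records `privilegeDAO.findAll()`, `clusterDAO.findAll()` and the user/group lookups for every caller, and when `AuthorizationException` is thrown the method exits before the `verifyAll()` in the following hunk, so those expectations are never checked. Because the DAO mocks come from `createMock`, leaving the DAO expectations unrecorded for callers expected to be denied should make any DAO access ahead of the authorization check fail the test; a comment such as `// denied callers must fail before any DAO is touched` on that branch would record the intent. The same applies to getResourceTest, updateResourcesTest and deleteResourcesTest in the next hunk. getResourcesTest starts in the preceding hunk and ends in the following one.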
@@ -137,33 +270,251 @@ public class ClusterPrivilegeResourceProviderTest {
Assert.assertEquals("joe", resource.getPropertyValue(AmbariPrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID));
Assert.assertEquals("USER", resource.getPropertyValue(AmbariPrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID));
- verify(privilegeDAO, userDAO, groupDAO, principalDAO, permissionDAO, resourceDAO, clusterDAO, privilegeEntity,
- resourceEntity, clusterEntity, userEntity, principalEntity, permissionEntity, principalTypeEntity);
- reset(privilegeDAO, userDAO, groupDAO, principalDAO, permissionDAO, resourceDAO, clusterDAO);
+ verifyAll();
}
- @Test
- public void testUpdateResources() throws Exception {
- PermissionEntity permissionEntity = createNiceMock(PermissionEntity.class);
- Request request = createNiceMock(Request.class);
-
- expect(permissionEntity.getPermissionName()).andReturn("CLUSTER.ADMINISTRATOR").anyTimes();
- expect(permissionDAO.findById(2)).andReturn(permissionEntity);
- expect(permissionDAO.findById(3)).andReturn(permissionEntity);
-
- replay(permissionDAO, permissionEntity, request);
-
- PrivilegeResourceProvider provider = new ClusterPrivilegeResourceProvider();
- try {
- provider.updateResources(request, null);
- } catch (Exception ex) {
- // omit the exception, this method is from abstract class and tested in
- // AmbariPrivilegeResourceProvider#testUpdateResources
- // just check that permissions are okay
- }
-
- verify(permissionDAO, permissionEntity, request);
- reset(permissionDAO);
+ private void getResourceTest(Authentication authentication, String requestedUsername) throws Exception {
+ Injector injector = createInjector();
+
+ ResourceTypeEntity resourceTypeEntity = createMockResourceTypeEntity(ResourceType.CLUSTER);
+ ResourceEntity resourceEntity = createMockResourceEntity(20L, resourceTypeEntity);
+ PrincipalTypeEntity principalTypeEntity = createMockPrincipalTypeEntity("USER");
+ PrincipalEntity principalEntity = createMockPrincipalEntity(20L, principalTypeEntity);
+ PermissionEntity permissionEntity = createMockPermissionEntity("CLUSTER.ADMINISTRATOR", "Cluster Administrator", resourceTypeEntity);
+ PrivilegeEntity privilegeEntity = createMockPrivilegeEntity(1, resourceEntity, principalEntity, permissionEntity);
+ ClusterEntity clusterEntity = createMockClusterEntity("c1", resourceEntity);
+ UserEntity userEntity = createMockUserEntity(principalEntity, requestedUsername);
+
+ List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
+ principalEntities.add(principalEntity);
+
+ List<UserEntity> userEntities = new LinkedList<UserEntity>();
+ userEntities.add(userEntity);
+
+ List<PrivilegeEntity> privilegeEntities = new LinkedList<PrivilegeEntity>();
+ privilegeEntities.add(privilegeEntity);
+
+ PrivilegeDAO privilegeDAO = injector.getInstance(PrivilegeDAO.class);
+ expect(privilegeDAO.findAll()).andReturn(privilegeEntities);
+
+ List<ClusterEntity> clusterEntities = new LinkedList<ClusterEntity>();
+ clusterEntities.add(clusterEntity);
+
+ ClusterDAO clusterDAO = injector.getInstance(ClusterDAO.class);
+ expect(clusterDAO.findAll()).andReturn(clusterEntities);
+
+ UserDAO userDAO = injector.getInstance(UserDAO.class);
+ expect(userDAO.findUsersByPrincipal(principalEntities)).andReturn(userEntities);
+
+ GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
+ expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList());
+
+ replayAll();
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
+ ResourceProvider provider = getResourceProvider(injector);
+ Set<Resource> resources = provider.getResources(PropertyHelper.getReadRequest(), null);
+
+ Assert.assertEquals(1, resources.size());
+
+ Resource resource = resources.iterator().next();
+
+ Assert.assertEquals("CLUSTER.ADMINISTRATOR", resource.getPropertyValue(AmbariPrivilegeResourceProvider.PERMISSION_NAME_PROPERTY_ID));
+ Assert.assertEquals("Cluster Administrator", resource.getPropertyValue(AmbariPrivilegeResourceProvider.PERMISSION_LABEL_PROPERTY_ID));
+ Assert.assertEquals(requestedUsername, resource.getPropertyValue(AmbariPrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID));
+ Assert.assertEquals("USER", resource.getPropertyValue(AmbariPrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID));
+
+ verifyAll();
+ }
+
+ private void updateResourcesTest(Authentication authentication, String requestedUsername) throws Exception {
+ Injector injector = createInjector();
+
+ ResourceTypeEntity resourceTypeEntity = createMockResourceTypeEntity(ResourceType.CLUSTER);
+ PermissionEntity permissionEntity = createMockPermissionEntity("CLUSTER.ADMINISTRATOR", "Cluster Administrator", resourceTypeEntity);
+
+ PermissionDAO permissionDAO = injector.getInstance(PermissionDAO.class);
+ expect(permissionDAO.findPermissionByNameAndType("CLUSTER.OPERATOR", resourceTypeEntity)).andReturn(permissionEntity);
+
+ ResourceEntity resourceEntity = createMockResourceEntity(2L, resourceTypeEntity);
+ ClusterEntity clusterEntity = createMockClusterEntity("c1", resourceEntity);
+
+ List<ClusterEntity> clusterEntities = new LinkedList<ClusterEntity>();
+ clusterEntities.add(clusterEntity);
+
+ PrincipalTypeEntity principalTypeEntity = createMockPrincipalTypeEntity("USER");
+ PrincipalEntity principalEntity = createMockPrincipalEntity(2L, principalTypeEntity);
+ UserEntity userEntity = createMockUserEntity(principalEntity, requestedUsername);
+ PrivilegeEntity privilegeEntity = createMockPrivilegeEntity(1, resourceEntity, principalEntity, permissionEntity);
+
+ List<PrivilegeEntity> privilegeEntities = new ArrayList<PrivilegeEntity>();
+ privilegeEntities.add(privilegeEntity);
+
+ UserDAO userDAO = injector.getInstance(UserDAO.class);
+ expect(userDAO.findUserByName(requestedUsername)).andReturn(userEntity).atLeastOnce();
+
+ ClusterDAO clusterDAO = injector.getInstance(ClusterDAO.class);
+ expect(clusterDAO.findAll()).andReturn(clusterEntities);
+
+ ResourceDAO resourceDAO = injector.getInstance(ResourceDAO.class);
+ expect(resourceDAO.findById(2L)).andReturn(resourceEntity).atLeastOnce();
+
+ PrincipalDAO principalDAO = injector.getInstance(PrincipalDAO.class);
+ expect(principalDAO.findById(2L)).andReturn(principalEntity).atLeastOnce();
+
+ PrivilegeDAO privilegeDAO = injector.getInstance(PrivilegeDAO.class);
+ expect(privilegeDAO.findByResourceId(2L)).andReturn(privilegeEntities).atLeastOnce();
+
+ replayAll();
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
+ Map<String, Object> properties = new LinkedHashMap<String, Object>();
+ properties.put(PrivilegeResourceProvider.PERMISSION_NAME_PROPERTY_ID, "CLUSTER.OPERATOR");
+ properties.put(PrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID, requestedUsername);
+ properties.put(PrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID, "USER");
+
+ Request request = PropertyHelper.getUpdateRequest(properties, null);
+
+ ResourceProvider provider = getResourceProvider(injector);
+ provider.updateResources(request, null);
+
+ verifyAll();
+ }
+
+ private void deleteResourcesTest(Authentication authentication) throws Exception {
+ Injector injector = createInjector();
+
+ PrincipalEntity principalEntity1 = createMockPrincipalEntity(1L, createMockPrincipalTypeEntity("USER"));
+
+ ResourceTypeEntity clusterResourceTypeEntity = createMockResourceTypeEntity(ResourceType.CLUSTER);
+ ResourceEntity clusterResourceEntity = createMockResourceEntity(1L, clusterResourceTypeEntity);
+ PermissionEntity permissionEntity = createMockPermissionEntity("CLUSTER.OPERATOR", "Cluster Operator", clusterResourceTypeEntity);
+
+ PrivilegeEntity privilegeEntity1 = createMockPrivilegeEntity(1, clusterResourceEntity, principalEntity1, permissionEntity);
+
+ Set<PrivilegeEntity> privilege1Entities = new HashSet<PrivilegeEntity>();
+ privilege1Entities.add(privilegeEntity1);
+
+ expect(principalEntity1.getPrivileges()).andReturn(privilege1Entities).atLeastOnce();
+
+ PrivilegeDAO privilegeDAO = injector.getInstance(PrivilegeDAO.class);
+ expect(privilegeDAO.findById(1)).andReturn(privilegeEntity1).atLeastOnce();
+ privilegeDAO.remove(privilegeEntity1);
+ expectLastCall().atLeastOnce();
+
+ PrincipalDAO principalDAO = injector.getInstance(PrincipalDAO.class);
+ expect(principalDAO.merge(principalEntity1)).andReturn(principalEntity1).atLeastOnce();
+
+ replayAll();
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
+ ResourceProvider provider = getResourceProvider(injector);
+ provider.deleteResources(createPredicate(1L));
+
+ verifyAll();
+ }
+
+
+ private ResourceEntity createMockResourceEntity(Long id, ResourceTypeEntity resourceTypeEntity) {
+ ResourceEntity resourceEntity = createMock(ResourceEntity.class);
+ expect(resourceEntity.getId()).andReturn(id).anyTimes();
+ expect(resourceEntity.getResourceType()).andReturn(resourceTypeEntity).anyTimes();
+ return resourceEntity;
+ }
+
+ private ResourceTypeEntity createMockResourceTypeEntity(ResourceType resourceType) {
+ ResourceTypeEntity resourceTypeEntity = createMock(ResourceTypeEntity.class);
+ expect(resourceTypeEntity.getId()).andReturn(resourceType.getId()).anyTimes();
+ expect(resourceTypeEntity.getName()).andReturn(resourceType.name()).anyTimes();
+ return resourceTypeEntity;
+ }
+
+ private PermissionEntity createMockPermissionEntity(String name, String label, ResourceTypeEntity resourceTypeEntity) {
+ PermissionEntity permissionEntity = createMock(PermissionEntity.class);
+ expect(permissionEntity.getPermissionName()).andReturn(name).anyTimes();
+ expect(permissionEntity.getPermissionLabel()).andReturn(label).anyTimes();
+ expect(permissionEntity.getResourceType()).andReturn(resourceTypeEntity).anyTimes();
+ return permissionEntity;
+ }
+
+ private PrincipalTypeEntity createMockPrincipalTypeEntity(String typeName) {
+ PrincipalTypeEntity principalTypeEntity = createMock(PrincipalTypeEntity.class);
+ expect(principalTypeEntity.getName()).andReturn(typeName).anyTimes();
+ return principalTypeEntity;
+ }
+
+ private PrincipalEntity createMockPrincipalEntity(Long id, PrincipalTypeEntity principalTypeEntity) {
+ PrincipalEntity principalEntity = createMock(PrincipalEntity.class);
+ expect(principalEntity.getId()).andReturn(id).anyTimes();
+ expect(principalEntity.getPrincipalType()).andReturn(principalTypeEntity).anyTimes();
+ return principalEntity;
+ }
+
+ private PrivilegeEntity createMockPrivilegeEntity(Integer id, ResourceEntity resourceEntity, PrincipalEntity principalEntity, PermissionEntity permissionEntity) {
+ PrivilegeEntity privilegeEntity = createMock(PrivilegeEntity.class);
+ expect(privilegeEntity.getId()).andReturn(id).anyTimes();
+ expect(privilegeEntity.getResource()).andReturn(resourceEntity).anyTimes();
+ expect(privilegeEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
+ expect(privilegeEntity.getPermission()).andReturn(permissionEntity).anyTimes();
+ return privilegeEntity;
+ }
+
+ private ClusterEntity createMockClusterEntity(String clusterName, ResourceEntity resourceEntity) {
+ ClusterEntity clusterEntity = createMock(ClusterEntity.class);
+ expect(clusterEntity.getClusterName()).andReturn(clusterName).anyTimes();
+ expect(clusterEntity.getResource()).andReturn(resourceEntity).anyTimes();
+ return clusterEntity;
+ }
+
+ private UserEntity createMockUserEntity(PrincipalEntity principalEntity, String username) {
+ UserEntity userEntity = createMock(UserEntity.class);
+ expect(userEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
+ expect(userEntity.getUserName()).andReturn(username).anyTimes();
+ return userEntity;
+ }
+
+
+ private Predicate createPredicate(Long id) {
+ return new PredicateBuilder()
+ .property(ClusterPrivilegeResourceProvider.PRIVILEGE_ID_PROPERTY_ID)
+ .equals(id)
+ .toPredicate();
+ }
+
+ private ResourceProvider getResourceProvider(Injector injector) {
+ PrivilegeResourceProvider.init(injector.getInstance(PrivilegeDAO.class),
+ injector.getInstance(UserDAO.class),
+ injector.getInstance(GroupDAO.class),
+ injector.getInstance(PrincipalDAO.class),
+ injector.getInstance(PermissionDAO.class),
+ injector.getInstance(ResourceDAO.class));
+ ClusterPrivilegeResourceProvider.init(injector.getInstance(ClusterDAO.class));
+ return new ClusterPrivilegeResourceProvider();
+ }
+
+ private Injector createInjector() throws Exception {
+ return Guice.createInjector(new AbstractModule() {
+ @Override
+ protected void configure() {
+ bind(EntityManager.class).toInstance(createNiceMock(EntityManager.class));
+ bind(DBAccessor.class).toInstance(createNiceMock(DBAccessor.class));
+ bind(SecurityHelper.class).toInstance(createNiceMock(SecurityHelper.class));
+ bind(ViewInstanceDAO.class).toInstance(createNiceMock(ViewInstanceDAO.class));
+ bind(ViewInstanceHandlerList.class).toInstance(createNiceMock(ViewInstanceHandlerList.class));
+ bind(MemberDAO.class).toInstance(createNiceMock(MemberDAO.class));
+
+ bind(PrivilegeDAO.class).toInstance(createMock(PrivilegeDAO.class));
+ bind(PrincipalDAO.class).toInstance(createMock(PrincipalDAO.class));
+ bind(PermissionDAO.class).toInstance(createMock(PermissionDAO.class));
+ bind(UserDAO.class).toInstance(createMock(UserDAO.class));
+ bind(GroupDAO.class).toInstance(createMock(GroupDAO.class));
+ bind(ResourceDAO.class).toInstance(createMock(ResourceDAO.class));
+ bind(ClusterDAO.class).toInstance(createMock(ClusterDAO.class));
+ }
+ });
}
}
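Review bot: getResourceTest never uses `requestedUsername` to select a resource. It calls `provider.getResources(PropertyHelper.getReadRequest(), null)` exactly as getResourcesTest does, and the parameter only names the mocked `UserEntity`. As written, the `_Self` and `_Other` variants for both roles appear to exercise the same provider path, so they do not show that a non-administrator is refused another user's privilege specifically. Passing a predicate in place of `null` would make the cases distinct, for example `new PredicateBuilder().property(PrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID).equals(requestedUsername).toPredicate()`. Whether the provider filters on that property is not visible here and should be confirmed.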
http://git-wip-us.apache.org/repos/asf/ambari/blob/7d45f1f7/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserAuthorizationResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserAuthorizationResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserAuthorizationResourceProviderTest.java
index e71c219..1b1bdc3 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserAuthorizationResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserAuthorizationResourceProviderTest.java
@@ -21,26 +21,54 @@ package org.apache.ambari.server.controller.internal;
import com.google.inject.AbstractModule;
import com.google.inject.Guice;
import com.google.inject.Injector;
-import com.google.inject.util.Modules;
+import org.apache.ambari.server.actionmanager.ActionDBAccessor;
+import org.apache.ambari.server.actionmanager.ActionManager;
+import org.apache.ambari.server.actionmanager.StageFactory;
+import org.apache.ambari.server.api.services.AmbariMetaInfo;
+import org.apache.ambari.server.controller.AbstractRootServiceResponseFactory;
import org.apache.ambari.server.controller.AmbariManagementController;
+import org.apache.ambari.server.controller.AmbariManagementControllerImpl;
+import org.apache.ambari.server.controller.KerberosHelper;
import org.apache.ambari.server.controller.spi.ClusterController;
import org.apache.ambari.server.controller.spi.Predicate;
import org.apache.ambari.server.controller.spi.Request;
import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.controller.spi.ResourceProvider;
+import org.apache.ambari.server.controller.spi.SystemException;
import org.apache.ambari.server.controller.utilities.PredicateBuilder;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
import org.apache.ambari.server.orm.DBAccessor;
-import org.apache.ambari.server.orm.InMemoryDefaultTestModule;
import org.apache.ambari.server.orm.dao.PermissionDAO;
import org.apache.ambari.server.orm.dao.ResourceTypeDAO;
+import org.apache.ambari.server.orm.dao.UserDAO;
import org.apache.ambari.server.orm.entities.PermissionEntity;
import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity;
+import org.apache.ambari.server.scheduler.ExecutionScheduler;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
+import org.apache.ambari.server.security.authorization.Users;
+import org.apache.ambari.server.security.encryption.CredentialStoreService;
+import org.apache.ambari.server.security.encryption.CredentialStoreServiceImpl;
+import org.apache.ambari.server.stack.StackManagerFactory;
+import org.apache.ambari.server.stageplanner.RoleGraphFactory;
+import org.apache.ambari.server.stageplanner.RoleGraphFactoryImpl;
+import org.apache.ambari.server.state.Clusters;
+import org.apache.ambari.server.state.ConfigFactory;
+import org.apache.ambari.server.state.ServiceComponentFactory;
+import org.apache.ambari.server.state.ServiceComponentHostFactory;
+import org.apache.ambari.server.state.ServiceFactory;
+import org.apache.ambari.server.state.configgroup.ConfigGroupFactory;
+import org.apache.ambari.server.state.scheduler.RequestExecutionFactory;
+import org.apache.ambari.server.state.stack.OsFamily;
import org.easymock.EasyMockSupport;
+import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.crypto.password.PasswordEncoder;
import javax.persistence.EntityManager;
import java.lang.reflect.Field;
@@ -57,30 +85,73 @@ import static org.easymock.EasyMock.*;
* UserAuthorizationResourceProvider tests.
*/
public class UserAuthorizationResourceProviderTest extends EasyMockSupport {
- private Injector injector;
@Before
- public void setup() {
- reset();
-
- injector = Guice.createInjector(Modules.override(new InMemoryDefaultTestModule())
- .with(new AbstractModule() {
- @Override
- protected void configure() {
- AmbariManagementController managementController = createNiceMock(AmbariManagementController.class);
-
- bind(AmbariManagementController.class).toInstance(managementController);
- bind(DBAccessor.class).toInstance(createNiceMock(DBAccessor.class));
- bind(EntityManager.class).toInstance(createNiceMock(EntityManager.class));
- bind(PermissionDAO.class).toInstance(createMock(PermissionDAO.class));
- bind(ResourceTypeDAO.class).toInstance(createMock(ResourceTypeDAO.class));
- }
- }));
+ public void setup() throws Exception {
+ resetAll();
}
+ @After
+ public void cleanup() {
+ SecurityContextHolder.getContext().setAuthentication(null);
+ }
+
+ @Test
+ public void testGetResources_Administrator() throws Exception {
+ getResourcesTest(TestAuthenticationFactory.createAdministrator("admin"), "User1");
+ }
@Test
- public void testGetResources() throws Exception {
+ public void testGetResources_NonAdministrator_Self() throws Exception {
+ getResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User1");
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testGetResources_NonAdministrator_Other() throws Exception {
+ getResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1"), "User10");
+ }
+
+ @Test(expected = SystemException.class)
+ public void testCreateResources() throws Exception {
+ Injector injector = createInjector();
+
+ replayAll();
+ // Set the authenticated user to a non-administrator
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createClusterAdministrator("user1"));
+ AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
+ UserAuthorizationResourceProvider provider = new UserAuthorizationResourceProvider(managementController);
+ provider.createResources(createNiceMock(Request.class));
+ verifyAll();
+ }
+
+ @Test(expected = SystemException.class)
+ public void testUpdateResources() throws Exception {
+ Injector injector = createInjector();
+
+ replayAll();
+ // Set the authenticated user to a non-administrator
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createClusterAdministrator("user1"));
+ AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
+ UserAuthorizationResourceProvider provider = new UserAuthorizationResourceProvider(managementController);
+ provider.updateResources(createNiceMock(Request.class), null);
+ verifyAll();
+ }
+
+ @Test(expected = SystemException.class)
+ public void testDeleteResources() throws Exception {
+ Injector injector = createInjector();
+
+ replayAll();
+ // Set the authenticated user to a non-administrator
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createClusterAdministrator("user1"));
+ AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
+ UserAuthorizationResourceProvider provider = new UserAuthorizationResourceProvider(managementController);
+ provider.deleteResources(null);
+ verifyAll();
+ }
+
+ private void getResourcesTest(Authentication authentication, String requestedUsername) throws Exception {
+ Injector injector = createInjector();
Resource clusterResource = createMock(Resource.class);
expect(clusterResource.getPropertyValue(UserPrivilegeResourceProvider.PRIVILEGE_PERMISSION_NAME_PROPERTY_ID))
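Review bot: The `verifyAll()` calls that close testCreateResources, testUpdateResources and testDeleteResources are unreachable when the test passes, because each test expects the preceding provider call to throw `SystemException`. In the create and update tests the `Request` mock is also created with `createNiceMock` after `replayAll()`, so it is never switched to replay state. If verification is intended, create the mock first (`Request request = createNiceMock(Request.class);` before `replayAll();`) and use `try { provider.createResources(request); } finally { verifyAll(); }`; otherwise drop the trailing call. These tests run only as a cluster administrator, so they do not show whether the `SystemException` depends on the caller's role.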
@@ -233,12 +304,20 @@ public class UserAuthorizationResourceProviderTest extends EasyMockSupport {
replayAll();
+ AmbariMetaInfo ambariMetaInfo = injector.getInstance(AmbariMetaInfo.class);
+ ambariMetaInfo.init();
+
+ // Set the authenticated user to a administrator
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
+
+ UserAuthorizationResourceProvider.init(permissionDAO, resourceTypeDAO);
UserAuthorizationResourceProvider provider = new UserAuthorizationResourceProvider(managementController);
setClusterController(provider, clusterController);
Predicate predicate = new PredicateBuilder()
- .property(UserAuthorizationResourceProvider.USERNAME_PROPERTY_ID).equals("jdoe")
+ .property(UserAuthorizationResourceProvider.USERNAME_PROPERTY_ID).equals(requestedUsername)
.toPredicate();
Set<Resource> resources = provider.getResources(PropertyHelper.getReadRequest(), predicate);
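Review bot: The added comment `// Set the authenticated user to a administrator` is inaccurate for this helper. It installs whatever `authentication` the test passes in, including the cluster-administrator cases added in the previous hunk. Suggest `// Install the caller under test; may be an administrator or a non-administrator`. getResourcesTest begins in the previous hunk and continues past this one.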
@@ -288,23 +367,6 @@ public class UserAuthorizationResourceProviderTest extends EasyMockSupport {
verifyAll();
}
- @Test(expected = org.apache.ambari.server.controller.spi.SystemException.class)
- public void testUpdateResources() throws Exception {
- replayAll();
- AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
- UserAuthorizationResourceProvider provider = new UserAuthorizationResourceProvider(managementController);
- provider.updateResources(createNiceMock(Request.class), null);
- }
-
- @Test(expected = org.apache.ambari.server.controller.spi.SystemException.class)
- public void testDeleteResources() throws Exception {
- replayAll();
- AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
- UserAuthorizationResourceProvider provider = new UserAuthorizationResourceProvider(managementController);
- provider.deleteResources(null);
- }
-
-
private void setClusterController(UserAuthorizationResourceProvider provider, ClusterController clusterController) throws Exception {
Class<?> c = provider.getClass();
Field f = c.getDeclaredField("clusterController");
@@ -312,4 +374,38 @@ public class UserAuthorizationResourceProviderTest extends EasyMockSupport {
f.set(provider, clusterController);
}
+ private Injector createInjector() throws Exception {
+ return Guice.createInjector(new AbstractModule() {
+ @Override
+ protected void configure() {
+ bind(EntityManager.class).toInstance(createNiceMock(EntityManager.class));
+ bind(DBAccessor.class).toInstance(createNiceMock(DBAccessor.class));
+ bind(ActionDBAccessor.class).toInstance(createNiceMock(ActionDBAccessor.class));
+ bind(ExecutionScheduler.class).toInstance(createNiceMock(ExecutionScheduler.class));
+ bind(OsFamily.class).toInstance(createNiceMock(OsFamily.class));
+ bind(AmbariMetaInfo.class).toInstance(createMock(AmbariMetaInfo.class));
+ bind(ActionManager.class).toInstance(createNiceMock(ActionManager.class));
+ bind(org.apache.ambari.server.actionmanager.RequestFactory.class).toInstance(createNiceMock(org.apache.ambari.server.actionmanager.RequestFactory.class));
+ bind(RequestExecutionFactory.class).toInstance(createNiceMock(RequestExecutionFactory.class));
+ bind(StageFactory.class).toInstance(createNiceMock(StageFactory.class));
+ bind(RoleGraphFactory.class).to(RoleGraphFactoryImpl.class);
+ bind(Clusters.class).toInstance(createNiceMock(Clusters.class));
+ bind(AbstractRootServiceResponseFactory.class).toInstance(createNiceMock(AbstractRootServiceResponseFactory.class));
+ bind(StackManagerFactory.class).toInstance(createNiceMock(StackManagerFactory.class));
+ bind(ConfigFactory.class).toInstance(createNiceMock(ConfigFactory.class));
+ bind(ConfigGroupFactory.class).toInstance(createNiceMock(ConfigGroupFactory.class));
+ bind(ServiceFactory.class).toInstance(createNiceMock(ServiceFactory.class));
+ bind(ServiceComponentFactory.class).toInstance(createNiceMock(ServiceComponentFactory.class));
+ bind(ServiceComponentHostFactory.class).toInstance(createNiceMock(ServiceComponentHostFactory.class));
+ bind(PasswordEncoder.class).toInstance(createNiceMock(PasswordEncoder.class));
+ bind(KerberosHelper.class).toInstance(createNiceMock(KerberosHelper.class));
+ bind(Users.class).toInstance(createMock(Users.class));
+ bind(AmbariManagementController.class).to(AmbariManagementControllerImpl.class);
+ bind(CredentialStoreService.class).to(CredentialStoreServiceImpl.class);
+ bind(UserDAO.class).toInstance(createMock(UserDAO.class));
+ bind(ResourceTypeDAO.class).toInstance(createMock(ResourceTypeDAO.class));
+ bind(PermissionDAO.class).toInstance(createMock(PermissionDAO.class));
+ }
+ });
+ }
}
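Review bot: `createInjector` binds `CredentialStoreService` to the real `CredentialStoreServiceImpl` while almost every other collaborator is a mock, so this authorization test depends on credential-store behaviour it does not appear to exercise. If nothing under test reads the store, `bind(CredentialStoreService.class).toInstance(createNiceMock(CredentialStoreService.class));` would keep the test hermetic. A short comment would also help to explain why `AmbariMetaInfo`, `Users`, `UserDAO`, `ResourceTypeDAO` and `PermissionDAO` use `createMock`, which fails on unexpected calls, while the rest use `createNiceMock`.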