Posted to commits@ambari.apache.org by rl...@apache.org on 2015/12/04 00:47:13 UTC
[2/2] ambari git commit: AMBARI-14072. Enforce granular role-based
access control for cluster functions (rlevas)
AMBARI-14072. Enforce granular role-based access control for cluster functions (rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/19194e0b
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/19194e0b
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/19194e0b
Branch: refs/heads/trunk
Commit: 19194e0b2f370c3039596b755a86dcdf02f7d8dd
Parents: e62e8ea
Author: Robert Levas <rl...@hortonworks.com>
Authored: Thu Dec 3 18:46:59 2015 -0500
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Thu Dec 3 18:47:04 2015 -0500
----------------------------------------------------------------------
.../server/api/services/ClusterService.java | 84 +-
.../controller/AmbariManagementController.java | 11 +-
.../AmbariManagementControllerImpl.java | 77 +-
.../internal/ClusterResourceProvider.java | 114 +-
.../AmbariAuthorizationFilter.java | 2 +
.../AmbariCustomCommandExecutionHelperTest.java | 7 +-
.../AmbariManagementControllerImplTest.java | 1 +
.../AmbariManagementControllerTest.java | 85 +-
.../BackgroundCustomCommandExecutionTest.java | 7 +-
...hYarnCapacitySchedulerReleaseConfigTest.java | 20 +-
.../internal/ClusterResourceProviderTest.java | 1058 ++++--------------
.../internal/JMXHostProviderTest.java | 14 +-
.../AmbariAuthorizationFilterTest.java | 4 +-
.../ambari/server/state/ConfigHelperTest.java | 18 +
.../ambari/server/state/UpgradeHelperTest.java | 14 +-
.../server/upgrade/UpgradeCatalogTest.java | 9 +
16 files changed, 475 insertions(+), 1050 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/19194e0b/ambari-server/src/main/java/org/apache/ambari/server/api/services/ClusterService.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/api/services/ClusterService.java b/ambari-server/src/main/java/org/apache/ambari/server/api/services/ClusterService.java
index 4954a96..7200b83 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/api/services/ClusterService.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/api/services/ClusterService.java
@@ -89,8 +89,6 @@ public class ClusterService extends BaseService {
@Produces("text/plain")
public Response getCluster(String body, @Context HttpHeaders headers, @Context UriInfo ui,
@PathParam("clusterName") String clusterName) {
-
- hasPermission(Request.Type.GET, clusterName);
return handleRequest(headers, body, ui, Request.Type.GET, createClusterResource(clusterName));
}
@@ -106,8 +104,6 @@ public class ClusterService extends BaseService {
@GET
@Produces("text/plain")
public Response getClusters(String body, @Context HttpHeaders headers, @Context UriInfo ui) {
-
- hasPermission(Request.Type.GET, null);
return handleRequest(headers, body, ui, Request.Type.GET, createClusterResource(null));
}
@@ -126,8 +122,6 @@ public class ClusterService extends BaseService {
@Produces("text/plain")
public Response createCluster(String body, @Context HttpHeaders headers, @Context UriInfo ui,
@PathParam("clusterName") String clusterName) {
-
- hasPermission(Request.Type.POST, clusterName);
return handleRequest(headers, body, ui, Request.Type.POST, createClusterResource(clusterName));
}
@@ -146,8 +140,6 @@ public class ClusterService extends BaseService {
@Produces("text/plain")
public Response updateCluster(String body, @Context HttpHeaders headers, @Context UriInfo ui,
@PathParam("clusterName") String clusterName) {
-
- hasPermission(Request.Type.PUT, clusterName);
return handleRequest(headers, body, ui, Request.Type.PUT, createClusterResource(clusterName));
}
@@ -166,8 +158,6 @@ public class ClusterService extends BaseService {
@Produces("text/plain")
public Response deleteCluster(@Context HttpHeaders headers, @Context UriInfo ui,
@PathParam("clusterName") String clusterName) {
-
- hasPermission(Request.Type.DELETE, clusterName);
return handleRequest(headers, null, ui, Request.Type.DELETE, createClusterResource(clusterName));
}
@@ -189,8 +179,6 @@ public class ClusterService extends BaseService {
@Context HttpHeaders headers,
@Context UriInfo ui,
@PathParam("clusterName") String clusterName) {
-
- hasPermission(Request.Type.GET, clusterName);
return handleRequest(headers, body, ui, Request.Type.GET,
createArtifactResource(clusterName, null));
}
@@ -215,10 +203,7 @@ public class ClusterService extends BaseService {
@Context UriInfo ui,
@PathParam("clusterName") String clusterName,
@PathParam("artifactName") String artifactName) {
-
- hasPermission(Request.Type.GET, clusterName);
- return handleRequest(headers, body, ui, Request.Type.GET,
- createArtifactResource(clusterName, artifactName));
+ return handleRequest(headers, body, ui, Request.Type.GET, createArtifactResource(clusterName, artifactName));
}
/**
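Review bot: With `hasPermission(...)` removed here and in every other hunk of this file, ClusterService no longer performs any access check of its own. That includes the sub-resource locators (`getHostHandler`, `getConfigurationHandler`, `getCredentials` and the rest), which now return their services unconditionally. In the visible part of this commit only `ClusterResourceProvider` gains `RoleAuthorization` checks, so access to `{clusterName}/hosts`, `/configurations`, `/credentials` and the others presumably depends on each of those providers enforcing its own. That is not visible here and is worth confirming before the coarse check goes away. A test per sub-resource asserting that a user with no privilege on the cluster is refused would pin the behaviour; the enclosing method starts outside this hunk.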
@@ -240,8 +225,6 @@ public class ClusterService extends BaseService {
@Context UriInfo ui,
@PathParam("clusterName") String clusterName,
@PathParam("artifactName") String artifactName) {
-
- hasPermission(Request.Type.POST, clusterName);
return handleRequest(headers, body, ui, Request.Type.POST,
createArtifactResource(clusterName, artifactName));
}
@@ -263,8 +246,6 @@ public class ClusterService extends BaseService {
@Context HttpHeaders headers,
@Context UriInfo ui,
@PathParam("clusterName") String clusterName) {
-
- hasPermission(Request.Type.PUT, clusterName);
return handleRequest(headers, body, ui, Request.Type.PUT,
createArtifactResource(clusterName, null));
}
@@ -288,8 +269,6 @@ public class ClusterService extends BaseService {
@Context UriInfo ui,
@PathParam("clusterName") String clusterName,
@PathParam("artifactName") String artifactName) {
-
- hasPermission(Request.Type.PUT, clusterName);
return handleRequest(headers, body, ui, Request.Type.PUT,
createArtifactResource(clusterName, artifactName));
}
@@ -313,8 +292,6 @@ public class ClusterService extends BaseService {
@Context UriInfo ui,
@PathParam("clusterName") String clusterName,
@PathParam("artifactName") String artifactName) {
-
- hasPermission(Request.Type.DELETE, clusterName);
return handleRequest(headers, body, ui, Request.Type.DELETE,
createArtifactResource(clusterName, artifactName));
}
@@ -336,8 +313,6 @@ public class ClusterService extends BaseService {
@Context HttpHeaders headers,
@Context UriInfo ui,
@PathParam("clusterName") String clusterName) {
-
- hasPermission(Request.Type.DELETE, clusterName);
return handleRequest(headers, body, ui, Request.Type.DELETE,
createArtifactResource(clusterName, null));
}
@@ -352,8 +327,6 @@ public class ClusterService extends BaseService {
*/
@Path("{clusterName}/hosts")
public HostService getHostHandler(@Context javax.ws.rs.core.Request request, @PathParam("clusterName") String clusterName) {
-
- hasPermission(Request.Type.valueOf(request.getMethod()), clusterName);
return new HostService(clusterName);
}
@@ -367,8 +340,6 @@ public class ClusterService extends BaseService {
*/
@Path("{clusterName}/services")
public ServiceService getServiceHandler(@Context javax.ws.rs.core.Request request, @PathParam("clusterName") String clusterName) {
-
- hasPermission(Request.Type.valueOf(request.getMethod()), clusterName);
return new ServiceService(clusterName);
}
@@ -382,8 +353,6 @@ public class ClusterService extends BaseService {
*/
@Path("{clusterName}/configurations")
public ConfigurationService getConfigurationHandler(@Context javax.ws.rs.core.Request request, @PathParam("clusterName") String clusterName) {
-
- hasPermission(Request.Type.valueOf(request.getMethod()), clusterName);
return new ConfigurationService(clusterName);
}
@@ -397,8 +366,6 @@ public class ClusterService extends BaseService {
*/
@Path("{clusterName}/requests")
public RequestService getRequestHandler(@Context javax.ws.rs.core.Request request, @PathParam("clusterName") String clusterName) {
-
- hasPermission(Request.Type.valueOf(request.getMethod()), clusterName);
return new RequestService(clusterName);
}
@@ -413,8 +380,6 @@ public class ClusterService extends BaseService {
*/
@Path("{clusterName}/host_components")
public HostComponentService getHostComponentHandler(@Context javax.ws.rs.core.Request request, @PathParam("clusterName") String clusterName) {
-
- hasPermission(Request.Type.valueOf(request.getMethod()), clusterName);
return new HostComponentService(clusterName, null);
}
@@ -429,8 +394,6 @@ public class ClusterService extends BaseService {
*/
@Path("{clusterName}/kerberos_identities")
public HostKerberosIdentityService getHostKerberosIdentityHandler(@Context javax.ws.rs.core.Request request, @PathParam("clusterName") String clusterName) {
-
- hasPermission(Request.Type.valueOf(request.getMethod()), clusterName);
return new HostKerberosIdentityService(clusterName, null);
}
@@ -445,8 +408,6 @@ public class ClusterService extends BaseService {
*/
@Path("{clusterName}/components")
public ComponentService getComponentHandler(@Context javax.ws.rs.core.Request request, @PathParam("clusterName") String clusterName) {
-
- hasPermission(Request.Type.valueOf(request.getMethod()), clusterName);
return new ComponentService(clusterName, null);
}
@@ -460,8 +421,6 @@ public class ClusterService extends BaseService {
*/
@Path("{clusterName}/workflows")
public WorkflowService getWorkflowHandler(@Context javax.ws.rs.core.Request request, @PathParam("clusterName") String clusterName) {
-
- hasPermission(Request.Type.valueOf(request.getMethod()), clusterName);
return new WorkflowService(clusterName);
}
@@ -475,8 +434,6 @@ public class ClusterService extends BaseService {
*/
@Path("{clusterName}/config_groups")
public ConfigGroupService getConfigGroupService(@Context javax.ws.rs.core.Request request, @PathParam("clusterName") String clusterName) {
-
- hasPermission(Request.Type.valueOf(request.getMethod()), clusterName);
return new ConfigGroupService(clusterName);
}
@@ -491,8 +448,6 @@ public class ClusterService extends BaseService {
@Path("{clusterName}/request_schedules")
public RequestScheduleService getRequestScheduleService
(@Context javax.ws.rs.core.Request request, @PathParam ("clusterName") String clusterName) {
-
- hasPermission(Request.Type.valueOf(request.getMethod()), clusterName);
return new RequestScheduleService(clusterName);
}
@@ -507,8 +462,6 @@ public class ClusterService extends BaseService {
@Path("{clusterName}/alert_definitions")
public AlertDefinitionService getAlertDefinitionService(
@Context javax.ws.rs.core.Request request, @PathParam("clusterName") String clusterName) {
-
- hasPermission(Request.Type.valueOf(request.getMethod()), clusterName);
return new AlertDefinitionService(clusterName);
}
@@ -525,8 +478,6 @@ public class ClusterService extends BaseService {
public AlertGroupService getAlertGroups(
@Context javax.ws.rs.core.Request request,
@PathParam("clusterName") String clusterName) {
-
- hasPermission(Request.Type.valueOf(request.getMethod()), clusterName);
return new AlertGroupService(clusterName);
}
@@ -542,8 +493,6 @@ public class ClusterService extends BaseService {
*/
@Path("{clusterName}/privileges")
public PrivilegeService getPrivilegeService(@Context javax.ws.rs.core.Request request, @PathParam ("clusterName") String clusterName) {
-
- hasPermission(Request.Type.valueOf(request.getMethod()), clusterName);
return new ClusterPrivilegeService(clusterName);
}
@@ -558,8 +507,6 @@ public class ClusterService extends BaseService {
@Path("{clusterName}/alerts")
public AlertService getAlertService(
@Context javax.ws.rs.core.Request request, @PathParam("clusterName") String clusterName) {
-
- hasPermission(Request.Type.valueOf(request.getMethod()), clusterName);
return new AlertService(clusterName, null, null);
}
@@ -577,8 +524,6 @@ public class ClusterService extends BaseService {
public AlertHistoryService getAlertHistoryService(
@Context javax.ws.rs.core.Request request,
@PathParam("clusterName") String clusterName) {
-
- hasPermission(Request.Type.valueOf(request.getMethod()), clusterName);
return new AlertHistoryService(clusterName, null, null);
}
@@ -596,8 +541,6 @@ public class ClusterService extends BaseService {
public AlertNoticeService getAlertNoticeService(
@Context javax.ws.rs.core.Request request,
@PathParam("clusterName") String clusterName) {
-
- hasPermission(Request.Type.valueOf(request.getMethod()), clusterName);
return new AlertNoticeService(clusterName);
}
@@ -614,8 +557,6 @@ public class ClusterService extends BaseService {
@Path("{clusterName}/stack_versions")
public ClusterStackVersionService getClusterStackVersionService(@Context javax.ws.rs.core.Request request,
@PathParam("clusterName") String clusterName) {
-
- hasPermission(Request.Type.valueOf(request.getMethod()), clusterName);
return new ClusterStackVersionService(clusterName);
}
@@ -631,8 +572,6 @@ public class ClusterService extends BaseService {
public UpgradeService getUpgradeService(
@Context javax.ws.rs.core.Request request,
@PathParam("clusterName") String clusterName) {
-
- hasPermission(Request.Type.valueOf(request.getMethod()), clusterName);
return new UpgradeService(clusterName);
}
@@ -646,7 +585,6 @@ public class ClusterService extends BaseService {
*/
@Path("{clusterName}/rolling_upgrades_check")
public PreUpgradeCheckService getPreUpgradeCheckService(@Context javax.ws.rs.core.Request request, @PathParam("clusterName") String clusterName) {
- hasPermission(Request.Type.valueOf(request.getMethod()), clusterName);
return new PreUpgradeCheckService(clusterName);
}
@@ -681,7 +619,6 @@ public class ClusterService extends BaseService {
public CredentialService getCredentials(
@Context javax.ws.rs.core.Request request,
@PathParam("clusterName") String clusterName) {
- hasPermission(Request.Type.valueOf(request.getMethod()), clusterName);
return new CredentialService(clusterName);
}
@@ -714,23 +651,4 @@ public class ClusterService extends BaseService {
return createResource(Resource.Type.Artifact, mapIds);
}
-
- /**
- * Determine whether or not the access specified by the given request type is
- * permitted for the current user on the cluster resource identified by the
- * given cluster name.
- *
- * @param requestType
- * the request method type
- * @param clusterName
- * the name of the cluster resource
- *
- * @throws WebApplicationException
- * if access is forbidden
- */
- private void hasPermission(Request.Type requestType, String clusterName) throws WebApplicationException {
- if (!clusters.checkPermission(clusterName, requestType == Request.Type.GET)) {
- throw new WebApplicationException(Response.Status.FORBIDDEN);
- }
- }
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/19194e0b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementController.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementController.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementController.java
index b446121..424678e 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementController.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementController.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -74,8 +74,9 @@ public interface AmbariManagementController {
* @param request the request object which defines the cluster to be created
*
* @throws AmbariException thrown if the cluster cannot be created
+ * @throws AuthorizationException thrown if the authenticated user is not authorized to perform this operation
*/
- public void createCluster(ClusterRequest request) throws AmbariException;
+ public void createCluster(ClusterRequest request) throws AmbariException, AuthorizationException;
/**
* Create the host component defined by the attributes in the given request object.
@@ -135,9 +136,10 @@ public interface AmbariManagementController {
* @return a set of cluster responses
*
* @throws AmbariException thrown if the resource cannot be read
+ * @throws AuthorizationException thrown if the authenticated user is not authorized to perform this operation
*/
public Set<ClusterResponse> getClusters(Set<ClusterRequest> requests)
- throws AmbariException;
+ throws AmbariException, AuthorizationException;
/**
* Get the host components identified by the given request objects.
@@ -224,10 +226,11 @@ public interface AmbariManagementController {
* @return a track action response
*
* @throws AmbariException thrown if the resource cannot be updated
+ * @throws AuthorizationException thrown if the authenticated user is not authorized to perform this operation
*/
public RequestStatusResponse updateClusters(Set<ClusterRequest> requests,
Map<String, String> requestProperties)
- throws AmbariException;
+ throws AmbariException, AuthorizationException;
/**
* Updates the users specified.
http://git-wip-us.apache.org/repos/asf/ambari/blob/19194e0b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java
index de8b413..2266a13 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -48,6 +48,7 @@ import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumMap;
+import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
@@ -107,10 +108,10 @@ import org.apache.ambari.server.orm.entities.WidgetLayoutEntity;
import org.apache.ambari.server.orm.entities.WidgetLayoutUserWidgetEntity;
import org.apache.ambari.server.scheduler.ExecutionScheduleManager;
import org.apache.ambari.server.security.authorization.AuthorizationException;
-import org.apache.ambari.server.security.authorization.ResourceType;
-import org.apache.ambari.server.security.authorization.RoleAuthorization;
import org.apache.ambari.server.security.authorization.AuthorizationHelper;
import org.apache.ambari.server.security.authorization.Group;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
import org.apache.ambari.server.security.authorization.User;
import org.apache.ambari.server.security.authorization.Users;
import org.apache.ambari.server.security.credential.PrincipalKeyCredential;
@@ -920,7 +921,7 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
}
private Set<ClusterResponse> getClusters(ClusterRequest request)
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
Set<ClusterResponse> response = new HashSet<ClusterResponse>();
@@ -932,10 +933,21 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
}
Cluster singleCluster = null;
- if (request.getClusterName() != null) {
- singleCluster = clusters.getCluster(request.getClusterName());
- } else if (request.getClusterId() != null) {
- singleCluster = clusters.getClusterById(request.getClusterId());
+ try {
+ if (request.getClusterName() != null) {
+ singleCluster = clusters.getCluster(request.getClusterName());
+ } else if (request.getClusterId() != null) {
+ singleCluster = clusters.getClusterById(request.getClusterId());
+ }
+ }
+ catch(ClusterNotFoundException e) {
+ // the user shouldn't know the difference between a cluster that does not exist or one that
+ // he doesn't have access to.
+ if (AuthorizationHelper.isAuthorized(ResourceType.AMBARI, null, RoleAuthorization.AMBARI_ADD_DELETE_CLUSTERS)) {
+ throw e;
+ } else {
+ throw new AuthorizationException();
+ }
}
if (singleCluster != null) {
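Review bot: The `catch(ClusterNotFoundException e)` block only makes "does not exist" and "no access" indistinguishable if an existing cluster the caller cannot view also raises `AuthorizationException`. The matching check in the next hunk is commented out, so as written an existing cluster returns data while a missing one is denied, and the two cases can still be told apart. The comment should say so, e.g. `// NOTE: only masks missing clusters until the view check below is enabled`. The bare `throw new AuthorizationException();` also carries no message, unlike the other throw sites added in this file. `getClusters` begins and ends outside the hunk.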
@@ -943,7 +955,19 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
cr.setDesiredConfigs(singleCluster.getDesiredConfigs());
cr.setDesiredServiceConfigVersions(singleCluster.getActiveServiceConfigVersions());
cr.setCredentialStoreServiceProperties(getCredentialStoreServiceProperties());
+
+ // If the user is authorized to view information about this cluster, add it to the respons
+// TODO: Uncomment this when the UI doesn't require view access for View-only users.
+// if (AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, cr.getClusterId(),
+// RoleAuthorization.AUTHORIZATIONS_VIEW_CLUSTER)) {
response.add(cr);
+// }
+// else {
+// // the user shouldn't know the difference between a cluster that does not exist or one that
+// // he doesn't have access to.
+// throw new AuthorizationException();
+// }
+
return response;
}
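Review bot: `response.add(cr);` stays unconditional because the `AUTHORIZATIONS_VIEW_CLUSTER` guard around it is committed as commented-out code, so this method hands back the cluster's desired configs and credential store properties to any caller that reaches it. The loop in the following hunk (`response.add(c.convertToResponse());`) has the same disabled guard. Whether a caller further up restricts reads is not visible in this hunk. Shipping the check as comments makes it easy to forget; a short TODO that names the UI dependency, plus a test that documents the intended denial, would be easier to follow up. The commented block also contains a typo (`respons`) and sits at column 0 rather than at the surrounding indentation.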
@@ -957,7 +981,13 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
continue;
}
}
+
+// TODO: Uncomment this when the UI doesn't require view access for View-only users.
+// If the user is authorized to view information about this cluster, add it to the response
+// if (AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, c.getClusterId(),
+// RoleAuthorization.AUTHORIZATIONS_VIEW_CLUSTER)) {
response.add(c.convertToResponse());
+// }
}
StringBuilder builder = new StringBuilder();
if (LOG.isDebugEnabled()) {
@@ -1260,7 +1290,7 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
@Override
public synchronized RequestStatusResponse updateClusters(Set<ClusterRequest> requests,
Map<String, String> requestProperties)
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
RequestStatusResponse response = null;
@@ -1337,7 +1367,7 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
}
private synchronized RequestStatusResponse updateCluster(ClusterRequest request, Map<String, String> requestProperties)
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
RequestStageContainer requestStageContainer = null;
@@ -1375,6 +1405,11 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
if (LOG.isDebugEnabled()) {
LOG.debug("Received cluster name change request from " + cluster.getClusterName() + " to " + request.getClusterName());
}
+
+ if(!AuthorizationHelper.isAuthorized(ResourceType.AMBARI, null, EnumSet.of(RoleAuthorization.AMBARI_RENAME_CLUSTER))) {
+ throw new AuthorizationException("The authenticated user does not have authorization to rename the cluster");
+ }
+
cluster.setClusterName(request.getClusterName());
}
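Review bot: The `AMBARI_RENAME_CLUSTER` check runs immediately before `cluster.setClusterName(...)`, while the later checks added to this method (`SERVICE_MODIFY_CONFIGS`, `CLUSTER_UPGRADE_DOWNGRADE_STACK`, `CLUSTER_TOGGLE_KERBEROS`) run only after earlier steps have already changed the cluster. A single request that combines a permitted rename with a change the user is not authorized for would apply the rename and then throw `AuthorizationException`, unless `updateCluster` runs inside a transaction that rolls back, which these hunks do not show. Working out up front which authorizations the request needs and checking them all before the first mutation would avoid a partially applied update. `updateCluster` starts and ends outside the hunk.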
@@ -1469,6 +1504,10 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
configs.add(cluster.getConfig(cr.getType(), cr.getVersionTag()));
}
if (!configs.isEmpty()) {
+ if(!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, cluster.getClusterId(), EnumSet.of(RoleAuthorization.SERVICE_MODIFY_CONFIGS))) {
+ throw new AuthorizationException("The authenticated user does not have authorization to modify service configurations");
+ }
+
String authName = getAuthName();
serviceConfigVersionResponse = cluster.addDesiredConfig(authName, configs, note);
if (serviceConfigVersionResponse != null) {
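Review bot: This `SERVICE_MODIFY_CONFIGS` guard and its message are repeated verbatim in the later hunk that handles `getServiceConfigVersionRequest()`, and the same `if(!AuthorizationHelper.isAuthorized(...)) { throw new AuthorizationException(...); }` shape recurs for every other check added to `updateCluster`. A small private helper taking the resource type, resource id, authorization and message would keep the denial path in one place, which also gives a single spot to log denied attempts. The new lines use `if(` without a space, unlike the neighbouring `if (!configs.isEmpty())`.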
@@ -1488,6 +1527,10 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
// Set the current version value if its not already set
if (currentVersion == null) {
+ if(!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, cluster.getClusterId(), EnumSet.of(RoleAuthorization.CLUSTER_UPGRADE_DOWNGRADE_STACK))) {
+ throw new AuthorizationException("The authenticated user does not have authorization to modify stack version");
+ }
+
cluster.setCurrentStackVersion(desiredVersion);
}
// Stack Upgrade: unlike the workflow for creating a cluster, updating a cluster via the API will not
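Review bot: `CLUSTER_UPGRADE_DOWNGRADE_STACK` is checked only inside `if (currentVersion == null)`, so in this hunk the authorization covers the first-time set of the current stack version and nothing else. If `updateCluster` can change the desired stack version on another path when a current version already exists, that path is outside the hunk and would need the same check; please confirm. A comment on the guard, such as `// only reached when no current stack version has been recorded yet`, would make the intended scope clear.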
@@ -1540,6 +1583,10 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
}
if (null != request.getServiceConfigVersionRequest()) {
+ if(!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, cluster.getClusterId(), EnumSet.of(RoleAuthorization.SERVICE_MODIFY_CONFIGS))) {
+ throw new AuthorizationException("The authenticated user does not have authorization to modify service configurations");
+ }
+
ServiceConfigVersionRequest serviceConfigVersionRequest = request.getServiceConfigVersionRequest();
if (StringUtils.isEmpty(serviceConfigVersionRequest.getServiceName()) ||
null == serviceConfigVersionRequest.getVersion()) {
@@ -1579,6 +1626,10 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
// if any custom operations are valid and requested, the process of executing them should be initiated,
// most of the validation logic will be left to the KerberosHelper to avoid polluting the controller
if (kerberosHelper.shouldExecuteCustomOperations(securityType, requestProperties)) {
+ if(!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, cluster.getClusterId(), EnumSet.of(RoleAuthorization.CLUSTER_TOGGLE_KERBEROS))) {
+ throw new AuthorizationException("The authenticated user does not have authorization to perform Kerberos-specific operations");
+ }
+
try {
requestStageContainer = kerberosHelper.executeCustomOperations(cluster, requestProperties, requestStageContainer,
kerberosHelper.getManageIdentitiesDirective(requestProperties));
@@ -1590,6 +1641,10 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
cluster.getSecurityType().name(), securityType.name());
if ((securityType == SecurityType.KERBEROS) || (securityType == SecurityType.NONE)) {
+ if(!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, cluster.getClusterId(), EnumSet.of(RoleAuthorization.CLUSTER_TOGGLE_KERBEROS))) {
+ throw new AuthorizationException("The authenticated user does not have authorization to enable or disable Kerberos");
+ }
+
// Since the security state of the cluster has changed, invoke toggleKerberos to handle
// adding or removing Kerberos from the cluster. This may generate multiple stages
// or not depending the current state of the cluster.
@@ -3050,7 +3105,7 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
}
@Override
- public Set<ClusterResponse> getClusters(Set<ClusterRequest> requests) throws AmbariException {
+ public Set<ClusterResponse> getClusters(Set<ClusterRequest> requests) throws AmbariException, AuthorizationException {
Set<ClusterResponse> response = new HashSet<ClusterResponse>();
for (ClusterRequest request : requests) {
try {
http://git-wip-us.apache.org/repos/asf/ambari/blob/19194e0b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterResourceProvider.java
index 84c13b9..2add289 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterResourceProvider.java
@@ -36,6 +36,10 @@ import org.apache.ambari.server.controller.spi.ResourceAlreadyExistsException;
import org.apache.ambari.server.controller.spi.SystemException;
import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
import org.apache.ambari.server.state.SecurityType;
import org.apache.ambari.server.topology.InvalidTopologyException;
import org.apache.ambari.server.topology.InvalidTopologyTemplateException;
@@ -43,10 +47,12 @@ import org.apache.ambari.server.topology.SecurityConfiguration;
import org.apache.ambari.server.topology.SecurityConfigurationFactory;
import org.apache.ambari.server.topology.TopologyManager;
import org.apache.ambari.server.topology.TopologyRequestFactory;
+import org.springframework.security.core.Authentication;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
+import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
@@ -154,13 +160,53 @@ public class ClusterResourceProvider extends AbstractControllerResourceProvider
*/
ClusterResourceProvider(AmbariManagementController managementController) {
super(propertyIds, keyPropertyIds, managementController);
- }
+ setRequiredCreateAuthorizations(EnumSet.of(RoleAuthorization.AMBARI_ADD_DELETE_CLUSTERS));
+ setRequiredDeleteAuthorizations(EnumSet.of(RoleAuthorization.AMBARI_ADD_DELETE_CLUSTERS));
+ setRequiredGetAuthorizations(RoleAuthorization.AUTHORIZATIONS_VIEW_CLUSTER);
+ setRequiredUpdateAuthorizations(RoleAuthorization.AUTHORIZATIONS_UPDATE_CLUSTER);
+ }
// ----- ResourceProvider ------------------------------------------------
@Override
- public RequestStatus createResources(Request request)
+ protected Set<String> getPKPropertyIds() {
+ return pkPropertyIds;
+ }
+
+ /**
+ * {@inheritDoc} Overridden to support configuration.
+ */
+ @Override
+ public Set<String> checkPropertyIds(Set<String> propertyIds) {
+ Set<String> baseUnsupported = super.checkPropertyIds(propertyIds);
+
+ // extract to own method
+ baseUnsupported.remove("blueprint");
+ baseUnsupported.remove("host_groups");
+ baseUnsupported.remove("default_password");
+ baseUnsupported.remove("configurations");
+ baseUnsupported.remove("credentials");
+ baseUnsupported.remove("config_recommendation_strategy");
+
+ return checkConfigPropertyIds(baseUnsupported, "Clusters");
+ }
+
+
+ // ----- AbstractAuthorizedResourceProvider ------------------------------------------------
+
+ @Override
+ protected boolean isAuthorizedToCreateResources(Authentication authentication, Request request) {
+ return AuthorizationHelper.isAuthorized(authentication, ResourceType.AMBARI, null, getRequiredCreateAuthorizations());
+ }
+
+ @Override
+ protected boolean isAuthorizedToDeleteResources(Authentication authentication, Predicate predicate) throws SystemException {
+ return AuthorizationHelper.isAuthorized(authentication, ResourceType.AMBARI, null, getRequiredDeleteAuthorizations());
+ }
+
+ @Override
+ protected RequestStatus createResourcesAuthorized(Request request)
throws SystemException,
UnsupportedPropertyException,
ResourceAlreadyExistsException,
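Review bot: The new `isAuthorizedToCreateResources` and `isAuthorizedToDeleteResources` overrides have no Javadoc explaining why create and delete are checked against `ResourceType.AMBARI` with a `null` resource id. Get and update, by contrast, are only configured through `AUTHORIZATIONS_VIEW_CLUSTER` and `AUTHORIZATIONS_UPDATE_CLUSTER` in the constructor. A one-line comment on each override, such as `// Adding or removing a cluster is an Ambari-level privilege, not tied to an existing cluster resource`, would make the scoping explicit. How the get and update sets are enforced is decided in the base class, which is not visible here. The `// extract to own method` remark in `checkPropertyIds` reads as a leftover and should either be done or marked as a TODO.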
@@ -194,9 +240,11 @@ public class ClusterResourceProvider extends AbstractControllerResourceProvider
}
Set<String> requestedIds = getRequestPropertyIds(request, predicate);
+ // Authorization checks are performed internally. If the user is not allowed to access a particular
+ // cluster, it should not show up in the responses.
Set<ClusterResponse> responses = getResources(new Command<Set<ClusterResponse>>() {
@Override
- public Set<ClusterResponse> invoke() throws AmbariException {
+ public Set<ClusterResponse> invoke() throws AmbariException, AuthorizationException {
return getManagementController().getClusters(requests);
}
});
@@ -208,10 +256,6 @@ public class ClusterResourceProvider extends AbstractControllerResourceProvider
}
// Allow internal call to bypass permissions check.
- Map<String, String> requestInfoProperties = request.getRequestInfoProperties();
- boolean ignorePermissions = requestInfoProperties == null ? false :
- Boolean.valueOf(requestInfoProperties.get(GET_IGNORE_PERMISSIONS_PROPERTY_ID));
-
for (ClusterResponse response : responses) {
String clusterName = response.getClusterName();
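Review bot: The context comment `// Allow internal call to bypass permissions check.` stays in place although this hunk deletes the `ignorePermissions` lookup it described, so it now documents a bypass the method no longer implements. Remove it, or replace it with something like `// Permission filtering is done by getManagementController().getClusters(requests).` If `GET_IGNORE_PERMISSIONS_PROPERTY_ID` has no other readers, it should be removed as well. Callers that still set it presumably now depend on the authentication held in the security context, which is worth confirming. The enclosing method starts and ends outside this hunk.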
@@ -235,15 +279,14 @@ public class ClusterResourceProvider extends AbstractControllerResourceProvider
LOG.debug("Adding ClusterResponse to resource"
+ ", clusterResponse=" + response.toString());
}
- if (ignorePermissions || includeCluster(clusterName, true)) {
- resources.add(resource);
- }
+
+ resources.add(resource);
}
return resources;
}
@Override
- public RequestStatus updateResources(final Request request, Predicate predicate)
+ protected RequestStatus updateResourcesAuthorized(final Request request, Predicate predicate)
throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
final Set<ClusterRequest> requests = new HashSet<ClusterRequest>();
@@ -253,14 +296,12 @@ public class ClusterResourceProvider extends AbstractControllerResourceProvider
Set<Map<String, Object>> propertyMaps = getPropertyMaps(requestPropertyMap, predicate);
for (Map<String, Object> propertyMap : propertyMaps) {
ClusterRequest clusterRequest = getRequest(propertyMap);
- if (includeCluster(clusterRequest.getClusterName(), false)) {
- requests.add(clusterRequest);
- }
+ requests.add(clusterRequest);
}
}
response = modifyResources(new Command<RequestStatusResponse>() {
@Override
- public RequestStatusResponse invoke() throws AmbariException {
+ public RequestStatusResponse invoke() throws AmbariException, AuthorizationException {
return getManagementController().updateClusters(requests, request.getRequestInfoProperties());
}
});
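Review bot: Requests for clusters the caller may not modify used to be dropped by `includeCluster(...)` before reaching the controller, but after this hunk every `ClusterRequest` is forwarded and a denial is expected to surface as `AuthorizationException` from `updateClusters`. That method is not visible here, so confirm that it authorizes all requests before applying any of them; otherwise a batch could be partly applied before the exception is thrown. A comment at the loop would record the new contract, e.g. `// No filtering here: updateClusters() authorizes each request and throws AuthorizationException.` updateResourcesAuthorized begins in the previous hunk and continues past this one.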
@@ -304,12 +345,11 @@ public class ClusterResourceProvider extends AbstractControllerResourceProvider
}
@Override
- public RequestStatus deleteResources(Predicate predicate)
+ protected RequestStatus deleteResourcesAuthorized(Predicate predicate)
throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
for (Map<String, Object> propertyMap : getPropertyMaps(predicate)) {
final ClusterRequest clusterRequest = getRequest(propertyMap);
- if (includeCluster(clusterRequest.getClusterName(), false)) {
modifyResources(new Command<Void>() {
@Override
public Void invoke() throws AmbariException {
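Review bot: With the `includeCluster(...)` guard removed, deleteResourcesAuthorized no longer checks the cluster named in each request. The only gate visible in this diff is `isAuthorizedToDeleteResources`, which calls `AuthorizationHelper.isAuthorized` with `ResourceType.AMBARI` and a null resource id, so the decision is not scoped to the cluster selected by the predicate. The `invoke()` here also still declares only `AmbariException`, unlike the read, update and create commands, which suggests no per-cluster check happens further down. If cluster deletion is meant to be an Ambari-level privilege, say so at the loop, e.g. `// Deletion is authorized at the Ambari level in isAuthorizedToDeleteResources(); no per-cluster check is made here.` The body of `invoke()` continues in the next hunk.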
@@ -317,35 +357,11 @@ public class ClusterResourceProvider extends AbstractControllerResourceProvider
return null;
}
});
- }
}
notifyDelete(Resource.Type.Cluster, predicate);
return getRequestStatus(null);
}
- @Override
- protected Set<String> getPKPropertyIds() {
- return pkPropertyIds;
- }
-
- /**
- * {@inheritDoc} Overridden to support configuration.
- */
- @Override
- public Set<String> checkPropertyIds(Set<String> propertyIds) {
- Set<String> baseUnsupported = super.checkPropertyIds(propertyIds);
-
- // extract to own method
- baseUnsupported.remove("blueprint");
- baseUnsupported.remove("host_groups");
- baseUnsupported.remove("default_password");
- baseUnsupported.remove("configurations");
- baseUnsupported.remove("credentials");
- baseUnsupported.remove("config_recommendation_strategy");
-
- return checkConfigPropertyIds(baseUnsupported, "Clusters");
- }
-
// ----- ClusterResourceProvider -------------------------------------------
@@ -534,26 +550,12 @@ public class ClusterResourceProvider extends AbstractControllerResourceProvider
createResources(new Command<Void>() {
@Override
- public Void invoke() throws AmbariException {
+ public Void invoke() throws AmbariException, AuthorizationException {
getManagementController().createCluster(getRequest(properties));
return null;
}
});
}
- /**
- * Determine whether or not the cluster resource identified
- * by the given cluster name should be included based on the
- * permissions granted to the current user.
- *
- * @param clusterName the cluster name
- * @param readOnly indicate whether or not this is for a read only operation
- *
- * @return true if the cluster should be included based on the permissions of the current user
- */
- private boolean includeCluster(String clusterName, boolean readOnly) {
- return getManagementController().getClusters().checkPermission(clusterName, readOnly);
- }
-
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/19194e0b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
index 15f0fe6..2bc749f 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
@@ -64,6 +64,7 @@ public class AmbariAuthorizationFilter implements Filter {
private static final String API_USERS_ALL_PATTERN = API_VERSION_PREFIX + "/users.*";
private static final String API_PRIVILEGES_ALL_PATTERN = API_VERSION_PREFIX + "/privileges.*";
private static final String API_GROUPS_ALL_PATTERN = API_VERSION_PREFIX + "/groups.*";
+ private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + "/clusters/(\\w+)?";
private static final String API_CLUSTERS_ALL_PATTERN = API_VERSION_PREFIX + "/clusters.*";
private static final String API_VIEWS_ALL_PATTERN = API_VERSION_PREFIX + "/views.*";
private static final String API_PERSIST_ALL_PATTERN = API_VERSION_PREFIX + "/persist.*";
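Review bot: `API_CLUSTERS_PATTERN` is evaluated with `String.matches` in the hunk at `@@ -252,6 +253,7 @@`, so it must match the whole URI, and `"/clusters/(\\w+)?"` requires the slash after `clusters` and allows only word characters in the name. `/clusters` without the trailing slash, or a cluster name containing `-` or `.`, would therefore not match and would be classified differently by that method from an otherwise identical request. The method's name and purpose are outside the hunk, so the effect on which authorization path runs needs checking. If the collection URI and arbitrary single-segment names are intended, something like `API_VERSION_PREFIX + "/clusters(/[^/]*)?"` expresses that. Either way, the filter test should cover a name with a hyphen and both spellings of the collection URI.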
@@ -252,6 +253,7 @@ public class AmbariAuthorizationFilter implements Filter {
return requestURI.matches(API_USERS_ALL_PATTERN) ||
requestURI.matches(API_GROUPS_ALL_PATTERN) ||
requestURI.matches(API_CREDENTIALS_ALL_PATTERN) ||
+ requestURI.matches(API_CLUSTERS_PATTERN) ||
requestURI.matches(API_PRIVILEGES_ALL_PATTERN);
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/19194e0b/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariCustomCommandExecutionHelperTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariCustomCommandExecutionHelperTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariCustomCommandExecutionHelperTest.java
index baa394c..ba952c0 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariCustomCommandExecutionHelperTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariCustomCommandExecutionHelperTest.java
@@ -43,6 +43,7 @@ import org.apache.ambari.server.controller.internal.ServiceResourceProviderTest;
import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.orm.GuiceJpaInitializer;
import org.apache.ambari.server.orm.InMemoryDefaultTestModule;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.state.Clusters;
import org.apache.ambari.server.state.Host;
import org.apache.ambari.server.state.HostState;
@@ -144,7 +145,7 @@ public class AmbariCustomCommandExecutionHelperTest {
Assert.assertEquals(1, command.getForceRefreshConfigTags().size());
Assert.assertEquals("capacity-scheduler", command.getForceRefreshConfigTags().iterator().next());
- } catch (AmbariException e) {
+ } catch (Exception e) {
Assert.fail(e.getMessage());
}
}
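Review bot: Widening the handler to `catch (Exception e)` followed by `Assert.fail(e.getMessage())` discards the stack trace and fails with a null message for exceptions that carry none, which now includes any runtime exception thrown in the test body. Declaring `throws Exception` on the test method and dropping the try/catch lets JUnit report the original exception. The same pattern is introduced in BackgroundCustomCommandExecutionTest at `@@ -148,12 +149,12 @@`. The test method's signature is outside this hunk.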
@@ -289,7 +290,7 @@ public class AmbariCustomCommandExecutionHelperTest {
Assert.assertFalse(helper.isTopologyRefreshRequired("STOP", "c1", "HDFS"));
}
- private void createClusterFixture(String stackVersion) throws AmbariException {
+ private void createClusterFixture(String stackVersion) throws AmbariException, AuthorizationException {
createCluster("c1", stackVersion);
addHost("c6401","c1");
addHost("c6402","c1");
@@ -329,7 +330,7 @@ public class AmbariCustomCommandExecutionHelperTest {
host.setHostAttributes(hostAttributes);
}
- private void createCluster(String clusterName, String stackVersion) throws AmbariException {
+ private void createCluster(String clusterName, String stackVersion) throws AmbariException, AuthorizationException {
ClusterRequest r = new ClusterRequest(null, clusterName, State.INSTALLED.name(),
SecurityType.NONE, stackVersion, null);
controller.createCluster(r);
http://git-wip-us.apache.org/repos/asf/ambari/blob/19194e0b/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java
index e2ec5e0..6d6cea6 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java
@@ -896,6 +896,7 @@ public class AmbariManagementControllerImplTest {
expect(clusterRequest.getClusterId()).andReturn(1L).times(6);
expect(clusterRequest.getSecurityType()).andReturn(SecurityType.NONE).anyTimes();
expect(clusters.getClusterById(1L)).andReturn(cluster).times(2);
+ expect(cluster.getClusterId()).andReturn(1L).times(2);
expect(cluster.getClusterName()).andReturn("cluster").times(2);
expect(cluster.getSecurityType()).andReturn(SecurityType.KERBEROS).anyTimes();
expect(cluster.getCurrentClusterVersion()).andReturn(null).anyTimes();
http://git-wip-us.apache.org/repos/asf/ambari/blob/19194e0b/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerTest.java
index bed55c5..9dbfcff 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerTest.java
@@ -104,6 +104,7 @@ import org.apache.ambari.server.orm.entities.HostRoleCommandEntity;
import org.apache.ambari.server.orm.entities.WidgetEntity;
import org.apache.ambari.server.orm.entities.WidgetLayoutEntity;
import org.apache.ambari.server.orm.entities.WidgetLayoutUserWidgetEntity;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.security.authorization.Users;
import org.apache.ambari.server.security.authorization.internal.InternalAuthenticationToken;
import org.apache.ambari.server.serveraction.ServerAction;
@@ -293,7 +294,7 @@ public class AmbariManagementControllerTest {
* @param clusterName Cluster name
* @throws AmbariException
*/
- private void createCluster(String clusterName) throws AmbariException {
+ private void createCluster(String clusterName) throws AmbariException, AuthorizationException {
ClusterRequest r = new ClusterRequest(null, clusterName, State.INSTALLED.name(), SecurityType.NONE, "HDP-0.1", null);
controller.createCluster(r);
}
@@ -546,7 +547,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testCreateClusterSimple() throws AmbariException {
+ public void testCreateClusterSimple() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
createCluster(clusterName);
Set<ClusterResponse> r =
@@ -570,7 +571,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testCreateClusterWithHostMapping() throws AmbariException {
+ public void testCreateClusterWithHostMapping() throws AmbariException, AuthorizationException {
Set<String> hostNames = new HashSet<String>();
hostNames.add("h1");
hostNames.add("h2");
@@ -648,7 +649,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testCreateServicesSimple() throws AmbariException {
+ public void testCreateServicesSimple() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
createCluster(clusterName);
String serviceName = "HDFS";
@@ -779,7 +780,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testCreateServiceWithInvalidInfo() throws AmbariException {
+ public void testCreateServiceWithInvalidInfo() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
createCluster(clusterName);
String serviceName = "HDFS";
@@ -849,7 +850,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testCreateServiceComponentSimple() throws AmbariException {
+ public void testCreateServiceComponentSimple() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
createCluster(clusterName);
String serviceName = "HDFS";
@@ -1289,7 +1290,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testCreateServiceComponentHostSimple() throws AmbariException {
+ public void testCreateServiceComponentHostSimple() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
createCluster(clusterName);
clusters.getCluster(clusterName)
@@ -1390,7 +1391,7 @@ public class AmbariManagementControllerTest {
@Test
public void testCreateServiceComponentHostMultiple()
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
String clusterName = "foo1";
createCluster(clusterName);
String serviceName = "HDFS";
@@ -2117,7 +2118,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testGetClusters() throws AmbariException {
+ public void testGetClusters() throws AmbariException, AuthorizationException {
clusters.addCluster("c1", new StackId("HDP-0.1"));
Cluster c1 = clusters.getCluster("c1");
@@ -2141,7 +2142,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testGetClustersWithFilters() throws AmbariException {
+ public void testGetClustersWithFilters() throws AmbariException, AuthorizationException {
clusters.addCluster("c1", new StackId("HDP-0.1"));
clusters.addCluster("c2", new StackId("HDP-0.1"));
clusters.addCluster("c3", new StackId("HDP-1.2.0"));
@@ -2446,7 +2447,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testGetServiceComponentHosts() throws AmbariException {
+ public void testGetServiceComponentHosts() throws AmbariException, AuthorizationException {
Cluster c1 = setupClusterWithHosts("c1", "HDP-0.1", new ArrayList<String>() {{
add("h1");
}}, "centos5");
@@ -2495,7 +2496,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testGetServiceComponentHostsWithStaleConfigFilter() throws AmbariException {
+ public void testGetServiceComponentHostsWithStaleConfigFilter() throws AmbariException, AuthorizationException {
final String host1 = "h1";
final String host2 = "h2";
@@ -2681,7 +2682,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testHbaseDecommission() throws AmbariException {
+ public void testHbaseDecommission() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
createCluster(clusterName);
clusters.getCluster(clusterName)
@@ -2830,7 +2831,7 @@ public class AmbariManagementControllerTest {
}
private Cluster setupClusterWithHosts(String clusterName, String stackId, List<String> hosts,
- String osType) throws AmbariException {
+ String osType) throws AmbariException, AuthorizationException {
ClusterRequest r = new ClusterRequest(null, clusterName, stackId, null);
controller.createCluster(r);
Cluster c1 = clusters.getCluster(clusterName);
@@ -2841,7 +2842,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testGetServiceComponentHostsWithFilters() throws AmbariException {
+ public void testGetServiceComponentHostsWithFilters() throws AmbariException, AuthorizationException {
Cluster c1 = setupClusterWithHosts("c1", "HDP-0.2",
new ArrayList<String>() {{
add("h1");
@@ -2998,7 +2999,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testGetHosts() throws AmbariException {
+ public void testGetHosts() throws AmbariException, AuthorizationException {
setupClusterWithHosts("c1", "HDP-0.2",
new ArrayList<String>() {{
add("h1");
@@ -3062,7 +3063,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testServiceUpdateBasic() throws AmbariException {
+ public void testServiceUpdateBasic() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
createCluster(clusterName);
String serviceName = "HDFS";
@@ -3105,7 +3106,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testServiceUpdateInvalidRequest() throws AmbariException {
+ public void testServiceUpdateInvalidRequest() throws AmbariException, AuthorizationException {
// multiple clusters
// dup services
// multiple diff end states
@@ -3191,7 +3192,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testServiceUpdateRecursive() throws AmbariException {
+ public void testServiceUpdateRecursive() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
createCluster(clusterName);
clusters.getCluster(clusterName)
@@ -3441,7 +3442,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testServiceComponentUpdateRecursive() throws AmbariException {
+ public void testServiceComponentUpdateRecursive() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
createCluster(clusterName);
String serviceName1 = "HDFS";
@@ -4301,7 +4302,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testComponentCategorySentWithRestart() throws AmbariException {
+ public void testComponentCategorySentWithRestart() throws AmbariException, AuthorizationException {
setupClusterWithHosts("c1", "HDP-2.0.7",
new ArrayList<String>() {{
add("h1");
@@ -4851,7 +4852,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testRcaOnJobtrackerHost() throws AmbariException {
+ public void testRcaOnJobtrackerHost() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
createCluster(clusterName);
Cluster cluster = clusters.getCluster(clusterName);
@@ -5430,7 +5431,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testReConfigureServiceClient() throws AmbariException {
+ public void testReConfigureServiceClient() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
createCluster(clusterName);
Cluster cluster = clusters.getCluster(clusterName);
@@ -5715,7 +5716,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testClientServiceSmokeTests() throws AmbariException {
+ public void testClientServiceSmokeTests() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
createCluster(clusterName);
clusters.getCluster(clusterName)
@@ -5808,7 +5809,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testSkipTaskOnUnhealthyHosts() throws AmbariException {
+ public void testSkipTaskOnUnhealthyHosts() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
createCluster(clusterName);
clusters.getCluster(clusterName)
@@ -5943,7 +5944,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testServiceCheckWhenHostIsUnhealthy() throws AmbariException {
+ public void testServiceCheckWhenHostIsUnhealthy() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
createCluster(clusterName);
clusters.getCluster(clusterName)
@@ -6049,7 +6050,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testReInstallForInstallFailedClient() throws AmbariException {
+ public void testReInstallForInstallFailedClient() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
createCluster(clusterName);
clusters.getCluster(clusterName)
@@ -6178,7 +6179,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testReInstallClientComponentFromServiceChange() throws AmbariException {
+ public void testReInstallClientComponentFromServiceChange() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
createCluster(clusterName);
clusters.getCluster(clusterName)
@@ -6411,7 +6412,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testResourceFiltersWithCustomActions() throws AmbariException {
+ public void testResourceFiltersWithCustomActions() throws AmbariException, AuthorizationException {
setupClusterWithHosts("c1", "HDP-2.0.6",
new ArrayList<String>() {{
add("h1");
@@ -6513,7 +6514,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testResourceFiltersWithCustomCommands() throws AmbariException {
+ public void testResourceFiltersWithCustomCommands() throws AmbariException, AuthorizationException {
setupClusterWithHosts("c1", "HDP-2.0.6",
new ArrayList<String>() {{
add("h1");
@@ -6624,7 +6625,7 @@ public class AmbariManagementControllerTest {
@Test
- public void testConfigsAttachedToServiceChecks() throws AmbariException {
+ public void testConfigsAttachedToServiceChecks() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
createCluster(clusterName);
Cluster cluster = clusters.getCluster(clusterName);
@@ -6706,7 +6707,7 @@ public class AmbariManagementControllerTest {
@Test
@Ignore("Unsuported feature !")
- public void testConfigsAttachedToServiceNotCluster() throws AmbariException {
+ public void testConfigsAttachedToServiceNotCluster() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
createCluster(clusterName);
clusters.getCluster(clusterName).setDesiredStackVersion(new StackId("HDP-0.1"));
@@ -6786,7 +6787,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testHostLevelParamsSentWithCommands() throws AmbariException {
+ public void testHostLevelParamsSentWithCommands() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
createCluster(clusterName);
clusters.getCluster(clusterName)
@@ -6844,7 +6845,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testConfigGroupOverridesWithHostActions() throws AmbariException {
+ public void testConfigGroupOverridesWithHostActions() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
createCluster(clusterName);
Cluster cluster = clusters.getCluster(clusterName);
@@ -7011,7 +7012,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testConfigGroupOverridesWithDecommissionDatanode() throws AmbariException {
+ public void testConfigGroupOverridesWithDecommissionDatanode() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
createCluster(clusterName);
Cluster cluster = clusters.getCluster(clusterName);
@@ -7114,7 +7115,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testConfigGroupOverridesWithServiceCheckActions() throws AmbariException {
+ public void testConfigGroupOverridesWithServiceCheckActions() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
createCluster(clusterName);
Cluster cluster = clusters.getCluster(clusterName);
@@ -7455,7 +7456,7 @@ public class AmbariManagementControllerTest {
// disabled as upgrade feature is disabled
@Ignore
@Test
- public void testUpdateClusterVersionBasic() throws AmbariException {
+ public void testUpdateClusterVersionBasic() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
String serviceName = "MAPREDUCE";
String host1 = "h1";
@@ -7587,7 +7588,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testUpdateClusterUpgradabilityCheck() throws AmbariException {
+ public void testUpdateClusterUpgradabilityCheck() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
StackId currentStackId = new StackId("HDP-0.2");
@@ -7619,7 +7620,7 @@ public class AmbariManagementControllerTest {
// disabled as cluster upgrade feature is disabled
@Ignore
@Test
- public void testUpdateClusterVersionCombinations() throws AmbariException {
+ public void testUpdateClusterVersionCombinations() throws AmbariException, AuthorizationException {
String clusterName = "foo1";
String pigServiceName = "PIG";
String mrServiceName = "MAPREDUCE";
@@ -8912,7 +8913,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testApplyConfigurationWithTheSameTag() {
+ public void testApplyConfigurationWithTheSameTag() throws AuthorizationException {
Injector injector = Guice.createInjector(new AbstractModule() {
@Override
protected void configure() {
@@ -10457,7 +10458,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testConfigAttributesStaleConfigFilter() throws AmbariException {
+ public void testConfigAttributesStaleConfigFilter() throws AmbariException, AuthorizationException {
final String host1 = "h1";
final String host2 = "h2";
@@ -10556,7 +10557,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testSecretReferences() throws AmbariException {
+ public void testSecretReferences() throws AmbariException, AuthorizationException {
final String host1 = "h1";
final String host2 = "h2";
http://git-wip-us.apache.org/repos/asf/ambari/blob/19194e0b/ambari-server/src/test/java/org/apache/ambari/server/controller/BackgroundCustomCommandExecutionTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/BackgroundCustomCommandExecutionTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/BackgroundCustomCommandExecutionTest.java
index 30be261..e1e9104 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/BackgroundCustomCommandExecutionTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/BackgroundCustomCommandExecutionTest.java
@@ -42,6 +42,7 @@ import org.apache.ambari.server.controller.internal.RequestResourceFilter;
import org.apache.ambari.server.controller.internal.ServiceResourceProviderTest;
import org.apache.ambari.server.orm.GuiceJpaInitializer;
import org.apache.ambari.server.orm.InMemoryDefaultTestModule;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.state.Clusters;
import org.apache.ambari.server.state.Host;
import org.apache.ambari.server.state.HostState;
@@ -148,12 +149,12 @@ public class BackgroundCustomCommandExecutionTest {
Assert.assertEquals(AgentCommandType.BACKGROUND_EXECUTION_COMMAND, command.getCommandType());
Assert.assertEquals("{\"threshold\":13}", command.getCommandParams().get("namenode"));
- } catch (AmbariException e) {
+ } catch (Exception e) {
Assert.fail(e.getMessage());
}
}
- private void createClusterFixture() throws AmbariException {
+ private void createClusterFixture() throws AmbariException, AuthorizationException {
createCluster("c1");
addHost("c6401","c1");
addHost("c6402","c1");
@@ -182,7 +183,7 @@ public class BackgroundCustomCommandExecutionTest {
host.setHostAttributes(hostAttributes);
}
- private void createCluster(String clusterName) throws AmbariException {
+ private void createCluster(String clusterName) throws AmbariException, AuthorizationException {
ClusterRequest r = new ClusterRequest(null, clusterName, State.INSTALLED.name(), SecurityType.NONE, "HDP-2.0.6", null);
controller.createCluster(r);
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/19194e0b/ambari-server/src/test/java/org/apache/ambari/server/controller/RefreshYarnCapacitySchedulerReleaseConfigTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/RefreshYarnCapacitySchedulerReleaseConfigTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/RefreshYarnCapacitySchedulerReleaseConfigTest.java
index e93a479..c871ec7 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/RefreshYarnCapacitySchedulerReleaseConfigTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/RefreshYarnCapacitySchedulerReleaseConfigTest.java
@@ -32,6 +32,8 @@ import org.apache.ambari.server.controller.internal.ComponentResourceProviderTes
import org.apache.ambari.server.controller.internal.ServiceResourceProviderTest;
import org.apache.ambari.server.orm.GuiceJpaInitializer;
import org.apache.ambari.server.orm.InMemoryDefaultTestModule;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.state.Cluster;
import org.apache.ambari.server.state.Clusters;
import org.apache.ambari.server.state.ConfigHelper;
@@ -49,6 +51,8 @@ import org.junit.Test;
import com.google.inject.Guice;
import com.google.inject.Injector;
import com.google.inject.persist.PersistService;
+import org.springframework.security.core.context.SecurityContextHolder;
+
@SuppressWarnings("serial")
public class RefreshYarnCapacitySchedulerReleaseConfigTest {
@@ -68,16 +72,24 @@ public class RefreshYarnCapacitySchedulerReleaseConfigTest {
clusters = injector.getInstance(Clusters.class);
configHelper = injector.getInstance(ConfigHelper.class);
ambariMetaInfo = injector.getInstance(AmbariMetaInfo.class);
+
+ // Set the authenticated user
+ // TODO: remove this or replace the authenticated user to test authorization rules
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator("admin"));
}
+
@After
public void teardown() {
injector.getInstance(PersistService.class).stop();
+
+ // Clear the authenticated user
+ SecurityContextHolder.getContext().setAuthentication(null);
}
@Test
- public void testRMRequiresRestart() throws AmbariException{
+ public void testRMRequiresRestart() throws AmbariException, AuthorizationException {
createClusterFixture("HDP-2.0.7");
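Review bot: In `teardown()` the authentication is cleared only after `PersistService.stop()` returns, so if `stop()` throws, the administrator authentication installed in setup stays bound to the thread and can leak into later tests. Put the cleanup in a `finally` block and use `SecurityContextHolder.clearContext();` rather than `getContext().setAuthentication(null)`, which leaves the context object in the holder. As the added TODO notes, every test in this class now runs as an administrator, so none of the visible changes exercises a denied request. The setup method begins outside this hunk.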
@@ -100,7 +112,7 @@ public class RefreshYarnCapacitySchedulerReleaseConfigTest {
}
@Test
- public void testAllRequiresRestart() throws AmbariException{
+ public void testAllRequiresRestart() throws AmbariException, AuthorizationException {
createClusterFixture("HDP-2.0.7");
Cluster cluster = clusters.getCluster("c1");
@@ -145,7 +157,7 @@ public class RefreshYarnCapacitySchedulerReleaseConfigTest {
}
}
- private void createClusterFixture(String stackName) throws AmbariException {
+ private void createClusterFixture(String stackName) throws AmbariException, AuthorizationException {
createCluster("c1", stackName);
addHost("c6401","c1");
addHost("c6402","c1");
@@ -182,7 +194,7 @@ public class RefreshYarnCapacitySchedulerReleaseConfigTest {
host.setHostAttributes(hostAttributes);
}
- private void createCluster(String clusterName, String stackName) throws AmbariException {
+ private void createCluster(String clusterName, String stackName) throws AmbariException, AuthorizationException {
ClusterRequest r = new ClusterRequest(null, clusterName, State.INSTALLED.name(), SecurityType.NONE, stackName, null);
controller.createCluster(r);
}