Posted to commits@ambari.apache.org by rl...@apache.org on 2016/10/21 20:01:58 UTC
[2/4] ambari git commit: Revert "AMBARI-1365. Authorizations given to
roles, should use generic role-based principals rather than hard-coded
pseudo-role-based principals (rlevas)"
Revert "AMBARI-1365. Authorizations given to roles, should use generic role-based principals rather than hard-coded pseudo-role-based principals (rlevas)"
This reverts commit b3dda4ffe9c8bc47725fd9292dc621568df45610.
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/b90b2863
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/b90b2863
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/b90b2863
Branch: refs/heads/trunk
Commit: b90b286366e67b7b494b2f2cf886dc4eab4ff006
Parents: 0dd7770
Author: Robert Levas <rl...@hortonworks.com>
Authored: Fri Oct 21 16:01:10 2016 -0400
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Fri Oct 21 16:01:10 2016 -0400
----------------------------------------------------------------------
.../controllers/ambariViews/ViewsEditCtrl.js | 16 +-
.../ui/admin-web/app/scripts/i18n.config.js | 10 +-
.../app/scripts/services/PermissionLoader.js | 11 +-
.../app/scripts/services/PermissionsSaver.js | 8 +-
.../ui/admin-web/app/scripts/services/View.js | 12 +-
.../admin-web/app/views/ambariViews/edit.html | 4 +-
.../test/unit/services/PermissionSaver_test.js | 16 +-
...ClusterPrivilegeChangeRequestAuditEvent.java | 21 +-
.../ViewPrivilegeChangeRequestAuditEvent.java | 18 +-
.../eventcreator/PrivilegeEventCreator.java | 4 +-
.../eventcreator/ViewPrivilegeEventCreator.java | 4 +-
.../ambari/server/controller/AmbariServer.java | 2 +-
.../AmbariPrivilegeResourceProvider.java | 9 +-
.../ClusterPrivilegeResourceProvider.java | 3 +-
.../GroupPrivilegeResourceProvider.java | 18 +-
.../internal/PrivilegeResourceProvider.java | 114 +++-------
.../internal/UserPrivilegeResourceProvider.java | 49 +++--
.../internal/ViewPrivilegeResourceProvider.java | 8 +-
.../ambari/server/orm/dao/PermissionDAO.java | 35 +--
.../ambari/server/orm/dao/PrincipalDAO.java | 13 +-
.../ambari/server/orm/dao/PrincipalTypeDAO.java | 29 +--
.../server/orm/entities/PermissionEntity.java | 6 -
.../orm/entities/PrincipalTypeEntity.java | 17 +-
.../authorization/AuthorizationHelper.java | 56 ++++-
.../ClusterInheritedPermissionHelper.java | 213 +++++++++++++++++++
.../server/security/authorization/Users.java | 145 ++-----------
.../server/upgrade/UpgradeCatalog242.java | 100 ---------
.../apache/ambari/server/view/ViewRegistry.java | 75 ++++---
.../view/configuration/AutoInstanceConfig.java | 43 ++--
.../main/resources/Ambari-DDL-Derby-CREATE.sql | 10 +
.../main/resources/Ambari-DDL-MySQL-CREATE.sql | 5 +
.../main/resources/Ambari-DDL-Oracle-CREATE.sql | 10 +
.../resources/Ambari-DDL-Postgres-CREATE.sql | 5 +
.../resources/Ambari-DDL-SQLAnywhere-CREATE.sql | 10 +
.../resources/Ambari-DDL-SQLServer-CREATE.sql | 5 +
.../AbstractPrivilegeResourceProviderTest.java | 38 ----
.../AmbariPrivilegeResourceProviderTest.java | 21 +-
.../ClusterPrivilegeResourceProviderTest.java | 8 +
.../GroupPrivilegeResourceProviderTest.java | 67 +++---
.../UserPrivilegeResourceProviderTest.java | 113 ++++------
.../ViewPrivilegeResourceProviderTest.java | 5 +-
.../authorization/AuthorizationHelperTest.java | 66 ++++++
.../server/upgrade/UpgradeCatalog242Test.java | 134 +-----------
.../configuration/AutoInstanceConfigTest.java | 17 +-
44 files changed, 716 insertions(+), 857 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js
index 834efdb..bd74b16 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js
@@ -23,7 +23,7 @@ angular.module('ambariAdminConsole')
$scope.identity = angular.identity;
$scope.isConfigurationEmpty = true;
$scope.isSettingsEmpty = true;
- $scope.permissionRoles = View.permissionRoles;
+ $scope.clusterInheritedPermissionKeys = View.clusterInheritedPermissionKeys;
$scope.constants = {
instance: $t('views.instance'),
props: $t('views.properties'),
@@ -352,7 +352,7 @@ angular.module('ambariAdminConsole')
data.ViewInstanceInfo.properties[element.name] = $scope.configuration[element.name];
}
});
- $scope.removeAllRolePermissions();
+ $scope.clearClusterInheritedPermissions();
}
@@ -417,9 +417,9 @@ angular.module('ambariAdminConsole')
});
};
- $scope.removeAllRolePermissions = function() {
- angular.forEach(View.permissionRoles, function(key) {
- $scope.permissionsEdit["VIEW.USER"]["ROLE"][key] = false;
+ $scope.clearClusterInheritedPermissions = function() {
+ angular.forEach(View.clusterInheritedPermissionKeys, function(key) {
+ $scope.permissionsEdit["VIEW.USER"][key] = false;
})
};
@@ -510,9 +510,11 @@ angular.module('ambariAdminConsole')
};
function setAllViewRoles(value) {
- var viewRoles = $scope.permissionsEdit["VIEW.USER"]["ROLE"];
+ var viewRoles = $scope.permissionsEdit["VIEW.USER"];
for (var role in viewRoles) {
- $scope.permissionsEdit["VIEW.USER"]["ROLE"][role] = value;
+ if ($scope.clusterInheritedPermissionKeys.indexOf(role) !== -1) {
+ viewRoles[role] = value;
+ }
}
}
}]);
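Review bot: setAllViewRoles walks every key of permissionsEdit["VIEW.USER"] with for..in and then filters with indexOf, although the keys it wants are exactly the entries of $scope.clusterInheritedPermissionKeys; iterating that array directly is shorter and never touches the USER, GROUP or PermissionInfo keys that share the object: `angular.forEach($scope.clusterInheritedPermissionKeys, function(key) { viewRoles[key] = value; });`. The for..in form also keeps working only as long as nobody adds an own property to the object whose name collides with a key, so the direct form is the safer one to keep.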
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js
index cd9b922..af22d7f 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js
@@ -234,11 +234,11 @@ angular.module('ambariAdminConsole')
'clusterPermissions': {
'label': 'Local Cluster Permissions',
- 'clusteradministrator': 'Cluster Administrator',
- 'clusteroperator': 'Cluster Operator',
- 'clusteruser': 'Cluster User',
- 'serviceadministrator': 'Service Administrator',
- 'serviceoperator': 'Service Operator',
+ 'allclusteradministrator': 'Cluster Administrator',
+ 'allclusteroperator': 'Cluster Operator',
+ 'allclusteruser': 'Cluster User',
+ 'allserviceadministrator': 'Service Administrator',
+ 'allserviceoperator': 'Service Operator',
'infoMessage': 'Grant <strong>Use</strong> permission for the following <strong>{{cluster}}</strong> Roles:',
'nonLocalClusterMessage': 'The ability to inherit view <strong>Use</strong> permission based on Cluster Roles is only available when using a Local Cluster configuration.'
},
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js
index 9cc04e4..988986b 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js
@@ -28,9 +28,8 @@ angular.module('ambariAdminConsole')
angular.forEach(permissions, function(permission) {
permission.GROUP = [];
permission.USER = [];
- permission.ROLE = {};
- angular.forEach(View.permissionRoles, function(key) {
- permission.ROLE[key] = false;
+ angular.forEach(View.clusterInheritedPermissionKeys, function(key) {
+ permission[key] = false;
});
permissionsInner[permission.PermissionInfo.permission_name] = permission;
});
@@ -38,10 +37,10 @@ angular.module('ambariAdminConsole')
// Now we can get privileges
resource.getPrivileges(params).then(function(privileges) {
angular.forEach(privileges, function(privilege) {
- if(privilege.PrivilegeInfo.principal_type == "ROLE") {
- permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type][privilege.PrivilegeInfo.principal_name] = true;
- } else {
+ if(!privilege.PrivilegeInfo.principal_type.startsWith("ALL.")) {
permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type].push(privilege.PrivilegeInfo.principal_name);
+ } else {
+ permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type] = true;
}
});
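Review bot: The new branch pair assumes every principal_type that does not start with "ALL." is one of the array buckets created above (USER, GROUP), so a privilege row with any other principal type, or a permission_name missing from permissionsInner, makes `.push` run on undefined and the TypeError aborts loading of the whole permission set for the view. Because a revert leaves previously written rows in place (inferred; it depends on what the database holds), one such row is enough to break the edit page, and a guard such as `var bucket = permissionsInner[...][...]; if (angular.isArray(bucket)) { bucket.push(principal_name); }` keeps a single unexpected row from doing that. String.prototype.startsWith is also ES2015 and absent in IE11, which matters only if that browser is still supported for admin-web.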
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js
index c170235..c7b9295 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js
@@ -48,13 +48,13 @@ angular.module('ambariAdminConsole')
}
}));
- angular.forEach(View.permissionRoles, function(key) {
- if(permission.ROLE[key] === true) {
+ angular.forEach(View.clusterInheritedPermissionKeys, function(key) {
+ if(permission[key] === true) {
arr.push({
'PrivilegeInfo': {
'permission_name': 'VIEW.USER',
- 'principal_name': key,
- 'principal_type': 'ROLE'
+ 'principal_name': '*',
+ 'principal_type': key
}
});
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js
index f549b29..5bc0509 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js
@@ -191,12 +191,12 @@ angular.module('ambariAdminConsole')
self.versionsList = item.versions;
}
- View.permissionRoles = [
- "CLUSTER.ADMINISTRATOR",
- "CLUSTER.OPERATOR",
- "SERVICE.OPERATOR",
- "SERVICE.ADMINISTRATOR",
- "CLUSTER.USER"
+ View.clusterInheritedPermissionKeys = [
+ "ALL.CLUSTER.ADMINISTRATOR",
+ "ALL.CLUSTER.OPERATOR",
+ "ALL.SERVICE.OPERATOR",
+ "ALL.SERVICE.ADMINISTRATOR",
+ "ALL.CLUSTER.USER"
];
View.getInstance = function(viewName, version, instanceName) {
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html b/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html
index 418c115..69eb1c1 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html
@@ -287,10 +287,10 @@
<span translate="views.clusterPermissions.infoMessage" translate-values="{cluster: cluster.name}"></span>
</div>
<div class="col-sm-offset-2 col-sm-10">
- <div class="checkbox col-sm-12" ng-repeat="key in permissionRoles">
+ <div class="checkbox col-sm-12" ng-repeat="key in clusterInheritedPermissionKeys">
<div ng-init="i18nKey = 'views.clusterPermissions.' + key.split('.').join('').toLowerCase()">
<label>
- <input type="checkbox" ng-model="permissionsEdit['VIEW.USER']['ROLE'][key]"> {{i18nKey | translate}}
+ <input type="checkbox" ng-model="permissionsEdit['VIEW.USER'][key]"> {{i18nKey | translate}}
</label>
</div>
</div>
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js b/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js
index 6c662f2..fa36d98 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js
@@ -178,13 +178,11 @@ describe('PermissionSaver Service', function () {
'PermissionInfo': {
permission_name: 'VIEW.USER'
},
- 'ROLE': {
- 'CLUSTER.ADMINISTRATOR': true,
- 'CLUSTER.OPERATOR': false,
- 'SERVICE.OPERATOR': false,
- 'SERVICE.ADMINISTRATOR': false,
- 'CLUSTER.USER': false
- },
+ 'ALL.CLUSTER.ADMINISTRATOR': true,
+ 'ALL.CLUSTER.OPERATOR': false,
+ 'ALL.SERVICE.OPERATOR': false,
+ 'ALL.SERVICE.ADMINISTRATOR': false,
+ 'ALL.CLUSTER.USER': false,
'USER': ['u0', 'u1', 'g0'],
'GROUP': ['g0', 'g1', 'u0']
}
@@ -235,8 +233,8 @@ describe('PermissionSaver Service', function () {
{
PrivilegeInfo: {
permission_name: 'VIEW.USER',
- principal_name: 'CLUSTER.ADMINISTRATOR',
- principal_type: 'ROLE'
+ principal_name: '*',
+ principal_type: 'ALL.CLUSTER.ADMINISTRATOR'
}
}
];
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java
index 29fb7b4..b28bb2a 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java
@@ -18,9 +18,11 @@
package org.apache.ambari.server.audit.event.request;
+import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
+import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
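Review bot: The restored `java.util.HashSet` and `java.util.Set` imports are not used by any hunk of this file, and nothing in the diff shows a use elsewhere; if the rest of the file does not reference them either, they are dead imports that should not come back with the revert. The same pair is restored in ViewPrivilegeChangeRequestAuditEvent.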
@@ -45,16 +47,10 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
/**
* Roles for groups
- * group name -> list of roles
+ * groupname -> list fo roles
*/
private Map<String, List<String>> groups;
- /**
- * Roles for roles
- * role name -> list of roles
- */
- private Map<String, List<String>> roles;
-
public ClusterPrivilegeChangeRequestAuditEventBuilder() {
super.withOperation("Role change");
}
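Review bot: The Javadoc on the groups field goes back to `groupname -> list fo roles`, which reintroduces the typo the reverted commit had fixed; the field itself can be restored as-is while keeping `* group name -> list of roles`.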
@@ -76,10 +72,9 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
SortedSet<String> roleSet = new TreeSet<String>();
roleSet.addAll(users.keySet());
roleSet.addAll(groups.keySet());
- roleSet.addAll(roles.keySet());
builder.append(", Roles(");
- if (!users.isEmpty() || !groups.isEmpty()|| !roles.isEmpty()) {
+ if (!users.isEmpty() || !groups.isEmpty()) {
builder.append(System.lineSeparator());
}
@@ -93,9 +88,6 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
if (groups.get(role) != null && !groups.get(role).isEmpty()) {
lines.add(" Groups: " + StringUtils.join(groups.get(role), ", "));
}
- if (roles.get(role) != null && !roles.get(role).isEmpty()) {
- lines.add(" Roles: " + StringUtils.join(roles.get(role), ", "));
- }
}
builder.append(StringUtils.join(lines, System.lineSeparator()));
@@ -112,11 +104,6 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
this.groups = groups;
return this;
}
-
- public ClusterPrivilegeChangeRequestAuditEventBuilder withRoles(Map<String, List<String>> roles) {
- this.roles = roles;
- return this;
- }
}
protected ClusterPrivilegeChangeRequestAuditEvent() {
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java
index 73c1aa6..11c558c 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java
@@ -18,9 +18,11 @@
package org.apache.ambari.server.audit.event.request;
+import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
+import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
@@ -48,11 +50,6 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
private Map<String, List<String>> groups;
/**
- * Roles with their roles
- */
- private Map<String, List<String>> roles;
-
- /**
* View name
*/
private String name;
@@ -97,10 +94,9 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
SortedSet<String> roleSet = new TreeSet<String>();
roleSet.addAll(users.keySet());
roleSet.addAll(groups.keySet());
- roleSet.addAll(roles.keySet());
builder.append(", Permissions(");
- if (!users.isEmpty() || !groups.isEmpty() || !roles.isEmpty()) {
+ if (!users.isEmpty() || !groups.isEmpty()) {
builder.append(System.lineSeparator());
}
@@ -114,9 +110,6 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
if (groups.get(role) != null && !groups.get(role).isEmpty()) {
lines.add(" Groups: " + StringUtils.join(groups.get(role), ", "));
}
- if (roles.get(role) != null && !roles.get(role).isEmpty()) {
- lines.add(" Roles: " + StringUtils.join(roles.get(role), ", "));
- }
}
builder.append(StringUtils.join(lines, System.lineSeparator()));
@@ -148,11 +141,6 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
this.groups = groups;
return this;
}
-
- public ViewPrivilegeChangeRequestAuditEventBuilder withRoles(Map<String, List<String>> roles) {
- this.roles = roles;
- return this;
- }
}
protected ViewPrivilegeChangeRequestAuditEvent() {
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java
index a7be8e1..5c476c6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java
@@ -33,6 +33,8 @@ import org.apache.ambari.server.audit.event.request.PrivilegeChangeRequestAuditE
import org.apache.ambari.server.controller.internal.PrivilegeResourceProvider;
import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
@@ -86,7 +88,6 @@ public class PrivilegeEventCreator implements RequestAuditEventCreator {
Map<String, List<String>> users = getEntities(request, PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME);
Map<String, List<String>> groups = getEntities(request, PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME);
- Map<String, List<String>> roles = getEntities(request, PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME);
switch (request.getRequestType()) {
case PUT:
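Review bot: After this hunk the audit event is assembled only from the USER and GROUP principal types, while the admin UI in this same commit saves cluster-inherited grants with principal_type values such as `ALL.CLUSTER.ADMINISTRATOR` and principal_name `*` (PermissionsSaver.js). If getEntities filters by the principal type it is given (its body is not visible here), those grants never reach ClusterPrivilegeChangeRequestAuditEvent, so a request that extends VIEW.USER to every cluster administrator leaves no trace in the audit log. Either gather the ALL.* principal types with a further getEntities call and a builder field for them, or state on the event class that such grants are deliberately excluded so an auditor knows where to look. The same gap applies to the ViewPrivilegeEventCreator hunk below. The restored SecurityContextHolder and User imports also appear unused in the visible hunks of both creators.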
@@ -98,7 +99,6 @@ public class PrivilegeEventCreator implements RequestAuditEventCreator {
.withRemoteIp(request.getRemoteAddress())
.withUsers(users)
.withGroups(groups)
- .withRoles(roles)
.build();
case POST:
String role = users.isEmpty() ? Iterables.getFirst(groups.keySet(), null) : Iterables.getFirst(users.keySet(), null);
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
index 47983ff..56d35c0 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
@@ -32,6 +32,8 @@ import org.apache.ambari.server.audit.event.request.ViewPrivilegeChangeRequestAu
import org.apache.ambari.server.controller.internal.ViewPrivilegeResourceProvider;
import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
import com.google.common.collect.ImmutableSet;
@@ -85,7 +87,6 @@ public class ViewPrivilegeEventCreator implements RequestAuditEventCreator {
Map<String, List<String>> users = getEntities(request, PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME);
Map<String, List<String>> groups = getEntities(request, PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME);
- Map<String, List<String>> roles = getEntities(request, PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME);
return ViewPrivilegeChangeRequestAuditEvent.builder()
.withTimestamp(System.currentTimeMillis())
@@ -98,7 +99,6 @@ public class ViewPrivilegeEventCreator implements RequestAuditEventCreator {
.withName(RequestAuditEventCreatorHelper.getProperty(request, ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID))
.withUsers(users)
.withGroups(groups)
- .withRoles(roles)
.build();
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index 68ee67f..56e2398 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -876,7 +876,7 @@ public class AmbariServer {
injector.getInstance(GroupDAO.class), injector.getInstance(PrincipalDAO.class),
injector.getInstance(PermissionDAO.class), injector.getInstance(ResourceDAO.class));
UserPrivilegeResourceProvider.init(injector.getInstance(UserDAO.class), injector.getInstance(ClusterDAO.class),
- injector.getInstance(GroupDAO.class), injector.getInstance(ViewInstanceDAO.class), injector.getInstance(Users.class));
+ injector.getInstance(GroupDAO.class), injector.getInstance(ViewInstanceDAO.class), injector.getInstance(PrivilegeDAO.class));
ClusterPrivilegeResourceProvider.init(injector.getInstance(ClusterDAO.class));
AmbariPrivilegeResourceProvider.init(injector.getInstance(ClusterDAO.class));
ActionManager.setTopologyManager(injector.getInstance(TopologyManager.class));
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
index bd17b6a..e5c95cb 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
@@ -1,4 +1,4 @@
-/*
+/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -22,7 +22,6 @@ import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.orm.dao.ClusterDAO;
import org.apache.ambari.server.orm.entities.ClusterEntity;
import org.apache.ambari.server.orm.entities.GroupEntity;
-import org.apache.ambari.server.orm.entities.PermissionEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
@@ -149,10 +148,8 @@ public class AmbariPrivilegeResourceProvider extends PrivilegeResourceProvider<O
protected Resource toResource(PrivilegeEntity privilegeEntity,
Map<Long, UserEntity> userEntities,
Map<Long, GroupEntity> groupEntities,
- Map<Long, PermissionEntity> roleEntities,
- Map<Long, Object> resourceEntities,
- Set<String> requestedIds) {
- Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
+ Map<Long, Object> resourceEntities, Set<String> requestedIds) {
+ Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
if (resource != null) {
ResourceEntity resourceEntity = privilegeEntity.getResource();
ResourceTypeEntity type = resourceEntity.getResourceType();
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
index fb7bff3..8f37764 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
@@ -147,11 +147,10 @@ public class ClusterPrivilegeResourceProvider extends PrivilegeResourceProvider<
protected Resource toResource(PrivilegeEntity privilegeEntity,
Map<Long, UserEntity> userEntities,
Map<Long, GroupEntity> groupEntities,
- Map<Long, PermissionEntity> roleEntities,
Map<Long, ClusterEntity> resourceEntities,
Set<String> requestedIds) {
- Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
+ Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
if (resource != null) {
ClusterEntity clusterEntity = resourceEntities.get(privilegeEntity.getResource().getId());
setResourceProperty(resource, PRIVILEGE_CLUSTER_NAME_PROPERTY_ID, clusterEntity.getClusterName(), requestedIds);
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java
index 4b71b47..94d1cad 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java
@@ -28,6 +28,7 @@ import org.apache.ambari.server.controller.spi.SystemException;
import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
import org.apache.ambari.server.orm.dao.ClusterDAO;
import org.apache.ambari.server.orm.dao.GroupDAO;
+import org.apache.ambari.server.orm.dao.PrivilegeDAO;
import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
import org.apache.ambari.server.orm.entities.ClusterEntity;
import org.apache.ambari.server.orm.entities.GroupEntity;
@@ -37,7 +38,6 @@ import org.apache.ambari.server.orm.entities.ViewEntity;
import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
import org.apache.ambari.server.security.authorization.*;
-import java.util.Collection;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
@@ -81,10 +81,10 @@ public class GroupPrivilegeResourceProvider extends ReadOnlyResourceProvider {
protected static ViewInstanceDAO viewInstanceDAO;
/**
- * Users (helper) object used to obtain privilege entities.
+ * Data access object used to obtain privilege entities.
*/
@Inject
- protected static Users users;
+ protected static PrivilegeDAO privilegeDAO;
/**
* The property ids for a privilege resource.
@@ -110,14 +110,14 @@ public class GroupPrivilegeResourceProvider extends ReadOnlyResourceProvider {
* @param clusterDAO the cluster data access object
* @param groupDAO the group data access object
* @param viewInstanceDAO the view instance data access object
- * @param users the users helper instance
+ * @param privilegeDAO
*/
public static void init(ClusterDAO clusterDAO, GroupDAO groupDAO,
- ViewInstanceDAO viewInstanceDAO, Users users) {
+ ViewInstanceDAO viewInstanceDAO, PrivilegeDAO privilegeDAO) {
GroupPrivilegeResourceProvider.clusterDAO = clusterDAO;
GroupPrivilegeResourceProvider.groupDAO = groupDAO;
GroupPrivilegeResourceProvider.viewInstanceDAO = viewInstanceDAO;
- GroupPrivilegeResourceProvider.users = users;
+ GroupPrivilegeResourceProvider.privilegeDAO = privilegeDAO;
}
@SuppressWarnings("serial")
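Review bot: The restored Javadoc on init leaves `@param privilegeDAO` with no description while the other three parameters have one; `* @param privilegeDAO the privilege data access object` completes it and matches the field comment above.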
@@ -180,7 +180,11 @@ public class GroupPrivilegeResourceProvider extends ReadOnlyResourceProvider {
throw new SystemException("Group " + groupName + " was not found");
}
- final Collection<PrivilegeEntity> privileges = users.getGroupPrivileges(groupEntity);
+ final Set<PrivilegeEntity> privileges = groupEntity.getPrincipal().getPrivileges();
+
+ Set<PrivilegeEntity> allViewPrivilegesWithClusterPermission =
+ ClusterInheritedPermissionHelper.getViewPrivilegesWithClusterPermission(viewInstanceDAO, privilegeDAO, privileges);
+ privileges.addAll(allViewPrivilegesWithClusterPermission);
for (PrivilegeEntity privilegeEntity : privileges) {
resources.add(toResource(privilegeEntity, groupName, requestedIds));
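Review bot: `privileges` is the Set handed back by `groupEntity.getPrincipal().getPrivileges()`, and `privileges.addAll(allViewPrivilegesWithClusterPermission)` then pushes the computed cluster-inherited view privileges straight into it, so the principal entity's own privilege collection now holds grants that were never stored for that group. If that collection is the JPA-mapped one and the entity is still managed when the unit of work flushes (not visible here), the inherited privileges can be written as real rows, turning a read of a group's effective permissions into a persistent grant; even without a flush, anything else that reads the same entity in this request sees the inflated set. Merge into a copy instead: `final Set<PrivilegeEntity> privileges = new HashSet<PrivilegeEntity>(groupEntity.getPrincipal().getPrivileges());` — HashSet is already imported in this file. The enclosing getResources method starts and ends outside the hunk.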
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
index 07b98bd..34111df 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
@@ -1,4 +1,4 @@
-/*
+/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -51,7 +51,7 @@ import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.UserEntity;
-import org.apache.commons.lang.StringUtils;
+import org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper;
/**
* Abstract resource provider for privilege resources.
@@ -195,58 +195,35 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
resourceIds.addAll(resourceEntities.keySet());
- Set<PrivilegeEntity> entitySet = new HashSet<PrivilegeEntity>();
- List<PrincipalEntity> userPrincipals = new LinkedList<PrincipalEntity>();
- List<PrincipalEntity> groupPrincipals = new LinkedList<PrincipalEntity>();
- List<PrincipalEntity> rolePrincipals = new LinkedList<PrincipalEntity>();
+ Set<PrivilegeEntity> entitySet = new HashSet<PrivilegeEntity>();
+ List<PrincipalEntity> principalList = new LinkedList<PrincipalEntity>();
List<PrivilegeEntity> entities = privilegeDAO.findAll();
for(PrivilegeEntity privilegeEntity : entities){
if (resourceIds.contains(privilegeEntity.getResource().getId())) {
PrincipalEntity principal = privilegeEntity.getPrincipal();
- String principalType = principal.getPrincipalType().getName();
-
entitySet.add(privilegeEntity);
-
- if(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME.equals(principalType)) {
- userPrincipals.add(principal);
- }
- else if(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME.equals(principalType)) {
- groupPrincipals.add(principal);
- }
- else if(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME.equals(principalType)) {
- rolePrincipals.add(principal);
- }
+ principalList.add(principal);
}
}
Map<Long, UserEntity> userEntities = new HashMap<Long, UserEntity>();
- if(!userPrincipals.isEmpty()) {
- List<UserEntity> userList = userDAO.findUsersByPrincipal(userPrincipals);
- for (UserEntity userEntity : userList) {
- userEntities.put(userEntity.getPrincipal().getId(), userEntity);
- }
+ List<UserEntity> userList = userDAO.findUsersByPrincipal(principalList);
+
+ for (UserEntity userEntity : userList) {
+ userEntities.put(userEntity.getPrincipal().getId(), userEntity);
}
Map<Long, GroupEntity> groupEntities = new HashMap<Long, GroupEntity>();
- if(!groupPrincipals.isEmpty()) {
- List<GroupEntity> groupList = groupDAO.findGroupsByPrincipal(groupPrincipals);
- for (GroupEntity groupEntity : groupList) {
- groupEntities.put(groupEntity.getPrincipal().getId(), groupEntity);
- }
- }
+ List<GroupEntity> groupList = groupDAO.findGroupsByPrincipal(principalList);
- Map<Long, PermissionEntity> roleEntities = new HashMap<Long, PermissionEntity>();
- if (!rolePrincipals.isEmpty()){
- List<PermissionEntity> roleList = permissionDAO.findPermissionsByPrincipal(rolePrincipals);
- for (PermissionEntity roleEntity : roleList) {
- roleEntities.put(roleEntity.getPrincipal().getId(), roleEntity);
- }
+ for (GroupEntity groupEntity : groupList) {
+ groupEntities.put(groupEntity.getPrincipal().getId(), groupEntity);
}
for(PrivilegeEntity privilegeEntity : entitySet){
- Resource resource = toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
+ Resource resource = toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
if (resource != null && (predicate == null || predicate.evaluate(resource))) {
resources.add(resource);
}
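Review bot: The new code hands `principalList` to `userDAO.findUsersByPrincipal` and `groupDAO.findGroupsByPrincipal` even when it is empty, while the replaced code guarded both calls with `isEmpty()` checks; an `IN :principalList` query over an empty collection fails on several JPA providers unless the DAO itself guards it, and the removed `PermissionDAO.findPermissionsByPrincipal` had such a guard, which suggests the DAOs may not. Wrap both lookups in `if (!principalList.isEmpty()) { ... }`. It also passes every principal, including the pseudo-role principals, to both DAOs, which is harmless but avoidable by filtering on principal type as the replaced code did. The enclosing method starts outside the hunk.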
@@ -304,7 +281,6 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
* @param privilegeEntity the privilege entity to be converted
* @param userEntities the map of user entities keyed by resource id
* @param groupEntities the map of group entities keyed by resource id
- * @param roleEntities the map of role entities keyed by resource id
* @param resourceEntities the map of resource entities keyed by resource id
* @param requestedIds the requested property ids
*
@@ -313,48 +289,29 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
protected Resource toResource(PrivilegeEntity privilegeEntity,
Map<Long, UserEntity> userEntities,
Map<Long, GroupEntity> groupEntities,
- Map<Long, PermissionEntity> roleEntities,
Map<Long, T> resourceEntities,
Set<String> requestedIds) {
Resource resource = new ResourceImpl(resourceType);
- PrincipalEntity principal = privilegeEntity.getPrincipal();
- String principalTypeName = null;
- String resourcePropertyName = null;
-
- if(principal != null) {
- PrincipalTypeEntity principalType = principal.getPrincipalType();
-
- if (principalType != null) {
- Long principalId = principal.getId();
-
- principalTypeName = principalType.getName();
-
- if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME, principalTypeName)) {
- GroupEntity groupEntity = groupEntities.get(principalId);
- if (groupEntity != null) {
- resourcePropertyName = groupEntity.getGroupName();
- }
- } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME, principalTypeName)) {
- PermissionEntity roleEntity = roleEntities.get(principalId);
- if (roleEntity != null) {
- resourcePropertyName = roleEntity.getPermissionName();
- }
- } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME, principalTypeName)) {
- UserEntity userEntity = userEntities.get(principalId);
- if (userEntity != null) {
- resourcePropertyName = userEntity.getUserName();
- }
- }
- }
+ setResourceProperty(resource, PRIVILEGE_ID_PROPERTY_ID,
+ privilegeEntity.getId(), requestedIds);
+ setResourceProperty(resource, PERMISSION_NAME_PROPERTY_ID,
+ privilegeEntity.getPermission().getPermissionName(), requestedIds);
+ setResourceProperty(resource, PERMISSION_LABEL_PROPERTY_ID,
+ privilegeEntity.getPermission().getPermissionLabel(), requestedIds);
+
+ PrincipalEntity principal = privilegeEntity.getPrincipal();
+ Long principalId = principal.getId();
+
+ if (userEntities.containsKey(principalId)) {
+ UserEntity userEntity = userEntities.get(principalId);
+ setResourceProperty(resource, PRINCIPAL_NAME_PROPERTY_ID, userEntity.getUserName(), requestedIds);
+ } else if (groupEntities.containsKey(principalId)){
+ GroupEntity groupEntity = groupEntities.get(principalId);
+ setResourceProperty(resource, PRINCIPAL_NAME_PROPERTY_ID, groupEntity.getGroupName(), requestedIds);
}
- setResourceProperty(resource, PRIVILEGE_ID_PROPERTY_ID, privilegeEntity.getId(), requestedIds);
- setResourceProperty(resource, PERMISSION_NAME_PROPERTY_ID, privilegeEntity.getPermission().getPermissionName(), requestedIds);
- setResourceProperty(resource, PERMISSION_LABEL_PROPERTY_ID, privilegeEntity.getPermission().getPermissionLabel(), requestedIds);
- setResourceProperty(resource, PRINCIPAL_NAME_PROPERTY_ID, resourcePropertyName, requestedIds);
- setResourceProperty(resource, PRINCIPAL_TYPE_PROPERTY_ID, principalTypeName, requestedIds);
-
+ setResourceProperty(resource, PRINCIPAL_TYPE_PROPERTY_ID, principal.getPrincipalType().getName(), requestedIds);
return resource;
}
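Review bot: `principal.getId()` and `principal.getPrincipalType().getName()` in the new toResource dereference the privilege's principal and its type without the null checks the replaced version performed, so a privilege row with a missing principal turns a read into a NullPointerException instead of a resource with an empty principal name. Guard them: `Long principalId = (principal == null) ? null : principal.getId();` and `PrincipalTypeEntity type = (principal == null) ? null : principal.getPrincipalType();`, then pass `type == null ? null : type.getName()` to the PRINCIPAL_TYPE_PROPERTY_ID setter. Note also that a privilege held by one of the ALL.* pseudo-principals matches neither map, so PRINCIPAL_NAME_PROPERTY_ID is left unset for it; consumers of the resource may not expect that.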
@@ -382,21 +339,18 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
String principalName = (String) properties.get(PRINCIPAL_NAME_PROPERTY_ID);
String principalType = (String) properties.get(PRINCIPAL_TYPE_PROPERTY_ID);
- if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME, principalType)) {
+ if (PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)) {
GroupEntity groupEntity = groupDAO.findGroupByName(principalName);
if (groupEntity != null) {
entity.setPrincipal(principalDAO.findById(groupEntity.getPrincipal().getId()));
}
- } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME, principalType)) {
- PermissionEntity permissionEntity = permissionDAO.findByName(principalName);
- if (permissionEntity != null) {
- entity.setPrincipal(principalDAO.findById(permissionEntity.getPrincipal().getId()));
- }
- } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME, principalType)) {
+ } else if (PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)) {
UserEntity userEntity = userDAO.findUserByName(principalName);
if (userEntity != null) {
entity.setPrincipal(principalDAO.findById(userEntity.getPrincipal().getId()));
}
+ } else if (ClusterInheritedPermissionHelper.isValidPrincipalType(principalType)) {
+ entity.setPrincipal(principalDAO.findByPrincipalType(principalType).get(0)); // There will be only one principal for that type
} else {
throw new AmbariException("Unknown principal type " + principalType);
}
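Review bot: `principalDAO.findByPrincipalType(principalType).get(0)` throws IndexOutOfBoundsException when no principal of that type exists, surfacing as an unchecked error on a request path where the sibling branches raise AmbariException; the trailing comment asserts uniqueness rather than checking it. Prefer `List<PrincipalEntity> principals = principalDAO.findByPrincipalType(principalType);` followed by `if (principals.isEmpty()) { throw new AmbariException("No principal found for type " + principalType); }` and `entity.setPrincipal(principals.get(0));`. The enclosing method starts and ends outside the hunk.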
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
index 009c38b..bdd73a6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
@@ -1,4 +1,4 @@
-/*
+/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -17,6 +17,8 @@
*/
package org.apache.ambari.server.controller.internal;
+import com.google.common.base.Function;
+import com.google.common.collect.FluentIterable;
import org.apache.ambari.server.controller.spi.NoSuchParentResourceException;
import org.apache.ambari.server.controller.spi.NoSuchResourceException;
import org.apache.ambari.server.controller.spi.Predicate;
@@ -26,23 +28,26 @@ import org.apache.ambari.server.controller.spi.SystemException;
import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
import org.apache.ambari.server.orm.dao.ClusterDAO;
import org.apache.ambari.server.orm.dao.GroupDAO;
+import org.apache.ambari.server.orm.dao.PrivilegeDAO;
import org.apache.ambari.server.orm.dao.UserDAO;
import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
import org.apache.ambari.server.orm.entities.ClusterEntity;
import org.apache.ambari.server.orm.entities.GroupEntity;
+import org.apache.ambari.server.orm.entities.MemberEntity;
import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
+import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.UserEntity;
import org.apache.ambari.server.orm.entities.ViewEntity;
import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper;
import org.apache.ambari.server.security.authorization.ResourceType;
import org.apache.ambari.server.security.authorization.RoleAuthorization;
import org.apache.ambari.server.security.authorization.UserType;
-import org.apache.ambari.server.security.authorization.Users;
-import java.util.Collection;
+import javax.annotation.Nullable;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
@@ -54,17 +59,17 @@ import java.util.Set;
*/
public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
- protected static final String PRIVILEGE_PRIVILEGE_ID_PROPERTY_ID = PrivilegeResourceProvider.PRIVILEGE_ID_PROPERTY_ID;
+ protected static final String PRIVILEGE_PRIVILEGE_ID_PROPERTY_ID = PrivilegeResourceProvider.PRIVILEGE_ID_PROPERTY_ID;
protected static final String PRIVILEGE_PERMISSION_NAME_PROPERTY_ID = PrivilegeResourceProvider.PERMISSION_NAME_PROPERTY_ID;
protected static final String PRIVILEGE_PERMISSION_LABEL_PROPERTY_ID = PrivilegeResourceProvider.PERMISSION_LABEL_PROPERTY_ID;
- protected static final String PRIVILEGE_PRINCIPAL_NAME_PROPERTY_ID = PrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID;
- protected static final String PRIVILEGE_PRINCIPAL_TYPE_PROPERTY_ID = PrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID;
- protected static final String PRIVILEGE_VIEW_NAME_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_NAME_PROPERTY_ID;
- protected static final String PRIVILEGE_VIEW_VERSION_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_VERSION_PROPERTY_ID;
- protected static final String PRIVILEGE_INSTANCE_NAME_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID;
- protected static final String PRIVILEGE_CLUSTER_NAME_PROPERTY_ID = ClusterPrivilegeResourceProvider.PRIVILEGE_CLUSTER_NAME_PROPERTY_ID;
- protected static final String PRIVILEGE_TYPE_PROPERTY_ID = AmbariPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID;
- protected static final String PRIVILEGE_USER_NAME_PROPERTY_ID = "PrivilegeInfo/user_name";
+ protected static final String PRIVILEGE_PRINCIPAL_NAME_PROPERTY_ID = PrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID;
+ protected static final String PRIVILEGE_PRINCIPAL_TYPE_PROPERTY_ID = PrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID;
+ protected static final String PRIVILEGE_VIEW_NAME_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_NAME_PROPERTY_ID;
+ protected static final String PRIVILEGE_VIEW_VERSION_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_VERSION_PROPERTY_ID;
+ protected static final String PRIVILEGE_INSTANCE_NAME_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID;
+ protected static final String PRIVILEGE_CLUSTER_NAME_PROPERTY_ID = ClusterPrivilegeResourceProvider.PRIVILEGE_CLUSTER_NAME_PROPERTY_ID;
+ protected static final String PRIVILEGE_TYPE_PROPERTY_ID = AmbariPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID;
+ protected static final String PRIVILEGE_USER_NAME_PROPERTY_ID = "PrivilegeInfo/user_name";
/**
* Data access object used to obtain user entities.
@@ -87,9 +92,9 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
protected static ViewInstanceDAO viewInstanceDAO;
/**
- * Helper to obtain privilege data for requested users
+ * DAO used to obtain privilege entities.
*/
- private static Users users;
+ protected static PrivilegeDAO privilegeDAO;
/**
* The property ids for a privilege resource.
@@ -115,15 +120,15 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
* @param clusterDAO the cluster data access object
* @param groupDAO the group data access object
* @param viewInstanceDAO the view instance data access object
- * @param users the Users helper object
+ * @param privilegeDAO
*/
public static void init(UserDAO userDAO, ClusterDAO clusterDAO, GroupDAO groupDAO,
- ViewInstanceDAO viewInstanceDAO, Users users) {
+ ViewInstanceDAO viewInstanceDAO, PrivilegeDAO privilegeDAO) {
UserPrivilegeResourceProvider.userDAO = userDAO;
UserPrivilegeResourceProvider.clusterDAO = clusterDAO;
UserPrivilegeResourceProvider.groupDAO = groupDAO;
UserPrivilegeResourceProvider.viewInstanceDAO = viewInstanceDAO;
- UserPrivilegeResourceProvider.users = users;
+ UserPrivilegeResourceProvider.privilegeDAO = privilegeDAO;
}
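Review bot: The `@param privilegeDAO` tag in the init Javadoc has no description while the sibling parameters are documented; the same empty tag appears in GroupPrivilegeResourceProvider.init. Write `@param privilegeDAO the privilege data access object` in both. In the preceding hunk the backing field also changes from `private static Users users` to `protected static PrivilegeDAO privilegeDAO`; if no subclass reads it, `private` keeps the exposed surface minimal.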
@SuppressWarnings("serial")
@@ -194,7 +199,15 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
throw new SystemException("User " + userName + " was not found");
}
- final Collection<PrivilegeEntity> privileges = users.getUserPrivileges(userEntity);
+ final Set<PrivilegeEntity> privileges = userEntity.getPrincipal().getPrivileges();
+
+ for (MemberEntity membership : userEntity.getMemberEntities()) {
+ privileges.addAll(membership.getGroup().getPrincipal().getPrivileges());
+ }
+
+ Set<PrivilegeEntity> allViewPrivilegesWithClusterPermission =
+ ClusterInheritedPermissionHelper.getViewPrivilegesWithClusterPermission(viewInstanceDAO, privilegeDAO, privileges);
+ privileges.addAll(allViewPrivilegesWithClusterPermission);
for (PrivilegeEntity privilegeEntity : privileges) {
resources.add(toResource(privilegeEntity, userName, requestedIds));
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
index 7182f4c..e5bd224 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
@@ -1,4 +1,4 @@
-/*
+/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -191,10 +191,8 @@ public class ViewPrivilegeResourceProvider extends PrivilegeResourceProvider<Vie
protected Resource toResource(PrivilegeEntity privilegeEntity,
Map<Long, UserEntity> userEntities,
Map<Long, GroupEntity> groupEntities,
- Map<Long, PermissionEntity> roleEntities,
- Map<Long, ViewInstanceEntity> resourceEntities,
- Set<String> requestedIds) {
- Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
+ Map<Long, ViewInstanceEntity> resourceEntities, Set<String> requestedIds) {
+ Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
if (resource != null) {
ViewInstanceEntity viewInstanceEntity = resourceEntities.get(privilegeEntity.getResource().getId());
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java
index c844ab6..88d9775 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java
@@ -1,4 +1,4 @@
-/*
+/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -18,7 +18,6 @@
package org.apache.ambari.server.orm.dao;
-import java.util.Collections;
import java.util.List;
import javax.persistence.EntityManager;
@@ -26,7 +25,6 @@ import javax.persistence.TypedQuery;
import org.apache.ambari.server.orm.RequiresSession;
import org.apache.ambari.server.orm.entities.PermissionEntity;
-import org.apache.ambari.server.orm.entities.PrincipalEntity;
import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import com.google.inject.Inject;
@@ -82,37 +80,6 @@ public class PermissionDAO {
}
/**
- * Find a permission entity with the given name.
- *
- * @param name permission name
- *
- * @return a matching permission entity or null
- */
- @RequiresSession
- public PermissionEntity findByName(String name) {
- TypedQuery<PermissionEntity> query = entityManagerProvider.get().createNamedQuery("PermissionEntity.findByName", PermissionEntity.class);
- query.setParameter("permissionName", name);
- return daoUtils.selectSingle(query);
- }
-
- /**
- * Find the permission entities for the given list of principals
- *
- * @param principalList the list of principal entities
- *
- * @return the list of permissions (or roles) matching the query
- */
- @RequiresSession
- public List<PermissionEntity> findPermissionsByPrincipal(List<PrincipalEntity> principalList) {
- if (principalList == null || principalList.isEmpty()) {
- return Collections.emptyList();
- }
- TypedQuery<PermissionEntity> query = entityManagerProvider.get().createNamedQuery("PermissionEntity.findByPrincipals", PermissionEntity.class);
- query.setParameter("principalList", principalList);
- return daoUtils.selectList(query);
- }
-
- /**
* Find all permission entities.
*
* @return all entities or an empty List
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java
index 45a1658..efbdfab 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java
@@ -1,4 +1,4 @@
-/*
+/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -121,15 +121,4 @@ public class PrincipalDAO {
public PrincipalEntity merge(PrincipalEntity entity) {
return entityManagerProvider.get().merge(entity);
}
-
- /**
- * Remove the entity instance.
- *
- * @param entity entity to remove
- */
- @Transactional
- public void remove(PrincipalEntity entity) {
- entityManagerProvider.get().remove(entity);
- }
-
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java
index 17628c6..7823d56 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java
@@ -1,4 +1,4 @@
-/*
+/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -60,20 +60,6 @@ public class PrincipalTypeDAO {
}
/**
- * Find a principal type entity with the given name.
- *
- * @param name principal type name
- *
- * @return a matching principal type entity or null
- */
- @RequiresSession
- public PrincipalTypeEntity findByName(String name) {
- TypedQuery<PrincipalTypeEntity> query = entityManagerProvider.get().createNamedQuery("PrincipalTypeEntity.findByName", PrincipalTypeEntity.class);
- query.setParameter("name", name);
- return daoUtils.selectSingle(query);
- }
-
- /**
* Find all principal types.
*
* @return all principal types or an empty List
@@ -100,16 +86,6 @@ public class PrincipalTypeDAO {
}
/**
- * Remove the entity instance.
- *
- * @param entity entity to remove
- */
- @Transactional
- public void remove(PrincipalTypeEntity entity) {
- entityManagerProvider.get().remove(entity);
- }
-
- /**
* Creates and returns principal type if it wasn't persisted yet.
*
* @param principalType id of principal type
@@ -128,9 +104,6 @@ public class PrincipalTypeDAO {
case PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE:
principalTypeEntity.setName(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME);
break;
- case PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE:
- principalTypeEntity.setName(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME);
- break;
default:
throw new IllegalArgumentException("Unknown principal type ID=" + principalType);
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
index b6f1557..f091bab 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
@@ -29,8 +29,6 @@ import javax.persistence.JoinColumns;
import javax.persistence.JoinTable;
import javax.persistence.ManyToMany;
import javax.persistence.ManyToOne;
-import javax.persistence.NamedQueries;
-import javax.persistence.NamedQuery;
import javax.persistence.OneToOne;
import javax.persistence.Table;
import javax.persistence.TableGenerator;
@@ -46,10 +44,6 @@ import java.util.Collection;
, pkColumnValue = "permission_id_seq"
, initialValue = 100
)
-@NamedQueries({
- @NamedQuery(name = "PermissionEntity.findByName", query = "SELECT p FROM PermissionEntity p WHERE p.permissionName = :permissionName"),
- @NamedQuery(name = "PermissionEntity.findByPrincipals", query = "SELECT p FROM PermissionEntity p WHERE p.principal IN :principalList")
-})
public class PermissionEntity {
/**
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java
index 31e11e6..716d4f7 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java
@@ -1,4 +1,4 @@
-/*
+/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -30,9 +30,6 @@ import javax.persistence.*;
, pkColumnValue = "principal_type_id_seq"
, initialValue = 100
)
-@NamedQueries({
- @NamedQuery(name = "PrincipalTypeEntity.findByName", query = "SELECT p FROM PrincipalTypeEntity p WHERE p.name = :name")
-})
public class PrincipalTypeEntity {
/**
@@ -40,11 +37,19 @@ public class PrincipalTypeEntity {
*/
public static final int USER_PRINCIPAL_TYPE = 1;
public static final int GROUP_PRINCIPAL_TYPE = 2;
- public static final int ROLE_PRINCIPAL_TYPE = 8;
+ public static final int CLUSTER_ADMINISTRATOR_PRINCIPAL_TYPE = 3;
+ public static final int CLUSTER_OPERATOR_PRINCIPAL_TYPE = 4;
+ public static final int CLUSTER_USER_PRINCIPAL_TYPE = 5;
+ public static final int SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE = 6;
+ public static final int SERVICE_OPERATOR_PRINCIPAL_TYPE = 7;
public static final String USER_PRINCIPAL_TYPE_NAME = "USER";
public static final String GROUP_PRINCIPAL_TYPE_NAME = "GROUP";
- public static final String ROLE_PRINCIPAL_TYPE_NAME = "ROLE";
+ public static final String CLUSTER_ADMINISTRATOR_PRINCIPAL_TYPE_NAME = "ALL.CLUSTER.ADMINISTRATOR";
+ public static final String CLUSTER_OPERATOR_PRINCIPAL_TYPE_NAME = "ALL.CLUSTER.OPERATOR";
+ public static final String CLUSTER_USER_PRINCIPAL_TYPE_NAME = "ALL.CLUSTER.USER";
+ public static final String SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE_NAME = "ALL.SERVICE.ADMINISTRATOR";
+ public static final String SERVICE_OPERATOR_PRINCIPAL_TYPE_NAME = "ALL.SERVICE.OPERATOR";
/**
* The type id.
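Review bot: The five new pseudo-principal type constants and their `ALL.*` names carry no Javadoc, unlike the existing USER/GROUP pair, so a reader cannot tell that each appears to designate a single synthetic principal standing for every holder of the corresponding cluster or service role rather than a real user or group. Add a comment above `CLUSTER_ADMINISTRATOR_PRINCIPAL_TYPE` such as `// Pseudo-principal types: one synthetic principal per cluster/service role; privileges granted to it are inherited by every holder of that role`. Since the revert drops `ROLE_PRINCIPAL_TYPE = 8` while the ids 3..7 return, any persisted principal_type row with id 8 created by the reverted commit would be left orphaned; confirm whether a cleanup is needed.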
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
index e875e8a..8639a2f 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
@@ -17,6 +17,9 @@
*/
package org.apache.ambari.server.security.authorization;
+import com.google.common.base.Function;
+import com.google.common.base.Predicate;
+import com.google.common.collect.FluentIterable;
import com.google.common.collect.Lists;
import com.google.inject.Inject;
import com.google.inject.Provider;
@@ -27,6 +30,7 @@ import org.apache.ambari.server.orm.entities.PermissionEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity;
+import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
@@ -43,10 +47,10 @@ import java.util.HashSet;
import java.util.List;
import java.util.Set;
+@Singleton
/**
* Provides utility methods for authentication functionality
*/
-@Singleton
public class AuthorizationHelper {
private final static Logger LOG = LoggerFactory.getLogger(AuthorizationHelper.class);
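Review bot: `@Singleton` is now placed above the class Javadoc instead of between the Javadoc and `public class`, which detaches the doc comment from the declaration for javadoc tooling, since a doc comment must immediately precede the declaration it documents and the annotation is part of that declaration. Keep the order `/** Provides utility methods ... */`, then `@Singleton`, then `public class AuthorizationHelper {`.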
@@ -226,8 +230,56 @@ public class AuthorizationHelper {
}
}
- return false;
+ // Check if the resourceId is a view.
+ // Get all privileges for the resourceId and the principal associated for them should be of all cluster/service
+ // type.
+ // Now from the authorities check if the user privileges with CLUSTER/SERVICE type permission and has access to
+ // cluster resource with the permission.
+ // Then if the permission type matches the cluster/service type principal(names) then the user should have access
+ // to those views.
+
+ if(resourceId == null) {
+ return false;
+ }
+
+ ViewInstanceDAO viewInstanceDAO = viewInstanceDAOProvider.get();
+
+ ViewInstanceEntity instanceEntity = viewInstanceDAO.findByResourceId(resourceId);
+ if(instanceEntity == null || instanceEntity.getClusterHandle() == null) {
+ return false;
+ }
+
+ PrivilegeDAO privilegeDAO = privilegeDAOProvider.get();
+
+ final Set<String> privilegeNames = FluentIterable.from(privilegeDAO.findByResourceId(resourceId))
+ .filter(ClusterInheritedPermissionHelper.privilegeWithClusterInheritedPermissionTypePredicate)
+ .transform(ClusterInheritedPermissionHelper.permissionNameFromClusterInheritedPrivilege)
+ .toSet();
+
+ return FluentIterable.from(authentication.getAuthorities())
+ .filter(new Predicate<GrantedAuthority>() {
+ @Override
+ public boolean apply(GrantedAuthority grantedAuthority) {
+ AmbariGrantedAuthority authority = (AmbariGrantedAuthority) grantedAuthority;
+ PrivilegeEntity privilege = authority.getPrivilegeEntity();
+ String resourceTypeName = privilege.getResource().getResourceType().getName();
+ return ResourceType.translate(resourceTypeName) == ResourceType.CLUSTER;
+ }
+ }).transform(new Function<GrantedAuthority, PermissionEntity>() {
+ @Override
+ public PermissionEntity apply(GrantedAuthority grantedAuthority) {
+ AmbariGrantedAuthority authority = (AmbariGrantedAuthority) grantedAuthority;
+ PrivilegeEntity privilege = authority.getPrivilegeEntity();
+ return privilege.getPermission();
+ }
+ }).anyMatch(new Predicate<PermissionEntity>() {
+ @Override
+ public boolean apply(PermissionEntity input) {
+ return privilegeNames.contains(input.getPermissionName());
+ }
+ });
}
+
}
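Review bot: The new fallback never compares the user's cluster privileges with the cluster the view instance is bound to: `instanceEntity.getClusterHandle()` is only tested for null, and the filter over authorities accepts any privilege whose resource type translates to `ResourceType.CLUSTER`, so a user holding a cluster-scoped permission on one cluster matches a view attached to a different cluster whenever the permission names coincide. Unless that resource comparison happens in code outside this hunk, the filter should additionally require the authority's resource to be the cluster resource identified by `getClusterHandle()`. The two `(AmbariGrantedAuthority) grantedAuthority` casts throw ClassCastException if the authentication holds any other GrantedAuthority implementation; an `instanceof` check in the filter would be safer. The enclosing method starts outside the hunk, and its Javadoc should state that cluster-level permissions can grant access to views bound to that cluster. The seven-line comment block before the null check is hard to follow and would read better as two sentences describing the resource check and the permission-name match.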
/**
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java
new file mode 100644
index 0000000..9922bb2
--- /dev/null
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java
@@ -0,0 +1,213 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ambari.server.security.authorization;
+
+import com.google.common.base.Function;
+import com.google.common.base.Predicate;
+import com.google.common.collect.FluentIterable;
+import org.apache.ambari.server.orm.dao.PrivilegeDAO;
+import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
+import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
+import org.apache.ambari.server.orm.entities.PrivilegeEntity;
+import org.apache.ambari.server.orm.entities.ResourceEntity;
+import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
+
+import javax.annotation.Nullable;
+import java.util.Collection;
+import java.util.Set;
+
+
+/**
+ * Helper class to take care of the cluster inherited permission for any view.
+ */
+public class ClusterInheritedPermissionHelper {
+
+ /**
+ * Predicate which validates if the principalType passed is valid or not.
+ */
+ public static final Predicate<String> validPrincipalTypePredicate = new Predicate<String>() {
+ @Override
+ public boolean apply(String principalType) {
+ return isValidPrincipalType(principalType);
+ }
+ };
+
+ /**
+ * Predicate which validates if the privilegeEntity has resourceEntity of type {@see ResourceType.CLUSTER}
+ */
+ public static final Predicate<PrivilegeEntity> clusterPrivilegesPredicate = new Predicate<PrivilegeEntity>() {
+ @Override
+ public boolean apply(PrivilegeEntity privilegeEntity) {
+ String resourceTypeName = privilegeEntity.getResource().getResourceType().getName();
+ return ResourceType.translate(resourceTypeName) == ResourceType.CLUSTER;
+ }
+ };
+
+ /**
+ * Predicate which validates if view instance entity is cluster associated
+ */
+ public static final Predicate<ViewInstanceEntity> clusterAssociatedViewInstancePredicate = new Predicate<ViewInstanceEntity>() {
+ @Override
+ public boolean apply(ViewInstanceEntity viewInstanceEntity) {
+ return viewInstanceEntity.getClusterHandle() != null;
+ }
+ };
+
+ /**
+ * Predicate to validate if the privilege entity has a principal which has a cluster inherited principal type
+ */
+ public static final Predicate<PrivilegeEntity> privilegeWithClusterInheritedPermissionTypePredicate = new Predicate<PrivilegeEntity>() {
+ @Override
+ public boolean apply(PrivilegeEntity privilegeEntity) {
+ String principalTypeName = privilegeEntity.getPrincipal().getPrincipalType().getName();
+ return principalTypeName.startsWith("ALL.");
+ }
+ };
+
+ /**
+ * Mapper to return the Permission Name from the cluster inherited privilege name. Example: "ALL.CLUSTER.USER" becomes "CLUSTER.USER"
+ */
+ public static final Function<PrivilegeEntity, String> permissionNameFromClusterInheritedPrivilege = new Function<PrivilegeEntity, String>() {
+ @Override
+ public String apply(PrivilegeEntity input) {
+ return input.getPrincipal().getPrincipalType().getName().substring(4);
+ }
+ };
+
+ /**
+ * Mapper to return resources from view instance entity.
+ */
+ public static final Function<ViewInstanceEntity, ResourceEntity> resourceFromViewInstanceMapper = new Function<ViewInstanceEntity, ResourceEntity>() {
+ @Override
+ public ResourceEntity apply(ViewInstanceEntity viewInstanceEntity) {
+ return viewInstanceEntity.getResource();
+ }
+ };
+
+ /**
+ * Mapper to return all privileges from resource entity
+ */
+ public static final Function<ResourceEntity, Iterable<PrivilegeEntity>> allPrivilegesFromResoucesMapper = new Function<ResourceEntity, Iterable<PrivilegeEntity>>() {
+ @Override
+ public Iterable<PrivilegeEntity> apply(ResourceEntity resourceEntity) {
+ return resourceEntity.getPrivileges();
+ }
+ };
+
+ /**
+ * Mapper to return permission name from privilege
+ */
+ public static final Function<PrivilegeEntity, String> permissionNameFromPrivilegeMapper = new Function<PrivilegeEntity, String>() {
+ @Override
+ public String apply(PrivilegeEntity privilegeEntity) {
+ return privilegeEntity.getPermission().getPermissionName();
+ }
+ };
+
+ /**
+ * Predicate to validate if the cluster inherited principal type for privilege entity is present in the valid permission type set passed
+ * @param validSet - valid set of permission types
+ * @return Predicate to check the condition
+ */
+ public static final Predicate<PrivilegeEntity> principalTypeInSetFrom(final Collection<String> validSet) {
+ return new Predicate<PrivilegeEntity>() {
+ @Override
+ public boolean apply(PrivilegeEntity privilegeEntity) {
+ String permissionName = privilegeEntity.getPrincipal().getPrincipalType().getName().substring(4);
+ return validSet.contains(permissionName);
+ }
+ };
+ }
+
+ /**
+ * Predicate to filter out privileges which are already existing in the passed privileges set.
+ * @param existingPrivileges - Privileges set to which the comparison will be made
+ * @return Predicate to check the validation
+ */
+ public static Predicate<PrivilegeEntity> removeIfExistingPrivilegePredicate(final Set<PrivilegeEntity> existingPrivileges) {
+ return new Predicate<PrivilegeEntity>() {
+ @Override
+ public boolean apply(final PrivilegeEntity privilegeEntity) {
+ return !FluentIterable.from(existingPrivileges).anyMatch(new com.google.common.base.Predicate<PrivilegeEntity>() {
+ @Override
+ public boolean apply(PrivilegeEntity directPrivilegeEntity) {
+ return directPrivilegeEntity.getResource().getId().equals(privilegeEntity.getResource().getId())
+ && directPrivilegeEntity.getPermission().getId().equals(privilegeEntity.getPermission().getId());
+ }
+ });
+ }
+ };
+ }
+
+ /**
+ * Validates if the principal type is valid for cluster inherited permissions.
+ * @param principalType - Principal type
+ * @return true if the principalType is in ("ALL.CLUSTER.ADMINISTRATOR", "ALL.CLUSTER.OPERATOR",
+ * "ALL.CLUSTER.USER", "ALL.SERVICE.OPERATOR", "ALL.SERVICE.USER")
+ */
+ public static boolean isValidPrincipalType(String principalType) {
+ return PrincipalTypeEntity.CLUSTER_ADMINISTRATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
+ || PrincipalTypeEntity.CLUSTER_OPERATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
+ || PrincipalTypeEntity.CLUSTER_USER_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
+ || PrincipalTypeEntity.SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
+ || PrincipalTypeEntity.SERVICE_OPERATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType);
+ }
+
+ /**
+ * Returns the view privileges for which cluster permissions has been specified. This filters out all the privileges
+ * which are related to view resources attached to a cluster and are configured to have cluster level permissions. Then
+ * It checks if the user has cluster level permissions and further filters down the privilege list to the ones for which
+ * the user should have privilege.
+ * @param userDirectPrivileges - direct privileges for the user.
+ * @return - Filtered list of privileges for view resource for which the user should have access.
+ */
+ public static Set<PrivilegeEntity> getViewPrivilegesWithClusterPermission(final ViewInstanceDAO viewInstanceDAO, final PrivilegeDAO privilegeDAO,
+ final Set<PrivilegeEntity> userDirectPrivileges) {
+
+ final Set<String> clusterPrivileges = FluentIterable.from(userDirectPrivileges)
+ .filter(ClusterInheritedPermissionHelper.clusterPrivilegesPredicate)
+ .transform(ClusterInheritedPermissionHelper.permissionNameFromPrivilegeMapper)
+ .toSet();
+
+ Set<Long> resourceIds = FluentIterable.from(viewInstanceDAO.findAll())
+ .filter(ClusterInheritedPermissionHelper.clusterAssociatedViewInstancePredicate)
+ .transform(ClusterInheritedPermissionHelper.resourceFromViewInstanceMapper)
+ .transform(new Function<ResourceEntity, Long>() {
+ @Nullable
+ @Override
+ public Long apply(@Nullable ResourceEntity input) {
+ return input.getId();
+ }
+ }).toSet();
+
+ Set<PrivilegeEntity> allPrivileges = FluentIterable.from(resourceIds)
+ .transformAndConcat(new Function<Long, Iterable<PrivilegeEntity>>() {
+ @Nullable
+ @Override
+ public Iterable<PrivilegeEntity> apply(@Nullable Long input) {
+ return privilegeDAO.findByResourceId(input);
+ }
+ }).toSet();
+
+ return FluentIterable.from(allPrivileges)
+ .filter(ClusterInheritedPermissionHelper.privilegeWithClusterInheritedPermissionTypePredicate)
+ .filter(ClusterInheritedPermissionHelper.principalTypeInSetFrom(clusterPrivileges))
+ .filter(ClusterInheritedPermissionHelper.removeIfExistingPrivilegePredicate(userDirectPrivileges))
+ .toSet();
+ }
+}
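Review bot: The Javadoc on `isValidPrincipalType` names `ALL.SERVICE.OPERATOR` and `ALL.SERVICE.USER` as accepted, but the body compares against `SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE_NAME` and `SERVICE_OPERATOR_PRINCIPAL_TYPE_NAME`; the `@return` line should list what the code actually checks. The same method matches with `equalsIgnoreCase`, while `privilegeWithClusterInheritedPermissionTypePredicate` uses a case-sensitive `startsWith("ALL.")` and both `permissionNameFromClusterInheritedPrivilege` and `principalTypeInSetFrom` strip the prefix with a bare `substring(4)`, so a principal type name that passes validation in a different case is silently left out of the inherited-permission path, and a name shorter than four characters reaching either `substring(4)` throws `StringIndexOutOfBoundsException`. Centralising the prefix handling in one helper, e.g. `private static String inheritedPermissionName(String principalTypeName) { return principalTypeName.startsWith("ALL.") ? principalTypeName.substring(4) : null; }` with callers treating `null` as "not cluster-inherited", would keep the three sites consistent. `getViewPrivilegesWithClusterPermission` is also missing `@param` entries for `viewInstanceDAO` and `privilegeDAO`.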
http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
index eee721a..a4f0031 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
@@ -705,96 +705,6 @@ public class Users {
}
/**
- * Gets the explicit and implicit privileges for the given user.
- * <p>
- * The explicit privileges are the privileges that have be explicitly set by assigning roles to
- * a user. For example the Cluster Operator role on a given cluster gives that the ability to
- * start and stop services in that cluster, among other privileges for that particular cluster.
- * <p>
- * The implicit privileges are the privileges that have been given to the roles themselves which
- * in turn are granted to the users that have been assigned those roles. For example if the
- * Cluster User role for a given cluster has been given View User access on a specified File View
- * instance, then all users who have the Cluster User role for that cluster will implicitly be
- * granted View User access on that File View instance.
- *
- * @param userEntity the relevant user
- * @return the collection of implicit and explicit privileges
- */
- public Collection<PrivilegeEntity> getUserPrivileges(UserEntity userEntity) {
- if (userEntity == null) {
- return Collections.emptyList();
- }
-
- // get all of the privileges for the user
- List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
-
- principalEntities.add(userEntity.getPrincipal());
-
- List<MemberEntity> memberEntities = memberDAO.findAllMembersByUser(userEntity);
-
- for (MemberEntity memberEntity : memberEntities) {
- principalEntities.add(memberEntity.getGroup().getPrincipal());
- }
-
- List<PrivilegeEntity> explicitPrivilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
- List<PrivilegeEntity> implicitPrivilegeEntities = getImplicitPrivileges(explicitPrivilegeEntities);
- List<PrivilegeEntity> privilegeEntities;
-
- if(implicitPrivilegeEntities.isEmpty()) {
- privilegeEntities = explicitPrivilegeEntities;
- }
- else {
- privilegeEntities = new LinkedList<PrivilegeEntity>();
- privilegeEntities.addAll(explicitPrivilegeEntities);
- privilegeEntities.addAll(implicitPrivilegeEntities);
- }
-
- return privilegeEntities;
- }
-
- /**
- * Gets the explicit and implicit privileges for the given group.
- * <p>
- * The explicit privileges are the privileges that have be explicitly set by assigning roles to
- * a group. For example the Cluster Operator role on a given cluster gives that the ability to
- * start and stop services in that cluster, among other privileges for that particular cluster.
- * <p>
- * The implicit privileges are the privileges that have been given to the roles themselves which
- * in turn are granted to the groups that have been assigned those roles. For example if the
- * Cluster User role for a given cluster has been given View User access on a specified File View
- * instance, then all groups that have the Cluster User role for that cluster will implicitly be
- * granted View User access on that File View instance.
- *
- * @param groupEntity the relevant group
- * @return the collection of implicit and explicit privileges
- */
- public Collection<PrivilegeEntity> getGroupPrivileges(GroupEntity groupEntity) {
- if (groupEntity == null) {
- return Collections.emptyList();
- }
-
- // get all of the privileges for the group
- List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
-
- principalEntities.add(groupEntity.getPrincipal());
-
- List<PrivilegeEntity> explicitPrivilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
- List<PrivilegeEntity> implicitPrivilegeEntities = getImplicitPrivileges(explicitPrivilegeEntities);
- List<PrivilegeEntity> privilegeEntities;
-
- if(implicitPrivilegeEntities.isEmpty()) {
- privilegeEntities = explicitPrivilegeEntities;
- }
- else {
- privilegeEntities = new LinkedList<PrivilegeEntity>();
- privilegeEntities.addAll(explicitPrivilegeEntities);
- privilegeEntities.addAll(implicitPrivilegeEntities);
- }
-
- return privilegeEntities;
- }
-
- /**
* Gets the explicit and implicit authorities for the given user.
* <p>
* The explicit authorities are the authorities that have be explicitly set by assigning roles to
@@ -817,59 +727,50 @@ public class Users {
return Collections.emptyList();
}
- Collection<PrivilegeEntity> privilegeEntities = getUserPrivileges(userEntity);
-
- Set<AmbariGrantedAuthority> authorities = new HashSet<>(privilegeEntities.size());
-
- for (PrivilegeEntity privilegeEntity : privilegeEntities) {
- authorities.add(new AmbariGrantedAuthority(privilegeEntity));
- }
+ // get all of the privileges for the user
+ List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
- return authorities;
- }
+ principalEntities.add(userEntity.getPrincipal());
- /**
- * Gets the implicit privileges based on the set of roles found in a collection of privileges.
- * <p>
- * The implicit privileges are the privileges that have been given to the roles themselves which
- * in turn are granted to the groups that have been assigned those roles. For example if the
- * Cluster User role for a given cluster has been given View User access on a specified File View
- * instance, then all groups that have the Cluster User role for that cluster will implicitly be
- * granted View User access on that File View instance.
- *
- * @param privilegeEntities the relevant privileges
- * @return the collection explicit privileges
- */
- private List<PrivilegeEntity> getImplicitPrivileges(List<PrivilegeEntity> privilegeEntities) {
+ List<MemberEntity> memberEntities = memberDAO.findAllMembersByUser(userEntity);
- if ((privilegeEntities == null) || privilegeEntities.isEmpty()) {
- return Collections.emptyList();
+ for (MemberEntity memberEntity : memberEntities) {
+ principalEntities.add(memberEntity.getGroup().getPrincipal());
}
- List<PrivilegeEntity> implicitPrivileges = new LinkedList<PrivilegeEntity>();
+ List<PrivilegeEntity> privilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
// A list of principals representing roles/permissions. This collection of roles will be used to
- // find additional inherited privileges based on the assigned roles.
+ // find additional authorizations inherited by the authenticated user based on the assigned roles.
// For example a File View instance may be set to be accessible to all authenticated user with
// the Cluster User role.
List<PrincipalEntity> rolePrincipals = new ArrayList<PrincipalEntity>();
+ Set<AmbariGrantedAuthority> authorities = new HashSet<>(privilegeEntities.size());
+
for (PrivilegeEntity privilegeEntity : privilegeEntities) {
// Add the principal representing the role associated with this PrivilegeEntity to the collection
- // of roles.
+ // of roles for the authenticated user.
PrincipalEntity rolePrincipal = privilegeEntity.getPermission().getPrincipal();
- if (rolePrincipal != null) {
+ if(rolePrincipal != null) {
rolePrincipals.add(rolePrincipal);
}
+
+ authorities.add(new AmbariGrantedAuthority(privilegeEntity));
}
- // If the collections of assigned roles is not empty find the inherited priviliges.
- if (!rolePrincipals.isEmpty()) {
+ // If the collections of assigned roles is not empty find the inherited authorizations that are
+ // give to the roles and add them to the collection of (Granted) authorities for the user.
+ if(!rolePrincipals.isEmpty()) {
// For each "role" see if any privileges have been granted...
- implicitPrivileges.addAll(privilegeDAO.findAllByPrincipal(rolePrincipals));
+ List<PrivilegeEntity> rolePrivilegeEntities = privilegeDAO.findAllByPrincipal(rolePrincipals);
+
+ for (PrivilegeEntity privilegeEntity : rolePrivilegeEntities) {
+ authorities.add(new AmbariGrantedAuthority(privilegeEntity));
+ }
}
- return implicitPrivileges;
+ return authorities;
}
}
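Review bot: `rolePrincipals` is populated once per privilege that carries a given permission, so a user holding the same role on several resources produces duplicate entries, and `privilegeDAO.findAllByPrincipal(rolePrincipals)` receives them all; a `Set<PrincipalEntity>` (e.g. `new LinkedHashSet<PrincipalEntity>()`) keeps the lookup input minimal, while `authorities` presumably stays deduplicated only if `AmbariGrantedAuthority` defines equality over its privilege, which this hunk does not show. The inherited authorities are looked up by the role principal alone and are therefore not scoped to the resource the originating privilege was granted on; if that is intended, as the comment about "all authenticated user with the Cluster User role" suggests, a one-line comment stating it explicitly would help anyone auditing this authorization path, e.g. `// Role-level grants apply regardless of which resource the role was assigned on.` The restored `if(rolePrincipal != null)` and `if(!rolePrincipals.isEmpty())` drop the space used elsewhere in the method (`if (`). The signature of getUserAuthorities and its null guard precede the hunk.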