Posted to commits@ambari.apache.org by rl...@apache.org on 2015/12/17 18:41:25 UTC
[3/3] ambari git commit: AMBARI-14141. Enforce granular role-based
access control for alert functions (rlevas)
AMBARI-14141. Enforce granular role-based access control for alert functions (rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/66e1595c
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/66e1595c
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/66e1595c
Branch: refs/heads/trunk
Commit: 66e1595c3f4cda4100d71a41940a18fe3ed36424
Parents: 0a62b7e
Author: Robert Levas <rl...@hortonworks.com>
Authored: Thu Dec 17 12:40:16 2015 -0500
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Thu Dec 17 12:40:16 2015 -0500
----------------------------------------------------------------------
.../AbstractControllerResourceProvider.java | 26 +-
.../AlertDefinitionResourceProvider.java | 86 ++--
.../internal/AlertGroupResourceProvider.java | 46 ++-
.../internal/AlertHistoryResourceProvider.java | 43 ++
.../internal/AlertNoticeResourceProvider.java | 33 +-
.../internal/AlertResourceProvider.java | 45 ++-
.../internal/AlertResourceProviderUtils.java | 403 +++++++++++++++++++
.../internal/AlertTargetResourceProvider.java | 27 +-
.../internal/DefaultProviderModule.java | 2 +-
.../AmbariAuthorizationFilter.java | 10 +-
.../authorization/RoleAuthorization.java | 2 +
.../server/upgrade/UpgradeCatalog230.java | 12 +-
.../main/resources/Ambari-DDL-MySQL-CREATE.sql | 18 +-
.../main/resources/Ambari-DDL-Oracle-CREATE.sql | 16 +-
.../resources/Ambari-DDL-Postgres-CREATE.sql | 16 +-
.../Ambari-DDL-Postgres-EMBEDDED-CREATE.sql | 16 +-
.../resources/Ambari-DDL-SQLAnywhere-CREATE.sql | 16 +-
.../resources/Ambari-DDL-SQLServer-CREATE.sql | 16 +-
.../AlertDefinitionResourceProviderTest.java | 253 ++++++++++--
.../AlertGroupResourceProviderTest.java | 402 ++++++++++++++----
.../AlertHistoryResourceProviderTest.java | 146 ++++++-
.../AlertNoticeResourceProviderTest.java | 145 ++++++-
.../internal/AlertResourceProviderTest.java | 213 ++++++++--
.../AlertTargetResourceProviderTest.java | 341 +++++++++++++++-
.../security/TestAuthenticationFactory.java | 1 +
25 files changed, 2058 insertions(+), 276 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/66e1595c/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java
index a29f151..cce3764 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java
@@ -83,8 +83,32 @@ public abstract class AbstractControllerResourceProvider extends AbstractAuthori
* @return the resource id or null if not found
* @throws AmbariException if the named cluster does not exist
*/
+ protected Long getClusterId(String clusterName) throws AmbariException {
+ Cluster cluster = (clusterName == null) ? null : managementController.getClusters().getCluster(clusterName);
+ return (cluster == null) ? null : cluster.getClusterId();
+ }
+
+ /**
+ * Gets the resource id for the named cluster
+ *
+ * @param clusterName the name of the relevant cluster
+ * @return the resource id or null if not found
+ * @throws AmbariException if the named cluster does not exist
+ */
protected Long getClusterResourceId(String clusterName) throws AmbariException {
- Cluster cluster = managementController.getClusters().getCluster(clusterName);
+ Cluster cluster = (clusterName == null) ? null : managementController.getClusters().getCluster(clusterName);
+ return (cluster == null) ? null : cluster.getResourceId();
+ }
+
+ /**
+ * Gets the resource id for the cluster with the specified id
+ *
+ * @param clusterId the id of the relevant cluster
+ * @return the resource id or null if not found
+ * @throws AmbariException if the cluster does not exist
+ */
+ protected Long getClusterResourceId(Long clusterId) throws AmbariException {
+ Cluster cluster = (clusterId == null) ? null : managementController.getClusters().getClusterById(clusterId);
return (cluster == null) ? null : cluster.getResourceId();
}
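Review bot: The Javadoc that now sits directly above the new `getClusterId` (the context lines `@return the resource id or null if not found` and `@throws AmbariException if the named cluster does not exist`) was written for `getClusterResourceId`, so the new method is documented as returning a resource id while line 57 returns `cluster.getClusterId()`. Give it its own header, e.g. `Gets the id of the named cluster` with `@return the cluster id, or null if clusterName is null`. For all three methods the phrase `or null if not found` is also imprecise: with the added guards, null is returned only for a null argument, whereas an unknown cluster presumably propagates the AmbariException from `getCluster`/`getClusterById`, exactly as the `@throws` line states — saying so avoids callers double-handling a case that cannot occur. The opening line of that Javadoc is outside the hunk.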
http://git-wip-us.apache.org/repos/asf/ambari/blob/66e1595c/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertDefinitionResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertDefinitionResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertDefinitionResourceProvider.java
index bc5f956..263a7b8 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertDefinitionResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertDefinitionResourceProvider.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -50,6 +50,7 @@ import org.apache.ambari.server.events.AlertHashInvalidationEvent;
import org.apache.ambari.server.events.publishers.AmbariEventPublisher;
import org.apache.ambari.server.orm.dao.AlertDefinitionDAO;
import org.apache.ambari.server.orm.entities.AlertDefinitionEntity;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.state.Cluster;
import org.apache.ambari.server.state.Clusters;
import org.apache.ambari.server.state.alert.AlertDefinition;
@@ -174,7 +175,7 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP
createResources(new Command<Void>() {
@Override
- public Void invoke() throws AmbariException {
+ public Void invoke() throws AmbariException, AuthorizationException {
createAlertDefinitions(request.getProperties());
return null;
}
@@ -185,7 +186,7 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP
}
private void createAlertDefinitions(Set<Map<String, Object>> requestMaps)
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
List<AlertDefinitionEntity> entities = new ArrayList<AlertDefinitionEntity>();
String clusterName = null;
@@ -235,6 +236,7 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP
if (null != id) {
AlertDefinitionEntity entity = alertDefinitionDAO.findById(Long.parseLong(id));
if (null != entity) {
+ AlertResourceProviderUtils.verifyViewAuthorization(entity);
results.add(toResource(clusterName, entity, requestPropertyIds));
}
} else {
@@ -245,11 +247,21 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP
throw new NoSuchResourceException("Parent Cluster resource doesn't exist", e);
}
- List<AlertDefinitionEntity> entities = alertDefinitionDAO.findAll(
- cluster.getClusterId());
+ List<AlertDefinitionEntity> entities = alertDefinitionDAO.findAll(cluster.getClusterId());
+
+ // Any service name that is not empty or equal to "AMBARI" indicates a service-level alert
+ boolean serviceLevelAuthorization = AlertResourceProviderUtils.hasViewAuthorization("_SERVICE_NAME_", cluster.getResourceId());
+ boolean clusterLevelAuthorization = AlertResourceProviderUtils.hasViewAuthorization("", cluster.getResourceId());
for (AlertDefinitionEntity entity : entities) {
- results.add(toResource(clusterName, entity, requestPropertyIds));
+ String serviceName = entity.getServiceName();
+
+ // Include the alert in the results if the authenticated user is authorized to get it
+ if((StringUtils.isEmpty(serviceName) || "AMBARI".equals(serviceName))
+ ? clusterLevelAuthorization
+ : serviceLevelAuthorization) {
+ results.add(toResource(clusterName, entity, requestPropertyIds));
+ }
}
}
}
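Review bot: The listing branch probes service-level rights by passing the literal placeholder `"_SERVICE_NAME_"` to `hasViewAuthorization`, which only works because the helper treats any non-empty, non-`AMBARI` string as a service alert — a contract that lives in AlertResourceProviderUtils, not here. Make the placeholder a named constant on the utils class (for example `AlertResourceProviderUtils.ANY_SERVICE_NAME`) and move the classification rule itself (`StringUtils.isEmpty(serviceName) || "AMBARI".equals(serviceName)`) into a helper there, so this provider and the utils cannot drift apart. Note also that this path silently omits definitions the caller may not view, while the by-id path in the previous hunk (`verifyViewAuthorization(entity)`) throws; that asymmetry is sensible for a list endpoint but deserves a one-line comment so it is not later "fixed" in either direction. The enclosing method starts before the hunk.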
@@ -345,6 +357,8 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP
final AlertDefinitionEntity entity = alertDefinitionDAO.findById(definitionId.longValue());
+ AlertResourceProviderUtils.verifyManageAuthorization(entity);
+
modifyResources(new Command<Void>() {
@Override
public Void invoke() throws AmbariException {
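Review bot: `verifyManageAuthorization(entity)` is now called unconditionally before `modifyResources`, which appears to make the toggle-only path added to `populateEntity` later in this commit (manage if any field other than `enabled` changed, otherwise toggle) unreachable for a caller who holds only the toggle authorization, because that caller is rejected here first. If enabling/disabling is meant to need only toggle rights, this pre-check should go (or become a view check) and the decision should be left to `populateEntity`; if manage is meant to be required for every update, the toggle branch there is dead code — either way the two should agree. The check also runs before any null handling of `entity`: the read path in this file guards `null != entity` after `findById`, so an unknown id now reaches the helper as null, and what it does with that is not visible here. The enclosing method starts and ends outside the hunk.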
@@ -382,7 +396,7 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP
* @throws AmbariException
*/
private void populateEntity(AlertDefinitionEntity entity,
- Map<String, Object> requestMap) throws AmbariException {
+ Map<String, Object> requestMap) throws AmbariException, AuthorizationException {
// some fields are required on creation; on update we keep what's there
boolean bCreate = true;
@@ -509,56 +523,80 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP
throw new IllegalArgumentException("Source must be specified");
}
- Cluster cluster = getManagementController().getClusters().getCluster(
- clusterName);
+ Clusters clusters = getManagementController().getClusters();
+ Cluster cluster = clusters.getCluster(clusterName);
+ Long clusterId = cluster.getClusterId();
+
+ boolean managed = false;
+ boolean toggled = false;
// at this point, we have either validated all required properties or
// we are using the exiting entity properties where not defined, so we
// can do simply null checks
- entity.setClusterId(Long.valueOf(cluster.getClusterId()));
+ if (!clusterId.equals(entity.getClusterId())) {
+ entity.setClusterId(clusterId);
+ managed = true;
+ }
- if (null != componentName) {
+ if ((null != componentName) && !componentName.equals(entity.getComponentName())) {
entity.setComponentName(componentName);
+ managed = true;
}
- if (null != definitionName) {
+ if ((null != definitionName) && !definitionName.equals(entity.getDefinitionName())) {
entity.setDefinitionName(definitionName);
+ managed = true;
}
- if (null != label) {
+ if ((null != label) && !label.equals(entity.getLabel())) {
entity.setLabel(label);
+ managed = true;
}
- if (null != description) {
+ if ((null != description) && !description.equals(entity.getDescription())) {
entity.setDescription(description);
+ managed = true;
}
- if (null != enabled) {
- entity.setEnabled(enabled.booleanValue());
+ if ((null != enabled) && !enabled.equals(entity.getEnabled())) {
+ entity.setEnabled(enabled);
+ toggled = true;
}
- if (null != ignoreHost) {
- entity.setHostIgnored(ignoreHost.booleanValue());
+ if ((null != ignoreHost) && !ignoreHost.equals(entity.isHostIgnored())) {
+ entity.setHostIgnored(ignoreHost);
+ managed = true;
}
- if (null != interval) {
+ if ((null != interval) && !interval.equals(entity.getScheduleInterval())) {
entity.setScheduleInterval(interval);
+ managed = true;
}
- if (null != serviceName) {
+ if ((null != serviceName) && !serviceName.equals(entity.getServiceName())) {
entity.setServiceName(serviceName);
+ managed = true;
}
- if (null != sourceType) {
+ if ((null != sourceType) && !sourceType.equals(entity.getSourceType())) {
entity.setSourceType(sourceType);
+ managed = true;
}
if (null != source) {
entity.setSource(source.toString());
+ managed = true;
}
- if (null != scope) {
+ if ((null != scope) && !scope.equals(entity.getScope())) {
entity.setScope(scope);
+ managed = true;
+ }
+
+ if (managed) {
+ AlertResourceProviderUtils.verifyManageAuthorization(entity);
+ } else if (toggled) {
+ AlertResourceProviderUtils.verifyToggleAuthorization(entity);
}
entity.setHash(UUID.randomUUID().toString());
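Review bot: The `source` branch sets `managed = true` whenever a source is present, without the changed-value comparison every other field received, so a client that PUTs the whole definition back with only `enabled` flipped is classified as a manage operation rather than a toggle and a toggle-only user is denied; compare first, e.g. `String newSource = source.toString(); if (!newSource.equals(entity.getSource())) { entity.setSource(newSource); managed = true; }` (if the serialized form is not canonical the comparison may need to be on parsed JSON rather than text). The comment above the block, `we can do simply null checks`, is now stale since the branches do change detection; suggest `// only fields whose value actually changes count toward the manage/toggle decision`. When neither flag is set the method still regenerates the hash on the last line, so a no-op update passes through here with no authorization check at all — acceptable only if the caller has already verified the user, which is outside this hunk. The enclosing method starts before the hunk.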
@@ -677,7 +715,7 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP
*
* @param propertyMap
*/
- private void scheduleImmediateAlert(Map<String, Object> propertyMap) {
+ private void scheduleImmediateAlert(Map<String, Object> propertyMap) throws AuthorizationException {
Clusters clusters = getManagementController().getClusters();
String stringId = (String) propertyMap.get(ALERT_DEF_ID);
long id = Long.parseLong(stringId);
@@ -697,6 +735,8 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP
return;
}
+ AlertResourceProviderUtils.verifyExecuteAuthorization(entity);
+
Set<String> hostNames = alertDefinitionHash.getAssociatedHosts(cluster,
entity.getSourceType(),
entity.getDefinitionName(), entity.getServiceName(),
http://git-wip-us.apache.org/repos/asf/ambari/blob/66e1595c/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertGroupResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertGroupResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertGroupResourceProvider.java
index 215bc8e..36469c1 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertGroupResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertGroupResourceProvider.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -45,6 +45,7 @@ import org.apache.ambari.server.orm.dao.AlertDispatchDAO;
import org.apache.ambari.server.orm.entities.AlertDefinitionEntity;
import org.apache.ambari.server.orm.entities.AlertGroupEntity;
import org.apache.ambari.server.orm.entities.AlertTargetEntity;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.state.Cluster;
import org.apache.ambari.server.state.alert.AlertTarget;
import org.apache.commons.lang.StringUtils;
@@ -124,7 +125,7 @@ public class AlertGroupResourceProvider extends
createResources(new Command<Void>() {
@Override
- public Void invoke() throws AmbariException {
+ public Void invoke() throws AmbariException, AuthorizationException {
createAlertGroups(request.getProperties());
return null;
}
@@ -153,6 +154,11 @@ public class AlertGroupResourceProvider extends
if (null != id) {
AlertGroupEntity entity = s_dao.findGroupById(Long.parseLong(id));
if (null != entity) {
+ try {
+ AlertResourceProviderUtils.verifyViewAuthorization(entity, getClusterResourceId(entity.getClusterId()));
+ } catch (AmbariException e) {
+ throw new SystemException(e.getMessage(), e);
+ }
results.add(toResource(clusterName, entity, requestPropertyIds));
}
} else {
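Review bot: `verifyViewAuthorization` is invoked inside `try { … } catch (AmbariException e) { throw new SystemException(e.getMessage(), e); }`, and since getResources declares no AuthorizationException the authorization failure must be an AmbariException (or unchecked) and is therefore re-thrown as a SystemException; unless the request handler unwraps the cause, a caller who merely lacks view rights gets a server-error response instead of a forbidden one. The wrap should be limited to the cluster lookup, with the authorization failure propagated as whatever type the handler maps to "forbidden" — if that requires a signature change, a comment here saying the wrapping is deliberate would at least make the behaviour explicit. The same pattern recurs at lines 308-314 and in the history (459-461), notice (532-534) and alert (605-607) providers. The enclosing method starts before the hunk.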
@@ -167,7 +173,13 @@ public class AlertGroupResourceProvider extends
List<AlertGroupEntity> entities = s_dao.findAllGroups(cluster.getClusterId());
for (AlertGroupEntity entity : entities) {
- results.add(toResource(clusterName, entity, requestPropertyIds));
+ try {
+ if (AlertResourceProviderUtils.hasViewAuthorization(entity, getClusterResourceId(entity.getClusterId()))) {
+ results.add(toResource(clusterName, entity, requestPropertyIds));
+ }
+ } catch (AmbariException e) {
+ throw new SystemException(e.getMessage(), e);
+ }
}
}
}
@@ -183,7 +195,7 @@ public class AlertGroupResourceProvider extends
modifyResources(new Command<Void>() {
@Override
- public Void invoke() throws AmbariException {
+ public Void invoke() throws AmbariException, AuthorizationException {
updateAlertGroups(request.getProperties());
return null;
}
@@ -201,17 +213,25 @@ public class AlertGroupResourceProvider extends
Set<Resource> resources = getResources(new RequestImpl(null, null, null,
null), predicate);
- Set<Long> groupIds = new HashSet<Long>();
+ Map<Long, AlertGroupEntity> entities = new HashMap<Long, AlertGroupEntity>();
for (final Resource resource : resources) {
Long id = (Long) resource.getPropertyValue(ALERT_GROUP_ID);
- groupIds.add(id);
+ if (!entities.containsKey(id)) {
+ AlertGroupEntity entity = s_dao.findGroupById(id);
+
+ try {
+ AlertResourceProviderUtils.verifyManageAuthorization(entity, getClusterResourceId(entity.getClusterId()));
+ entities.put(id, entity);
+ } catch (AmbariException e) {
+ LOG.warn("The default alert group for {} cannot be removed", entity.getServiceName(), e);
+ }
+ }
}
- for (Long groupId : groupIds) {
- LOG.info("Deleting alert target {}", groupId);
+ for (final AlertGroupEntity entity : entities.values()) {
+ LOG.info("Deleting alert group {}", entity.getGroupId());
- final AlertGroupEntity entity = s_dao.findGroupById(groupId.longValue());
if (entity.isDefault()) {
// default groups cannot be removed
LOG.warn("The default alert group for {} cannot be removed",
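Review bot: The `catch (AmbariException e)` closing the new loop logs `The default alert group for {} cannot be removed` — a message copied from the default-group branch just below — although the exception comes from `getClusterResourceId` or, given that `verifyManageAuthorization` is called without any other handler, from the authorization check itself; the group is then silently left out of `entities`, so an unauthorized or failed delete is reported as success. The other hunks in this file translate the same lookup failure into `throw new SystemException(e.getMessage(), e)`; do the same here and let an authorization failure surface rather than be downgraded to a warning. `entity.getClusterId()` is also dereferenced before any null check, so an id `findGroupById` cannot resolve yields an NPE instead of a clean error — the pre-existing loop had the same gap, but this is the natural place to add `if (entity == null) { LOG.warn("Alert group {} does not exist", id); continue; }`. The enclosing method starts and ends outside the hunk.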
@@ -246,7 +266,7 @@ public class AlertGroupResourceProvider extends
*/
@SuppressWarnings("unchecked")
private void createAlertGroups(Set<Map<String, Object>> requestMaps)
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
List<AlertGroupEntity> entities = new ArrayList<AlertGroupEntity>();
for (Map<String, Object> requestMap : requestMaps) {
@@ -290,6 +310,8 @@ public class AlertGroupResourceProvider extends
entity.setAlertDefinitions(definitions);
}
+ AlertResourceProviderUtils.verifyManageAuthorization(entity, cluster.getResourceId());
+
entities.add(entity);
}
@@ -306,7 +328,7 @@ public class AlertGroupResourceProvider extends
*/
@SuppressWarnings("unchecked")
private void updateAlertGroups(Set<Map<String, Object>> requestMaps)
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
for (Map<String, Object> requestMap : requestMaps) {
String stringId = (String) requestMap.get(ALERT_GROUP_ID);
@@ -323,6 +345,8 @@ public class AlertGroupResourceProvider extends
throw new AmbariException(message);
}
+ AlertResourceProviderUtils.verifyManageAuthorization(entity, getClusterResourceId(entity.getClusterId()));
+
String name = (String) requestMap.get(ALERT_GROUP_NAME);
// empty arrays are deserialized as HashSet while populated arrays
http://git-wip-us.apache.org/repos/asf/ambari/blob/66e1595c/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertHistoryResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertHistoryResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertHistoryResourceProvider.java
index 89ee69a..f52ee62 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertHistoryResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertHistoryResourceProvider.java
@@ -18,6 +18,7 @@
package org.apache.ambari.server.controller.internal;
import java.util.Arrays;
+import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
@@ -25,6 +26,7 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
+import org.apache.ambari.server.AmbariException;
import org.apache.ambari.server.StaticallyInject;
import org.apache.ambari.server.controller.AlertHistoryRequest;
import org.apache.ambari.server.controller.AmbariManagementController;
@@ -39,12 +41,18 @@ import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.controller.spi.ResourceAlreadyExistsException;
import org.apache.ambari.server.controller.spi.SystemException;
import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
+import org.apache.ambari.server.orm.dao.AlertDefinitionDAO;
import org.apache.ambari.server.orm.dao.AlertsDAO;
import org.apache.ambari.server.orm.entities.AlertDefinitionEntity;
import org.apache.ambari.server.orm.entities.AlertHistoryEntity;
import org.apache.ambari.server.orm.entities.ClusterEntity;
import com.google.inject.Inject;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
+import org.apache.commons.lang.StringUtils;
+import sun.net.www.protocol.http.AuthenticationHeader;
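Review bot: `import sun.net.www.protocol.http.AuthenticationHeader;` pulls in a JDK-internal class that nothing in the hunks below uses; it is not part of the public Java API, fails to compile on JDKs that do not ship or export it, and looks like an IDE auto-import accident — remove it. The neighbouring `EnumSet`, `AuthorizationHelper`, `ResourceType` and `RoleAuthorization` imports likewise appear unused in this file, since the added code delegates entirely to `AlertResourceProviderUtils`; the same set is added to AlertNoticeResourceProvider at lines 475 and 492-494. Placing `org.apache.*` imports after `com.google.inject.Inject` also breaks the file's existing import grouping.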
/**
* ResourceProvider for Alert History
@@ -75,6 +83,9 @@ public class AlertHistoryResourceProvider extends ReadOnlyResourceProvider imple
@Inject
private static AlertsDAO s_dao = null;
+ @Inject
+ private static AlertDefinitionDAO alertDefinitionDAO = null;
+
/**
* The property ids for an alert history resource.
*/
@@ -161,6 +172,38 @@ public class AlertHistoryResourceProvider extends ReadOnlyResourceProvider imple
throws SystemException, UnsupportedPropertyException,
NoSuchResourceException, NoSuchParentResourceException {
+ // Verify authorization to retrieve the requested data
+ Set<Map<String, Object>> propertyMaps = getPropertyMaps(predicate);
+ for(Map<String, Object> propertyMap: propertyMaps) {
+ try {
+ String clusterName = (String) propertyMap.get(ALERT_HISTORY_CLUSTER_NAME);
+ Long clusterId = (StringUtils.isEmpty(clusterName)) ? null : getClusterId(clusterName);
+ String definitionName = (String) propertyMap.get(ALERT_HISTORY_DEFINITION_NAME);
+ String definitionId = (String) propertyMap.get(ALERT_HISTORY_DEFINITION_ID);
+
+ if(clusterId == null) {
+ // Make sure the user has administrative access by using -1 as the cluster id
+ AlertResourceProviderUtils.verifyViewAuthorization("", -1L);
+ }
+ else if(!StringUtils.isEmpty(definitionName)) {
+ // Make sure the user has access to the alert
+ AlertDefinitionEntity alertDefinition = alertDefinitionDAO.findByName(clusterId, definitionName);
+ AlertResourceProviderUtils.verifyViewAuthorization(alertDefinition);
+ }
+ else if(StringUtils.isNumeric(definitionId)) {
+ // Make sure the user has access to the alert
+ AlertDefinitionEntity alertDefinition = alertDefinitionDAO.findById(Long.valueOf(definitionId));
+ AlertResourceProviderUtils.verifyViewAuthorization(alertDefinition);
+ }
+ else {
+ // Make sure the user has the ability to view cluster-level alerts
+ AlertResourceProviderUtils.verifyViewAuthorization("", getClusterResourceId(clusterName));
+ }
+ } catch (AmbariException e) {
+ throw new SystemException(e.getMessage(), e);
+ }
+ }
+
Set<Resource> results = new LinkedHashSet<Resource>();
Set<String> requestPropertyIds = getRequestPropertyIds(request, predicate);
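Review bot: The check derives the required right only from cluster name and definition name/id and never reads `ALERT_HISTORY_SERVICE_NAME`, so a query constrained by service but not by definition falls to the last branch and is evaluated as a cluster-level view (`verifyViewAuthorization("", …)`) even though the rows returned are service alerts; AlertNoticeResourceProvider in this same commit does consult its service-name property, and the two providers should agree. The `-1L` "no cluster, require admin" sentinel is repeated here and in the notice (line 527) and alert (line 589) providers — give it a name on AlertResourceProviderUtils, e.g. `public static final long NO_CLUSTER_RESOURCE_ID = -1L;`, and reference it from all three. `alertDefinitionDAO.findByName`/`findById` can presumably return null for an unknown name or id, and that null is handed straight to `verifyViewAuthorization`; whether that is a clean denial or an NPE depends on the helper, which is not visible here. Finally, if `getPropertyMaps(predicate)` can yield an empty set, the loop performs no check at all before the data is read — worth confirming or guarding with a default admin check. The enclosing method starts before the hunk.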
http://git-wip-us.apache.org/repos/asf/ambari/blob/66e1595c/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertNoticeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertNoticeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertNoticeResourceProvider.java
index 8f0e526..f19bea9 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertNoticeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertNoticeResourceProvider.java
@@ -18,6 +18,7 @@
package org.apache.ambari.server.controller.internal;
import java.util.Arrays;
+import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
@@ -25,8 +26,10 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
+import org.apache.ambari.server.AmbariException;
import org.apache.ambari.server.StaticallyInject;
import org.apache.ambari.server.controller.AlertNoticeRequest;
+import org.apache.ambari.server.controller.AmbariManagementController;
import org.apache.ambari.server.controller.spi.ExtendedResourceProvider;
import org.apache.ambari.server.controller.spi.NoSuchParentResourceException;
import org.apache.ambari.server.controller.spi.NoSuchResourceException;
@@ -46,12 +49,16 @@ import org.apache.ambari.server.orm.entities.AlertTargetEntity;
import org.apache.ambari.server.orm.entities.ClusterEntity;
import com.google.inject.Inject;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
+import org.apache.commons.lang.StringUtils;
/**
* ResourceProvider for Alert History
*/
@StaticallyInject
-public class AlertNoticeResourceProvider extends AbstractResourceProvider implements ExtendedResourceProvider {
+public class AlertNoticeResourceProvider extends AbstractControllerResourceProvider implements ExtendedResourceProvider {
public static final String ALERT_NOTICE_ID = "AlertNotice/id";
public static final String ALERT_NOTICE_STATE = "AlertNotice/notification_state";
@@ -101,8 +108,8 @@ public class AlertNoticeResourceProvider extends AbstractResourceProvider implem
/**
* Constructor.
*/
- AlertNoticeResourceProvider() {
- super(PROPERTY_IDS, KEY_PROPERTY_IDS);
+ AlertNoticeResourceProvider(AmbariManagementController managementController) {
+ super(PROPERTY_IDS, KEY_PROPERTY_IDS, managementController);
}
/**
@@ -151,6 +158,26 @@ public class AlertNoticeResourceProvider extends AbstractResourceProvider implem
throws SystemException, UnsupportedPropertyException,
NoSuchResourceException, NoSuchParentResourceException {
+ // Verify authorization to retrieve the requested data
+ Set<Map<String, Object>> propertyMaps = getPropertyMaps(predicate);
+ for (Map<String, Object> propertyMap : propertyMaps) {
+ try {
+ String clusterName = (String) propertyMap.get(ALERT_NOTICE_CLUSTER_NAME);
+ Long clusterResourceId = (StringUtils.isEmpty(clusterName)) ? null : getClusterResourceId(clusterName);
+ String serviceName = (String) propertyMap.get(ALERT_NOTICE_SERVICE_NAME);
+
+ if (clusterResourceId == null) {
+ // Make sure the user had administrative access by using -1 as the cluster id
+ clusterResourceId = -1L;
+ }
+
+ // Make sure the user had access to the alert
+ AlertResourceProviderUtils.verifyViewAuthorization(serviceName, clusterResourceId);
+ } catch (AmbariException e) {
+ throw new SystemException(e.getMessage(), e);
+ }
+ }
+
Set<String> requestPropertyIds = getRequestPropertyIds(request, predicate);
Set<Resource> results = new LinkedHashSet<Resource>();
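Review bot: When the predicate carries no service name, `serviceName` is null and the check degrades to a cluster-level view (`verifyViewAuthorization(null, clusterResourceId)`), although the notices returned for that cluster include service-level alerts; whether that under-restricts depends on how cluster-level and service-level view rights nest inside AlertResourceProviderUtils, so a comment stating the intended rule (`// a cluster-wide query requires cluster-level view rights; service-level notices are included`) would make the decision reviewable. The comments `Make sure the user had administrative access` and `Make sure the user had access to the alert` should read `has`. The enclosing method starts before the hunk.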
http://git-wip-us.apache.org/repos/asf/ambari/blob/66e1595c/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProvider.java
index 4dc4dcf..0492860 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProvider.java
@@ -25,6 +25,7 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
+import org.apache.ambari.server.AmbariException;
import org.apache.ambari.server.StaticallyInject;
import org.apache.ambari.server.controller.AlertCurrentRequest;
import org.apache.ambari.server.controller.AmbariManagementController;
@@ -37,12 +38,14 @@ import org.apache.ambari.server.controller.spi.Request;
import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.controller.spi.SystemException;
import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
+import org.apache.ambari.server.orm.dao.AlertDefinitionDAO;
import org.apache.ambari.server.orm.dao.AlertsDAO;
import org.apache.ambari.server.orm.entities.AlertCurrentEntity;
import org.apache.ambari.server.orm.entities.AlertDefinitionEntity;
import org.apache.ambari.server.orm.entities.AlertHistoryEntity;
import com.google.inject.Inject;
+import org.apache.commons.lang.StringUtils;
/**
* ResourceProvider for Alert instances
@@ -75,6 +78,9 @@ public class AlertResourceProvider extends ReadOnlyResourceProvider implements
@Inject
private static AlertsDAO alertsDAO;
+ @Inject
+ private static AlertDefinitionDAO alertDefinitionDAO = null;
+
/**
* The property ids for an alert defintion resource.
*/
@@ -159,17 +165,46 @@ public class AlertResourceProvider extends ReadOnlyResourceProvider implements
AlertCurrentEntity entity = alertsDAO.findCurrentById(Long.parseLong(id));
if (null != entity) {
+ AlertResourceProviderUtils.verifyViewAuthorization(entity);
results.add(toResource(false, clusterName, entity, requestPropertyIds));
}
} else {
+ // Verify authorization to retrieve the requested data
+ try {
+ Long clusterId = (StringUtils.isEmpty(clusterName)) ? null : getClusterId(clusterName);
+ String definitionName = (String) propertyMap.get(ALERT_DEFINITION_NAME);
+ String definitionId = (String) propertyMap.get(ALERT_DEFINITION_ID);
+
+ if(clusterId == null) {
+ // Make sure the user has administrative access by using -1 as the cluster id
+ AlertResourceProviderUtils.verifyViewAuthorization("", -1L);
+ }
+ else if(!StringUtils.isEmpty(definitionName)) {
+ // Make sure the user has access to the alert
+ AlertDefinitionEntity alertDefinition = alertDefinitionDAO.findByName(clusterId, definitionName);
+ AlertResourceProviderUtils.verifyViewAuthorization(alertDefinition);
+ }
+ else if(StringUtils.isNumeric(definitionId)) {
+ // Make sure the user has access to the alert
+ AlertDefinitionEntity alertDefinition = alertDefinitionDAO.findById(Long.valueOf(definitionId));
+ AlertResourceProviderUtils.verifyViewAuthorization(alertDefinition);
+ }
+ else {
+ // Make sure the user has the ability to view cluster-level alerts
+ AlertResourceProviderUtils.verifyViewAuthorization("", getClusterResourceId(clusterName));
+ }
+ } catch (AmbariException e) {
+ throw new SystemException(e.getMessage(), e);
+ }
+
List<AlertCurrentEntity> entities = null;
- AlertCurrentRequest alertCurrentRequest = new AlertCurrentRequest();
- alertCurrentRequest.Predicate = predicate;
- alertCurrentRequest.Pagination = request.getPageRequest();
- alertCurrentRequest.Sort = request.getSortRequest();
+ AlertCurrentRequest alertCurrentRequest = new AlertCurrentRequest();
+ alertCurrentRequest.Predicate = predicate;
+ alertCurrentRequest.Pagination = request.getPageRequest();
+ alertCurrentRequest.Sort = request.getSortRequest();
- entities = alertsDAO.findAll(alertCurrentRequest);
+ entities = alertsDAO.findAll(alertCurrentRequest);
if (null == entities) {
entities = Collections.emptyList();
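Review bot: The cluster/definition authorization block (lines 582-607) is a near-verbatim copy of the one added to AlertHistoryResourceProvider (lines 432-461), differing only in the property-name constants; now that the commit introduces AlertResourceProviderUtils, this belongs there as a single helper taking the cluster name, definition name and definition id, so the two providers cannot drift and any gap (such as the unhandled service-name case) is fixed in one place. The re-indentation of the `alertCurrentRequest` setup (lines 610-619) changes whitespace only and inflates the diff; leave it out or move it to a separate formatting commit. The enclosing method starts and ends outside the hunk.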
http://git-wip-us.apache.org/repos/asf/ambari/blob/66e1595c/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProviderUtils.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProviderUtils.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProviderUtils.java
new file mode 100644
index 0000000..3fac049
--- /dev/null
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProviderUtils.java
@@ -0,0 +1,403 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.controller.internal;
+
+import org.apache.ambari.server.orm.entities.AlertCurrentEntity;
+import org.apache.ambari.server.orm.entities.AlertDefinitionEntity;
+import org.apache.ambari.server.orm.entities.AlertGroupEntity;
+import org.apache.ambari.server.orm.entities.AlertHistoryEntity;
+import org.apache.ambari.server.orm.entities.ClusterEntity;
+import org.apache.ambari.server.orm.entities.ResourceEntity;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
+import org.apache.commons.lang.StringUtils;
+
+import java.util.EnumSet;
+import java.util.Set;
+
+/**
+ * AlertResourceProviderUtils provides utility methods used to help perform tasks within alert-specific
+ * resource providers.
+ */
+public class AlertResourceProviderUtils {
+
+ /**
+ * A set of RoleAuthorizations where one is required in order to be authorized to view
+ * cluster-level alerts
+ */
+ private static final Set<RoleAuthorization> AUTHORIZATIONS_VIEW_CLUSTER_ALERTS = EnumSet.of(
+ RoleAuthorization.CLUSTER_VIEW_ALERTS,
+ RoleAuthorization.CLUSTER_TOGGLE_ALERTS,
+ RoleAuthorization.CLUSTER_MANAGE_ALERTS);
+
+ /**
+ * A set of RoleAuthorizations where one is required in order to be authorized to view
+ * service-level alerts
+ */
+ private static final Set<RoleAuthorization> AUTHORIZATIONS_VIEW_SERVICE_ALERTS = EnumSet.of(
+ RoleAuthorization.CLUSTER_VIEW_ALERTS,
+ RoleAuthorization.CLUSTER_TOGGLE_ALERTS,
+ RoleAuthorization.CLUSTER_MANAGE_ALERTS,
+ RoleAuthorization.SERVICE_VIEW_ALERTS,
+ RoleAuthorization.SERVICE_TOGGLE_ALERTS,
+ RoleAuthorization.SERVICE_MANAGE_ALERTS);
+
+ /**
+ * A set of RoleAuthorizations where one is required in order to be authorized to execute
+ * cluster-level alerts
+ */
+ private static final Set<RoleAuthorization> AUTHORIZATIONS_EXECUTE_CLUSTER_ALERTS = AUTHORIZATIONS_VIEW_CLUSTER_ALERTS;
+
+ /**
+ * A set of RoleAuthorizations where one is required in order to be authorized to execute
+ * service-level alerts
+ */
+ private static final Set<RoleAuthorization> AUTHORIZATIONS_EXECUTE_SERVICE_ALERTS = AUTHORIZATIONS_VIEW_SERVICE_ALERTS;
+
+ /**
+ * A set of RoleAuthorizations where one is required in order to be authorized to toggle
+ * cluster-level alerts
+ */
+ private static final Set<RoleAuthorization> AUTHORIZATIONS_TOGGLE_CLUSTER_ALERTS = EnumSet.of(
+ RoleAuthorization.CLUSTER_TOGGLE_ALERTS,
+ RoleAuthorization.CLUSTER_MANAGE_ALERTS);
+
+ /**
+ * A set of RoleAuthorizations where one is required in order to be authorized to toggle
+ * service-level alerts
+ */
+ private static final Set<RoleAuthorization> AUTHORIZATIONS_TOGGLE_SERVICE_ALERTS = EnumSet.of(
+ RoleAuthorization.CLUSTER_TOGGLE_ALERTS,
+ RoleAuthorization.CLUSTER_MANAGE_ALERTS,
+ RoleAuthorization.SERVICE_TOGGLE_ALERTS,
+ RoleAuthorization.SERVICE_MANAGE_ALERTS);
+
+ /**
+ * A set of RoleAuthorizations where one is required in order to be authorized to create, update,
+ * and delete cluster-level alerts
+ */
+ private static final Set<RoleAuthorization> AUTHORIZATIONS_MANAGE_CLUSTER_ALERTS = EnumSet.of(
+ RoleAuthorization.CLUSTER_MANAGE_ALERTS);
+
+ /**
+ * A set of RoleAuthorizations where one is required in order to be authorized to create, update,
+ * and delete service-level alerts
+ */
+ private static final Set<RoleAuthorization> AUTHORIZATIONS_MANAGE_SERVICE_ALERTS = EnumSet.of(
+ RoleAuthorization.CLUSTER_MANAGE_ALERTS,
+ RoleAuthorization.SERVICE_MANAGE_ALERTS);
+
+
+ /* ------------------------------------------------------------------------------------------
+ * Checks for VIEWING Alerts
+ * ------------------------------------------------------------------------------------------ */
+
+ /**
+ * Tests if the authenticated user is authorized to view the requested alert data
+ *
+ * @param entity an AlertGroupEntity
+ * @param clusterResourceId the resource id of the relevant cluster
+ * @return true if the authenticated user is authorized; otherwise false
+ */
+ public static boolean hasViewAuthorization(AlertGroupEntity entity, Long clusterResourceId) {
+ return (null != entity) &&
+ hasViewAuthorization(entity.getServiceName(), clusterResourceId);
+ }
+
+ /**
+ * Tests if the authenticated user is authorized to view service- or cluster-level alert data
+ *
+ * @param serviceName the name of the relevant service - null or empty indicates a cluster-level alert
+ * @param clusterResourceId the resource id of the relevant cluster
+ * @return true if the authenticated user is authorized; otherwise false
+ */
+ public static boolean hasViewAuthorization(String serviceName, Long clusterResourceId) {
+ return hasAuthorization(serviceName, clusterResourceId,
+ AUTHORIZATIONS_VIEW_CLUSTER_ALERTS, AUTHORIZATIONS_VIEW_SERVICE_ALERTS);
+ }
+
+ /**
+ * Tests if the authenticated user is authorized to view service- or cluster-level alert data.
+ * An authorization failure results in a thrown {@link AuthorizationException}.
+ *
+ * @param entity an AlertCurrentEntity
+ * @throws AuthorizationException if the authenticated user is not authorized
+ */
+ public static void verifyViewAuthorization(AlertCurrentEntity entity)
+ throws AuthorizationException {
+ if (entity != null) {
+ verifyViewAuthorization(entity.getAlertHistory());
+ }
+ }
+
+ /**
+ * Tests if the authenticated user is authorized to view service- or cluster-level alert data.
+ * An authorization failure results in a thrown {@link AuthorizationException}.
+ *
+ * @param entity an AlertHistoryEntity
+ * @throws AuthorizationException if the authenticated user is not authorized
+ */
+ public static void verifyViewAuthorization(AlertHistoryEntity entity)
+ throws AuthorizationException {
+ if (entity != null) {
+ verifyViewAuthorization(entity.getAlertDefinition());
+ }
+ }
+
+ /**
+ * Tests if the authenticated user is authorized to view service- or cluster-level alert data.
+ * An authorization failure results in a thrown {@link AuthorizationException}.
+ *
+ * @param entity an AlertGroupEntity
+ * @param clusterResourceId the resource id of the relevant cluster
+ * @throws AuthorizationException if the authenticated user is not authorized
+ */
+ public static void verifyViewAuthorization(AlertGroupEntity entity, Long clusterResourceId)
+ throws AuthorizationException {
+ if (entity != null) {
+ verifyViewAuthorization(entity.getServiceName(), clusterResourceId);
+ }
+ }
+
+ /**
+ * Tests if the authenticated user is authorized to view service- or cluster-level alert data.
+ * An authorization failure results in a thrown {@link AuthorizationException}.
+ *
+ * @param entity an AlertDefinitionEntity
+ * @throws AuthorizationException if the authenticated user is not authorized
+ */
+ public static void verifyViewAuthorization(AlertDefinitionEntity entity) throws AuthorizationException {
+ verifyAuthorization(entity, AUTHORIZATIONS_VIEW_CLUSTER_ALERTS, AUTHORIZATIONS_VIEW_SERVICE_ALERTS, "view");
+ }
+
+ /**
+ * Tests if the authenticated user is authorized to view service- or cluster-level alert data.
+ * An authorization failure results in a thrown {@link AuthorizationException}.
+ *
+ * @param serviceName the name of the relevant service - null or empty indicates a cluster-level alert
+ * @param clusterResourceId the resource id of the relevant cluster
+ * @throws AuthorizationException if the authenticated user is not authorized
+ */
+ public static void verifyViewAuthorization(String serviceName, Long clusterResourceId) throws AuthorizationException {
+ verifyAuthorization(serviceName, clusterResourceId, AUTHORIZATIONS_VIEW_CLUSTER_ALERTS, AUTHORIZATIONS_VIEW_SERVICE_ALERTS, "view");
+ }
+
+
+ /* ------------------------------------------------------------------------------------------
+ * Checks for EXECUTING Alerts
+ * ------------------------------------------------------------------------------------------ */
+
+ /**
+ * Tests if the authenticated user is authorized to execute service- or cluster-level alert data.
+ * An authorization failure results in a thrown {@link AuthorizationException}.
+ *
+ * @param entity an AlertDefinitionEntity
+ * @throws AuthorizationException if the authenticated user is not authorized
+ */
+ public static void verifyExecuteAuthorization(AlertDefinitionEntity entity) throws AuthorizationException {
+ verifyAuthorization(entity, AUTHORIZATIONS_EXECUTE_CLUSTER_ALERTS, AUTHORIZATIONS_EXECUTE_SERVICE_ALERTS, "execute");
+ }
+
+ /**
+ * Tests if the authenticated user is authorized to execute service- or cluster-level alert data.
+ * An authorization failure results in a thrown {@link AuthorizationException}.
+ *
+ * @param serviceName the name of the relevant service - null or empty indicates a cluster-level alert
+ * @param clusterResourceId the resource id of the relevant cluster
+ * @throws AuthorizationException if the authenticated user is not authorized
+ */
+ public static void verifyExecuteAuthorization(String serviceName, Long clusterResourceId) throws AuthorizationException {
+ verifyAuthorization(serviceName, clusterResourceId, AUTHORIZATIONS_EXECUTE_CLUSTER_ALERTS, AUTHORIZATIONS_EXECUTE_SERVICE_ALERTS, "execute");
+ }
+
+
+ /* ------------------------------------------------------------------------------------------
+ * Checks for TOGGLING Alerts
+ * ------------------------------------------------------------------------------------------ */
+
+ /**
+ * Tests if the authenticated user is authorized to toggle service- or cluster-level alert data.
+ * An authorization failure results in a thrown {@link AuthorizationException}.
+ *
+ * @param entity an AlertDefinitionEntity
+ * @throws AuthorizationException if the authenticated user is not authorized
+ */
+ public static void verifyToggleAuthorization(AlertDefinitionEntity entity) throws AuthorizationException {
+ verifyAuthorization(entity, AUTHORIZATIONS_TOGGLE_CLUSTER_ALERTS, AUTHORIZATIONS_TOGGLE_SERVICE_ALERTS, "execute");
+ }
+
+ /**
+ * Tests if the authenticated user is authorized to toggle service- or cluster-level alert data.
+ * An authorization failure results in a thrown {@link AuthorizationException}.
+ *
+ * @param serviceName the name of the relevant service - null or empty indicates a cluster-level alert
+ * @param clusterResourceId the resource id of the relevant cluster
+ * @throws AuthorizationException if the authenticated user is not authorized
+ */
+ public static void verifyToggleAuthorization(String serviceName, Long clusterResourceId) throws AuthorizationException {
+ verifyAuthorization(serviceName, clusterResourceId, AUTHORIZATIONS_TOGGLE_CLUSTER_ALERTS, AUTHORIZATIONS_TOGGLE_SERVICE_ALERTS, "execute");
+ }
+
+
+ /* ------------------------------------------------------------------------------------------
+ * Checks for MANAGING Alerts
+ * ------------------------------------------------------------------------------------------ */
+
+ /**
+ * Tests if the authenticated user is authorized to manage service- or cluster-level alert data.
+ * An authorization failure results in a thrown {@link AuthorizationException}.
+ *
+ * @param entity an AlertGroupEntity
+ * @param clusterResourceId the resource id of the relevant cluster
+ * @throws AuthorizationException if the authenticated user is not authorized
+ */
+ public static void verifyManageAuthorization(AlertGroupEntity entity, Long clusterResourceId) throws AuthorizationException {
+ if (entity != null) {
+ verifyManageAuthorization(entity.getServiceName(), clusterResourceId);
+ }
+ }
+
+ /**
+ * Tests if the authenticated user is authorized to manage service- or cluster-level alert data.
+ * An authorization failure results in a thrown {@link AuthorizationException}.
+ *
+ * @param entity an AlertDefinitionEntity
+ * @throws AuthorizationException if the authenticated user is not authorized
+ */
+ public static void verifyManageAuthorization(AlertDefinitionEntity entity) throws AuthorizationException {
+ verifyAuthorization(entity, AUTHORIZATIONS_MANAGE_CLUSTER_ALERTS, AUTHORIZATIONS_MANAGE_SERVICE_ALERTS, "manage");
+ }
+
+ /**
+ * Tests if the authenticated user is authorized to manage service- or cluster-level alert data.
+ * An authorization failure results in a thrown {@link AuthorizationException}.
+ *
+ * @param serviceName the name of the relevant service - null or empty indicates a cluster-level alert
+ * @param clusterResourceId the resource id of the relevant cluster
+ * @throws AuthorizationException if the authenticated user is not authorized
+ */
+ public static void verifyManageAuthorization(String serviceName, Long clusterResourceId) throws AuthorizationException {
+ verifyAuthorization(serviceName, clusterResourceId, AUTHORIZATIONS_MANAGE_CLUSTER_ALERTS, AUTHORIZATIONS_MANAGE_SERVICE_ALERTS, "manage");
+ }
+
+
+ /* ------------------------------------------------------------------------------------------
+ * Generic checks
+ * ------------------------------------------------------------------------------------------ */
+
+ /**
+ * Tests if the authenticated user is authorized to for either service- or cluster-level access to
+ * alert data.
+ * <p/>
+ * If the service name is null or empty, the alert is considered to be a cluster-level alert,
+ * else it is considered to be a service-level alert.
+ * <p/>
+ * If the clusterResourceId is null, no cluster is assume and the alert is considered to be an
+ * Ambari-level alert.
+ *
+ * @param serviceName the name of the relevant service - null or empty indicates a cluster-level alert
+ * @param clusterResourceId the resource id of the relevant cluster
+ * @param clusterLevelAuthorizations the set of cluster-level authorizations to check for
+ * @param serviceLevelAuthorizations the set of service-level authorizations to check for
+ * @return true if the authenticated user is authorized; otherwise false
+ */
+ public static boolean hasAuthorization(String serviceName, Long clusterResourceId,
+ Set<RoleAuthorization> clusterLevelAuthorizations,
+ Set<RoleAuthorization> serviceLevelAuthorizations) {
+ if (null == clusterResourceId) {
+ // Do not let clusterResourceId be null because that indicates we don't care about which cluster
+ // we are checking authorization for, but we do. Setting this to -1 ensures that no cluster
+ // will match will will give only Ambari administrators access to this.
+ clusterResourceId = -1L;
+ }
+
+ return AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, clusterResourceId,
+ (StringUtils.isEmpty(serviceName) || "AMBARI".equals(serviceName))
+ ? clusterLevelAuthorizations
+ : serviceLevelAuthorizations);
+ }
+
+ /**
+ * Tests if the authenticated user is authorized to for either service- or cluster-level access to
+ * alert data. An authorization failure results in a thrown {@link AuthorizationException}.
+ * <p/>
+ * If the service name from the AlertDefinitionEntity is null or empty, the alert is considered to
+ * be a cluster-level alert, else it is considered to be a service-level alert.
+ *
+ * @param entity an AlertDefinitionEntity
+ * @param clusterLevelAuthorizations the set of cluster-level authorizations to check for
+ * @param serviceLevelAuthorizations the set of service-level authorizations to check for
+ * @param operation the name of the operation being tested for (used in error and logging messages)
+ * @throws AuthorizationException if the authenticated user is not authorized
+ * @see #verifyAuthorization(String, Long, Set, Set, String)
+ */
+ public static void verifyAuthorization(AlertDefinitionEntity entity,
+ Set<RoleAuthorization> clusterLevelAuthorizations,
+ Set<RoleAuthorization> serviceLevelAuthorizations,
+ String operation) throws AuthorizationException {
+ ClusterEntity clusterEntity = (null == entity) ? null : entity.getCluster();
+ ResourceEntity resourceEntity = (null == clusterEntity) ? null : clusterEntity.getResource();
+ Long resourceId = (null == resourceEntity) ? null : resourceEntity.getId();
+
+ verifyAuthorization((null == entity) ? null : entity.getServiceName(), resourceId,
+ clusterLevelAuthorizations, serviceLevelAuthorizations, operation);
+ }
+
+ /**
+ * Tests if the authenticated user is authorized to for either service- or cluster-level access to
+ * alert data. An authorization failure results in a thrown {@link AuthorizationException}.
+ * <p/>
+ * If the service name from the AlertDefinitionEntity is null or empty, the alert is considered to
+ * be a cluster-level alert, else it is considered to be a service-level alert.
+ *
+ * @param serviceName the name of the relevant service - null or empty indicates a cluster-level alert
+ * @param clusterResourceId the resource id of the relevant cluster
+ * @param clusterLevelAuthorizations the set of cluster-level authorizations to check for
+ * @param serviceLevelAuthorizations the set of service-level authorizations to check for
+ * @param operation the name of the operation being tested for (used in error and logging messages)
+ * @throws AuthorizationException if the authenticated user is not authorized
+ */
+ public static void verifyAuthorization(String serviceName, Long clusterResourceId,
+ Set<RoleAuthorization> clusterLevelAuthorizations,
+ Set<RoleAuthorization> serviceLevelAuthorizations,
+ String operation) throws AuthorizationException {
+ if (null == clusterResourceId) {
+ // Do not let clusterResourceId be null because that indicates we don't care about which cluster
+ // we are checking authorization for, but we do. Setting this to -1 ensures that no cluster
+ // will match will will give only Ambari administrators access to this.
+ clusterResourceId = -1L;
+ }
+
+ // If the service name is AMBARI, than the alert is for the cluster
+ if (StringUtils.isEmpty(serviceName) || "AMBARI".equals(serviceName)) {
+ if (!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, clusterResourceId,
+ clusterLevelAuthorizations)) {
+ throw new AuthorizationException(String.format("The authenticated user is not authorized to %s cluster-level alerts", operation));
+ }
+ } else {
+ if (!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, clusterResourceId,
+ serviceLevelAuthorizations)) {
+ throw new AuthorizationException(String.format("The authenticated user is not authorized to %s service-level alerts", operation));
+ }
+ }
+ }
+}
+
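Review bot: Both verifyToggleAuthorization overloads pass `"execute"` as the operation label to verifyAuthorization, so a denied toggle is reported as "not authorized to execute cluster-level alerts"; the two calls should pass `"toggle"` instead. Null entities are handled inconsistently across the class: hasViewAuthorization(AlertGroupEntity, Long) returns false for a null entity, the verify* overloads for AlertCurrentEntity, AlertHistoryEntity and AlertGroupEntity return without any check, and a null AlertDefinitionEntity falls through to a cluster-level check against resource id -1; at minimum the Javadoc of the no-op overloads should state `Does nothing if entity is null; the caller is expected to reject a missing entity itself` so that a caller does not mistake the silent return for a passed check. verifyAuthorization(String, Long, Set, Set, String) re-implements the null-to-(-1) default and the empty/"AMBARI" service-name branch that hasAuthorization already encodes, so the two can drift; extracting that branch decision into one private helper used by both would keep the distinct failure messages while removing the duplication. The comments reading "will match will will give only Ambari administrators" (twice) and "no cluster is assume" need proofreading, and the `"AMBARI"` literal used in two places would be clearer as a named constant.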
http://git-wip-us.apache.org/repos/asf/ambari/blob/66e1595c/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertTargetResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertTargetResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertTargetResourceProvider.java
index a310259..d28987d 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertTargetResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertTargetResourceProvider.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -48,6 +48,8 @@ import org.apache.ambari.server.notifications.NotificationDispatcher;
import org.apache.ambari.server.orm.dao.AlertDispatchDAO;
import org.apache.ambari.server.orm.entities.AlertGroupEntity;
import org.apache.ambari.server.orm.entities.AlertTargetEntity;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
import org.apache.ambari.server.state.AlertState;
import org.apache.ambari.server.state.alert.AlertGroup;
import org.apache.ambari.server.state.alert.AlertTarget;
@@ -63,7 +65,7 @@ import com.google.inject.Inject;
*/
@StaticallyInject
public class AlertTargetResourceProvider extends
- AbstractResourceProvider {
+ AbstractAuthorizedResourceProvider {
protected static final String ALERT_TARGET = "AlertTarget";
protected static final String ALERT_TARGET_ID = "AlertTarget/id";
@@ -122,10 +124,18 @@ public class AlertTargetResourceProvider extends
*/
AlertTargetResourceProvider() {
super(PROPERTY_IDS, KEY_PROPERTY_IDS);
+
+ // For now only allow an Ambari administrator to create, update, and manage Alert Targets.
+ // If an alert target can associated with a particular cluster, than a cluster administrator
+ // should be able to do this as well.
+ EnumSet<RoleAuthorization> requiredAuthorizations = EnumSet.of(RoleAuthorization.CLUSTER_MANAGE_ALERTS);
+ setRequiredCreateAuthorizations(requiredAuthorizations);
+ setRequiredUpdateAuthorizations(requiredAuthorizations);
+ setRequiredDeleteAuthorizations(requiredAuthorizations);
}
@Override
- public RequestStatus createResources(final Request request)
+ protected RequestStatus createResourcesAuthorized(final Request request)
throws SystemException,
UnsupportedPropertyException, ResourceAlreadyExistsException,
NoSuchParentResourceException {
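Review bot: The comment says only an Ambari administrator may create, update and delete alert targets, but what is enforced is CLUSTER_MANAGE_ALERTS evaluated against ResourceType.AMBARI (getResourceType in the hunk at @@ -239,6 +249,11 @@); whether that combination actually limits access to Ambari administrators depends on how AuthorizationHelper resolves a cluster-scoped authorization on the AMBARI resource, which is not visible here, so the comment should name the intended mechanism, e.g. `// CLUSTER_MANAGE_ALERTS is evaluated against the AMBARI resource, which only an Ambari administrator holds`. No read authorization is configured in this constructor, so GET on alert targets keeps whatever AbstractAuthorizedResourceProvider applies by default; if target properties can carry notification credentials, that default is worth confirming explicitly. The same mutable EnumSet instance is passed to all three setters; `EnumSet.copyOf(requiredAuthorizations)` per call, or an unmodifiable wrapper, would avoid one retained set being altered through another, assuming the setters keep the reference.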
@@ -173,7 +183,7 @@ public class AlertTargetResourceProvider extends
}
@Override
- public RequestStatus updateResources(final Request request,
+ protected RequestStatus updateResourcesAuthorized(final Request request,
Predicate predicate)
throws SystemException, UnsupportedPropertyException,
NoSuchResourceException, NoSuchParentResourceException {
@@ -202,7 +212,7 @@ public class AlertTargetResourceProvider extends
}
@Override
- public RequestStatus deleteResources(Predicate predicate)
+ protected RequestStatus deleteResourcesAuthorized(Predicate predicate)
throws SystemException, UnsupportedPropertyException,
NoSuchResourceException, NoSuchParentResourceException {
@@ -239,6 +249,11 @@ public class AlertTargetResourceProvider extends
return PK_PROPERTY_IDS;
}
+ @Override
+ protected ResourceType getResourceType(Request request, Predicate predicate) {
+ return ResourceType.AMBARI;
+ }
+
/**
* Create and persist {@link AlertTargetEntity} from the map of properties.
*
@@ -341,7 +356,7 @@ public class AlertTargetResourceProvider extends
/**
* Updates existing {@link AlertTargetEntity}s with the specified properties.
*
- * @param requestMaps
+ * @param requestMap
* a set of property maps, one map for each entity.
* @throws AmbariException
* if the entity could not be found.
http://git-wip-us.apache.org/repos/asf/ambari/blob/66e1595c/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/DefaultProviderModule.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/DefaultProviderModule.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/DefaultProviderModule.java
index dde934d..3801cc3 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/DefaultProviderModule.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/DefaultProviderModule.java
@@ -95,7 +95,7 @@ public class DefaultProviderModule extends AbstractProviderModule {
case AlertGroup:
return new AlertGroupResourceProvider(managementController);
case AlertNotice:
- return new AlertNoticeResourceProvider();
+ return new AlertNoticeResourceProvider(managementController);
case Upgrade:
return new UpgradeResourceProvider(managementController);
case UpgradeGroup:
http://git-wip-us.apache.org/repos/asf/ambari/blob/66e1595c/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
index d817ad7..20ce7fa 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
@@ -72,9 +72,11 @@ public class AmbariAuthorizationFilter implements Filter {
private static final String API_CREDENTIALS_AMBARI_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/credentials/ambari\\..*";
private static final String API_CLUSTER_REQUESTS_ALL_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/requests.*";
private static final String API_CLUSTER_SERVICES_ALL_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/services.*";
- private static final String API_HOSTS_ALL_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/hosts.*";
+ private static final String API_CLUSTER_ALERT_ALL_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/alert.*";
+ private static final String API_CLUSTER_HOSTS_ALL_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/hosts.*";
private static final String API_STACK_VERSIONS_PATTERN = API_VERSION_PREFIX + "/stacks/.*?/versions/.*";
- private static final String API_HOSTS_ALL = API_VERSION_PREFIX + "/hosts.*";
+ private static final String API_HOSTS_ALL_PATTERN = API_VERSION_PREFIX + "/hosts.*";
+ private static final String API_ALERT_TARGETS_ALL_PATTERN = API_VERSION_PREFIX + "/alert_targets.*";
protected static final String LOGIN_REDIRECT_BASE = "/#/login?targetURI=";
@@ -252,13 +254,15 @@ public class AmbariAuthorizationFilter implements Filter {
requestURI.matches(API_PRIVILEGES_ALL_PATTERN) ||
requestURI.matches(API_CLUSTER_REQUESTS_ALL_PATTERN) ||
requestURI.matches(API_CLUSTER_SERVICES_ALL_PATTERN) ||
+ requestURI.matches(API_CLUSTER_ALERT_ALL_PATTERN) ||
requestURI.matches(API_CLUSTERS_PATTERN) ||
requestURI.matches(API_STACK_VERSIONS_PATTERN) ||
requestURI.matches(API_VIEWS_ALL_PATTERN) ||
requestURI.matches(VIEWS_CONTEXT_PATH_PATTERN) ||
requestURI.matches(API_WIDGET_LAYOUTS_PATTERN) ||
+ requestURI.matches(API_CLUSTER_HOSTS_ALL_PATTERN) ||
requestURI.matches(API_HOSTS_ALL_PATTERN) ||
- requestURI.matches(API_HOSTS_ALL) ||
+ requestURI.matches(API_ALERT_TARGETS_ALL_PATTERN) ||
requestURI.matches(API_PRIVILEGES_ALL_PATTERN);
}
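Review bot: The new API_CLUSTER_ALERT_ALL_PATTERN, `/clusters/.*?/alert.*`, matches every current and future path segment beginning with "alert" under a cluster, so any later endpoint under that prefix is exempted from this filter's check and must carry its own authorization in its resource provider; assuming this condition lists the URIs deferred to provider-level checks, a comment on the constant stating that contract (`// deferred to the resource provider; any new alert* endpoint must enforce its own authorization`) would make the dependency visible. API_PRIVILEGES_ALL_PATTERN is tested twice in this condition (first and last line of the hunk), which predates this change but is easy to drop while the list is being edited. The enclosing method starts outside the hunk.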
http://git-wip-us.apache.org/repos/asf/ambari/blob/66e1595c/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java
index 795db77..6d74f97 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java
@@ -41,6 +41,7 @@ public enum RoleAuthorization {
CLUSTER_MANAGE_CREDENTIALS("CLUSTER.MANAGE_CREDENTIALS"),
CLUSTER_MODIFY_CONFIGS("CLUSTER.MODIFY_CONFIGS"),
CLUSTER_MANAGE_CONFIG_GROUPS("CLUSTER.MANAGE_CONFIG_GROUPS"),
+ CLUSTER_MANAGE_ALERTS("CLUSTER.MANAGE_ALERTS"),
CLUSTER_TOGGLE_ALERTS("CLUSTER.TOGGLE_ALERTS"),
CLUSTER_TOGGLE_KERBEROS("CLUSTER.TOGGLE_KERBEROS"),
CLUSTER_UPGRADE_DOWNGRADE_STACK("CLUSTER.UPGRADE_DOWNGRADE_STACK"),
@@ -60,6 +61,7 @@ public enum RoleAuthorization {
SERVICE_DECOMMISSION_RECOMMISSION("SERVICE.DECOMMISSION_RECOMMISSION"),
SERVICE_ENABLE_HA("SERVICE.ENABLE_HA"),
SERVICE_MANAGE_CONFIG_GROUPS("SERVICE.MANAGE_CONFIG_GROUPS"),
+ SERVICE_MANAGE_ALERTS("SERVICE.MANAGE_ALERTS"),
SERVICE_MODIFY_CONFIGS("SERVICE.MODIFY_CONFIGS"),
SERVICE_MOVE("SERVICE.MOVE"),
SERVICE_RUN_CUSTOM_COMMAND("SERVICE.RUN_CUSTOM_COMMAND"),
http://git-wip-us.apache.org/repos/asf/ambari/blob/66e1595c/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog230.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog230.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog230.java
index 57eafa6..38b3c6b 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog230.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog230.java
@@ -170,7 +170,7 @@ public class UpgradeCatalog230 extends AbstractUpgradeCatalog {
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.VIEW_STATUS_INFO'", "'View status information'"}, false);
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.VIEW_CONFIGS'", "'View configurations'"}, false);
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.COMPARE_CONFIGS'", "'Compare configurations'"}, false);
- dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.VIEW_ALERTS'", "'View service alerts'"}, false);
+ dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.VIEW_ALERTS'", "'View service-level alerts'"}, false);
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.START_STOP'", "'Start/Stop/Restart Service'"}, false);
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.DECOMMISSION_RECOMMISSION'", "'Decommission/recommission'"}, false);
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.RUN_SERVICE_CHECK'", "'Run service checks'"}, false);
@@ -178,9 +178,10 @@ public class UpgradeCatalog230 extends AbstractUpgradeCatalog {
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.RUN_CUSTOM_COMMAND'", "'Perform service-specific tasks'"}, false);
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.MODIFY_CONFIGS'", "'Modify configurations'"}, false);
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.MANAGE_CONFIG_GROUPS'", "'Manage configuration groups'"}, false);
+ dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.MANAGE_ALERTS'", "'Manage service-level alerts'"}, false);
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.MOVE'", "'Move to another host'"}, false);
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.ENABLE_HA'", "'Enable HA'"}, false);
- dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.TOGGLE_ALERTS'", "'Enable/disable service alerts'"}, false);
+ dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.TOGGLE_ALERTS'", "'Enable/disable service-level alerts'"}, false);
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.ADD_DELETE_SERVICES'", "'Add Service to cluster'"}, false);
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'HOST.VIEW_METRICS'", "'View metrics'"}, false);
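Review bot: The relabelled description strings for SERVICE.VIEW_ALERTS, SERVICE.TOGGLE_ALERTS, CLUSTER.VIEW_ALERTS and CLUSTER.TOGGLE_ALERTS (this hunk, the one before it and the one at @@ -194,10 +195,11 @@) only take effect on databases where UpgradeCatalog230 has not yet run, so it should be confirmed that no released build has already executed these inserts; otherwise the relabelling needs its own update step and a comment here saying so. The new CLUSTER.MANAGE_ALERTS and SERVICE.MANAGE_ALERTS rows are inserted here and at @@ -194,10 +195,11 @@, but their assignment to roles lives in the map-building code whose hunk begins at @@ -274,6 +276,7 @@ and runs past the end of the visible diff, so that wiring cannot be confirmed from here. The enclosing method starts outside the hunk.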
@@ -194,10 +195,11 @@ public class UpgradeCatalog230 extends AbstractUpgradeCatalog {
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_STATUS_INFO'", "'View status information'"}, false);
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_CONFIGS'", "'View configuration'"}, false);
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_STACK_DETAILS'", "'View stack version details'"}, false);
- dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_ALERTS'", "'View alerts'"}, false);
+ dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_ALERTS'", "'View cluster-level alerts'"}, false);
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.MANAGE_CREDENTIALS'", "'Manage external credentials'"}, false);
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.MODIFY_CONFIGS'", "'Modify cluster configurations'"}, false);
- dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.TOGGLE_ALERTS'", "'Enable/disable alerts'"}, false);
+ dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.MANAGE_ALERTS'", "'Manage cluster-level alerts'"}, false);
+ dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.TOGGLE_ALERTS'", "'Enable/disable cluster-level alerts'"}, false);
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.TOGGLE_KERBEROS'", "'Enable/disable Kerberos'"}, false);
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.UPGRADE_DOWNGRADE_STACK'", "'Upgrade/downgrade stack'"}, false);
@@ -274,6 +276,7 @@ public class UpgradeCatalog230 extends AbstractUpgradeCatalog {
map.put("SERVICE.MODIFY_CONFIGS", serviceAdministratorAndUp);
map.put("SERVICE.MANAGE_CONFIG_GROUPS", serviceAdministratorAndUp);
map.put("CLUSTER.MANAGE_CONFIG_GROUPS", serviceAdministratorAndUp);
+ map.put("SERVICE.MANAGE_ALERTS", serviceAdministratorAndUp);
map.put("SERVICE.MOVE", serviceAdministratorAndUp);
map.put("SERVICE.ENABLE_HA", serviceAdministratorAndUp);
map.put("SERVICE.TOGGLE_ALERTS", serviceAdministratorAndUp);
@@ -291,6 +294,7 @@ public class UpgradeCatalog230 extends AbstractUpgradeCatalog {
map.put("CLUSTER.VIEW_ALERTS", clusterUserAndUp);
map.put("CLUSTER.MANAGE_CREDENTIALS", clusterAdministratorAndUp);
map.put("CLUSTER.MODIFY_CONFIGS", clusterAdministratorAndUp);
+ map.put("CLUSTER.MANAGE_ALERTS", clusterAdministratorAndUp);
map.put("CLUSTER.TOGGLE_ALERTS", clusterAdministratorAndUp);
map.put("CLUSTER.TOGGLE_KERBEROS", clusterAdministratorAndUp);
map.put("CLUSTER.UPGRADE_DOWNGRADE_STACK", clusterAdministratorAndUp);
http://git-wip-us.apache.org/repos/asf/ambari/blob/66e1595c/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
index 4a980ec..f40a8fd 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
@@ -1024,7 +1024,7 @@ INSERT INTO roleauthorization(authorization_id, authorization_name)
SELECT 'SERVICE.VIEW_STATUS_INFO', 'View status information' UNION ALL
SELECT 'SERVICE.VIEW_CONFIGS', 'View configurations' UNION ALL
SELECT 'SERVICE.COMPARE_CONFIGS', 'Compare configurations' UNION ALL
- SELECT 'SERVICE.VIEW_ALERTS', 'View service alerts' UNION ALL
+ SELECT 'SERVICE.VIEW_ALERTS', 'View service-level alerts' UNION ALL
SELECT 'SERVICE.START_STOP', 'Start/Stop/Restart Service' UNION ALL
SELECT 'SERVICE.DECOMMISSION_RECOMMISSION', 'Decommission/recommission' UNION ALL
SELECT 'SERVICE.RUN_SERVICE_CHECK', 'Run service checks' UNION ALL
@@ -1032,9 +1032,10 @@ INSERT INTO roleauthorization(authorization_id, authorization_name)
SELECT 'SERVICE.RUN_CUSTOM_COMMAND', 'Perform service-specific tasks' UNION ALL
SELECT 'SERVICE.MODIFY_CONFIGS', 'Modify configurations' UNION ALL
SELECT 'SERVICE.MANAGE_CONFIG_GROUPS', 'Manage configuration groups' UNION ALL
+ SELECT 'SERVICE.MANAGE_ALERTS', 'Manage service-level alerts' UNION ALL
SELECT 'SERVICE.MOVE', 'Move to another host' UNION ALL
SELECT 'SERVICE.ENABLE_HA', 'Enable HA' UNION ALL
- SELECT 'SERVICE.TOGGLE_ALERTS', 'Enable/disable service alerts' UNION ALL
+ SELECT 'SERVICE.TOGGLE_ALERTS', 'Enable/disable service-level alerts' UNION ALL
SELECT 'SERVICE.ADD_DELETE_SERVICES', 'Add Service to cluster' UNION ALL
SELECT 'HOST.VIEW_METRICS', 'View metrics' UNION ALL
SELECT 'HOST.VIEW_STATUS_INFO', 'View status information' UNION ALL
@@ -1046,11 +1047,12 @@ INSERT INTO roleauthorization(authorization_id, authorization_name)
SELECT 'CLUSTER.VIEW_STATUS_INFO', 'View status information' UNION ALL
SELECT 'CLUSTER.VIEW_CONFIGS', 'View configuration' UNION ALL
SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' UNION ALL
- SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' UNION ALL
+ SELECT 'CLUSTER.VIEW_ALERTS', 'View cluster-level alerts' UNION ALL
SELECT 'CLUSTER.MANAGE_CREDENTIALS', 'Manage external credentials' UNION ALL
SELECT 'CLUSTER.MODIFY_CONFIGS', 'Modify cluster configurations' UNION ALL
SELECT 'CLUSTER.MANAGE_CONFIG_GROUPS', 'Manage cluster config groups' UNION ALL
- SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' UNION ALL
+ SELECT 'CLUSTER.MANAGE_ALERTS', 'Manage cluster-level alerts' UNION ALL
+ SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable cluster-level alerts' UNION ALL
SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' UNION ALL
SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' UNION ALL
SELECT 'AMBARI.ADD_DELETE_CLUSTERS', 'Create new clusters' UNION ALL
@@ -1118,6 +1120,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+ SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
@@ -1145,6 +1148,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+ SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
@@ -1174,7 +1178,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
- SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+ SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
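Review bot: The `+` line replaces the `SERVICE.MANAGE_CONFIG_GROUPS` grant for `CLUSTER.ADMINISTRATOR` rather than adding next to it, so a fresh MySQL install silently strips config-group management from cluster administrators while every other role in this file and the Oracle DDL keep it. The removed line should be restored and the new one inserted after it: `SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL` followed by `SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL`. The INSERT statement this belongs to starts and ends outside the hunk.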
@@ -1193,6 +1197,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+ SELECT permission_id, 'CLUSTER.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR';
@@ -1211,7 +1216,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
- SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+ SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
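Review bot: The same slip as in the CLUSTER.ADMINISTRATOR block above: the `+` line overwrites the `SERVICE.MANAGE_CONFIG_GROUPS` mapping for `AMBARI.ADMINISTRATOR` instead of being added beside it, so on MySQL the Ambari administrator loses an authorization the Oracle DDL and the upgrade catalog still give it. Keep the original line and add the new one after it: `SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL` then `SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL`. Whether the administrator role is short-circuited elsewhere before these rows are consulted is not visible here, so the grant list should be treated as authoritative. The enclosing INSERT starts and ends outside the hunk.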
@@ -1230,6 +1235,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+ SELECT permission_id, 'CLUSTER.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
http://git-wip-us.apache.org/repos/asf/ambari/blob/66e1595c/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
index 60bbd30..4305a4c 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
@@ -1016,7 +1016,7 @@ INSERT INTO roleauthorization(authorization_id, authorization_name)
SELECT 'SERVICE.VIEW_STATUS_INFO', 'View status information' FROM dual UNION ALL
SELECT 'SERVICE.VIEW_CONFIGS', 'View configurations' FROM dual UNION ALL
SELECT 'SERVICE.COMPARE_CONFIGS', 'Compare configurations' FROM dual UNION ALL
- SELECT 'SERVICE.VIEW_ALERTS', 'View service alerts' FROM dual UNION ALL
+ SELECT 'SERVICE.VIEW_ALERTS', 'View service-level alerts' FROM dual UNION ALL
SELECT 'SERVICE.START_STOP', 'Start/Stop/Restart Service' FROM dual UNION ALL
SELECT 'SERVICE.DECOMMISSION_RECOMMISSION', 'Decommission/recommission' FROM dual UNION ALL
SELECT 'SERVICE.RUN_SERVICE_CHECK', 'Run service checks' FROM dual UNION ALL
@@ -1024,9 +1024,10 @@ INSERT INTO roleauthorization(authorization_id, authorization_name)
SELECT 'SERVICE.RUN_CUSTOM_COMMAND', 'Perform service-specific tasks' FROM dual UNION ALL
SELECT 'SERVICE.MODIFY_CONFIGS', 'Modify configurations' FROM dual UNION ALL
SELECT 'SERVICE.MANAGE_CONFIG_GROUPS', 'Manage configuration groups' FROM dual UNION ALL
+ SELECT 'SERVICE.MANAGE_ALERTS', 'Manage service-level alerts' from dual UNION ALL
SELECT 'SERVICE.MOVE', 'Move to another host' FROM dual UNION ALL
SELECT 'SERVICE.ENABLE_HA', 'Enable HA' FROM dual UNION ALL
- SELECT 'SERVICE.TOGGLE_ALERTS', 'Enable/disable service alerts' FROM dual UNION ALL
+ SELECT 'SERVICE.TOGGLE_ALERTS', 'Enable/disable service-level alerts' FROM dual UNION ALL
SELECT 'SERVICE.ADD_DELETE_SERVICES', 'Add Service to cluster' FROM dual UNION ALL
SELECT 'HOST.VIEW_METRICS', 'View metrics' FROM dual UNION ALL
SELECT 'HOST.VIEW_STATUS_INFO', 'View status information' FROM dual UNION ALL
@@ -1038,11 +1039,12 @@ INSERT INTO roleauthorization(authorization_id, authorization_name)
SELECT 'CLUSTER.VIEW_STATUS_INFO', 'View status information' FROM dual UNION ALL
SELECT 'CLUSTER.VIEW_CONFIGS', 'View configuration' FROM dual UNION ALL
SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' FROM dual UNION ALL
- SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' FROM dual UNION ALL
+ SELECT 'CLUSTER.VIEW_ALERTS', 'View cluster-level alerts' FROM dual UNION ALL
SELECT 'CLUSTER.MANAGE_CREDENTIALS', 'Manage external credentials' from dual UNION ALL
SELECT 'CLUSTER.MODIFY_CONFIGS', 'Modify cluster configurations' from dual UNION ALL
SELECT 'CLUSTER.MANAGE_CONFIG_GROUPS', 'Manage cluster config groups' from dual UNION ALL
- SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' FROM dual UNION ALL
+ SELECT 'CLUSTER.MANAGE_ALERTS', 'Manage cluster-level alerts' from dual UNION ALL
+ SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable cluster-level alerts' FROM dual UNION ALL
SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' FROM dual UNION ALL
SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' FROM dual UNION ALL
SELECT 'AMBARI.ADD_DELETE_CLUSTERS', 'Create new clusters' FROM dual UNION ALL
@@ -1110,6 +1112,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+ SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
@@ -1137,6 +1140,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+ SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
@@ -1167,6 +1171,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+ SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
@@ -1185,6 +1190,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+ SELECT permission_id, 'CLUSTER.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR';
@@ -1204,6 +1210,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+ SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
@@ -1222,6 +1229,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+ SELECT permission_id, 'CLUSTER.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL