You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ambari.apache.org by rl...@apache.org on 2017/06/15 15:06:17 UTC
[3/8] ambari git commit: AMBARI-21147. Update Database Access Layer
to Support New Database Schema for Improved User Account Management (rlevas)
http://git-wip-us.apache.org/repos/asf/ambari/blob/f76c87a6/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
index 9cdde8f..35eb255 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
@@ -22,16 +22,15 @@ import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
+import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
-import javax.inject.Inject;
import javax.persistence.EntityManager;
import org.apache.ambari.server.AmbariException;
-import org.apache.ambari.server.configuration.Configuration;
import org.apache.ambari.server.hooks.HookContextFactory;
import org.apache.ambari.server.hooks.HookService;
import org.apache.ambari.server.orm.dao.GroupDAO;
@@ -41,7 +40,7 @@ import org.apache.ambari.server.orm.dao.PrincipalDAO;
import org.apache.ambari.server.orm.dao.PrincipalTypeDAO;
import org.apache.ambari.server.orm.dao.PrivilegeDAO;
import org.apache.ambari.server.orm.dao.ResourceDAO;
-import org.apache.ambari.server.orm.dao.ResourceTypeDAO;
+import org.apache.ambari.server.orm.dao.UserAuthenticationDAO;
import org.apache.ambari.server.orm.dao.UserDAO;
import org.apache.ambari.server.orm.entities.GroupEntity;
import org.apache.ambari.server.orm.entities.MemberEntity;
@@ -50,17 +49,16 @@ import org.apache.ambari.server.orm.entities.PrincipalEntity;
import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
+import org.apache.ambari.server.orm.entities.UserAuthenticationEntity;
import org.apache.ambari.server.orm.entities.UserEntity;
import org.apache.ambari.server.security.ldap.LdapBatchDto;
import org.apache.ambari.server.security.ldap.LdapUserGroupMemberDto;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.core.context.SecurityContext;
-import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.password.PasswordEncoder;
+import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
import com.google.inject.persist.Transactional;
@@ -74,31 +72,37 @@ public class Users {
private static final Logger LOG = LoggerFactory.getLogger(Users.class);
@Inject
- Provider<EntityManager> entityManagerProvider;
- @Inject
- protected UserDAO userDAO;
- @Inject
- protected GroupDAO groupDAO;
+ private Provider<EntityManager> entityManagerProvider;
+
@Inject
- protected MemberDAO memberDAO;
+ private UserDAO userDAO;
+
@Inject
- protected PrincipalDAO principalDAO;
+ private UserAuthenticationDAO userAuthenticationDAO;
+
@Inject
- protected PermissionDAO permissionDAO;
+ private GroupDAO groupDAO;
+
@Inject
- protected PrivilegeDAO privilegeDAO;
+ private MemberDAO memberDAO;
+
@Inject
- protected ResourceDAO resourceDAO;
+ private PrincipalDAO principalDAO;
+
@Inject
- protected ResourceTypeDAO resourceTypeDAO;
+ private PermissionDAO permissionDAO;
+
@Inject
- protected PrincipalTypeDAO principalTypeDAO;
+ private PrivilegeDAO privilegeDAO;
+
@Inject
- protected PasswordEncoder passwordEncoder;
+ private ResourceDAO resourceDAO;
+
@Inject
- protected Configuration configuration;
+ private PrincipalTypeDAO principalTypeDAO;
+
@Inject
- private AmbariLdapAuthenticationProvider ldapAuthenticationProvider;
+ private PasswordEncoder passwordEncoder;
@Inject
private Provider<HookService> hookServiceProvider;
@@ -117,52 +121,38 @@ public class Users {
return users;
}
- /**
- * This method works incorrectly, userName is not unique if users have different types
- *
- * @return One user. Priority is LOCAL -> LDAP -> JWT -> PAM
- */
- @Deprecated
- public User getAnyUser(String userName) {
- UserEntity userEntity = userDAO.findSingleUserByName(userName);
- return (null == userEntity) ? null : new User(userEntity);
+ public List<UserEntity> getAllUserEntities() {
+ return userDAO.findAll();
+ }
+
+ public UserEntity getUserEntity(String userName) {
+ return (userName == null) ? null : userDAO.findUserByName(userName);
+ }
+
+ public UserEntity getUserEntity(Integer userId) {
+ return (userId == null) ? null : userDAO.findByPK(userId);
}
- public User getUser(String userName, UserType userType) {
- UserEntity userEntity = userDAO.findUserByNameAndType(userName, userType);
+ public User getUser(UserEntity userEntity) {
return (null == userEntity) ? null : new User(userEntity);
}
public User getUser(Integer userId) {
- UserEntity userEntity = userDAO.findByPK(userId);
- return (null == userEntity) ? null : new User(userEntity);
+ return getUser(getUserEntity(userId));
+ }
+
+ public User getUser(String userName) {
+ return getUser(getUserEntity(userName));
}
/**
- * Retrieves User then userName is unique in users DB. Will return null if there no user with provided userName or
- * there are some users with provided userName but with different types.
- *
- * <p>User names in the future will likely be unique hence the deprecation.</p>
+ * Modifies password of local user
*
- * @param userName
- * @return User if userName is unique in DB, null otherwise
+ * @throws AmbariException
*/
- @Deprecated
- public User getUserIfUnique(String userName) {
- List<UserEntity> userEntities = new ArrayList<>();
- UserEntity userEntity = userDAO.findUserByNameAndType(userName, UserType.LOCAL);
- if (userEntity != null) {
- userEntities.add(userEntity);
- }
- userEntity = userDAO.findUserByNameAndType(userName, UserType.LDAP);
- if (userEntity != null) {
- userEntities.add(userEntity);
- }
- userEntity = userDAO.findUserByNameAndType(userName, UserType.JWT);
- if (userEntity != null) {
- userEntities.add(userEntity);
- }
- return (userEntities.isEmpty() || userEntities.size() > 1) ? null : new User(userEntities.get(0));
+ public synchronized void modifyPassword(String userName, String currentUserPassword, String newPassword) throws AmbariException, AuthorizationException {
+ UserEntity userEntity = userDAO.findUserByName(userName);
+ modifyPassword(userEntity, currentUserPassword, newPassword);
}
/**
@@ -170,59 +160,58 @@ public class Users {
*
* @throws AmbariException
*/
- public synchronized void modifyPassword(String userName, String currentUserPassword, String newPassword) throws AmbariException {
+ public synchronized void modifyPassword(UserEntity userEntity, String currentUserPassword, String newPassword) throws AmbariException, AuthorizationException {
- SecurityContext securityContext = SecurityContextHolder.getContext();
- String currentUserName = securityContext.getAuthentication().getName();
- if (currentUserName == null) {
+ String authenticatedUserName = AuthorizationHelper.getAuthenticatedName();
+ if (authenticatedUserName == null) {
throw new AmbariException("Authentication required. Please sign in.");
}
- UserEntity currentUserEntity = userDAO.findLocalUserByName(currentUserName);
-
- //Authenticate LDAP user
- boolean isLdapUser = false;
- if (currentUserEntity == null) {
- currentUserEntity = userDAO.findLdapUserByName(currentUserName);
- try {
- ldapAuthenticationProvider.authenticate(
- new UsernamePasswordAuthenticationToken(currentUserName, currentUserPassword));
- isLdapUser = true;
- } catch (InvalidUsernamePasswordCombinationException ex) {
- throw new AmbariException(ex.getMessage());
- }
- }
-
- boolean isCurrentUserAdmin = false;
- for (PrivilegeEntity privilegeEntity : currentUserEntity.getPrincipal().getPrivileges()) {
- if (privilegeEntity.getPermission().getPermissionName().equals(PermissionEntity.AMBARI_ADMINISTRATOR_PERMISSION_NAME)) {
- isCurrentUserAdmin = true;
- break;
+ if (userEntity != null) {
+ /* **************************************************
+ * Ensure that the authenticated user can change the password for the subject user. at least one
+ * of the following must be true
+ * * The authenticate user is requesting to change his/her own password
+ * * The authenticated user has permissions to manage users
+ * ************************************************** */
+ boolean isSelf = userEntity.getUserName().equalsIgnoreCase(authenticatedUserName);
+ if (!isSelf && !AuthorizationHelper.isAuthorized(ResourceType.AMBARI, null, RoleAuthorization.AMBARI_MANAGE_USERS)) {
+ throw new AuthorizationException("You are not authorized perform this operation");
}
- }
- UserEntity userEntity = userDAO.findLocalUserByName(userName);
+ List<UserAuthenticationEntity> authenticationEntities = userEntity.getAuthenticationEntities();
+ UserAuthenticationEntity localAuthenticationEntity = null;
- if ((userEntity != null) && (currentUserEntity != null)) {
- if (!isCurrentUserAdmin && !userName.equals(currentUserName)) {
- throw new AmbariException("You can't change password of another user");
+ // Find the authentication entity for the local authentication type - only one should exist, if one exists at all.
+ for (UserAuthenticationEntity authenticationEntity : authenticationEntities) {
+ if (authenticationEntity.getAuthenticationType() == UserAuthenticationType.LOCAL) {
+ localAuthenticationEntity = authenticationEntity;
+ break;
+ }
}
- if ((isLdapUser && isCurrentUserAdmin) || (StringUtils.isNotEmpty(currentUserPassword) &&
- passwordEncoder.matches(currentUserPassword, currentUserEntity.getUserPassword()))) {
- userEntity.setUserPassword(passwordEncoder.encode(newPassword));
- userDAO.merge(userEntity);
- } else {
+ if (localAuthenticationEntity == null) {
+ // The user account does not have a local authentication record. Therefore there is no local
+ // password to change...
+ throw new AmbariException("An Ambari-specific password is not set for this user. The user's password cannot be changed at this time.");
+ } else if (isSelf &&
+ (StringUtils.isEmpty(currentUserPassword) || !passwordEncoder.matches(currentUserPassword, localAuthenticationEntity.getAuthenticationKey()))) {
+ // The authenticated user is the same user as subject user and the correct current password
+ // was not supplied.
throw new AmbariException("Wrong current password provided");
}
- } else {
- userEntity = userDAO.findLdapUserByName(userName);
- if (userEntity != null) {
- throw new AmbariException("Password of LDAP user cannot be modified");
- } else {
- throw new AmbariException("User " + userName + " not found");
+ // TODO: validate the new password...
+ if (StringUtils.isEmpty(newPassword)) {
+ throw new AmbariException("The new password does not meet the Ambari password requirements");
}
+
+ // If we get here the authenticated user is authorized to change the password for the subject
+ // user and the correct current password was supplied (if required).
+ localAuthenticationEntity.setAuthenticationKey(passwordEncoder.encode(newPassword));
+ userAuthenticationDAO.merge(localAuthenticationEntity);
+ } else {
+ throw new AmbariException("User not found");
}
}
@@ -230,32 +219,28 @@ public class Users {
* Enables/disables user.
*
* @param userName user name
+ * @param active true if active; false if not active
* @throws AmbariException if user does not exist
*/
public synchronized void setUserActive(String userName, boolean active) throws AmbariException {
UserEntity userEntity = userDAO.findUserByName(userName);
if (userEntity != null) {
- userEntity.setActive(active);
- userDAO.merge(userEntity);
+ setUserActive(userEntity, active);
} else {
throw new AmbariException("User " + userName + " doesn't exist");
}
}
/**
- * Converts user to LDAP user.
+ * Enables/disables user.
*
- * @param userName user name
+ * @param userEntity the user
+ * @param active true if active; false if not active
* @throws AmbariException if user does not exist
*/
- public synchronized void setUserLdap(String userName) throws AmbariException {
- UserEntity userEntity = userDAO.findUserByName(userName);
- if (userEntity != null) {
- userEntity.setLdapUser(true);
- userDAO.merge(userEntity);
- } else {
- throw new AmbariException("User " + userName + " doesn't exist");
- }
+ public synchronized void setUserActive(UserEntity userEntity, boolean active) throws AmbariException {
+ userEntity.setActive(active);
+ userDAO.merge(userEntity);
}
/**
@@ -275,40 +260,45 @@ public class Users {
}
/**
- * Creates new local user with provided userName and password.
+ * Creates new, active, user with provided userName, local username, and display name.
*
- * @param userName user name
- * @param password password
+ * @param userName user name
+ * @param localUserName the local username to use; if <code>null</code> or empty, userName will be used
+ * @param displayName the name to display for presentation; if <code>null</code> or empty, userName will be used
+ * @return the new UserEntity
* @throws AmbariException if user already exists
*/
- public void createUser(String userName, String password) throws AmbariException {
- createUser(userName, password, UserType.LOCAL, true, false);
+ public UserEntity createUser(String userName, String localUserName, String displayName) throws AmbariException {
+ return createUser(userName, localUserName, displayName, true);
}
/**
- * Creates new user with provided userName and password.
+ * Creates new, user with provided userName, local username, and display name.
*
- * @param userName user name
- * @param password password
- * @param userType user type
- * @param active is user active
- * @param admin is user admin
+ * @param userName user name
+ * @param localUserName the local username to use; if <code>null</code> or empty, userName will be used
+ * @param displayName the name to display for presentation; if <code>null</code> or empty, userName will be used
+ * @param active is user active
+ * @return the new UserEntity
* @throws AmbariException if user already exists
*/
- public synchronized void createUser(String userName, String password, UserType userType, Boolean active, Boolean
- admin) throws AmbariException {
- // if user type is not provided, assume LOCAL since the default
- // value of user_type in the users table is LOCAL
- if (userType == null) {
- throw new AmbariException("UserType not specified.");
- }
-
- User existingUser = getAnyUser(userName);
- if (existingUser != null) {
- throw new AmbariException("User " + existingUser.getUserName() + " already exists with type "
- + existingUser.getUserType());
+ @Transactional
+ public synchronized UserEntity createUser(String userName, String localUserName, String displayName, Boolean active) throws AmbariException {
+
+ String validatedUserName = UserName.fromString(userName).toString();
+ String validatedDisplayName = (StringUtils.isEmpty(displayName))
+ ? validatedUserName
+ : UserName.fromString(displayName).toString();
+ String validatedLocalUserName = (StringUtils.isEmpty(localUserName))
+ ? validatedUserName
+ : UserName.fromString(localUserName).toString();
+
+ // Ensure that the user does not already exist
+ if (userDAO.findUserByName(validatedUserName) != null) {
+ throw new AmbariException("User already exists");
}
+ // Create the PrincipalEntity - needed for assigning privileges/roles
PrincipalTypeEntity principalTypeEntity = principalTypeDAO.findById(PrincipalTypeEntity.USER_PRINCIPAL_TYPE);
if (principalTypeEntity == null) {
principalTypeEntity = new PrincipalTypeEntity();
@@ -320,42 +310,62 @@ public class Users {
principalEntity.setPrincipalType(principalTypeEntity);
principalDAO.create(principalEntity);
+ // Create the new UserEntity Record
UserEntity userEntity = new UserEntity();
- userEntity.setUserName(UserName.fromString(userName));
- if (userType == UserType.LOCAL) {
- //passwords should be stored for local users only
- userEntity.setUserPassword(passwordEncoder.encode(password));
- }
+ userEntity.setUserName(validatedUserName);
+ userEntity.setDisplayName(validatedDisplayName);
+ userEntity.setLocalUsername(validatedLocalUserName);
+
userEntity.setPrincipal(principalEntity);
if (active != null) {
userEntity.setActive(active);
}
- userEntity.setUserType(userType);
- if (userType == UserType.LDAP) {
- userEntity.setLdapUser(true);
- }
-
userDAO.create(userEntity);
- if (admin != null && admin) {
- grantAdminPrivilege(userEntity.getUserId());
- }
-
// execute user initialization hook if required ()
- hookServiceProvider.get().execute(hookContextFactory.createUserHookContext(userName));
+ hookServiceProvider.get().execute(hookContextFactory.createUserHookContext(validatedUserName));
+
+ return userEntity;
}
+
+ /**
+ * Removes a user from the Ambari database.
+ * <p>
+ * It is expected that the assoicated user authencation records are removed by this operation
+ * as well.
+ *
+ * @param user the user to remove
+ * @throws AmbariException
+ */
+ @Transactional
public synchronized void removeUser(User user) throws AmbariException {
UserEntity userEntity = userDAO.findByPK(user.getUserId());
if (userEntity != null) {
+ removeUser(userEntity);
+ } else {
+ throw new AmbariException("User " + user + " doesn't exist");
+ }
+ }
+
+ /**
+ * Removes a user from the Ambari database.
+ * <p>
+ * It is expected that the assoicated user authencation records are removed by this operation
+ * as well.
+ *
+ * @param userEntity the user to remove
+ * @throws AmbariException
+ */
+ @Transactional
+ public synchronized void removeUser(UserEntity userEntity) throws AmbariException {
+ if (userEntity != null) {
if (!isUserCanBeRemoved(userEntity)) {
throw new AmbariException("Could not remove user " + userEntity.getUserName() +
". System should have at least one administrator.");
}
userDAO.remove(userEntity);
- } else {
- throw new AmbariException("User " + user + " doesn't exist");
}
}
@@ -410,7 +420,7 @@ public class Users {
* Creates new group with provided name & type
*/
@Transactional
- public synchronized void createGroup(String groupName, GroupType groupType) {
+ public synchronized GroupEntity createGroup(String groupName, GroupType groupType) {
// create an admin principal to represent this group
PrincipalTypeEntity principalTypeEntity = principalTypeDAO.findById(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE);
if (principalTypeEntity == null) {
@@ -429,6 +439,7 @@ public class Users {
groupEntity.setGroupType(groupType);
groupDAO.create(groupEntity);
+ return groupEntity;
}
/**
@@ -476,30 +487,66 @@ public class Users {
}
/**
- * Grants AMBARI.ADMINISTRATOR privilege to provided user.
+ * Test the user for Ambari Admistrator privileges.
+ *
+ * @param userEntity the user to test
+ * @return true if the user has Ambari Administrator privileges; otherwise false
+ */
+ public synchronized boolean hasAdminPrivilege(UserEntity userEntity) {
+ PrincipalEntity principalEntity = userEntity.getPrincipal();
+ if (principalEntity != null) {
+ Set<PrivilegeEntity> roles = principalEntity.getPrivileges();
+ if (roles != null) {
+ PermissionEntity adminPermission = permissionDAO.findAmbariAdminPermission();
+ Integer adminPermissionId = (adminPermission == null) ? null : adminPermission.getId();
+
+ if (adminPermissionId != null) {
+ for (PrivilegeEntity privilegeEntity : roles) {
+ PermissionEntity rolePermission = privilegeEntity.getPermission();
+ if ((rolePermission != null) && (adminPermissionId.equals(rolePermission.getId()))) {
+ return true;
+ }
+ }
+ }
+ }
+ }
+
+ return false;
+ }
+
+ /**
+ * Grants Ambari Administrator privilege to provided user.
*
* @param userId user id
*/
public synchronized void grantAdminPrivilege(Integer userId) {
- final UserEntity user = userDAO.findByPK(userId);
+ grantAdminPrivilege(userDAO.findByPK(userId));
+ }
+
+ /**
+ * Grants Ambari Administrator privilege to provided user.
+ *
+ * @param userEntity the user
+ */
+ public synchronized void grantAdminPrivilege(UserEntity userEntity) {
final PrivilegeEntity adminPrivilege = new PrivilegeEntity();
adminPrivilege.setPermission(permissionDAO.findAmbariAdminPermission());
- adminPrivilege.setPrincipal(user.getPrincipal());
+ adminPrivilege.setPrincipal(userEntity.getPrincipal());
adminPrivilege.setResource(resourceDAO.findAmbariResource());
- if (!user.getPrincipal().getPrivileges().contains(adminPrivilege)) {
+ if (!userEntity.getPrincipal().getPrivileges().contains(adminPrivilege)) {
privilegeDAO.create(adminPrivilege);
- user.getPrincipal().getPrivileges().add(adminPrivilege);
- principalDAO.merge(user.getPrincipal()); //explicit merge for Derby support
- userDAO.merge(user);
+ userEntity.getPrincipal().getPrivileges().add(adminPrivilege);
+ principalDAO.merge(userEntity.getPrincipal()); //explicit merge for Derby support
+ userDAO.merge(userEntity);
}
}
/**
* Grants privilege to provided group.
*
- * @param groupId group id
- * @param resourceId resource id
- * @param resourceType resource type
+ * @param groupId group id
+ * @param resourceId resource id
+ * @param resourceType resource type
* @param permissionName permission name
*/
public synchronized void grantPrivilegeToGroup(Integer groupId, Long resourceId, ResourceType resourceType, String permissionName) {
@@ -508,7 +555,7 @@ public class Users {
ResourceTypeEntity resourceTypeEntity = new ResourceTypeEntity();
resourceTypeEntity.setId(resourceType.getId());
resourceTypeEntity.setName(resourceType.name());
- privilege.setPermission(permissionDAO.findPermissionByNameAndType(permissionName,resourceTypeEntity));
+ privilege.setPermission(permissionDAO.findPermissionByNameAndType(permissionName, resourceTypeEntity));
privilege.setPrincipal(group.getPrincipal());
privilege.setResource(resourceDAO.findById(resourceId));
if (!group.getPrincipal().getPrivileges().contains(privilege)) {
@@ -521,17 +568,25 @@ public class Users {
}
/**
- * Revokes AMBARI.ADMINISTRATOR privilege from provided user.
+ * Revokes Ambari Administrator privileges from provided user.
*
* @param userId user id
*/
public synchronized void revokeAdminPrivilege(Integer userId) {
- final UserEntity user = userDAO.findByPK(userId);
- for (PrivilegeEntity privilege : user.getPrincipal().getPrivileges()) {
+ revokeAdminPrivilege(userDAO.findByPK(userId));
+ }
+
+ /**
+ * Revokes Ambari Administrator privileges from provided user.
+ *
+ * @param userEntity the user
+ */
+ public synchronized void revokeAdminPrivilege(UserEntity userEntity) {
+ for (PrivilegeEntity privilege : userEntity.getPrincipal().getPrivileges()) {
if (privilege.getPermission().getPermissionName().equals(PermissionEntity.AMBARI_ADMINISTRATOR_PERMISSION_NAME)) {
- user.getPrincipal().getPrivileges().remove(privilege);
- principalDAO.merge(user.getPrincipal()); //explicit merge for Derby support
- userDAO.merge(user);
+ userEntity.getPrincipal().getPrivileges().remove(privilege);
+ principalDAO.merge(userEntity.getPrincipal()); //explicit merge for Derby support
+ userDAO.merge(userEntity);
privilegeDAO.remove(privilege);
break;
}
@@ -552,9 +607,22 @@ public class Users {
throw new AmbariException("User " + userName + " doesn't exist");
}
- if (isUserInGroup(userEntity, groupEntity)) {
- throw new AmbariException("User " + userName + " is already present in group " + groupName);
- } else {
+ addMemberToGroup(groupEntity, userEntity);
+ }
+
+ @Transactional
+ public synchronized void addMemberToGroup(GroupEntity groupEntity, UserEntity userEntity)
+ throws AmbariException {
+
+ if (groupEntity == null) {
+ throw new NullPointerException();
+ }
+
+ if (userEntity == null) {
+ throw new NullPointerException();
+ }
+
+ if (!isUserInGroup(userEntity, groupEntity)) {
final MemberEntity memberEntity = new MemberEntity();
memberEntity.setGroup(groupEntity);
memberEntity.setUser(userEntity);
@@ -580,6 +648,13 @@ public class Users {
throw new AmbariException("User " + userName + " doesn't exist");
}
+ removeMemberFromGroup(groupEntity, userEntity);
+ }
+
+ @Transactional
+ public synchronized void removeMemberFromGroup(GroupEntity groupEntity, UserEntity userEntity)
+ throws AmbariException {
+
if (isUserInGroup(userEntity, groupEntity)) {
MemberEntity memberEntity = null;
for (MemberEntity entity : userEntity.getMemberEntities()) {
@@ -593,10 +668,7 @@ public class Users {
userDAO.merge(userEntity);
groupDAO.merge(groupEntity);
memberDAO.remove(memberEntity);
- } else {
- throw new AmbariException("User " + userName + " is not present in group " + groupName);
}
-
}
/**
@@ -632,6 +704,9 @@ public class Users {
*
* @param batchInfo DTO with batch information
*/
+ // TODO: ************
+ // TODO: This is to be revisited for AMBARI-21222 (Update LDAP sync process to work with improved user management facility)
+ // TODO: ************
public void processLdapSync(LdapBatchDto batchInfo) {
final Map<String, UserEntity> allUsers = new HashMap<>();
final Map<String, GroupEntity> allGroups = new HashMap<>();
@@ -646,21 +721,38 @@ public class Users {
allGroups.put(groupEntity.getGroupName(), groupEntity);
}
- final PrincipalTypeEntity userPrincipalType = principalTypeDAO
- .ensurePrincipalTypeCreated(PrincipalTypeEntity.USER_PRINCIPAL_TYPE);
final PrincipalTypeEntity groupPrincipalType = principalTypeDAO
.ensurePrincipalTypeCreated(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE);
- // remove users
+ /* *****
+ * Remove users
+ * First remove the relevant LDAP entries for this user.
+ * If no more user authentication items exists for the user, then remove the user.
+ * ***** */
final Set<UserEntity> usersToRemove = new HashSet<>();
+ final Set<UserAuthenticationEntity> authenticationEntitiesToRemove = new HashSet<>();
for (String userName : batchInfo.getUsersToBeRemoved()) {
UserEntity userEntity = userDAO.findUserByName(userName);
- if (userEntity == null) {
- continue;
+ if (userEntity != null) {
+ List<UserAuthenticationEntity> authenticationEntities = userEntity.getAuthenticationEntities();
+ Iterator<UserAuthenticationEntity> iterator = authenticationEntities.iterator();
+ while (iterator.hasNext()) {
+ UserAuthenticationEntity authenticationEntity = iterator.next();
+
+ if (authenticationEntity.getAuthenticationType() == UserAuthenticationType.LDAP) {
+ // TODO: Determine if this is the _relevant_ LDAP authentication entry - for now there will only be one..
+ authenticationEntitiesToRemove.add(authenticationEntity);
+ iterator.remove();
+ }
+ }
+
+ if (authenticationEntities.isEmpty()) {
+ allUsers.remove(userEntity.getUserName());
+ usersToRemove.add(userEntity);
+ }
}
- allUsers.remove(userEntity.getUserName());
- usersToRemove.add(userEntity);
}
+ userAuthenticationDAO.remove(authenticationEntitiesToRemove);
userDAO.remove(usersToRemove);
// remove groups
@@ -672,21 +764,46 @@ public class Users {
}
groupDAO.remove(groupsToRemove);
- // update users
- final Set<UserEntity> usersToBecomeLdap = new HashSet<>();
+ /* *****
+ * Update users
+ * ***** */
+ final Set<UserEntity> userEntitiesToUpdate = new HashSet<>();
for (String userName : batchInfo.getUsersToBecomeLdap()) {
- UserEntity userEntity = userDAO.findLocalUserByName(userName);
- if (userEntity == null) {
- userEntity = userDAO.findLdapUserByName(userName);
- if (userEntity == null) {
- continue;
+ // Ensure the username is all lowercase
+ userName = userName.toLowerCase();
+
+ UserEntity userEntity = userDAO.findUserByName(userName);
+ if (userEntity != null) {
+ LOG.trace("Enabling LDAP authentication for the user account with the username {}.", userName);
+ List<UserAuthenticationEntity> authenticationEntities = userEntity.getAuthenticationEntities();
+ boolean createNew = true;
+
+ for (UserAuthenticationEntity authenticationEntity : authenticationEntities) {
+ if (authenticationEntity.getAuthenticationType() == UserAuthenticationType.LDAP) {
+ // TODO: check for the relevant LDAP entry... for now there will be only one.
+ LOG.debug("Found existing LDAP authentication record for the user account with the username {}.", userName);
+ createNew = false;
+ break;
+ }
+ }
+
+ if (createNew) {
+ LOG.debug("Creating new LDAP authentication record for the user account with the username {}.", userName);
+
+ UserAuthenticationEntity authenticationEntity = new UserAuthenticationEntity();
+ authenticationEntity.setUser(userEntity);
+ authenticationEntity.setAuthenticationType(UserAuthenticationType.LDAP);
+ authenticationEntity.setAuthenticationKey("DN to be set");
+ authenticationEntities.add(authenticationEntity);
+
+ userEntity.setAuthenticationEntities(authenticationEntities);
+ userEntitiesToUpdate.add(userEntity);
}
+ } else {
+ LOG.warn("Failed to find user account for {} while enabling LDAP authentication for the user.", userName);
}
- userEntity.setLdapUser(true);
- allUsers.put(userEntity.getUserName(), userEntity);
- usersToBecomeLdap.add(userEntity);
}
- userDAO.merge(usersToBecomeLdap);
+ userDAO.merge(userEntitiesToUpdate);
// update groups
final Set<GroupEntity> groupsToBecomeLdap = new HashSet<>();
@@ -701,21 +818,25 @@ public class Users {
// prepare create principals
final List<PrincipalEntity> principalsToCreate = new ArrayList<>();
- // prepare create users
- final Set<UserEntity> usersToCreate = new HashSet<>();
+ // Create users
for (String userName : batchInfo.getUsersToBeCreated()) {
- final PrincipalEntity principalEntity = new PrincipalEntity();
- principalEntity.setPrincipalType(userPrincipalType);
- principalsToCreate.add(principalEntity);
+ UserEntity userEntity;
- final UserEntity userEntity = new UserEntity();
- userEntity.setUserName(UserName.fromString(userName));
- userEntity.setUserPassword("");
- userEntity.setPrincipal(principalEntity);
- userEntity.setLdapUser(true);
+ try {
+ userEntity = createUser(userName, userName, userName, true);
+ } catch (AmbariException e) {
+ LOG.error(String.format("Failed to create new user: %s", userName), e);
+ userEntity = null;
+ }
- allUsers.put(userEntity.getUserName(), userEntity);
- usersToCreate.add(userEntity);
+ if (userEntity != null) {
+ UserAuthenticationEntity authenticationEntity = new UserAuthenticationEntity();
+ authenticationEntity.setUser(userEntity);
+ authenticationEntity.setAuthenticationType(UserAuthenticationType.LDAP);
+ authenticationEntity.setAuthenticationKey("DN to be set");
+ userEntity.setAuthenticationEntities(Collections.singletonList(authenticationEntity));
+ userDAO.merge(userEntity);
+ }
}
// prepare create groups
@@ -734,9 +855,8 @@ public class Users {
groupsToCreate.add(groupEntity);
}
- // create users and groups
+ // create groups
principalDAO.create(principalsToCreate);
- userDAO.create(usersToCreate);
groupDAO.create(groupsToCreate);
// create membership
@@ -766,12 +886,6 @@ public class Users {
// clear cached entities
entityManagerProvider.get().getEntityManagerFactory().getCache().evictAll();
-
- if (!usersToCreate.isEmpty()) {
- // entry point in the hook logic
- hookServiceProvider.get().execute(hookContextFactory.createBatchUserHookContext(getUsersToGroupMap(usersToCreate)));
- }
-
}
/**
@@ -900,11 +1014,29 @@ public class Users {
* granted View User access on that File View instance.
*
* @param userName the username for the relevant user
- * @param userType the user type for the relevant user
* @return the users collection of implicit and explicit granted authorities
*/
- public Collection<AmbariGrantedAuthority> getUserAuthorities(String userName, UserType userType) {
- UserEntity userEntity = userDAO.findUserByNameAndType(userName, userType);
+ public Collection<AmbariGrantedAuthority> getUserAuthorities(String userName) {
+ return getUserAuthorities(getUserEntity(userName));
+ }
+
+ /**
+ * Gets the explicit and implicit authorities for the given user.
+ * <p>
+ * The explicit authorities are the authorities that have be explicitly set by assigning roles to
+ * a user. For example the Cluster Operator role on a given cluster gives that the ability to
+ * start and stop services in that cluster, among other privileges for that particular cluster.
+ * <p>
+ * The implicit authorities are the authorities that have been given to the roles themselves which
+ * in turn are granted to the users that have been assigned those roles. For example if the
+ * Cluster User role for a given cluster has been given View User access on a specified File View
+ * instance, then all users who have the Cluster User role for that cluster will implicitly be
+ * granted View User access on that File View instance.
+ *
+ * @param userEntity the relevant user
+ * @return the users collection of implicit and explicit granted authorities
+ */
+ public Collection<AmbariGrantedAuthority> getUserAuthorities(UserEntity userEntity) {
if (userEntity == null) {
return Collections.emptyList();
}
@@ -964,4 +1096,175 @@ public class Users {
return implicitPrivileges;
}
+ /**
+ * TODO: This is to be revisited for AMBARI-21217 (Update JWT Authentication process to work with improved user management facility)
+ * Adds the ability for a user to authenticate using a JWT token.
+ * <p>
+ * The key for this authentication mechanism is the username expected to be in the JWT token.
+ *
+ * @param userEntity the user
+ * @param key the relevant key
+ * @throws AmbariException
+ */
+ public void addJWTAuthentication(UserEntity userEntity, String key) throws AmbariException {
+ addAuthentication(userEntity, UserAuthenticationType.JWT, key, new Validator() {
+ public void validate(UserEntity userEntity, String key) throws AmbariException {
+ List<UserAuthenticationEntity> authenticationEntities = userEntity.getAuthenticationEntities();
+
+ // Ensure only one UserAuthenticationEntity exists for JWT for the user...
+ for (UserAuthenticationEntity entity : authenticationEntities) {
+ if ((entity.getAuthenticationType() == UserAuthenticationType.JWT) &&
+ ((key == null) ? (entity.getAuthenticationKey() == null) : key.equals(entity.getAuthenticationKey()))) {
+ throw new AmbariException("The authentication type already exists for this user");
+ }
+ }
+ }
+ });
+ }
+
+ /**
+ * TODO: This is to be revisited for AMBARI-21223 (Update Kerberos Authentication process to work with improved user management facility)
+ * Adds the ability for a user to authenticate using a Kerberos token.
+ *
+ * @param userEntity the user
+ * @param principalName the user's principal name
+ * @throws AmbariException
+ */
+ public void addKerberosAuthentication(UserEntity userEntity, String principalName) throws AmbariException {
+ addAuthentication(userEntity, UserAuthenticationType.KERBEROS, principalName, new Validator() {
+ public void validate(UserEntity userEntity, String key) throws AmbariException {
+ List<UserAuthenticationEntity> authenticationEntities = userEntity.getAuthenticationEntities();
+
+ // Ensure only one UserAuthenticationEntity exists for LOCAL for the user...
+ for (UserAuthenticationEntity entity : authenticationEntities) {
+ if ((entity.getAuthenticationType() == UserAuthenticationType.KERBEROS) &&
+ ((key == null) ? (entity.getAuthenticationKey() == null) : key.equals(entity.getAuthenticationKey()))) {
+ throw new AmbariException("The authentication type already exists for this user");
+ }
+ }
+ }
+ });
+ }
+
+ /**
+ * TODO: This is to be revisited for AMBARI-21220 (Update Local Authentication process to work with improved user management facility)
+ * Adds the ability for a user to authenticate using a password stored in Ambari's database
+ * <p>
+ * The supplied plaintext password will be encoded before storing.
+ *
+ * @param userEntity the user
+ * @param password the user's plaintext password
+ * @throws AmbariException
+ */
+ public void addLocalAuthentication(UserEntity userEntity, String password) throws AmbariException {
+
+ // Encode the password..
+ String encodedPassword = passwordEncoder.encode(password);
+
+ addAuthentication(userEntity, UserAuthenticationType.LOCAL, encodedPassword, new Validator() {
+ public void validate(UserEntity userEntity, String key) throws AmbariException {
+ List<UserAuthenticationEntity> authenticationEntities = userEntity.getAuthenticationEntities();
+
+ // Ensure only one UserAuthenticationEntity exists for LOCAL for the user...
+ for (UserAuthenticationEntity entity : authenticationEntities) {
+ if (entity.getAuthenticationType() == UserAuthenticationType.LOCAL) {
+ throw new AmbariException("The authentication type already exists for this user");
+ }
+ }
+ }
+ });
+ }
+
+ /**
+ * TODO: This is to be revisited for AMBARI-21221 (Update Pam Authentication process to work with improved user management facility)
+ * Adds the ability for a user to authenticate using Pam
+ *
+ * @param userEntity the user
+ * @param userName the user's os-level username
+ * @throws AmbariException
+ */
+ public void addPamAuthentication(UserEntity userEntity, String userName) throws AmbariException {
+ addAuthentication(userEntity, UserAuthenticationType.PAM, userName, new Validator() {
+ public void validate(UserEntity userEntity, String key) throws AmbariException {
+ List<UserAuthenticationEntity> authenticationEntities = userEntity.getAuthenticationEntities();
+
+ // Ensure only one UserAuthenticationEntity exists for PAM for the user...
+ for (UserAuthenticationEntity entity : authenticationEntities) {
+ if (entity.getAuthenticationType() == UserAuthenticationType.PAM) {
+ throw new AmbariException("The authentication type already exists for this user");
+ }
+ }
+ }
+ });
+ }
+
+ /**
+ * TODO: This is to be revisited for AMBARI-21219 (Update LDAP Authentication process to work with improved user management facility)
+ * Adds the ability for a user to authenticate using a remote LDAP server
+ *
+ * @param userEntity the user
+ * @param dn the user's distinguished name
+ * @throws AmbariException
+ */
+ public void addLdapAuthentication(UserEntity userEntity, String dn) throws AmbariException {
+ addAuthentication(userEntity, UserAuthenticationType.LDAP, dn, new Validator() {
+ public void validate(UserEntity userEntity, String key) throws AmbariException {
+ List<UserAuthenticationEntity> authenticationEntities = userEntity.getAuthenticationEntities();
+
+ // Ensure only one UserAuthenticationEntity exists for PAM for the user...
+ for (UserAuthenticationEntity entity : authenticationEntities) {
+ if ((entity.getAuthenticationType() == UserAuthenticationType.LDAP) &&
+ ((key == null) ? (entity.getAuthenticationKey() == null) : key.equalsIgnoreCase(entity.getAuthenticationKey()))) {
+ throw new AmbariException("The authentication type already exists for this user");
+ }
+ }
+ }
+ });
+ }
+
+ /**
+ * Worker to add a user authentication methods for a user.
+ *
+ * @param userEntity the user
+ * @param type the authentication type
+ * @param key the authentication type specific metadata
+ * @param validator the authentication type specific validator
+ * @throws AmbariException
+ */
+ private void addAuthentication(UserEntity userEntity, UserAuthenticationType type, String key, Validator validator) throws AmbariException {
+
+ if (userEntity == null) {
+ throw new AmbariException("Missing user");
+ }
+
+ validator.validate(userEntity, key);
+
+ List<UserAuthenticationEntity> authenticationEntities = userEntity.getAuthenticationEntities();
+
+ UserAuthenticationEntity authenticationEntity = new UserAuthenticationEntity();
+ authenticationEntity.setUser(userEntity);
+ authenticationEntity.setAuthenticationType(type);
+ authenticationEntity.setAuthenticationKey(key);
+ authenticationEntities.add(authenticationEntity);
+
+ userEntity.setAuthenticationEntities(authenticationEntities);
+ userDAO.merge(userEntity);
+ }
+
+ /**
+ * Validator is an interface to be implemented by authentication type specific validators to ensure
+ * new user authentication records meet the specific requirements for the relative authentication
+ * type.
+ */
+ private interface Validator {
+ /**
+ * Valudate the authentication type specific key meets the requirments for the relative user
+ * authentication type.
+ *
+ * @param userEntity the user
+ * @param key the key (or metadata)
+ * @throws AmbariException
+ */
+ void validate(UserEntity userEntity, String key) throws AmbariException;
+ }
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/f76c87a6/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/internal/AmbariInternalAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/internal/AmbariInternalAuthenticationProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/internal/AmbariInternalAuthenticationProvider.java
index 383e8fa..c57bdf1 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/internal/AmbariInternalAuthenticationProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/internal/AmbariInternalAuthenticationProvider.java
@@ -40,7 +40,7 @@ public class AmbariInternalAuthenticationProvider implements AuthenticationProvi
if (internalTokenStorage.isValidInternalToken(token.getCredentials())) {
token.setAuthenticated(true);
} else {
- throw new InvalidUsernamePasswordCombinationException();
+ throw new InvalidUsernamePasswordCombinationException(null);
}
return token;
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/f76c87a6/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/jwt/AuthenticationJwtUserNotFoundException.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/jwt/AuthenticationJwtUserNotFoundException.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/jwt/AuthenticationJwtUserNotFoundException.java
deleted file mode 100644
index f18af10..0000000
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/jwt/AuthenticationJwtUserNotFoundException.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.ambari.server.security.authorization.jwt;
-
-import org.springframework.security.core.AuthenticationException;
-
-/**
- * AuthenticationJwtUserNotFoundException is an AuthenticationException implementation to be thrown
- * when the user specified in a JTW token is not found in the Ambari user database.
- */
-public class AuthenticationJwtUserNotFoundException extends AuthenticationException {
- private final String username;
-
- public AuthenticationJwtUserNotFoundException(String username, String message) {
- super(message);
- this.username = username;
- }
-
- public AuthenticationJwtUserNotFoundException(String username, String message, Throwable throwable) {
- super(message, throwable);
- this.username = username;
- }
-
- public String getUsername() {
- return username;
- }
-}
http://git-wip-us.apache.org/repos/asf/ambari/blob/f76c87a6/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthenticationFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthenticationFilter.java
index e27afdb..3c3a446 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthenticationFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthenticationFilter.java
@@ -33,11 +33,14 @@ import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.apache.ambari.server.AmbariException;
import org.apache.ambari.server.configuration.Configuration;
+import org.apache.ambari.server.orm.entities.UserAuthenticationEntity;
+import org.apache.ambari.server.orm.entities.UserEntity;
import org.apache.ambari.server.security.authentication.AmbariAuthenticationFilter;
+import org.apache.ambari.server.security.authentication.UserNotFoundException;
import org.apache.ambari.server.security.authorization.AmbariGrantedAuthority;
-import org.apache.ambari.server.security.authorization.User;
-import org.apache.ambari.server.security.authorization.UserType;
+import org.apache.ambari.server.security.authorization.UserAuthenticationType;
import org.apache.ambari.server.security.authorization.Users;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
@@ -116,6 +119,9 @@ public class JwtAuthenticationFilter implements AmbariAuthenticationFilter {
}
+ // TODO: ************
+ // TODO: This is to be revisited for AMBARI-21217 (Update JWT Authentication process to work with improved user management facility)
+ // TODO: ************
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
@@ -138,27 +144,50 @@ public class JwtAuthenticationFilter implements AmbariAuthenticationFilter {
if (valid) {
String userName = jwtToken.getJWTClaimsSet().getSubject();
- User user = users.getUser(userName, UserType.JWT);
- //fixme temporary solution for LDAP username conflicts, auth ldap users via JWT
- if (user == null) {
- user = users.getUser(userName, UserType.LDAP);
- }
+ UserEntity userEntity = users.getUserEntity(userName);
- if (user == null) {
- //TODO this is temporary check for conflicts, until /users API will change to use user_id instead of name as PK
- User existingUser = users.getUser(userName, UserType.LOCAL);
- if (existingUser != null) {
- LOG.error("Access for JWT user [{}] restricted. Detected conflict with local user ", userName);
+ if (userEntity == null) {
+ //TODO we temporary expect that LDAP is configured to same server as JWT source
+ throw new UserNotFoundException(userName, "Cannot find user from JWT. Please, ensure LDAP is configured and users are synced.");
+ } else {
+ // Check to see if the user is allowed to authenticate using JWT or LDAP
+ Collection<UserAuthenticationEntity> authenticationEntities = userEntity.getAuthenticationEntities();
+ boolean hasJWT = false;
+ boolean hasLDAP = false;
+
+ if (authenticationEntities != null) {
+ for (UserAuthenticationEntity entity : authenticationEntities) {
+ if (entity.getAuthenticationType() == UserAuthenticationType.JWT) {
+ // TODO: possibly check the authentication key to see if it is relevant
+ hasJWT = true;
+ break;
+ } else if (entity.getAuthenticationType() == UserAuthenticationType.LDAP) {
+ hasLDAP = true;
+ }
+ }
}
- //TODO we temporary expect that LDAP is configured to same server as JWT source
- throw new AuthenticationJwtUserNotFoundException(userName, "Cannot find user from JWT. Please, ensure LDAP is configured and users are synced.");
+ if(!hasJWT) {
+ if (hasLDAP) {
+ // TODO: Determine if LDAP users can authenticate using JWT
+ try {
+ users.addJWTAuthentication(userEntity, userName);
+ } catch (AmbariException e) {
+ LOG.error(String.format("Failed to add the JWT authentication method for %s: %s", userName, e.getLocalizedMessage()), e);
+ }
+ hasJWT = true;
+ }
+ }
+
+ if (!hasJWT) {
+ throw new UserNotFoundException(userName, "User is not authorized to authenticate from JWT. Please, ensure LDAP is configured and users are synced.");
+ }
}
- Collection<AmbariGrantedAuthority> userAuthorities =
- users.getUserAuthorities(user.getUserName(), user.getUserType());
+ // If we made it this far, the user was found and is authorized to authenticate via JWT
+ Collection<AmbariGrantedAuthority> userAuthorities = users.getUserAuthorities(userEntity);
- JwtAuthentication authentication = new JwtAuthentication(serializedJWT, user, userAuthorities);
+ JwtAuthentication authentication = new JwtAuthentication(serializedJWT, users.getUser(userEntity), userAuthorities);
authentication.setAuthenticated(true);
SecurityContextHolder.getContext().setAuthentication(authentication);
@@ -221,11 +250,7 @@ public class JwtAuthenticationFilter implements AmbariAuthenticationFilter {
}
//always try to authenticate in case of anonymous user
- if (existingAuth instanceof AnonymousAuthenticationToken) {
- return true;
- }
-
- return false;
+ return (existingAuth instanceof AnonymousAuthenticationToken);
}
/**
http://git-wip-us.apache.org/repos/asf/ambari/blob/f76c87a6/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java
index f413c69..4e4b1b6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog240.java
@@ -429,9 +429,10 @@ public class UpgradeCatalog240 extends AbstractUpgradeCatalog {
String createdUserName = requestScheduleEntity.getCreateUser();
if (createdUserName != null) {
- User user = users.getUserIfUnique(createdUserName);
+ // NOTE: This class is expected to go away in Ambari 3.0.0. Apache JIRA not available.
+ User user = users.getUser(createdUserName);
- if (user != null && StringUtils.equals(user.getUserName(), createdUserName)) {
+ if (user != null && StringUtils.equalsIgnoreCase(user.getUserName(), createdUserName)) {
requestScheduleEntity.setAuthenticatedUserId(user.getUserId());
requestScheduleDAO.merge(requestScheduleEntity);
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/f76c87a6/ambari-server/src/main/resources/META-INF/persistence.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/META-INF/persistence.xml b/ambari-server/src/main/resources/META-INF/persistence.xml
index e4045ef..fa8e8ab 100644
--- a/ambari-server/src/main/resources/META-INF/persistence.xml
+++ b/ambari-server/src/main/resources/META-INF/persistence.xml
@@ -74,6 +74,7 @@
<class>org.apache.ambari.server.orm.entities.UpgradeItemEntity</class>
<class>org.apache.ambari.server.orm.entities.UpgradeHistoryEntity</class>
<class>org.apache.ambari.server.orm.entities.UserEntity</class>
+ <class>org.apache.ambari.server.orm.entities.UserAuthenticationEntity</class>
<class>org.apache.ambari.server.orm.entities.WidgetEntity</class>
<class>org.apache.ambari.server.orm.entities.ViewEntity</class>
<class>org.apache.ambari.server.orm.entities.ViewEntityEntity</class>
http://git-wip-us.apache.org/repos/asf/ambari/blob/f76c87a6/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java b/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
index 1b8de79..2b78f79 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
@@ -44,7 +44,7 @@ import org.apache.ambari.server.configuration.Configuration.DatabaseType;
import org.apache.ambari.server.controller.metrics.ThreadPoolEnabledPropertyProvider;
import org.apache.ambari.server.security.authentication.kerberos.AmbariKerberosAuthenticationProperties;
import org.apache.ambari.server.security.authorization.LdapServerProperties;
-import org.apache.ambari.server.security.authorization.UserType;
+import org.apache.ambari.server.security.authorization.UserAuthenticationType;
import org.apache.ambari.server.state.services.MetricsRetrievalService;
import org.apache.ambari.server.utils.StageUtils;
import org.apache.commons.io.FileUtils;
@@ -905,7 +905,7 @@ public class ConfigurationTest {
Assert.assertEquals(keytabFile.getAbsolutePath(), kerberosAuthenticationProperties.getSpnegoKeytabFilePath());
Assert.assertEquals("spnego/principal@REALM", kerberosAuthenticationProperties.getSpnegoPrincipalName());
Assert.assertEquals("DEFAULT", kerberosAuthenticationProperties.getAuthToLocalRules());
- Assert.assertEquals(Arrays.asList(UserType.LDAP, UserType.LOCAL), kerberosAuthenticationProperties.getOrderedUserTypes());
+ Assert.assertEquals(Arrays.asList(UserAuthenticationType.LDAP, UserAuthenticationType.LOCAL), kerberosAuthenticationProperties.getOrderedUserTypes());
}
/**
@@ -930,7 +930,7 @@ public class ConfigurationTest {
Assert.assertEquals(keytabFile.getAbsolutePath(), kerberosAuthenticationProperties.getSpnegoKeytabFilePath());
Assert.assertEquals("HTTP/" + StageUtils.getHostName(), kerberosAuthenticationProperties.getSpnegoPrincipalName());
Assert.assertEquals("DEFAULT", kerberosAuthenticationProperties.getAuthToLocalRules());
- Assert.assertEquals(Collections.singletonList(UserType.LDAP), kerberosAuthenticationProperties.getOrderedUserTypes());
+ Assert.assertEquals(Collections.singletonList(UserAuthenticationType.LDAP), kerberosAuthenticationProperties.getOrderedUserTypes());
}
/**
http://git-wip-us.apache.org/repos/asf/ambari/blob/f76c87a6/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerTest.java
index 3215e72..c8eb6d6 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerTest.java
@@ -4547,80 +4547,7 @@ public class AmbariManagementControllerTest {
assertEquals("", response.getRequestContext());
}
- private void createUser(String userName) throws Exception {
- UserRequest request = new UserRequest(userName);
- request.setPassword("password");
- controller.createUsers(new HashSet<>(Collections.singleton(request)));
- }
-
- @Test
- public void testCreateAndGetUsers() throws Exception {
- createUser("user1");
-
- Set<UserResponse> r =
- controller.getUsers(Collections.singleton(new UserRequest("user1")));
-
- Assert.assertEquals(1, r.size());
- UserResponse resp = r.iterator().next();
- Assert.assertEquals("user1", resp.getUsername());
- }
-
- @Test
- public void testGetUsers() throws Exception {
- String user1 = getUniqueName();
- String user2 = getUniqueName();
- String user3 = getUniqueName();
- List<String> users = Arrays.asList(user1, user2, user3);
-
- for (String user : users) {
- createUser(user);
- }
-
- UserRequest request = new UserRequest(null);
-
- Set<UserResponse> responses = controller.getUsers(Collections.singleton(request));
-
- // other tests are making user requests, so let's make sure we have the 3 just made
- List<String> contained = new ArrayList<>();
- for (UserResponse ur : responses) {
- if (users.contains(ur.getUsername())) {
- contained.add(ur.getUsername());
- }
- }
-
- Assert.assertEquals(3, contained.size());
- }
-
- @SuppressWarnings("serial")
- @Test
- public void testUpdateUsers() throws Exception {
- String user1 = getUniqueName();
- createUser(user1);
-
- UserRequest request = new UserRequest(user1);
-
- controller.updateUsers(Collections.singleton(request));
- }
-
- @SuppressWarnings("serial")
- @Ignore
- @Test
- public void testDeleteUsers() throws Exception {
- String user1 = getUniqueName();
- createUser(user1);
-
- UserRequest request = new UserRequest(user1);
- controller.updateUsers(Collections.singleton(request));
-
- request = new UserRequest(user1);
- controller.deleteUsers(Collections.singleton(request));
-
- Set<UserResponse> responses = controller.getUsers(
- Collections.singleton(new UserRequest(null)));
-
- Assert.assertEquals(0, responses.size());
- }
@Test
public void testUpdateConfigForRunningService() throws Exception {
http://git-wip-us.apache.org/repos/asf/ambari/blob/f76c87a6/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AbstractPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AbstractPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AbstractPrivilegeResourceProviderTest.java
deleted file mode 100644
index 547bba5..0000000
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AbstractPrivilegeResourceProviderTest.java
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.ambari.server.controller.internal;
-
-import org.apache.ambari.server.orm.dao.MemberDAO;
-import org.apache.ambari.server.orm.dao.PrivilegeDAO;
-import org.apache.ambari.server.security.authorization.Users;
-import org.easymock.EasyMockSupport;
-
-class AbstractPrivilegeResourceProviderTest extends EasyMockSupport {
-
- static class TestUsers extends Users {
-
- void setPrivilegeDAO(PrivilegeDAO privilegeDAO) {
- this.privilegeDAO = privilegeDAO;
- }
-
- public void setMemberDAO(MemberDAO memberDAO) {
- this.memberDAO = memberDAO;
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/ambari/blob/f76c87a6/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProviderTest.java
index 4dc06b9..487c02a 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProviderTest.java
@@ -64,7 +64,6 @@ import org.apache.ambari.server.orm.entities.WidgetLayoutUserWidgetEntity;
import org.apache.ambari.server.scheduler.ExecutionScheduler;
import org.apache.ambari.server.security.TestAuthenticationFactory;
import org.apache.ambari.server.security.authorization.AuthorizationException;
-import org.apache.ambari.server.security.authorization.UserType;
import org.apache.ambari.server.security.authorization.Users;
import org.apache.ambari.server.security.encryption.CredentialStoreService;
import org.apache.ambari.server.security.encryption.CredentialStoreServiceImpl;
@@ -172,7 +171,7 @@ public class ActiveWidgetLayoutResourceProviderTest extends EasyMockSupport {
UserEntity userEntity = createMockUserEntity(requestedUsername);
UserDAO userDAO = injector.getInstance(UserDAO.class);
- expect(userDAO.findSingleUserByName(requestedUsername)).andReturn(userEntity).atLeastOnce();
+ expect(userDAO.findUserByName(requestedUsername)).andReturn(userEntity).atLeastOnce();
WidgetLayoutDAO widgetLayoutDAO = injector.getInstance(WidgetLayoutDAO.class);
expect(widgetLayoutDAO.findById(1L)).andReturn(createMockWidgetLayout(1L, requestedUsername)).atLeastOnce();
@@ -368,7 +367,6 @@ public class ActiveWidgetLayoutResourceProviderTest extends EasyMockSupport {
UserEntity userEntity = createMock(UserEntity.class);
expect(userEntity.getUserId()).andReturn(username.hashCode()).anyTimes();
expect(userEntity.getUserName()).andReturn(username).anyTimes();
- expect(userEntity.getUserType()).andReturn(UserType.LOCAL).anyTimes();
expect(userEntity.getActiveWidgetLayouts()).andReturn("[{\"id\":\"1\"},{\"id\":\"2\"}]").anyTimes();
return userEntity;
http://git-wip-us.apache.org/repos/asf/ambari/blob/f76c87a6/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProviderTest.java
index 36f6a1e..ea981e2 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProviderTest.java
@@ -27,6 +27,8 @@ import java.util.LinkedList;
import java.util.List;
import java.util.Set;
+import javax.persistence.EntityManager;
+
import org.apache.ambari.server.controller.GroupPrivilegeResponse;
import org.apache.ambari.server.controller.spi.Predicate;
import org.apache.ambari.server.controller.spi.Request;
@@ -34,6 +36,9 @@ import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.controller.spi.SystemException;
import org.apache.ambari.server.controller.utilities.PredicateBuilder;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
+import org.apache.ambari.server.hooks.HookContextFactory;
+import org.apache.ambari.server.hooks.HookService;
+import org.apache.ambari.server.orm.DBAccessor;
import org.apache.ambari.server.orm.dao.ClusterDAO;
import org.apache.ambari.server.orm.dao.GroupDAO;
import org.apache.ambari.server.orm.dao.PrivilegeDAO;
@@ -52,16 +57,22 @@ import org.apache.ambari.server.security.TestAuthenticationFactory;
import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.security.authorization.ResourceType;
import org.apache.ambari.server.security.authorization.Users;
+import org.easymock.EasyMockSupport;
import org.junit.Test;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+
+import com.google.inject.AbstractModule;
+import com.google.inject.Guice;
+import com.google.inject.Injector;
import junit.framework.Assert;
/**
* GroupPrivilegeResourceProvider tests.
*/
-public class GroupPrivilegeResourceProviderTest extends AbstractPrivilegeResourceProviderTest {
+public class GroupPrivilegeResourceProviderTest extends EasyMockSupport{
@Test(expected = SystemException.class)
public void testCreateResources() throws Exception {
@@ -79,7 +90,7 @@ public class GroupPrivilegeResourceProviderTest extends AbstractPrivilegeResourc
public void testGetResources_NonAdministrator() throws Exception {
getResourcesTest(TestAuthenticationFactory.createClusterAdministrator("user1", 2L), "Group1");
}
-
+
@Test(expected = SystemException.class)
public void testUpdateResources() throws Exception {
SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createClusterAdministrator("user1", 2L));
@@ -230,7 +241,7 @@ public class GroupPrivilegeResourceProviderTest extends AbstractPrivilegeResourc
expect(groupEntity.getGroupName()).andReturn("group1").atLeastOnce();
ClusterDAO clusterDAO = createMock(ClusterDAO.class);
-
+
ViewInstanceDAO viewInstanceDAO = createMock(ViewInstanceDAO.class);
expect(viewInstanceDAO.findByResourceId(1L)).andReturn(viewInstanceEntity).atLeastOnce();
@@ -328,8 +339,31 @@ public class GroupPrivilegeResourceProviderTest extends AbstractPrivilegeResourc
final ResourceTypeEntity resourceTypeEntity = createNiceMock(ResourceTypeEntity.class);
final PrivilegeDAO privilegeDAO = createMock(PrivilegeDAO.class);
- final TestUsers users = new TestUsers();
- users.setPrivilegeDAO(privilegeDAO);
+ final Injector injector = Guice.createInjector(new AbstractModule() {
+ @Override
+ protected void configure() {
+ bind(EntityManager.class).toInstance(createNiceMock(EntityManager.class));
+ bind(DBAccessor.class).toInstance(createNiceMock(DBAccessor.class));
+ bind(PasswordEncoder.class).toInstance(createNiceMock(PasswordEncoder.class));
+ bind(HookService.class).toInstance(createMock(HookService.class));
+ bind(HookContextFactory.class).toInstance(createMock(HookContextFactory.class));
+
+ bind(GroupDAO.class).toInstance(groupDAO);
+ bind(ClusterDAO.class).toInstance(clusterDAO);
+ bind(ViewInstanceDAO.class).toInstance(viewInstanceDAO);
+ bind(GroupEntity.class).toInstance(groupEntity);
+ bind(PrincipalEntity.class).toInstance(principalEntity);
+ bind(PrivilegeEntity.class).toInstance(privilegeEntity);
+ bind(PermissionEntity.class).toInstance(permissionEntity);
+ bind(PrincipalTypeEntity.class).toInstance(principalTypeEntity);
+ bind(ResourceEntity.class).toInstance(resourceEntity);
+ bind(ResourceTypeEntity.class).toInstance(resourceTypeEntity);
+ bind(PrivilegeDAO.class).toInstance(privilegeDAO);
+ }
+ }
+ );
+
+ final Users users = injector.getInstance(Users.class);
List<PrincipalEntity> groupPrincipals = new LinkedList<>();
groupPrincipals.add(principalEntity);
http://git-wip-us.apache.org/repos/asf/ambari/blob/f76c87a6/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
index 9ccbc11..499354f 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
@@ -28,6 +28,8 @@ import java.util.LinkedList;
import java.util.List;
import java.util.Set;
+import javax.persistence.EntityManager;
+
import org.apache.ambari.server.controller.UserPrivilegeResponse;
import org.apache.ambari.server.controller.spi.Predicate;
import org.apache.ambari.server.controller.spi.Request;
@@ -35,6 +37,9 @@ import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.controller.spi.SystemException;
import org.apache.ambari.server.controller.utilities.PredicateBuilder;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
+import org.apache.ambari.server.hooks.HookContextFactory;
+import org.apache.ambari.server.hooks.HookService;
+import org.apache.ambari.server.orm.DBAccessor;
import org.apache.ambari.server.orm.dao.ClusterDAO;
import org.apache.ambari.server.orm.dao.GroupDAO;
import org.apache.ambari.server.orm.dao.MemberDAO;
@@ -56,16 +61,22 @@ import org.apache.ambari.server.security.TestAuthenticationFactory;
import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.security.authorization.ResourceType;
import org.apache.ambari.server.security.authorization.Users;
+import org.easymock.EasyMockSupport;
import org.junit.Test;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+
+import com.google.inject.AbstractModule;
+import com.google.inject.Guice;
+import com.google.inject.Injector;
import junit.framework.Assert;
/**
* UserPrivilegeResourceProvider tests.
*/
-public class UserPrivilegeResourceProviderTest extends AbstractPrivilegeResourceProviderTest {
+public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
@Test(expected = SystemException.class)
public void testCreateResources() throws Exception {
@@ -334,45 +345,56 @@ public class UserPrivilegeResourceProviderTest extends AbstractPrivilegeResource
public void testToResource_SpecificVIEW_WithClusterInheritedPermission() throws Exception {
SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createClusterAdministrator("jdoe", 2L));
- PrincipalTypeEntity rolePrincipalTypeEntity = createMock(PrincipalTypeEntity.class);
+ Injector injector = createInjector();
+
+ final UserPrivilegeResourceProvider resourceProvider = new UserPrivilegeResourceProvider();
+ final UserDAO userDAO = injector.getInstance(UserDAO.class);
+ final GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
+ final ClusterDAO clusterDAO = injector.getInstance(ClusterDAO.class);
+ final ViewInstanceDAO viewInstanceDAO = injector.getInstance(ViewInstanceDAO.class);
+ final PrivilegeDAO privilegeDAO = injector.getInstance(PrivilegeDAO.class);
+ final MemberDAO memberDAO = injector.getInstance(MemberDAO.class);
+
+
+ final PrincipalTypeEntity rolePrincipalTypeEntity = createMock(PrincipalTypeEntity.class);
expect(rolePrincipalTypeEntity.getName()).andReturn("ROLE").atLeastOnce();
- PrincipalEntity rolePrincipalEntity = createMock(PrincipalEntity.class);
+ final PrincipalEntity rolePrincipalEntity = createMock(PrincipalEntity.class);
expect(rolePrincipalEntity.getPrincipalType()).andReturn(rolePrincipalTypeEntity).atLeastOnce();
- PermissionEntity permissionEntity = createMock(PermissionEntity.class);
+ final PermissionEntity permissionEntity = createMock(PermissionEntity.class);
expect(permissionEntity.getPrincipal()).andReturn(rolePrincipalEntity).atLeastOnce();
expect(permissionEntity.getPermissionName()).andReturn("CLUSTER.ADMINISTRATOR").atLeastOnce();
expect(permissionEntity.getPermissionLabel()).andReturn("Cluster Administrator").atLeastOnce();
- PrincipalTypeEntity principalTypeEntity = createMock(PrincipalTypeEntity.class);
+ final PrincipalTypeEntity principalTypeEntity = createMock(PrincipalTypeEntity.class);
expect(principalTypeEntity.getName()).andReturn("USER").atLeastOnce();
- PrincipalEntity principalEntity = createMock(PrincipalEntity.class);
+ final PrincipalEntity principalEntity = createMock(PrincipalEntity.class);
expect(principalEntity.getPrincipalType()).andReturn(principalTypeEntity).atLeastOnce();
- ViewEntity viewEntity = createMock(ViewEntity.class);
+ final ViewEntity viewEntity = createMock(ViewEntity.class);
expect(viewEntity.getCommonName()).andReturn("TestView").atLeastOnce();
expect(viewEntity.getVersion()).andReturn("1.2.3.4").atLeastOnce();
- ResourceTypeEntity resourceTypeEntity = createMock(ResourceTypeEntity.class);
+ final ResourceTypeEntity resourceTypeEntity = createMock(ResourceTypeEntity.class);
expect(resourceTypeEntity.getName()).andReturn("TestView{1.2.3.4}").atLeastOnce();
- ResourceEntity resourceEntity = createMock(ResourceEntity.class);
+ final ResourceEntity resourceEntity = createMock(ResourceEntity.class);
expect(resourceEntity.getId()).andReturn(1L).anyTimes();
expect(resourceEntity.getResourceType()).andReturn(resourceTypeEntity).anyTimes();
- ViewInstanceEntity viewInstanceEntity = createMock(ViewInstanceEntity.class);
+ final ViewInstanceEntity viewInstanceEntity = createMock(ViewInstanceEntity.class);
expect(viewInstanceEntity.getViewEntity()).andReturn(viewEntity).atLeastOnce();
expect(viewInstanceEntity.getName()).andReturn("Test View").atLeastOnce();
- PrivilegeEntity explicitPrivilegeEntity = createMock(PrivilegeEntity.class);
+ final PrivilegeEntity explicitPrivilegeEntity = createMock(PrivilegeEntity.class);
expect(explicitPrivilegeEntity.getId()).andReturn(1).atLeastOnce();
expect(explicitPrivilegeEntity.getPermission()).andReturn(permissionEntity).atLeastOnce();
expect(explicitPrivilegeEntity.getPrincipal()).andReturn(principalEntity).atLeastOnce();
expect(explicitPrivilegeEntity.getResource()).andReturn(resourceEntity).atLeastOnce();
- PrivilegeEntity implicitPrivilegeEntity = createMock(PrivilegeEntity.class);
+ final PrivilegeEntity implicitPrivilegeEntity = createMock(PrivilegeEntity.class);
expect(implicitPrivilegeEntity.getId()).andReturn(2).atLeastOnce();
expect(implicitPrivilegeEntity.getPermission()).andReturn(permissionEntity).atLeastOnce();
expect(implicitPrivilegeEntity.getPrincipal()).andReturn(rolePrincipalEntity).atLeastOnce();
@@ -382,23 +404,13 @@ public class UserPrivilegeResourceProviderTest extends AbstractPrivilegeResource
expect(userEntity.getUserName()).andReturn("jdoe").atLeastOnce();
expect(userEntity.getPrincipal()).andReturn(principalEntity).atLeastOnce();
- ClusterDAO clusterDAO = createMock(ClusterDAO.class);
- GroupDAO groupDAO = createMock(GroupDAO.class);
-
- ViewInstanceDAO viewInstanceDAO = createMock(ViewInstanceDAO.class);
expect(viewInstanceDAO.findByResourceId(1L)).andReturn(viewInstanceEntity).atLeastOnce();
- final UserDAO userDAO = createNiceMock(UserDAO.class);
- expect(userDAO.findLocalUserByName("jdoe")).andReturn(userEntity).anyTimes();
+ expect(userDAO.findUserByName("jdoe")).andReturn(userEntity).anyTimes();
expect(userDAO.findUserByPrincipal(anyObject(PrincipalEntity.class))).andReturn(userEntity).anyTimes();
expect(userDAO.findAll()).andReturn(Collections.<UserEntity>emptyList()).anyTimes();
- final PrivilegeDAO privilegeDAO = createMock(PrivilegeDAO.class);
- final MemberDAO memberDAO = createMock(MemberDAO.class);
-
- final TestUsers users = new TestUsers();
- users.setPrivilegeDAO(privilegeDAO);
- users.setMemberDAO(memberDAO);
+ final Users users = injector.getInstance(Users.class);
List<PrincipalEntity> rolePrincipals = new LinkedList<>();
rolePrincipals.add(rolePrincipalEntity);
@@ -422,9 +434,9 @@ public class UserPrivilegeResourceProviderTest extends AbstractPrivilegeResource
final Set<String> propertyIds = new HashSet<>();
propertyIds.add(UserPrivilegeResourceProvider.PRIVILEGE_USER_NAME_PROPERTY_ID);
final Predicate predicate = new PredicateBuilder()
- .property(UserPrivilegeResourceProvider.PRIVILEGE_USER_NAME_PROPERTY_ID)
- .equals("jdoe")
- .toPredicate();
+ .property(UserPrivilegeResourceProvider.PRIVILEGE_USER_NAME_PROPERTY_ID)
+ .equals("jdoe")
+ .toPredicate();
TestAuthenticationFactory.createClusterAdministrator("jdoe", 2L);
Request request = PropertyHelper.getReadRequest(propertyIds);
@@ -443,11 +455,16 @@ public class UserPrivilegeResourceProviderTest extends AbstractPrivilegeResource
// @SuppressWarnings("serial")
private void getResourcesTest(Authentication authentication, String requestedUsername) throws Exception {
+ Injector injector = createInjector();
+
final UserPrivilegeResourceProvider resourceProvider = new UserPrivilegeResourceProvider();
- final UserDAO userDAO = createNiceMock(UserDAO.class);
- final GroupDAO groupDAO = createNiceMock(GroupDAO.class);
- final ClusterDAO clusterDAO = createNiceMock(ClusterDAO.class);
- final ViewInstanceDAO viewInstanceDAO = createNiceMock(ViewInstanceDAO.class);
+ final UserDAO userDAO = injector.getInstance(UserDAO.class);
+ final GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
+ final ClusterDAO clusterDAO = injector.getInstance(ClusterDAO.class);
+ final ViewInstanceDAO viewInstanceDAO = injector.getInstance(ViewInstanceDAO.class);
+ final PrivilegeDAO privilegeDAO = injector.getInstance(PrivilegeDAO.class);
+ final MemberDAO memberDAO = injector.getInstance(MemberDAO.class);
+
final UserEntity userEntity = createNiceMock(UserEntity.class);
final PrincipalEntity principalEntity = createNiceMock(PrincipalEntity.class);
final PrivilegeEntity privilegeEntity = createNiceMock(PrivilegeEntity.class);
@@ -455,12 +472,8 @@ public class UserPrivilegeResourceProviderTest extends AbstractPrivilegeResource
final PrincipalTypeEntity principalTypeEntity = createNiceMock(PrincipalTypeEntity.class);
final ResourceEntity resourceEntity = createNiceMock(ResourceEntity.class);
final ResourceTypeEntity resourceTypeEntity = createNiceMock(ResourceTypeEntity.class);
- final PrivilegeDAO privilegeDAO = createMock(PrivilegeDAO.class);
- final MemberDAO memberDAO = createMock(MemberDAO.class);
- final TestUsers users = new TestUsers();
- users.setPrivilegeDAO(privilegeDAO);
- users.setMemberDAO(memberDAO);
+ final Users users = injector.getInstance(Users.class);
List<PrincipalEntity> userPrincipals = new LinkedList<>();
userPrincipals.add(principalEntity);
@@ -471,7 +484,7 @@ public class UserPrivilegeResourceProviderTest extends AbstractPrivilegeResource
expect(memberDAO.findAllMembersByUser(userEntity)).
andReturn(Collections.<MemberEntity>emptyList())
.atLeastOnce();
- expect(userDAO.findLocalUserByName(requestedUsername)).andReturn(userEntity).anyTimes();
+ expect(userDAO.findUserByName(requestedUsername)).andReturn(userEntity).anyTimes();
expect(userDAO.findAll()).andReturn(Collections.<UserEntity>emptyList()).anyTimes();
expect(userEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
expect(userEntity.getMemberEntities()).andReturn(Collections.<MemberEntity>emptySet()).anyTimes();
@@ -518,4 +531,24 @@ public class UserPrivilegeResourceProviderTest extends AbstractPrivilegeResource
verifyAll();
}
+ private Injector createInjector() {
+ return Guice.createInjector(new AbstractModule() {
+ @Override
+ protected void configure() {
+ bind(EntityManager.class).toInstance(createNiceMock(EntityManager.class));
+ bind(DBAccessor.class).toInstance(createNiceMock(DBAccessor.class));
+ bind(PasswordEncoder.class).toInstance(createNiceMock(PasswordEncoder.class));
+ bind(HookService.class).toInstance(createMock(HookService.class));
+ bind(HookContextFactory.class).toInstance(createMock(HookContextFactory.class));
+
+ bind(UserDAO.class).toInstance(createNiceMock(UserDAO.class));
+ bind(GroupDAO.class).toInstance(createNiceMock(GroupDAO.class));
+ bind(ClusterDAO.class).toInstance(createNiceMock(ClusterDAO.class));
+ bind(ViewInstanceDAO.class).toInstance(createNiceMock(ViewInstanceDAO.class));
+ bind(PrivilegeDAO.class).toInstance(createMock(PrivilegeDAO.class));
+ bind(MemberDAO.class).toInstance(createMock(MemberDAO.class));
+ }
+ });
+ }
+
}