Posted to commits@ambari.apache.org by mp...@apache.org on 2015/12/14 20:47:52 UTC
ambari git commit: AMBARI-14341. Enforce granular role-based access
control for ldap-sync functions. (mpapirkovskyy)
Repository: ambari
Updated Branches:
refs/heads/trunk e6fde3080 -> 155ae8554
AMBARI-14341. Enforce granular role-based access control for ldap-sync functions. (mpapirkovskyy)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/155ae855
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/155ae855
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/155ae855
Branch: refs/heads/trunk
Commit: 155ae8554cd9f62cbc9933a3f7e17fb70f936cc9
Parents: e6fde30
Author: Myroslav Papirkovskyy <mp...@hortonworks.com>
Authored: Fri Dec 11 15:02:18 2015 +0200
Committer: Myroslav Papirkovskyy <mp...@hortonworks.com>
Committed: Mon Dec 14 21:47:18 2015 +0200
----------------------------------------------------------------------
.../internal/LdapSyncEventResourceProvider.java | 29 ++++++++++++++++++--
.../LdapSyncEventResourceProviderTest.java | 10 +++++++
2 files changed, 36 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/155ae855/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/LdapSyncEventResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/LdapSyncEventResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/LdapSyncEventResourceProvider.java
index 52f7c94..3d18a27 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/LdapSyncEventResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/LdapSyncEventResourceProvider.java
@@ -33,6 +33,10 @@ import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
import org.apache.ambari.server.orm.entities.LdapSyncEventEntity;
import org.apache.ambari.server.orm.entities.LdapSyncSpecEntity;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
import org.apache.ambari.server.security.ldap.LdapBatchDto;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -40,6 +44,7 @@ import org.slf4j.LoggerFactory;
import javax.naming.OperationNotSupportedException;
import java.util.Arrays;
import java.util.Collections;
+import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedList;
@@ -157,13 +162,19 @@ public class LdapSyncEventResourceProvider extends AbstractControllerResourcePro
*/
public LdapSyncEventResourceProvider(AmbariManagementController managementController) {
super(propertyIds, keyPropertyIds, managementController);
+
+ EnumSet<RoleAuthorization> roleAuthorizations =
+ EnumSet.of(RoleAuthorization.AMBARI_MANAGE_GROUPS, RoleAuthorization.AMBARI_MANAGE_USERS);
+
+ setRequiredCreateAuthorizations(roleAuthorizations);
+ setRequiredDeleteAuthorizations(roleAuthorizations);
}
// ----- ResourceProvider --------------------------------------------------
@Override
- public RequestStatus createResources(Request event)
+ public RequestStatus createResourcesAuthorized(Request event)
throws SystemException, UnsupportedPropertyException,
ResourceAlreadyExistsException, NoSuchParentResourceException {
Set<LdapSyncEventEntity> newEvents = new HashSet<LdapSyncEventEntity>();
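Review bot: The constructor hands the same two-element EnumSet to both setRequiredCreateAuthorizations and setRequiredDeleteAuthorizations without recording whether the base class treats the set as any-of or all-of, and that distinction is exactly what a later reader needs to judge whether this gate is sufficient on its own. The per-spec check added to getCreateCommand() in this commit implies the set is only a coarse any-of gate, but nothing in the hunk says so. Propose a comment above the EnumSet, worded to be confirmed against AbstractResourceProvider: `// Coarse gate only: holding either authorization admits the caller to create/delete; getCreateCommand() then enforces MANAGE_USERS vs MANAGE_GROUPS per sync spec.` The body of createResourcesAuthorized continues outside the hunk.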
@@ -208,7 +219,7 @@ public class LdapSyncEventResourceProvider extends AbstractControllerResourcePro
}
@Override
- public RequestStatus deleteResources(Predicate predicate)
+ public RequestStatus deleteResourcesAuthorized(Predicate predicate)
throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
modifyResources(getDeleteCommand(predicate));
notifyDelete(Resource.Type.ViewInstance, predicate);
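Review bot: deleteResourcesAuthorized relies solely on the coarse create/delete authorization set and, unlike the create path in this same commit, performs no per-spec check, so if the base class accepts any one of the two authorizations a caller holding only AMBARI_MANAGE_GROUPS can delete a pending sync event whose specs target users, and vice versa. If the intent is parity with create, getDeleteCommand should inspect the specs of the matched events and apply the same MANAGE_USERS/MANAGE_GROUPS test before removing them; if deletion is deliberately coarser, that decision should be stated in a comment on the method. Separately, the unchanged `notifyDelete(Resource.Type.ViewInstance, predicate);` on the last line looks like it notifies the wrong resource type for an LDAP sync event provider, which is worth confirming even though this commit does not touch it.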
@@ -344,10 +355,22 @@ public class LdapSyncEventResourceProvider extends AbstractControllerResourcePro
private Command<LdapSyncEventEntity> getCreateCommand(final Map<String, Object> properties) {
return new Command<LdapSyncEventEntity>() {
@Override
- public LdapSyncEventEntity invoke() throws AmbariException {
+ public LdapSyncEventEntity invoke() throws AmbariException, AuthorizationException {
LdapSyncEventEntity eventEntity = toEntity(properties);
+ for (LdapSyncSpecEntity ldapSyncSpecEntity : eventEntity.getSpecs()) {
+ if (ldapSyncSpecEntity.getPrincipalType() == LdapSyncSpecEntity.PrincipalType.USERS) {
+ if (!AuthorizationHelper.isAuthorized(ResourceType.AMBARI, null, RoleAuthorization.AMBARI_MANAGE_USERS)) {
+ throw new AuthorizationException("The uthenticated user is not authorized to syng LDAP users");
+ }
+ } else {
+ if (!AuthorizationHelper.isAuthorized(ResourceType.AMBARI, null, RoleAuthorization.AMBARI_MANAGE_GROUPS)) {
+ throw new AuthorizationException("The uthenticated user is not authorized to syng LDAP groups");
+ }
+ }
+ }
+
events.put(eventEntity.getId(), eventEntity);
return eventEntity;
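Review bot: The spec loop in getCreateCommand fails open for any principal type other than USERS: the bare else branch maps every other value onto the groups check, so a principal type added to LdapSyncSpecEntity.PrincipalType later would be accepted under AMBARI_MANAGE_GROUPS without anyone revisiting this code. Make the groups branch explicit and reject everything else, assuming PrincipalType has a GROUPS constant as the existing else branch implies. The thrown messages also carry two typos that will reach API clients, `uthenticated` and `syng`, which should read `authenticated` and `sync`. The enclosing anonymous Command and getCreateCommand end outside the hunk.
```java
for (LdapSyncSpecEntity ldapSyncSpecEntity : eventEntity.getSpecs()) {
  LdapSyncSpecEntity.PrincipalType principalType = ldapSyncSpecEntity.getPrincipalType();
  if (principalType == LdapSyncSpecEntity.PrincipalType.USERS) {
    if (!AuthorizationHelper.isAuthorized(ResourceType.AMBARI, null, RoleAuthorization.AMBARI_MANAGE_USERS)) {
      throw new AuthorizationException("The authenticated user is not authorized to sync LDAP users");
    }
  } else if (principalType == LdapSyncSpecEntity.PrincipalType.GROUPS) {
    if (!AuthorizationHelper.isAuthorized(ResourceType.AMBARI, null, RoleAuthorization.AMBARI_MANAGE_GROUPS)) {
      throw new AuthorizationException("The authenticated user is not authorized to sync LDAP groups");
    }
  } else {
    // Fail closed: an unrecognised principal type must not be accepted under either authorization.
    throw new AuthorizationException("Unsupported LDAP sync principal type: " + principalType);
  }
}
// … unchanged: events.put / return eventEntity …
```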
http://git-wip-us.apache.org/repos/asf/ambari/blob/155ae855/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/LdapSyncEventResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/LdapSyncEventResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/LdapSyncEventResourceProviderTest.java
index 523753d..8a12c13 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/LdapSyncEventResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/LdapSyncEventResourceProviderTest.java
@@ -22,8 +22,11 @@ import org.apache.ambari.server.controller.AmbariManagementController;
import org.apache.ambari.server.controller.spi.Request;
import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
import org.junit.Assert;
+import org.junit.BeforeClass;
import org.junit.Test;
+import org.springframework.security.core.context.SecurityContextHolder;
import java.util.HashMap;
import java.util.HashSet;
@@ -37,6 +40,13 @@ import static org.easymock.EasyMock.createNiceMock;
* LdapSyncEventResourceProvider tests.
*/
public class LdapSyncEventResourceProviderTest {
+
+ @BeforeClass
+ public static void setupAuthentication() {
+ // Set authenticated user so that authorization checks will pass
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
+ }
+
@Test
public void testCreateResources() throws Exception {
AmbariManagementController amc = createMock(AmbariManagementController.class);
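Review bot: The test change only installs an administrator so that every authorization check passes; nothing in the hunk exercises the denial path, so a regression that drops the per-spec check in getCreateCommand would go unnoticed. Add a test that authenticates a principal holding AMBARI_MANAGE_GROUPS but not AMBARI_MANAGE_USERS (via TestAuthenticationFactory, if it offers such a helper, or a purpose-built Authentication), submits a request containing a USERS spec, and asserts that createResources fails with AuthorizationException or whatever the provider surfaces it as. Also, setting the authentication in @BeforeClass leaves it on the thread for any test that runs afterwards in the same JVM; pair it with an @AfterClass that calls `SecurityContextHolder.getContext().setAuthentication(null);`. The body of testCreateResources continues outside the hunk.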