Posted to commits@ambari.apache.org by mp...@apache.org on 2015/12/14 20:47:52 UTC

ambari git commit: AMBARI-14341. Enforce granular role-based access control for ldap-sync functions. (mpapirkovskyy)

Repository: ambari
Updated Branches:
  refs/heads/trunk e6fde3080 -> 155ae8554


AMBARI-14341. Enforce granular role-based access control for ldap-sync functions. (mpapirkovskyy)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/155ae855
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/155ae855
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/155ae855

Branch: refs/heads/trunk
Commit: 155ae8554cd9f62cbc9933a3f7e17fb70f936cc9
Parents: e6fde30
Author: Myroslav Papirkovskyy <mp...@hortonworks.com>
Authored: Fri Dec 11 15:02:18 2015 +0200
Committer: Myroslav Papirkovskyy <mp...@hortonworks.com>
Committed: Mon Dec 14 21:47:18 2015 +0200

----------------------------------------------------------------------
 .../internal/LdapSyncEventResourceProvider.java | 29 ++++++++++++++++++--
 .../LdapSyncEventResourceProviderTest.java      | 10 +++++++
 2 files changed, 36 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/155ae855/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/LdapSyncEventResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/LdapSyncEventResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/LdapSyncEventResourceProvider.java
index 52f7c94..3d18a27 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/LdapSyncEventResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/LdapSyncEventResourceProvider.java
@@ -33,6 +33,10 @@ import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
 import org.apache.ambari.server.controller.utilities.PropertyHelper;
 import org.apache.ambari.server.orm.entities.LdapSyncEventEntity;
 import org.apache.ambari.server.orm.entities.LdapSyncSpecEntity;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
 import org.apache.ambari.server.security.ldap.LdapBatchDto;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -40,6 +44,7 @@ import org.slf4j.LoggerFactory;
 import javax.naming.OperationNotSupportedException;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.LinkedList;
@@ -157,13 +162,19 @@ public class LdapSyncEventResourceProvider extends AbstractControllerResourcePro
    */
   public LdapSyncEventResourceProvider(AmbariManagementController managementController) {
     super(propertyIds, keyPropertyIds, managementController);
+
+    EnumSet<RoleAuthorization> roleAuthorizations =
+        EnumSet.of(RoleAuthorization.AMBARI_MANAGE_GROUPS, RoleAuthorization.AMBARI_MANAGE_USERS);
+
+    setRequiredCreateAuthorizations(roleAuthorizations);
+    setRequiredDeleteAuthorizations(roleAuthorizations);
   }
 
 
   // ----- ResourceProvider --------------------------------------------------
 
   @Override
-  public RequestStatus createResources(Request event)
+  public RequestStatus createResourcesAuthorized(Request event)
       throws SystemException, UnsupportedPropertyException,
       ResourceAlreadyExistsException, NoSuchParentResourceException {
     Set<LdapSyncEventEntity> newEvents = new HashSet<LdapSyncEventEntity>();
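Review bot: The constructor now requires AMBARI_MANAGE_GROUPS and AMBARI_MANAGE_USERS for both create and delete, but nothing in the hunk says whether setRequiredCreateAuthorizations treats that set as any-of or all-of; given that getCreateCommand later checks each spec's principal type individually, the intent appears to be a coarse any-of gate here with the fine-grained check deferred. A comment on the `roleAuthorizations` declaration would make that contract explicit, e.g. `// Coarse gate for the provider: the per-spec users/groups check is done in getCreateCommand.` The body of createResourcesAuthorized continues past the hunk.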
@@ -208,7 +219,7 @@ public class LdapSyncEventResourceProvider extends AbstractControllerResourcePro
   }
 
   @Override
-  public RequestStatus deleteResources(Predicate predicate)
+  public RequestStatus deleteResourcesAuthorized(Predicate predicate)
       throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
     modifyResources(getDeleteCommand(predicate));
     notifyDelete(Resource.Type.ViewInstance, predicate);
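Review bot: deleteResourcesAuthorized relies only on the provider-level authorizations set in the constructor, so there is no per-principal-type check on delete comparable to the one create receives; a caller holding only AMBARI_MANAGE_USERS can presumably delete group-sync events as well. If that is intended, state it, e.g. `// Delete is gated only by the provider-level authorizations; no per-spec check here.` Separately, the unchanged `notifyDelete(Resource.Type.ViewInstance, predicate)` in an LDAP sync event provider looks like a copy-paste leftover worth a look, although it predates this change. The method body continues past the hunk.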
@@ -344,10 +355,22 @@ public class LdapSyncEventResourceProvider extends AbstractControllerResourcePro
   private Command<LdapSyncEventEntity> getCreateCommand(final Map<String, Object> properties) {
     return new Command<LdapSyncEventEntity>() {
       @Override
-      public LdapSyncEventEntity invoke() throws AmbariException {
+      public LdapSyncEventEntity invoke() throws AmbariException, AuthorizationException {
 
         LdapSyncEventEntity eventEntity = toEntity(properties);
 
+        for (LdapSyncSpecEntity ldapSyncSpecEntity : eventEntity.getSpecs()) {
+          if (ldapSyncSpecEntity.getPrincipalType() == LdapSyncSpecEntity.PrincipalType.USERS) {
+            if (!AuthorizationHelper.isAuthorized(ResourceType.AMBARI, null, RoleAuthorization.AMBARI_MANAGE_USERS)) {
+              throw new AuthorizationException("The uthenticated user is not authorized to syng LDAP users");
+            }
+          } else {
+            if (!AuthorizationHelper.isAuthorized(ResourceType.AMBARI, null, RoleAuthorization.AMBARI_MANAGE_GROUPS)) {
+              throw new AuthorizationException("The uthenticated user is not authorized to syng LDAP groups");
+            }
+          }
+        }
+
         events.put(eventEntity.getId(), eventEntity);
 
         return eventEntity;
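Review bot: Both new exception messages are user-facing and misspelled (`uthenticated`, `syng`); they should read `throw new AuthorizationException("The authenticated user is not authorized to sync LDAP users");` and `throw new AuthorizationException("The authenticated user is not authorized to sync LDAP groups");`. The else branch also treats every principal type other than USERS as a group sync, which is only correct if PrincipalType has exactly those two values; if it can grow, an explicit comparison against the GROUPS value with a rejecting default would be safer. A one-line comment above the loop explaining why the check is repeated here despite the constructor-level gate (each spec is authorized against its own principal type) would help the next reader. The anonymous Command in getCreateCommand continues past the hunk.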

http://git-wip-us.apache.org/repos/asf/ambari/blob/155ae855/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/LdapSyncEventResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/LdapSyncEventResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/LdapSyncEventResourceProviderTest.java
index 523753d..8a12c13 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/LdapSyncEventResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/LdapSyncEventResourceProviderTest.java
@@ -22,8 +22,11 @@ import org.apache.ambari.server.controller.AmbariManagementController;
 import org.apache.ambari.server.controller.spi.Request;
 import org.apache.ambari.server.controller.spi.Resource;
 import org.apache.ambari.server.controller.utilities.PropertyHelper;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
 import org.junit.Assert;
+import org.junit.BeforeClass;
 import org.junit.Test;
+import org.springframework.security.core.context.SecurityContextHolder;
 
 import java.util.HashMap;
 import java.util.HashSet;
@@ -37,6 +40,13 @@ import static org.easymock.EasyMock.createNiceMock;
  * LdapSyncEventResourceProvider tests.
  */
 public class LdapSyncEventResourceProviderTest {
+
+  @BeforeClass
+  public static void setupAuthentication() {
+    // Set authenticated user so that authorization checks will pass
+    SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
+  }
+
   @Test
   public void testCreateResources() throws Exception {
     AmbariManagementController amc = createMock(AmbariManagementController.class);
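Review bot: The new @BeforeClass installs an administrator Authentication in the static SecurityContextHolder and nothing clears it, so it can leak into other test classes executed in the same JVM; pair it with `@AfterClass public static void clearAuthentication() { SecurityContextHolder.clearContext(); }`. The commit also adds no negative case: a test that authenticates as a user lacking AMBARI_MANAGE_USERS and AMBARI_MANAGE_GROUPS and asserts that createResources is rejected would actually exercise the authorization added to LdapSyncEventResourceProvider, whereas the administrator setup only confirms the happy path still works. The test class continues past the hunk.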