You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2016/10/20 13:48:58 UTC

[jira] [Updated] (AMBARI-18635) Authorizations given to roles, should use generic role-based principals rather than hard-coded pseudo-role-based principals

     [ https://issues.apache.org/jira/browse/AMBARI-18635?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Levas updated AMBARI-18635:
----------------------------------
    Fix Version/s:     (was: 2.5.0)
                   2.4.2

> Authorizations given to roles, should use generic role-based principals rather than hard-coded pseudo-role-based principals
> ---------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-18635
>                 URL: https://issues.apache.org/jira/browse/AMBARI-18635
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.4.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>             Fix For: 2.4.2
>
>         Attachments: AMBARI-18635_branch-2.4_01.patch, AMBARI-18635_branch-2.5_01.patch
>
>
> Authorizations given to roles, should use generic role-based principals rather than hard-coded resource types.  
> Access to views can be assigned to all users with a given role.  The implementation for this lead to the creation of hard-coded principals that represent the current set of roles. This is not dynamic enough for possibly future enhancements where new roles may be created by administrators. 
> This needs to be changed such that rather that using the hard-coded pseudo-role-principals, the dynamically generated role-principals are to be used.
> The hard-coded pseudo-role-principals have the following {{adminprincipaltype}} values as opposed to "ROLE":
> * ALL.CLUSTER.ADMINISTRATOR
> * ALL.CLUSTER.OPERATOR
> * ALL.SERVICE.ADMINISTRATOR
> * ALL.SERVICE.OPERATOR
> * ALL.CLUSTER.USER
> These should be removed along with the associated {{adminprincipal}} records. 
> Also, the FE should be updated to set permissions using the dynamic role-principals.
> Finally, code should be cleaned up to remove unneeded code in 
> * org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper
> * org.apache.ambari.server.controller.internal.GroupPrivilegeResourceProvider#getResources
> * org.apache.ambari.server.controller.internal.PrivilegeResourceProvider#toEntity
> * org.apache.ambari.server.controller.internal.UserPrivilegeResourceProvider#getResources
> * org.apache.ambari.server.security.authorization.AuthorizationHelper#isAuthorized
> * org.apache.ambari.server.view.ViewRegistry#addClusterInheritedPermissions
> * ...



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)