Posted to issues@ambari.apache.org by "Keta Patel (JIRA)" <ji...@apache.org> on 2017/05/08 16:52:04 UTC

[jira] [Commented] (AMBARI-20769) Recommission fails for Cluster Operators, Service Administrators and Service Operators

    [ https://issues.apache.org/jira/browse/AMBARI-20769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16001078#comment-16001078 ] 

Keta Patel commented on AMBARI-20769:
-------------------------------------

Hello Robert,
I kindly request you to please share your input on this issue of Recommission of nodes. 
I have the following question about the authorization granted to CLUSTER.ADMINISTRATOR and CLUSTER.USER in the class AmbariAuthorizationFilter (ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java).
The URI used in the recommission request is "/api/v1/clusters/<cluster name>/requests". 
Please refer to the image attached as "AMBARI-20769-codeSnippet.png". The 2 red boxes show why the Ambari Admins and users with Cluster Administrator roles are authorized to Recommission nodes. 

For all the other roles, the response returned is "403. You do not have permissions to access this resource.". Please refer to the screenshot of the code attached as "AMBARI-20769-codeSnippet-for-error.png".

As per the services that various roles are authorized to perform, CLUSTER.OPERATOR, SERVICE.ADMINISTRATOR and SERVICE.OPERATOR must also be allowed to perform recommission.
1. Then why does the code allow only CLUSTER.ADMINISTRATOR and CLUSTER.USER roles? Why is CLUSTER.OPERATOR not included in the list to access API_CLUSTERS_ALL_PATTERN URI?
2. How should we handle the accessibility for SERVICE.ADMINISTRATOR and SERVICE.OPERATOR roles? Will it be correct to check for these roles under the API_CLUSTERS_ALL_PATTERN URI umbrella?

Kindly please share your thoughts on my investigation.
Thank you,
Keta

> Recommission fails for Cluster Operators, Service Administrators and Service Operators
> --------------------------------------------------------------------------------------
>
>                 Key: AMBARI-20769
>                 URL: https://issues.apache.org/jira/browse/AMBARI-20769
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: trunk, 2.5.0
>            Reporter: Keta Patel
>            Assignee: Keta Patel
>         Attachments: AMBARI-20769-codeSnippet-for-error.png, AMBARI-20769-codeSnippet.png
>
>
> Steps to reproduce:
> 1. Create 4 local users and assign one to each of the following roles:
>  - Cluster Administrator
>  - Cluster Operator
>  - Service Administrator
>  - Service Operator
> 2. Log out and log back in as one of the above created users.
> 3. Decommission a node, the operation is successful with the Background Operation pop-up showing the decommissioning operation being performed.
> 4. Recommission that node. Only the Ambari Admin and Cluster Administrator are able to successfully perform this step. For the rest of the roles mentioned in step-1, you will see the following behavior:
>  - The background operation pop-up shows up with "0 Operations" in progress.
>  - The background operation pop-up disappears and you see the login page momentarily.
>  - The main Dashboard is seen immediately after that and the node is still in the "Decommissioned" state.
> Desired Behavior:
> All the roles mentioned in step-1 must be able to successfully recommission the nodes.


