You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ambari.apache.org by rl...@apache.org on 2015/11/20 14:37:03 UTC
[1/2] ambari git commit: AMBARI-13947. Create base infrastructure to
allow for granular role based access control (rlevas)
Repository: ambari
Updated Branches:
refs/heads/trunk 45fe1f071 -> aec920c39
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/test/java/org/apache/ambari/server/orm/TestOrmImpl.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/orm/TestOrmImpl.java b/ambari-server/src/test/java/org/apache/ambari/server/orm/TestOrmImpl.java
index 27f6897..ce1c7e6 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/orm/TestOrmImpl.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/orm/TestOrmImpl.java
@@ -46,6 +46,7 @@ import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import org.apache.ambari.server.orm.entities.StackEntity;
import org.apache.ambari.server.orm.entities.StageEntity;
+import org.apache.ambari.server.security.authorization.ResourceType;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
@@ -89,11 +90,11 @@ public class TestOrmImpl extends Assert {
ResourceTypeDAO resourceTypeDAO = injector.getInstance(ResourceTypeDAO.class);
// create an admin resource to represent this cluster
- ResourceTypeEntity resourceTypeEntity = resourceTypeDAO.findById(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
+ ResourceTypeEntity resourceTypeEntity = resourceTypeDAO.findById(ResourceType.CLUSTER.getId());
if (resourceTypeEntity == null) {
resourceTypeEntity = new ResourceTypeEntity();
- resourceTypeEntity.setId(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
- resourceTypeEntity.setName(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE_NAME);
+ resourceTypeEntity.setId(ResourceType.CLUSTER.getId());
+ resourceTypeEntity.setName(ResourceType.CLUSTER.name());
resourceTypeEntity = resourceTypeDAO.merge(resourceTypeEntity);
}
@@ -292,11 +293,11 @@ public class TestOrmImpl extends Assert {
final StackEntity stackEntity = stackDAO.find("HDP", "2.2.0");
// create an admin resource to represent this cluster
- ResourceTypeEntity resourceTypeEntity = resourceTypeDAO.findById(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
+ ResourceTypeEntity resourceTypeEntity = resourceTypeDAO.findById(ResourceType.CLUSTER.getId());
if (resourceTypeEntity == null) {
resourceTypeEntity = new ResourceTypeEntity();
- resourceTypeEntity.setId(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
- resourceTypeEntity.setName(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE_NAME);
+ resourceTypeEntity.setId(ResourceType.CLUSTER.getId());
+ resourceTypeEntity.setName(ResourceType.CLUSTER.name());
resourceTypeEntity = resourceTypeDAO.merge(resourceTypeEntity);
}
ResourceEntity resourceEntity = new ResourceEntity();
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/ConfigGroupDAOTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/ConfigGroupDAOTest.java b/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/ConfigGroupDAOTest.java
index 53af8a5..33e2636 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/ConfigGroupDAOTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/ConfigGroupDAOTest.java
@@ -39,6 +39,7 @@ import org.apache.ambari.server.orm.entities.HostEntity;
import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import org.apache.ambari.server.orm.entities.StackEntity;
+import org.apache.ambari.server.security.authorization.ResourceType;
import org.apache.ambari.server.state.host.HostFactory;
import org.junit.After;
import org.junit.Before;
@@ -90,11 +91,11 @@ public class ConfigGroupDAOTest {
ConfigGroupEntity configGroupEntity = new ConfigGroupEntity();
// create an admin resource to represent this cluster
- ResourceTypeEntity resourceTypeEntity = resourceTypeDAO.findById(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
+ ResourceTypeEntity resourceTypeEntity = resourceTypeDAO.findById(ResourceType.CLUSTER.getId());
if (resourceTypeEntity == null) {
resourceTypeEntity = new ResourceTypeEntity();
- resourceTypeEntity.setId(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
- resourceTypeEntity.setName(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE_NAME);
+ resourceTypeEntity.setId(ResourceType.CLUSTER.getId());
+ resourceTypeEntity.setName(ResourceType.CLUSTER.name());
resourceTypeEntity = resourceTypeDAO.merge(resourceTypeEntity);
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/HostVersionDAOTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/HostVersionDAOTest.java b/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/HostVersionDAOTest.java
index 7642603..e8e5d20 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/HostVersionDAOTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/HostVersionDAOTest.java
@@ -27,6 +27,7 @@ import org.apache.ambari.server.orm.GuiceJpaInitializer;
import org.apache.ambari.server.orm.InMemoryDefaultTestModule;
import org.apache.ambari.server.orm.OrmTestHelper;
import org.apache.ambari.server.orm.entities.*;
+import org.apache.ambari.server.security.authorization.ResourceType;
import org.apache.ambari.server.state.RepositoryVersionState;
import org.apache.ambari.server.state.StackId;
import org.junit.After;
@@ -88,8 +89,8 @@ public class HostVersionDAOTest {
// Create the cluster
ResourceTypeEntity resourceTypeEntity = new ResourceTypeEntity();
- resourceTypeEntity.setId(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
- resourceTypeEntity.setName(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE_NAME);
+ resourceTypeEntity.setId(ResourceType.CLUSTER.getId());
+ resourceTypeEntity.setName(ResourceType.CLUSTER.name());
resourceTypeEntity = resourceTypeDAO.merge(resourceTypeEntity);
ResourceEntity resourceEntity = new ResourceEntity();
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/RequestDAOTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/RequestDAOTest.java b/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/RequestDAOTest.java
index edc1428..384ef31 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/RequestDAOTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/RequestDAOTest.java
@@ -40,6 +40,7 @@ import org.apache.ambari.server.orm.entities.RequestEntity;
import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import org.apache.ambari.server.orm.entities.StageEntity;
+import org.apache.ambari.server.security.authorization.ResourceType;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
@@ -143,8 +144,8 @@ public class RequestDAOTest {
String hostName = "test_host1";
ResourceTypeEntity resourceTypeEntity = new ResourceTypeEntity();
- resourceTypeEntity.setId(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
- resourceTypeEntity.setName(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE_NAME);
+ resourceTypeEntity.setId(ResourceType.CLUSTER.getId());
+ resourceTypeEntity.setName(ResourceType.CLUSTER.name());
ResourceEntity resourceEntity = new ResourceEntity();
resourceEntity.setResourceType(resourceTypeEntity);
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/RequestScheduleDAOTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/RequestScheduleDAOTest.java b/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/RequestScheduleDAOTest.java
index 75b937c..997a8c3 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/RequestScheduleDAOTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/RequestScheduleDAOTest.java
@@ -32,6 +32,7 @@ import org.apache.ambari.server.orm.entities.RequestScheduleEntity;
import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import org.apache.ambari.server.orm.entities.StackEntity;
+import org.apache.ambari.server.security.authorization.ResourceType;
import org.apache.ambari.server.state.scheduler.BatchRequest;
import org.junit.After;
import org.junit.Before;
@@ -77,11 +78,11 @@ public class RequestScheduleDAOTest {
RequestScheduleEntity scheduleEntity = new RequestScheduleEntity();
// create an admin resource to represent this cluster
- ResourceTypeEntity resourceTypeEntity = resourceTypeDAO.findById(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
+ ResourceTypeEntity resourceTypeEntity = resourceTypeDAO.findById(ResourceType.CLUSTER.getId());
if (resourceTypeEntity == null) {
resourceTypeEntity = new ResourceTypeEntity();
- resourceTypeEntity.setId(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
- resourceTypeEntity.setName(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE_NAME);
+ resourceTypeEntity.setId(ResourceType.CLUSTER.getId());
+ resourceTypeEntity.setName(ResourceType.CLUSTER.name());
resourceTypeEntity = resourceTypeDAO.merge(resourceTypeEntity);
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/ServiceConfigDAOTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/ServiceConfigDAOTest.java b/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/ServiceConfigDAOTest.java
index 7873abb..78461dc 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/ServiceConfigDAOTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/orm/dao/ServiceConfigDAOTest.java
@@ -39,6 +39,7 @@ import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import org.apache.ambari.server.orm.entities.ServiceConfigEntity;
import org.apache.ambari.server.orm.entities.StackEntity;
+import org.apache.ambari.server.security.authorization.ResourceType;
import org.apache.ambari.server.state.StackId;
import org.apache.ambari.server.state.cluster.ClusterImpl;
import org.junit.After;
@@ -88,11 +89,11 @@ public class ServiceConfigDAOTest {
throws Exception {
// create an admin resource to represent this cluster
- ResourceTypeEntity resourceTypeEntity = resourceTypeDAO.findById(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
+ ResourceTypeEntity resourceTypeEntity = resourceTypeDAO.findById(ResourceType.CLUSTER.getId());
if (resourceTypeEntity == null) {
resourceTypeEntity = new ResourceTypeEntity();
- resourceTypeEntity.setId(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
- resourceTypeEntity.setName(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE_NAME);
+ resourceTypeEntity.setId(ResourceType.CLUSTER.getId());
+ resourceTypeEntity.setName(ResourceType.CLUSTER.name());
resourceTypeEntity = resourceTypeDAO.merge(resourceTypeEntity);
}
@@ -621,11 +622,11 @@ public class ServiceConfigDAOTest {
ConfigGroupEntity configGroupEntity = new ConfigGroupEntity();
- ResourceTypeEntity resourceTypeEntity = resourceTypeDAO.findById(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
+ ResourceTypeEntity resourceTypeEntity = resourceTypeDAO.findById(ResourceType.CLUSTER.getId());
if (resourceTypeEntity == null) {
resourceTypeEntity = new ResourceTypeEntity();
- resourceTypeEntity.setId(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
- resourceTypeEntity.setName(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE_NAME);
+ resourceTypeEntity.setId(ResourceType.CLUSTER.getId());
+ resourceTypeEntity.setName(ResourceType.CLUSTER.name());
resourceTypeEntity = resourceTypeDAO.merge(resourceTypeEntity);
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
index c094934..bd1d12b 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p/>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p/>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -18,9 +18,14 @@
package org.apache.ambari.server.security.authorization;
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Collection;
+import java.util.Collections;
+import java.util.EnumSet;
import java.util.HashSet;
import java.util.Set;
@@ -30,11 +35,13 @@ import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
+import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity;
import org.junit.Assert;
import org.junit.Test;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
public class AuthorizationHelperTest {
@@ -103,12 +110,179 @@ public class AuthorizationHelperTest {
public void testAuthName() throws Exception {
String user = AuthorizationHelper.getAuthenticatedName();
Assert.assertNull(user);
-
- Authentication auth = new UsernamePasswordAuthenticationToken("admin",null);
+
+ Authentication auth = new UsernamePasswordAuthenticationToken("admin", null);
SecurityContextHolder.getContext().setAuthentication(auth);
user = AuthorizationHelper.getAuthenticatedName();
Assert.assertEquals("admin", user);
-
+
+ }
+
+ @Test
+ public void testIsAuthorized() {
+ RoleAuthorizationEntity readOnlyRoleAuthorizationEntity = new RoleAuthorizationEntity();
+ readOnlyRoleAuthorizationEntity.setAuthorizationId(RoleAuthorization.CLUSTER_VIEW_METRICS.getId());
+
+ RoleAuthorizationEntity privilegedRoleAuthorizationEntity = new RoleAuthorizationEntity();
+ privilegedRoleAuthorizationEntity.setAuthorizationId(RoleAuthorization.CLUSTER_TOGGLE_KERBEROS.getId());
+
+ RoleAuthorizationEntity administratorRoleAuthorizationEntity = new RoleAuthorizationEntity();
+ administratorRoleAuthorizationEntity.setAuthorizationId(RoleAuthorization.AMBARI_MANAGE_USERS.getId());
+
+ ResourceTypeEntity clusterResourceTypeEntity = new ResourceTypeEntity();
+ clusterResourceTypeEntity.setId(ResourceType.CLUSTER.getId());
+ clusterResourceTypeEntity.setName(ResourceType.CLUSTER.name());
+
+ ResourceEntity clusterResourceEntity = new ResourceEntity();
+ clusterResourceEntity.setResourceType(clusterResourceTypeEntity);
+ clusterResourceEntity.setId(1L);
+
+ ResourceEntity cluster2ResourceEntity = new ResourceEntity();
+ cluster2ResourceEntity.setResourceType(clusterResourceTypeEntity);
+ cluster2ResourceEntity.setId(2L);
+
+ PermissionEntity readOnlyPermissionEntity = new PermissionEntity();
+ readOnlyPermissionEntity.setAuthorizations(Collections.singleton(readOnlyRoleAuthorizationEntity));
+
+ PermissionEntity privilegedPermissionEntity = new PermissionEntity();
+ privilegedPermissionEntity.setAuthorizations(Arrays.asList(readOnlyRoleAuthorizationEntity,
+ privilegedRoleAuthorizationEntity));
+
+ PermissionEntity administratorPermissionEntity = new PermissionEntity();
+ administratorPermissionEntity.setAuthorizations(Arrays.asList(readOnlyRoleAuthorizationEntity,
+ privilegedRoleAuthorizationEntity,
+ administratorRoleAuthorizationEntity));
+
+ PrivilegeEntity readOnlyPrivilegeEntity = new PrivilegeEntity();
+ readOnlyPrivilegeEntity.setPermission(readOnlyPermissionEntity);
+ readOnlyPrivilegeEntity.setResource(clusterResourceEntity);
+
+ PrivilegeEntity readOnly2PrivilegeEntity = new PrivilegeEntity();
+ readOnly2PrivilegeEntity.setPermission(readOnlyPermissionEntity);
+ readOnly2PrivilegeEntity.setResource(cluster2ResourceEntity);
+
+ PrivilegeEntity privilegedPrivilegeEntity = new PrivilegeEntity();
+ privilegedPrivilegeEntity.setPermission(privilegedPermissionEntity);
+ privilegedPrivilegeEntity.setResource(clusterResourceEntity);
+
+ PrivilegeEntity privileged2PrivilegeEntity = new PrivilegeEntity();
+ privileged2PrivilegeEntity.setPermission(privilegedPermissionEntity);
+ privileged2PrivilegeEntity.setResource(cluster2ResourceEntity);
+
+ PrivilegeEntity administratorPrivilegeEntity = new PrivilegeEntity();
+ administratorPrivilegeEntity.setPermission(administratorPermissionEntity);
+ administratorPrivilegeEntity.setResource(clusterResourceEntity);
+
+ GrantedAuthority readOnlyAuthority = new AmbariGrantedAuthority(readOnlyPrivilegeEntity);
+ GrantedAuthority readOnly2Authority = new AmbariGrantedAuthority(readOnly2PrivilegeEntity);
+ GrantedAuthority privilegedAuthority = new AmbariGrantedAuthority(privilegedPrivilegeEntity);
+ GrantedAuthority privileged2Authority = new AmbariGrantedAuthority(privileged2PrivilegeEntity);
+ GrantedAuthority administratorAuthority = new AmbariGrantedAuthority(administratorPrivilegeEntity);
+
+ Authentication noAccessUser = new TestAuthentication(Collections.<AmbariGrantedAuthority>emptyList());
+ Authentication readOnlyUser = new TestAuthentication(Collections.singleton(readOnlyAuthority));
+ Authentication privilegedUser = new TestAuthentication(Arrays.asList(readOnlyAuthority, privilegedAuthority));
+ Authentication privileged2User = new TestAuthentication(Arrays.asList(readOnly2Authority, privileged2Authority));
+ Authentication administratorUser = new TestAuthentication(Collections.singleton(administratorAuthority));
+
+ SecurityContext context = SecurityContextHolder.getContext();
+
+ // No user (explicit)...
+ assertFalse(AuthorizationHelper.isAuthorized(null, ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.CLUSTER_VIEW_METRICS)));
+
+ // No user (from context)
+ assertFalse(AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.CLUSTER_VIEW_METRICS)));
+
+ // Explicit user tests...
+ assertFalse(AuthorizationHelper.isAuthorized(noAccessUser, ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.CLUSTER_VIEW_METRICS)));
+ assertFalse(AuthorizationHelper.isAuthorized(noAccessUser, ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.CLUSTER_TOGGLE_KERBEROS)));
+ assertFalse(AuthorizationHelper.isAuthorized(noAccessUser, ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.AMBARI_MANAGE_USERS)));
+
+ assertTrue(AuthorizationHelper.isAuthorized(readOnlyUser, ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.CLUSTER_VIEW_METRICS)));
+ assertFalse(AuthorizationHelper.isAuthorized(readOnlyUser, ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.CLUSTER_TOGGLE_KERBEROS)));
+ assertFalse(AuthorizationHelper.isAuthorized(readOnlyUser, ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.AMBARI_MANAGE_USERS)));
+
+ assertTrue(AuthorizationHelper.isAuthorized(privilegedUser, ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.CLUSTER_VIEW_METRICS)));
+ assertTrue(AuthorizationHelper.isAuthorized(privilegedUser, ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.CLUSTER_TOGGLE_KERBEROS)));
+ assertFalse(AuthorizationHelper.isAuthorized(privilegedUser, ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.AMBARI_MANAGE_USERS)));
+
+ assertFalse(AuthorizationHelper.isAuthorized(privileged2User, ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.CLUSTER_VIEW_METRICS)));
+ assertFalse(AuthorizationHelper.isAuthorized(privileged2User, ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.CLUSTER_TOGGLE_KERBEROS)));
+ assertFalse(AuthorizationHelper.isAuthorized(privileged2User, ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.AMBARI_MANAGE_USERS)));
+
+ assertTrue(AuthorizationHelper.isAuthorized(administratorUser, ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.CLUSTER_VIEW_METRICS)));
+ assertTrue(AuthorizationHelper.isAuthorized(administratorUser, ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.CLUSTER_TOGGLE_KERBEROS)));
+ assertTrue(AuthorizationHelper.isAuthorized(administratorUser, ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.AMBARI_MANAGE_USERS)));
+
+ // Context user tests...
+ context.setAuthentication(noAccessUser);
+ assertFalse(AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.CLUSTER_VIEW_METRICS)));
+ assertFalse(AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.CLUSTER_TOGGLE_KERBEROS)));
+ assertFalse(AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.CLUSTER_TOGGLE_KERBEROS)));
+
+ context.setAuthentication(readOnlyUser);
+ assertTrue(AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.CLUSTER_VIEW_METRICS)));
+ assertFalse(AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.CLUSTER_TOGGLE_KERBEROS)));
+ assertFalse(AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.AMBARI_MANAGE_USERS)));
+
+ context.setAuthentication(privilegedUser);
+ assertTrue(AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.CLUSTER_VIEW_METRICS)));
+ assertTrue(AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.CLUSTER_TOGGLE_KERBEROS)));
+ assertFalse(AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.AMBARI_MANAGE_USERS)));
+
+ context.setAuthentication(privileged2User);
+ assertFalse(AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.CLUSTER_VIEW_METRICS)));
+ assertFalse(AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.CLUSTER_TOGGLE_KERBEROS)));
+ assertFalse(AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.AMBARI_MANAGE_USERS)));
+
+ context.setAuthentication(administratorUser);
+ assertTrue(AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.CLUSTER_VIEW_METRICS)));
+ assertTrue(AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.CLUSTER_TOGGLE_KERBEROS)));
+ assertTrue(AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, 1L, EnumSet.of(RoleAuthorization.AMBARI_MANAGE_USERS)));
+ }
+
+ private class TestAuthentication implements Authentication {
+ private final Collection<? extends GrantedAuthority> grantedAuthorities;
+
+ public TestAuthentication(Collection<? extends GrantedAuthority> grantedAuthorities) {
+ this.grantedAuthorities = grantedAuthorities;
+ }
+
+
+ @Override
+ public Collection<? extends GrantedAuthority> getAuthorities() {
+ return grantedAuthorities;
+ }
+
+ @Override
+ public Object getCredentials() {
+ return null;
+ }
+
+ @Override
+ public Object getDetails() {
+ return null;
+ }
+
+ @Override
+ public Object getPrincipal() {
+ return null;
+ }
+
+ @Override
+ public boolean isAuthenticated() {
+ return true;
+ }
+
+ @Override
+ public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
+
+ }
+
+ @Override
+ public String getName() {
+ return null;
+ }
}
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java
index a2a94ed..ad8cce1 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java
@@ -99,8 +99,8 @@ public class TestUsers {
// create admin permission
ResourceTypeEntity resourceTypeEntity = new ResourceTypeEntity();
- resourceTypeEntity.setId(ResourceTypeEntity.AMBARI_RESOURCE_TYPE);
- resourceTypeEntity.setName(ResourceTypeEntity.AMBARI_RESOURCE_TYPE_NAME);
+ resourceTypeEntity.setId(ResourceType.AMBARI.getId());
+ resourceTypeEntity.setName(ResourceType.AMBARI.name());
resourceTypeDAO.create(resourceTypeEntity);
ResourceEntity resourceEntity = new ResourceEntity();
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/test/java/org/apache/ambari/server/state/cluster/ClusterTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/state/cluster/ClusterTest.java b/ambari-server/src/test/java/org/apache/ambari/server/state/cluster/ClusterTest.java
index b2e2d68..fd578be 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/state/cluster/ClusterTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/state/cluster/ClusterTest.java
@@ -75,6 +75,7 @@ import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import org.apache.ambari.server.orm.entities.ServiceDesiredStateEntity;
import org.apache.ambari.server.orm.entities.StackEntity;
+import org.apache.ambari.server.security.authorization.ResourceType;
import org.apache.ambari.server.state.AgentVersion;
import org.apache.ambari.server.state.Cluster;
import org.apache.ambari.server.state.Clusters;
@@ -213,11 +214,11 @@ public class ClusterTest {
String clusterName = "c1";
- ResourceTypeEntity resourceTypeEntity = resourceTypeDAO.findById(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
+ ResourceTypeEntity resourceTypeEntity = resourceTypeDAO.findById(ResourceType.CLUSTER.getId());
if (resourceTypeEntity == null) {
resourceTypeEntity = new ResourceTypeEntity();
- resourceTypeEntity.setId(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
- resourceTypeEntity.setName(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE_NAME);
+ resourceTypeEntity.setId(ResourceType.CLUSTER.getId());
+ resourceTypeEntity.setName(ResourceType.CLUSTER.name());
resourceTypeEntity = resourceTypeDAO.merge(resourceTypeEntity);
}
ResourceEntity resourceEntity = new ResourceEntity();
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalogHelper.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalogHelper.java b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalogHelper.java
index 19c0c7f..4c48972 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalogHelper.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalogHelper.java
@@ -35,6 +35,7 @@ import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import org.apache.ambari.server.orm.entities.ServiceComponentDesiredStateEntity;
import org.apache.ambari.server.orm.entities.ServiceDesiredStateEntity;
import org.apache.ambari.server.orm.entities.StackEntity;
+import org.apache.ambari.server.security.authorization.ResourceType;
import org.apache.ambari.server.state.HostComponentAdminState;
import org.apache.ambari.server.state.State;
@@ -60,11 +61,11 @@ public class UpgradeCatalogHelper {
ResourceTypeDAO resourceTypeDAO = injector.getInstance(ResourceTypeDAO.class);
// create an admin resource to represent this cluster
- ResourceTypeEntity resourceTypeEntity = resourceTypeDAO.findById(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
+ ResourceTypeEntity resourceTypeEntity = resourceTypeDAO.findById(ResourceType.CLUSTER.getId());
if (resourceTypeEntity == null) {
resourceTypeEntity = new ResourceTypeEntity();
- resourceTypeEntity.setId(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
- resourceTypeEntity.setName(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE_NAME);
+ resourceTypeEntity.setId(ResourceType.CLUSTER.getId());
+ resourceTypeEntity.setName(ResourceType.CLUSTER.name());
resourceTypeEntity = resourceTypeDAO.merge(resourceTypeEntity);
}
[2/2] ambari git commit: AMBARI-13947. Create base infrastructure to
allow for granular role based access control (rlevas)
Posted by rl...@apache.org.
AMBARI-13947. Create base infrastructure to allow for granular role based access control (rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/aec920c3
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/aec920c3
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/aec920c3
Branch: refs/heads/trunk
Commit: aec920c390718b0ace19a9055656ea69fc01175d
Parents: 45fe1f0
Author: Robert Levas <rl...@hortonworks.com>
Authored: Fri Nov 20 08:35:50 2015 -0500
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Fri Nov 20 08:36:55 2015 -0500
----------------------------------------------------------------------
.../ambari/server/api/query/QueryImpl.java | 4 +
.../server/controller/KerberosHelperImpl.java | 4 +
.../AbstractAuthorizedResourceProvider.java | 524 +++++++++++++++++++
.../AbstractControllerResourceProvider.java | 2 +-
.../AmbariPrivilegeResourceProvider.java | 35 +-
.../internal/UserPrivilegeResourceProvider.java | 19 +-
.../internal/ViewPrivilegeResourceProvider.java | 4 +-
.../server/orm/entities/ResourceTypeEntity.java | 14 -
.../authorization/AuthorizationException.java | 53 ++
.../authorization/AuthorizationHelper.java | 161 +++++-
.../security/authorization/ResourceType.java | 54 ++
.../authorization/RoleAuthorization.java | 112 ++++
.../internal/InternalAuthenticationToken.java | 32 +-
.../server/state/cluster/ClustersImpl.java | 7 +-
.../server/upgrade/UpgradeCatalog170.java | 3 +-
.../server/agent/TestHeartbeatHandler.java | 5 +-
...hYarnCapacitySchedulerReleaseConfigTest.java | 2 +-
.../AmbariPrivilegeResourceProviderTest.java | 13 +-
...ClusterStackVersionResourceProviderTest.java | 13 +-
.../UserPrivilegeResourceProviderTest.java | 3 +-
.../apache/ambari/server/orm/OrmTestHelper.java | 9 +-
.../apache/ambari/server/orm/TestOrmImpl.java | 13 +-
.../server/orm/dao/ConfigGroupDAOTest.java | 7 +-
.../server/orm/dao/HostVersionDAOTest.java | 5 +-
.../ambari/server/orm/dao/RequestDAOTest.java | 5 +-
.../server/orm/dao/RequestScheduleDAOTest.java | 7 +-
.../server/orm/dao/ServiceConfigDAOTest.java | 13 +-
.../authorization/AuthorizationHelperTest.java | 186 ++++++-
.../security/authorization/TestUsers.java | 4 +-
.../server/state/cluster/ClusterTest.java | 7 +-
.../server/upgrade/UpgradeCatalogHelper.java | 7 +-
31 files changed, 1216 insertions(+), 111 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/main/java/org/apache/ambari/server/api/query/QueryImpl.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/api/query/QueryImpl.java b/ambari-server/src/main/java/org/apache/ambari/server/api/query/QueryImpl.java
index cb22ddd..36ed189 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/api/query/QueryImpl.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/api/query/QueryImpl.java
@@ -58,6 +58,7 @@ import org.apache.ambari.server.controller.spi.TemporalInfo;
import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
import org.apache.ambari.server.controller.utilities.PredicateHelper;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -467,6 +468,9 @@ public class QueryImpl implements Query, ResourceInstance {
resourceSet.addAll(queryResources);
} catch (NoSuchResourceException e) {
// do nothing ...
+ } catch (AuthorizationException e) {
+ // do nothing, since the user does not have access to the data ...
+ LOG.debug("User does not have authorization to get {} resources. The data will not be added to the response.", resourceType.name());
}
subResource.queryResults.put(resource,
new QueryResult(request, queryPredicate, subResourcePredicate, map, new QueryResponseImpl(resourceSet)));
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
index d162eec..ec322b4 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
@@ -59,6 +59,7 @@ import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
import org.apache.ambari.server.controller.utilities.ClusterControllerHelper;
import org.apache.ambari.server.controller.utilities.PredicateBuilder;
import org.apache.ambari.server.metadata.RoleCommandOrder;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.security.SecurePasswordHelper;
import org.apache.ambari.server.security.credential.Credential;
import org.apache.ambari.server.security.credential.PrincipalKeyCredential;
@@ -562,6 +563,9 @@ public class KerberosHelperImpl implements KerberosHelper {
Set<Resource> response = null;
try {
response = artifactProvider.getResources(request, predicate);
+ } catch (AuthorizationException e) {
+ e.printStackTrace();
+ throw new AmbariException(e.getMessage(), e);
} catch (SystemException e) {
e.printStackTrace();
throw new AmbariException("An unknown error occurred while trying to obtain the cluster kerberos descriptor", e);
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractAuthorizedResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractAuthorizedResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractAuthorizedResourceProvider.java
new file mode 100644
index 0000000..0837a5d
--- /dev/null
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractAuthorizedResourceProvider.java
@@ -0,0 +1,524 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.controller.internal;
+
+import org.apache.ambari.server.controller.spi.NoSuchParentResourceException;
+import org.apache.ambari.server.controller.spi.NoSuchResourceException;
+import org.apache.ambari.server.controller.spi.Predicate;
+import org.apache.ambari.server.controller.spi.PropertyProvider;
+import org.apache.ambari.server.controller.spi.Request;
+import org.apache.ambari.server.controller.spi.RequestStatus;
+import org.apache.ambari.server.controller.spi.Resource;
+import org.apache.ambari.server.controller.spi.ResourceAlreadyExistsException;
+import org.apache.ambari.server.controller.spi.SystemException;
+import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.springframework.security.core.Authentication;
+
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * AbstractAuthorizedResourceProvider helps to provide an authorization layer for a resource provider.
+ * <p/>
+ * Resource providers that need to perform authorization checks should extend ths abstract class and
+ * then override the <code>*ResourcesAuthorized</code> methods and set the <code>required*Authorizations</code>
+ * properties. For more sophisticated authorization checks, the <code>isAuthorizedTo*Resources</code>
+ * methods may be overwritten.
+ * <p/>
+ * Additionally, the {@link AuthorizationHelper#isAuthorized(ResourceType, Long, Set)} or
+ * {@link AuthorizationHelper#verifyAuthorization(ResourceType, Long, Set)} methods may be called
+ * within the logic of the resource provider implementation to provide checks on particular resources.
+ *
+ * @see AuthorizationHelper
+ */
+public abstract class AbstractAuthorizedResourceProvider extends AbstractResourceProvider {
+
+ /**
+ * The set of authorizations for which one is needed to the grant access to <b>create</b> resources
+ * or a particular resource.
+ */
+ private Set<RoleAuthorization> requiredCreateAuthorizations = Collections.emptySet();
+
+ /**
+ * The set of authorizations for which one is needed to the grant access to <b>get</b> resources
+ * or a particular resource.
+ */
+ private Set<RoleAuthorization> requiredGetAuthorizations = Collections.emptySet();
+
+ /**
+ * The set of authorizations for which one is needed to the grant access to <b>update</b> resources
+ * or a particular resource.
+ */
+ private Set<RoleAuthorization> requiredUpdateAuthorizations = Collections.emptySet();
+
+ /**
+ * The set of authorizations for which one is needed to the grant access to <b>delete</b> resources
+ * or a particular resource.
+ */
+ private Set<RoleAuthorization> requiredDeleteAuthorizations = Collections.emptySet();
+
+ /**
+ * Constructor
+ *
+ * @param propertyIds the property ids
+ * @param keyPropertyIds the key property ids
+ */
+ protected AbstractAuthorizedResourceProvider(Set<String> propertyIds, Map<Resource.Type, String> keyPropertyIds) {
+ super(propertyIds, keyPropertyIds);
+ }
+
+ /**
+ * Gets the authorizations for which one is needed to the grant access to <b>create</b> resources
+ * or a particular resource.
+ * <p/>
+ * A null or empty set indicates no authorization check needs to be performed.
+ *
+ * @return a set of authorizations
+ */
+ public Set<RoleAuthorization> getRequiredCreateAuthorizations() {
+ return requiredCreateAuthorizations;
+ }
+
+ /**
+ * Sets the authorizations for which one is needed to the grant access to <b>create</b> resources
+ * or a particular resource.
+ * <p/>
+ * A null or empty set indicates no authorization check needs to be performed.
+ *
+ * @param requiredCreateAuthorizations a set of authorizations
+ */
+ public void setRequiredCreateAuthorizations(Set<RoleAuthorization> requiredCreateAuthorizations) {
+ this.requiredCreateAuthorizations = createUnmodifiableSet(requiredCreateAuthorizations);
+ }
+
+ /**
+ * Gets the authorizations for which one is needed to the grant access to <b>get</b> resources
+ * or a particular resource.
+ * <p/>
+ * A null or empty set indicates no authorization check needs to be performed.
+ *
+ * @return a set of authorizations
+ */
+ public Set<RoleAuthorization> getRequiredGetAuthorizations() {
+ return requiredGetAuthorizations;
+ }
+
+ /**
+ * Sets the authorizations for which one is needed to the grant access to <b>get</b> resources
+ * or a particular resource.
+ * <p/>
+ * A null or empty set indicates no authorization check needs to be performed.
+ *
+ * @param requiredGetAuthorizations a set of authorizations
+ */
+ public void setRequiredGetAuthorizations(Set<RoleAuthorization> requiredGetAuthorizations) {
+ this.requiredGetAuthorizations = createUnmodifiableSet(requiredGetAuthorizations);
+ }
+
+ /**
+ * Gets the authorizations for which one is needed to the grant access to <b>update</b> resources
+ * or a particular resource.
+ * <p/>
+ * A null or empty set indicates no authorization check needs to be performed.
+ *
+ * @return a set of authorizations
+ */
+ public Set<RoleAuthorization> getRequiredUpdateAuthorizations() {
+ return requiredUpdateAuthorizations;
+ }
+
+ /**
+ * Sets the authorizations for which one is needed to the grant access to <b>update</b> resources
+ * or a particular resource.
+ * <p/>
+ * A null or empty set indicates no authorization check needs to be performed.
+ *
+ * @param requiredUpdateAuthorizations a set of authorizations
+ */
+ public void setRequiredUpdateAuthorizations(Set<RoleAuthorization> requiredUpdateAuthorizations) {
+ this.requiredUpdateAuthorizations = createUnmodifiableSet(requiredUpdateAuthorizations);
+ }
+
+ /**
+ * Gets the authorizations for which one is needed to the grant access to <b>delete</b> resources
+ * or a particular resource.
+ * <p/>
+ * A null or empty set indicates no authorization check needs to be performed.
+ *
+ * @return a set of authorizations
+ */
+ public Set<RoleAuthorization> getRequiredDeleteAuthorizations() {
+ return requiredDeleteAuthorizations;
+ }
+
+ /**
+ * Sets the authorizations for which one is needed to the grant access to <b>delete</b> resources
+ * or a particular resource.
+ * <p/>
+ * A null or empty set indicates no authorization check needs to be performed.
+ *
+ * @param requiredDeleteAuthorizations a set of authorizations
+ */
+ public void setRequiredDeleteAuthorizations(Set<RoleAuthorization> requiredDeleteAuthorizations) {
+ this.requiredDeleteAuthorizations = createUnmodifiableSet(requiredDeleteAuthorizations);
+ }
+
+ // ----- ResourceProvider --------------------------------------------------
+
+ /**
+ * Create the resources defined by the properties in the given request object.
+ * <p/>
+ * This implementation attempts to authorize the authenticated user before performing the requested
+ * operation. If authorization fails, an AuthorizationException will be thrown.
+ * <p/>
+ * This method may be overwritten by implementing classes to avoid performing authorization checks
+ * to create resources.
+ *
+ * @param request the request object which defines the set of properties
+ * for the resources to be created
+ * @return the request status
+ * @throws SystemException an internal system exception occurred
+ * @throws UnsupportedPropertyException the request contains unsupported property ids
+ * @throws ResourceAlreadyExistsException attempted to create a resource which already exists
+ * @throws NoSuchParentResourceException a parent resource of the resource to create doesn't exist
+ * @throws AuthorizationException if the authenticated user is not authorized to perform this operation
+ */
+ @Override
+ public RequestStatus createResources(Request request)
+ throws SystemException, UnsupportedPropertyException, ResourceAlreadyExistsException, NoSuchParentResourceException {
+ Authentication authentication = AuthorizationHelper.getAuthentication();
+
+ if (authentication == null || !authentication.isAuthenticated()) {
+ throw new AuthorizationException("Authentication data is not available, authorization to perform the requested operation is not granted");
+ } else if (!isAuthorizedToCreateResources(authentication, request)) {
+ throw new AuthorizationException("The authenticated user does not have the appropriate authorizations to create the requested resource(s)");
+ }
+
+ return createResourcesAuthorized(request);
+ }
+
+ /**
+ * Get a set of {@link Resource resources} based on the given request and predicate
+ * information.
+ * </p>
+ * Note that it is not required for this resource provider to completely filter
+ * the set of resources based on the given predicate. It may not be possible
+ * since some of the properties involved may be provided by another
+ * {@link PropertyProvider provider}. This partial filtering is allowed because
+ * the predicate will always be applied by the calling cluster controller. The
+ * predicate is made available at this level so that some pre-filtering can be done
+ * as an optimization.
+ * </p>
+ * A simple implementation of a resource provider may choose to just return all of
+ * the resources of a given type and allow the calling cluster controller to filter
+ * based on the predicate.
+ * <p/>
+ * This implementation attempts to authorize the authenticated user before performing the requested
+ * operation. If authorization fails, an AuthorizationException will be thrown.
+ * <p/>
+ * This method may be overwritten by implementing classes to avoid performing authorization checks
+ * to get resources.
+ *
+ * @param request the request object which defines the desired set of properties
+ * @param predicate the predicate object which can be used to filter which
+ * resources are returned
+ * @return a set of resources based on the given request and predicate information
+ * @throws SystemException an internal system exception occurred
+ * @throws UnsupportedPropertyException the request contains unsupported property ids
+ * @throws NoSuchResourceException the requested resource instance doesn't exist
+ * @throws NoSuchParentResourceException a parent resource of the requested resource doesn't exist
+ * @throws AuthorizationException if the authenticated user is not authorized to perform this operation
+ */
+ @Override
+ public Set<Resource> getResources(Request request, Predicate predicate)
+ throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
+ Authentication authentication = AuthorizationHelper.getAuthentication();
+
+ if (authentication == null || !authentication.isAuthenticated()) {
+ throw new AuthorizationException("Authentication data is not available, authorization to perform the requested operation is not granted");
+ } else if (!isAuthorizedToGetResources(authentication, request, predicate)) {
+ throw new AuthorizationException("The authenticated user does not have the appropriate authorizations to get the requested resource(s)");
+ }
+
+ return getResourcesAuthorized(request, predicate);
+ }
+
+ /**
+ * Update the resources selected by the given predicate with the properties
+ * from the given request object.
+ * <p/>
+ * This implementation attempts to authorize the authenticated user before performing the requested
+ * operation. If authorization fails, an AuthorizationException will be thrown.
+ * <p/>
+ * This method may be overwritten by implementing classes to avoid performing authorization checks
+ * to update resources.
+ *
+ * @param request the request object which defines the set of properties
+ * for the resources to be updated
+ * @param predicate the predicate object which can be used to filter which
+ * resources are updated
+ * @return the request status
+ * @throws SystemException an internal system exception occurred
+ * @throws UnsupportedPropertyException the request contains unsupported property ids
+ * @throws NoSuchResourceException the resource instance to be updated doesn't exist
+ * @throws NoSuchParentResourceException a parent resource of the resource doesn't exist
+ * @throws AuthorizationException if the authenticated user is not authorized to perform this operation
+ */
+ @Override
+ public RequestStatus updateResources(Request request, Predicate predicate)
+ throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
+ Authentication authentication = AuthorizationHelper.getAuthentication();
+
+ if (authentication == null || !authentication.isAuthenticated()) {
+ throw new AuthorizationException("Authentication data is not available, authorization to perform the requested operation is not granted");
+ } else if (!isAuthorizedToUpdateResources(authentication, request, predicate)) {
+ throw new AuthorizationException("The authenticated user does not have the appropriate authorizations to update the requested resource(s)");
+ }
+
+ return updateResourcesAuthorized(request, predicate);
+ }
+
+ /**
+ * Delete the resources selected by the given predicate.
+ * <p/>
+ * This implementation attempts to authorize the authenticated user before performing the requested
+ * operation. If authorization fails, an AuthorizationException will be thrown.
+ * <p/>
+ * This method may be overwritten by implementing classes to avoid performing authorization checks
+ * to delete resources.
+ *
+ * @param predicate the predicate object which can be used to filter which
+ * resources are deleted
+ * @return the request status
+ * @throws SystemException an internal system exception occurred
+ * @throws UnsupportedPropertyException the request contains unsupported property ids
+ * @throws NoSuchResourceException the resource instance to be deleted doesn't exist
+ * @throws NoSuchParentResourceException a parent resource of the resource doesn't exist
+ * @throws AuthorizationException if the authenticated user is not authorized to perform this operation
+ */
+ @Override
+ public RequestStatus deleteResources(Predicate predicate)
+ throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
+ Authentication authentication = AuthorizationHelper.getAuthentication();
+
+ if (authentication == null || !authentication.isAuthenticated()) {
+ throw new AuthorizationException("Authentication data is not available, authorization to perform the requested operation is not granted");
+ } else if (!isAuthorizedToDeleteResources(authentication, predicate)) {
+ throw new AuthorizationException("The authenticated user does not have the appropriate authorizations to delete the requested resource(s)");
+ }
+
+ return deleteResourcesAuthorized(predicate);
+ }
+
+ // ----- ResourceProvider (end) --------------------------------------------
+
+ /**
+ * Create the resources defined by the properties in the given request object if authorization was
+ * granted to the authenticated user.
+ * <p/>
+ * This method must be overwritten if {@link #createResources(Request)} is not overwritten.
+ *
+ * @param request the request object which defines the set of properties for the resources to be created
+ * @return the request status
+ * @throws SystemException an internal system exception occurred
+ * @throws UnsupportedPropertyException the request contains unsupported property ids
+ * @throws ResourceAlreadyExistsException attempted to create a resource which already exists
+ * @throws NoSuchParentResourceException a parent resource of the resource to create doesn't exist
+ * @throws AuthorizationException if the authenticated user is not authorized to perform this operation
+ * @see #createResources(Request)
+ */
+ protected RequestStatus createResourcesAuthorized(Request request)
+ throws SystemException, UnsupportedPropertyException, ResourceAlreadyExistsException, NoSuchParentResourceException {
+ throw new UnsupportedOperationException("If createResources is not overwritten, then createResourcesAuthorized must be overwritten");
+ }
+
+ /**
+ * Tests authorization to create resources.
+ * <p/>
+ * Implementations should override this method to perform a more sophisticated authorization routine.
+ *
+ * @param authentication the authenticated user and associated access privileges
+ * @param request the request object which defines the set of properties for the resources to be created
+ * @return true if authorized; otherwise false
+ * @throws SystemException if an internal system exception occurred
+ */
+ protected boolean isAuthorizedToCreateResources(Authentication authentication, Request request)
+ throws SystemException {
+ return AuthorizationHelper.isAuthorized(authentication, getResourceType(request, null),
+ getResourceId(request, null), requiredCreateAuthorizations);
+ }
+
+ /**
+ * Get a set of {@link Resource resources} based on the given request and predicate
+ * information if the authenticated user is authorized to do so.
+ * <p/>
+ * This method must be overwritten if {@link #getResources(Request, Predicate)} is not overwritten.
+ *
+ * @param request the request object which defines the desired set of properties
+ * @param predicate the predicate object which can be used to filter which resources are returned
+ * @return a set of resources based on the given request and predicate information
+ * @throws SystemException an internal system exception occurred
+ * @throws UnsupportedPropertyException the request contains unsupported property ids
+ * @throws NoSuchResourceException the requested resource instance doesn't exist
+ * @throws NoSuchParentResourceException a parent resource of the requested resource doesn't exist
+ * @throws AuthorizationException if the authenticated user is not authorized to perform this operation
+ * @see #getResources(Request, Predicate)
+ */
+ protected Set<Resource> getResourcesAuthorized(Request request, Predicate predicate)
+ throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
+ throw new UnsupportedOperationException("If getResources is not overwritten, then getResourcesAuthorized must be overwritten");
+ }
+
+ /**
+ * Tests authorization to get resources.
+ * <p/>
+ * Implementations should override this method to perform a more sophisticated authorization routine.
+ *
+ * @param authentication the authenticated user and associated access privileges
+ * @param request the request object which defines the desired set of properties
+ * @param predicate the predicate object which can be used to filter which resources are returned
+ * @return true if authorized; otherwise false
+ * @throws SystemException if an internal system exception occurred
+ */
+ protected boolean isAuthorizedToGetResources(Authentication authentication, Request request, Predicate predicate)
+ throws SystemException {
+ return AuthorizationHelper.isAuthorized(authentication, getResourceType(request, predicate),
+ getResourceId(request, predicate), requiredGetAuthorizations);
+ }
+
+ /**
+ * Update the resources selected by the given predicate with the properties from the given request
+ * object if the authenticated user is authorized to do so.
+ * <p/>
+ * This method must be overwritten if {@link #updateResources(Request, Predicate)} is not overwritten.
+ *
+ * @param request the request object which defines the set of properties for the resources to be updated
+ * @param predicate the predicate object which can be used to filter which resources are updated
+ * @return the request status
+ * @throws SystemException an internal system exception occurred
+ * @throws UnsupportedPropertyException the request contains unsupported property ids
+ * @throws NoSuchResourceException the resource instance to be updated doesn't exist
+ * @throws NoSuchParentResourceException a parent resource of the resource doesn't exist
+ * @throws AuthorizationException if the authenticated user is not authorized to perform this operation
+ * @see #updateResources(Request, Predicate)
+ */
+ protected RequestStatus updateResourcesAuthorized(Request request, Predicate predicate)
+ throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
+ throw new UnsupportedOperationException("If updateResources is not overwritten, then updateResourcesAuthorized must be overwritten");
+ }
+
+ /**
+ * Tests authorization to update resources
+ * <p/>
+ * Implementations should override this method to perform a more sophisticated authorization routine.
+ *
+ * @param authentication the authenticated user and associated access privileges
+ * @param request the request object which defines the desired set of properties
+ * @param predicate the predicate object which can be used to filter which resources are returned
+ * @return true if authorized; otherwise false
+ * @throws SystemException if an internal system exception occurred
+ */
+ protected boolean isAuthorizedToUpdateResources(Authentication authentication, Request request, Predicate predicate)
+ throws SystemException {
+ return AuthorizationHelper.isAuthorized(authentication, getResourceType(request, predicate),
+ getResourceId(request, predicate), requiredUpdateAuthorizations);
+ }
+
+ /**
+ * Delete the resources selected by the given predicate if the authenticated user is authorized
+ * to do so.
+ * <p/>
+ * This method must be overwritten if {@link #deleteResources(Predicate)} is not overwritten.
+ *
+ * @param predicate the predicate object which can be used to filter which resources are deleted
+ * @return the request status
+ * @throws SystemException an internal system exception occurred
+ * @throws UnsupportedPropertyException the request contains unsupported property ids
+ * @throws NoSuchResourceException the resource instance to be deleted doesn't exist
+ * @throws NoSuchParentResourceException a parent resource of the resource doesn't exist
+ * @throws AuthorizationException if the authenticated user is not authorized to perform this operation
+ * @see #deleteResources(Predicate)
+ */
+ protected RequestStatus deleteResourcesAuthorized(Predicate predicate)
+ throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
+ throw new UnsupportedOperationException("If deleteResources is not overwritten, then deleteResourcesAuthorized must be overwritten");
+ }
+
+ /**
+ * Tests authorization to delete resources.
+ * <p/>
+ * Implementations should override this method to perform a more sophisticated authorization routine.
+ *
+ * @param authentication the authenticated user and associated access privileges
+ * @param predicate the predicate object which can be used to filter which resources are deleted
+ * @return true if authorized; otherwise false
+ * @throws SystemException if an internal system exception occurred
+ */
+ protected boolean isAuthorizedToDeleteResources(Authentication authentication, Predicate predicate)
+ throws SystemException {
+ return AuthorizationHelper.isAuthorized(authentication, getResourceType(null, predicate),
+ getResourceId(null, predicate), requiredDeleteAuthorizations);
+ }
+
+ /**
+ * Gets the ResourceType that is effected by the relevant request and predicate.
+ * <p/>
+ * Implementations should override this method return the proper ResourceType.
+ *
+ * @param request the request object which defines the desired set of properties
+ * @param predicate the predicate object which can be used to indicate the filter
+ * @return a ResourceType
+ */
+ protected ResourceType getResourceType(Request request, Predicate predicate) {
+ return ResourceType.CLUSTER;
+ }
+
+ /**
+ * Gets the identifier, relative to the the effected ResourceType that is effected by the relevant
+ * request and predicate.
+ * <p/>
+ * Implementations should override this method return the proper resource id.
+ *
+ * @param request the request object which defines the desired set of properties
+ * @param predicate the predicate object which can be used to indicate the filter
+ * @return a resource id; or null to indicate any or all resources of the relevant type
+ */
+ protected Long getResourceId(Request request, Predicate predicate) {
+ return null;
+ }
+
+ /**
+ * Safely create an unmodifiable set of RoleAuthorizations
+ *
+ * @param set the set to copy
+ * @return an unmodifiable set of RoleAuthorizations
+ */
+ private Set<RoleAuthorization> createUnmodifiableSet(Set<RoleAuthorization> set) {
+ return (set == null)
+ ? Collections.<RoleAuthorization>emptySet()
+ : Collections.unmodifiableSet(new HashSet<RoleAuthorization>(set));
+ }
+}
+
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java
index d2e7be7..60b6901 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java
@@ -30,7 +30,7 @@ import org.apache.ambari.server.controller.utilities.ClusterControllerHelper;
/**
* Abstract resource provider implementation that maps to an Ambari management controller.
*/
-public abstract class AbstractControllerResourceProvider extends AbstractResourceProvider {
+public abstract class AbstractControllerResourceProvider extends AbstractAuthorizedResourceProvider {
private static ResourceProviderFactory resourceProviderFactory;
/**
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
index 66d20b3..9c1a888 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
@@ -28,6 +28,7 @@ import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import org.apache.ambari.server.orm.entities.UserEntity;
import org.apache.ambari.server.orm.entities.ViewEntity;
import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
+import org.apache.ambari.server.security.authorization.ResourceType;
import org.apache.ambari.server.view.ViewRegistry;
import java.util.HashMap;
@@ -144,25 +145,23 @@ public class AmbariPrivilegeResourceProvider extends PrivilegeResourceProvider<O
if (resource != null) {
ResourceEntity resourceEntity = privilegeEntity.getResource();
ResourceTypeEntity type = resourceEntity.getResourceType();
+ String typeName = type.getName();
String privilegeType;
- switch (type.getId()) {
- case ResourceTypeEntity.CLUSTER_RESOURCE_TYPE:
- ClusterEntity clusterEntity = (ClusterEntity) resourceEntities.get(resourceEntity.getId());
- privilegeType = ResourceTypeEntity.CLUSTER_RESOURCE_TYPE_NAME;
- setResourceProperty(resource, PRIVILEGE_CLUSTER_NAME_PROPERTY_ID, clusterEntity.getClusterName(), requestedIds);
- break;
- case ResourceTypeEntity.AMBARI_RESOURCE_TYPE:
- privilegeType = ResourceTypeEntity.AMBARI_RESOURCE_TYPE_NAME;
- break;
- default:
- privilegeType = ResourceTypeEntity.VIEW_RESOURCE_TYPE_NAME;
- ViewInstanceEntity viewInstanceEntity = (ViewInstanceEntity) resourceEntities.get(resourceEntity.getId());
- ViewEntity viewEntity = viewInstanceEntity.getViewEntity();
-
- setResourceProperty(resource, PRIVILEGE_VIEW_NAME_PROPERTY_ID, viewEntity.getCommonName(), requestedIds);
- setResourceProperty(resource, PRIVILEGE_VIEW_VERSION_PROPERTY_ID, viewEntity.getVersion(), requestedIds);
- setResourceProperty(resource, PRIVILEGE_INSTANCE_NAME_PROPERTY_ID, viewInstanceEntity.getName(), requestedIds);
- break;
+
+ if (ResourceType.CLUSTER.name().equalsIgnoreCase(typeName)) {
+ ClusterEntity clusterEntity = (ClusterEntity) resourceEntities.get(resourceEntity.getId());
+ privilegeType = ResourceType.CLUSTER.name();
+ setResourceProperty(resource, PRIVILEGE_CLUSTER_NAME_PROPERTY_ID, clusterEntity.getClusterName(), requestedIds);
+ } else if (ResourceType.AMBARI.name().equalsIgnoreCase(typeName)) {
+ privilegeType = ResourceType.AMBARI.name();
+ } else {
+ privilegeType = ResourceType.VIEW.name();
+ ViewInstanceEntity viewInstanceEntity = (ViewInstanceEntity) resourceEntities.get(resourceEntity.getId());
+ ViewEntity viewEntity = viewInstanceEntity.getViewEntity();
+
+ setResourceProperty(resource, PRIVILEGE_VIEW_NAME_PROPERTY_ID, viewEntity.getCommonName(), requestedIds);
+ setResourceProperty(resource, PRIVILEGE_VIEW_VERSION_PROPERTY_ID, viewEntity.getVersion(), requestedIds);
+ setResourceProperty(resource, PRIVILEGE_INSTANCE_NAME_PROPERTY_ID, viewInstanceEntity.getName(), requestedIds);
}
setResourceProperty(resource, PRIVILEGE_TYPE_PROPERTY_ID, privilegeType, requestedIds);
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
index 5e0e4bd..aabd14f 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
@@ -38,10 +38,10 @@ import org.apache.ambari.server.orm.entities.GroupEntity;
import org.apache.ambari.server.orm.entities.MemberEntity;
import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
-import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import org.apache.ambari.server.orm.entities.UserEntity;
import org.apache.ambari.server.orm.entities.ViewEntity;
import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
+import org.apache.ambari.server.security.authorization.ResourceType;
import org.apache.ambari.server.security.authorization.UserType;
/**
@@ -192,24 +192,21 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
}
String privilegeType;
- switch (privilegeEntity.getResource().getResourceType().getId()) {
- case ResourceTypeEntity.CLUSTER_RESOURCE_TYPE:
+ String typeName = privilegeEntity.getResource().getResourceType().getName();
+ if (ResourceType.CLUSTER.name().equalsIgnoreCase(typeName)) {
final ClusterEntity clusterEntity = clusterDAO.findByResourceId(privilegeEntity.getResource().getId());
- privilegeType = ResourceTypeEntity.CLUSTER_RESOURCE_TYPE_NAME;
+ privilegeType = ResourceType.CLUSTER.name();
setResourceProperty(resource, PRIVILEGE_CLUSTER_NAME_PROPERTY_ID, clusterEntity.getClusterName(), requestedIds);
- break;
- case ResourceTypeEntity.AMBARI_RESOURCE_TYPE:
- privilegeType = ResourceTypeEntity.AMBARI_RESOURCE_TYPE_NAME;
- break;
- default:
- privilegeType = ResourceTypeEntity.VIEW_RESOURCE_TYPE_NAME;
+ } else if (ResourceType.AMBARI.name().equalsIgnoreCase(typeName)) {
+ privilegeType = ResourceType.AMBARI.name();
+ } else {
+ privilegeType = ResourceType.VIEW.name();
final ViewInstanceEntity viewInstanceEntity = viewInstanceDAO.findByResourceId(privilegeEntity.getResource().getId());
final ViewEntity viewEntity = viewInstanceEntity.getViewEntity();
setResourceProperty(resource, PRIVILEGE_VIEW_NAME_PROPERTY_ID, viewEntity.getCommonName(), requestedIds);
setResourceProperty(resource, PRIVILEGE_VIEW_VERSION_PROPERTY_ID, viewEntity.getVersion(), requestedIds);
setResourceProperty(resource, PRIVILEGE_INSTANCE_NAME_PROPERTY_ID, viewInstanceEntity.getName(), requestedIds);
- break;
}
setResourceProperty(resource, PRIVILEGE_TYPE_PROPERTY_ID, privilegeType, requestedIds);
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
index 408a747..a1a9c46 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
@@ -30,10 +30,10 @@ import org.apache.ambari.server.orm.entities.GroupEntity;
import org.apache.ambari.server.orm.entities.PermissionEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
import org.apache.ambari.server.orm.entities.ResourceEntity;
-import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import org.apache.ambari.server.orm.entities.UserEntity;
import org.apache.ambari.server.orm.entities.ViewEntity;
import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
+import org.apache.ambari.server.security.authorization.ResourceType;
import org.apache.ambari.server.view.ViewRegistry;
/**
@@ -176,7 +176,7 @@ public class ViewPrivilegeResourceProvider extends PrivilegeResourceProvider<Vie
@Override
protected boolean checkResourceTypes(PrivilegeEntity entity) throws AmbariException {
return super.checkResourceTypes(entity) ||
- entity.getPermission().getResourceType().getId().equals(ResourceTypeEntity.VIEW_RESOURCE_TYPE);
+ entity.getPermission().getResourceType().getId().equals(ResourceType.VIEW.getId());
}
@Override
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ResourceTypeEntity.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ResourceTypeEntity.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ResourceTypeEntity.java
index 3c434ea..71b40cc 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ResourceTypeEntity.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ResourceTypeEntity.java
@@ -33,20 +33,6 @@ import javax.persistence.*;
public class ResourceTypeEntity {
/**
- * Admin resource type id constants.
- */
- public static final int AMBARI_RESOURCE_TYPE = 1;
- public static final int CLUSTER_RESOURCE_TYPE = 2;
- public static final int VIEW_RESOURCE_TYPE = 3;
-
- /**
- * Admin resource type name constants.
- */
- public static final String AMBARI_RESOURCE_TYPE_NAME = "AMBARI";
- public static final String CLUSTER_RESOURCE_TYPE_NAME = "CLUSTER";
- public static final String VIEW_RESOURCE_TYPE_NAME = "VIEW";
-
- /**
* The type id.
*/
@Id
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationException.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationException.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationException.java
new file mode 100644
index 0000000..5b4311f
--- /dev/null
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationException.java
@@ -0,0 +1,53 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.security.authorization;
+
+import org.apache.ambari.server.controller.spi.SystemException;
+
+/**
+ * AuthorizationException indicates that the authenticated user is not authorized to perform some
+ * operation.
+ */
+public class AuthorizationException extends SystemException {
+ /**
+ * Constructor, sets a default message about failure to be authorized.
+ */
+ public AuthorizationException() {
+ this("The authenticated user is not authorized to perform the requested operation");
+ }
+
+ /**
+ * Constructor.
+ *
+ * @param msg message
+ */
+ public AuthorizationException(String msg) {
+ super(msg);
+ }
+
+ /**
+ * Constructor.
+ *
+ * @param msg message
+ * @param throwable root exception
+ */
+ public AuthorizationException(String msg, Throwable throwable) {
+ super(msg, throwable);
+ }
+}
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
index 9feaf93..fdb4876 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
@@ -1,4 +1,4 @@
-/**
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -18,7 +18,12 @@
package org.apache.ambari.server.security.authorization;
import com.google.inject.Singleton;
+import org.apache.ambari.server.orm.entities.PermissionEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
+import org.apache.ambari.server.orm.entities.ResourceEntity;
+import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
@@ -31,6 +36,7 @@ import java.util.*;
* Provides utility methods for authentication functionality
*/
public class AuthorizationHelper {
+ private final static Logger LOG = LoggerFactory.getLogger(AuthorizationHelper.class);
/**
* Converts collection of RoleEntities to collection of GrantedAuthorities
@@ -47,23 +53,170 @@ public class AuthorizationHelper {
/**
* Gets the name of the logged in user. Thread-safe due to use of thread-local.
+ *
* @return the name of the logged in user, or <code>null</code> if none set.
*/
public static String getAuthenticatedName() {
return getAuthenticatedName(null);
}
-
+
/**
* Gets the name of the logged-in user, if any. Thread-safe due to use of
* thread-local.
+ *
* @param defaultUsername the value if there is no logged-in user
* @return the name of the logged-in user, or the default
*/
public static String getAuthenticatedName(String defaultUsername) {
SecurityContext securityContext = SecurityContextHolder.getContext();
-
+
Authentication auth = securityContext.getAuthentication();
-
+
return (null == auth) ? defaultUsername : auth.getName();
}
+
+ /**
+ * Determines if the authenticated user (from application's security context) is authorized to
+ * perform an operation on the the specific resource by matching the authenticated user's
+ * authorizations with one from the provided set of authorizations.
+ *
+ * @param resourceType a resource type being acted upon
+ * @param resourceId the resource id (relative to the resource type) being acted upon
+ * @param requiredAuthorizations a set of requirements for which one match will allow authorization
+ * @return true if authorized; otherwise false
+ * @see #isAuthorized(Authentication, ResourceType, Long, Set)
+ */
+ public static boolean isAuthorized(ResourceType resourceType, Long resourceId, Set<RoleAuthorization> requiredAuthorizations) {
+ return isAuthorized(getAuthentication(), resourceType, resourceId, requiredAuthorizations);
+ }
+
+ /**
+ * Determines if the specified authenticated user is authorized to perform an operation on the
+ * the specific resource by matching the authenticated user's authorizations with one from the
+ * provided set of authorizations.
+ * <p/>
+ * The specified resource type is a high-level resource such as {@link ResourceType#AMBARI Ambari},
+ * a {@link ResourceType#CLUSTER cluster}, or a {@link ResourceType#VIEW view}.
+ * <p/>
+ * The specified resource id is the identifier of the relevant resource of the given resource type.
+ * If the resource is {@link ResourceType#AMBARI Ambari}, the identifier should be <code>null</code>,
+ * else for a {@link ResourceType#CLUSTER cluster} or a {@link ResourceType#VIEW view} the resource
+ * id should be a valid resource id or <code>null</code> to indicate any resource of the given type.
+ *
+ * @param authentication the authenticated user and associated access privileges
+ * @param resourceType a resource type being acted upon
+ * @param resourceId the resource id (relative to the resource type) being acted upon
+ * @param requiredAuthorizations a set of requirements for which one match will allow authorization
+ * @return true if authorized; otherwize false
+ */
+ public static boolean isAuthorized(Authentication authentication, ResourceType resourceType,
+ Long resourceId, Set<RoleAuthorization> requiredAuthorizations) {
+ if ((requiredAuthorizations == null) || requiredAuthorizations.isEmpty()) {
+ return true;
+ } else if (authentication == null) {
+ return false;
+ } else {
+ // Iterate through the set of required authorizations to see if at least one match is found.
+ // If the user has at least one authorization that exists in the set of required authorizations,
+ // that user is authorized to perform the operation.
+ for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) {
+ AmbariGrantedAuthority ambariGrantedAuthority = (AmbariGrantedAuthority) grantedAuthority;
+ PrivilegeEntity privilegeEntity = ambariGrantedAuthority.getPrivilegeEntity();
+ ResourceEntity privilegeResource = privilegeEntity.getResource();
+ ResourceType privilegeResourceType = ResourceType.valueOf(privilegeResource.getResourceType().getName());
+ boolean resourceOK;
+
+ if (resourceType == null) {
+ resourceOK = true;
+ } else if (ResourceType.AMBARI == privilegeResourceType) {
+ // This resource type indicates administrative access
+ resourceOK = true;
+ } else if (resourceType == privilegeResourceType) {
+ resourceOK = (resourceId == null) || resourceId.equals(privilegeResource.getId());
+ } else {
+ // This is not an expected resource type, so skip this authority
+ resourceOK = false;
+ }
+
+ // The the authority is for the relevant resource, see if one of the authorizations matches
+ // one of the required authorizations...
+ if (resourceOK) {
+ PermissionEntity permission = privilegeEntity.getPermission();
+ Collection<RoleAuthorizationEntity> userAuthorizations = (permission == null)
+ ? null
+ : permission.getAuthorizations();
+
+ if (userAuthorizations != null) {
+ for (RoleAuthorizationEntity userAuthorization : userAuthorizations) {
+ try {
+ if (requiredAuthorizations.contains(RoleAuthorization.translate(userAuthorization.getAuthorizationId()))) {
+ return true;
+ }
+ } catch (IllegalArgumentException e) {
+ LOG.warn("Invalid authorization name, '{}'... ignoring.", userAuthorization.getAuthorizationId());
+ }
+ }
+ }
+ }
+ }
+
+ return false;
+ }
+ }
+
+ /**
+ * Determines if the authenticated user (from application's security context) is authorized to
+ * perform an operation on the the specific resource by matching the authenticated user's
+ * authorizations with one from the provided set of authorizations.
+ * <p/>
+ * If not authorized, an {@link AuthorizationException} will be thrown.
+ *
+ * @param resourceType a resource type being acted upon
+ * @param resourceId the resource id (relative to the resource type) being acted upon
+ * @param requiredAuthorizations a set of requirements for which one match will allow authorization
+ * @throws AuthorizationException if authorization is not granted
+ * @see #isAuthorized(ResourceType, Long, Set)
+ */
+ public static void verifyAuthorization(ResourceType resourceType,
+ Long resourceId,
+ Set<RoleAuthorization> requiredAuthorizations)
+ throws AuthorizationException {
+ if (!isAuthorized(resourceType, resourceId, requiredAuthorizations)) {
+ throw new AuthorizationException();
+ }
+ }
+
+ /**
+ * Determines if the specified authenticated user is authorized to perform an operation on the
+ * the specific resource by matching the authenticated user's authorizations with one from the
+ * provided set of authorizations.
+ * <p/>
+ * If not authorized, an {@link AuthorizationException} will be thrown.
+ *
+ * @param authentication the authenticated user and associated access privileges
+ * @param resourceType a resource type being acted upon
+ * @param resourceId the resource id (relative to the resource type) being acted upon
+ * @param requiredAuthorizations a set of requirements for which one match will allow authorization
+ * @throws AuthorizationException if authorization is not granted
+ * @see #isAuthorized(Authentication, ResourceType, Long, Set)
+ */
+ public static void verifyAuthorization(Authentication authentication,
+ ResourceType resourceType,
+ Long resourceId,
+ Set<RoleAuthorization> requiredAuthorizations)
+ throws AuthorizationException {
+ if (!isAuthorized(authentication, resourceType, resourceId, requiredAuthorizations)) {
+ throw new AuthorizationException();
+ }
+ }
+
+ /**
+ * Retrieves the authenticated user and authorization details from the application's security context.
+ *
+ * @return the authenticated user and associated access privileges; or null if not available
+ */
+ public static Authentication getAuthentication() {
+ SecurityContext context = SecurityContextHolder.getContext();
+ return (context == null) ? null : context.getAuthentication();
+ }
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ResourceType.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ResourceType.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ResourceType.java
new file mode 100644
index 0000000..bd107ea
--- /dev/null
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ResourceType.java
@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.security.authorization;
+
+/**
+ * ResourceType is an enumeration of resources one which authorization tests may be performed.
+ * <p/>
+ * This data matches the <i>generic</i> values from the <code>adminresourcetype</code> table in the Ambari
+ * database. The enum name represents the <code>adminresourcetype.resource_type_name</code> value
+ * and the internal value represents the <code>adminresourcetype.</code> value
+ */
+public enum ResourceType {
+ AMBARI(1),
+ CLUSTER(2),
+ VIEW(3);
+
+ private final int id;
+
+ /**
+ * Constructor
+ *
+ * @param id the ID value for this ResourceType
+ */
+ private ResourceType(int id) {
+ this.id = id;
+ }
+
+ /**
+ * Get's ID value for this ResourceType.
+ * <p/>
+ * This value represents the <code>adminresourcetype.resource_type_id</code> value for the resource type.
+ *
+ * @return an integer
+ */
+ public int getId() {
+ return id;
+ }
+}
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java
new file mode 100644
index 0000000..75beec5
--- /dev/null
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java
@@ -0,0 +1,112 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.security.authorization;
+
+import java.util.EnumSet;
+import java.util.Set;
+
+/**
+ * RoleAuthorization is an enumeration of granular authorizations that can be applied to resources
+ * like clusters and views.
+ * <p/>
+ * This data matches the <code>roleauthorization</code> table in the Ambari database. The value field
+ * of each item represents the <code>roleauthorization.authorization_id</code> value.
+ */
+public enum RoleAuthorization {
+ AMBARI_ADD_DELETE_CLUSTERS("AMBARI.ADD_DELETE_CLUSTERS"),
+ AMBARI_ASSIGN_ROLES("AMBARI.ASSIGN_ROLES"),
+ AMBARI_EDIT_STACK_REPOS("AMBARI.EDIT_STACK_REPOS"),
+ AMBARI_MANAGE_GROUPS("AMBARI.MANAGE_GROUPS"),
+ AMBARI_MANAGE_STACK_VERSIONS("AMBARI.MANAGE_STACK_VERSIONS"),
+ AMBARI_MANAGE_USERS("AMBARI.MANAGE_USERS"),
+ AMBARI_MANAGE_VIEWS("AMBARI.MANAGE_VIEWS"),
+ AMBARI_RENAME_CLUSTER("AMBARI.RENAME_CLUSTER"),
+ AMBARI_SET_SERVICE_USERS_GROUPS("AMBARI.SET_SERVICE_USERS_GROUPS"),
+ CLUSTER_TOGGLE_ALERTS("CLUSTER.TOGGLE_ALERTS"),
+ CLUSTER_TOGGLE_KERBEROS("CLUSTER.TOGGLE_KERBEROS"),
+ CLUSTER_UPGRADE_DOWNGRADE_STACK("CLUSTER.UPGRADE_DOWNGRADE_STACK"),
+ CLUSTER_VIEW_ALERTS("CLUSTER.VIEW_ALERTS"),
+ CLUSTER_VIEW_CONFIGS("CLUSTER.VIEW_CONFIGS"),
+ CLUSTER_VIEW_METRICS("CLUSTER.VIEW_METRICS"),
+ CLUSTER_VIEW_STACK_DETAILS("CLUSTER.VIEW_STACK_DETAILS"),
+ CLUSTER_VIEW_STATUS_INFO("CLUSTER.VIEW_STATUS_INFO"),
+ HOST_ADD_DELETE_COMPONENTS("HOST.ADD_DELETE_COMPONENTS"),
+ HOST_ADD_DELETE_HOSTS("HOST.ADD_DELETE_HOSTS"),
+ HOST_TOGGLE_MAINTENANCE("HOST.TOGGLE_MAINTENANCE"),
+ HOST_VIEW_CONFIGS("HOST.VIEW_CONFIGS"),
+ HOST_VIEW_METRICS("HOST.VIEW_METRICS"),
+ HOST_VIEW_STATUS_INFO("HOST.VIEW_STATUS_INFO"),
+ SERVICE_ADD_DELETE_SERVICES("SERVICE.ADD_DELETE_SERVICES"),
+ SERVICE_COMPARE_CONFIGS("SERVICE.COMPARE_CONFIGS"),
+ SERVICE_DECOMMISSION_RECOMMISSION("SERVICE.DECOMMISSION_RECOMMISSION"),
+ SERVICE_ENABLE_HA("SERVICE.ENABLE_HA"),
+ SERVICE_MANAGE_CONFIG_GROUPS("SERVICE.MANAGE_CONFIG_GROUPS"),
+ SERVICE_MODIFY_CONFIGS("SERVICE.MODIFY_CONFIGS"),
+ SERVICE_MOVE("SERVICE.MOVE"),
+ SERVICE_RUN_CUSTOM_COMMAND("SERVICE.RUN_CUSTOM_COMMAND"),
+ SERVICE_RUN_SERVICE_CHECK("SERVICE.RUN_SERVICE_CHECK"),
+ SERVICE_START_STOP("SERVICE.START_STOP"),
+ SERVICE_TOGGLE_ALERTS("SERVICE.TOGGLE_ALERTS"),
+ SERVICE_TOGGLE_MAINTENANCE("SERVICE.TOGGLE_MAINTENANCE"),
+ SERVICE_VIEW_ALERTS("SERVICE.VIEW_ALERTS"),
+ SERVICE_VIEW_CONFIGS("SERVICE.VIEW_CONFIGS"),
+ SERVICE_VIEW_METRICS("SERVICE.VIEW_METRICS"),
+ SERVICE_VIEW_STATUS_INFO("SERVICE.VIEW_STATUS_INFO"),
+ VIEW_USE("VIEW.USE");
+
+ public static final Set<RoleAuthorization> AUTHORIZATIONS_VIEW_CLUSTER = EnumSet.of(CLUSTER_VIEW_STATUS_INFO, CLUSTER_VIEW_ALERTS, CLUSTER_VIEW_CONFIGS, CLUSTER_VIEW_METRICS, CLUSTER_VIEW_STACK_DETAILS);
+ public static final Set<RoleAuthorization> AUTHORIZATIONS_UPDATE_CLUSTER = EnumSet.of(CLUSTER_TOGGLE_ALERTS, CLUSTER_TOGGLE_KERBEROS, CLUSTER_UPGRADE_DOWNGRADE_STACK);
+
+ private final String id;
+
+ /**
+ * Constructor
+ *
+ * @param id the ID value for this RoleAuthorization
+ */
+ RoleAuthorization(String id) {
+ this.id = id;
+ }
+
+ /**
+ * Get's the ID value for this RoleAuthorization
+ * <p/>
+ * This value represents the <code>roleauthorization.authorization_id</code> value from the Ambari database
+ *
+ * @return an string
+ */
+ public String getId() {
+ return id;
+ }
+
+ public static RoleAuthorization translate(String authenticationId) {
+ if (authenticationId == null) {
+ return null;
+ } else {
+ authenticationId = authenticationId.trim();
+
+ if (authenticationId.isEmpty()) {
+ return null;
+ } else {
+ return RoleAuthorization.valueOf(authenticationId.replace(".", "_").toUpperCase());
+ }
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/internal/InternalAuthenticationToken.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/internal/InternalAuthenticationToken.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/internal/InternalAuthenticationToken.java
index 6d7a573..c83a132 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/internal/InternalAuthenticationToken.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/internal/InternalAuthenticationToken.java
@@ -18,13 +18,18 @@
package org.apache.ambari.server.security.authorization.internal;
+import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
+import java.util.List;
import org.apache.ambari.server.orm.entities.PermissionEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
+import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
import org.apache.ambari.server.security.authorization.AmbariGrantedAuthority;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
@@ -48,23 +53,44 @@ public class InternalAuthenticationToken implements Authentication {
private boolean authenticated = false;
+ /**
+ * Sets up a privilege entity to be one that an administrative user would have.
+ */
private static void createAdminPrivilegeEntity(PrivilegeEntity entity) {
PermissionEntity pe = new PermissionEntity();
pe.setId(PermissionEntity.AMBARI_ADMINISTRATOR_PERMISSION);
pe.setPermissionName(PermissionEntity.AMBARI_ADMINISTRATOR_PERMISSION_NAME);
-
+ pe.setAuthorizations(createAdminAuthorizations());
entity.setPermission(pe);
ResourceEntity resource = new ResourceEntity();
resource.setId(1L);
ResourceTypeEntity rte = new ResourceTypeEntity();
- rte.setId(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
- rte.setName(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE_NAME);
+ rte.setId(ResourceType.AMBARI.getId());
+ rte.setName(ResourceType.AMBARI.name());
resource.setResourceType(rte);
entity.setResource(resource);
}
+ /**
+ * Creates the collection of RoleAuthorizationEntity objects that an administrative user would have.
+ *
+ * @return a collection of RoleAuthorizationEntity objects
+ */
+ private static Collection<RoleAuthorizationEntity> createAdminAuthorizations() {
+ List<RoleAuthorizationEntity> authorizations = new ArrayList<RoleAuthorizationEntity>();
+
+ for (RoleAuthorization roleAuthorization : RoleAuthorization.values()) {
+ RoleAuthorizationEntity re = new RoleAuthorizationEntity();
+ re.setAuthorizationId(roleAuthorization.getId());
+ re.setAuthorizationName(roleAuthorization.name());
+ authorizations.add(re);
+ }
+
+ return authorizations;
+ }
+
public InternalAuthenticationToken(String tokenString) {
this.token = tokenString;
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/main/java/org/apache/ambari/server/state/cluster/ClustersImpl.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/state/cluster/ClustersImpl.java b/ambari-server/src/main/java/org/apache/ambari/server/state/cluster/ClustersImpl.java
index 310de34..15730f4 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/state/cluster/ClustersImpl.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/state/cluster/ClustersImpl.java
@@ -52,6 +52,7 @@ import org.apache.ambari.server.orm.entities.PrivilegeEntity;
import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import org.apache.ambari.server.orm.entities.StackEntity;
+import org.apache.ambari.server.security.authorization.ResourceType;
import org.apache.ambari.server.security.SecurityHelper;
import org.apache.ambari.server.security.authorization.AmbariGrantedAuthority;
import org.apache.ambari.server.state.AgentVersion;
@@ -218,11 +219,11 @@ public class ClustersImpl implements Clusters {
}
// create an admin resource to represent this cluster
- ResourceTypeEntity resourceTypeEntity = resourceTypeDAO.findById(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
+ ResourceTypeEntity resourceTypeEntity = resourceTypeDAO.findById(ResourceType.CLUSTER.getId());
if (resourceTypeEntity == null) {
resourceTypeEntity = new ResourceTypeEntity();
- resourceTypeEntity.setId(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
- resourceTypeEntity.setName(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE_NAME);
+ resourceTypeEntity.setId(ResourceType.CLUSTER.getId());
+ resourceTypeEntity.setName(ResourceType.CLUSTER.name());
resourceTypeEntity = resourceTypeDAO.merge(resourceTypeEntity);
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog170.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog170.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog170.java
index 01b69db..3d00c29 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog170.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog170.java
@@ -70,6 +70,7 @@ import org.apache.ambari.server.orm.entities.StackEntity;
import org.apache.ambari.server.orm.entities.UserEntity;
import org.apache.ambari.server.orm.entities.ViewEntity;
import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
+import org.apache.ambari.server.security.authorization.ResourceType;
import org.apache.ambari.server.state.Cluster;
import org.apache.ambari.server.state.Clusters;
import org.apache.ambari.server.state.Config;
@@ -1322,7 +1323,7 @@ public class UpgradeCatalog170 extends AbstractUpgradeCatalog {
userDAO.merge(user);
}
- final ResourceTypeEntity clusterResourceType = resourceTypeDAO.findById(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
+ final ResourceTypeEntity clusterResourceType = resourceTypeDAO.findById(ResourceType.CLUSTER.getId());
for (ClusterEntity cluster: clusterDAO.findAll()) {
final ResourceEntity resourceEntity = new ResourceEntity();
resourceEntity.setResourceType(clusterResourceType);
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/test/java/org/apache/ambari/server/agent/TestHeartbeatHandler.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/agent/TestHeartbeatHandler.java b/ambari-server/src/test/java/org/apache/ambari/server/agent/TestHeartbeatHandler.java
index 53277d1..d3945dc 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/agent/TestHeartbeatHandler.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/agent/TestHeartbeatHandler.java
@@ -93,6 +93,7 @@ import org.apache.ambari.server.orm.entities.RepositoryVersionEntity;
import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import org.apache.ambari.server.orm.entities.StackEntity;
+import org.apache.ambari.server.security.authorization.ResourceType;
import org.apache.ambari.server.serveraction.kerberos.KerberosIdentityDataFileWriter;
import org.apache.ambari.server.serveraction.kerberos.KerberosIdentityDataFileWriterFactory;
import org.apache.ambari.server.serveraction.kerberos.KerberosServerAction;
@@ -2314,8 +2315,8 @@ public class TestHeartbeatHandler {
// Create the cluster
ResourceTypeEntity resourceTypeEntity = new ResourceTypeEntity();
- resourceTypeEntity.setId(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
- resourceTypeEntity.setName(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE_NAME);
+ resourceTypeEntity.setId(ResourceType.CLUSTER.getId());
+ resourceTypeEntity.setName(ResourceType.CLUSTER.name());
resourceTypeEntity = resourceTypeDAO.merge(resourceTypeEntity);
ResourceEntity resourceEntity = new ResourceEntity();
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/test/java/org/apache/ambari/server/controller/RefreshYarnCapacitySchedulerReleaseConfigTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/RefreshYarnCapacitySchedulerReleaseConfigTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/RefreshYarnCapacitySchedulerReleaseConfigTest.java
index 3a6ad91..e93a479 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/RefreshYarnCapacitySchedulerReleaseConfigTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/RefreshYarnCapacitySchedulerReleaseConfigTest.java
@@ -57,7 +57,7 @@ public class RefreshYarnCapacitySchedulerReleaseConfigTest {
private AmbariMetaInfo ambariMetaInfo;
private Clusters clusters;
private ConfigHelper configHelper;
-
+
@Before
public void setup() throws Exception {
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java
index 4c35d53..bca167c 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java
@@ -62,6 +62,7 @@ import org.apache.ambari.server.orm.entities.UserEntity;
import org.apache.ambari.server.orm.entities.ViewEntity;
import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
import org.apache.ambari.server.security.SecurityHelper;
+import org.apache.ambari.server.security.authorization.ResourceType;
import org.apache.ambari.server.view.ViewInstanceHandlerList;
import org.apache.ambari.server.view.ViewRegistry;
import org.apache.ambari.server.view.ViewRegistryTest;
@@ -129,7 +130,8 @@ public class AmbariPrivilegeResourceProviderTest {
expect(privilegeEntity.getPermission()).andReturn(permissionEntity).anyTimes();
expect(resourceEntity.getId()).andReturn(1L).anyTimes();
expect(resourceEntity.getResourceType()).andReturn(resourceTypeEntity).anyTimes();
- expect(resourceTypeEntity.getId()).andReturn(1).anyTimes();
+ expect(resourceTypeEntity.getId()).andReturn(ResourceType.AMBARI.getId()).anyTimes();
+ expect(resourceTypeEntity.getName()).andReturn(ResourceType.AMBARI.name()).anyTimes();
expect(principalEntity.getId()).andReturn(1L).anyTimes();
expect(userEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
expect(userEntity.getUserName()).andReturn("joe").anyTimes();
@@ -177,7 +179,8 @@ public class AmbariPrivilegeResourceProviderTest {
expect(ambariPrivilegeEntity.getPrincipal()).andReturn(ambariPrincipalEntity).anyTimes();
expect(ambariPrivilegeEntity.getPermission()).andReturn(ambariPermissionEntity).anyTimes();
expect(ambariResourceEntity.getResourceType()).andReturn(ambariResourceTypeEntity).anyTimes();
- expect(ambariResourceTypeEntity.getId()).andReturn(1).anyTimes();
+ expect(ambariResourceTypeEntity.getId()).andReturn(ResourceType.AMBARI.getId()).anyTimes();
+ expect(ambariResourceTypeEntity.getName()).andReturn(ResourceType.AMBARI.name()).anyTimes();
expect(ambariPrincipalEntity.getId()).andReturn(1L).anyTimes();
expect(ambariUserEntity.getPrincipal()).andReturn(ambariPrincipalEntity).anyTimes();
expect(ambariUserEntity.getUserName()).andReturn("joe").anyTimes();
@@ -200,7 +203,8 @@ public class AmbariPrivilegeResourceProviderTest {
expect(viewPrivilegeEntity.getPermission()).andReturn(viewPermissionEntity).anyTimes();
expect(viewPrivilegeEntity.getId()).andReturn(33).anyTimes();
expect(viewResourceEntity.getResourceType()).andReturn(viewResourceTypeEntity).anyTimes();
- expect(viewResourceTypeEntity.getId()).andReturn(3).anyTimes();
+ expect(viewResourceTypeEntity.getId()).andReturn(ResourceType.VIEW.getId()).anyTimes();
+ expect(viewResourceTypeEntity.getName()).andReturn(ResourceType.VIEW.name()).anyTimes();
expect(viewPrincipalEntity.getId()).andReturn(5L).anyTimes();
expect(viewEntity.getInstances()).andReturn(Arrays.asList(viewInstanceEntity)).anyTimes();
expect(viewInstanceEntity.getViewEntity()).andReturn(viewEntity).anyTimes();
@@ -230,7 +234,8 @@ public class AmbariPrivilegeResourceProviderTest {
expect(clusterPrivilegeEntity.getId()).andReturn(32).anyTimes();
expect(clusterResourceEntity.getId()).andReturn(7L).anyTimes();
expect(clusterResourceEntity.getResourceType()).andReturn(clusterResourceTypeEntity).anyTimes();
- expect(clusterResourceTypeEntity.getId()).andReturn(2).anyTimes();
+ expect(clusterResourceTypeEntity.getId()).andReturn(ResourceType.CLUSTER.getId()).anyTimes();
+ expect(clusterResourceTypeEntity.getName()).andReturn(ResourceType.CLUSTER.name()).anyTimes();
expect(clusterPrincipalEntity.getId()).andReturn(8L).anyTimes();
expect(clusterUserEntity.getPrincipal()).andReturn(clusterPrincipalEntity).anyTimes();
expect(clusterUserEntity.getUserName()).andReturn("jeff").anyTimes();
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterStackVersionResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterStackVersionResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterStackVersionResourceProviderTest.java
index 06ae045..98dfd2e 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterStackVersionResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterStackVersionResourceProviderTest.java
@@ -75,6 +75,7 @@ import org.apache.ambari.server.orm.entities.RepositoryVersionEntity;
import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import org.apache.ambari.server.orm.entities.StackEntity;
+import org.apache.ambari.server.security.authorization.ResourceType;
import org.apache.ambari.server.serveraction.upgrades.FinalizeUpgradeAction;
import org.apache.ambari.server.state.Cluster;
import org.apache.ambari.server.state.Clusters;
@@ -360,11 +361,11 @@ public class ClusterStackVersionResourceProviderTest {
StackEntity stackEntity = stackDAO.find(stackId.getStackName(), stackId.getStackVersion());
Assert.assertNotNull(stackEntity);
- ResourceTypeEntity resourceTypeEntity = resourceTypeDAO.findById(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
+ ResourceTypeEntity resourceTypeEntity = resourceTypeDAO.findById(ResourceType.CLUSTER.getId());
if (resourceTypeEntity == null) {
resourceTypeEntity = new ResourceTypeEntity();
- resourceTypeEntity.setId(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
- resourceTypeEntity.setName(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE_NAME);
+ resourceTypeEntity.setId(ResourceType.CLUSTER.getId());
+ resourceTypeEntity.setName(ResourceType.CLUSTER.name());
resourceTypeEntity = resourceTypeDAO.merge(resourceTypeEntity);
}
ResourceEntity resourceEntity = new ResourceEntity();
@@ -506,11 +507,11 @@ public class ClusterStackVersionResourceProviderTest {
StackEntity stackEntity = stackDAO.find(stackId.getStackName(), stackId.getStackVersion());
Assert.assertNotNull(stackEntity);
- ResourceTypeEntity resourceTypeEntity = resourceTypeDAO.findById(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
+ ResourceTypeEntity resourceTypeEntity = resourceTypeDAO.findById(ResourceType.CLUSTER.getId());
if (resourceTypeEntity == null) {
resourceTypeEntity = new ResourceTypeEntity();
- resourceTypeEntity.setId(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
- resourceTypeEntity.setName(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE_NAME);
+ resourceTypeEntity.setId(ResourceType.CLUSTER.getId());
+ resourceTypeEntity.setName(ResourceType.CLUSTER.name());
resourceTypeEntity = resourceTypeDAO.merge(resourceTypeEntity);
}
ResourceEntity resourceEntity = new ResourceEntity();
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
index 8e424f7..da85502 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
@@ -42,6 +42,7 @@ import org.apache.ambari.server.orm.entities.PrivilegeEntity;
import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import org.apache.ambari.server.orm.entities.UserEntity;
+import org.apache.ambari.server.security.authorization.ResourceType;
import org.easymock.EasyMock;
import org.junit.Test;
@@ -88,7 +89,7 @@ public class UserPrivilegeResourceProviderTest {
EasyMock.expect(userEntity.getUserName()).andReturn("user").anyTimes();
EasyMock.expect(privilegeEntity.getResource()).andReturn(resourceEntity).anyTimes();
EasyMock.expect(resourceEntity.getResourceType()).andReturn(resourceTypeEntity).anyTimes();
- EasyMock.expect(resourceTypeEntity.getId()).andReturn(ResourceTypeEntity.AMBARI_RESOURCE_TYPE);
+ EasyMock.expect(resourceTypeEntity.getName()).andReturn(ResourceType.AMBARI.name());
EasyMock.replay(userDAO, userEntity, principalEntity, privilegeEntity, permissionEntity, principalTypeEntity, resourceEntity, resourceTypeEntity);
http://git-wip-us.apache.org/repos/asf/ambari/blob/aec920c3/ambari-server/src/test/java/org/apache/ambari/server/orm/OrmTestHelper.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/orm/OrmTestHelper.java b/ambari-server/src/test/java/org/apache/ambari/server/orm/OrmTestHelper.java
index c5bb6e6..71b89c3 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/orm/OrmTestHelper.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/orm/OrmTestHelper.java
@@ -71,6 +71,7 @@ import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import org.apache.ambari.server.orm.entities.StackEntity;
import org.apache.ambari.server.orm.entities.StageEntity;
import org.apache.ambari.server.orm.entities.UserEntity;
+import org.apache.ambari.server.security.authorization.ResourceType;
import org.apache.ambari.server.state.Cluster;
import org.apache.ambari.server.state.Clusters;
import org.apache.ambari.server.state.Host;
@@ -143,8 +144,8 @@ public class OrmTestHelper {
StackEntity stackEntity = stackDAO.find("HDP", "2.2.0");
ResourceTypeEntity resourceTypeEntity = new ResourceTypeEntity();
- resourceTypeEntity.setId(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
- resourceTypeEntity.setName(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE_NAME);
+ resourceTypeEntity.setId(ResourceType.CLUSTER.getId());
+ resourceTypeEntity.setName(ResourceType.CLUSTER.name());
ResourceEntity resourceEntity = new ResourceEntity();
resourceEntity.setResourceType(resourceTypeEntity);
@@ -325,8 +326,8 @@ public class OrmTestHelper {
ResourceTypeDAO resourceTypeDAO = injector.getInstance(ResourceTypeDAO.class);
ResourceTypeEntity resourceTypeEntity = new ResourceTypeEntity();
- resourceTypeEntity.setId(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE);
- resourceTypeEntity.setName(ResourceTypeEntity.CLUSTER_RESOURCE_TYPE_NAME);
+ resourceTypeEntity.setId(ResourceType.CLUSTER.getId());
+ resourceTypeEntity.setName(ResourceType.CLUSTER.name());
resourceTypeEntity = resourceTypeDAO.merge(resourceTypeEntity);
ResourceEntity resourceEntity = new ResourceEntity();