Posted to issues@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2016/10/19 15:45:58 UTC
[jira] [Created] (AMBARI-18635) Authorizations given to roles,
should use generic role-based principals rather than hard-coded
pseudo-role-based principals
Robert Levas created AMBARI-18635:
-------------------------------------
Summary: Authorizations given to roles, should use generic role-based principals rather than hard-coded pseudo-role-based principals
Key: AMBARI-18635
URL: https://issues.apache.org/jira/browse/AMBARI-18635
Project: Ambari
Issue Type: Bug
Components: ambari-server
Affects Versions: 2.4.0
Reporter: Robert Levas
Assignee: Robert Levas
Fix For: 2.5.0
Authorizations given to roles should use generic role-based principals rather than hard-coded resource types.
Access to views can be assigned to all users with a given role. The implementation for this led to the creation of hard-coded principals that represent the current set of roles. This is not dynamic enough for possible future enhancements where new roles may be created by administrators.
This needs to be changed such that, rather than using the hard-coded pseudo-role-principals, the dynamically generated role-principals are used.
The hard-coded pseudo-role-principals have the following {{adminprincipaltype}} values as opposed to "ROLE":
* ALL.CLUSTER.ADMINISTRATOR
* ALL.CLUSTER.OPERATOR
* ALL.SERVICE.ADMINISTRATOR
* ALL.SERVICE.OPERATOR
* ALL.CLUSTER.USER
These should be removed along with the associated {{adminprincipal}} records.
Also, the FE should be updated to set permissions using the dynamic role-principals.
Finally, code should be cleaned up to remove unneeded code in:
* org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper
* org.apache.ambari.server.controller.internal.GroupPrivilegeResourceProvider#getResources
* org.apache.ambari.server.controller.internal.PrivilegeResourceProvider#toEntity
* org.apache.ambari.server.controller.internal.UserPrivilegeResourceProvider#getResources
* org.apache.ambari.server.security.authorization.AuthorizationHelper#isAuthorized
* org.apache.ambari.server.view.ViewRegistry#addClusterInheritedPermissions
* ...