Posted to issues@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2016/10/19 15:45:58 UTC

[jira] [Created] (AMBARI-18635) Authorizations given to roles, should use generic role-based principals rather than hard-coded pseudo-role-based principals

Robert Levas created AMBARI-18635:
-------------------------------------

             Summary: Authorizations given to roles, should use generic role-based principals rather than hard-coded pseudo-role-based principals
                 Key: AMBARI-18635
                 URL: https://issues.apache.org/jira/browse/AMBARI-18635
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
    Affects Versions: 2.4.0
            Reporter: Robert Levas
            Assignee: Robert Levas
             Fix For: 2.5.0


Authorizations given to roles should use generic role-based principals rather than hard-coded resource types.

Access to views can be assigned to all users with a given role.  The implementation for this led to the creation of hard-coded principals that represent the current set of roles. This is not dynamic enough for possible future enhancements where new roles may be created by administrators.

This needs to be changed such that, rather than using the hard-coded pseudo-role-principals, the dynamically generated role-principals are used.

The hard-coded pseudo-role-principals have the following {{adminprincipaltype}} values as opposed to "ROLE":

* ALL.CLUSTER.ADMINISTRATOR
* ALL.CLUSTER.OPERATOR
* ALL.SERVICE.ADMINISTRATOR
* ALL.SERVICE.OPERATOR
* ALL.CLUSTER.USER

These should be removed along with the associated {{adminprincipal}} records. 

Also, the FE should be updated to set permissions using the dynamic role-principals.

Finally, code should be cleaned up to remove unneeded code in:
* org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper
* org.apache.ambari.server.controller.internal.GroupPrivilegeResourceProvider#getResources
* org.apache.ambari.server.controller.internal.PrivilegeResourceProvider#toEntity
* org.apache.ambari.server.controller.internal.UserPrivilegeResourceProvider#getResources
* org.apache.ambari.server.security.authorization.AuthorizationHelper#isAuthorized
* org.apache.ambari.server.view.ViewRegistry#addClusterInheritedPermissions
* ...



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)