Posted to commits@ambari.apache.org by rl...@apache.org on 2015/12/09 18:51:46 UTC
[1/3] ambari git commit: AMBARI-14192. Enforce granular role-based
access control for service functions (rlevas)
Repository: ambari
Updated Branches:
refs/heads/trunk c17f410a1 -> f08db5c99
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ServiceResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ServiceResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ServiceResourceProviderTest.java
index fc0c1cc..f067f49 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ServiceResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ServiceResourceProviderTest.java
@@ -37,6 +37,8 @@ import org.apache.ambari.server.controller.spi.SystemException;
import org.apache.ambari.server.controller.utilities.PredicateBuilder;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
import org.apache.ambari.server.metadata.RoleCommandOrder;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.serveraction.kerberos.KerberosAdminAuthenticationException;
import org.apache.ambari.server.serveraction.kerberos.KerberosMissingAdminCredentialsException;
import org.apache.ambari.server.state.Cluster;
@@ -50,8 +52,12 @@ import org.apache.ambari.server.state.ServiceFactory;
import org.apache.ambari.server.state.StackId;
import org.apache.ambari.server.state.State;
import org.easymock.Capture;
+import org.easymock.EasyMock;
import org.junit.Assert;
+import org.junit.Before;
import org.junit.Test;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
import java.lang.reflect.Field;
import java.util.Collection;
@@ -74,6 +80,7 @@ import static org.easymock.EasyMock.eq;
import static org.easymock.EasyMock.expect;
import static org.easymock.EasyMock.expectLastCall;
import static org.easymock.EasyMock.isNull;
+import static org.easymock.EasyMock.newCapture;
import static org.easymock.EasyMock.replay;
import static org.easymock.EasyMock.reset;
import static org.easymock.EasyMock.verify;
@@ -82,9 +89,27 @@ import static org.easymock.EasyMock.verify;
* ServiceResourceProvider tests.
*/
public class ServiceResourceProviderTest {
+ @Before
+ public void clearAuthentication() {
+ SecurityContextHolder.getContext().setAuthentication(null);
+ }
@Test
- public void testCreateResources() throws Exception{
+ public void testCreateResourcesAsAdministrator() throws Exception{
+ testCreateResources(TestAuthenticationFactory.createAdministrator());
+ }
+
+ @Test
+ public void testCreateResourcesAsClusterAdministrator() throws Exception{
+ testCreateResources(TestAuthenticationFactory.createClusterAdministrator());
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testCreateResourcesAsServiceAdministrator() throws Exception{
+ testCreateResources(TestAuthenticationFactory.createServiceAdministrator());
+ }
+
+ private void testCreateResources(Authentication authentication) throws Exception{
AmbariManagementController managementController = createNiceMock(AmbariManagementController.class);
Clusters clusters = createNiceMock(Clusters.class);
Cluster cluster = createNiceMock(Cluster.class);
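Review bot: `clearAuthentication()` resets the security context only before each test, so whichever test runs last leaves its `Authentication` in the thread-bound `SecurityContextHolder` for any test class that later runs on the same thread. In authorization tests a leftover administrator principal can let unrelated tests pass checks they ought to fail. A teardown such as `@After public void cleanupAuthentication() { SecurityContextHolder.clearContext(); }` (with `import org.junit.After;`) would keep the class self-contained.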
@@ -93,7 +118,7 @@ public class ServiceResourceProviderTest {
ServiceFactory serviceFactory = createNiceMock(ServiceFactory.class);
AmbariMetaInfo ambariMetaInfo = createNiceMock(AmbariMetaInfo.class);
- expect(managementController.getClusters()).andReturn(clusters);
+ expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo);
expect(managementController.getServiceFactory()).andReturn(serviceFactory);
@@ -103,12 +128,15 @@ public class ServiceResourceProviderTest {
expect(cluster.getService("Service100")).andReturn(null);
expect(cluster.getDesiredStackVersion()).andReturn(stackId);
+ expect(cluster.getClusterId()).andReturn(2L).anyTimes();
expect(ambariMetaInfo.isValidService( (String) anyObject(), (String) anyObject(), (String) anyObject())).andReturn(true);
// replay
replay(managementController, clusters, cluster, service, ambariMetaInfo, stackId, serviceFactory);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
ResourceProvider provider = getServiceProvider(managementController);
// add the property map to a set for the request. add more maps for multiple creates
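Review bot: The literal `2L` returned for `cluster.getClusterId()` is undocumented. It presumably has to match the cluster resource id on which the `TestAuthenticationFactory` principals hold their privileges, but that is not visible in this diff. A comment such as `// must match the cluster resource id used by TestAuthenticationFactory`, or a shared constant, would keep a later edit from silently changing which role checks pass. The same literal is added in the update, reconfigure-clients and delete hunks further down, and the testCreateResources helper continues outside this hunk.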
@@ -134,7 +162,21 @@ public class ServiceResourceProviderTest {
}
@Test
- public void testGetResources() throws Exception{
+ public void testGetResourcesAsAdministrator() throws Exception{
+ testGetResources(TestAuthenticationFactory.createAdministrator());
+ }
+
+ @Test
+ public void testGetResourcesAsClusterAdministrator() throws Exception{
+ testGetResources(TestAuthenticationFactory.createClusterAdministrator());
+ }
+
+ @Test
+ public void testGetResourcesAsServiceAdministrator() throws Exception{
+ testGetResources(TestAuthenticationFactory.createServiceAdministrator());
+ }
+
+ private void testGetResources(Authentication authentication) throws Exception{
AmbariManagementController managementController = createMock(AmbariManagementController.class);
Clusters clusters = createNiceMock(Clusters.class);
Cluster cluster = createNiceMock(Cluster.class);
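Review bot: All three `testGetResources*` variants expect success, so they would still pass if the provider performed no authorization check on reads at all; the same holds for the `testUpdateResources*` variants further down. If some principal is meant to be refused here (which cannot be determined from the diff), a negative case asserting `AuthorizationException` would pin that behaviour. The testGetResources helper body continues outside this hunk.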
@@ -164,7 +206,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getServiceFactory()).andReturn(serviceFactory).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).
andReturn(Collections.<ServiceComponentHostResponse>emptySet()).anyTimes();
expect(clusters.getCluster("Cluster100")).andReturn(cluster).anyTimes();
@@ -207,6 +249,8 @@ public class ServiceResourceProviderTest {
serviceResponse0, serviceResponse1, serviceResponse2, serviceResponse3, serviceResponse4,
ambariMetaInfo, stackId, serviceFactory);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
ResourceProvider provider = getServiceProvider(managementController);
Set<String> propertyIds = new HashSet<String>();
@@ -281,7 +325,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getServiceFactory()).andReturn(serviceFactory).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).
andReturn(Collections.<ServiceComponentHostResponse>emptySet()).anyTimes();
expect(clusters.getCluster("Cluster100")).andReturn(cluster).anyTimes();
@@ -302,6 +346,8 @@ public class ServiceResourceProviderTest {
replay(managementController, clusters, cluster, service0, serviceResponse0,
ambariMetaInfo, stackId, serviceFactory, kerberosHeper);
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
+
ResourceProvider provider = getServiceProvider(managementController);
// set kerberos helper on provider
Class<?> c = provider.getClass();
@@ -309,11 +355,6 @@ public class ServiceResourceProviderTest {
f.setAccessible(true);
f.set(provider, kerberosHeper);
- Set<String> propertyIds = new HashSet<String>();
-
- propertyIds.add(ServiceResourceProvider.SERVICE_CLUSTER_NAME_PROPERTY_ID);
- propertyIds.add(ServiceResourceProvider.SERVICE_SERVICE_NAME_PROPERTY_ID);
-
// create the request
Predicate predicate = new PredicateBuilder().property(ServiceResourceProvider.SERVICE_CLUSTER_NAME_PROPERTY_ID).equals("Cluster100").and().
property(ServiceResourceProvider.SERVICE_SERVICE_NAME_PROPERTY_ID).equals("KERBEROS").toPredicate();
@@ -353,7 +394,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getServiceFactory()).andReturn(serviceFactory).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).
andReturn(Collections.<ServiceComponentHostResponse>emptySet()).anyTimes();
expect(clusters.getCluster("Cluster100")).andReturn(cluster).anyTimes();
@@ -375,6 +416,8 @@ public class ServiceResourceProviderTest {
replay(managementController, clusters, cluster, service0, serviceResponse0,
ambariMetaInfo, stackId, serviceFactory, kerberosHelper);
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
+
ResourceProvider provider = getServiceProvider(managementController);
// set kerberos helper on provider
Class<?> c = provider.getClass();
@@ -382,11 +425,6 @@ public class ServiceResourceProviderTest {
f.setAccessible(true);
f.set(provider, kerberosHelper);
- Set<String> propertyIds = new HashSet<String>();
-
- propertyIds.add(ServiceResourceProvider.SERVICE_CLUSTER_NAME_PROPERTY_ID);
- propertyIds.add(ServiceResourceProvider.SERVICE_SERVICE_NAME_PROPERTY_ID);
-
// create the request
Predicate predicate = new PredicateBuilder().property(ServiceResourceProvider.SERVICE_CLUSTER_NAME_PROPERTY_ID).equals("Cluster100").and().
property(ServiceResourceProvider.SERVICE_SERVICE_NAME_PROPERTY_ID).equals("KERBEROS").toPredicate();
@@ -424,7 +462,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getServiceFactory()).andReturn(serviceFactory).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).
andReturn(Collections.<ServiceComponentHostResponse>emptySet()).anyTimes();
expect(clusters.getCluster("Cluster100")).andReturn(cluster).anyTimes();
@@ -446,6 +484,8 @@ public class ServiceResourceProviderTest {
replay(managementController, clusters, cluster, service0, serviceResponse0,
ambariMetaInfo, stackId, serviceFactory, kerberosHeper);
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
+
ResourceProvider provider = getServiceProvider(managementController);
// set kerberos helper on provider
Class<?> c = provider.getClass();
@@ -453,11 +493,6 @@ public class ServiceResourceProviderTest {
f.setAccessible(true);
f.set(provider, kerberosHeper);
- Set<String> propertyIds = new HashSet<String>();
-
- propertyIds.add(ServiceResourceProvider.SERVICE_CLUSTER_NAME_PROPERTY_ID);
- propertyIds.add(ServiceResourceProvider.SERVICE_SERVICE_NAME_PROPERTY_ID);
-
// create the request
Predicate predicate = new PredicateBuilder().property(ServiceResourceProvider.SERVICE_CLUSTER_NAME_PROPERTY_ID).equals("Cluster100").and().
property(ServiceResourceProvider.SERVICE_SERVICE_NAME_PROPERTY_ID).equals("KERBEROS").toPredicate();
@@ -519,6 +554,8 @@ public class ServiceResourceProviderTest {
replay(managementController, clusters, cluster, service0, serviceResponse0,
ambariMetaInfo, stackId, serviceFactory, kerberosHeper);
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
+
ResourceProvider provider = getServiceProvider(managementController);
// set kerberos helper on provider
Class<?> c = provider.getClass();
@@ -526,11 +563,6 @@ public class ServiceResourceProviderTest {
f.setAccessible(true);
f.set(provider, kerberosHeper);
- Set<String> propertyIds = new HashSet<String>();
-
- propertyIds.add(ServiceResourceProvider.SERVICE_CLUSTER_NAME_PROPERTY_ID);
- propertyIds.add(ServiceResourceProvider.SERVICE_SERVICE_NAME_PROPERTY_ID);
-
// create the request
Predicate predicate = new PredicateBuilder().property(ServiceResourceProvider.SERVICE_CLUSTER_NAME_PROPERTY_ID).equals("Cluster100").and().
property(ServiceResourceProvider.SERVICE_SERVICE_NAME_PROPERTY_ID).equals("KERBEROS").toPredicate();
@@ -550,9 +582,22 @@ public class ServiceResourceProviderTest {
ambariMetaInfo, stackId, serviceFactory, kerberosHeper);
}
+ @Test
+ public void testUpdateResourcesAsAdministrator() throws Exception{
+ testUpdateResources(TestAuthenticationFactory.createAdministrator());
+ }
@Test
- public void testUpdateResources() throws Exception{
+ public void testUpdateResourcesAsClusterAdministrator() throws Exception{
+ testUpdateResources(TestAuthenticationFactory.createClusterAdministrator());
+ }
+
+ @Test
+ public void testUpdateResourcesAsServiceAdministrator() throws Exception{
+ testUpdateResources(TestAuthenticationFactory.createServiceAdministrator());
+ }
+
+ private void testUpdateResources(Authentication authentication) throws Exception{
MaintenanceStateHelper maintenanceStateHelper = createNiceMock(MaintenanceStateHelper.class);
AmbariManagementController managementController = createMock(AmbariManagementController.class);
Clusters clusters = createNiceMock(Clusters.class);
@@ -574,18 +619,19 @@ public class ServiceResourceProviderTest {
expect(clusters.getCluster("Cluster100")).andReturn(cluster).anyTimes();
+ expect(cluster.getClusterId()).andReturn(2L).anyTimes();
expect(cluster.getService("Service102")).andReturn(service0);
expect(service0.getDesiredState()).andReturn(State.INSTALLED).anyTimes();
expect(service0.getServiceComponents()).andReturn(Collections.<String, ServiceComponent>emptyMap()).anyTimes();
- Capture<Map<String, String>> requestPropertiesCapture = new Capture<Map<String, String>>();
- Capture<Map<State, List<Service>>> changedServicesCapture = new Capture<Map<State, List<Service>>>();
- Capture<Map<State, List<ServiceComponent>>> changedCompsCapture = new Capture<Map<State, List<ServiceComponent>>>();
- Capture<Map<String, Map<State, List<ServiceComponentHost>>>> changedScHostsCapture = new Capture<Map<String, Map<State, List<ServiceComponentHost>>>>();
- Capture<Map<String, String>> requestParametersCapture = new Capture<Map<String, String>>();
- Capture<Collection<ServiceComponentHost>> ignoredScHostsCapture = new Capture<Collection<ServiceComponentHost>>();
- Capture<Cluster> clusterCapture = new Capture<Cluster>();
+ Capture<Map<String, String>> requestPropertiesCapture = newCapture();
+ Capture<Map<State, List<Service>>> changedServicesCapture = newCapture();
+ Capture<Map<State, List<ServiceComponent>>> changedCompsCapture = newCapture();
+ Capture<Map<String, Map<State, List<ServiceComponentHost>>>> changedScHostsCapture = newCapture();
+ Capture<Map<String, String>> requestParametersCapture = newCapture();
+ Capture<Collection<ServiceComponentHost>> ignoredScHostsCapture = newCapture();
+ Capture<Cluster> clusterCapture = newCapture();
expect(managementController.addStages((RequestStageContainer) isNull(), capture(clusterCapture), capture(requestPropertiesCapture),
capture(requestParametersCapture), capture(changedServicesCapture), capture(changedCompsCapture),
@@ -605,6 +651,8 @@ public class ServiceResourceProviderTest {
replay(managementController, clusters, cluster, rco, maintenanceStateHelper,
service0, serviceFactory, ambariMetaInfo, requestStages, requestStatusResponse);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
ServiceResourceProvider provider = getServiceProvider(managementController, maintenanceStateHelper);
// add the property map to a set for the request.
@@ -626,7 +674,21 @@ public class ServiceResourceProviderTest {
}
@Test
- public void testReconfigureClientsFlag() throws Exception {
+ public void testReconfigureClientsFlagAsAdministrator() throws Exception {
+ testReconfigureClientsFlag(TestAuthenticationFactory.createAdministrator());
+ }
+
+ @Test
+ public void testReconfigureClientsFlagAsClusterAdministrator() throws Exception {
+ testReconfigureClientsFlag(TestAuthenticationFactory.createAdministrator("clusterAdmin"));
+ }
+
+ @Test
+ public void testReconfigureClientsFlagAsServiceAdministrator() throws Exception {
+ testReconfigureClientsFlag(TestAuthenticationFactory.createServiceAdministrator());
+ }
+
+ private void testReconfigureClientsFlag(Authentication authentication) throws Exception {
MaintenanceStateHelper maintenanceStateHelper = createNiceMock(MaintenanceStateHelper.class);
AmbariManagementController managementController1 = createMock(AmbariManagementController.class);
AmbariManagementController managementController2 = createMock
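Review bot: `testReconfigureClientsFlagAsClusterAdministrator` passes `TestAuthenticationFactory.createAdministrator("clusterAdmin")`, while every other `*AsClusterAdministrator` test in this commit uses `createClusterAdministrator()`. Judging by the factory method names, this builds a full administrator that is merely named "clusterAdmin", so the cluster-administrator role is probably not exercised by this test. Suggest `testReconfigureClientsFlag(TestAuthenticationFactory.createClusterAdministrator());`. The helper's body continues outside the hunk.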
@@ -648,9 +710,9 @@ public class ServiceResourceProviderTest {
mapRequestProps.put("context", "Called from a test");
// set expectations
- expect(managementController1.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).
+ expect(managementController1.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).
andReturn(Collections.<ServiceComponentHostResponse>emptySet()).anyTimes();
- expect(managementController2.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).
+ expect(managementController2.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).
andReturn(Collections.<ServiceComponentHostResponse>emptySet()).anyTimes();
expect(clusters.getCluster("Cluster100")).andReturn(cluster).anyTimes();
@@ -661,6 +723,7 @@ public class ServiceResourceProviderTest {
expect(managementController2.getClusters()).andReturn(clusters).anyTimes();
expect(managementController2.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
+ expect(cluster.getClusterId()).andReturn(2L).anyTimes();
expect(cluster.getService("Service102")).andReturn(service0).anyTimes();
expect(service0.convertToResponse()).andReturn(serviceResponse0).anyTimes();
@@ -670,13 +733,13 @@ public class ServiceResourceProviderTest {
expect(serviceResponse0.getClusterName()).andReturn("Cluster100").anyTimes();
expect(serviceResponse0.getServiceName()).andReturn("Service102").anyTimes();
- Capture<Map<String, String>> requestPropertiesCapture = new Capture<Map<String, String>>();
- Capture<Map<State, List<Service>>> changedServicesCapture = new Capture<Map<State, List<Service>>>();
- Capture<Map<State, List<ServiceComponent>>> changedCompsCapture = new Capture<Map<State, List<ServiceComponent>>>();
- Capture<Map<String, Map<State, List<ServiceComponentHost>>>> changedScHostsCapture = new Capture<Map<String, Map<State, List<ServiceComponentHost>>>>();
- Capture<Map<String, String>> requestParametersCapture = new Capture<Map<String, String>>();
- Capture<Collection<ServiceComponentHost>> ignoredScHostsCapture = new Capture<Collection<ServiceComponentHost>>();
- Capture<Cluster> clusterCapture = new Capture<Cluster>();
+ Capture<Map<String, String>> requestPropertiesCapture = newCapture();
+ Capture<Map<State, List<Service>>> changedServicesCapture = newCapture();
+ Capture<Map<State, List<ServiceComponent>>> changedCompsCapture = newCapture();
+ Capture<Map<String, Map<State, List<ServiceComponentHost>>>> changedScHostsCapture = newCapture();
+ Capture<Map<String, String>> requestParametersCapture = newCapture();
+ Capture<Collection<ServiceComponentHost>> ignoredScHostsCapture = newCapture();
+ Capture<Cluster> clusterCapture = newCapture();
expect(managementController1.addStages((RequestStageContainer) isNull(), capture(clusterCapture), capture(requestPropertiesCapture),
capture(requestParametersCapture), capture(changedServicesCapture), capture(changedCompsCapture),
@@ -708,6 +771,8 @@ public class ServiceResourceProviderTest {
replay(managementController1, response1, managementController2, requestStages1, requestStages2, response2,
clusters, cluster, service0, serviceResponse0, ambariMetaInfo, rco, maintenanceStateHelper);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
ServiceResourceProvider provider1 = getServiceProvider(managementController1, maintenanceStateHelper);
ServiceResourceProvider provider2 = getServiceProvider(managementController2, maintenanceStateHelper);
@@ -743,7 +808,21 @@ public class ServiceResourceProviderTest {
}
@Test
- public void testDeleteResources() throws Exception{
+ public void testDeleteResourcesAsAdministrator() throws Exception{
+ testDeleteResources(TestAuthenticationFactory.createAdministrator());
+ }
+
+ @Test
+ public void testDeleteResourcesAsClusterAdministrator() throws Exception{
+ testDeleteResources(TestAuthenticationFactory.createClusterAdministrator());
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testDeleteResourcesAsServiceAdministrator() throws Exception{
+ testDeleteResources(TestAuthenticationFactory.createServiceAdministrator());
+ }
+
+ private void testDeleteResources(Authentication authentication) throws Exception{
AmbariManagementController managementController = createMock(AmbariManagementController.class);
Clusters clusters = createNiceMock(Clusters.class);
Cluster cluster = createNiceMock(Cluster.class);
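Review bot: `@Test(expected = AuthorizationException.class)` on `testDeleteResourcesAsServiceAdministrator` (and on `testCreateResourcesAsServiceAdministrator` earlier in the file) is satisfied by an exception thrown from any statement in the shared helper, and whatever the helper checks after the provider call is skipped once it throws. A refused delete or create should also be shown to have had no effect. Wrapping only the provider call in a try/catch that calls `Assert.fail(...)` when nothing is thrown, and then verifying the mocks, would show both where the denial happens and that no change went through. The helper body lies mostly outside this hunk, so where exactly the exception is raised cannot be confirmed from here.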
@@ -754,6 +833,7 @@ public class ServiceResourceProviderTest {
// set expectations
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("Cluster100")).andReturn(cluster).anyTimes();
+ expect(cluster.getClusterId()).andReturn(2L).anyTimes();
expect(cluster.getService(serviceName)).andReturn(service).anyTimes();
expect(service.getDesiredState()).andReturn(State.INSTALLED).anyTimes();
expect(service.getName()).andReturn(serviceName).anyTimes();
@@ -764,6 +844,8 @@ public class ServiceResourceProviderTest {
// replay
replay(managementController, clusters, cluster, service);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
ResourceProvider provider = getServiceProvider(managementController);
AbstractResourceProviderTest.TestObserver observer = new AbstractResourceProviderTest.TestObserver();
@@ -799,6 +881,7 @@ public class ServiceResourceProviderTest {
// set expectations
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("Cluster100")).andReturn(cluster).anyTimes();
+ expect(cluster.getClusterId()).andReturn(2L).anyTimes();
expect(cluster.getService(serviceName)).andReturn(service).anyTimes();
expect(service.getDesiredState()).andReturn(State.STARTED).anyTimes();
expect(service.getName()).andReturn(serviceName).anyTimes();
@@ -809,6 +892,8 @@ public class ServiceResourceProviderTest {
// replay
replay(managementController, clusters, cluster, service);
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
+
ResourceProvider provider = getServiceProvider(managementController);
AbstractResourceProviderTest.TestObserver observer = new AbstractResourceProviderTest.TestObserver();
@@ -859,6 +944,8 @@ public class ServiceResourceProviderTest {
// replay
replay(managementController, clusters, cluster, service, sc);
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
+
ResourceProvider provider = getServiceProvider(managementController);
AbstractResourceProviderTest.TestObserver observer = new AbstractResourceProviderTest.TestObserver();
@@ -900,7 +987,7 @@ public class ServiceResourceProviderTest {
Component = component;
DesiredState = desiredState;
}
- };
+ }
//
// Set up three components in INSTALLED state, so that the service can be deleted, no matter what state the service is in
@@ -936,6 +1023,8 @@ public class ServiceResourceProviderTest {
// replay
replay(managementController, clusters, cluster, service, component1.Component, component2.Component, component3.Component);
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
+
ResourceProvider provider = getServiceProvider(managementController);
AbstractResourceProviderTest.TestObserver observer = new AbstractResourceProviderTest.TestObserver();
@@ -1026,7 +1115,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("C1")).andReturn(cluster).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).andReturn(responses).anyTimes();
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).andReturn(responses).anyTimes();
expect(cluster.getDesiredStackVersion()).andReturn(stackId);
expect(stackId.getStackName()).andReturn("S1").anyTimes();
@@ -1077,7 +1166,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("C1")).andReturn(cluster).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).andReturn(responses).anyTimes();
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).andReturn(responses).anyTimes();
expect(cluster.getDesiredStackVersion()).andReturn(stackId);
expect(stackId.getStackName()).andReturn("S1").anyTimes();
@@ -1126,7 +1215,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("C1")).andReturn(cluster).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).andReturn(responses).anyTimes();
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).andReturn(responses).anyTimes();
expect(cluster.getDesiredStackVersion()).andReturn(stackId);
expect(stackId.getStackName()).andReturn("S1").anyTimes();
@@ -1175,7 +1264,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("C1")).andReturn(cluster).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).andReturn(responses).anyTimes();
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).andReturn(responses).anyTimes();
expect(cluster.getDesiredStackVersion()).andReturn(stackId);
expect(stackId.getStackName()).andReturn("S1").anyTimes();
@@ -1221,7 +1310,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("C1")).andReturn(cluster).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).andReturn(responses).anyTimes();
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).andReturn(responses).anyTimes();
expect(cluster.getDesiredStackVersion()).andReturn(stackId);
expect(stackId.getStackName()).andReturn("S1").anyTimes();
@@ -1268,7 +1357,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("C1")).andReturn(cluster).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).andReturn(responses).anyTimes();
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).andReturn(responses).anyTimes();
expect(cluster.getDesiredStackVersion()).andReturn(stackId);
expect(stackId.getStackName()).andReturn("S1").anyTimes();
@@ -1316,7 +1405,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("C1")).andReturn(cluster).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).andReturn(responses).anyTimes();
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).andReturn(responses).anyTimes();
expect(cluster.getDesiredStackVersion()).andReturn(stackId);
expect(stackId.getStackName()).andReturn("S1").anyTimes();
@@ -1370,7 +1459,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("C1")).andReturn(cluster).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).andReturn(responses).anyTimes();
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).andReturn(responses).anyTimes();
expect(cluster.getDesiredStackVersion()).andReturn(stackId);
expect(stackId.getStackName()).andReturn("S1").anyTimes();
@@ -1426,7 +1515,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("C1")).andReturn(cluster).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).andReturn(responses).anyTimes();
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).andReturn(responses).anyTimes();
expect(cluster.getDesiredStackVersion()).andReturn(stackId);
expect(stackId.getStackName()).andReturn("S1").anyTimes();
@@ -1484,7 +1573,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("C1")).andReturn(cluster).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).andReturn(responses).anyTimes();
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).andReturn(responses).anyTimes();
expect(cluster.getDesiredStackVersion()).andReturn(stackId);
expect(stackId.getStackName()).andReturn("S1").anyTimes();
@@ -1534,7 +1623,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("C1")).andReturn(cluster).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).andReturn(responses).anyTimes();
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).andReturn(responses).anyTimes();
expect(cluster.getDesiredStackVersion()).andReturn(stackId);
expect(stackId.getStackName()).andReturn("S1").anyTimes();
@@ -1582,7 +1671,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("C1")).andReturn(cluster).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).andReturn(responses).anyTimes();
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).andReturn(responses).anyTimes();
expect(cluster.getDesiredStackVersion()).andReturn(stackId);
expect(stackId.getStackName()).andReturn("S1").anyTimes();
@@ -1630,7 +1719,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("C1")).andReturn(cluster).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).andReturn(responses).anyTimes();
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).andReturn(responses).anyTimes();
expect(cluster.getDesiredStackVersion()).andReturn(stackId);
expect(stackId.getStackName()).andReturn("S1").anyTimes();
@@ -1676,7 +1765,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("C1")).andReturn(cluster).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).andReturn(responses).anyTimes();
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).andReturn(responses).anyTimes();
expect(cluster.getDesiredStackVersion()).andReturn(stackId);
expect(stackId.getStackName()).andReturn("S1").anyTimes();
@@ -1719,7 +1808,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("C1")).andReturn(cluster).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).andReturn(responses).anyTimes();
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).andReturn(responses).anyTimes();
expect(cluster.getDesiredStackVersion()).andReturn(stackId);
expect(stackId.getStackName()).andReturn("S1").anyTimes();
@@ -1769,7 +1858,7 @@ public class ServiceResourceProviderTest {
expect(componentInfo.isMaster()).andReturn(false).once();
expect(componentInfo.isMaster()).andReturn(true).once();
expect(componentInfo.isClient()).andReturn(false).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).andReturn(responses).anyTimes();
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).andReturn(responses).anyTimes();
expect(cluster.getDesiredStackVersion()).andReturn(stackId);
expect(stackId.getStackName()).andReturn("S1").anyTimes();
@@ -1810,7 +1899,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("C1")).andReturn(cluster).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).andReturn(responses).anyTimes();
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).andReturn(responses).anyTimes();
expect(cluster.getDesiredStackVersion()).andReturn(stackId);
expect(stackId.getStackName()).andReturn("S1").anyTimes();
@@ -1853,7 +1942,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("C1")).andReturn(cluster).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).andReturn(responses).anyTimes();
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).andReturn(responses).anyTimes();
expect(cluster.getDesiredStackVersion()).andReturn(stackId);
expect(stackId.getStackName()).andReturn("S1").anyTimes();
@@ -1893,7 +1982,7 @@ public class ServiceResourceProviderTest {
// set expectations
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("C1")).andReturn(cluster).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).andReturn(responses).anyTimes();
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).andReturn(responses).anyTimes();
replay(managementController, clusters, cluster);
@@ -1922,7 +2011,7 @@ public class ServiceResourceProviderTest {
// set expectations
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("C1")).andReturn(cluster).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).andReturn(responses).anyTimes();
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).andReturn(responses).anyTimes();
replay(managementController, clusters, cluster);
@@ -1960,7 +2049,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("C1")).andReturn(cluster).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).andReturn(responses).anyTimes();
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).andReturn(responses).anyTimes();
expect(cluster.getDesiredStackVersion()).andReturn(stackId);
expect(stackId.getStackName()).andReturn("S1").anyTimes();
@@ -2016,7 +2105,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("C1")).andReturn(cluster).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).andReturn(responses).anyTimes();
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).andReturn(responses).anyTimes();
expect(cluster.getDesiredStackVersion()).andReturn(stackId);
expect(stackId.getStackName()).andReturn("S1").anyTimes();
@@ -2080,7 +2169,7 @@ public class ServiceResourceProviderTest {
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(clusters.getCluster("C1")).andReturn(cluster).anyTimes();
- expect(managementController.getHostComponents((Set<ServiceComponentHostRequest>) anyObject())).andReturn(responses).anyTimes();
+ expect(managementController.getHostComponents(EasyMock.<Set<ServiceComponentHostRequest>>anyObject())).andReturn(responses).anyTimes();
expect(cluster.getDesiredStackVersion()).andReturn(stackId).anyTimes();
expect(stackId.getStackName()).andReturn("S1").anyTimes();
@@ -2177,7 +2266,8 @@ public class ServiceResourceProviderTest {
managementController, maintenanceStateHelper);
}
- public static void createServices(AmbariManagementController controller, Set<ServiceRequest> requests) throws AmbariException {
+ public static void createServices(AmbariManagementController controller, Set<ServiceRequest> requests)
+ throws AmbariException, AuthorizationException {
ServiceResourceProvider provider = getServiceProvider(controller);
provider.createServices(requests);
}
@@ -2191,8 +2281,8 @@ public class ServiceResourceProviderTest {
public static RequestStatusResponse updateServices(AmbariManagementController controller,
Set<ServiceRequest> requests,
Map<String, String> requestProperties, boolean runSmokeTest,
- boolean reconfigureClients) throws AmbariException
- {
+ boolean reconfigureClients)
+ throws AmbariException, AuthorizationException {
return updateServices(controller, requests, requestProperties, runSmokeTest, reconfigureClients, null);
}
@@ -2204,8 +2294,8 @@ public class ServiceResourceProviderTest {
Set<ServiceRequest> requests,
Map<String, String> requestProperties, boolean runSmokeTest,
boolean reconfigureClients,
- MaintenanceStateHelper maintenanceStateHelper) throws AmbariException
- {
+ MaintenanceStateHelper maintenanceStateHelper)
+ throws AmbariException, AuthorizationException {
ServiceResourceProvider provider;
if (maintenanceStateHelper != null) {
provider = getServiceProvider(controller, maintenanceStateHelper);
@@ -2221,7 +2311,7 @@ public class ServiceResourceProviderTest {
public static RequestStatusResponse deleteServices(AmbariManagementController controller, Set<ServiceRequest> requests)
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
ServiceResourceProvider provider = getServiceProvider(controller);
return provider.deleteServices(requests);
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java b/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
index 94f119c..8abe757 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
@@ -30,25 +30,52 @@ import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import java.util.ArrayList;
-import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;
public class TestAuthenticationFactory {
+ public static Authentication createAdministrator() {
+ return createAdministrator("admin");
+ }
+
public static Authentication createAdministrator(String name) {
return new TestAuthorization(name, Collections.singleton(createAdministratorGrantedAuthority()));
}
+ public static Authentication createClusterAdministrator() {
+ return createClusterAdministrator("clusterAdmin");
+ }
+
public static Authentication createClusterAdministrator(String name) {
return new TestAuthorization(name, Collections.singleton(createClusterAdministratorGrantedAuthority()));
}
+ public static Authentication createServiceAdministrator() {
+ return createServiceAdministrator("serviceAdmin");
+ }
+
public static Authentication createServiceAdministrator(String name) {
return new TestAuthorization(name, Collections.singleton(createServiceAdministratorGrantedAuthority()));
}
+ public static Authentication createServiceOperator() {
+ return createServiceOperator("serviceOp");
+ }
+
+ public static Authentication createServiceOperator(String name) {
+ return new TestAuthorization(name, Collections.singleton(createServiceOperatorGrantedAuthority()));
+ }
+
+ public static Authentication createClusterUser() {
+ return createClusterUser("clusterUser");
+ }
+
+ public static Authentication createClusterUser(String name) {
+ return new TestAuthorization(name, Collections.singleton(createClusterUserGrantedAuthority()));
+ }
+
private static GrantedAuthority createAdministratorGrantedAuthority() {
return new AmbariGrantedAuthority(createAdministratorPrivilegeEntity());
}
@@ -61,6 +88,14 @@ public class TestAuthenticationFactory {
return new AmbariGrantedAuthority(createServiceAdministratorPrivilegeEntity());
}
+ private static GrantedAuthority createServiceOperatorGrantedAuthority() {
+ return new AmbariGrantedAuthority(createServiceOperatorPrivilegeEntity());
+ }
+
+ private static GrantedAuthority createClusterUserGrantedAuthority() {
+ return new AmbariGrantedAuthority(createClusterUserPrivilegeEntity());
+ }
+
private static PrivilegeEntity createAdministratorPrivilegeEntity() {
PrivilegeEntity privilegeEntity = new PrivilegeEntity();
privilegeEntity.setResource(createAmbariResourceEntity());
@@ -82,6 +117,20 @@ public class TestAuthenticationFactory {
return privilegeEntity;
}
+ private static PrivilegeEntity createServiceOperatorPrivilegeEntity() {
+ PrivilegeEntity privilegeEntity = new PrivilegeEntity();
+ privilegeEntity.setResource(createClusterResourceEntity());
+ privilegeEntity.setPermission(createServiceOperatorPermission());
+ return privilegeEntity;
+ }
+
+ private static PrivilegeEntity createClusterUserPrivilegeEntity() {
+ PrivilegeEntity privilegeEntity = new PrivilegeEntity();
+ privilegeEntity.setResource(createClusterResourceEntity());
+ privilegeEntity.setPermission(createClusterUserPermission());
+ return privilegeEntity;
+ }
+
private static PermissionEntity createAdministratorPermission() {
PermissionEntity permissionEntity = new PermissionEntity();
permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.AMBARI));
@@ -93,6 +142,8 @@ public class TestAuthenticationFactory {
PermissionEntity permissionEntity = new PermissionEntity();
permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.CLUSTER));
permissionEntity.setAuthorizations(createAuthorizations(EnumSet.of(
+ RoleAuthorization.CLUSTER_MANAGE_CREDENTIALS,
+ RoleAuthorization.CLUSTER_MODIFY_CONFIGS,
RoleAuthorization.CLUSTER_TOGGLE_ALERTS,
RoleAuthorization.CLUSTER_TOGGLE_KERBEROS,
RoleAuthorization.CLUSTER_UPGRADE_DOWNGRADE_STACK,
@@ -156,6 +207,50 @@ public class TestAuthenticationFactory {
return permissionEntity;
}
+ private static PermissionEntity createServiceOperatorPermission() {
+ PermissionEntity permissionEntity = new PermissionEntity();
+ permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.CLUSTER));
+ permissionEntity.setAuthorizations(createAuthorizations(EnumSet.of(
+ RoleAuthorization.SERVICE_VIEW_CONFIGS,
+ RoleAuthorization.SERVICE_VIEW_METRICS,
+ RoleAuthorization.SERVICE_VIEW_STATUS_INFO,
+ RoleAuthorization.SERVICE_COMPARE_CONFIGS,
+ RoleAuthorization.SERVICE_VIEW_ALERTS,
+ RoleAuthorization.SERVICE_START_STOP,
+ RoleAuthorization.SERVICE_DECOMMISSION_RECOMMISSION,
+ RoleAuthorization.SERVICE_RUN_CUSTOM_COMMAND,
+ RoleAuthorization.SERVICE_RUN_SERVICE_CHECK,
+ RoleAuthorization.HOST_VIEW_CONFIGS,
+ RoleAuthorization.HOST_VIEW_METRICS,
+ RoleAuthorization.HOST_VIEW_STATUS_INFO,
+ RoleAuthorization.CLUSTER_VIEW_ALERTS,
+ RoleAuthorization.CLUSTER_VIEW_CONFIGS,
+ RoleAuthorization.CLUSTER_VIEW_STACK_DETAILS,
+ RoleAuthorization.CLUSTER_VIEW_STATUS_INFO
+ )));
+ return permissionEntity;
+ }
+
+ private static PermissionEntity createClusterUserPermission() {
+ PermissionEntity permissionEntity = new PermissionEntity();
+ permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.CLUSTER));
+ permissionEntity.setAuthorizations(createAuthorizations(EnumSet.of(
+ RoleAuthorization.SERVICE_VIEW_CONFIGS,
+ RoleAuthorization.SERVICE_VIEW_METRICS,
+ RoleAuthorization.SERVICE_VIEW_STATUS_INFO,
+ RoleAuthorization.SERVICE_COMPARE_CONFIGS,
+ RoleAuthorization.SERVICE_VIEW_ALERTS,
+ RoleAuthorization.HOST_VIEW_CONFIGS,
+ RoleAuthorization.HOST_VIEW_METRICS,
+ RoleAuthorization.HOST_VIEW_STATUS_INFO,
+ RoleAuthorization.CLUSTER_VIEW_ALERTS,
+ RoleAuthorization.CLUSTER_VIEW_CONFIGS,
+ RoleAuthorization.CLUSTER_VIEW_STACK_DETAILS,
+ RoleAuthorization.CLUSTER_VIEW_STATUS_INFO
+ )));
+ return permissionEntity;
+ }
+
private static ResourceEntity createAmbariResourceEntity() {
ResourceEntity resourceEntity = new ResourceEntity();
resourceEntity.setId(null);
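Review bot: `createServiceOperatorPermission()` and `createClusterUserPermission()` each spell out their own `EnumSet` of `RoleAuthorization` values, so the twelve view-only entries are duplicated. The two fixtures can therefore drift apart, or away from the role definitions the server actually ships, without any test failing. Because these factories decide what the RBAC tests treat as "allowed", I would derive the operator set from the cluster-user set plus the four operational entries (`SERVICE_START_STOP`, `SERVICE_DECOMMISSION_RECOMMISSION`, `SERVICE_RUN_CUSTOM_COMMAND`, `SERVICE_RUN_SERVICE_CHECK`). Each method should also get a short comment naming the role definition it mirrors, so that a change there prompts a change here.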
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
index bd1d12b..62f719d 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
@@ -131,15 +131,19 @@ public class AuthorizationHelperTest {
administratorRoleAuthorizationEntity.setAuthorizationId(RoleAuthorization.AMBARI_MANAGE_USERS.getId());
ResourceTypeEntity clusterResourceTypeEntity = new ResourceTypeEntity();
- clusterResourceTypeEntity.setId(ResourceType.CLUSTER.getId());
+ clusterResourceTypeEntity.setId(1);
clusterResourceTypeEntity.setName(ResourceType.CLUSTER.name());
+ ResourceTypeEntity cluster2ResourceTypeEntity = new ResourceTypeEntity();
+ cluster2ResourceTypeEntity.setId(2);
+ cluster2ResourceTypeEntity.setName(ResourceType.CLUSTER.name());
+
ResourceEntity clusterResourceEntity = new ResourceEntity();
clusterResourceEntity.setResourceType(clusterResourceTypeEntity);
clusterResourceEntity.setId(1L);
ResourceEntity cluster2ResourceEntity = new ResourceEntity();
- cluster2ResourceEntity.setResourceType(clusterResourceTypeEntity);
+ cluster2ResourceEntity.setResourceType(cluster2ResourceTypeEntity);
cluster2ResourceEntity.setId(2L);
PermissionEntity readOnlyPermissionEntity = new PermissionEntity();
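Review bot: The fixture now sets the resource-type ids to the literals `1` and `2` where it used `ResourceType.CLUSTER.getId()`, while both entities keep the name `ResourceType.CLUSTER.name()`, so the id and the name of a type no longer obviously agree. If the helper under test resolves a type from its id, the per-cluster assertions may be checking a different case than intended; this cannot be confirmed here because the test method and its assertions lie outside the hunk. A comment above `cluster2ResourceTypeEntity` would record the intent, for example `// separate type entity per cluster; ids are arbitrary test values (author to confirm)`. Alternatively, keep `ResourceType.CLUSTER.getId()` for both if the type id is not what distinguishes the two clusters.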
[2/3] ambari git commit: AMBARI-14192. Enforce granular role-based
access control for service functions (rlevas)
Posted by rl...@apache.org.
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerTest.java
index 9dbfcff..599d566 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerTest.java
@@ -104,6 +104,7 @@ import org.apache.ambari.server.orm.entities.HostRoleCommandEntity;
import org.apache.ambari.server.orm.entities.WidgetEntity;
import org.apache.ambari.server.orm.entities.WidgetLayoutEntity;
import org.apache.ambari.server.orm.entities.WidgetLayoutUserWidgetEntity;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.security.authorization.Users;
import org.apache.ambari.server.security.authorization.internal.InternalAuthenticationToken;
@@ -222,9 +223,7 @@ public class AmbariManagementControllerTest {
@BeforeClass
public static void setupAuthentication() {
// Set authenticated user so that authorization checks will pass
- InternalAuthenticationToken authenticationToken = new InternalAuthenticationToken("admin");
- authenticationToken.setAuthenticated(true);
- SecurityContextHolder.getContext().setAuthentication(authenticationToken);
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
}
@Before
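Review bot: `setupAuthentication()` installs an administrator `Authentication` in `SecurityContextHolder` from a `@BeforeClass` method, and nothing in this hunk clears it, so the privileged context may stay on the thread for whichever test class runs next. BackgroundCustomCommandExecutionTest in this same commit resets it in its `@After`; if no `@AfterClass` exists outside the hunk, add one that calls `SecurityContextHolder.getContext().setAuthentication(null);`. Running the whole class as administrator also means the new authorization checks are only exercised on the allow path here, so at least one denied case using `TestAuthenticationFactory.createClusterUser()` and expecting `AuthorizationException` would be worth adding.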
@@ -300,7 +299,7 @@ public class AmbariManagementControllerTest {
}
private void createService(String clusterName,
- String serviceName, State desiredState) throws AmbariException {
+ String serviceName, State desiredState) throws AmbariException, AuthorizationException {
String dStateStr = null;
if (desiredState != null) {
dStateStr = desiredState.toString();
@@ -314,7 +313,7 @@ public class AmbariManagementControllerTest {
private void createServiceComponent(String clusterName,
String serviceName, String componentName, State desiredState)
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
String dStateStr = null;
if (desiredState != null) {
dStateStr = desiredState.toString();
@@ -329,7 +328,7 @@ public class AmbariManagementControllerTest {
private void createServiceComponentHost(String clusterName,
String serviceName, String componentName, String hostname,
- State desiredState) throws AmbariException {
+ State desiredState) throws AmbariException, AuthorizationException {
String dStateStr = null;
if (desiredState != null) {
dStateStr = desiredState.toString();
@@ -344,7 +343,7 @@ public class AmbariManagementControllerTest {
private void deleteServiceComponentHost(String clusterName,
String serviceName, String componentName, String hostname,
- State desiredState) throws AmbariException {
+ State desiredState) throws AmbariException, AuthorizationException {
String dStateStr = null;
if (desiredState != null) {
dStateStr = desiredState.toString();
@@ -385,7 +384,7 @@ public class AmbariManagementControllerTest {
private long stopService(String clusterName, String serviceName,
boolean runSmokeTests, boolean reconfigureClients) throws
- AmbariException {
+ AmbariException, AuthorizationException {
ServiceRequest r = new ServiceRequest(clusterName, serviceName, State.INSTALLED.toString());
Set<ServiceRequest> requests = new HashSet<ServiceRequest>();
requests.add(r);
@@ -442,7 +441,7 @@ public class AmbariManagementControllerTest {
private long startService(String clusterName, String serviceName,
boolean runSmokeTests, boolean reconfigureClients) throws
- AmbariException {
+ AmbariException, AuthorizationException {
return startService(clusterName, serviceName, runSmokeTests, reconfigureClients, null);
}
@@ -450,7 +449,7 @@ public class AmbariManagementControllerTest {
private long startService(String clusterName, String serviceName,
boolean runSmokeTests, boolean reconfigureClients,
MaintenanceStateHelper maintenanceStateHelper) throws
- AmbariException {
+ AmbariException, AuthorizationException {
ServiceRequest r = new ServiceRequest(clusterName, serviceName,
State.STARTED.toString());
Set<ServiceRequest> requests = new HashSet<ServiceRequest>();
@@ -491,14 +490,14 @@ public class AmbariManagementControllerTest {
private long installService(String clusterName, String serviceName,
boolean runSmokeTests, boolean reconfigureClients)
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
return installService(clusterName, serviceName, runSmokeTests, reconfigureClients, null, null);
}
private long installService(String clusterName, String serviceName,
boolean runSmokeTests, boolean reconfigureClients,
Map<String, String> mapRequestPropsInput)
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
return installService(clusterName, serviceName, runSmokeTests, reconfigureClients, null, mapRequestPropsInput);
}
@@ -511,7 +510,7 @@ public class AmbariManagementControllerTest {
boolean runSmokeTests, boolean reconfigureClients,
MaintenanceStateHelper maintenanceStateHelper,
Map<String, String> mapRequestPropsInput)
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
ServiceRequest r = new ServiceRequest(clusterName, serviceName,
State.INSTALLED.toString());
Set<ServiceRequest> requests = new HashSet<ServiceRequest>();
@@ -679,7 +678,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testCreateServicesWithInvalidRequest() throws AmbariException {
+ public void testCreateServicesWithInvalidRequest() throws AmbariException, AuthorizationException {
// invalid request
// dups in requests
// multi cluster updates
@@ -714,7 +713,7 @@ public class AmbariManagementControllerTest {
fail("Expected failure for invalid cluster");
} catch (AmbariException e) {
// Expected
- Assert.assertTrue(checkExceptionType(e, ParentObjectNotFoundException.class));
+ Assert.assertTrue(checkExceptionType(e, ClusterNotFoundException.class));
}
clusters.addCluster("foo", new StackId("HDP-0.1"));
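Review bot: The expected exception for an unknown cluster changes from `ParentObjectNotFoundException` to `ClusterNotFoundException`, and neither the test nor the commit message explains why. If the API layer maps these two types to different responses, this is a caller-visible behaviour change riding along with the authorization work. A one-line comment above the assertion would document it, for example `// presumably the cluster is now resolved first for the authorization check; confirm`. The test method starts and ends outside this hunk.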
@@ -821,7 +820,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testCreateServicesMultiple() throws AmbariException {
+ public void testCreateServicesMultiple() throws AmbariException, AuthorizationException {
Set<ServiceRequest> set1 = new HashSet<ServiceRequest>();
clusters.addCluster("foo", new StackId("HDP-0.1"));
@@ -891,7 +890,7 @@ public class AmbariManagementControllerTest {
@Test
public void testCreateServiceComponentWithInvalidRequest()
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
// multiple clusters
// dup objects
// existing components
@@ -1249,7 +1248,7 @@ public class AmbariManagementControllerTest {
}
@Test
- public void testCreateServiceComponentMultiple() throws AmbariException {
+ public void testCreateServiceComponentMultiple() throws AmbariException, AuthorizationException {
clusters.addCluster("c1", new StackId("HDP-0.2"));
clusters.addCluster("c2", new StackId("HDP-0.2"));
@@ -1449,7 +1448,7 @@ public class AmbariManagementControllerTest {
@Test
public void testCreateServiceComponentHostWithInvalidRequest()
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
// multiple clusters
// dup objects
// existing components
@@ -9706,7 +9705,7 @@ public class AmbariManagementControllerTest {
private void testRunSmokeTestFlag(Map<String, String> mapRequestProps,
AmbariManagementController amc,
Set<ServiceRequest> serviceRequests)
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
RequestStatusResponse response;//Starting HDFS service. No run_smoke_test flag is set, smoke
//Stopping HDFS service
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/test/java/org/apache/ambari/server/controller/BackgroundCustomCommandExecutionTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/BackgroundCustomCommandExecutionTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/BackgroundCustomCommandExecutionTest.java
index e1e9104..fc39521 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/BackgroundCustomCommandExecutionTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/BackgroundCustomCommandExecutionTest.java
@@ -35,13 +35,13 @@ import org.apache.ambari.server.actionmanager.Request;
import org.apache.ambari.server.actionmanager.Stage;
import org.apache.ambari.server.agent.AgentCommand.AgentCommandType;
import org.apache.ambari.server.agent.ExecutionCommand;
-import org.apache.ambari.server.api.services.AmbariMetaInfo;
import org.apache.ambari.server.configuration.Configuration;
import org.apache.ambari.server.controller.internal.ComponentResourceProviderTest;
import org.apache.ambari.server.controller.internal.RequestResourceFilter;
import org.apache.ambari.server.controller.internal.ServiceResourceProviderTest;
import org.apache.ambari.server.orm.GuiceJpaInitializer;
import org.apache.ambari.server.orm.InMemoryDefaultTestModule;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.state.Clusters;
import org.apache.ambari.server.state.Host;
@@ -63,16 +63,14 @@ import org.mockito.runners.MockitoJUnitRunner;
import com.google.inject.Guice;
import com.google.inject.Injector;
import com.google.inject.persist.PersistService;
+import org.springframework.security.core.context.SecurityContextHolder;
@RunWith(MockitoJUnitRunner.class)
public class BackgroundCustomCommandExecutionTest {
private Injector injector;
private AmbariManagementController controller;
- private AmbariMetaInfo ambariMetaInfo;
- private Configuration configuration;
private Clusters clusters;
- private TopologyManager topologyManager;
-
+
private static final String REQUEST_CONTEXT_PROPERTY = "context";
@Captor ArgumentCaptor<Request> requestCapture;
@@ -80,6 +78,9 @@ public class BackgroundCustomCommandExecutionTest {
@Before
public void setup() throws Exception {
+ Configuration configuration;
+ TopologyManager topologyManager;
+
InMemoryDefaultTestModule module = new InMemoryDefaultTestModule(){
@@ -100,13 +101,19 @@ public class BackgroundCustomCommandExecutionTest {
topologyManager = injector.getInstance(TopologyManager.class);
Assert.assertEquals("src/main/resources/custom_action_definitions", configuration.getCustomActionDefinitionPath());
-
- ambariMetaInfo = injector.getInstance(AmbariMetaInfo.class);
+
StageUtils.setTopologyManager(topologyManager);
+
+ // Set the authenticated user
+ // TODO: remove this or replace the authenticated user to test authorization rules
+ // Set the authenticated user
+ // TODO: remove this or replace the authenticated user to test authorization rules
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
}
@After
public void teardown() {
injector.getInstance(PersistService.class).stop();
+ SecurityContextHolder.getContext().setAuthentication(null);
}
@SuppressWarnings("serial")
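Review bot: The comment pair `// Set the authenticated user` and `// TODO: remove this or replace the authenticated user to test authorization rules` is added twice in a row at the end of `setup()`; drop the second copy. The TODO also deserves a tracked follow-up, because as written every test in this class runs with `TestAuthenticationFactory.createAdministrator()` and none of them exercises a request that should be denied. `setup()` begins outside this hunk.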
@@ -189,7 +196,7 @@ public class BackgroundCustomCommandExecutionTest {
}
private void createService(String clusterName,
- String serviceName, State desiredState) throws AmbariException {
+ String serviceName, State desiredState) throws AmbariException, AuthorizationException {
String dStateStr = null;
if (desiredState != null) {
dStateStr = desiredState.toString();
@@ -203,7 +210,7 @@ public class BackgroundCustomCommandExecutionTest {
private void createServiceComponent(String clusterName,
String serviceName, String componentName, State desiredState)
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
String dStateStr = null;
if (desiredState != null) {
dStateStr = desiredState.toString();
@@ -216,7 +223,8 @@ public class BackgroundCustomCommandExecutionTest {
ComponentResourceProviderTest.createComponents(controller, requests);
}
- private void createServiceComponentHost(String clusterName, String serviceName, String componentName, String hostname, State desiredState) throws AmbariException {
+ private void createServiceComponentHost(String clusterName, String serviceName, String componentName, String hostname, State desiredState)
+ throws AmbariException, AuthorizationException {
String dStateStr = null;
if (desiredState != null) {
dStateStr = desiredState.toString();
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/test/java/org/apache/ambari/server/controller/RefreshYarnCapacitySchedulerReleaseConfigTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/RefreshYarnCapacitySchedulerReleaseConfigTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/RefreshYarnCapacitySchedulerReleaseConfigTest.java
index c871ec7..179f658 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/RefreshYarnCapacitySchedulerReleaseConfigTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/RefreshYarnCapacitySchedulerReleaseConfigTest.java
@@ -27,7 +27,6 @@ import java.util.Set;
import junit.framework.Assert;
import org.apache.ambari.server.AmbariException;
-import org.apache.ambari.server.api.services.AmbariMetaInfo;
import org.apache.ambari.server.controller.internal.ComponentResourceProviderTest;
import org.apache.ambari.server.controller.internal.ServiceResourceProviderTest;
import org.apache.ambari.server.orm.GuiceJpaInitializer;
@@ -58,7 +57,6 @@ public class RefreshYarnCapacitySchedulerReleaseConfigTest {
private Injector injector;
private AmbariManagementController controller;
- private AmbariMetaInfo ambariMetaInfo;
private Clusters clusters;
private ConfigHelper configHelper;
@@ -71,11 +69,10 @@ public class RefreshYarnCapacitySchedulerReleaseConfigTest {
controller = injector.getInstance(AmbariManagementController.class);
clusters = injector.getInstance(Clusters.class);
configHelper = injector.getInstance(ConfigHelper.class);
- ambariMetaInfo = injector.getInstance(AmbariMetaInfo.class);
// Set the authenticated user
// TODO: remove this or replace the authenticated user to test authorization rules
- SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator("admin"));
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
}
@After
@@ -200,7 +197,7 @@ public class RefreshYarnCapacitySchedulerReleaseConfigTest {
}
private void createService(String clusterName,
- String serviceName, State desiredState) throws AmbariException {
+ String serviceName, State desiredState) throws AmbariException, AuthorizationException {
String dStateStr = null;
if (desiredState != null) {
dStateStr = desiredState.toString();
@@ -214,7 +211,7 @@ public class RefreshYarnCapacitySchedulerReleaseConfigTest {
private void createServiceComponent(String clusterName,
String serviceName, String componentName, State desiredState)
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
String dStateStr = null;
if (desiredState != null) {
dStateStr = desiredState.toString();
@@ -227,7 +224,8 @@ public class RefreshYarnCapacitySchedulerReleaseConfigTest {
ComponentResourceProviderTest.createComponents(controller, requests);
}
- private void createServiceComponentHost(String clusterName, String serviceName, String componentName, String hostname, State desiredState) throws AmbariException {
+ private void createServiceComponentHost(String clusterName, String serviceName, String componentName, String hostname, State desiredState)
+ throws AmbariException, AuthorizationException {
String dStateStr = null;
if (desiredState != null) {
dStateStr = desiredState.toString();
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterResourceProviderTest.java
index 827f979..179a09e 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterResourceProviderTest.java
@@ -129,12 +129,12 @@ public class ClusterResourceProviderTest {
@Test
public void testCreateResource_blueprint_asAdministrator() throws Exception {
- testCreateResource_blueprint(TestAuthenticationFactory.createAdministrator("admin"));
+ testCreateResource_blueprint(TestAuthenticationFactory.createAdministrator());
}
@Test(expected = AuthorizationException.class)
public void testCreateResource_blueprint__NonAdministrator() throws Exception {
- testCreateResource_blueprint(TestAuthenticationFactory.createClusterAdministrator("User1"));
+ testCreateResource_blueprint(TestAuthenticationFactory.createClusterAdministrator());
}
@Test(expected = IllegalArgumentException.class)
@@ -160,7 +160,7 @@ public class ClusterResourceProviderTest {
expect(requestStatusResponse.getRequestId()).andReturn(5150L).anyTimes();
replayAll();
- SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator("admin"));
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
RequestStatus requestStatus = provider.createResources(request);
}
@@ -185,7 +185,7 @@ public class ClusterResourceProviderTest {
expect(requestStatusResponse.getRequestId()).andReturn(5150L).anyTimes();
replayAll();
- SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator("admin"));
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
RequestStatus requestStatus = provider.createResources(request);
assertEquals(5150L, requestStatus.getRequestResource().getPropertyValue(PropertyHelper.getPropertyId("Requests", "id")));
assertEquals(Resource.Type.Request, requestStatus.getRequestResource().getType());
@@ -206,18 +206,18 @@ public class ClusterResourceProviderTest {
("test"));
replayAll();
- SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator("admin"));
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
provider.createResources(request);
}
@Test
public void testCreateResourcesAsAdministrator() throws Exception{
- testCreateResources(TestAuthenticationFactory.createAdministrator("admin"));
+ testCreateResources(TestAuthenticationFactory.createAdministrator());
}
@Test(expected = AuthorizationException.class)
public void testCreateResourcesAsNonAdministrator() throws Exception{
- testCreateResources(TestAuthenticationFactory.createClusterAdministrator("User1"));
+ testCreateResources(TestAuthenticationFactory.createClusterAdministrator());
}
@Test
@@ -235,7 +235,7 @@ public class ClusterResourceProviderTest {
// replay
replay(managementController, response);
- SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator("admin"));
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
type,
@@ -282,12 +282,12 @@ public class ClusterResourceProviderTest {
@Test
public void testGetResourcesAsAdministrator() throws Exception{
- testGetResources(TestAuthenticationFactory.createAdministrator("admin"));
+ testGetResources(TestAuthenticationFactory.createAdministrator());
}
@Test
public void testGetResourcesAsNonAdministrator() throws Exception{
- testGetResources(TestAuthenticationFactory.createClusterAdministrator("User1"));
+ testGetResources(TestAuthenticationFactory.createClusterAdministrator());
}
public void testGetResources(Authentication authentication) throws Exception{
@@ -376,42 +376,42 @@ public class ClusterResourceProviderTest {
@Test
public void testUpdateResourcesAsAdministrator() throws Exception{
- testUpdateResources(TestAuthenticationFactory.createAdministrator("admin"));
+ testUpdateResources(TestAuthenticationFactory.createAdministrator());
}
@Test
public void testUpdateResourcesAsClusterAdministrator() throws Exception{
- testUpdateResources(TestAuthenticationFactory.createClusterAdministrator("User1"));
+ testUpdateResources(TestAuthenticationFactory.createClusterAdministrator());
}
@Test(expected = AuthorizationException.class)
- public void testUpdateResourcesAsServiceAdministrator() throws Exception {
- testUpdateResources(TestAuthenticationFactory.createServiceAdministrator("User10"));
+ public void testUpdateResourcesAsServiceOperator() throws Exception {
+ testUpdateResources(TestAuthenticationFactory.createServiceOperator());
}
@Test
public void testUpdateWithConfigurationAsAdministrator() throws Exception {
- testUpdateWithConfiguration(TestAuthenticationFactory.createAdministrator("admin"));
+ testUpdateWithConfiguration(TestAuthenticationFactory.createAdministrator());
}
@Test
public void testUpdateWithConfigurationAsClusterAdministrator() throws Exception {
- testUpdateWithConfiguration(TestAuthenticationFactory.createClusterAdministrator("User1"));
+ testUpdateWithConfiguration(TestAuthenticationFactory.createClusterAdministrator());
}
@Test(expected = AuthorizationException.class)
- public void testUpdateWithConfigurationAsServiceAdministrator() throws Exception {
- testUpdateWithConfiguration(TestAuthenticationFactory.createServiceAdministrator("User10"));
+ public void testUpdateWithConfigurationAsServiceOperator() throws Exception {
+ testUpdateWithConfiguration(TestAuthenticationFactory.createServiceOperator());
}
@Test
public void testDeleteResourcesAsAdministrator() throws Exception{
- testDeleteResources(TestAuthenticationFactory.createAdministrator("admin"));
+ testDeleteResources(TestAuthenticationFactory.createAdministrator());
}
@Test(expected = AuthorizationException.class)
public void testDeleteResourcesAsNonAdministrator() throws Exception{
- testDeleteResources(TestAuthenticationFactory.createClusterAdministrator("User1"));
+ testDeleteResources(TestAuthenticationFactory.createClusterAdministrator());
}
//todo: configuration properties are not being added to props
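Review bot: The two denial tests renamed in this hunk, `testUpdateResourcesAsServiceOperator` and `testUpdateWithConfigurationAsServiceOperator`, now check a different role than before, so the Service Administrator case is no longer covered for cluster updates. If a service administrator is still meant to be refused, keeping the old case next to the new one, `testUpdateResources(TestAuthenticationFactory.createServiceAdministrator());` under `@Test(expected = AuthorizationException.class)`, pins that boundary. If the role is now allowed, a positive test for it would record the decision. Which of the two is intended cannot be read from this hunk.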
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ComponentResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ComponentResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ComponentResourceProviderTest.java
index 5fb2831..6ec27ad 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ComponentResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ComponentResourceProviderTest.java
@@ -20,9 +20,7 @@ package org.apache.ambari.server.controller.internal;
import static org.easymock.EasyMock.anyBoolean;
import static org.easymock.EasyMock.anyObject;
-import static org.easymock.EasyMock.createMockBuilder;
import static org.easymock.EasyMock.expectLastCall;
-import static org.easymock.EasyMock.eq;
import static org.easymock.EasyMock.capture;
import static org.easymock.EasyMock.createMock;
import static org.easymock.EasyMock.createNiceMock;
@@ -35,7 +33,6 @@ import static org.junit.Assert.assertSame;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
-import java.lang.reflect.Method;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
@@ -49,7 +46,6 @@ import java.util.Set;
import org.apache.ambari.server.AmbariException;
import org.apache.ambari.server.ObjectNotFoundException;
import org.apache.ambari.server.ServiceComponentNotFoundException;
-import org.apache.ambari.server.StackAccessException;
import org.apache.ambari.server.api.services.AmbariMetaInfo;
import org.apache.ambari.server.controller.AmbariManagementController;
import org.apache.ambari.server.controller.AmbariManagementControllerImpl;
@@ -64,6 +60,8 @@ import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.controller.spi.ResourceProvider;
import org.apache.ambari.server.controller.utilities.PredicateBuilder;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.state.Cluster;
import org.apache.ambari.server.state.Clusters;
import org.apache.ambari.server.state.ComponentInfo;
@@ -76,19 +74,41 @@ import org.apache.ambari.server.state.StackId;
import org.apache.ambari.server.state.State;
import org.easymock.Capture;
import org.easymock.EasyMock;
-import org.easymock.IAnswer;
import org.junit.Assert;
+import org.junit.Before;
import org.junit.Test;
import com.google.gson.Gson;
import com.google.inject.Injector;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
/**
* Tests for the component resource provider.
*/
public class ComponentResourceProviderTest {
+
+ @Before
+ public void clearAuthentication() {
+ SecurityContextHolder.getContext().setAuthentication(null);
+ }
+
+ @Test
+ public void testCreateResourcesAsAdministrator() throws Exception {
+ testCreateResources(TestAuthenticationFactory.createAdministrator());
+ }
+
@Test
- public void testCreateResources() throws Exception {
+ public void testCreateResourcesAsClusterAdministrator() throws Exception {
+ testCreateResources(TestAuthenticationFactory.createClusterAdministrator());
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testCreateResourcesAsServiceAdministrator() throws Exception {
+ testCreateResources(TestAuthenticationFactory.createServiceAdministrator());
+ }
+
+ private void testCreateResources(Authentication authentication) throws Exception {
Resource.Type type = Resource.Type.Component;
MaintenanceStateHelper maintenanceStateHelper = createNiceMock(MaintenanceStateHelper.class);
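Review bot: The new `clearAuthentication()` runs only as `@Before`, so the `Authentication` that each test places in `SecurityContextHolder` is still set when the last test of this class finishes. A test class that runs later on the same thread and does not reset the context itself would then execute with that leftover identity, which can hide a missing authorization check. A teardown such as `@After public void resetSecurityContext() { SecurityContextHolder.clearContext(); }` closes that gap. The same applies to the `clearAuthentication()` added to HostComponentResourceProviderTest further down. The body of `testCreateResources(Authentication)` continues outside this hunk.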
@@ -108,6 +128,7 @@ public class ComponentResourceProviderTest {
expect(clusters.getCluster("Cluster100")).andReturn(cluster).anyTimes();
expect(cluster.getService("Service100")).andReturn(service).anyTimes();
+ expect(cluster.getClusterId()).andReturn(2L).anyTimes();
expect(service.getDesiredStackVersion()).andReturn(stackId).anyTimes();
expect(service.getName()).andReturn("Service100").anyTimes();
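Review bot: The literal `2L` returned for `cluster.getClusterId()` has no explanation here. Presumably it has to equal the cluster id on which `TestAuthenticationFactory` grants its cluster-scoped roles, which this hunk does not show. If the two values ever diverge, the `expected = AuthorizationException.class` tests would keep passing for the wrong reason. A comment such as `// assumed to match the cluster id TestAuthenticationFactory grants privileges on`, or a shared constant, would tie the five `getClusterId()` expectations added in this file to that value. The enclosing `testCreateResources` starts and ends outside the hunk.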
@@ -123,6 +144,8 @@ public class ComponentResourceProviderTest {
replay(managementController, response, clusters, cluster, service, stackId, ambariMetaInfo,
serviceComponentFactory, serviceComponent);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
ResourceProvider provider = new ComponentResourceProvider(PropertyHelper.getPropertyIds(type),
PropertyHelper.getKeyPropertyIds(type),
managementController, maintenanceStateHelper);
@@ -151,7 +174,21 @@ public class ComponentResourceProviderTest {
}
@Test
- public void testGetResources() throws Exception {
+ public void testGetResourcesAsAdministrator() throws Exception {
+ testGetResources(TestAuthenticationFactory.createAdministrator());
+ }
+
+ @Test
+ public void testGetResourcesAsClusterAdministrator() throws Exception {
+ testGetResources(TestAuthenticationFactory.createClusterAdministrator());
+ }
+
+ @Test
+ public void testGetResourcesAsServiceAdministrator() throws Exception {
+ testGetResources(TestAuthenticationFactory.createServiceAdministrator());
+ }
+
+ private void testGetResources(Authentication authentication) throws Exception {
Resource.Type type = Resource.Type.Component;
MaintenanceStateHelper maintenanceStateHelper = createNiceMock(MaintenanceStateHelper.class);
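Review bot: All three `testGetResources` variants added here expect success, and so do the three `testUpdateResources` variants in the hunk at `-247,7 +286,21`, so neither path has a test that proves a refusal. The create and delete tests in this file pair the allowed roles with an `@Test(expected = AuthorizationException.class)` case. A matching case for a role that should be refused, and one with no authentication set, would show that the checks on read and update are enforced rather than absent. Whether any role is meant to be refused on these paths is not visible from the hunk, so this may be intentional. The body of `testGetResources(Authentication)` runs past the end of the hunk.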
@@ -201,6 +238,8 @@ public class ComponentResourceProviderTest {
serviceComponent1, serviceComponent2, serviceComponent3, stackId,
componentInfo1, componentInfo2);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
ResourceProvider provider = new ComponentResourceProvider(
PropertyHelper.getPropertyIds(type),
PropertyHelper.getKeyPropertyIds(type),
@@ -247,7 +286,21 @@ public class ComponentResourceProviderTest {
}
@Test
- public void testUpdateResources() throws Exception {
+ public void testUpdateResourcesAsAdministrator() throws Exception {
+ testUpdateResources(TestAuthenticationFactory.createAdministrator());
+ }
+
+ @Test
+ public void testUpdateResourcesAsClusterAdministrator() throws Exception {
+ testUpdateResources(TestAuthenticationFactory.createClusterAdministrator());
+ }
+
+ @Test
+ public void testUpdateResourcesAsServiceAdministrator() throws Exception {
+ testUpdateResources(TestAuthenticationFactory.createServiceAdministrator());
+ }
+
+ private void testUpdateResources(Authentication authentication) throws Exception {
Resource.Type type = Resource.Type.Component;
MaintenanceStateHelper maintenanceStateHelper = createNiceMock(MaintenanceStateHelper.class);
@@ -276,7 +329,7 @@ public class ComponentResourceProviderTest {
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(managementController.getAmbariMetaInfo()).andReturn(ambariMetaInfo).anyTimes();
expect(managementController.getEffectiveMaintenanceState(
- capture(new Capture<ServiceComponentHost>()))).andReturn(MaintenanceState.OFF).anyTimes();
+ capture(EasyMock.<ServiceComponentHost>newCapture()))).andReturn(MaintenanceState.OFF).anyTimes();
expect(stackId.getStackName()).andReturn("stackName").anyTimes();
expect(stackId.getStackVersion()).andReturn("1").anyTimes();
@@ -294,6 +347,7 @@ public class ComponentResourceProviderTest {
expect(serviceComponent3.getName()).andReturn("Component103").anyTimes();
expect(cluster.getServices()).andReturn(Collections.singletonMap("Service100", service)).anyTimes();
+ expect(cluster.getClusterId()).andReturn(2L).anyTimes();
expect(service.getServiceComponents()).andReturn(serviceComponentMap).anyTimes();
@@ -324,13 +378,13 @@ public class ComponentResourceProviderTest {
expect(maintenanceStateHelper.isOperationAllowed(anyObject(Resource.Type.class), anyObject(Service.class))).andReturn(true).anyTimes();
- Capture<Map<String, String>> requestPropertiesCapture = new Capture<Map<String, String>>();
- Capture<Map<State, List<Service>>> changedServicesCapture = new Capture<Map<State, List<Service>>>();
- Capture<Map<State, List<ServiceComponent>>> changedCompsCapture = new Capture<Map<State, List<ServiceComponent>>>();
- Capture<Map<String, Map<State, List<ServiceComponentHost>>>> changedScHostsCapture = new Capture<Map<String, Map<State, List<ServiceComponentHost>>>>();
- Capture<Map<String, String>> requestParametersCapture = new Capture<Map<String, String>>();
- Capture<Collection<ServiceComponentHost>> ignoredScHostsCapture = new Capture<Collection<ServiceComponentHost>>();
- Capture<Cluster> clusterCapture = new Capture<Cluster>();
+ Capture<Map<String, String>> requestPropertiesCapture = EasyMock.newCapture();
+ Capture<Map<State, List<Service>>> changedServicesCapture = EasyMock.newCapture();
+ Capture<Map<State, List<ServiceComponent>>> changedCompsCapture = EasyMock.newCapture();
+ Capture<Map<String, Map<State, List<ServiceComponentHost>>>> changedScHostsCapture = EasyMock.newCapture();
+ Capture<Map<String, String>> requestParametersCapture = EasyMock.newCapture();
+ Capture<Collection<ServiceComponentHost>> ignoredScHostsCapture = EasyMock.newCapture();
+ Capture<Cluster> clusterCapture = EasyMock.newCapture();
expect(managementController.createAndPersistStages(capture(clusterCapture), capture(requestPropertiesCapture), capture(requestParametersCapture), capture(changedServicesCapture), capture(changedCompsCapture), capture(changedScHostsCapture), capture(ignoredScHostsCapture), anyBoolean(), anyBoolean()
)).andReturn(requestStatusResponse);
@@ -344,6 +398,8 @@ public class ComponentResourceProviderTest {
component2Info, component3Info, serviceComponent1, serviceComponent2, serviceComponent3,
serviceComponentHost, requestStatusResponse, stackId, maintenanceStateHelper);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
ResourceProvider provider = new ComponentResourceProvider(
PropertyHelper.getPropertyIds(type),
PropertyHelper.getKeyPropertyIds(type),
@@ -368,7 +424,22 @@ public class ComponentResourceProviderTest {
serviceComponentHost, requestStatusResponse, stackId, maintenanceStateHelper);
}
- public void testSuccessDeleteResources() throws Exception {
+ @Test
+ public void testSuccessDeleteResourcesAsAdministrator() throws Exception {
+ testSuccessDeleteResources(TestAuthenticationFactory.createAdministrator());
+ }
+
+ @Test
+ public void testSuccessDeleteResourcesAsClusterAdministrator() throws Exception {
+ testSuccessDeleteResources(TestAuthenticationFactory.createClusterAdministrator());
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testSuccessDeleteResourcesAsServiceAdministrator() throws Exception {
+ testSuccessDeleteResources(TestAuthenticationFactory.createServiceAdministrator());
+ }
+
+ private void testSuccessDeleteResources(Authentication authentication) throws Exception {
Resource.Type type = Resource.Type.Component;
AmbariManagementController managementController = createMock(AmbariManagementController.class);
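Review bot: `testSuccessDeleteResourcesAsServiceAdministrator` is annotated `@Test(expected = AuthorizationException.class)`, so its name announces a success while the test asserts a refusal. A name that states the outcome, for example `testDeleteResourcesAsServiceAdministratorDenied`, would make a failure report readable without opening the file. The helper `testSuccessDeleteResources(Authentication)` continues outside this hunk.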
@@ -390,6 +461,7 @@ public class ComponentResourceProviderTest {
expect(clusters.getCluster("Cluster100")).andReturn(cluster);
expect(cluster.getService("Service100")).andReturn(service);
+ expect(cluster.getClusterId()).andReturn(2L).anyTimes();
expect(service.getServiceComponent("Component100")).andReturn(serviceComponent);
@@ -406,6 +478,8 @@ public class ComponentResourceProviderTest {
replay(managementController, clusters, cluster, service, stackId, ambariMetaInfo,
serviceComponent, serviceComponentHost, maintenanceStateHelper);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
ResourceProvider provider = new ComponentResourceProvider(
PropertyHelper.getPropertyIds(type),
PropertyHelper.getKeyPropertyIds(type),
@@ -433,7 +507,21 @@ public class ComponentResourceProviderTest {
}
@Test
- public void testDeleteResourcesWithEmptyClusterComponentNames() throws Exception {
+ public void testDeleteResourcesWithEmptyClusterComponentNamesAsAdministrator() throws Exception {
+ testDeleteResourcesWithEmptyClusterComponentNames(TestAuthenticationFactory.createAdministrator());
+ }
+
+ @Test
+ public void testDeleteResourcesWithEmptyClusterComponentNamesAsClusterAdministrator() throws Exception {
+ testDeleteResourcesWithEmptyClusterComponentNames(TestAuthenticationFactory.createClusterAdministrator());
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testDeleteResourcesWithEmptyClusterComponentNamesAsServiceAdministrator() throws Exception {
+ testDeleteResourcesWithEmptyClusterComponentNames(TestAuthenticationFactory.createServiceAdministrator());
+ }
+
+ private void testDeleteResourcesWithEmptyClusterComponentNames(Authentication authentication) throws Exception {
Resource.Type type = Resource.Type.Component;
AmbariManagementController managementController = createMock(AmbariManagementController.class);
@@ -447,6 +535,8 @@ public class ComponentResourceProviderTest {
replay(managementController, clusters, ambariMetaInfo, maintenanceStateHelper);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
ResourceProvider provider = new ComponentResourceProvider(
PropertyHelper.getPropertyIds(type),
PropertyHelper.getKeyPropertyIds(type),
@@ -490,7 +580,21 @@ public class ComponentResourceProviderTest {
}
@Test
- public void testDeleteResourcesWithServiceComponentStarted() throws Exception {
+ public void testDeleteResourcesWithServiceComponentStartedAsAdministrator() throws Exception {
+ testDeleteResourcesWithServiceComponentStarted(TestAuthenticationFactory.createAdministrator());
+ }
+
+ @Test
+ public void testDeleteResourcesWithServiceComponentStartedAsClusterAdministrator() throws Exception {
+ testDeleteResourcesWithServiceComponentStarted(TestAuthenticationFactory.createClusterAdministrator());
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testDeleteResourcesWithServiceComponentStartedAsServiceAdministrator() throws Exception {
+ testDeleteResourcesWithServiceComponentStarted(TestAuthenticationFactory.createServiceAdministrator());
+ }
+
+ private void testDeleteResourcesWithServiceComponentStarted(Authentication authentication) throws Exception {
Resource.Type type = Resource.Type.Component;
AmbariManagementController managementController = createMock(AmbariManagementController.class);
@@ -512,6 +616,7 @@ public class ComponentResourceProviderTest {
expect(clusters.getCluster("Cluster100")).andReturn(cluster);
expect(cluster.getService("Service100")).andReturn(service);
+ expect(cluster.getClusterId()).andReturn(2L).anyTimes();
expect(service.getServiceComponent("Component100")).andReturn(serviceComponent);
@@ -525,6 +630,8 @@ public class ComponentResourceProviderTest {
replay(managementController, clusters, cluster, service, stackId, ambariMetaInfo,
serviceComponent, serviceComponentHost, maintenanceStateHelper);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
ResourceProvider provider = new ComponentResourceProvider(
PropertyHelper.getPropertyIds(type),
PropertyHelper.getKeyPropertyIds(type),
@@ -548,6 +655,9 @@ public class ComponentResourceProviderTest {
provider.deleteResources(predicate);
Assert.fail("Expected exception.");
} catch(Exception e) {
+ if (e instanceof AuthorizationException) {
+ throw e;
+ }
//expected
}
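Review bot: The `catch(Exception e)` block still treats every exception other than `AuthorizationException` as the expected outcome, so the Administrator and ClusterAdministrator variants pass on any failure, including one caused by a broken mock set-up. Catching only the exception type the provider is meant to raise for a started component would make the test prove that rule; that type is not visible in this hunk. A separate `catch (AuthorizationException e) { throw e; }` clause placed first would also replace the `instanceof` test. The hunk at `-614,6 +741,9` in `testDeleteResourcesWithServiceComponentHostStarted` has the same pattern, and both enclosing methods extend beyond their hunks.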
@@ -556,7 +666,21 @@ public class ComponentResourceProviderTest {
}
@Test
- public void testDeleteResourcesWithServiceComponentHostStarted() throws Exception {
+ public void testDeleteResourcesWithServiceComponentHostStartedAsAdministrator() throws Exception {
+ testDeleteResourcesWithServiceComponentHostStarted(TestAuthenticationFactory.createAdministrator());
+ }
+
+ @Test
+ public void testDeleteResourcesWithServiceComponentHostStartedAsClusterAdministrator() throws Exception {
+ testDeleteResourcesWithServiceComponentHostStarted(TestAuthenticationFactory.createClusterAdministrator());
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testDeleteResourcesWithServiceComponentHostStartedAsServiceAdministrator() throws Exception {
+ testDeleteResourcesWithServiceComponentHostStarted(TestAuthenticationFactory.createServiceAdministrator());
+ }
+
+ private void testDeleteResourcesWithServiceComponentHostStarted(Authentication authentication) throws Exception {
Resource.Type type = Resource.Type.Component;
AmbariManagementController managementController = createMock(AmbariManagementController.class);
@@ -578,6 +702,7 @@ public class ComponentResourceProviderTest {
expect(clusters.getCluster("Cluster100")).andReturn(cluster);
expect(cluster.getService("Service100")).andReturn(service);
+ expect(cluster.getClusterId()).andReturn(2L).anyTimes();
expect(service.getServiceComponent("Component100")).andReturn(serviceComponent);
@@ -591,6 +716,8 @@ public class ComponentResourceProviderTest {
replay(managementController, clusters, cluster, service, stackId, ambariMetaInfo,
serviceComponent, serviceComponentHost, maintenanceStateHelper);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
ResourceProvider provider = new ComponentResourceProvider(
PropertyHelper.getPropertyIds(type),
PropertyHelper.getKeyPropertyIds(type),
@@ -614,6 +741,9 @@ public class ComponentResourceProviderTest {
provider.deleteResources(predicate);
Assert.fail("Expected exception.");
} catch(Exception e) {
+ if (e instanceof AuthorizationException) {
+ throw e;
+ }
//expected
}
@@ -781,7 +911,7 @@ public class ComponentResourceProviderTest {
public void testGetComponents___ServiceComponentNotFoundException() throws Exception {
// member state mocks
Injector injector = createStrictMock(Injector.class);
- Capture<AmbariManagementController> controllerCapture = new Capture<AmbariManagementController>();
+ Capture<AmbariManagementController> controllerCapture = EasyMock.newCapture();
Clusters clusters = createNiceMock(Clusters.class);
MaintenanceStateHelper maintHelper = createNiceMock(MaintenanceStateHelper.class);
Cluster cluster = createNiceMock(Cluster.class);
@@ -824,7 +954,8 @@ public class ComponentResourceProviderTest {
verify(injector, clusters, cluster, service);
}
- public static void createComponents(AmbariManagementController controller, Set<ServiceComponentRequest> requests) throws AmbariException {
+ public static void createComponents(AmbariManagementController controller, Set<ServiceComponentRequest> requests)
+ throws AmbariException, AuthorizationException {
ComponentResourceProvider provider = getComponentResourceProvider(controller);
provider.createComponents(requests);
}
@@ -837,8 +968,8 @@ public class ComponentResourceProviderTest {
public static RequestStatusResponse updateComponents(AmbariManagementController controller,
Set<ServiceComponentRequest> requests,
- Map<String, String> requestProperties, boolean runSmokeTest) throws AmbariException
- {
+ Map<String, String> requestProperties, boolean runSmokeTest)
+ throws AmbariException, AuthorizationException {
ComponentResourceProvider provider = getComponentResourceProvider(controller);
return provider.updateComponents(requests, requestProperties, runSmokeTest);
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/HostComponentResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/HostComponentResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/HostComponentResourceProviderTest.java
index 734bbc4..f9c1fe4 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/HostComponentResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/HostComponentResourceProviderTest.java
@@ -18,7 +18,6 @@
package org.apache.ambari.server.controller.internal;
-import static org.easymock.EasyMock.anyObject;
import static org.easymock.EasyMock.createMock;
import static org.easymock.EasyMock.createNiceMock;
import static org.easymock.EasyMock.eq;
@@ -49,10 +48,13 @@ import org.apache.ambari.server.controller.spi.Predicate;
import org.apache.ambari.server.controller.spi.Request;
import org.apache.ambari.server.controller.spi.RequestStatus;
import org.apache.ambari.server.controller.spi.Resource;
+import org.apache.ambari.server.controller.spi.Resource.Type;
import org.apache.ambari.server.controller.spi.ResourceProvider;
import org.apache.ambari.server.controller.utilities.PredicateBuilder;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
import org.apache.ambari.server.orm.dao.HostVersionDAO;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.state.Cluster;
import org.apache.ambari.server.state.Clusters;
import org.apache.ambari.server.state.Service;
@@ -63,16 +65,38 @@ import org.apache.ambari.server.state.State;
import org.apache.ambari.server.state.UpgradeState;
import org.easymock.EasyMock;
import org.junit.Assert;
+import org.junit.Before;
import org.junit.Test;
import com.google.inject.Injector;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
/**
* HostComponentResourceProvider tests.
*/
public class HostComponentResourceProviderTest {
+ @Before
+ public void clearAuthentication() {
+ SecurityContextHolder.getContext().setAuthentication(null);
+ }
+
+ @Test
+ public void testCreateResourcesAsAdministrator() throws Exception {
+ testCreateResources(TestAuthenticationFactory.createAdministrator());
+ }
+
@Test
- public void testCreateResources() throws Exception {
+ public void testCreateResourcesAsClusterAdministrator() throws Exception {
+ testCreateResources(TestAuthenticationFactory.createClusterAdministrator());
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testCreateResourcesAsServiceAdministrator() throws Exception {
+ testCreateResources(TestAuthenticationFactory.createServiceAdministrator());
+ }
+
+ private void testCreateResources(Authentication authentication) throws Exception {
Resource.Type type = Resource.Type.HostComponent;
AmbariManagementController managementController = createMock(AmbariManagementController.class);
@@ -90,8 +114,8 @@ public class HostComponentResourceProviderTest {
AbstractResourceProviderTest.Matcher.getHostComponentRequestSet(
"Cluster100", "Service100", "Component100", "Host100", null, null));
- expect(resourceProviderFactory.getHostComponentResourceProvider(anyObject(Set.class),
- anyObject(Map.class),
+ expect(resourceProviderFactory.getHostComponentResourceProvider(EasyMock.<Set<String>>anyObject(),
+ EasyMock.<Map<Type,String>>anyObject(),
eq(managementController))).
andReturn(hostComponentResourceProvider).anyTimes();
@@ -99,6 +123,8 @@ public class HostComponentResourceProviderTest {
// replay
replay(managementController, response, resourceProviderFactory);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
type,
PropertyHelper.getPropertyIds(type),
@@ -129,7 +155,21 @@ public class HostComponentResourceProviderTest {
}
@Test
- public void testGetResources() throws Exception {
+ public void testGetResourcesAsAdministrator() throws Exception {
+ testGetResources(TestAuthenticationFactory.createAdministrator());
+ }
+
+ @Test
+ public void testGetResourcesAsClusterAdministrator() throws Exception {
+ testGetResources(TestAuthenticationFactory.createClusterAdministrator());
+ }
+
+ @Test
+ public void testGetResourcesAsServiceAdministrator() throws Exception {
+ testGetResources(TestAuthenticationFactory.createServiceAdministrator());
+ }
+
+ private void testGetResources(Authentication authentication) throws Exception {
Resource.Type type = Resource.Type.HostComponent;
AmbariManagementController managementController = createMock(AmbariManagementController.class);
@@ -167,8 +207,8 @@ public class HostComponentResourceProviderTest {
// set expectations
- expect(resourceProviderFactory.getHostComponentResourceProvider(anyObject(Set.class),
- anyObject(Map.class),
+ expect(resourceProviderFactory.getHostComponentResourceProvider(EasyMock.<Set<String>>anyObject(),
+ EasyMock.<Map<Type,String>>anyObject(),
eq(managementController))).
andReturn(hostComponentResourceProvider).anyTimes();
@@ -229,6 +269,8 @@ public class HostComponentResourceProviderTest {
// replay
replay(managementController, resourceProviderFactory, hostComponentResourceProvider);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
ResourceProvider provider = AbstractControllerResourceProvider.getResourceProvider(
type,
PropertyHelper.getPropertyIds(type),
@@ -257,7 +299,21 @@ public class HostComponentResourceProviderTest {
}
@Test
- public void testUpdateResources() throws Exception {
+ public void testUpdateResourcesAsAdministrator() throws Exception {
+ testUpdateResources(TestAuthenticationFactory.createAdministrator());
+ }
+
+ @Test
+ public void testUpdateResourcesAsClusterAdministrator() throws Exception {
+ testUpdateResources(TestAuthenticationFactory.createClusterAdministrator());
+ }
+
+ @Test
+ public void testUpdateResourcesAsServiceAdministrator() throws Exception {
+ testUpdateResources(TestAuthenticationFactory.createServiceAdministrator());
+ }
+
+ private void testUpdateResources(Authentication authentication) throws Exception {
Resource.Type type = Resource.Type.HostComponent;
AmbariManagementController managementController = createMock(AmbariManagementController.class);
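Review bot: All three `testUpdateResourcesAs…` cases expect success, so they would pass unchanged if the update path performed no authorization check at all. If host-component state changes are meant to be restricted (the provider code is not visible in this hunk), add a denied case such as `@Test(expected = AuthorizationException.class) public void testUpdateResourcesAsClusterUser()` that calls `testUpdateResources(TestAuthenticationFactory.createClusterUser())`. The RequestResourceProviderTest changes in this commit already use that factory method. `testUpdateResources(Authentication)` continues outside the hunk.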
@@ -285,6 +341,7 @@ public class HostComponentResourceProviderTest {
expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(managementController.findServiceName(cluster, "Component100")).andReturn("Service100").anyTimes();
expect(clusters.getCluster("Cluster102")).andReturn(cluster).anyTimes();
+ expect(cluster.getClusterId()).andReturn(2L).anyTimes();
expect(cluster.getService("Service100")).andReturn(service).anyTimes();
expect(service.getServiceComponent("Component100")).andReturn(component).anyTimes();
expect(component.getServiceComponentHost("Host100")).andReturn(componentHost).anyTimes();
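Review bot: The cluster id `2L` returned by the new `cluster.getClusterId()` expectation is unexplained. Presumably it has to match the resource id on which TestAuthenticationFactory grants its cluster-scoped roles, which is not visible here. A comment such as `// must match the cluster resource id granted by TestAuthenticationFactory` (once confirmed), or a shared constant, would stop one side being changed and the role tests passing or failing for the wrong reason. The same literal recurs in the three `testCreateResourcesForCommands…` helpers in RequestResourceProviderTest.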
@@ -317,8 +374,8 @@ public class HostComponentResourceProviderTest {
provider.setFieldValue("maintenanceStateHelper", maintenanceStateHelper);
provider.setFieldValue("hostVersionDAO", hostVersionDAO);
- expect(resourceProviderFactory.getHostComponentResourceProvider(anyObject(Set.class),
- anyObject(Map.class),
+ expect(resourceProviderFactory.getHostComponentResourceProvider(EasyMock.<Set<String>>anyObject(),
+ EasyMock.<Map<Type,String>>anyObject(),
eq(managementController))).
andReturn(provider).anyTimes();
@@ -326,6 +383,8 @@ public class HostComponentResourceProviderTest {
replay(managementController, response, resourceProviderFactory, clusters, cluster, service,
component, componentHost, stageContainer, maintenanceStateHelper);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
Map<String, Object> properties = new LinkedHashMap<String, Object>();
properties.put(HostComponentResourceProvider.HOST_COMPONENT_STATE_PROPERTY_ID, "STARTED");
@@ -351,7 +410,21 @@ public class HostComponentResourceProviderTest {
@Test
- public void testDeleteResources() throws Exception {
+ public void testDeleteResourcesAsAdministrator() throws Exception {
+ testDeleteResources(TestAuthenticationFactory.createAdministrator());
+ }
+
+ @Test
+ public void testDeleteResourcesAsClusterAdministrator() throws Exception {
+ testDeleteResources(TestAuthenticationFactory.createClusterAdministrator());
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testDeleteResourcesAsServiceAdministrator() throws Exception {
+ testDeleteResources(TestAuthenticationFactory.createServiceAdministrator());
+ }
+
+ private void testDeleteResources(Authentication authentication) throws Exception {
Resource.Type type = Resource.Type.HostComponent;
AmbariManagementController managementController = createMock(AmbariManagementController.class);
@@ -360,8 +433,8 @@ public class HostComponentResourceProviderTest {
HostComponentResourceProvider provider =
new HostComponentResourceProvider(PropertyHelper.getPropertyIds(type),
- PropertyHelper.getKeyPropertyIds(type),
- managementController, injector);
+ PropertyHelper.getKeyPropertyIds(type),
+ managementController, injector);
// set expectations
expect(managementController.deleteHostComponents(
@@ -371,6 +444,8 @@ public class HostComponentResourceProviderTest {
// replay
replay(managementController, response);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
AbstractResourceProviderTest.TestObserver observer = new AbstractResourceProviderTest.TestObserver();
provider.addObserver(observer);
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/JMXHostProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/JMXHostProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/JMXHostProviderTest.java
index 36286e7..d1bf6f4 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/JMXHostProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/JMXHostProviderTest.java
@@ -28,7 +28,6 @@ import java.util.Map;
import java.util.Set;
import org.apache.ambari.server.AmbariException;
-import org.apache.ambari.server.api.services.AmbariMetaInfo;
import org.apache.ambari.server.controller.AmbariManagementController;
import org.apache.ambari.server.controller.ClusterRequest;
import org.apache.ambari.server.controller.ConfigurationRequest;
@@ -83,11 +82,10 @@ public class JMXHostProviderTest {
injector.getInstance(GuiceJpaInitializer.class);
clusters = injector.getInstance(Clusters.class);
controller = injector.getInstance(AmbariManagementController.class);
- AmbariMetaInfo ambariMetaInfo = injector.getInstance(AmbariMetaInfo.class);
// Set the authenticated user
// TODO: remove this or replace the authenticated user to test authorization rules
- SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator("admin"));
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
}
@After
@@ -99,7 +97,8 @@ public class JMXHostProviderTest {
}
private void createService(String clusterName,
- String serviceName, State desiredState) throws AmbariException {
+ String serviceName, State desiredState)
+ throws AmbariException, AuthorizationException {
String dStateStr = null;
if (desiredState != null) {
dStateStr = desiredState.toString();
@@ -112,7 +111,7 @@ public class JMXHostProviderTest {
private void createServiceComponent(String clusterName,
String serviceName, String componentName, State desiredState)
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
String dStateStr = null;
if (desiredState != null) {
dStateStr = desiredState.toString();
@@ -127,7 +126,7 @@ public class JMXHostProviderTest {
private void createServiceComponentHost(String clusterName,
String serviceName, String componentName, String hostname,
- State desiredState) throws AmbariException {
+ State desiredState) throws AmbariException, AuthorizationException {
String dStateStr = null;
if (desiredState != null) {
dStateStr = desiredState.toString();
@@ -152,9 +151,6 @@ public class JMXHostProviderTest {
String componentName2 = "DATANODE";
String componentName3 = "HDFS_CLIENT";
- Map<String, String> mapRequestProps = new HashMap<String, String>();
- mapRequestProps.put("context", "Called from a test");
-
createServiceComponent(clusterName, serviceName, componentName1,
State.INIT);
createServiceComponent(clusterName, serviceName, componentName2,
@@ -390,7 +386,7 @@ public class JMXHostProviderTest {
providerModule.managementController = managementControllerMock;
Set<String> result = providerModule.getHostNames("c1", "DATANODE");
- Assert.assertTrue(result.iterator().next().toString().equals("host1"));
+ Assert.assertTrue(result.iterator().next().equals("host1"));
}
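Review bot: `Assert.assertTrue(... .equals("host1"))` reports only a bare assertion failure when the returned host name differs. `Assert.assertEquals("host1", result.iterator().next());` makes the same check and prints the expected and actual values. The enclosing test method starts outside this hunk.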
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/RequestResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/RequestResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/RequestResourceProviderTest.java
index 22aa124..b3168f2 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/RequestResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/RequestResourceProviderTest.java
@@ -24,6 +24,7 @@ import static org.easymock.EasyMock.createMock;
import static org.easymock.EasyMock.createNiceMock;
import static org.easymock.EasyMock.eq;
import static org.easymock.EasyMock.expect;
+import static org.easymock.EasyMock.newCapture;
import static org.easymock.EasyMock.replay;
import static org.easymock.EasyMock.reset;
import static org.easymock.EasyMock.verify;
@@ -61,15 +62,20 @@ import org.apache.ambari.server.orm.dao.HostRoleCommandDAO;
import org.apache.ambari.server.orm.dao.HostRoleCommandStatusSummaryDTO;
import org.apache.ambari.server.orm.dao.RequestDAO;
import org.apache.ambari.server.orm.entities.RequestEntity;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.state.Cluster;
import org.apache.ambari.server.state.Clusters;
import org.apache.ambari.server.topology.LogicalRequest;
import org.apache.ambari.server.topology.TopologyManager;
import org.easymock.Capture;
import org.easymock.EasyMock;
+import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
/**
* RequestResourceProvider tests.
@@ -111,6 +117,10 @@ public class RequestResourceProviderTest {
field.set(null, topologyManager);
}
+ @After
+ public void cleanAuthentication() {
+ SecurityContextHolder.getContext().setAuthentication(null);
+ }
@Test
public void testCreateResources() throws Exception {
@@ -234,7 +244,7 @@ public class RequestResourceProviderTest {
expect(requestMock.getRequestContext()).andReturn("this is a context").anyTimes();
expect(requestMock.getRequestId()).andReturn(100L).anyTimes();
- Capture<Collection<Long>> requestIdsCapture = new Capture<Collection<Long>>();
+ Capture<Collection<Long>> requestIdsCapture = newCapture();
// set expectations
expect(managementController.getActionManager()).andReturn(actionManager);
@@ -284,7 +294,7 @@ public class RequestResourceProviderTest {
expect(requestMock.getRequestId()).andReturn(100L).anyTimes();
expect(requestMock.getRequestScheduleId()).andReturn(11L).anyTimes();
- Capture<Collection<Long>> requestIdsCapture = new Capture<Collection<Long>>();
+ Capture<Collection<Long>> requestIdsCapture = newCapture();
// set expectations
expect(managementController.getActionManager()).andReturn(actionManager);
@@ -337,7 +347,7 @@ public class RequestResourceProviderTest {
expect(requestMock.getRequestId()).andReturn(100L).anyTimes();
expect(requestMock.getRequestScheduleId()).andReturn(null).anyTimes();
- Capture<Collection<Long>> requestIdsCapture = new Capture<Collection<Long>>();
+ Capture<Collection<Long>> requestIdsCapture = newCapture();
// set expectations
expect(managementController.getActionManager()).andReturn(actionManager);
@@ -394,7 +404,7 @@ public class RequestResourceProviderTest {
expect(requestMock.getClusterId()).andReturn(50L).anyTimes();
expect(requestMock.getRequestId()).andReturn(100L).anyTimes();
- Capture<Collection<Long>> requestIdsCapture = new Capture<Collection<Long>>();
+ Capture<Collection<Long>> requestIdsCapture = newCapture();
// set expectations
expect(managementController.getActionManager()).andReturn(actionManager).anyTimes();
@@ -464,7 +474,7 @@ public class RequestResourceProviderTest {
expect(requestMock1.getRequestContext()).andReturn("this is a context").anyTimes();
expect(requestMock1.getRequestId()).andReturn(101L).anyTimes();
- Capture<Collection<Long>> requestIdsCapture = new Capture<Collection<Long>>();
+ Capture<Collection<Long>> requestIdsCapture = newCapture();
// set expectations
expect(managementController.getActionManager()).andReturn(actionManager).anyTimes();
@@ -518,7 +528,7 @@ public class RequestResourceProviderTest {
expect(requestMock1.getRequestContext()).andReturn("this is a context").anyTimes();
expect(requestMock1.getRequestId()).andReturn(101L).anyTimes();
- Capture<Collection<Long>> requestIdsCapture = new Capture<Collection<Long>>();
+ Capture<Collection<Long>> requestIdsCapture = newCapture();
// set expectations
expect(managementController.getActionManager()).andReturn(actionManager).anyTimes();
@@ -752,7 +762,7 @@ public class RequestResourceProviderTest {
expect(stage.getOrderedHostRoleCommands()).andReturn(hostRoleCommands).anyTimes();
- Capture<Collection<Long>> requestIdsCapture = new Capture<Collection<Long>>();
+ Capture<Collection<Long>> requestIdsCapture = newCapture();
// set expectations
expect(managementController.getActionManager()).andReturn(actionManager).anyTimes();
@@ -871,21 +881,54 @@ public class RequestResourceProviderTest {
}
@Test
- public void testCreateResourcesForCommands() throws Exception {
+ public void testCreateResourcesForCommandsAsAdministrator() throws Exception {
+ testCreateResourcesForCommands(TestAuthenticationFactory.createAdministrator());
+ }
+
+ @Test
+ public void testCreateResourcesForCommandsAsClusterAdministrator() throws Exception {
+ testCreateResourcesForCommands(TestAuthenticationFactory.createClusterAdministrator());
+ }
+
+ @Test
+ public void testCreateResourcesForCommandsAsServiceAdministrator() throws Exception {
+ testCreateResourcesForCommands(TestAuthenticationFactory.createServiceAdministrator());
+ }
+
+ @Test
+ public void testCreateResourcesForCommandsAsServiceOperator() throws Exception {
+ testCreateResourcesForCommands(TestAuthenticationFactory.createServiceOperator());
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testCreateResourcesForCommandsAsClusterUser() throws Exception {
+ testCreateResourcesForCommands(TestAuthenticationFactory.createClusterUser());
+ }
+
+ private void testCreateResourcesForCommands(Authentication authentication) throws Exception {
Resource.Type type = Resource.Type.Request;
- Capture<ExecuteActionRequest> actionRequest = new Capture<ExecuteActionRequest>();
- Capture<HashMap<String, String>> propertyMap = new Capture<HashMap<String, String>>();
+ Capture<ExecuteActionRequest> actionRequest = newCapture();
+ Capture<HashMap<String, String>> propertyMap = newCapture();
+
+ Cluster cluster = createMock(Cluster.class);
+ expect(cluster.getClusterId()).andReturn(2L).anyTimes();
+
+ Clusters clusters = createMock(Clusters.class);
+ expect(clusters.getCluster("c1")).andReturn(cluster).anyTimes();
AmbariManagementController managementController = createMock(AmbariManagementController.class);
RequestStatusResponse response = createNiceMock(RequestStatusResponse.class);
+ expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(managementController.createAction(capture(actionRequest), capture(propertyMap)))
.andReturn(response).anyTimes();
expect(response.getMessage()).andReturn("Message").anyTimes();
// replay
- replay(managementController, response);
+ replay(cluster, clusters, managementController, response);
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
// add the property map to a set for the request. add more maps for multiple creates
Set<Map<String, Object>> propertySet = new LinkedHashSet<Map<String, Object>>();
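Review bot: `testCreateResourcesForCommandsAsClusterUser` passes on any `AuthorizationException` and cannot show that the action was not dispatched first, because the helper registers `managementController.createAction(...)` with `.anyTimes()` and so accepts zero calls or several. For the denied role, catch the exception around the provider call (which lies outside this hunk), add `Assert.assertFalse(actionRequest.hasCaptured());` and rethrow, so that a check placed after the side effect fails the test. The `…WithParams` and `…WithOpLvl` helpers in the next two hunks use the same `.anyTimes()` expectation and need the same assertion.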
@@ -934,20 +977,53 @@ public class RequestResourceProviderTest {
}
@Test
- public void testCreateResourcesForCommandsWithParams() throws Exception {
+ public void testCreateResourcesForCommandsWithParamsAsAdministrator() throws Exception {
+ testCreateResourcesForCommandsWithParams(TestAuthenticationFactory.createAdministrator());
+ }
+
+ @Test
+ public void testCreateResourcesForCommandsWithParamsAsClusterAdministrator() throws Exception {
+ testCreateResourcesForCommandsWithParams(TestAuthenticationFactory.createClusterAdministrator());
+ }
+
+ @Test
+ public void testCreateResourcesForCommandsWithParamsAsServiceAdministrator() throws Exception {
+ testCreateResourcesForCommandsWithParams(TestAuthenticationFactory.createServiceAdministrator());
+ }
+
+ @Test
+ public void testCreateResourcesForCommandsWithParamsAsServiceOperator() throws Exception {
+ testCreateResourcesForCommandsWithParams(TestAuthenticationFactory.createServiceOperator());
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testCreateResourcesForCommandsWithParamsAsClusterUser() throws Exception {
+ testCreateResourcesForCommandsWithParams(TestAuthenticationFactory.createClusterUser());
+ }
+
+ private void testCreateResourcesForCommandsWithParams(Authentication authentication) throws Exception {
Resource.Type type = Resource.Type.Request;
- Capture<ExecuteActionRequest> actionRequest = new Capture<ExecuteActionRequest>();
- Capture<HashMap<String, String>> propertyMap = new Capture<HashMap<String, String>>();
+ Capture<ExecuteActionRequest> actionRequest = newCapture();
+ Capture<HashMap<String, String>> propertyMap = newCapture();
+
+ Cluster cluster = createMock(Cluster.class);
+ expect(cluster.getClusterId()).andReturn(2L).anyTimes();
+
+ Clusters clusters = createMock(Clusters.class);
+ expect(clusters.getCluster("c1")).andReturn(cluster).anyTimes();
AmbariManagementController managementController = createMock(AmbariManagementController.class);
RequestStatusResponse response = createNiceMock(RequestStatusResponse.class);
+ expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(managementController.createAction(capture(actionRequest), capture(propertyMap)))
.andReturn(response).anyTimes();
expect(response.getMessage()).andReturn("Message").anyTimes();
// replay
- replay(managementController, response);
+ replay(cluster, clusters, managementController, response);
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
// add the property map to a set for the request. add more maps for multiple creates
Set<Map<String, Object>> propertySet = new LinkedHashSet<Map<String, Object>>();
@@ -1021,21 +1097,54 @@ public class RequestResourceProviderTest {
}
@Test
- public void testCreateResourcesForCommandsWithOpLvl() throws Exception {
+ public void testCreateResourcesForCommandsWithOpLvlAsAdministrator() throws Exception {
+ testCreateResourcesForCommandsWithOpLvl(TestAuthenticationFactory.createAdministrator());
+ }
+
+ @Test
+ public void testCreateResourcesForCommandsWithOpLvlAsClusterAdministrator() throws Exception {
+ testCreateResourcesForCommandsWithOpLvl(TestAuthenticationFactory.createClusterAdministrator());
+ }
+
+ @Test
+ public void testCreateResourcesForCommandsWithOpLvlAsServiceAdministrator() throws Exception {
+ testCreateResourcesForCommandsWithOpLvl(TestAuthenticationFactory.createServiceAdministrator());
+ }
+
+ @Test
+ public void testCreateResourcesForCommandsWithOpLvlAsServiceOperator() throws Exception {
+ testCreateResourcesForCommandsWithOpLvl(TestAuthenticationFactory.createServiceOperator());
+ }
+
+ @Test(expected = AuthorizationException.class)
+ public void testCreateResourcesForCommandsWithOpLvlAsClusterUser() throws Exception {
+ testCreateResourcesForCommandsWithOpLvl(TestAuthenticationFactory.createClusterUser());
+ }
+
+ private void testCreateResourcesForCommandsWithOpLvl(Authentication authentication) throws Exception {
Resource.Type type = Resource.Type.Request;
- Capture<ExecuteActionRequest> actionRequest = new Capture<ExecuteActionRequest>();
- Capture<HashMap<String, String>> propertyMap = new Capture<HashMap<String, String>>();
+ Capture<ExecuteActionRequest> actionRequest = newCapture();
+ Capture<HashMap<String, String>> propertyMap = newCapture();
+
+ Cluster cluster = createMock(Cluster.class);
+ expect(cluster.getClusterId()).andReturn(2L).anyTimes();
+
+ Clusters clusters = createMock(Clusters.class);
+ expect(clusters.getCluster("c1")).andReturn(cluster).anyTimes();
AmbariManagementController managementController = createMock(AmbariManagementController.class);
RequestStatusResponse response = createNiceMock(RequestStatusResponse.class);
+ expect(managementController.getClusters()).andReturn(clusters).anyTimes();
expect(managementController.createAction(capture(actionRequest), capture(propertyMap)))
.andReturn(response).anyTimes();
expect(response.getMessage()).andReturn("Message").anyTimes();
// replay
- replay(managementController, response);
+ replay(cluster, clusters, managementController, response);
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
// add the property map to a set for the request. add more maps for multiple creates
Set<Map<String, Object>> propertySet = new LinkedHashSet<Map<String, Object>>();
@@ -1098,8 +1207,8 @@ public class RequestResourceProviderTest {
public void testCreateResourcesForNonCluster() throws Exception {
Resource.Type type = Resource.Type.Request;
- Capture<ExecuteActionRequest> actionRequest = new Capture<ExecuteActionRequest>();
- Capture<HashMap<String, String>> propertyMap = new Capture<HashMap<String, String>>();
+ Capture<ExecuteActionRequest> actionRequest = newCapture();
+ Capture<HashMap<String, String>> propertyMap = newCapture();
AmbariManagementController managementController = createMock(AmbariManagementController.class);
RequestStatusResponse response = createNiceMock(RequestStatusResponse.class);
@@ -1165,7 +1274,7 @@ public class RequestResourceProviderTest {
expect(requestMock.getRequestContext()).andReturn("this is a context").anyTimes();
expect(requestMock.getRequestId()).andReturn(100L).anyTimes();
- Capture<Collection<Long>> requestIdsCapture = new Capture<Collection<Long>>();
+ Capture<Collection<Long>> requestIdsCapture = newCapture();
// set expectations
expect(managementController.getActionManager()).andReturn(actionManager).anyTimes();
@@ -1221,7 +1330,7 @@ public class RequestResourceProviderTest {
expect(requestMock.getRequestContext()).andReturn("this is a context").anyTimes();
expect(requestMock.getRequestId()).andReturn(100L).anyTimes();
- Capture<Collection<Long>> requestIdsCapture = new Capture<Collection<Long>>();
+ Capture<Collection<Long>> requestIdsCapture = newCapture();
// set expectations
expect(managementController.getActionManager()).andReturn(actionManager).anyTimes();
[3/3] ambari git commit: AMBARI-14192. Enforce granular role-based
access control for service functions (rlevas)
Posted by rl...@apache.org.
AMBARI-14192. Enforce granular role-based access control for service functions (rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/f08db5c9
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/f08db5c9
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/f08db5c9
Branch: refs/heads/trunk
Commit: f08db5c996757d265f3fe8d4ecfe5b5e03e693d2
Parents: c17f410
Author: Robert Levas <rl...@hortonworks.com>
Authored: Wed Dec 9 12:51:35 2015 -0500
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Wed Dec 9 12:51:35 2015 -0500
----------------------------------------------------------------------
.../controller/AmbariManagementController.java | 4 +-
.../AmbariManagementControllerImpl.java | 176 +++++++++++---
.../AbstractControllerResourceProvider.java | 14 ++
.../internal/ComponentResourceProvider.java | 42 +++-
.../internal/HostComponentResourceProvider.java | 29 ++-
.../internal/RequestResourceProvider.java | 35 ++-
.../internal/ServiceResourceProvider.java | 47 +++-
.../AmbariAuthorizationFilter.java | 9 +
.../authorization/AuthorizationHelper.java | 13 +-
.../authorization/RoleAuthorization.java | 51 +++-
.../server/state/cluster/ClusterImpl.java | 4 +-
.../ambari/server/topology/AmbariContext.java | 3 +-
.../server/upgrade/UpgradeCatalog220.java | 2 +
.../main/resources/Ambari-DDL-MySQL-CREATE.sql | 3 +
.../main/resources/Ambari-DDL-Oracle-CREATE.sql | 3 +
.../resources/Ambari-DDL-Postgres-CREATE.sql | 3 +
.../Ambari-DDL-Postgres-EMBEDDED-CREATE.sql | 3 +
.../resources/Ambari-DDL-SQLAnywhere-CREATE.sql | 3 +
.../resources/Ambari-DDL-SQLServer-CREATE.sql | 3 +
.../AmbariCustomCommandExecutionHelperTest.java | 33 ++-
.../AmbariManagementControllerTest.java | 39 ++-
.../BackgroundCustomCommandExecutionTest.java | 28 ++-
...hYarnCapacitySchedulerReleaseConfigTest.java | 12 +-
.../internal/ClusterResourceProviderTest.java | 40 +--
.../internal/ComponentResourceProviderTest.java | 179 ++++++++++++--
.../HostComponentResourceProviderTest.java | 101 +++++++-
.../internal/JMXHostProviderTest.java | 16 +-
.../internal/RequestResourceProviderTest.java | 155 ++++++++++--
.../internal/ServiceResourceProviderTest.java | 242 +++++++++++++------
.../security/TestAuthenticationFactory.java | 97 +++++++-
.../authorization/AuthorizationHelperTest.java | 8 +-
31 files changed, 1113 insertions(+), 284 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementController.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementController.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementController.java
index 4d7eca8..cb197df 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementController.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementController.java
@@ -86,7 +86,7 @@ public interface AmbariManagementController {
* @throws AmbariException thrown if the host component cannot be created
*/
public void createHostComponents(
- Set<ServiceComponentHostRequest> requests) throws AmbariException;
+ Set<ServiceComponentHostRequest> requests) throws AmbariException, AuthorizationException;
/**
* Creates a configuration.
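Review bot: The Javadoc of `createHostComponents` still lists only `@throws AmbariException`, although the signature now also declares `AuthorizationException`. The same holds for `deleteHostComponents` in the next hunk. Add a line to each, for example `* @throws AuthorizationException if the authenticated user is not authorized to add (or delete) host components`, so implementers and callers know the denial is reported through this type rather than wrapped in `AmbariException`. The start of both Javadoc blocks is outside the hunks.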
@@ -281,7 +281,7 @@ public interface AmbariManagementController {
* @throws AmbariException thrown if the resource cannot be deleted
*/
public RequestStatusResponse deleteHostComponents(
- Set<ServiceComponentHostRequest> requests) throws AmbariException;
+ Set<ServiceComponentHostRequest> requests) throws AmbariException, AuthorizationException;
/**
* Deletes the users specified.
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java
index 5f765bf..3c66127 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java
@@ -428,7 +428,7 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
@Override
public synchronized void createHostComponents(Set<ServiceComponentHostRequest> requests)
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
if (requests.isEmpty()) {
LOG.warn("Received an empty requests set");
@@ -450,6 +450,11 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
"Attempted to add a host_component to a cluster which doesn't exist: ", e);
}
+ if(!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, cluster.getClusterId(),
+ EnumSet.of(RoleAuthorization.SERVICE_ADD_DELETE_SERVICES,RoleAuthorization.HOST_ADD_DELETE_COMPONENTS))) {
+ throw new AuthorizationException("The authenticated user is not authorized to install service components on to hosts");
+ }
+
if (StringUtils.isEmpty(request.getServiceName())) {
request.setServiceName(findServiceName(cluster, request.getComponentName()));
}
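Review bot: The new check passes two authorizations to `AuthorizationHelper.isAuthorized` without saying whether holding either one is enough or both are required, and that decides which roles may add components to hosts. If the set is matched any-of (the helper is not visible here), say so above the `if`, e.g. `// either SERVICE_ADD_DELETE_SERVICES or HOST_ADD_DELETE_COMPONENTS on this cluster is sufficient`, and confirm that granting this to holders of the service-level authorization alone is intended. The exception message also omits the cluster name, which would make a denial easier to trace in logs. The enclosing loop and method body continue outside the hunk.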
@@ -1479,44 +1484,71 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
// set or create configuration mapping (and optionally create the map of properties)
if (isConfigurationCreationNeeded) {
- Set<Config> configs = new HashSet<Config>();
- String note = null;
- for (ConfigurationRequest cr: request.getDesiredConfig()) {
-
- if (null != cr.getProperties()) {
- // !!! empty property sets are supported, and need to be able to use
- // previously-defined configs (revert)
- Map<String, Config> all = cluster.getConfigsByType(cr.getType());
- if (null == all || // none set
- !all.containsKey(cr.getVersionTag()) || // tag not set
- cr.getProperties().size() > 0) { // properties to set
-
- LOG.info(MessageFormat.format("Applying configuration with tag ''{0}'' to cluster ''{1}'' for configuration type {2}",
- cr.getVersionTag(),
- request.getClusterName(),
- cr.getType()));
-
- cr.setClusterName(cluster.getClusterName());
- configurationResponses.add(createConfiguration(cr));
- }
- }
- note = cr.getServiceConfigVersionNote();
- configs.add(cluster.getConfig(cr.getType(), cr.getVersionTag()));
- }
- if (!configs.isEmpty()) {
- if(!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, cluster.getClusterId(), EnumSet.of(RoleAuthorization.SERVICE_MODIFY_CONFIGS))) {
- throw new AuthorizationException("The authenticated user does not have authorization to modify service configurations");
- }
+ List<ConfigurationRequest> desiredConfigs = request.getDesiredConfig();
+
+ if (!desiredConfigs.isEmpty()) {
+ Set<Config> configs = new HashSet<Config>();
+ String note = null;
+
+ for (ConfigurationRequest cr : desiredConfigs) {
+ String configType = cr.getType();
+
+ // If the config type is for a service, then allow a user with SERVICE_MODIFY_CONFIGS to
+ // update, else ensure the user has CLUSTER_MODIFY_CONFIGS
+ String service = null;
+
+ try {
+ service = cluster.getServiceForConfigTypes(Collections.singleton(configType));
+ } catch (IllegalArgumentException e) {
+ // Ignore this since we may have hit a config type that spans multiple services. This may
+ // happen in unit test cases but should not happen with later versions of stacks.
+ }
+
+ if(StringUtils.isEmpty(service)) {
+ if (!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, cluster.getClusterId(), EnumSet.of(RoleAuthorization.CLUSTER_MODIFY_CONFIGS))) {
+ throw new AuthorizationException("The authenticated user does not have authorization to modify cluster configurations");
+ }
+ }
+ else {
+ if (!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, cluster.getClusterId(), EnumSet.of(RoleAuthorization.SERVICE_MODIFY_CONFIGS))) {
+ throw new AuthorizationException("The authenticated user does not have authorization to modify service configurations");
+ }
+ }
+
+ if (null != cr.getProperties()) {
+ // !!! empty property sets are supported, and need to be able to use
+ // previously-defined configs (revert)
+ Map<String, Config> all = cluster.getConfigsByType(configType);
+ if (null == all || // none set
+ !all.containsKey(cr.getVersionTag()) || // tag not set
+ cr.getProperties().size() > 0) { // properties to set
- String authName = getAuthName();
- serviceConfigVersionResponse = cluster.addDesiredConfig(authName, configs, note);
- if (serviceConfigVersionResponse != null) {
- Logger logger = LoggerFactory.getLogger("configchange");
- for (Config config: configs) {
- logger.info("cluster '" + request.getClusterName() + "' "
- + "changed by: '" + authName + "'; "
- + "type='" + config.getType() + "' "
- + "tag='" + config.getTag() + "'");
+ // Ensure the user is allowed to update all properties
+ validateAuthorizationToUpdateServiceUsersAndGroups(cluster, cr);
+
+ LOG.info(MessageFormat.format("Applying configuration with tag ''{0}'' to cluster ''{1}'' for configuration type {2}",
+ cr.getVersionTag(),
+ request.getClusterName(),
+ configType));
+
+ cr.setClusterName(cluster.getClusterName());
+ configurationResponses.add(createConfiguration(cr));
+ }
+ }
+ note = cr.getServiceConfigVersionNote();
+ configs.add(cluster.getConfig(configType, cr.getVersionTag()));
+ }
+ if (!configs.isEmpty()) {
+ String authName = getAuthName();
+ serviceConfigVersionResponse = cluster.addDesiredConfig(authName, configs, note);
+ if (serviceConfigVersionResponse != null) {
+ Logger logger = LoggerFactory.getLogger("configchange");
+ for (Config config : configs) {
+ logger.info("cluster '" + request.getClusterName() + "' "
+ + "changed by: '" + authName + "'; "
+ + "type='" + config.getType() + "' "
+ + "tag='" + config.getTag() + "'");
+ }
}
}
}
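Review bot: `validateAuthorizationToUpdateServiceUsersAndGroups(cluster, cr)` is reached only when the tag is new or `cr.getProperties().size() > 0`, so a request that names an existing version tag with an empty property set (the "revert" case the comment mentions) skips it and still reaches `configs.add(cluster.getConfig(configType, cr.getVersionTag()))` and `cluster.addDesiredConfig(...)`. If that older version holds different USER or GROUP values, a caller without AMBARI_SET_SERVICE_USERS_GROUPS could change the run-as identity by reverting. Comparing the properties of the config returned by `cluster.getConfig(...)` with the current desired config before adding it would cover that path. The per-entry checks also run after earlier entries may already have passed through `createConfiguration(cr)`, so authorizing all entries before the first create would avoid partial work. The swallowed `IllegalArgumentException` deserves at least `LOG.debug("No single service owns config type " + configType, e);`, and the enclosing method starts and ends outside the hunk.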
@@ -2907,7 +2939,7 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
@Override
public RequestStatusResponse deleteHostComponents(
- Set<ServiceComponentHostRequest> requests) throws AmbariException {
+ Set<ServiceComponentHostRequest> requests) throws AmbariException, AuthorizationException {
Set<ServiceComponentHostRequest> expanded = new HashSet<ServiceComponentHostRequest>();
@@ -2920,6 +2952,11 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
}
Cluster cluster = clusters.getCluster(request.getClusterName());
+ if(!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, cluster.getClusterId(),
+ EnumSet.of(RoleAuthorization.SERVICE_ADD_DELETE_SERVICES,RoleAuthorization.HOST_ADD_DELETE_COMPONENTS))) {
+ throw new AuthorizationException("The authenticated user is not authorized to delete service components from hosts");
+ }
+
for (ServiceComponentHost sch : cluster.getServiceComponentHosts(request.getHostname())) {
ServiceComponentHostRequest schr = new ServiceComponentHostRequest(request.getClusterName(),
sch.getServiceName(), sch.getServiceComponentName(), sch.getHostName(), null);
@@ -4492,4 +4529,65 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
properties.put("storage.temporary", String.valueOf(credentialStoreService.isInitialized(CredentialStoreType.TEMPORARY)));
return properties;
}
+
+ /**
+ * Validates that the authenticated user can set a service's (run-as) user and group.
+ * <p/>
+ * If the user is authorized to set service users and groups, than this method exits quickly.
+ * If the user is not authorized to set service users and groups, then this method verifies that
+ * the properties of types USER and GROUP have not been changed. If they have been, an
+ * AuthorizationException is thrown.
+ *
+ * @param cluster the relevant cluster
+ * @param request the configuration request
+ * @throws AuthorizationException if the user is not authorized to perform this operation
+ */
+ protected void validateAuthorizationToUpdateServiceUsersAndGroups(Cluster cluster, ConfigurationRequest request)
+ throws AuthorizationException {
+ // If the authenticated user is not authorized to set service users or groups, make sure the
+ // relevant properties are not changed. However, if the user is authorized to set service
+ // users and groups, there is nothing to check.
+ if (!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, cluster.getClusterId(),
+ RoleAuthorization.AMBARI_SET_SERVICE_USERS_GROUPS)) {
+
+ Map<String, String> requestProperties = request.getProperties();
+ if (requestProperties != null) {
+ Map<PropertyInfo.PropertyType, Set<String>> propertyTypes = cluster.getConfigPropertiesTypes(
+ request.getType());
+
+ // Create a composite set of properties to check...
+ Set<String> propertiesToCheck = new HashSet<String>();
+
+ Set<String> userProperties = propertyTypes.get(PropertyType.USER);
+ if (userProperties != null) {
+ propertiesToCheck.addAll(userProperties);
+ }
+
+ Set<String> groupProperties = propertyTypes.get(PropertyType.GROUP);
+ if (groupProperties != null) {
+ propertiesToCheck.addAll(groupProperties);
+ }
+
+ // If there are no USER or GROUP type properties, skip the validation check...
+ if (!propertiesToCheck.isEmpty()) {
+
+ Config existingConfig = cluster.getDesiredConfigByType(request.getType());
+ Map<String, String> existingProperties = (existingConfig == null) ? null : existingConfig.getProperties();
+ if (existingProperties == null) {
+ existingProperties = Collections.emptyMap();
+ }
+
+ for (String propertyName : propertiesToCheck) {
+ String existingProperty = existingProperties.get(propertyName);
+ String requestProperty = requestProperties.get(propertyName);
+
+ // If the properties don't match, so thrown an authorization exception
+ if ((existingProperty == null) ? (requestProperty != null) : !existingProperty.equals(requestProperty)) {
+ throw new AuthorizationException("The authenticated user is not authorized to set service user and groups");
+ }
+ }
+ }
+ }
+ }
+ }
}
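Review bot: `propertyTypes` is dereferenced in `validateAuthorizationToUpdateServiceUsersAndGroups` without a null check, although every other lookup in the method is null-guarded. Whether `cluster.getConfigPropertiesTypes(...)` can return null for an unknown config type is not visible here, so a guard that treats null as "no typed properties" is worth adding. The refusal is also silent on the server side: a line such as `LOG.warn("Denied change to property " + propertyName + " of config type " + request.getType());` before the throw (names only, never values) would make refused attempts auditable. Two wording fixes in the added text: "than this method exits quickly" should read "then", and the inline comment should read `// If the properties don't match, throw an authorization exception`.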
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java
index 60b6901..fdee605 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java
@@ -21,11 +21,13 @@ package org.apache.ambari.server.controller.internal;
import java.util.Map;
import java.util.Set;
+import org.apache.ambari.server.AmbariException;
import org.apache.ambari.server.controller.AmbariManagementController;
import org.apache.ambari.server.controller.ResourceProviderFactory;
import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.controller.spi.ResourceProvider;
import org.apache.ambari.server.controller.utilities.ClusterControllerHelper;
+import org.apache.ambari.server.state.Cluster;
/**
* Abstract resource provider implementation that maps to an Ambari management controller.
@@ -75,6 +77,18 @@ public abstract class AbstractControllerResourceProvider extends AbstractAuthori
// ----- utility methods ---------------------------------------------------
/**
+ * Gets the cluster id for the named cluster
+ *
+ * @param clusterName the name of the relevant cluster
+ * @return the cluster id or null if not found
+ * @throws AmbariException if the named cluster does not exist
+ */
+ protected Long getClusterId(String clusterName) throws AmbariException {
+ Cluster cluster = managementController.getClusters().getCluster(clusterName);
+ return (cluster == null) ? null : cluster.getClusterId();
+ }
+
+ /**
* Factory method for obtaining a resource provider based on a given type and management controller.
*
* @param type the resource type
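Review bot: The Javadoc of `getClusterId` states both that it returns null when the cluster is not found and that it throws AmbariException when the cluster does not exist; the contract should pick one. This matters because callers in this commit pass the result straight into `AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, getClusterId(...), ...)` (RequestResourceProvider's action check and ServiceResourceProvider.createServices). How a null resource id is treated there is not visible on this page, and if null is read as "any cluster" the check would be wider than intended. Throwing when the lookup yields null, or having callers reject a null id before the authorization call, removes the ambiguity. The hunk ends inside the Javadoc of the following factory method.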
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ComponentResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ComponentResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ComponentResourceProvider.java
index 59b5fcf..b45ef72 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ComponentResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ComponentResourceProvider.java
@@ -20,6 +20,7 @@ package org.apache.ambari.server.controller.internal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
+import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
@@ -47,6 +48,10 @@ import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.controller.spi.ResourceAlreadyExistsException;
import org.apache.ambari.server.controller.spi.SystemException;
import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
import org.apache.ambari.server.state.Cluster;
import org.apache.ambari.server.state.Clusters;
import org.apache.ambari.server.state.ComponentInfo;
@@ -107,13 +112,20 @@ public class ComponentResourceProvider extends AbstractControllerResourceProvide
MaintenanceStateHelper maintenanceStateHelper) {
super(propertyIds, keyPropertyIds, managementController);
this.maintenanceStateHelper = maintenanceStateHelper;
+
+
+ setRequiredCreateAuthorizations(EnumSet.of(RoleAuthorization.SERVICE_ADD_DELETE_SERVICES));
+ setRequiredDeleteAuthorizations(EnumSet.of(RoleAuthorization.SERVICE_ADD_DELETE_SERVICES));
+ setRequiredGetAuthorizations(RoleAuthorization.AUTHORIZATIONS_VIEW_SERVICE);
+ setRequiredGetAuthorizations(RoleAuthorization.AUTHORIZATIONS_VIEW_SERVICE);
+ setRequiredUpdateAuthorizations(RoleAuthorization.AUTHORIZATIONS_UPDATE_CLUSTER);
}
// ----- ResourceProvider ------------------------------------------------
@Override
- public RequestStatus createResources(Request request)
+ protected RequestStatus createResourcesAuthorized(Request request)
throws SystemException,
UnsupportedPropertyException,
ResourceAlreadyExistsException,
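Review bot: In the constructor `setRequiredGetAuthorizations(RoleAuthorization.AUTHORIZATIONS_VIEW_SERVICE);` appears twice, and the update set is `AUTHORIZATIONS_UPDATE_CLUSTER` where ServiceResourceProvider in this commit registers `AUTHORIZATIONS_UPDATE_SERVICE`. The duplicate should be dropped, and the update set either corrected or given a comment explaining why component updates need the cluster-level set. The visible hunks for this file rename only `createResources` and `deleteResources` to their `*Authorized` forms, so if `getResources` and `updateResources` remain public overrides (not shown), the get and update sets registered here may never be consulted. The `createResourcesAuthorized` signature continues past the end of the hunk.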
@@ -126,7 +138,7 @@ public class ComponentResourceProvider extends AbstractControllerResourceProvide
createResources(new Command<Void>() {
@Override
- public Void invoke() throws AmbariException {
+ public Void invoke() throws AmbariException, AuthorizationException {
createComponents(requests);
return null;
}
@@ -191,7 +203,7 @@ public class ComponentResourceProvider extends AbstractControllerResourceProvide
RequestStatusResponse response = modifyResources(new Command<RequestStatusResponse>() {
@Override
- public RequestStatusResponse invoke() throws AmbariException {
+ public RequestStatusResponse invoke() throws AmbariException, AuthorizationException {
return updateComponents(requests, request.getRequestInfoProperties(), runSmokeTest);
}
});
@@ -202,7 +214,7 @@ public class ComponentResourceProvider extends AbstractControllerResourceProvide
}
@Override
- public RequestStatus deleteResources(Predicate predicate)
+ protected RequestStatus deleteResourcesAuthorized(Predicate predicate)
throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
final Set<ServiceComponentRequest> requests = new HashSet<ServiceComponentRequest>();
@@ -211,7 +223,7 @@ public class ComponentResourceProvider extends AbstractControllerResourceProvide
}
RequestStatusResponse response = modifyResources(new Command<RequestStatusResponse>() {
@Override
- public RequestStatusResponse invoke() throws AmbariException {
+ public RequestStatusResponse invoke() throws AmbariException, AuthorizationException {
return deleteComponents(requests);
}
});
@@ -249,7 +261,7 @@ public class ComponentResourceProvider extends AbstractControllerResourceProvide
// Create the components for the given requests.
public synchronized void createComponents(
- Set<ServiceComponentRequest> requests) throws AmbariException {
+ Set<ServiceComponentRequest> requests) throws AmbariException, AuthorizationException {
if (requests.isEmpty()) {
LOG.warn("Received an empty requests set");
@@ -284,6 +296,10 @@ public class ComponentResourceProvider extends AbstractControllerResourceProvide
"Attempted to add a component to a cluster which doesn't exist:", e);
}
+ if(!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, cluster.getClusterId(), RoleAuthorization.SERVICE_ADD_DELETE_SERVICES)) {
+ throw new AuthorizationException("The user is not authorized to create components");
+ }
+
if (request.getServiceName() == null
|| request.getServiceName().isEmpty()) {
StackId stackId = cluster.getDesiredStackVersion();
@@ -570,7 +586,7 @@ public class ComponentResourceProvider extends AbstractControllerResourceProvide
// Update the components for the given requests.
protected synchronized RequestStatusResponse updateComponents(Set<ServiceComponentRequest> requests,
Map<String, String> requestProperties, boolean runSmokeTest)
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
if (requests.isEmpty()) {
LOG.warn("Received an empty requests set");
@@ -723,6 +739,12 @@ public class ComponentResourceProvider extends AbstractControllerResourceProvide
State oldScState = sc.getDesiredState();
if (newState != oldScState) {
+ // The if user is trying to start or stop the component, ensure authorization
+ if (((newState == State.INSTALLED) || (newState == State.STARTED)) &&
+ !AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, cluster.getClusterId(), RoleAuthorization.SERVICE_START_STOP)) {
+ throw new AuthorizationException("The authenticated user is not authorized to start or stop components of services");
+ }
+
if (!State.isValidDesiredStateTransition(oldScState, newState)) {
// FIXME throw correct error
throw new AmbariException("Invalid transition for"
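Review bot: The added guard covers only the INSTALLED and STARTED target states and accepts only SERVICE_START_STOP, so other desired-state changes get no inline check at this point. A transition to INSTALLED that is an install rather than a stop is refused for a caller who holds SERVICE_ADD_DELETE_SERVICES but not SERVICE_START_STOP. HostComponentResourceProvider.updateHostComponents in this commit does the opposite and accepts any of four authorizations for any state change, so the two providers should agree on which authorization maps to which transition. The comment has its words swapped and should read `// If the user is trying to start or stop the component, ensure authorization`. The enclosing method starts and ends outside the hunk.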
@@ -837,7 +859,7 @@ public class ComponentResourceProvider extends AbstractControllerResourceProvide
ignoredScHosts, runSmokeTest, false);
}
- protected RequestStatusResponse deleteComponents(Set<ServiceComponentRequest> requests) throws AmbariException {
+ protected RequestStatusResponse deleteComponents(Set<ServiceComponentRequest> requests) throws AmbariException, AuthorizationException {
AmbariManagementController controller = getManagementController();
Clusters clusters = controller.getClusters();
AmbariMetaInfo ambariMetaInfo = controller.getAmbariMetaInfo();
@@ -860,6 +882,10 @@ public class ComponentResourceProvider extends AbstractControllerResourceProvide
"Attempted to add a component to a cluster which doesn't exist:", e);
}
+ if(!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, cluster.getClusterId(), RoleAuthorization.SERVICE_ADD_DELETE_SERVICES)) {
+ throw new AuthorizationException("The user is not authorized to delete components");
+ }
+
if (request.getServiceName() == null || request.getServiceName().isEmpty()) {
StackId stackId = cluster.getDesiredStackVersion();
String serviceName = ambariMetaInfo.getComponentToService(stackId.getStackName(),
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/HostComponentResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/HostComponentResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/HostComponentResourceProvider.java
index af39076..760dcbc 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/HostComponentResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/HostComponentResourceProvider.java
@@ -52,6 +52,10 @@ import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
import org.apache.ambari.server.orm.dao.HostVersionDAO;
import org.apache.ambari.server.orm.entities.HostVersionEntity;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
import org.apache.ambari.server.state.Cluster;
import org.apache.ambari.server.state.Clusters;
import org.apache.ambari.server.state.MaintenanceState;
@@ -157,12 +161,15 @@ public class HostComponentResourceProvider extends AbstractControllerResourcePro
PropertyHelper.getPropertyId("HostRoles", "component_name"));
HOST_COMPONENT_PROPERTIES_PROVIDER.put("RESOURCEMANAGER", httpPropertyProvider);
+
+ setRequiredCreateAuthorizations(EnumSet.of(RoleAuthorization.SERVICE_ADD_DELETE_SERVICES,RoleAuthorization.HOST_ADD_DELETE_COMPONENTS));
+ setRequiredDeleteAuthorizations(EnumSet.of(RoleAuthorization.SERVICE_ADD_DELETE_SERVICES,RoleAuthorization.HOST_ADD_DELETE_COMPONENTS));
}
// ----- ResourceProvider ------------------------------------------------
@Override
- public RequestStatus createResources(Request request)
+ protected RequestStatus createResourcesAuthorized(Request request)
throws SystemException,
UnsupportedPropertyException,
ResourceAlreadyExistsException,
@@ -175,7 +182,7 @@ public class HostComponentResourceProvider extends AbstractControllerResourcePro
createResources(new Command<Void>() {
@Override
- public Void invoke() throws AmbariException {
+ public Void invoke() throws AmbariException, AuthorizationException {
getManagementController().createHostComponents(requests);
return null;
}
@@ -309,7 +316,7 @@ public class HostComponentResourceProvider extends AbstractControllerResourcePro
}
@Override
- public RequestStatus deleteResources(Predicate predicate)
+ protected RequestStatus deleteResourcesAuthorized(Predicate predicate)
throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
final Set<ServiceComponentHostRequest> requests = new HashSet<ServiceComponentHostRequest>();
for (Map<String, Object> propertyMap : getPropertyMaps(predicate)) {
@@ -317,7 +324,7 @@ public class HostComponentResourceProvider extends AbstractControllerResourcePro
}
RequestStatusResponse response = modifyResources(new Command<RequestStatusResponse>() {
@Override
- public RequestStatusResponse invoke() throws AmbariException {
+ public RequestStatusResponse invoke() throws AmbariException, AuthorizationException {
return getManagementController().deleteHostComponents(requests);
}
});
@@ -449,7 +456,7 @@ public class HostComponentResourceProvider extends AbstractControllerResourcePro
protected synchronized RequestStageContainer updateHostComponents(RequestStageContainer stages,
Set<ServiceComponentHostRequest> requests,
Map<String, String> requestProperties,
- boolean runSmokeTest) throws AmbariException {
+ boolean runSmokeTest) throws AmbariException, AuthorizationException {
Clusters clusters = getManagementController().getClusters();
@@ -472,6 +479,12 @@ public class HostComponentResourceProvider extends AbstractControllerResourcePro
Cluster cluster = clusters.getCluster(request.getClusterName());
+ if(runSmokeTest) {
+ if(!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, cluster.getClusterId(), RoleAuthorization.SERVICE_RUN_SERVICE_CHECK)) {
+ throw new AuthorizationException("The authenticated user is not authorized to run service checks");
+ }
+ }
+
if (StringUtils.isEmpty(request.getServiceName())) {
request.setServiceName(getManagementController().findServiceName(cluster, request.getComponentName()));
}
@@ -554,6 +567,12 @@ public class HostComponentResourceProvider extends AbstractControllerResourcePro
continue;
}
+ if(!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, cluster.getClusterId(),
+ EnumSet.of(RoleAuthorization.SERVICE_START_STOP, RoleAuthorization.SERVICE_ADD_DELETE_SERVICES,
+ RoleAuthorization.HOST_ADD_DELETE_COMPONENTS, RoleAuthorization.HOST_ADD_DELETE_HOSTS))) {
+ throw new AuthorizationException("The authenticated user is not authorized to change the state of service components");
+ }
+
// STARTED state is invalid for the client component, but this shouldn't cancel the whole stage
if (sc.isClientComponent() && newState == State.STARTED &&
!requestProperties.containsKey(sch.getServiceComponentName().toLowerCase())) {
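Review bot: This check never looks at `newState`: assuming the EnumSet is evaluated as any-of, holding one of SERVICE_START_STOP, SERVICE_ADD_DELETE_SERVICES, HOST_ADD_DELETE_COMPONENTS or HOST_ADD_DELETE_HOSTS authorizes every state change on a host component. A role granted only to add or remove hosts would then also be able to start and stop components, which works against the granular model the commit introduces. Choosing the required authorization from the transition (SERVICE_START_STOP for moves to or from STARTED, the add/delete authorizations for install and uninstall transitions) keeps the roles separate. A short comment stating the intended mapping would also help, since ComponentResourceProvider.updateComponents applies a different rule. The enclosing loop starts and ends outside the hunk.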
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RequestResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RequestResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RequestResourceProvider.java
index 061b27d..a356236 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RequestResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RequestResourceProvider.java
@@ -50,6 +50,10 @@ import org.apache.ambari.server.orm.dao.HostRoleCommandDAO;
import org.apache.ambari.server.orm.dao.HostRoleCommandStatusSummaryDTO;
import org.apache.ambari.server.orm.dao.RequestDAO;
import org.apache.ambari.server.orm.entities.RequestEntity;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
import org.apache.ambari.server.state.Cluster;
import org.apache.ambari.server.state.Clusters;
@@ -159,9 +163,38 @@ public class RequestResourceProvider extends AbstractControllerResourceProvider
}
final ExecuteActionRequest actionRequest = getActionRequest(request);
final Map<String, String> requestInfoProperties = request.getRequestInfoProperties();
+
return getRequestStatus(createResources(new Command<RequestStatusResponse>() {
@Override
- public RequestStatusResponse invoke() throws AmbariException {
+ public RequestStatusResponse invoke() throws AmbariException, AuthorizationException {
+
+ String clusterName = actionRequest.getClusterName();
+
+ if(clusterName == null) {
+ // This must be an administrative action?
+ // TODO: Perform authorization check for this?
+ }
+ else if(actionRequest.isCommand()) {
+ if(!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, getClusterId(clusterName), RoleAuthorization.SERVICE_RUN_CUSTOM_COMMAND)) {
+ throw new AuthorizationException("The authenticated user is not authorized to execute custom service commands.");
+ }
+ }
+ else {
+ String actionName = actionRequest.getActionName();
+
+ // actionName is expected to not be null since the action request is not a command
+ if(actionName.contains("SERVICE_CHECK")) {
+ if(!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, getClusterId(clusterName), RoleAuthorization.SERVICE_RUN_SERVICE_CHECK)) {
+ throw new AuthorizationException("The authenticated user is not authorized to execute service checks.");
+ }
+ }
+ else if(actionName.equals("DECOMMISSION")) {
+ if(!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, getClusterId(clusterName), RoleAuthorization.SERVICE_DECOMMISSION_RECOMMISSION)) {
+ throw new AuthorizationException("The authenticated user is not authorized to decommission services.");
+ }
+ }
+ }
+
return getManagementController().createAction(actionRequest, requestInfoProperties);
}
}));
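Review bot: The authorization chain in `invoke()` allows by default. The `clusterName == null` branch is empty apart from a TODO, and in the final `else` any action whose name neither contains "SERVICE_CHECK" nor equals "DECOMMISSION" falls through to `createAction(...)` unchecked. Both paths should end in an explicit decision, either a check against a suitable authorization or a thrown AuthorizationException, so that a new action type is denied until someone maps it. `actionName.contains("SERVICE_CHECK")` is a substring match on a request-supplied name, so an exact or suffix comparison would stop an unrelated action name from being gated by the weaker SERVICE_RUN_SERVICE_CHECK authorization. `actionName` is dereferenced on the strength of a comment alone, and a null check that throws would be safer. The enclosing `createResources` method starts outside the hunk.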
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ServiceResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ServiceResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ServiceResourceProvider.java
index 0df2507..28af9cb 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ServiceResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ServiceResourceProvider.java
@@ -48,6 +48,10 @@ import org.apache.ambari.server.controller.spi.SystemException;
import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
import org.apache.ambari.server.metadata.RoleCommandOrder;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
import org.apache.ambari.server.serveraction.kerberos.KerberosAdminAuthenticationException;
import org.apache.ambari.server.serveraction.kerberos.KerberosInvalidConfigurationException;
import org.apache.ambari.server.serveraction.kerberos.KerberosMissingAdminCredentialsException;
@@ -142,12 +146,17 @@ public class ServiceResourceProvider extends AbstractControllerResourceProvider
MaintenanceStateHelper maintenanceStateHelper) {
super(propertyIds, keyPropertyIds, managementController);
this.maintenanceStateHelper = maintenanceStateHelper;
+
+ setRequiredCreateAuthorizations(EnumSet.of(RoleAuthorization.SERVICE_ADD_DELETE_SERVICES));
+ setRequiredUpdateAuthorizations(RoleAuthorization.AUTHORIZATIONS_UPDATE_SERVICE);
+ setRequiredGetAuthorizations(RoleAuthorization.AUTHORIZATIONS_VIEW_SERVICE);
+ setRequiredDeleteAuthorizations(EnumSet.of(RoleAuthorization.SERVICE_ADD_DELETE_SERVICES));
}
// ----- ResourceProvider ------------------------------------------------
@Override
- public RequestStatus createResources(Request request)
+ protected RequestStatus createResourcesAuthorized(Request request)
throws SystemException,
UnsupportedPropertyException,
ResourceAlreadyExistsException,
@@ -159,7 +168,7 @@ public class ServiceResourceProvider extends AbstractControllerResourceProvider
}
createResources(new Command<Void>() {
@Override
- public Void invoke() throws AmbariException {
+ public Void invoke() throws AmbariException, AuthorizationException {
createServices(requests);
return null;
}
@@ -170,7 +179,7 @@ public class ServiceResourceProvider extends AbstractControllerResourceProvider
}
@Override
- public Set<Resource> getResources(Request request, Predicate predicate) throws
+ protected Set<Resource> getResourcesAuthorized(Request request, Predicate predicate) throws
SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
final Set<ServiceRequest> requests = new HashSet<ServiceRequest>();
@@ -214,7 +223,7 @@ public class ServiceResourceProvider extends AbstractControllerResourceProvider
}
@Override
- public RequestStatus updateResources(final Request request, Predicate predicate)
+ protected RequestStatus updateResourcesAuthorized(final Request request, Predicate predicate)
throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
RequestStageContainer requestStages = doUpdateResources(null, request, predicate);
@@ -234,7 +243,7 @@ public class ServiceResourceProvider extends AbstractControllerResourceProvider
}
@Override
- public RequestStatus deleteResources(Predicate predicate)
+ protected RequestStatus deleteResourcesAuthorized(Predicate predicate)
throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
final Set<ServiceRequest> requests = new HashSet<ServiceRequest>();
@@ -243,7 +252,7 @@ public class ServiceResourceProvider extends AbstractControllerResourceProvider
}
RequestStatusResponse response = modifyResources(new Command<RequestStatusResponse>() {
@Override
- public RequestStatusResponse invoke() throws AmbariException {
+ public RequestStatusResponse invoke() throws AmbariException, AuthorizationException {
return deleteServices(requests);
}
});
@@ -305,7 +314,7 @@ public class ServiceResourceProvider extends AbstractControllerResourceProvider
requestStages = modifyResources(new Command<RequestStageContainer>() {
@Override
- public RequestStageContainer invoke() throws AmbariException {
+ public RequestStageContainer invoke() throws AmbariException, AuthorizationException {
return updateServices(stages, requests, request.getRequestInfoProperties(),
runSmokeTest, reconfigureClients, startDependencies);
}
@@ -337,7 +346,7 @@ public class ServiceResourceProvider extends AbstractControllerResourceProvider
// Create services from the given request.
public synchronized void createServices(Set<ServiceRequest> requests)
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
if (requests.isEmpty()) {
LOG.warn("Received an empty requests set");
@@ -366,6 +375,10 @@ public class ServiceResourceProvider extends AbstractControllerResourceProvider
+ ", request=" + request);
}
+ if(!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, getClusterId(request.getClusterName()), RoleAuthorization.SERVICE_ADD_DELETE_SERVICES)) {
+ throw new AuthorizationException("The user is not authorized to create services");
+ }
+
if (!serviceNames.containsKey(request.getClusterName())) {
serviceNames.put(request.getClusterName(), new HashSet<String>());
}
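Review bot: The new guard in createServices hands `getClusterId(request.getClusterName())` directly to `AuthorizationHelper.isAuthorized`, and the AuthorizationHelper hunk of this commit sets `resourceOK = true` when the resource id is null. getClusterId is not visible here, so if it can return null for a cluster name that does not resolve, the check would be satisfied by a `SERVICE_ADD_DELETE_SERVICES` grant on any cluster rather than on the named one. Resolving the id into a local first and throwing the AuthorizationException when it is null keeps the check fail-closed. The same applies to the guard added in the deleteServices hunk further down. createServices starts and ends outside this hunk.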
@@ -537,7 +550,7 @@ public class ServiceResourceProvider extends AbstractControllerResourceProvider
// Update services based on the given requests.
protected synchronized RequestStageContainer updateServices(RequestStageContainer requestStages, Set<ServiceRequest> requests,
Map<String, String> requestProperties, boolean runSmokeTest,
- boolean reconfigureClients, boolean startDependencies) throws AmbariException {
+ boolean reconfigureClients, boolean startDependencies) throws AmbariException, AuthorizationException {
AmbariManagementController controller = getManagementController();
@@ -624,6 +637,10 @@ public class ServiceResourceProvider extends AbstractControllerResourceProvider
// Setting Maintenance state for service
if (null != request.getMaintenanceState()) {
+ if(!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, cluster.getClusterId(), RoleAuthorization.SERVICE_TOGGLE_MAINTENANCE)) {
+ throw new AuthorizationException("The authenticated user is not authorized to toggle the maintainence state of services");
+ }
+
MaintenanceState newMaint = MaintenanceState.valueOf(request.getMaintenanceState());
if (newMaint != s.getMaintenanceState()) {
if (newMaint.equals(MaintenanceState.IMPLIED_FROM_HOST)
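Review bot: The `SERVICE_TOGGLE_MAINTENANCE` check runs for every request that carries a maintenance state, before `newMaint` is compared with `s.getMaintenanceState()`, so a caller that sends back the current value unchanged is rejected even though nothing would be toggled. If that is not intended, move the check inside the `if (newMaint != s.getMaintenanceState())` block so that it gates only an actual change. The exception text also misspells the word and should read `"The authenticated user is not authorized to toggle the maintenance state of services"`. The enclosing loop in updateServices starts and ends outside this hunk.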
@@ -656,6 +673,12 @@ public class ServiceResourceProvider extends AbstractControllerResourceProvider
seenNewStates.add(newState);
if (newState != oldState) {
+ // The if user is trying to start or stop the service, ensure authorization
+ if (((newState == State.INSTALLED) || (newState == State.STARTED)) &&
+ !AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, cluster.getClusterId(), RoleAuthorization.SERVICE_START_STOP)) {
+ throw new AuthorizationException("The authenticated user is not authorized to start or stop services");
+ }
+
if (!State.isValidDesiredStateTransition(oldState, newState)) {
throw new AmbariException("Invalid transition for"
+ " service"
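Review bot: The start/stop guard is keyed only on the target state being `State.INSTALLED` or `State.STARTED`, so a desired-state change to any other `State` value reaches `isValidDesiredStateTransition` with no role check from this block, and a first install that ends in `INSTALLED` is treated as a start/stop operation. Whether other targets are authorized elsewhere cannot be seen from this hunk, so a comment naming the transitions that are deliberately left ungated here would make the intent auditable, e.g. `// Only transitions to INSTALLED or STARTED require SERVICE_START_STOP; other targets are authorized in <PLACEHOLDER: location>`. The added comment has its words transposed and should read `// If the user is trying to start or stop the service, ensure authorization`. The surrounding loop in updateServices begins and ends outside the hunk.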
@@ -849,7 +872,7 @@ public class ServiceResourceProvider extends AbstractControllerResourceProvider
// Delete services based on the given set of requests
protected RequestStatusResponse deleteServices(Set<ServiceRequest> request)
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
Clusters clusters = getManagementController().getClusters();
@@ -861,6 +884,10 @@ public class ServiceResourceProvider extends AbstractControllerResourceProvider
throw new AmbariException("invalid arguments");
} else {
+ if(!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, getClusterId(serviceRequest.getClusterName()), RoleAuthorization.SERVICE_ADD_DELETE_SERVICES)) {
+ throw new AuthorizationException("The user is not authorized to delete services");
+ }
+
Service service = clusters.getCluster(
serviceRequest.getClusterName()).getService(
serviceRequest.getServiceName());
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
index c87c338..21745b4 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
@@ -65,12 +65,16 @@ public class AmbariAuthorizationFilter implements Filter {
private static final String API_PRIVILEGES_ALL_PATTERN = API_VERSION_PREFIX + "/privileges.*";
private static final String API_GROUPS_ALL_PATTERN = API_VERSION_PREFIX + "/groups.*";
private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + "/clusters/(\\w+)?";
+ private static final String API_WIDGET_LAYOUTS_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/widget_layouts.*?";
private static final String API_CLUSTERS_ALL_PATTERN = API_VERSION_PREFIX + "/clusters.*";
private static final String API_VIEWS_ALL_PATTERN = API_VERSION_PREFIX + "/views.*";
private static final String API_PERSIST_ALL_PATTERN = API_VERSION_PREFIX + "/persist.*";
private static final String API_LDAP_SYNC_EVENTS_ALL_PATTERN = API_VERSION_PREFIX + "/ldap_sync_events.*";
private static final String API_CREDENTIALS_ALL_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/credentials.*";
private static final String API_CREDENTIALS_AMBARI_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/credentials/ambari\\..*";
+ private static final String API_CLUSTER_REQUESTS_ALL_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/requests.*";
+ private static final String API_CLUSTER_SERVICES_ALL_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/services.*";
+ private static final String API_HOSTS_ALL_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/hosts.*";
private static final String API_STACK_VERSIONS_PATTERN = API_VERSION_PREFIX + "/stacks/.*?/versions/.*";
protected static final String LOGIN_REDIRECT_BASE = "/#/login?targetURI=";
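Review bot: The four new patterns use `.*?` for the cluster-name segment and an unanchored `.*` suffix, so the segment match can span `/` and `services.*` also matches any later path element that merely begins with that word. These constants feed the boolean URI test changed in the next hunk (its method header is outside the diff; presumably it lists URIs whose authorization is left to the resource providers), so a looser match widens the set of requests the filter does not check itself. Constraining the segment, for example `API_VERSION_PREFIX + "/clusters/[^/]+/services(/.*)?"` and likewise for requests, hosts and widget_layouts, keeps the match to the intended resources. `API_HOSTS_ALL_PATTERN` is cluster-scoped as well and would read more consistently as `API_CLUSTER_HOSTS_ALL_PATTERN`.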
@@ -254,8 +258,13 @@ public class AmbariAuthorizationFilter implements Filter {
return requestURI.matches(API_USERS_ALL_PATTERN) ||
requestURI.matches(API_GROUPS_ALL_PATTERN) ||
requestURI.matches(API_CREDENTIALS_ALL_PATTERN) ||
+ requestURI.matches(API_PRIVILEGES_ALL_PATTERN) ||
+ requestURI.matches(API_CLUSTER_REQUESTS_ALL_PATTERN) ||
+ requestURI.matches(API_CLUSTER_SERVICES_ALL_PATTERN) ||
requestURI.matches(API_CLUSTERS_PATTERN) ||
requestURI.matches(API_STACK_VERSIONS_PATTERN) ||
+ requestURI.matches(API_WIDGET_LAYOUTS_PATTERN) ||
+ requestURI.matches(API_HOSTS_ALL_PATTERN) ||
requestURI.matches(API_PRIVILEGES_ALL_PATTERN);
}
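Review bot: `requestURI.matches(API_PRIVILEGES_ALL_PATTERN)` is now tested twice in this expression, once on the added line near the top and once as the pre-existing last operand. Drop the added operand and keep the original trailing `requestURI.matches(API_PRIVILEGES_ALL_PATTERN);`. Each `String.matches` call also recompiles its regex on every request, so holding these as precompiled `java.util.regex.Pattern` constants would be cheaper on a filter that runs for each API call. The method's signature is outside the hunk.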
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
index e303066..1b3e6f4 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
@@ -21,6 +21,7 @@ import com.google.inject.Singleton;
import org.apache.ambari.server.orm.entities.PermissionEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
import org.apache.ambari.server.orm.entities.ResourceEntity;
+import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -163,7 +164,17 @@ public class AuthorizationHelper {
// This resource type indicates administrative access
resourceOK = true;
} else if (resourceType == privilegeResourceType) {
- resourceOK = (resourceId == null) || resourceId.equals(privilegeResource.getId());
+ if(resourceId == null) {
+ resourceOK = true;
+ }
+ else {
+ // Note: This will be an issue for multiple clusters. Apparently we assume only one cluster
+ // and it's resource id is 2.
+ // TODO: Change adminresource to include a reference to the resource instance, not just the type
+ ResourceTypeEntity privilegeResourceResourceType = privilegeResource.getResourceType();
+ Integer privilegeResourceId = privilegeResourceResourceType.getId();
+ resourceOK = resourceId.equals(privilegeResourceId.longValue());
+ }
} else {
// This is not an expected resource type, so skip this authority
resourceOK = false;
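Review bot: The new else branch compares the caller's `resourceId` with `privilegeResource.getResourceType().getId()`, which is the id of the resource type and not of the resource instance the privilege was granted on, as the added comment itself concedes. The comparison therefore succeeds exactly when the requested id equals the type's id, independent of which cluster the grant belongs to, so a privilege is no longer scoped to one cluster once more than one exists. Keeping the previous line, `resourceOK = resourceId.equals(privilegeResource.getId());`, and having callers pass the cluster's admin resource id instead of its cluster id would preserve per-instance scoping. As written, the branch also dereferences `getResourceType()` and the boxed `getId()` without a null check. The enclosing method starts and ends outside the hunk.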
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java
index 1f53b06..02eb5b4 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java
@@ -39,6 +39,7 @@ public enum RoleAuthorization {
AMBARI_RENAME_CLUSTER("AMBARI.RENAME_CLUSTER"),
AMBARI_SET_SERVICE_USERS_GROUPS("AMBARI.SET_SERVICE_USERS_GROUPS"),
CLUSTER_MANAGE_CREDENTIALS("CLUSTER.MANAGE_CREDENTIALS"),
+ CLUSTER_MODIFY_CONFIGS("CLUSTER.MODIFY_CONFIGS"),
CLUSTER_TOGGLE_ALERTS("CLUSTER.TOGGLE_ALERTS"),
CLUSTER_TOGGLE_KERBEROS("CLUSTER.TOGGLE_KERBEROS"),
CLUSTER_UPGRADE_DOWNGRADE_STACK("CLUSTER.UPGRADE_DOWNGRADE_STACK"),
@@ -71,8 +72,54 @@ public enum RoleAuthorization {
SERVICE_VIEW_STATUS_INFO("SERVICE.VIEW_STATUS_INFO"),
VIEW_USE("VIEW.USE");
- public static final Set<RoleAuthorization> AUTHORIZATIONS_VIEW_CLUSTER = EnumSet.of(CLUSTER_VIEW_STATUS_INFO, CLUSTER_VIEW_ALERTS, CLUSTER_VIEW_CONFIGS, CLUSTER_VIEW_METRICS, CLUSTER_VIEW_STACK_DETAILS);
- public static final Set<RoleAuthorization> AUTHORIZATIONS_UPDATE_CLUSTER = EnumSet.of(CLUSTER_TOGGLE_ALERTS, CLUSTER_TOGGLE_KERBEROS, CLUSTER_UPGRADE_DOWNGRADE_STACK);
+ public static final Set<RoleAuthorization> AUTHORIZATIONS_VIEW_CLUSTER = EnumSet.of(
+ CLUSTER_VIEW_STATUS_INFO,
+ CLUSTER_VIEW_ALERTS,
+ CLUSTER_VIEW_CONFIGS,
+ CLUSTER_VIEW_METRICS,
+ CLUSTER_VIEW_STACK_DETAILS,
+ CLUSTER_MODIFY_CONFIGS,
+ CLUSTER_TOGGLE_ALERTS,
+ CLUSTER_TOGGLE_KERBEROS,
+ CLUSTER_UPGRADE_DOWNGRADE_STACK);
+
+ public static final Set<RoleAuthorization> AUTHORIZATIONS_UPDATE_CLUSTER = EnumSet.of(
+ CLUSTER_TOGGLE_ALERTS,
+ CLUSTER_TOGGLE_KERBEROS,
+ CLUSTER_UPGRADE_DOWNGRADE_STACK,
+ CLUSTER_MODIFY_CONFIGS,
+ SERVICE_MODIFY_CONFIGS);
+
+ public static final Set<RoleAuthorization> AUTHORIZATIONS_VIEW_SERVICE = EnumSet.of(
+ SERVICE_VIEW_ALERTS,
+ SERVICE_VIEW_CONFIGS,
+ SERVICE_VIEW_METRICS,
+ SERVICE_VIEW_STATUS_INFO,
+ SERVICE_COMPARE_CONFIGS,
+ SERVICE_ADD_DELETE_SERVICES,
+ SERVICE_DECOMMISSION_RECOMMISSION,
+ SERVICE_ENABLE_HA,
+ SERVICE_MANAGE_CONFIG_GROUPS,
+ SERVICE_MODIFY_CONFIGS,
+ SERVICE_START_STOP,
+ SERVICE_TOGGLE_MAINTENANCE,
+ SERVICE_TOGGLE_ALERTS,
+ SERVICE_MOVE,
+ SERVICE_RUN_CUSTOM_COMMAND,
+ SERVICE_RUN_SERVICE_CHECK);
+
+ public static final Set<RoleAuthorization> AUTHORIZATIONS_UPDATE_SERVICE = EnumSet.of(
+ SERVICE_ADD_DELETE_SERVICES,
+ SERVICE_DECOMMISSION_RECOMMISSION,
+ SERVICE_ENABLE_HA,
+ SERVICE_MANAGE_CONFIG_GROUPS,
+ SERVICE_MODIFY_CONFIGS,
+ SERVICE_START_STOP,
+ SERVICE_TOGGLE_MAINTENANCE,
+ SERVICE_TOGGLE_ALERTS,
+ SERVICE_MOVE,
+ SERVICE_RUN_CUSTOM_COMMAND,
+ SERVICE_RUN_SERVICE_CHECK);
private final String id;
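Review bot: The four `AUTHORIZATIONS_*` constants are `public static final` references to mutable `EnumSet` instances, so any code holding the reference can add or remove authorizations at runtime and silently change what these sets permit. Wrapping each one, e.g. `Collections.unmodifiableSet(EnumSet.of(...))`, makes them true constants; that needs `java.util.Collections` imported, and the import block is outside the hunk. `AUTHORIZATIONS_VIEW_SERVICE` also repeats all eleven entries of `AUTHORIZATIONS_UPDATE_SERVICE` by hand, so the two lists can drift apart. A short Javadoc on each set stating that the view sets deliberately include the modify authorizations would document why they overlap.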
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/main/java/org/apache/ambari/server/state/cluster/ClusterImpl.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/state/cluster/ClusterImpl.java b/ambari-server/src/main/java/org/apache/ambari/server/state/cluster/ClusterImpl.java
index 1078343..911d8d7 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/state/cluster/ClusterImpl.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/state/cluster/ClusterImpl.java
@@ -2261,8 +2261,8 @@ public class ClusterImpl implements Cluster {
if (StringUtils.equals(entry.getValue(), configType)) {
if (serviceName != null) {
if (entry.getKey()!=null && !StringUtils.equals(serviceName, entry.getKey())) {
- throw new IllegalArgumentException("Config type {} belongs to {} service, " +
- "but config group qualified for {}");
+ throw new IllegalArgumentException(String.format("Config type %s belongs to %s service, " +
+ "but also qualified for %s", configType, serviceName, entry.getKey()));
}
} else {
serviceName = entry.getKey();
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/main/java/org/apache/ambari/server/topology/AmbariContext.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/topology/AmbariContext.java b/ambari-server/src/main/java/org/apache/ambari/server/topology/AmbariContext.java
index d9ac183..0a2bd18 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/topology/AmbariContext.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/topology/AmbariContext.java
@@ -47,6 +47,7 @@ import org.apache.ambari.server.controller.spi.ClusterController;
import org.apache.ambari.server.controller.spi.Predicate;
import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.controller.utilities.ClusterControllerHelper;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.state.Cluster;
import org.apache.ambari.server.state.Clusters;
import org.apache.ambari.server.state.Config;
@@ -188,7 +189,7 @@ public class AmbariContext {
try {
getServiceResourceProvider().createServices(serviceRequests);
getComponentResourceProvider().createComponents(componentRequests);
- } catch (AmbariException e) {
+ } catch (AmbariException | AuthorizationException e) {
throw new RuntimeException("Failed to persist service and component resources: " + e, e);
}
// set all services state to INSTALLED->STARTED
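Review bot: The widened multi-catch folds an `AuthorizationException` into the same `RuntimeException("Failed to persist service and component resources: ...")` as a server-side failure, so a permission denial raised by `createServices` is reported as a persistence error. A separate clause, `} catch (AuthorizationException e) { throw new RuntimeException("Not authorized to create service and component resources: " + e, e); }`, keeps the two cases distinguishable in logs. It is also worth confirming that this path runs with the requesting user's security context now that `createServices` consults `AuthorizationHelper.isAuthorized`; that cannot be seen from this hunk. The enclosing method starts and ends outside the hunk.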
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog220.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog220.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog220.java
index f83501c..ab0b3cd 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog220.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog220.java
@@ -196,6 +196,7 @@ public class UpgradeCatalog220 extends AbstractUpgradeCatalog {
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_STACK_DETAILS'", "'View stack version details'"}, false);
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_ALERTS'", "'View alerts'"}, false);
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.MANAGE_CREDENTIALS'", "'Manage external credentials'"}, false);
+ dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.MODIFY_CONFIGS'", "'Modify cluster configurations'"}, false);
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.TOGGLE_ALERTS'", "'Enable/disable alerts'"}, false);
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.TOGGLE_KERBEROS'", "'Enable/disable Kerberos'"}, false);
dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.UPGRADE_DOWNGRADE_STACK'", "'Upgrade/downgrade stack'"}, false);
@@ -288,6 +289,7 @@ public class UpgradeCatalog220 extends AbstractUpgradeCatalog {
map.put("CLUSTER.VIEW_STACK_DETAILS", clusterUserAndUp);
map.put("CLUSTER.VIEW_ALERTS", clusterUserAndUp);
map.put("CLUSTER.MANAGE_CREDENTIALS", clusterAdministratorAndUp);
+ map.put("CLUSTER.MODIFY_CONFIGS", clusterAdministratorAndUp);
map.put("CLUSTER.TOGGLE_ALERTS", clusterAdministratorAndUp);
map.put("CLUSTER.TOGGLE_KERBEROS", clusterAdministratorAndUp);
map.put("CLUSTER.UPGRADE_DOWNGRADE_STACK", clusterAdministratorAndUp);
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
index 5d65665..788c2a7 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
@@ -1048,6 +1048,7 @@ INSERT INTO roleauthorization(authorization_id, authorization_name)
SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' UNION ALL
SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' UNION ALL
SELECT 'CLUSTER.MANAGE_CREDENTIALS', 'Manage external credentials' UNION ALL
+ SELECT 'CLUSTER.MODIFY_CONFIGS', 'Modify cluster configurations' UNION ALL
SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' UNION ALL
SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' UNION ALL
SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' UNION ALL
@@ -1187,6 +1188,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+ SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR';
@@ -1222,6 +1224,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+ SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
index 7aab3f7..ae560d9 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
@@ -1040,6 +1040,7 @@ INSERT INTO roleauthorization(authorization_id, authorization_name)
SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' FROM dual UNION ALL
SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' FROM dual UNION ALL
SELECT 'CLUSTER.MANAGE_CREDENTIALS', 'Manage external credentials' from dual UNION ALL
+ SELECT 'CLUSTER.MODIFY_CONFIGS', 'Modify cluster configurations' from dual UNION ALL
SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' FROM dual UNION ALL
SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' FROM dual UNION ALL
SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' FROM dual UNION ALL
@@ -1179,6 +1180,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+ SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR';
@@ -1214,6 +1216,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+ SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
index 6c56a85..155a6a7 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
@@ -1084,6 +1084,7 @@ INSERT INTO roleauthorization(authorization_id, authorization_name)
SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' UNION ALL
SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' UNION ALL
SELECT 'CLUSTER.MANAGE_CREDENTIALS', 'Manage external credentials' UNION ALL
+ SELECT 'CLUSTER.MODIFY_CONFIGS', 'Modify cluster configurations' UNION ALL
SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' UNION ALL
SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' UNION ALL
SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' UNION ALL
@@ -1223,6 +1224,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+ SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR';
@@ -1258,6 +1260,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+ SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql
index 3413285..4c20767 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql
@@ -1182,6 +1182,7 @@ INSERT INTO ambari.roleauthorization(authorization_id, authorization_name)
SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' UNION ALL
SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' UNION ALL
SELECT 'CLUSTER.MANAGE_CREDENTIALS', 'Manage external credentials' UNION ALL
+ SELECT 'CLUSTER.MODIFY_CONFIGS', 'Modify cluster configurations' UNION ALL
SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' UNION ALL
SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' UNION ALL
SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' UNION ALL
@@ -1321,6 +1322,7 @@ INSERT INTO ambari.permission_roleauthorization(permission_id, authorization_id)
SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+ SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR';
@@ -1356,6 +1358,7 @@ INSERT INTO ambari.permission_roleauthorization(permission_id, authorization_id)
SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+ SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
index bacce35..dc08960 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
@@ -1036,6 +1036,7 @@ insert into adminpermission(permission_id, permission_name, resource_type_id, pe
SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' UNION ALL
SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' UNION ALL
SELECT 'CLUSTER.MANAGE_CREDENTIALS', 'Manage external credentials' UNION ALL
+ SELECT 'CLUSTER.MODIFY_CONFIGS', 'Modify cluster configurations' UNION ALL
SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' UNION ALL
SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' UNION ALL
SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' UNION ALL
@@ -1175,6 +1176,7 @@ insert into adminpermission(permission_id, permission_name, resource_type_id, pe
SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+ SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR';
@@ -1210,6 +1212,7 @@ insert into adminpermission(permission_id, permission_name, resource_type_id, pe
SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+ SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
index 8d44b28..10b1ac6 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
@@ -1145,6 +1145,7 @@ BEGIN TRANSACTION
SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' UNION ALL
SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' UNION ALL
SELECT 'CLUSTER.MANAGE_CREDENTIALS', 'Manage external credentials' UNION ALL
+ SELECT 'CLUSTER.MODIFY_CONFIGS', 'Modify cluster configurations' UNION ALL
SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' UNION ALL
SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' UNION ALL
SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' UNION ALL
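Review bot: `CLUSTER.MODIFY_CONFIGS` is added in this hunk to the CREATE script, which only seeds new installations, and no upgrade-path change is visible in this part of the commit. A database created by an earlier version may therefore lack the authorization and its two role mappings (the `CLUSTER.ADMINISTRATOR` and `AMBARI.ADMINISTRATOR` hunks that follow in this file). If the server enforces this authorization, administrators on upgraded clusters could be denied configuration changes until those rows exist. It is worth confirming that the upgrade catalog inserts the same three rows, and that every DDL variant carries identical entries so the role model does not differ by database backend.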
@@ -1284,6 +1285,7 @@ BEGIN TRANSACTION
SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+ SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR';
@@ -1319,6 +1321,7 @@ BEGIN TRANSACTION
SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+ SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
http://git-wip-us.apache.org/repos/asf/ambari/blob/f08db5c9/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariCustomCommandExecutionHelperTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariCustomCommandExecutionHelperTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariCustomCommandExecutionHelperTest.java
index 53630aa..9eed672 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariCustomCommandExecutionHelperTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariCustomCommandExecutionHelperTest.java
@@ -33,7 +33,6 @@ import org.apache.ambari.server.actionmanager.ExecutionCommandWrapper;
import org.apache.ambari.server.actionmanager.Request;
import org.apache.ambari.server.actionmanager.Stage;
import org.apache.ambari.server.agent.ExecutionCommand;
-import org.apache.ambari.server.api.services.AmbariMetaInfo;
import org.apache.ambari.server.controller.internal.ComponentResourceProviderTest;
import org.apache.ambari.server.controller.internal.RequestOperationLevel;
import org.apache.ambari.server.controller.internal.RequestResourceFilter;
@@ -42,6 +41,7 @@ import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.metadata.ActionMetadata;
import org.apache.ambari.server.orm.GuiceJpaInitializer;
import org.apache.ambari.server.orm.InMemoryDefaultTestModule;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
import org.apache.ambari.server.security.authorization.AuthorizationException;
import org.apache.ambari.server.state.Clusters;
import org.apache.ambari.server.state.Host;
@@ -66,14 +66,14 @@ import com.google.inject.Injector;
import com.google.inject.persist.PersistService;
import junit.framework.Assert;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
@RunWith(MockitoJUnitRunner.class)
public class AmbariCustomCommandExecutionHelperTest {
private Injector injector;
private AmbariManagementController controller;
- private AmbariMetaInfo ambariMetaInfo;
private Clusters clusters;
- private TopologyManager topologyManager;
private static final String REQUEST_CONTEXT_PROPERTY = "context";
@@ -83,6 +83,7 @@ public class AmbariCustomCommandExecutionHelperTest {
@Before
public void setup() throws Exception {
+ TopologyManager topologyManager;
InMemoryDefaultTestModule module = new InMemoryDefaultTestModule(){
@Override
protected void configure() {
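Review bot: `TopologyManager topologyManager;` is declared at the top of `setup()` in this hunk but is only assigned in the next hunk, after the injector has been built. Declaring it at the point of assignment, `TopologyManager topologyManager = injector.getInstance(TopologyManager.class);`, keeps the local's scope minimal and avoids an uninitialised variable spanning the module setup. The body of `setup()` continues outside this hunk.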
@@ -96,10 +97,15 @@ public class AmbariCustomCommandExecutionHelperTest {
injector.getInstance(GuiceJpaInitializer.class);
controller = injector.getInstance(AmbariManagementController.class);
clusters = injector.getInstance(Clusters.class);
- ambariMetaInfo = injector.getInstance(AmbariMetaInfo.class);
topologyManager = injector.getInstance(TopologyManager.class);
StageUtils.setTopologyManager(topologyManager);
}
+
+ @After
+ public void clearAuthentication() {
+ SecurityContextHolder.getContext().setAuthentication(null);
+ }
+
@After
public void teardown() {
injector.getInstance(PersistService.class).stop();
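Review bot: `clearAuthentication()` resets state with `SecurityContextHolder.getContext().setAuthentication(null);`, which leaves the context object itself in place. `SecurityContextHolder.clearContext();` drops the whole context for the thread, so nothing a test attached to it can carry over to the next test. The class now also has two `@After` methods, and JUnit 4 does not define the order between them. If the reset must happen before or after the persistence shutdown, putting it inside `teardown()` makes that order explicit.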
@@ -108,6 +114,8 @@ public class AmbariCustomCommandExecutionHelperTest {
@SuppressWarnings("serial")
@Test
public void testRefreshQueueCustomCommand() throws Exception {
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
+
createClusterFixture("HDP-2.0.6");
Map<String, String> requestProperties = new HashMap<String, String>() {
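Review bot: Every test touched here authenticates with `TestAuthenticationFactory.createAdministrator()` (this hunk and the five test hunks that follow), so the newly enforced authorization is only exercised on the allow path. A test that runs the same custom command under a non-administrator authentication and expects `AuthorizationException` would pin the deny path and catch a check that is missing or too permissive. Because the identical call opens all six tests, it could also move into `setup()`, leaving only the tests that need a different principal to override it. The test method bodies continue outside these hunks.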
@@ -152,6 +160,8 @@ public class AmbariCustomCommandExecutionHelperTest {
@Test
public void testHostsFilterHealthy() throws Exception {
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
+
createClusterFixture("HDP-2.0.6");
Map<String, String> requestProperties = new HashMap<String, String>() {
@@ -195,6 +205,8 @@ public class AmbariCustomCommandExecutionHelperTest {
@Test
public void testHostsFilterUnhealthyHost() throws Exception {
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
+
createClusterFixture("HDP-2.0.6");
// Set custom status to host
@@ -239,6 +251,8 @@ public class AmbariCustomCommandExecutionHelperTest {
@Test
public void testHostsFilterUnhealthyComponent() throws Exception {
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
+
createClusterFixture("HDP-2.0.6");
// Set custom status to host
@@ -289,6 +303,8 @@ public class AmbariCustomCommandExecutionHelperTest {
*/
@Test(expected = AmbariException.class)
public void testNoCandidateHostThrowsException() throws Exception {
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
+
createClusterFixture("HDP-2.0.6");
long clusterId = clusters.getCluster("c1").getClusterId();
@@ -326,6 +342,8 @@ public class AmbariCustomCommandExecutionHelperTest {
@Test
public void testIsTopologyRefreshRequired() throws Exception {
+ SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
+
AmbariCustomCommandExecutionHelper helper = injector.getInstance(AmbariCustomCommandExecutionHelper.class);
createClusterFixture("HDP-2.1.1");
@@ -385,7 +403,7 @@ public class AmbariCustomCommandExecutionHelperTest {
}
private void createService(String clusterName,
- String serviceName, State desiredState) throws AmbariException {
+ String serviceName, State desiredState) throws AmbariException, AuthorizationException {
String dStateStr = null;
if (desiredState != null) {
dStateStr = desiredState.toString();
@@ -399,7 +417,7 @@ public class AmbariCustomCommandExecutionHelperTest {
private void createServiceComponent(String clusterName,
String serviceName, String componentName, State desiredState)
- throws AmbariException {
+ throws AmbariException, AuthorizationException {
String dStateStr = null;
if (desiredState != null) {
dStateStr = desiredState.toString();
@@ -412,7 +430,8 @@ public class AmbariCustomCommandExecutionHelperTest {
ComponentResourceProviderTest.createComponents(controller, requests);
}
- private void createServiceComponentHost(String clusterName, String serviceName, String componentName, String hostname, State desiredState) throws AmbariException {
+ private void createServiceComponentHost(String clusterName, String serviceName, String componentName, String hostname, State desiredState)
+ throws AmbariException, AuthorizationException {
String dStateStr = null;
if (desiredState != null) {
dStateStr = desiredState.toString();