ambari-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rle...@apache.org
Subject [4/4] ambari git commit: AMBARI-13865. Add authorizations to permissions so that the definition of a permission (or role) is explicit (rlevas)
Date Wed, 18 Nov 2015 18:43:08 GMT
AMBARI-13865. Add authorizations to permissions so that the definition of a permission (or role) is explicit (rlevas)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/d08107d7
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/d08107d7
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/d08107d7

Branch: refs/heads/trunk
Commit: d08107d70a71932a92fb9b7dc0b7652f0c365be7
Parents: 58b598a
Author: Robert Levas <rlevas@hortonworks.com>
Authored: Wed Nov 18 13:42:51 2015 -0500
Committer: Robert Levas <rlevas@hortonworks.com>
Committed: Wed Nov 18 13:42:58 2015 -0500

----------------------------------------------------------------------
 .../api/services/RoleAuthorizationService.java  |   6 +
 .../api/services/UserAuthorizationService.java  |   7 +
 .../RoleAuthorizationResourceProvider.java      | 160 +---------
 .../UserAuthorizationResourceProvider.java      | 154 +--------
 .../server/orm/dao/RoleAuthorizationDAO.java    |  67 ++++
 .../server/orm/entities/PermissionEntity.java   |  44 ++-
 .../orm/entities/RoleAuthorizationEntity.java   | 114 +++++++
 .../server/upgrade/UpgradeCatalog220.java       | 224 ++++++++++++-
 .../main/resources/Ambari-DDL-MySQL-CREATE.sql  | 234 +++++++++++++-
 .../main/resources/Ambari-DDL-Oracle-CREATE.sql | 234 +++++++++++++-
 .../resources/Ambari-DDL-Postgres-CREATE.sql    | 234 +++++++++++++-
 .../Ambari-DDL-Postgres-EMBEDDED-CREATE.sql     | 236 +++++++++++++-
 .../resources/Ambari-DDL-SQLAnywhere-CREATE.sql | 236 +++++++++++++-
 .../resources/Ambari-DDL-SQLServer-CREATE.sql   | 231 +++++++++++++-
 .../src/main/resources/META-INF/persistence.xml |   1 +
 .../services/RoleAuthorizationServiceTest.java  |  86 +++++
 .../services/UserAuthorizationServiceTest.java  |  87 +++++
 .../RoleAuthorizationResourceProviderTest.java  | 202 ++++++++++++
 .../UserAuthorizationResourceProviderTest.java  | 315 +++++++++++++++++++
 .../server/upgrade/UpgradeCatalog220Test.java   | 185 ++++++++---
 20 files changed, 2716 insertions(+), 341 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/d08107d7/ambari-server/src/main/java/org/apache/ambari/server/api/services/RoleAuthorizationService.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/api/services/RoleAuthorizationService.java b/ambari-server/src/main/java/org/apache/ambari/server/api/services/RoleAuthorizationService.java
index 082200d..60f8a36 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/api/services/RoleAuthorizationService.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/api/services/RoleAuthorizationService.java
@@ -32,6 +32,12 @@ import javax.ws.rs.core.UriInfo;
 import java.util.HashMap;
 import java.util.Map;
 
+/**
+ * RoleAuthorizationService is a read-only service responsible for role authorization resource requests.
+ * <p/>
+ * The result sets returned by this service are either the full set of available authorizations or
+ * those related to a particular permission.
+ */
 @Path("/authorizations/")
 public class RoleAuthorizationService extends BaseService {
   private String permissionId;

http://git-wip-us.apache.org/repos/asf/ambari/blob/d08107d7/ambari-server/src/main/java/org/apache/ambari/server/api/services/UserAuthorizationService.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/api/services/UserAuthorizationService.java b/ambari-server/src/main/java/org/apache/ambari/server/api/services/UserAuthorizationService.java
index d6ee2fc..6861d3d 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/api/services/UserAuthorizationService.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/api/services/UserAuthorizationService.java
@@ -32,6 +32,13 @@ import javax.ws.rs.core.UriInfo;
 import java.util.HashMap;
 import java.util.Map;
 
+/**
+ * UserAuthorizationService is a read-only service responsible for user authorization resource requests.
+ * <p/>
+ * The result sets returned by this service represent the set of authorizations assigned to a given user.
+ * Authorizations are tied to a resource, so a user may have the multiple authorization entries for the
+ * same authorization id (for example VIEW.USE), however each will represnet a different view instance.
+ */
 public class UserAuthorizationService extends BaseService {
 
   /**

http://git-wip-us.apache.org/repos/asf/ambari/blob/d08107d7/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RoleAuthorizationResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RoleAuthorizationResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RoleAuthorizationResourceProvider.java
index 82981a9..1b08d85 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RoleAuthorizationResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RoleAuthorizationResourceProvider.java
@@ -30,7 +30,9 @@ import org.apache.ambari.server.controller.spi.Resource.Type;
 import org.apache.ambari.server.controller.spi.SystemException;
 import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
 import org.apache.ambari.server.controller.utilities.PropertyHelper;
+import org.apache.ambari.server.orm.dao.RoleAuthorizationDAO;
 import org.apache.ambari.server.orm.dao.PermissionDAO;
+import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity;
 import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.apache.commons.lang.StringUtils;
 
@@ -79,10 +81,16 @@ public class RoleAuthorizationResourceProvider extends ReadOnlyResourceProvider
   }
 
   /**
+   * Data access object used to obtain authorization entities.
+   */
+  @Inject
+  private static RoleAuthorizationDAO roleAuthorizationDAO;
+
+  /**
    * Data access object used to obtain permission entities.
    */
   @Inject
-  protected static PermissionDAO permissionDAO;
+  private static PermissionDAO permissionDAO;
 
   /**
    * Create a new resource provider.
@@ -127,39 +135,25 @@ public class RoleAuthorizationResourceProvider extends ReadOnlyResourceProvider
         }
 
         if (permissionId == null) {
-          // TODO: ** This is stubbed out until the data layer catches up...
-          // TODO: entities = roleAuthorizationDAO.findAll();
-          authorizationEntities = createAdminAuthorizations();
+          authorizationEntities = roleAuthorizationDAO.findAll();
         } else {
           PermissionEntity permissionEntity = permissionDAO.findById(permissionId);
 
-          if(permissionEntity == null)
+          if (permissionEntity == null) {
             authorizationEntities = null;
-          else
-          {
-            // TODO: ** This is stubbed out until the data layer catches up...
-            // TODO: authorizationEntities = (permissionEntity == null)
-            // TODO: ? null
-            // TODO: : permissionEntity.getAuthorizations();
-            String permissionName = permissionEntity.getPermissionName();
-            if (permissionName.startsWith("AMBARI")) {
-              authorizationEntities = createAdminAuthorizations();
-            } else if (permissionName.startsWith("CLUSTER")) {
-              authorizationEntities = createOperatorAuthorizations();
-            } else {
-              authorizationEntities = null;
-            }
+          } else {
+            authorizationEntities = permissionEntity.getAuthorizations();
           }
         }
 
         if (authorizationEntities != null) {
           String authorizationId = (String) propertyMap.get(AUTHORIZATION_ID_PROPERTY_ID);
 
-          if(!StringUtils.isEmpty(authorizationId)) {
+          if (!StringUtils.isEmpty(authorizationId)) {
             // Filter the entities
             Iterator<RoleAuthorizationEntity> iterator = authorizationEntities.iterator();
-            while(iterator.hasNext()) {
-              if(!authorizationId.equals(iterator.next().getAuthorizationId())) {
+            while (iterator.hasNext()) {
+              if (!authorizationId.equals(iterator.next().getAuthorizationId())) {
                 iterator.remove();
               }
             }
@@ -190,130 +184,10 @@ public class RoleAuthorizationResourceProvider extends ReadOnlyResourceProvider
   private Resource toResource(Integer permissionId, RoleAuthorizationEntity entity, Set<String> requestedIds) {
     Resource resource = new ResourceImpl(Type.RoleAuthorization);
     setResourceProperty(resource, AUTHORIZATION_ID_PROPERTY_ID, entity.getAuthorizationId(), requestedIds);
-    if(permissionId != null) {
+    if (permissionId != null) {
       setResourceProperty(resource, PERMISSION_ID_PROPERTY_ID, permissionId, requestedIds);
     }
     setResourceProperty(resource, AUTHORIZATION_NAME_PROPERTY_ID, entity.getAuthorizationName(), requestedIds);
     return resource;
   }
-
-  /**
-   * Fills RoleAuthorizationEntities for an administrator user
-   * <p/>
-   * This is a temporary method until the data layer catches up
-   * <p/>
-   * TODO: Remove when the data later catches up
-   *
-   * @return an array of RoleAuthorizationEntity objects
-   */
-  private Collection<RoleAuthorizationEntity> createAdminAuthorizations() {
-    Collection<RoleAuthorizationEntity> authorizationEntities = new ArrayList<RoleAuthorizationEntity>();
-    authorizationEntities.add(new RoleAuthorizationEntity("VIEW.USE", "Use View"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_CONFIGS", "View configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.COMPARE_CONFIGS", "Compare configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_ALERTS", "View service alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.START_STOP", "Start/Stop/Restart Service"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.DECOMMISSION_RECOMMISSION", "Decommission/recommission"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.RUN_SERVICE_CHECK", "Run service checks"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.TOGGLE_MAINTENANCE", "Turn on/off maintenance mode"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.RUN_CUSTOM_COMMAND", "Perform service-specific tasks"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MODIFY_CONFIGS", "Modify configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MANAGE_CONFIG_GROUPS", "Manage configuration groups"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MOVE", "Move to another host"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.ENABLE_HA", "Enable HA"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.TOGGLE_ALERTS", "Enable/disable service alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.ADD_DELETE_SERVICES", "Add Service to cluster"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_CONFIGS", "View configuration"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.COMPARE_CONFIGS", "Turn on/off maintenance mode"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.ADD_DELETE_COMPONENTS", "Install components"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.ADD_DELETE_HOSTS", "Add/Delete hosts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_CONFIGS", "View configuration"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_STACK_DETAILS", "View stack version details"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_ALERTS", "View alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.TOGGLE_ALERTS", "Enable/disable alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.TOGGLE_KERBEROS", "Enable/disable Kerberos"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.UPGRADE_DOWNGRADE_STACK", "Upgrade/downgrade stack"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.ADD_DELETE_CLUSTERS", "Create new clusters"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.SET_SERVICE_USERS_GROUPS", "Set service users and groups"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.RENAME_CLUSTER", "Rename clusters"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.MANAGE_USERS", "Manage users"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.MANAGE_GROUPS", "Manage groups"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.MANAGE_VIEWS", "Manage Ambari Views"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.ASSIGN_ROLES", "Assign roles"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.MANAGE_STACK_VERSIONS", "Manage stack versions"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.EDIT_STACK_REPOS", "Edit stack repository URLs"));
-    return authorizationEntities;
-  }
-
-  /**
-   * Fills RoleAuthorizationEntities for an administrator user
-   * <p/>
-   * This is a temporary method until the data layer catches up
-   * <p/>
-   * TODO: Remove when the data later catches up
-   *
-   * @return an array of RoleAuthorizationEntity objects
-   */
-  private Collection<RoleAuthorizationEntity> createOperatorAuthorizations() {
-    Collection<RoleAuthorizationEntity> authorizationEntities = new ArrayList<RoleAuthorizationEntity>();
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_CONFIGS", "View configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.COMPARE_CONFIGS", "Compare configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_ALERTS", "View service alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.START_STOP", "Start/Stop/Restart Service"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.DECOMMISSION_RECOMMISSION", "Decommission/recommission"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.RUN_SERVICE_CHECK", "Run service checks"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.TOGGLE_MAINTENANCE", "Turn on/off maintenance mode"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.RUN_CUSTOM_COMMAND", "Perform service-specific tasks"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MODIFY_CONFIGS", "Modify configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MANAGE_CONFIG_GROUPS", "Manage configuration groups"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MOVE", "Move to another host"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.ENABLE_HA", "Enable HA"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.TOGGLE_ALERTS", "Enable/disable service alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.ADD_DELETE_SERVICES", "Add Service to cluster"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_CONFIGS", "View configuration"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.COMPARE_CONFIGS", "Turn on/off maintenance mode"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.ADD_DELETE_COMPONENTS", "Install components"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.ADD_DELETE_HOSTS", "Add/Delete hosts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_CONFIGS", "View configuration"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_STACK_DETAILS", "View stack version details"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_ALERTS", "View alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.TOGGLE_ALERTS", "Enable/disable alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.TOGGLE_KERBEROS", "Enable/disable Kerberos"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.UPGRADE_DOWNGRADE_STACK", "Upgrade/downgrade stack"));
-    return authorizationEntities;
-  }
-
-  /**
-   * RoleAuthorizationEntity is a stubbed out Entity class to be replaced by a real Entity class
-   * TODO: Replace with real RoleAuthorizationEntity class when the data later catches up
-   */
-  private static class RoleAuthorizationEntity {
-    private final String authorizationId;
-    private final String authorizationName;
-
-    private RoleAuthorizationEntity(String authorizationId, String authorizationName) {
-      this.authorizationId = authorizationId;
-      this.authorizationName = authorizationName;
-    }
-
-    public String getAuthorizationId() {
-      return authorizationId;
-    }
-
-    public String getAuthorizationName() {
-      return authorizationName;
-    }
-  }
 }

http://git-wip-us.apache.org/repos/asf/ambari/blob/d08107d7/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserAuthorizationResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserAuthorizationResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserAuthorizationResourceProvider.java
index ec686e5..15aa0ec 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserAuthorizationResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserAuthorizationResourceProvider.java
@@ -38,6 +38,7 @@ import org.apache.ambari.server.orm.dao.PermissionDAO;
 import org.apache.ambari.server.orm.dao.ResourceTypeDAO;
 import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
+import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity;
 
 import java.util.ArrayList;
 import java.util.Collection;
@@ -97,13 +98,13 @@ public class UserAuthorizationResourceProvider extends ReadOnlyResourceProvider
    * Data access object used to obtain permission entities.
    */
   @Inject
-  protected static PermissionDAO permissionDAO;
+  private static PermissionDAO permissionDAO;
 
   /**
    * Data access object used to obtain resource type entities.
    */
   @Inject
-  protected static ResourceTypeDAO resourceTypeDAO;
+  private static ResourceTypeDAO resourceTypeDAO;
 
   /**
    * The ClusterController user to get access to other resource providers
@@ -149,17 +150,7 @@ public class UserAuthorizationResourceProvider extends ReadOnlyResourceProvider
             if (permissionEntity == null) {
               authorizationEntities = null;
             } else {
-              // TODO: ** This is stubbed out until the data layer catches up...
-              // TODO: authorizationEntities = permissionEntity.getAuthorizations();
-              if (permissionName.startsWith("AMBARI")) {
-                authorizationEntities = createAdminAuthorizations();
-              } else if (permissionName.startsWith("CLUSTER")) {
-                authorizationEntities = createOperatorAuthorizations();
-              } else if (permissionName.startsWith("VIEW")) {
-                authorizationEntities = createViewUserAuthorizations();
-              } else {
-                authorizationEntities = null;
-              }
+              authorizationEntities = permissionEntity.getAuthorizations();
             }
 
             if (authorizationEntities != null) {
@@ -296,141 +287,4 @@ public class UserAuthorizationResourceProvider extends ReadOnlyResourceProvider
       resources.add(resource);
     }
   }
-
-
-  /**
-   * Fills RoleAuthorizationEntities for an administrator user
-   * <p/>
-   * This is a temporary method until the data layer catches up
-   * <p/>
-   * TODO: Remove when the data later catches up
-   *
-   * @return an array of RoleAuthorizationEntity objects
-   */
-  private Collection<RoleAuthorizationEntity> createAdminAuthorizations() {
-    Collection<RoleAuthorizationEntity> authorizationEntities = new ArrayList<RoleAuthorizationEntity>();
-    authorizationEntities.add(new RoleAuthorizationEntity("VIEW.USE", "Use View"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_CONFIGS", "View configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.COMPARE_CONFIGS", "Compare configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_ALERTS", "View service alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.START_STOP", "Start/Stop/Restart Service"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.DECOMMISSION_RECOMMISSION", "Decommission/recommission"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.RUN_SERVICE_CHECK", "Run service checks"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.TOGGLE_MAINTENANCE", "Turn on/off maintenance mode"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.RUN_CUSTOM_COMMAND", "Perform service-specific tasks"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MODIFY_CONFIGS", "Modify configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MANAGE_CONFIG_GROUPS", "Manage configuration groups"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MOVE", "Move to another host"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.ENABLE_HA", "Enable HA"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.TOGGLE_ALERTS", "Enable/disable service alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.ADD_DELETE_SERVICES", "Add Service to cluster"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_CONFIGS", "View configuration"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.COMPARE_CONFIGS", "Turn on/off maintenance mode"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.ADD_DELETE_COMPONENTS", "Install components"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.ADD_DELETE_HOSTS", "Add/Delete hosts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_CONFIGS", "View configuration"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_STACK_DETAILS", "View stack version details"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_ALERTS", "View alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.TOGGLE_ALERTS", "Enable/disable alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.TOGGLE_KERBEROS", "Enable/disable Kerberos"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.UPGRADE_DOWNGRADE_STACK", "Upgrade/downgrade stack"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.ADD_DELETE_CLUSTERS", "Create new clusters"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.SET_SERVICE_USERS_GROUPS", "Set service users and groups"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.RENAME_CLUSTER", "Rename clusters"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.MANAGE_USERS", "Manage users"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.MANAGE_GROUPS", "Manage groups"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.MANAGE_VIEWS", "Manage Ambari Views"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.ASSIGN_ROLES", "Assign roles"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.MANAGE_STACK_VERSIONS", "Manage stack versions"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.EDIT_STACK_REPOS", "Edit stack repository URLs"));
-    return authorizationEntities;
-  }
-
-  /**
-   * Fills RoleAuthorizationEntities for an administrator user
-   * <p/>
-   * This is a temporary method until the data layer catches up
-   * <p/>
-   * TODO: Remove when the data later catches up
-   *
-   * @return an array of RoleAuthorizationEntity objects
-   */
-  private Collection<RoleAuthorizationEntity> createOperatorAuthorizations() {
-    Collection<RoleAuthorizationEntity> authorizationEntities = new ArrayList<RoleAuthorizationEntity>();
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_CONFIGS", "View configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.COMPARE_CONFIGS", "Compare configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_ALERTS", "View service alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.START_STOP", "Start/Stop/Restart Service"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.DECOMMISSION_RECOMMISSION", "Decommission/recommission"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.RUN_SERVICE_CHECK", "Run service checks"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.TOGGLE_MAINTENANCE", "Turn on/off maintenance mode"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.RUN_CUSTOM_COMMAND", "Perform service-specific tasks"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MODIFY_CONFIGS", "Modify configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MANAGE_CONFIG_GROUPS", "Manage configuration groups"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MOVE", "Move to another host"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.ENABLE_HA", "Enable HA"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.TOGGLE_ALERTS", "Enable/disable service alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.ADD_DELETE_SERVICES", "Add Service to cluster"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_CONFIGS", "View configuration"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.COMPARE_CONFIGS", "Turn on/off maintenance mode"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.ADD_DELETE_COMPONENTS", "Install components"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.ADD_DELETE_HOSTS", "Add/Delete hosts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_CONFIGS", "View configuration"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_STACK_DETAILS", "View stack version details"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_ALERTS", "View alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.TOGGLE_ALERTS", "Enable/disable alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.TOGGLE_KERBEROS", "Enable/disable Kerberos"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.UPGRADE_DOWNGRADE_STACK", "Upgrade/downgrade stack"));
-    return authorizationEntities;
-  }
-
-  /**
-   * Fills RoleAuthorizationEntities for a view user
-   * <p/>
-   * This is a temporary method until the data layer catches up
-   * <p/>
-   * TODO: Remove when the data later catches up
-   *
-   * @return an array of RoleAuthorizationEntity objects
-   */
-  private Collection<RoleAuthorizationEntity> createViewUserAuthorizations() {
-    Collection<RoleAuthorizationEntity> authorizationEntities = new ArrayList<RoleAuthorizationEntity>();
-    authorizationEntities.add(new RoleAuthorizationEntity("VIEW.USE", "Use View"));
-    return authorizationEntities;
-  }
-
-
-  /**
-   * RoleAuthorizationEntity is a stubbed out Entity class to be replaced by a real Entity class
-   * TODO: Replace with real RoleAuthorizationEntity class when the data later catches up
-   */
-  private static class RoleAuthorizationEntity {
-    private final String authorizationId;
-    private final String authorizationName;
-
-    private RoleAuthorizationEntity(String authorizationId, String authorizationName) {
-      this.authorizationId = authorizationId;
-      this.authorizationName = authorizationName;
-    }
-
-    public String getAuthorizationId() {
-      return authorizationId;
-    }
-
-    public String getAuthorizationName() {
-      return authorizationName;
-    }
-  }
 }

http://git-wip-us.apache.org/repos/asf/ambari/blob/d08107d7/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/RoleAuthorizationDAO.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/RoleAuthorizationDAO.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/RoleAuthorizationDAO.java
new file mode 100644
index 0000000..e549416
--- /dev/null
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/RoleAuthorizationDAO.java
@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing authorizations and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.orm.dao;
+
+import com.google.inject.Inject;
+import com.google.inject.Provider;
+import com.google.inject.Singleton;
+import org.apache.ambari.server.orm.RequiresSession;
+import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity;
+
+import javax.persistence.EntityManager;
+import javax.persistence.TypedQuery;
+import java.util.List;
+
+/**
+ * Authorization (definition) Data Access Object.
+ */
+@Singleton
+public class RoleAuthorizationDAO {
+
+  /**
+   * JPA entity manager
+   */
+  @Inject
+  Provider<EntityManager> entityManagerProvider;
+
+  @Inject
+  DaoUtils daoUtils;
+
+  /**
+   * Find a authorization entity with the given id.
+   *
+   * @param id type id
+   * @return a matching authorization entity or null
+   */
+  @RequiresSession
+  public RoleAuthorizationEntity findById(String id) {
+    return entityManagerProvider.get().find(RoleAuthorizationEntity.class, id);
+  }
+
+  /**
+   * Find all authorization entities.
+   *
+   * @return all entities or an empty List
+   */
+  @RequiresSession
+  public List<RoleAuthorizationEntity> findAll() {
+    TypedQuery<RoleAuthorizationEntity> query = entityManagerProvider.get().createNamedQuery("findAll", RoleAuthorizationEntity.class);
+    return daoUtils.selectList(query);
+  }
+}

http://git-wip-us.apache.org/repos/asf/ambari/blob/d08107d7/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
index 976aecc..a692730 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -26,9 +26,12 @@ import javax.persistence.GenerationType;
 import javax.persistence.Id;
 import javax.persistence.JoinColumn;
 import javax.persistence.JoinColumns;
+import javax.persistence.JoinTable;
+import javax.persistence.ManyToMany;
 import javax.persistence.ManyToOne;
 import javax.persistence.Table;
 import javax.persistence.TableGenerator;
+import java.util.Collection;
 
 /**
  * Represents an admin permission.
@@ -38,7 +41,7 @@ import javax.persistence.TableGenerator;
 @TableGenerator(name = "permission_id_generator",
     table = "ambari_sequences", pkColumnName = "sequence_name", valueColumnName = "sequence_value"
     , pkColumnValue = "permission_id_seq"
-    , initialValue = 5
+    , initialValue = 8
 )
 public class PermissionEntity {
 
@@ -85,6 +88,20 @@ public class PermissionEntity {
   })
   private ResourceTypeEntity resourceType;
 
+  /**
+   * The set of authorizations related to this permission.
+   *
+   * This value declares the granular details for which operations this PermissionEntity grants
+   * access.
+   */
+  @ManyToMany
+  @JoinTable(
+      name = "permission_roleauthorization",
+      joinColumns = {@JoinColumn(name = "permission_id")},
+      inverseJoinColumns = {@JoinColumn(name = "authorization_id")}
+  )
+  private Collection<RoleAuthorizationEntity> authorizations;
+
 
   // ----- PermissionEntity ---------------------------------------------------
 
@@ -160,8 +177,25 @@ public class PermissionEntity {
     this.resourceType = resourceType;
   }
 
+  /**
+   * Gets the collection of granular authorizations for this PermissionEntity
+   *
+   * @return a collection of granular authorizations
+   */
+  public Collection<RoleAuthorizationEntity> getAuthorizations() {
+    return authorizations;
+  }
+
+  /**
+   * Sets the collection of granular authorizations for this PermissionEntity
+   *
+   * @param authorizations a collection of granular authorizations
+   */
+  public void setAuthorizations(Collection<RoleAuthorizationEntity> authorizations) {
+    this.authorizations = authorizations;
+  }
 
-  // ----- Object overrides --------------------------------------------------
+// ----- Object overrides --------------------------------------------------
 
   @Override
   public boolean equals(Object o) {
@@ -173,7 +207,8 @@ public class PermissionEntity {
     return !(id != null ? !id.equals(that.id) : that.id != null) &&
         !(permissionName != null ? !permissionName.equals(that.permissionName) : that.permissionName != null) &&
         !(permissionLabel != null ? !permissionLabel.equals(that.permissionLabel) : that.permissionLabel != null) &&
-        !(resourceType != null ? !resourceType.equals(that.resourceType) : that.resourceType != null);
+        !(resourceType != null ? !resourceType.equals(that.resourceType) : that.resourceType != null) &&
+        !(authorizations != null ? !authorizations.equals(that.authorizations) : that.authorizations != null);
   }
 
   @Override
@@ -182,6 +217,7 @@ public class PermissionEntity {
     result = 31 * result + (permissionName != null ? permissionName.hashCode() : 0);
     result = 31 * result + (permissionLabel != null ? permissionLabel.hashCode() : 0);
     result = 31 * result + (resourceType != null ? resourceType.hashCode() : 0);
+    result = 31 * result + (authorizations != null ? authorizations.hashCode() : 0);
     return result;
   }
 }

http://git-wip-us.apache.org/repos/asf/ambari/blob/d08107d7/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/RoleAuthorizationEntity.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/RoleAuthorizationEntity.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/RoleAuthorizationEntity.java
new file mode 100644
index 0000000..2ad3384
--- /dev/null
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/RoleAuthorizationEntity.java
@@ -0,0 +1,114 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.orm.entities;
+
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.Id;
+import javax.persistence.NamedQueries;
+import javax.persistence.NamedQuery;
+import javax.persistence.Table;
+
+/**
+ * Represents an authorization (typically assigned to a permission)
+ */
+@Table(name = "roleauthorization")
+@Entity
+@NamedQueries({
+    @NamedQuery(name = "findAll", query = "SELECT a FROM RoleAuthorizationEntity a")
+})
+public class RoleAuthorizationEntity {
+
+  /**
+   * The authorization id.
+   */
+  @Id
+  @Column(name = "authorization_id")
+  private String authorizationId;
+
+
+  /**
+   * The authorization name.
+   */
+  @Column(name = "authorization_name")
+  private String authorizationName;
+
+  // ----- RoleAuthorizationEntity ---------------------------------------------------
+
+  /**
+   * Get the authorization id.
+   *
+   * @return the authorization id.
+   */
+  public String getAuthorizationId() {
+    return authorizationId;
+  }
+
+  /**
+   * Set the authorization id.
+   *
+   * @param authorizationId the type id.
+   */
+  public void setAuthorizationId(String authorizationId) {
+    this.authorizationId = authorizationId;
+  }
+
+  /**
+   * Get the authorization name.
+   *
+   * @return the authorization name
+   */
+  public String getAuthorizationName() {
+    return authorizationName;
+  }
+
+  /**
+   * Set the authorization name.
+   *
+   * @param authorizationName the authorization name
+   */
+  public void setAuthorizationName(String authorizationName) {
+    this.authorizationName = authorizationName;
+  }
+
+  // ----- Object overrides --------------------------------------------------
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    }
+    if (o == null || getClass() != o.getClass()) {
+      return false;
+    }
+
+    RoleAuthorizationEntity that = (RoleAuthorizationEntity) o;
+
+    return !(authorizationId != null ? !authorizationId.equals(that.authorizationId) : that.authorizationId != null) &&
+        !(authorizationName != null ? !authorizationName.equals(that.authorizationName) : that.authorizationName != null);
+  }
+
+  @Override
+  public int hashCode() {
+    int result = authorizationId != null ? authorizationId.hashCode() : 0;
+    result = 31 * result + (authorizationName != null ? authorizationName.hashCode() : 0);
+    return result;
+  }
+}

http://git-wip-us.apache.org/repos/asf/ambari/blob/d08107d7/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog220.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog220.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog220.java
index 4251111..5f7e850 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog220.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog220.java
@@ -19,10 +19,17 @@
 package org.apache.ambari.server.upgrade;
 
 import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 
 import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.orm.DBAccessor.DBColumnInfo;
 import org.apache.ambari.server.orm.dao.DaoUtils;
+import org.apache.ambari.server.orm.dao.PermissionDAO;
+import org.apache.ambari.server.orm.dao.ResourceTypeDAO;
 import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -46,6 +53,11 @@ public class UpgradeCatalog220 extends AbstractUpgradeCatalog {
   private static final String PERMISSION_NAME_COL = "permission_name";
   private static final String PERMISSION_LABEL_COL = "permission_label";
 
+  private static final String ROLE_AUTHORIZATION_TABLE = "roleauthorization";
+  private static final String PERMISSION_ROLE_AUTHORIZATION_TABLE = "permission_roleauthorization";
+  private static final String ROLE_AUTHORIZATION_ID_COL = "authorization_id";
+  private static final String ROLE_AUTHORIZATION_NAME_COL = "authorization_name";
+
   @Inject
   DaoUtils daoUtils;
 
@@ -100,8 +112,8 @@ public class UpgradeCatalog220 extends AbstractUpgradeCatalog {
 
     dbAccessor.addUniqueConstraint(USERS_TABLE, "UNQ_users_0", "user_name", "user_type");
 
-
     updateAdminPermissionTable();
+    createRoleAuthorizationTables();
   }
 
   @Override
@@ -112,6 +124,191 @@ public class UpgradeCatalog220 extends AbstractUpgradeCatalog {
   protected void executeDMLUpdates() throws AmbariException, SQLException {
     setPermissionLabels();
     updatePermissionNames();
+    addNewPermissions();
+    createRoleAuthorizations();
+    createPermissionRoleAuthorizationMap();
+  }
+
+  private void addNewPermissions() throws SQLException {
+    LOG.info("Adding new permissions: CLUSTER.OPERATOR, SERVICE.ADMINISTRATOR, SERVICE.OPERATOR");
+
+    PermissionDAO permissionDAO = injector.getInstance(PermissionDAO.class);
+    ResourceTypeDAO resourceTypeDAO = injector.getInstance(ResourceTypeDAO.class);
+    PermissionEntity permissionEntity = new PermissionEntity();
+
+    // CLUSTER.OPERATOR: Cluster Operator
+    permissionEntity.setId(null);
+    permissionEntity.setPermissionName("CLUSTER.OPERATOR");
+    permissionEntity.setPermissionLabel("Cluster Operator");
+    permissionEntity.setResourceType(resourceTypeDAO.findByName("CLUSTER"));
+    permissionDAO.create(permissionEntity);
+
+    // SERVICE.ADMINISTRATOR: Service Administrator
+    permissionEntity.setId(null);
+    permissionEntity.setPermissionName("SERVICE.ADMINISTRATOR");
+    permissionEntity.setPermissionLabel("Service Administrator");
+    permissionEntity.setResourceType(resourceTypeDAO.findByName("CLUSTER"));
+    permissionDAO.create(permissionEntity);
+
+    // SERVICE.OPERATOR: Service Operator
+    permissionEntity.setId(null);
+    permissionEntity.setPermissionName("SERVICE.OPERATOR");
+    permissionEntity.setPermissionLabel("Service Operator");
+    permissionEntity.setResourceType(resourceTypeDAO.findByName("CLUSTER"));
+    permissionDAO.create(permissionEntity);
+  }
+
+
+  private void createRoleAuthorizations() throws SQLException {
+    LOG.info("Adding authorizations");
+
+    String[] columnNames = new String[]{ROLE_AUTHORIZATION_ID_COL, ROLE_AUTHORIZATION_NAME_COL};
+
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'VIEW.USE'", "'Use View'"}, false);
+
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.VIEW_METRICS'", "'View metrics'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.VIEW_STATUS_INFO'", "'View status information'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.VIEW_CONFIGS'", "'View configurations'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.COMPARE_CONFIGS'", "'Compare configurations'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.VIEW_ALERTS'", "'View service alerts'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.START_STOP'", "'Start/Stop/Restart Service'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.DECOMMISSION_RECOMMISSION'", "'Decommission/recommission'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.RUN_SERVICE_CHECK'", "'Run service checks'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.TOGGLE_MAINTENANCE'", "'Turn on/off maintenance mode'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.RUN_CUSTOM_COMMAND'", "'Perform service-specific tasks'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.MODIFY_CONFIGS'", "'Modify configurations'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.MANAGE_CONFIG_GROUPS'", "'Manage configuration groups'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.MOVE'", "'Move to another host'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.ENABLE_HA'", "'Enable HA'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.TOGGLE_ALERTS'", "'Enable/disable service alerts'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.ADD_DELETE_SERVICES'", "'Add Service to cluster'"}, false);
+
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'HOST.VIEW_METRICS'", "'View metrics'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'HOST.VIEW_STATUS_INFO'", "'View status information'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'HOST.VIEW_CONFIGS'", "'View configuration'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'HOST.TOGGLE_MAINTENANCE'", "'Turn on/off maintenance mode'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'HOST.ADD_DELETE_COMPONENTS'", "'Install components'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'HOST.ADD_DELETE_HOSTS'", "'Add/Delete hosts'"}, false);
+
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_METRICS'", "'View metrics'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_STATUS_INFO'", "'View status information'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_CONFIGS'", "'View configuration'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_STACK_DETAILS'", "'View stack version details'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_ALERTS'", "'View alerts'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.TOGGLE_ALERTS'", "'Enable/disable alerts'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.TOGGLE_KERBEROS'", "'Enable/disable Kerberos'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.UPGRADE_DOWNGRADE_STACK'", "'Upgrade/downgrade stack'"}, false);
+
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'AMBARI.ADD_DELETE_CLUSTERS'", "'Create new clusters'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'AMBARI.SET_SERVICE_USERS_GROUPS'", "'Set service users and groups'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'AMBARI.RENAME_CLUSTER'", "'Rename clusters'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'AMBARI.MANAGE_USERS'", "'Manage users'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'AMBARI.MANAGE_GROUPS'", "'Manage groups'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'AMBARI.MANAGE_VIEWS'", "'Manage Ambari Views'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'AMBARI.ASSIGN_ROLES'", "'Assign roles'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'AMBARI.MANAGE_STACK_VERSIONS'", "'Manage stack versions'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'AMBARI.EDIT_STACK_REPOS'", "'Edit stack repository URLs'"}, false);
+  }
+
+  private void createPermissionRoleAuthorizationMap() throws SQLException {
+    LOG.info("Creating permission to authorizations map");
+
+    String[] columnNames = new String[] {PERMISSION_ID_COL, ROLE_AUTHORIZATION_ID_COL};
+
+    // Determine the role Ids"
+    PermissionDAO permissionDAO = injector.getInstance(PermissionDAO.class);
+    ResourceTypeDAO resourceTypeDAO = injector.getInstance(ResourceTypeDAO.class);
+
+    String viewPermissionId = permissionDAO.findPermissionByNameAndType("VIEW.USER", resourceTypeDAO.findByName("VIEW")).getId().toString();
+    String administratorPermissionId = permissionDAO.findPermissionByNameAndType("AMBARI.ADMINISTRATOR", resourceTypeDAO.findByName("AMBARI")).getId().toString();
+    String clusterUserPermissionId = permissionDAO.findPermissionByNameAndType("CLUSTER.USER", resourceTypeDAO.findByName("CLUSTER")).getId().toString();
+    String clusterOperatorPermissionId = permissionDAO.findPermissionByNameAndType("CLUSTER.OPERATOR", resourceTypeDAO.findByName("CLUSTER")).getId().toString();
+    String clusterAdministratorPermissionId = permissionDAO.findPermissionByNameAndType("CLUSTER.ADMINISTRATOR", resourceTypeDAO.findByName("CLUSTER")).getId().toString();
+    String serviceAdministratorPermissionId = permissionDAO.findPermissionByNameAndType("SERVICE.ADMINISTRATOR", resourceTypeDAO.findByName("CLUSTER")).getId().toString();
+    String serviceOperatorPermissionId = permissionDAO.findPermissionByNameAndType("SERVICE.OPERATOR", resourceTypeDAO.findByName("CLUSTER")).getId().toString();
+
+    // Create role groups
+    List<String> viewUserOnly = Arrays.asList(viewPermissionId);
+    List<String> clusterUserAndUp = Arrays.asList(
+        clusterUserPermissionId,
+        serviceOperatorPermissionId,
+        serviceAdministratorPermissionId,
+        clusterOperatorPermissionId,
+        clusterAdministratorPermissionId,
+        administratorPermissionId);
+    List<String> serviceOperatorAndUp = Arrays.asList(
+        serviceOperatorPermissionId,
+        serviceAdministratorPermissionId,
+        clusterOperatorPermissionId,
+        clusterAdministratorPermissionId,
+        administratorPermissionId);
+    List<String> serviceAdministratorAndUp = Arrays.asList(
+        serviceAdministratorPermissionId,
+        clusterOperatorPermissionId,
+        clusterAdministratorPermissionId,
+        administratorPermissionId);
+    List<String> clusterOperatorAndUp = Arrays.asList(
+        clusterOperatorPermissionId,
+        clusterAdministratorPermissionId,
+        administratorPermissionId);
+    List<String> clusterAdministratorAndUp = Arrays.asList(
+        clusterAdministratorPermissionId,
+        administratorPermissionId);
+    List<String> administratorOnly = Arrays.asList(administratorPermissionId);
+
+    // A map of the authorizations to the relevant roles
+    Map<String, List<String>> map = new HashMap<String, List<String>>();
+    map.put("VIEW.USE", viewUserOnly);
+    map.put("SERVICE.VIEW_METRICS", clusterUserAndUp);
+    map.put("SERVICE.VIEW_STATUS_INFO", clusterUserAndUp);
+    map.put("SERVICE.VIEW_CONFIGS", clusterUserAndUp);
+    map.put("SERVICE.COMPARE_CONFIGS", clusterUserAndUp);
+    map.put("SERVICE.VIEW_ALERTS", clusterUserAndUp);
+    map.put("SERVICE.START_STOP", serviceOperatorAndUp);
+    map.put("SERVICE.DECOMMISSION_RECOMMISSION", serviceOperatorAndUp);
+    map.put("SERVICE.RUN_SERVICE_CHECK", serviceOperatorAndUp);
+    map.put("SERVICE.TOGGLE_MAINTENANCE", serviceOperatorAndUp);
+    map.put("SERVICE.RUN_CUSTOM_COMMAND", serviceOperatorAndUp);
+    map.put("SERVICE.MODIFY_CONFIGS", serviceAdministratorAndUp);
+    map.put("SERVICE.MANAGE_CONFIG_GROUPS", serviceAdministratorAndUp);
+    map.put("SERVICE.MOVE", serviceAdministratorAndUp);
+    map.put("SERVICE.ENABLE_HA", serviceAdministratorAndUp);
+    map.put("SERVICE.TOGGLE_ALERTS", serviceAdministratorAndUp);
+    map.put("SERVICE.ADD_DELETE_SERVICES", clusterAdministratorAndUp);
+    map.put("HOST.VIEW_METRICS",clusterUserAndUp);
+    map.put("HOST.VIEW_STATUS_INFO", clusterUserAndUp);
+    map.put("HOST.VIEW_CONFIGS", clusterUserAndUp);
+    map.put("HOST.TOGGLE_MAINTENANCE", clusterOperatorAndUp);
+    map.put("HOST.ADD_DELETE_COMPONENTS", clusterOperatorAndUp);
+    map.put("HOST.ADD_DELETE_HOSTS", clusterOperatorAndUp);
+    map.put("CLUSTER.VIEW_METRICS", clusterUserAndUp);
+    map.put("CLUSTER.VIEW_STATUS_INFO", clusterUserAndUp);
+    map.put("CLUSTER.VIEW_CONFIGS", clusterUserAndUp);
+    map.put("CLUSTER.VIEW_STACK_DETAILS", clusterUserAndUp);
+    map.put("CLUSTER.VIEW_ALERTS", clusterUserAndUp);
+    map.put("CLUSTER.TOGGLE_ALERTS", clusterAdministratorAndUp);
+    map.put("CLUSTER.TOGGLE_KERBEROS", clusterAdministratorAndUp);
+    map.put("CLUSTER.UPGRADE_DOWNGRADE_STACK", clusterAdministratorAndUp);
+    map.put("AMBARI.ADD_DELETE_CLUSTERS", administratorOnly);
+    map.put("AMBARI.SET_SERVICE_USERS_GROUPS", administratorOnly);
+    map.put("AMBARI.RENAME_CLUSTER", administratorOnly);
+    map.put("AMBARI.MANAGE_USERS", administratorOnly);
+    map.put("AMBARI.MANAGE_GROUPS", administratorOnly);
+    map.put("AMBARI.MANAGE_VIEWS", administratorOnly);
+    map.put("AMBARI.ASSIGN_ROLES", administratorOnly);
+    map.put("AMBARI.MANAGE_STACK_VERSIONS", administratorOnly);
+    map.put("AMBARI.EDIT_STACK_REPOS", administratorOnly);
+
+    // Iterate over the map of authorizations to role to find the set of roles to map to each
+    // authorization and then add the relevant record
+    for(Map.Entry<String,List<String>> entry: map.entrySet()) {
+      String authorizationId = entry.getKey();
+
+      for(String permissionId : entry.getValue()) {
+        dbAccessor.insertRow(PERMISSION_ROLE_AUTHORIZATION_TABLE, columnNames,
+            new String[]{permissionId, "'" + authorizationId + "'"}, false);
+      }
+    }
   }
 
 
@@ -122,6 +319,31 @@ public class UpgradeCatalog220 extends AbstractUpgradeCatalog {
     dbAccessor.addColumn(ADMIN_PERMISSION_TABLE, new DBColumnInfo(PERMISSION_LABEL_COL, String.class, 255, null, true));
   }
 
+  private void createRoleAuthorizationTables() throws SQLException {
+
+    ArrayList<DBColumnInfo> columns;
+
+    //  Add roleauthorization table
+    LOG.info("Creating " + ROLE_AUTHORIZATION_TABLE + " table");
+    columns = new ArrayList<DBColumnInfo>();
+    columns.add(new DBColumnInfo(ROLE_AUTHORIZATION_ID_COL, String.class, 100, null, false));
+    columns.add(new DBColumnInfo(ROLE_AUTHORIZATION_NAME_COL, String.class, 255, null, false));
+    dbAccessor.createTable(ROLE_AUTHORIZATION_TABLE, columns, ROLE_AUTHORIZATION_ID_COL);
+
+    //  Add permission_roleauthorization table to map roleauthorizations to permissions (aka roles)
+    LOG.info("Creating " + PERMISSION_ROLE_AUTHORIZATION_TABLE + " table");
+    columns = new ArrayList<DBColumnInfo>();
+    columns.add(new DBColumnInfo(PERMISSION_ID_COL, Long.class, null, null, false));
+    columns.add(new DBColumnInfo(ROLE_AUTHORIZATION_ID_COL, String.class, 100, null, false));
+    dbAccessor.createTable(PERMISSION_ROLE_AUTHORIZATION_TABLE, columns, PERMISSION_ID_COL, ROLE_AUTHORIZATION_ID_COL);
+
+    dbAccessor.addFKConstraint(PERMISSION_ROLE_AUTHORIZATION_TABLE, "FK_permission_roleauthorization_permission_id",
+        PERMISSION_ID_COL, ADMIN_PERMISSION_TABLE, PERMISSION_ID_COL, false);
+
+    dbAccessor.addFKConstraint(PERMISSION_ROLE_AUTHORIZATION_TABLE, "FK_permission_roleauthorization_authorization_id",
+        ROLE_AUTHORIZATION_ID_COL, ROLE_AUTHORIZATION_TABLE, ROLE_AUTHORIZATION_ID_COL, false);
+  }
+
   private void setPermissionLabels() throws SQLException {
     String updateStatement = "UPDATE " + ADMIN_PERMISSION_TABLE + " SET " + PERMISSION_LABEL_COL + "='%s' WHERE " + PERMISSION_ID_COL + "=%d";
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/d08107d7/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
index 65dacd1..f7d6927 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
@@ -534,6 +534,16 @@ CREATE TABLE adminpermission (
   permission_label VARCHAR(255),
   PRIMARY KEY(permission_id));
 
+CREATE TABLE roleauthorization (
+  authorization_id VARCHAR(100) NOT NULL,
+  authorization_name VARCHAR(255) NOT NULL,
+  PRIMARY KEY(authorization_id));
+
+CREATE TABLE permission_roleauthorization (
+  permission_id BIGINT NOT NULL,
+  authorization_id VARCHAR(100) NOT NULL,
+  PRIMARY KEY(permission_id, authorization_id));
+
 CREATE TABLE adminprivilege (
   privilege_id BIGINT,
   permission_id BIGINT NOT NULL,
@@ -719,6 +729,8 @@ ALTER TABLE viewentity ADD CONSTRAINT FK_viewentity_view_name FOREIGN KEY (view_
 ALTER TABLE adminresource ADD CONSTRAINT FK_resource_resource_type_id FOREIGN KEY (resource_type_id) REFERENCES adminresourcetype(resource_type_id);
 ALTER TABLE adminprincipal ADD CONSTRAINT FK_principal_principal_type_id FOREIGN KEY (principal_type_id) REFERENCES adminprincipaltype(principal_type_id);
 ALTER TABLE adminpermission ADD CONSTRAINT FK_permission_resource_type_id FOREIGN KEY (resource_type_id) REFERENCES adminresourcetype(resource_type_id);
+ALTER TABLE permission_roleauthorization ADD CONSTRAINT FK_permission_roleauthorization_permission_id FOREIGN KEY (permission_id) REFERENCES adminpermission(permission_id);
+ALTER TABLE permission_roleauthorization ADD CONSTRAINT FK_permission_roleauthorization_authorization_id FOREIGN KEY (authorization_id) REFERENCES roleauthorization(authorization_id);
 ALTER TABLE adminprivilege ADD CONSTRAINT FK_privilege_permission_id FOREIGN KEY (permission_id) REFERENCES adminpermission(permission_id);
 ALTER TABLE adminprivilege ADD CONSTRAINT FK_privilege_resource_id FOREIGN KEY (resource_id) REFERENCES adminresource(resource_id);
 ALTER TABLE viewmain ADD CONSTRAINT FK_view_resource_type_id FOREIGN KEY (resource_type_id) REFERENCES adminresourcetype(resource_type_id);
@@ -998,7 +1010,227 @@ insert into adminpermission(permission_id, permission_name, resource_type_id, pe
   union all
   select 3, 'CLUSTER.ADMINISTRATOR', 2, 'Cluster Administrator'
   union all
-  select 4, 'VIEW.USER', 3, 'View User';
+  select 4, 'VIEW.USER', 3, 'View User'
+  union all
+  select 5, 'CLUSTER.OPERATOR', 2, 'Cluster Operator'
+  union all
+  select 6, 'SERVICE.ADMINISTRATOR', 2, 'Service Administrator'
+  union all
+  select 7, 'SERVICE.OPERATOR', 2, 'Service Operator';
+
+INSERT INTO roleauthorization(authorization_id, authorization_name)
+  SELECT 'VIEW.USE', 'Use View' UNION ALL
+  SELECT 'SERVICE.VIEW_METRICS', 'View metrics' UNION ALL
+  SELECT 'SERVICE.VIEW_STATUS_INFO', 'View status information' UNION ALL
+  SELECT 'SERVICE.VIEW_CONFIGS', 'View configurations' UNION ALL
+  SELECT 'SERVICE.COMPARE_CONFIGS', 'Compare configurations' UNION ALL
+  SELECT 'SERVICE.VIEW_ALERTS', 'View service alerts' UNION ALL
+  SELECT 'SERVICE.START_STOP', 'Start/Stop/Restart Service' UNION ALL
+  SELECT 'SERVICE.DECOMMISSION_RECOMMISSION', 'Decommission/recommission' UNION ALL
+  SELECT 'SERVICE.RUN_SERVICE_CHECK', 'Run service checks' UNION ALL
+  SELECT 'SERVICE.TOGGLE_MAINTENANCE', 'Turn on/off maintenance mode' UNION ALL
+  SELECT 'SERVICE.RUN_CUSTOM_COMMAND', 'Perform service-specific tasks' UNION ALL
+  SELECT 'SERVICE.MODIFY_CONFIGS', 'Modify configurations' UNION ALL
+  SELECT 'SERVICE.MANAGE_CONFIG_GROUPS', 'Manage configuration groups' UNION ALL
+  SELECT 'SERVICE.MOVE', 'Move to another host' UNION ALL
+  SELECT 'SERVICE.ENABLE_HA', 'Enable HA' UNION ALL
+  SELECT 'SERVICE.TOGGLE_ALERTS', 'Enable/disable service alerts' UNION ALL
+  SELECT 'SERVICE.ADD_DELETE_SERVICES', 'Add Service to cluster' UNION ALL
+  SELECT 'HOST.VIEW_METRICS', 'View metrics' UNION ALL
+  SELECT 'HOST.VIEW_STATUS_INFO', 'View status information' UNION ALL
+  SELECT 'HOST.VIEW_CONFIGS', 'View configuration' UNION ALL
+  SELECT 'HOST.TOGGLE_MAINTENANCE', 'Turn on/off maintenance mode' UNION ALL
+  SELECT 'HOST.ADD_DELETE_COMPONENTS', 'Install components' UNION ALL
+  SELECT 'HOST.ADD_DELETE_HOSTS', 'Add/Delete hosts' UNION ALL
+  SELECT 'CLUSTER.VIEW_METRICS', 'View metrics' UNION ALL
+  SELECT 'CLUSTER.VIEW_STATUS_INFO', 'View status information' UNION ALL
+  SELECT 'CLUSTER.VIEW_CONFIGS', 'View configuration' UNION ALL
+  SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' UNION ALL
+  SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' UNION ALL
+  SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' UNION ALL
+  SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' UNION ALL
+  SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' UNION ALL
+  SELECT 'AMBARI.ADD_DELETE_CLUSTERS', 'Create new clusters' UNION ALL
+  SELECT 'AMBARI.SET_SERVICE_USERS_GROUPS', 'Set service users and groups' UNION ALL
+  SELECT 'AMBARI.RENAME_CLUSTER', 'Rename clusters' UNION ALL
+  SELECT 'AMBARI.MANAGE_USERS', 'Manage users' UNION ALL
+  SELECT 'AMBARI.MANAGE_GROUPS', 'Manage groups' UNION ALL
+  SELECT 'AMBARI.MANAGE_VIEWS', 'Manage Ambari Views' UNION ALL
+  SELECT 'AMBARI.ASSIGN_ROLES', 'Assign roles' UNION ALL
+  SELECT 'AMBARI.MANAGE_STACK_VERSIONS', 'Manage stack versions' UNION ALL
+  SELECT 'AMBARI.EDIT_STACK_REPOS', 'Edit stack repository URLs' FROM  adminresourcetype WHERE resource_type_name='AMBARI';
+
+-- Set authorizations for View User role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'VIEW.USE' FROM adminpermission WHERE permission_name='VIEW.USER';
+
+-- Set authorizations for Cluster User role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.USER';
+
+-- Set authorizations for Service Operator role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR';
+
+-- Set authorizations for Service Administrator role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR';
+
+-- Set authorizations for Cluster Operator role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_COMPONENTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_HOSTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR';
+
+-- Set authorizations for Cluster Administrator role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ADD_DELETE_SERVICES' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_COMPONENTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_HOSTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR';
+
+-- Set authorizations for Administrator role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'VIEW.USE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ADD_DELETE_SERVICES' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_COMPONENTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_HOSTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.ADD_DELETE_CLUSTERS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.SET_SERVICE_USERS_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.RENAME_CLUSTER' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.MANAGE_USERS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.MANAGE_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.MANAGE_VIEWS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.ASSIGN_ROLES' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.MANAGE_STACK_VERSIONS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.EDIT_STACK_REPOS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR';
 
 insert into adminprivilege (privilege_id, permission_id, resource_id, principal_id)
   select 1, 1, 1, 1;


Mime
View raw message