ambari-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rle...@apache.org
Subject [3/3] ambari git commit: AMBARI-14141. Enforce granular role-based access control for alert functions (rlevas)
Date Thu, 17 Dec 2015 18:50:30 GMT
AMBARI-14141. Enforce granular role-based access control for alert functions (rlevas)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/f7ec3bc8
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/f7ec3bc8
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/f7ec3bc8

Branch: refs/heads/branch-rbac-sso
Commit: f7ec3bc89d0889792c3397dda5dcee2ae85b6ff4
Parents: 5108e18
Author: Robert Levas <rlevas@hortonworks.com>
Authored: Thu Dec 17 13:49:58 2015 -0500
Committer: Robert Levas <rlevas@hortonworks.com>
Committed: Thu Dec 17 13:49:58 2015 -0500

----------------------------------------------------------------------
 .../AbstractControllerResourceProvider.java     |  26 +-
 .../AlertDefinitionResourceProvider.java        |  86 ++--
 .../internal/AlertGroupResourceProvider.java    |  46 ++-
 .../internal/AlertHistoryResourceProvider.java  |  43 ++
 .../internal/AlertNoticeResourceProvider.java   |  33 +-
 .../internal/AlertResourceProvider.java         |  45 ++-
 .../internal/AlertResourceProviderUtils.java    | 403 +++++++++++++++++++
 .../internal/AlertTargetResourceProvider.java   |  27 +-
 .../internal/DefaultProviderModule.java         |   2 +-
 .../AmbariAuthorizationFilter.java              |  10 +-
 .../authorization/RoleAuthorization.java        |   2 +
 .../server/upgrade/UpgradeCatalog230.java       |  12 +-
 .../main/resources/Ambari-DDL-MySQL-CREATE.sql  |  18 +-
 .../main/resources/Ambari-DDL-Oracle-CREATE.sql |  16 +-
 .../resources/Ambari-DDL-Postgres-CREATE.sql    |  16 +-
 .../Ambari-DDL-Postgres-EMBEDDED-CREATE.sql     |  16 +-
 .../resources/Ambari-DDL-SQLAnywhere-CREATE.sql |  16 +-
 .../resources/Ambari-DDL-SQLServer-CREATE.sql   |  16 +-
 .../AlertDefinitionResourceProviderTest.java    | 253 ++++++++++--
 .../AlertGroupResourceProviderTest.java         | 402 ++++++++++++++----
 .../AlertHistoryResourceProviderTest.java       | 146 ++++++-
 .../AlertNoticeResourceProviderTest.java        | 145 ++++++-
 .../internal/AlertResourceProviderTest.java     | 213 ++++++++--
 .../AlertTargetResourceProviderTest.java        | 341 +++++++++++++++-
 .../security/TestAuthenticationFactory.java     |   1 +
 25 files changed, 2058 insertions(+), 276 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java
index d47d8d3..d2f0bc9 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java
@@ -83,8 +83,32 @@ public abstract class AbstractControllerResourceProvider extends AbstractAuthori
    * @return the resource id or null if not found
    * @throws AmbariException if the named cluster does not exist
    */
+  protected Long getClusterId(String clusterName) throws AmbariException {
+    Cluster cluster = (clusterName == null) ? null : managementController.getClusters().getCluster(clusterName);
+    return (cluster == null) ? null : cluster.getClusterId();
+  }
+
+  /**
+   * Gets the resource id for the named cluster
+   *
+   * @param clusterName the name of the relevant cluster
+   * @return the resource id or null if not found
+   * @throws AmbariException if the named cluster does not exist
+   */
   protected Long getClusterResourceId(String clusterName) throws AmbariException {
-    Cluster cluster = managementController.getClusters().getCluster(clusterName);
+    Cluster cluster = (clusterName == null) ? null : managementController.getClusters().getCluster(clusterName);
+    return (cluster == null) ? null : cluster.getResourceId();
+  }
+
+  /**
+   * Gets the resource id for the cluster with the specified id
+   *
+   * @param clusterId the id of the relevant cluster
+   * @return the resource id or null if not found
+   * @throws AmbariException if the cluster does not exist
+   */
+  protected Long getClusterResourceId(Long clusterId) throws AmbariException {
+    Cluster cluster = (clusterId == null) ? null : managementController.getClusters().getClusterById(clusterId);
     return (cluster == null) ? null : cluster.getResourceId();
   }
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertDefinitionResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertDefinitionResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertDefinitionResourceProvider.java
index bc5f956..263a7b8 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertDefinitionResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertDefinitionResourceProvider.java
@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -50,6 +50,7 @@ import org.apache.ambari.server.events.AlertHashInvalidationEvent;
 import org.apache.ambari.server.events.publishers.AmbariEventPublisher;
 import org.apache.ambari.server.orm.dao.AlertDefinitionDAO;
 import org.apache.ambari.server.orm.entities.AlertDefinitionEntity;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
 import org.apache.ambari.server.state.Cluster;
 import org.apache.ambari.server.state.Clusters;
 import org.apache.ambari.server.state.alert.AlertDefinition;
@@ -174,7 +175,7 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP
 
     createResources(new Command<Void>() {
       @Override
-      public Void invoke() throws AmbariException {
+      public Void invoke() throws AmbariException, AuthorizationException {
         createAlertDefinitions(request.getProperties());
         return null;
       }
@@ -185,7 +186,7 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP
   }
 
   private void createAlertDefinitions(Set<Map<String, Object>> requestMaps)
-    throws AmbariException {
+      throws AmbariException, AuthorizationException {
     List<AlertDefinitionEntity> entities = new ArrayList<AlertDefinitionEntity>();
 
     String clusterName = null;
@@ -235,6 +236,7 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP
       if (null != id) {
         AlertDefinitionEntity entity = alertDefinitionDAO.findById(Long.parseLong(id));
         if (null != entity) {
+          AlertResourceProviderUtils.verifyViewAuthorization(entity);
           results.add(toResource(clusterName, entity, requestPropertyIds));
         }
       } else {
@@ -245,11 +247,21 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP
           throw new NoSuchResourceException("Parent Cluster resource doesn't exist", e);
         }
 
-        List<AlertDefinitionEntity> entities = alertDefinitionDAO.findAll(
-            cluster.getClusterId());
+        List<AlertDefinitionEntity> entities = alertDefinitionDAO.findAll(cluster.getClusterId());
+
+        // Any service name that is not empty or equal to "AMBARI" indicates a service-level alert
+        boolean serviceLevelAuthorization = AlertResourceProviderUtils.hasViewAuthorization("_SERVICE_NAME_", cluster.getResourceId());
+        boolean clusterLevelAuthorization = AlertResourceProviderUtils.hasViewAuthorization("", cluster.getResourceId());
 
         for (AlertDefinitionEntity entity : entities) {
-          results.add(toResource(clusterName, entity, requestPropertyIds));
+          String serviceName = entity.getServiceName();
+
+          // Include the alert in the results if the authenticated user is authorized to get it
+          if((StringUtils.isEmpty(serviceName) || "AMBARI".equals(serviceName))
+              ? clusterLevelAuthorization
+              : serviceLevelAuthorization) {
+            results.add(toResource(clusterName, entity, requestPropertyIds));
+          }
         }
       }
     }
@@ -345,6 +357,8 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP
 
       final AlertDefinitionEntity entity = alertDefinitionDAO.findById(definitionId.longValue());
 
+      AlertResourceProviderUtils.verifyManageAuthorization(entity);
+
       modifyResources(new Command<Void>() {
         @Override
         public Void invoke() throws AmbariException {
@@ -382,7 +396,7 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP
    * @throws AmbariException
    */
   private void populateEntity(AlertDefinitionEntity entity,
-      Map<String, Object> requestMap) throws AmbariException {
+      Map<String, Object> requestMap) throws AmbariException, AuthorizationException {
 
     // some fields are required on creation; on update we keep what's there
     boolean bCreate = true;
@@ -509,56 +523,80 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP
       throw new IllegalArgumentException("Source must be specified");
     }
 
-    Cluster cluster = getManagementController().getClusters().getCluster(
-        clusterName);
+    Clusters clusters = getManagementController().getClusters();
+    Cluster cluster = clusters.getCluster(clusterName);
+    Long clusterId = cluster.getClusterId();
+
+    boolean managed = false;
+    boolean toggled = false;
 
     // at this point, we have either validated all required properties or
     // we are using the exiting entity properties where not defined, so we
     // can do simply null checks
-    entity.setClusterId(Long.valueOf(cluster.getClusterId()));
+    if (!clusterId.equals(entity.getClusterId())) {
+      entity.setClusterId(clusterId);
+      managed = true;
+    }
 
-    if (null != componentName) {
+    if ((null != componentName) && !componentName.equals(entity.getComponentName())) {
       entity.setComponentName(componentName);
+      managed = true;
     }
 
-    if (null != definitionName) {
+    if ((null != definitionName) && !definitionName.equals(entity.getDefinitionName())) {
       entity.setDefinitionName(definitionName);
+      managed = true;
     }
 
-    if (null != label) {
+    if ((null != label) && !label.equals(entity.getLabel())) {
       entity.setLabel(label);
+      managed = true;
     }
 
-    if (null != description) {
+    if ((null != description) && !description.equals(entity.getDescription())) {
       entity.setDescription(description);
+      managed = true;
     }
 
-    if (null != enabled) {
-      entity.setEnabled(enabled.booleanValue());
+    if ((null != enabled) && !enabled.equals(entity.getEnabled())) {
+      entity.setEnabled(enabled);
+      toggled = true;
     }
 
-    if (null != ignoreHost) {
-      entity.setHostIgnored(ignoreHost.booleanValue());
+    if ((null != ignoreHost) && !ignoreHost.equals(entity.isHostIgnored())) {
+      entity.setHostIgnored(ignoreHost);
+      managed = true;
     }
 
-    if (null != interval) {
+    if ((null != interval) && !interval.equals(entity.getScheduleInterval())) {
       entity.setScheduleInterval(interval);
+      managed = true;
     }
 
-    if (null != serviceName) {
+    if ((null != serviceName) && !serviceName.equals(entity.getServiceName())) {
       entity.setServiceName(serviceName);
+      managed = true;
     }
 
-    if (null != sourceType) {
+    if ((null != sourceType) && !sourceType.equals(entity.getSourceType())) {
       entity.setSourceType(sourceType);
+      managed = true;
     }
 
     if (null != source) {
       entity.setSource(source.toString());
+      managed = true;
     }
 
-    if (null != scope) {
+    if ((null != scope) && !scope.equals(entity.getScope())) {
       entity.setScope(scope);
+      managed = true;
+    }
+
+    if (managed) {
+      AlertResourceProviderUtils.verifyManageAuthorization(entity);
+    } else if (toggled) {
+      AlertResourceProviderUtils.verifyToggleAuthorization(entity);
     }
 
     entity.setHash(UUID.randomUUID().toString());
@@ -677,7 +715,7 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP
    *
    * @param propertyMap
    */
-  private void scheduleImmediateAlert(Map<String, Object> propertyMap) {
+  private void scheduleImmediateAlert(Map<String, Object> propertyMap) throws AuthorizationException {
     Clusters clusters = getManagementController().getClusters();
     String stringId = (String) propertyMap.get(ALERT_DEF_ID);
     long id = Long.parseLong(stringId);
@@ -697,6 +735,8 @@ public class AlertDefinitionResourceProvider extends AbstractControllerResourceP
       return;
     }
 
+    AlertResourceProviderUtils.verifyExecuteAuthorization(entity);
+
     Set<String> hostNames = alertDefinitionHash.getAssociatedHosts(cluster,
         entity.getSourceType(),
         entity.getDefinitionName(), entity.getServiceName(),

http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertGroupResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertGroupResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertGroupResourceProvider.java
index 215bc8e..36469c1 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertGroupResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertGroupResourceProvider.java
@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -45,6 +45,7 @@ import org.apache.ambari.server.orm.dao.AlertDispatchDAO;
 import org.apache.ambari.server.orm.entities.AlertDefinitionEntity;
 import org.apache.ambari.server.orm.entities.AlertGroupEntity;
 import org.apache.ambari.server.orm.entities.AlertTargetEntity;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
 import org.apache.ambari.server.state.Cluster;
 import org.apache.ambari.server.state.alert.AlertTarget;
 import org.apache.commons.lang.StringUtils;
@@ -124,7 +125,7 @@ public class AlertGroupResourceProvider extends
 
     createResources(new Command<Void>() {
       @Override
-      public Void invoke() throws AmbariException {
+      public Void invoke() throws AmbariException, AuthorizationException {
         createAlertGroups(request.getProperties());
         return null;
       }
@@ -153,6 +154,11 @@ public class AlertGroupResourceProvider extends
       if (null != id) {
         AlertGroupEntity entity = s_dao.findGroupById(Long.parseLong(id));
         if (null != entity) {
+          try {
+            AlertResourceProviderUtils.verifyViewAuthorization(entity, getClusterResourceId(entity.getClusterId()));
+          } catch (AmbariException e) {
+            throw new SystemException(e.getMessage(), e);
+          }
           results.add(toResource(clusterName, entity, requestPropertyIds));
         }
       } else {
@@ -167,7 +173,13 @@ public class AlertGroupResourceProvider extends
         List<AlertGroupEntity> entities = s_dao.findAllGroups(cluster.getClusterId());
 
         for (AlertGroupEntity entity : entities) {
-          results.add(toResource(clusterName, entity, requestPropertyIds));
+          try {
+            if (AlertResourceProviderUtils.hasViewAuthorization(entity, getClusterResourceId(entity.getClusterId()))) {
+              results.add(toResource(clusterName, entity, requestPropertyIds));
+            }
+          } catch (AmbariException e) {
+            throw new SystemException(e.getMessage(), e);
+          }
         }
       }
     }
@@ -183,7 +195,7 @@ public class AlertGroupResourceProvider extends
 
     modifyResources(new Command<Void>() {
       @Override
-      public Void invoke() throws AmbariException {
+      public Void invoke() throws AmbariException, AuthorizationException {
         updateAlertGroups(request.getProperties());
         return null;
       }
@@ -201,17 +213,25 @@ public class AlertGroupResourceProvider extends
     Set<Resource> resources = getResources(new RequestImpl(null, null, null,
         null), predicate);
 
-    Set<Long> groupIds = new HashSet<Long>();
+    Map<Long, AlertGroupEntity> entities = new HashMap<Long, AlertGroupEntity>();
 
     for (final Resource resource : resources) {
       Long id = (Long) resource.getPropertyValue(ALERT_GROUP_ID);
-      groupIds.add(id);
+      if (!entities.containsKey(id)) {
+        AlertGroupEntity entity = s_dao.findGroupById(id);
+
+        try {
+          AlertResourceProviderUtils.verifyManageAuthorization(entity, getClusterResourceId(entity.getClusterId()));
+          entities.put(id, entity);
+        } catch (AmbariException e) {
+          LOG.warn("The default alert group for {} cannot be removed", entity.getServiceName(), e);
+        }
+      }
     }
 
-    for (Long groupId : groupIds) {
-      LOG.info("Deleting alert target {}", groupId);
+    for (final AlertGroupEntity entity : entities.values()) {
+      LOG.info("Deleting alert group {}", entity.getGroupId());
 
-      final AlertGroupEntity entity = s_dao.findGroupById(groupId.longValue());
       if (entity.isDefault()) {
         // default groups cannot be removed
         LOG.warn("The default alert group for {} cannot be removed",
@@ -246,7 +266,7 @@ public class AlertGroupResourceProvider extends
    */
   @SuppressWarnings("unchecked")
   private void createAlertGroups(Set<Map<String, Object>> requestMaps)
-      throws AmbariException {
+      throws AmbariException, AuthorizationException {
 
     List<AlertGroupEntity> entities = new ArrayList<AlertGroupEntity>();
     for (Map<String, Object> requestMap : requestMaps) {
@@ -290,6 +310,8 @@ public class AlertGroupResourceProvider extends
         entity.setAlertDefinitions(definitions);
       }
 
+      AlertResourceProviderUtils.verifyManageAuthorization(entity, cluster.getResourceId());
+
       entities.add(entity);
     }
 
@@ -306,7 +328,7 @@ public class AlertGroupResourceProvider extends
    */
   @SuppressWarnings("unchecked")
   private void updateAlertGroups(Set<Map<String, Object>> requestMaps)
-      throws AmbariException {
+      throws AmbariException, AuthorizationException {
 
     for (Map<String, Object> requestMap : requestMaps) {
       String stringId = (String) requestMap.get(ALERT_GROUP_ID);
@@ -323,6 +345,8 @@ public class AlertGroupResourceProvider extends
         throw new AmbariException(message);
       }
 
+      AlertResourceProviderUtils.verifyManageAuthorization(entity, getClusterResourceId(entity.getClusterId()));
+
       String name = (String) requestMap.get(ALERT_GROUP_NAME);
 
       // empty arrays are deserialized as HashSet while populated arrays

http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertHistoryResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertHistoryResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertHistoryResourceProvider.java
index 89ee69a..f52ee62 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertHistoryResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertHistoryResourceProvider.java
@@ -18,6 +18,7 @@
 package org.apache.ambari.server.controller.internal;
 
 import java.util.Arrays;
+import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.LinkedHashSet;
@@ -25,6 +26,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
+import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.StaticallyInject;
 import org.apache.ambari.server.controller.AlertHistoryRequest;
 import org.apache.ambari.server.controller.AmbariManagementController;
@@ -39,12 +41,18 @@ import org.apache.ambari.server.controller.spi.Resource;
 import org.apache.ambari.server.controller.spi.ResourceAlreadyExistsException;
 import org.apache.ambari.server.controller.spi.SystemException;
 import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
+import org.apache.ambari.server.orm.dao.AlertDefinitionDAO;
 import org.apache.ambari.server.orm.dao.AlertsDAO;
 import org.apache.ambari.server.orm.entities.AlertDefinitionEntity;
 import org.apache.ambari.server.orm.entities.AlertHistoryEntity;
 import org.apache.ambari.server.orm.entities.ClusterEntity;
 
 import com.google.inject.Inject;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
+import org.apache.commons.lang.StringUtils;
+import sun.net.www.protocol.http.AuthenticationHeader;
 
 /**
  * ResourceProvider for Alert History
@@ -75,6 +83,9 @@ public class AlertHistoryResourceProvider extends ReadOnlyResourceProvider imple
   @Inject
   private static AlertsDAO s_dao = null;
 
+  @Inject
+  private static AlertDefinitionDAO alertDefinitionDAO = null;
+
   /**
    * The property ids for an alert history resource.
    */
@@ -161,6 +172,38 @@ public class AlertHistoryResourceProvider extends ReadOnlyResourceProvider imple
       throws SystemException, UnsupportedPropertyException,
       NoSuchResourceException, NoSuchParentResourceException {
 
+    // Verify authorization to retrieve the requested data
+    Set<Map<String, Object>> propertyMaps = getPropertyMaps(predicate);
+    for(Map<String, Object> propertyMap: propertyMaps) {
+      try {
+        String clusterName = (String) propertyMap.get(ALERT_HISTORY_CLUSTER_NAME);
+        Long clusterId = (StringUtils.isEmpty(clusterName)) ? null : getClusterId(clusterName);
+        String definitionName = (String) propertyMap.get(ALERT_HISTORY_DEFINITION_NAME);
+        String definitionId = (String) propertyMap.get(ALERT_HISTORY_DEFINITION_ID);
+
+        if(clusterId == null)  {
+          // Make sure the user has administrative access by using -1 as the cluster id
+          AlertResourceProviderUtils.verifyViewAuthorization("", -1L);
+        }
+        else if(!StringUtils.isEmpty(definitionName)) {
+          // Make sure the user has access to the alert
+          AlertDefinitionEntity alertDefinition = alertDefinitionDAO.findByName(clusterId, definitionName);
+          AlertResourceProviderUtils.verifyViewAuthorization(alertDefinition);
+        }
+        else if(StringUtils.isNumeric(definitionId)) {
+          // Make sure the user has access to the alert
+          AlertDefinitionEntity alertDefinition = alertDefinitionDAO.findById(Long.valueOf(definitionId));
+          AlertResourceProviderUtils.verifyViewAuthorization(alertDefinition);
+        }
+        else {
+          // Make sure the user has the ability to view cluster-level alerts
+          AlertResourceProviderUtils.verifyViewAuthorization("", getClusterResourceId(clusterName));
+        }
+      } catch (AmbariException e) {
+        throw new SystemException(e.getMessage(), e);
+      }
+    }
+
     Set<Resource> results = new LinkedHashSet<Resource>();
     Set<String> requestPropertyIds = getRequestPropertyIds(request, predicate);
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertNoticeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertNoticeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertNoticeResourceProvider.java
index 8f0e526..f19bea9 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertNoticeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertNoticeResourceProvider.java
@@ -18,6 +18,7 @@
 package org.apache.ambari.server.controller.internal;
 
 import java.util.Arrays;
+import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.LinkedHashSet;
@@ -25,8 +26,10 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
+import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.StaticallyInject;
 import org.apache.ambari.server.controller.AlertNoticeRequest;
+import org.apache.ambari.server.controller.AmbariManagementController;
 import org.apache.ambari.server.controller.spi.ExtendedResourceProvider;
 import org.apache.ambari.server.controller.spi.NoSuchParentResourceException;
 import org.apache.ambari.server.controller.spi.NoSuchResourceException;
@@ -46,12 +49,16 @@ import org.apache.ambari.server.orm.entities.AlertTargetEntity;
 import org.apache.ambari.server.orm.entities.ClusterEntity;
 
 import com.google.inject.Inject;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
+import org.apache.commons.lang.StringUtils;
 
 /**
  * ResourceProvider for Alert History
  */
 @StaticallyInject
-public class AlertNoticeResourceProvider extends AbstractResourceProvider implements ExtendedResourceProvider {
+public class AlertNoticeResourceProvider extends AbstractControllerResourceProvider implements ExtendedResourceProvider {
 
   public static final String ALERT_NOTICE_ID = "AlertNotice/id";
   public static final String ALERT_NOTICE_STATE = "AlertNotice/notification_state";
@@ -101,8 +108,8 @@ public class AlertNoticeResourceProvider extends AbstractResourceProvider implem
   /**
    * Constructor.
    */
-  AlertNoticeResourceProvider() {
-    super(PROPERTY_IDS, KEY_PROPERTY_IDS);
+  AlertNoticeResourceProvider(AmbariManagementController managementController) {
+    super(PROPERTY_IDS, KEY_PROPERTY_IDS, managementController);
   }
 
   /**
@@ -151,6 +158,26 @@ public class AlertNoticeResourceProvider extends AbstractResourceProvider implem
       throws SystemException, UnsupportedPropertyException,
       NoSuchResourceException, NoSuchParentResourceException {
 
+    // Verify authorization to retrieve the requested data
+    Set<Map<String, Object>> propertyMaps = getPropertyMaps(predicate);
+    for (Map<String, Object> propertyMap : propertyMaps) {
+      try {
+        String clusterName = (String) propertyMap.get(ALERT_NOTICE_CLUSTER_NAME);
+        Long clusterResourceId = (StringUtils.isEmpty(clusterName)) ? null : getClusterResourceId(clusterName);
+        String serviceName = (String) propertyMap.get(ALERT_NOTICE_SERVICE_NAME);
+
+        if (clusterResourceId == null) {
+          // Make sure the user had administrative access by using -1 as the cluster id
+          clusterResourceId = -1L;
+        }
+
+        // Make sure the user had access to the alert
+        AlertResourceProviderUtils.verifyViewAuthorization(serviceName, clusterResourceId);
+      } catch (AmbariException e) {
+        throw new SystemException(e.getMessage(), e);
+      }
+    }
+
     Set<String> requestPropertyIds = getRequestPropertyIds(request, predicate);
     Set<Resource> results = new LinkedHashSet<Resource>();
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProvider.java
index 4dc4dcf..0492860 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProvider.java
@@ -25,6 +25,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
+import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.StaticallyInject;
 import org.apache.ambari.server.controller.AlertCurrentRequest;
 import org.apache.ambari.server.controller.AmbariManagementController;
@@ -37,12 +38,14 @@ import org.apache.ambari.server.controller.spi.Request;
 import org.apache.ambari.server.controller.spi.Resource;
 import org.apache.ambari.server.controller.spi.SystemException;
 import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
+import org.apache.ambari.server.orm.dao.AlertDefinitionDAO;
 import org.apache.ambari.server.orm.dao.AlertsDAO;
 import org.apache.ambari.server.orm.entities.AlertCurrentEntity;
 import org.apache.ambari.server.orm.entities.AlertDefinitionEntity;
 import org.apache.ambari.server.orm.entities.AlertHistoryEntity;
 
 import com.google.inject.Inject;
+import org.apache.commons.lang.StringUtils;
 
 /**
  * ResourceProvider for Alert instances
@@ -75,6 +78,9 @@ public class AlertResourceProvider extends ReadOnlyResourceProvider implements
   @Inject
   private static AlertsDAO alertsDAO;
 
+  @Inject
+  private static AlertDefinitionDAO alertDefinitionDAO = null;
+
   /**
    * The property ids for an alert defintion resource.
    */
@@ -159,17 +165,46 @@ public class AlertResourceProvider extends ReadOnlyResourceProvider implements
         AlertCurrentEntity entity = alertsDAO.findCurrentById(Long.parseLong(id));
 
         if (null != entity) {
+          AlertResourceProviderUtils.verifyViewAuthorization(entity);
           results.add(toResource(false, clusterName, entity, requestPropertyIds));
         }
 
       } else {
+        // Verify authorization to retrieve the requested data
+        try {
+          Long clusterId = (StringUtils.isEmpty(clusterName)) ? null : getClusterId(clusterName);
+          String definitionName = (String) propertyMap.get(ALERT_DEFINITION_NAME);
+          String definitionId = (String) propertyMap.get(ALERT_DEFINITION_ID);
+
+          if(clusterId == null)  {
+            // Make sure the user has administrative access by using -1 as the cluster id
+            AlertResourceProviderUtils.verifyViewAuthorization("", -1L);
+          }
+          else if(!StringUtils.isEmpty(definitionName)) {
+            // Make sure the user has access to the alert
+            AlertDefinitionEntity alertDefinition = alertDefinitionDAO.findByName(clusterId, definitionName);
+            AlertResourceProviderUtils.verifyViewAuthorization(alertDefinition);
+          }
+          else if(StringUtils.isNumeric(definitionId)) {
+            // Make sure the user has access to the alert
+            AlertDefinitionEntity alertDefinition = alertDefinitionDAO.findById(Long.valueOf(definitionId));
+            AlertResourceProviderUtils.verifyViewAuthorization(alertDefinition);
+          }
+          else {
+            // Make sure the user has the ability to view cluster-level alerts
+            AlertResourceProviderUtils.verifyViewAuthorization("", getClusterResourceId(clusterName));
+          }
+        } catch (AmbariException e) {
+          throw new SystemException(e.getMessage(), e);
+        }
+
         List<AlertCurrentEntity> entities = null;
-          AlertCurrentRequest alertCurrentRequest = new AlertCurrentRequest();
-          alertCurrentRequest.Predicate = predicate;
-          alertCurrentRequest.Pagination = request.getPageRequest();
-          alertCurrentRequest.Sort = request.getSortRequest();
+        AlertCurrentRequest alertCurrentRequest = new AlertCurrentRequest();
+        alertCurrentRequest.Predicate = predicate;
+        alertCurrentRequest.Pagination = request.getPageRequest();
+        alertCurrentRequest.Sort = request.getSortRequest();
 
-          entities = alertsDAO.findAll(alertCurrentRequest);
+        entities = alertsDAO.findAll(alertCurrentRequest);
 
         if (null == entities) {
           entities = Collections.emptyList();

http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProviderUtils.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProviderUtils.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProviderUtils.java
new file mode 100644
index 0000000..3fac049
--- /dev/null
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertResourceProviderUtils.java
@@ -0,0 +1,403 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.controller.internal;
+
+import org.apache.ambari.server.orm.entities.AlertCurrentEntity;
+import org.apache.ambari.server.orm.entities.AlertDefinitionEntity;
+import org.apache.ambari.server.orm.entities.AlertGroupEntity;
+import org.apache.ambari.server.orm.entities.AlertHistoryEntity;
+import org.apache.ambari.server.orm.entities.ClusterEntity;
+import org.apache.ambari.server.orm.entities.ResourceEntity;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
+import org.apache.commons.lang.StringUtils;
+
+import java.util.EnumSet;
+import java.util.Set;
+
+/**
+ * AlertResourceProviderUtils provides utility methods used to help perform tasks within alert-specific
+ * resource providers.
+ */
+public class AlertResourceProviderUtils {
+
+  /**
+   * A set of RoleAuthorizations where one is required in order to be authorized to view
+   * cluster-level alerts
+   */
+  private static final Set<RoleAuthorization> AUTHORIZATIONS_VIEW_CLUSTER_ALERTS = EnumSet.of(
+      RoleAuthorization.CLUSTER_VIEW_ALERTS,
+      RoleAuthorization.CLUSTER_TOGGLE_ALERTS,
+      RoleAuthorization.CLUSTER_MANAGE_ALERTS);
+
+  /**
+   * A set of RoleAuthorizations where one is required in order to be authorized to view
+   * service-level alerts
+   */
+  private static final Set<RoleAuthorization> AUTHORIZATIONS_VIEW_SERVICE_ALERTS = EnumSet.of(
+      RoleAuthorization.CLUSTER_VIEW_ALERTS,
+      RoleAuthorization.CLUSTER_TOGGLE_ALERTS,
+      RoleAuthorization.CLUSTER_MANAGE_ALERTS,
+      RoleAuthorization.SERVICE_VIEW_ALERTS,
+      RoleAuthorization.SERVICE_TOGGLE_ALERTS,
+      RoleAuthorization.SERVICE_MANAGE_ALERTS);
+
+  /**
+   * A set of RoleAuthorizations where one is required in order to be authorized to execute
+   * cluster-level alerts
+   */
+  private static final Set<RoleAuthorization> AUTHORIZATIONS_EXECUTE_CLUSTER_ALERTS = AUTHORIZATIONS_VIEW_CLUSTER_ALERTS;
+
+  /**
+   * A set of RoleAuthorizations where one is required in order to be authorized to execute
+   * service-level alerts
+   */
+  private static final Set<RoleAuthorization> AUTHORIZATIONS_EXECUTE_SERVICE_ALERTS = AUTHORIZATIONS_VIEW_SERVICE_ALERTS;
+
+  /**
+   * A set of RoleAuthorizations where one is required in order to be authorized to toggle
+   * cluster-level alerts
+   */
+  private static final Set<RoleAuthorization> AUTHORIZATIONS_TOGGLE_CLUSTER_ALERTS = EnumSet.of(
+      RoleAuthorization.CLUSTER_TOGGLE_ALERTS,
+      RoleAuthorization.CLUSTER_MANAGE_ALERTS);
+
+  /**
+   * A set of RoleAuthorizations where one is required in order to be authorized to toggle
+   * service-level alerts
+   */
+  private static final Set<RoleAuthorization> AUTHORIZATIONS_TOGGLE_SERVICE_ALERTS = EnumSet.of(
+      RoleAuthorization.CLUSTER_TOGGLE_ALERTS,
+      RoleAuthorization.CLUSTER_MANAGE_ALERTS,
+      RoleAuthorization.SERVICE_TOGGLE_ALERTS,
+      RoleAuthorization.SERVICE_MANAGE_ALERTS);
+
+  /**
+   * A set of RoleAuthorizations where one is required in order to be authorized to create, update,
+   * and delete cluster-level alerts
+   */
+  private static final Set<RoleAuthorization> AUTHORIZATIONS_MANAGE_CLUSTER_ALERTS = EnumSet.of(
+      RoleAuthorization.CLUSTER_MANAGE_ALERTS);
+
+  /**
+   * A set of RoleAuthorizations where one is required in order to be authorized to create, update,
+   * and delete service-level alerts
+   */
+  private static final Set<RoleAuthorization> AUTHORIZATIONS_MANAGE_SERVICE_ALERTS = EnumSet.of(
+      RoleAuthorization.CLUSTER_MANAGE_ALERTS,
+      RoleAuthorization.SERVICE_MANAGE_ALERTS);
+
+
+  /* ------------------------------------------------------------------------------------------
+   * Checks for VIEWING Alerts
+   * ------------------------------------------------------------------------------------------   */
+
+  /**
+   * Tests if the authenticated user is authorized to view the requested alert data
+   *
+   * @param entity            an AlertGroupEntity
+   * @param clusterResourceId the resource id of the relevant cluster
+   * @return true if the authenticated user is authorized; otherwise false
+   */
+  public static boolean hasViewAuthorization(AlertGroupEntity entity, Long clusterResourceId) {
+    return (null != entity) &&
+        hasViewAuthorization(entity.getServiceName(), clusterResourceId);
+  }
+
+  /**
+   * Tests if the authenticated user is authorized to view service- or cluster-level alert data
+   *
+   * @param serviceName       the name of the relevant service - null or empty indicates a cluster-level alert
+   * @param clusterResourceId the resource id of the relevant cluster
+   * @return true if the authenticated user is authorized; otherwise false
+   */
+  public static boolean hasViewAuthorization(String serviceName, Long clusterResourceId) {
+    return hasAuthorization(serviceName, clusterResourceId,
+        AUTHORIZATIONS_VIEW_CLUSTER_ALERTS, AUTHORIZATIONS_VIEW_SERVICE_ALERTS);
+  }
+
+  /**
+   * Tests if the authenticated user is authorized to view service- or cluster-level alert data.
+   * An authorization failure results in a thrown {@link AuthorizationException}.
+   *
+   * @param entity an AlertCurrentEntity
+   * @throws AuthorizationException if the authenticated user is not authorized
+   */
+  public static void verifyViewAuthorization(AlertCurrentEntity entity)
+      throws AuthorizationException {
+    if (entity != null) {
+      verifyViewAuthorization(entity.getAlertHistory());
+    }
+  }
+
+  /**
+   * Tests if the authenticated user is authorized to view service- or cluster-level alert data.
+   * An authorization failure results in a thrown {@link AuthorizationException}.
+   *
+   * @param entity an AlertHistoryEntity
+   * @throws AuthorizationException if the authenticated user is not authorized
+   */
+  public static void verifyViewAuthorization(AlertHistoryEntity entity)
+      throws AuthorizationException {
+    if (entity != null) {
+      verifyViewAuthorization(entity.getAlertDefinition());
+    }
+  }
+
+  /**
+   * Tests if the authenticated user is authorized to view service- or cluster-level alert data.
+   * An authorization failure results in a thrown {@link AuthorizationException}.
+   *
+   * @param entity            an AlertGroupEntity
+   * @param clusterResourceId the resource id of the relevant cluster
+   * @throws AuthorizationException if the authenticated user is not authorized
+   */
+  public static void verifyViewAuthorization(AlertGroupEntity entity, Long clusterResourceId)
+      throws AuthorizationException {
+    if (entity != null) {
+      verifyViewAuthorization(entity.getServiceName(), clusterResourceId);
+    }
+  }
+
+  /**
+   * Tests if the authenticated user is authorized to view service- or cluster-level alert data.
+   * An authorization failure results in a thrown {@link AuthorizationException}.
+   *
+   * @param entity an AlertDefinitionEntity
+   * @throws AuthorizationException if the authenticated user is not authorized
+   */
+  public static void verifyViewAuthorization(AlertDefinitionEntity entity) throws AuthorizationException {
+    verifyAuthorization(entity, AUTHORIZATIONS_VIEW_CLUSTER_ALERTS, AUTHORIZATIONS_VIEW_SERVICE_ALERTS, "view");
+  }
+
+  /**
+   * Tests if the authenticated user is authorized to view service- or cluster-level alert data.
+   * An authorization failure results in a thrown {@link AuthorizationException}.
+   *
+   * @param serviceName       the name of the relevant service - null or empty indicates a cluster-level alert
+   * @param clusterResourceId the resource id of the relevant cluster
+   * @throws AuthorizationException if the authenticated user is not authorized
+   */
+  public static void verifyViewAuthorization(String serviceName, Long clusterResourceId) throws AuthorizationException {
+    verifyAuthorization(serviceName, clusterResourceId, AUTHORIZATIONS_VIEW_CLUSTER_ALERTS, AUTHORIZATIONS_VIEW_SERVICE_ALERTS, "view");
+  }
+
+
+  /* ------------------------------------------------------------------------------------------
+   * Checks for EXECUTING Alerts
+   * ------------------------------------------------------------------------------------------   */
+
+  /**
+   * Tests if the authenticated user is authorized to execute service- or cluster-level alert data.
+   * An authorization failure results in a thrown {@link AuthorizationException}.
+   *
+   * @param entity an AlertDefinitionEntity
+   * @throws AuthorizationException if the authenticated user is not authorized
+   */
+  public static void verifyExecuteAuthorization(AlertDefinitionEntity entity) throws AuthorizationException {
+    verifyAuthorization(entity, AUTHORIZATIONS_EXECUTE_CLUSTER_ALERTS, AUTHORIZATIONS_EXECUTE_SERVICE_ALERTS, "execute");
+  }
+
+  /**
+   * Tests if the authenticated user is authorized to execute service- or cluster-level alert data.
+   * An authorization failure results in a thrown {@link AuthorizationException}.
+   *
+   * @param serviceName       the name of the relevant service - null or empty indicates a cluster-level alert
+   * @param clusterResourceId the resource id of the relevant cluster
+   * @throws AuthorizationException if the authenticated user is not authorized
+   */
+  public static void verifyExecuteAuthorization(String serviceName, Long clusterResourceId) throws AuthorizationException {
+    verifyAuthorization(serviceName, clusterResourceId, AUTHORIZATIONS_EXECUTE_CLUSTER_ALERTS, AUTHORIZATIONS_EXECUTE_SERVICE_ALERTS, "execute");
+  }
+
+
+  /* ------------------------------------------------------------------------------------------
+   * Checks for TOGGLING Alerts
+   * ------------------------------------------------------------------------------------------   */
+
+  /**
+   * Tests if the authenticated user is authorized to toggle service- or cluster-level alert data.
+   * An authorization failure results in a thrown {@link AuthorizationException}.
+   *
+   * @param entity an AlertDefinitionEntity
+   * @throws AuthorizationException if the authenticated user is not authorized
+   */
+  public static void verifyToggleAuthorization(AlertDefinitionEntity entity) throws AuthorizationException {
+    verifyAuthorization(entity, AUTHORIZATIONS_TOGGLE_CLUSTER_ALERTS, AUTHORIZATIONS_TOGGLE_SERVICE_ALERTS, "execute");
+  }
+
+  /**
+   * Tests if the authenticated user is authorized to toggle service- or cluster-level alert data.
+   * An authorization failure results in a thrown {@link AuthorizationException}.
+   *
+   * @param serviceName       the name of the relevant service - null or empty indicates a cluster-level alert
+   * @param clusterResourceId the resource id of the relevant cluster
+   * @throws AuthorizationException if the authenticated user is not authorized
+   */
+  public static void verifyToggleAuthorization(String serviceName, Long clusterResourceId) throws AuthorizationException {
+    verifyAuthorization(serviceName, clusterResourceId, AUTHORIZATIONS_TOGGLE_CLUSTER_ALERTS, AUTHORIZATIONS_TOGGLE_SERVICE_ALERTS, "execute");
+  }
+
+
+  /* ------------------------------------------------------------------------------------------
+   * Checks for MANAGING Alerts
+   * ------------------------------------------------------------------------------------------   */
+
+  /**
+   * Tests if the authenticated user is authorized to manage service- or cluster-level alert data.
+   * An authorization failure results in a thrown {@link AuthorizationException}.
+   *
+   * @param entity            an AlertGroupEntity
+   * @param clusterResourceId the resource id of the relevant cluster
+   * @throws AuthorizationException if the authenticated user is not authorized
+   */
+  public static void verifyManageAuthorization(AlertGroupEntity entity, Long clusterResourceId) throws AuthorizationException {
+    if (entity != null) {
+      verifyManageAuthorization(entity.getServiceName(), clusterResourceId);
+    }
+  }
+
+  /**
+   * Tests if the authenticated user is authorized to manage service- or cluster-level alert data.
+   * An authorization failure results in a thrown {@link AuthorizationException}.
+   *
+   * @param entity an AlertDefinitionEntity
+   * @throws AuthorizationException if the authenticated user is not authorized
+   */
+  public static void verifyManageAuthorization(AlertDefinitionEntity entity) throws AuthorizationException {
+    verifyAuthorization(entity, AUTHORIZATIONS_MANAGE_CLUSTER_ALERTS, AUTHORIZATIONS_MANAGE_SERVICE_ALERTS, "manage");
+  }
+
+  /**
+   * Tests if the authenticated user is authorized to manage service- or cluster-level alert data.
+   * An authorization failure results in a thrown {@link AuthorizationException}.
+   *
+   * @param serviceName       the name of the relevant service - null or empty indicates a cluster-level alert
+   * @param clusterResourceId the resource id of the relevant cluster
+   * @throws AuthorizationException if the authenticated user is not authorized
+   */
+  public static void verifyManageAuthorization(String serviceName, Long clusterResourceId) throws AuthorizationException {
+    verifyAuthorization(serviceName, clusterResourceId, AUTHORIZATIONS_MANAGE_CLUSTER_ALERTS, AUTHORIZATIONS_MANAGE_SERVICE_ALERTS, "manage");
+  }
+
+
+  /* ------------------------------------------------------------------------------------------
+   * Generic checks
+   * ------------------------------------------------------------------------------------------   */
+
+  /**
+   * Tests if the authenticated user is authorized to for either service- or cluster-level access to
+   * alert data.
+   * <p/>
+   * If the service name is null or empty, the alert is considered to be a cluster-level alert,
+   * else it is considered to be a service-level alert.
+   * <p/>
+   * If the clusterResourceId is null, no cluster is assume and the alert is considered to be an
+   * Ambari-level alert.
+   *
+   * @param serviceName                the name of the relevant service - null or empty indicates a cluster-level alert
+   * @param clusterResourceId          the resource id of the relevant cluster
+   * @param clusterLevelAuthorizations the set of cluster-level authorizations to check for
+   * @param serviceLevelAuthorizations the set of service-level authorizations to check for
+   * @return true if the authenticated user is authorized; otherwise false
+   */
+  public static boolean hasAuthorization(String serviceName, Long clusterResourceId,
+                                         Set<RoleAuthorization> clusterLevelAuthorizations,
+                                         Set<RoleAuthorization> serviceLevelAuthorizations) {
+    if (null == clusterResourceId) {
+      // Do not let clusterResourceId be null because that indicates we don't care about which cluster
+      // we are checking authorization for, but we do.  Setting this to -1 ensures that no cluster
+      // will match will will give only Ambari administrators access to this.
+      clusterResourceId = -1L;
+    }
+
+    return AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, clusterResourceId,
+        (StringUtils.isEmpty(serviceName) || "AMBARI".equals(serviceName))
+            ? clusterLevelAuthorizations
+            : serviceLevelAuthorizations);
+  }
+
+  /**
+   * Tests if the authenticated user is authorized to for either service- or cluster-level access to
+   * alert data. An authorization failure results in a thrown {@link AuthorizationException}.
+   * <p/>
+   * If the service name from the AlertDefinitionEntity is null or empty, the alert is considered to
+   * be a cluster-level alert, else it is considered to be a service-level alert.
+   *
+   * @param entity                     an AlertDefinitionEntity
+   * @param clusterLevelAuthorizations the set of cluster-level authorizations to check for
+   * @param serviceLevelAuthorizations the set of service-level authorizations to check for
+   * @param operation                  the name of the operation being tested for (used in error and logging messages)
+   * @throws AuthorizationException if the authenticated user is not authorized
+   * @see #verifyAuthorization(String, Long, Set, Set, String)
+   */
+  public static void verifyAuthorization(AlertDefinitionEntity entity,
+                                         Set<RoleAuthorization> clusterLevelAuthorizations,
+                                         Set<RoleAuthorization> serviceLevelAuthorizations,
+                                         String operation) throws AuthorizationException {
+    ClusterEntity clusterEntity = (null == entity) ? null : entity.getCluster();
+    ResourceEntity resourceEntity = (null == clusterEntity) ? null : clusterEntity.getResource();
+    Long resourceId = (null == resourceEntity) ? null : resourceEntity.getId();
+
+    verifyAuthorization((null == entity) ? null : entity.getServiceName(), resourceId,
+        clusterLevelAuthorizations, serviceLevelAuthorizations, operation);
+  }
+
+  /**
+   * Tests if the authenticated user is authorized to for either service- or cluster-level access to
+   * alert data. An authorization failure results in a thrown {@link AuthorizationException}.
+   * <p/>
+   * If the service name from the AlertDefinitionEntity is null or empty, the alert is considered to
+   * be a cluster-level alert, else it is considered to be a service-level alert.
+   *
+   * @param serviceName                the name of the relevant service - null or empty indicates a cluster-level alert
+   * @param clusterResourceId          the resource id of the relevant cluster
+   * @param clusterLevelAuthorizations the set of cluster-level authorizations to check for
+   * @param serviceLevelAuthorizations the set of service-level authorizations to check for
+   * @param operation                  the name of the operation being tested for (used in error and logging messages)
+   * @throws AuthorizationException if the authenticated user is not authorized
+   */
+  public static void verifyAuthorization(String serviceName, Long clusterResourceId,
+                                         Set<RoleAuthorization> clusterLevelAuthorizations,
+                                         Set<RoleAuthorization> serviceLevelAuthorizations,
+                                         String operation) throws AuthorizationException {
+    if (null == clusterResourceId) {
+      // Do not let clusterResourceId be null because that indicates we don't care about which cluster
+      // we are checking authorization for, but we do.  Setting this to -1 ensures that no cluster
+      // will match will will give only Ambari administrators access to this.
+      clusterResourceId = -1L;
+    }
+
+    // If the service name is AMBARI, than the alert is for the cluster
+    if (StringUtils.isEmpty(serviceName) || "AMBARI".equals(serviceName)) {
+      if (!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, clusterResourceId,
+          clusterLevelAuthorizations)) {
+        throw new AuthorizationException(String.format("The authenticated user is not authorized to %s cluster-level alerts", operation));
+      }
+    } else {
+      if (!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, clusterResourceId,
+          serviceLevelAuthorizations)) {
+        throw new AuthorizationException(String.format("The authenticated user is not authorized to %s service-level alerts", operation));
+      }
+    }
+  }
+}
+

http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertTargetResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertTargetResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertTargetResourceProvider.java
index a310259..d28987d 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertTargetResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertTargetResourceProvider.java
@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -48,6 +48,8 @@ import org.apache.ambari.server.notifications.NotificationDispatcher;
 import org.apache.ambari.server.orm.dao.AlertDispatchDAO;
 import org.apache.ambari.server.orm.entities.AlertGroupEntity;
 import org.apache.ambari.server.orm.entities.AlertTargetEntity;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
 import org.apache.ambari.server.state.AlertState;
 import org.apache.ambari.server.state.alert.AlertGroup;
 import org.apache.ambari.server.state.alert.AlertTarget;
@@ -63,7 +65,7 @@ import com.google.inject.Inject;
  */
 @StaticallyInject
 public class AlertTargetResourceProvider extends
- AbstractResourceProvider {
+ AbstractAuthorizedResourceProvider {
 
   protected static final String ALERT_TARGET = "AlertTarget";
   protected static final String ALERT_TARGET_ID = "AlertTarget/id";
@@ -122,10 +124,18 @@ public class AlertTargetResourceProvider extends
    */
   AlertTargetResourceProvider() {
     super(PROPERTY_IDS, KEY_PROPERTY_IDS);
+
+    // For now only allow an Ambari administrator to create, update, and manage Alert Targets.
+    // If an alert target can associated with a particular cluster, than a cluster administrator
+    // should be able to do this as well.
+    EnumSet<RoleAuthorization> requiredAuthorizations = EnumSet.of(RoleAuthorization.CLUSTER_MANAGE_ALERTS);
+    setRequiredCreateAuthorizations(requiredAuthorizations);
+    setRequiredUpdateAuthorizations(requiredAuthorizations);
+    setRequiredDeleteAuthorizations(requiredAuthorizations);
   }
 
   @Override
-  public RequestStatus createResources(final Request request)
+  protected RequestStatus createResourcesAuthorized(final Request request)
       throws SystemException,
       UnsupportedPropertyException, ResourceAlreadyExistsException,
       NoSuchParentResourceException {
@@ -173,7 +183,7 @@ public class AlertTargetResourceProvider extends
   }
 
   @Override
-  public RequestStatus updateResources(final Request request,
+  protected RequestStatus updateResourcesAuthorized(final Request request,
       Predicate predicate)
       throws SystemException, UnsupportedPropertyException,
       NoSuchResourceException, NoSuchParentResourceException {
@@ -202,7 +212,7 @@ public class AlertTargetResourceProvider extends
   }
 
   @Override
-  public RequestStatus deleteResources(Predicate predicate)
+  protected RequestStatus deleteResourcesAuthorized(Predicate predicate)
       throws SystemException, UnsupportedPropertyException,
       NoSuchResourceException, NoSuchParentResourceException {
 
@@ -239,6 +249,11 @@ public class AlertTargetResourceProvider extends
     return PK_PROPERTY_IDS;
   }
 
+  @Override
+  protected ResourceType getResourceType(Request request, Predicate predicate) {
+    return ResourceType.AMBARI;
+  }
+
   /**
    * Create and persist {@link AlertTargetEntity} from the map of properties.
    *
@@ -341,7 +356,7 @@ public class AlertTargetResourceProvider extends
   /**
    * Updates existing {@link AlertTargetEntity}s with the specified properties.
    *
-   * @param requestMaps
+   * @param requestMap
    *          a set of property maps, one map for each entity.
    * @throws AmbariException
    *           if the entity could not be found.

http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/DefaultProviderModule.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/DefaultProviderModule.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/DefaultProviderModule.java
index dde934d..3801cc3 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/DefaultProviderModule.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/DefaultProviderModule.java
@@ -95,7 +95,7 @@ public class DefaultProviderModule extends AbstractProviderModule {
       case AlertGroup:
         return new AlertGroupResourceProvider(managementController);
       case AlertNotice:
-        return new AlertNoticeResourceProvider();
+        return new AlertNoticeResourceProvider(managementController);
       case Upgrade:
         return new UpgradeResourceProvider(managementController);
       case UpgradeGroup:

http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
index d817ad7..20ce7fa 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
@@ -72,9 +72,11 @@ public class AmbariAuthorizationFilter implements Filter {
   private static final String API_CREDENTIALS_AMBARI_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/credentials/ambari\\..*";
   private static final String API_CLUSTER_REQUESTS_ALL_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/requests.*";
   private static final String API_CLUSTER_SERVICES_ALL_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/services.*";
-  private static final String API_HOSTS_ALL_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/hosts.*";
+  private static final String API_CLUSTER_ALERT_ALL_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/alert.*";
+  private static final String API_CLUSTER_HOSTS_ALL_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/hosts.*";
   private static final String API_STACK_VERSIONS_PATTERN = API_VERSION_PREFIX + "/stacks/.*?/versions/.*";
-  private static final String API_HOSTS_ALL = API_VERSION_PREFIX + "/hosts.*";
+  private static final String API_HOSTS_ALL_PATTERN = API_VERSION_PREFIX + "/hosts.*";
+  private static final String API_ALERT_TARGETS_ALL_PATTERN = API_VERSION_PREFIX + "/alert_targets.*";
 
   protected static final String LOGIN_REDIRECT_BASE = "/#/login?targetURI=";
 
@@ -252,13 +254,15 @@ public class AmbariAuthorizationFilter implements Filter {
         requestURI.matches(API_PRIVILEGES_ALL_PATTERN) ||
         requestURI.matches(API_CLUSTER_REQUESTS_ALL_PATTERN) ||
         requestURI.matches(API_CLUSTER_SERVICES_ALL_PATTERN) ||
+        requestURI.matches(API_CLUSTER_ALERT_ALL_PATTERN) ||
         requestURI.matches(API_CLUSTERS_PATTERN) ||
         requestURI.matches(API_STACK_VERSIONS_PATTERN) ||
         requestURI.matches(API_VIEWS_ALL_PATTERN) ||
         requestURI.matches(VIEWS_CONTEXT_PATH_PATTERN) ||
         requestURI.matches(API_WIDGET_LAYOUTS_PATTERN) ||
+        requestURI.matches(API_CLUSTER_HOSTS_ALL_PATTERN) ||
         requestURI.matches(API_HOSTS_ALL_PATTERN) ||
-        requestURI.matches(API_HOSTS_ALL) ||
+        requestURI.matches(API_ALERT_TARGETS_ALL_PATTERN) ||
         requestURI.matches(API_PRIVILEGES_ALL_PATTERN);
   }
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java
index 795db77..6d74f97 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/RoleAuthorization.java
@@ -41,6 +41,7 @@ public enum RoleAuthorization {
   CLUSTER_MANAGE_CREDENTIALS("CLUSTER.MANAGE_CREDENTIALS"),
   CLUSTER_MODIFY_CONFIGS("CLUSTER.MODIFY_CONFIGS"),
   CLUSTER_MANAGE_CONFIG_GROUPS("CLUSTER.MANAGE_CONFIG_GROUPS"),
+  CLUSTER_MANAGE_ALERTS("CLUSTER.MANAGE_ALERTS"),
   CLUSTER_TOGGLE_ALERTS("CLUSTER.TOGGLE_ALERTS"),
   CLUSTER_TOGGLE_KERBEROS("CLUSTER.TOGGLE_KERBEROS"),
   CLUSTER_UPGRADE_DOWNGRADE_STACK("CLUSTER.UPGRADE_DOWNGRADE_STACK"),
@@ -60,6 +61,7 @@ public enum RoleAuthorization {
   SERVICE_DECOMMISSION_RECOMMISSION("SERVICE.DECOMMISSION_RECOMMISSION"),
   SERVICE_ENABLE_HA("SERVICE.ENABLE_HA"),
   SERVICE_MANAGE_CONFIG_GROUPS("SERVICE.MANAGE_CONFIG_GROUPS"),
+  SERVICE_MANAGE_ALERTS("SERVICE.MANAGE_ALERTS"),
   SERVICE_MODIFY_CONFIGS("SERVICE.MODIFY_CONFIGS"),
   SERVICE_MOVE("SERVICE.MOVE"),
   SERVICE_RUN_CUSTOM_COMMAND("SERVICE.RUN_CUSTOM_COMMAND"),

http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog230.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog230.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog230.java
index 57eafa6..38b3c6b 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog230.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog230.java
@@ -170,7 +170,7 @@ public class UpgradeCatalog230 extends AbstractUpgradeCatalog {
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.VIEW_STATUS_INFO'", "'View status information'"}, false);
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.VIEW_CONFIGS'", "'View configurations'"}, false);
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.COMPARE_CONFIGS'", "'Compare configurations'"}, false);
-    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.VIEW_ALERTS'", "'View service alerts'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.VIEW_ALERTS'", "'View service-level alerts'"}, false);
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.START_STOP'", "'Start/Stop/Restart Service'"}, false);
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.DECOMMISSION_RECOMMISSION'", "'Decommission/recommission'"}, false);
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.RUN_SERVICE_CHECK'", "'Run service checks'"}, false);
@@ -178,9 +178,10 @@ public class UpgradeCatalog230 extends AbstractUpgradeCatalog {
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.RUN_CUSTOM_COMMAND'", "'Perform service-specific tasks'"}, false);
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.MODIFY_CONFIGS'", "'Modify configurations'"}, false);
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.MANAGE_CONFIG_GROUPS'", "'Manage configuration groups'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.MANAGE_ALERTS'", "'Manage service-level alerts'"}, false);
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.MOVE'", "'Move to another host'"}, false);
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.ENABLE_HA'", "'Enable HA'"}, false);
-    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.TOGGLE_ALERTS'", "'Enable/disable service alerts'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.TOGGLE_ALERTS'", "'Enable/disable service-level alerts'"}, false);
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.ADD_DELETE_SERVICES'", "'Add Service to cluster'"}, false);
 
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'HOST.VIEW_METRICS'", "'View metrics'"}, false);
@@ -194,10 +195,11 @@ public class UpgradeCatalog230 extends AbstractUpgradeCatalog {
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_STATUS_INFO'", "'View status information'"}, false);
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_CONFIGS'", "'View configuration'"}, false);
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_STACK_DETAILS'", "'View stack version details'"}, false);
-    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_ALERTS'", "'View alerts'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_ALERTS'", "'View cluster-level alerts'"}, false);
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.MANAGE_CREDENTIALS'", "'Manage external credentials'"}, false);
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.MODIFY_CONFIGS'", "'Modify cluster configurations'"}, false);
-    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.TOGGLE_ALERTS'", "'Enable/disable alerts'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.MANAGE_ALERTS'", "'Manage cluster-level alerts'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.TOGGLE_ALERTS'", "'Enable/disable cluster-level alerts'"}, false);
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.TOGGLE_KERBEROS'", "'Enable/disable Kerberos'"}, false);
     dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.UPGRADE_DOWNGRADE_STACK'", "'Upgrade/downgrade stack'"}, false);
 
@@ -274,6 +276,7 @@ public class UpgradeCatalog230 extends AbstractUpgradeCatalog {
     map.put("SERVICE.MODIFY_CONFIGS", serviceAdministratorAndUp);
     map.put("SERVICE.MANAGE_CONFIG_GROUPS", serviceAdministratorAndUp);
     map.put("CLUSTER.MANAGE_CONFIG_GROUPS", serviceAdministratorAndUp);
+    map.put("SERVICE.MANAGE_ALERTS", serviceAdministratorAndUp);
     map.put("SERVICE.MOVE", serviceAdministratorAndUp);
     map.put("SERVICE.ENABLE_HA", serviceAdministratorAndUp);
     map.put("SERVICE.TOGGLE_ALERTS", serviceAdministratorAndUp);
@@ -291,6 +294,7 @@ public class UpgradeCatalog230 extends AbstractUpgradeCatalog {
     map.put("CLUSTER.VIEW_ALERTS", clusterUserAndUp);
     map.put("CLUSTER.MANAGE_CREDENTIALS", clusterAdministratorAndUp);
     map.put("CLUSTER.MODIFY_CONFIGS", clusterAdministratorAndUp);
+    map.put("CLUSTER.MANAGE_ALERTS", clusterAdministratorAndUp);
     map.put("CLUSTER.TOGGLE_ALERTS", clusterAdministratorAndUp);
     map.put("CLUSTER.TOGGLE_KERBEROS", clusterAdministratorAndUp);
     map.put("CLUSTER.UPGRADE_DOWNGRADE_STACK", clusterAdministratorAndUp);

http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
index 4a980ec..f40a8fd 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
@@ -1024,7 +1024,7 @@ INSERT INTO roleauthorization(authorization_id, authorization_name)
   SELECT 'SERVICE.VIEW_STATUS_INFO', 'View status information' UNION ALL
   SELECT 'SERVICE.VIEW_CONFIGS', 'View configurations' UNION ALL
   SELECT 'SERVICE.COMPARE_CONFIGS', 'Compare configurations' UNION ALL
-  SELECT 'SERVICE.VIEW_ALERTS', 'View service alerts' UNION ALL
+  SELECT 'SERVICE.VIEW_ALERTS', 'View service-level alerts' UNION ALL
   SELECT 'SERVICE.START_STOP', 'Start/Stop/Restart Service' UNION ALL
   SELECT 'SERVICE.DECOMMISSION_RECOMMISSION', 'Decommission/recommission' UNION ALL
   SELECT 'SERVICE.RUN_SERVICE_CHECK', 'Run service checks' UNION ALL
@@ -1032,9 +1032,10 @@ INSERT INTO roleauthorization(authorization_id, authorization_name)
   SELECT 'SERVICE.RUN_CUSTOM_COMMAND', 'Perform service-specific tasks' UNION ALL
   SELECT 'SERVICE.MODIFY_CONFIGS', 'Modify configurations' UNION ALL
   SELECT 'SERVICE.MANAGE_CONFIG_GROUPS', 'Manage configuration groups' UNION ALL
+  SELECT 'SERVICE.MANAGE_ALERTS', 'Manage service-level alerts' UNION ALL
   SELECT 'SERVICE.MOVE', 'Move to another host' UNION ALL
   SELECT 'SERVICE.ENABLE_HA', 'Enable HA' UNION ALL
-  SELECT 'SERVICE.TOGGLE_ALERTS', 'Enable/disable service alerts' UNION ALL
+  SELECT 'SERVICE.TOGGLE_ALERTS', 'Enable/disable service-level alerts' UNION ALL
   SELECT 'SERVICE.ADD_DELETE_SERVICES', 'Add Service to cluster' UNION ALL
   SELECT 'HOST.VIEW_METRICS', 'View metrics' UNION ALL
   SELECT 'HOST.VIEW_STATUS_INFO', 'View status information' UNION ALL
@@ -1046,11 +1047,12 @@ INSERT INTO roleauthorization(authorization_id, authorization_name)
   SELECT 'CLUSTER.VIEW_STATUS_INFO', 'View status information' UNION ALL
   SELECT 'CLUSTER.VIEW_CONFIGS', 'View configuration' UNION ALL
   SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' UNION ALL
-  SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' UNION ALL
+  SELECT 'CLUSTER.VIEW_ALERTS', 'View cluster-level alerts' UNION ALL
   SELECT 'CLUSTER.MANAGE_CREDENTIALS', 'Manage external credentials' UNION ALL
   SELECT 'CLUSTER.MODIFY_CONFIGS', 'Modify cluster configurations' UNION ALL
   SELECT 'CLUSTER.MANAGE_CONFIG_GROUPS', 'Manage cluster config groups' UNION ALL
-  SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' UNION ALL
+  SELECT 'CLUSTER.MANAGE_ALERTS', 'Manage cluster-level alerts' UNION ALL
+  SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable cluster-level alerts' UNION ALL
   SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' UNION ALL
   SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' UNION ALL
   SELECT 'AMBARI.ADD_DELETE_CLUSTERS', 'Create new clusters' UNION ALL
@@ -1118,6 +1120,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
   SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
@@ -1145,6 +1148,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
   SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
   SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
   SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
   SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
   SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
   SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
@@ -1174,7 +1178,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
   SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
-  SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
@@ -1193,6 +1197,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
   SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR';
@@ -1211,7 +1216,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
   SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
-  SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
@@ -1230,6 +1235,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
   SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL

http://git-wip-us.apache.org/repos/asf/ambari/blob/f7ec3bc8/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
index 60bbd30..4305a4c 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
@@ -1016,7 +1016,7 @@ INSERT INTO roleauthorization(authorization_id, authorization_name)
   SELECT 'SERVICE.VIEW_STATUS_INFO', 'View status information' FROM dual UNION ALL
   SELECT 'SERVICE.VIEW_CONFIGS', 'View configurations' FROM dual UNION ALL
   SELECT 'SERVICE.COMPARE_CONFIGS', 'Compare configurations' FROM dual UNION ALL
-  SELECT 'SERVICE.VIEW_ALERTS', 'View service alerts' FROM dual UNION ALL
+  SELECT 'SERVICE.VIEW_ALERTS', 'View service-level alerts' FROM dual UNION ALL
   SELECT 'SERVICE.START_STOP', 'Start/Stop/Restart Service' FROM dual UNION ALL
   SELECT 'SERVICE.DECOMMISSION_RECOMMISSION', 'Decommission/recommission' FROM dual UNION ALL
   SELECT 'SERVICE.RUN_SERVICE_CHECK', 'Run service checks' FROM dual UNION ALL
@@ -1024,9 +1024,10 @@ INSERT INTO roleauthorization(authorization_id, authorization_name)
   SELECT 'SERVICE.RUN_CUSTOM_COMMAND', 'Perform service-specific tasks' FROM dual UNION ALL
   SELECT 'SERVICE.MODIFY_CONFIGS', 'Modify configurations' FROM dual UNION ALL
   SELECT 'SERVICE.MANAGE_CONFIG_GROUPS', 'Manage configuration groups' FROM dual UNION ALL
+  SELECT 'SERVICE.MANAGE_ALERTS', 'Manage service-level alerts' from dual UNION ALL
   SELECT 'SERVICE.MOVE', 'Move to another host' FROM dual UNION ALL
   SELECT 'SERVICE.ENABLE_HA', 'Enable HA' FROM dual UNION ALL
-  SELECT 'SERVICE.TOGGLE_ALERTS', 'Enable/disable service alerts' FROM dual UNION ALL
+  SELECT 'SERVICE.TOGGLE_ALERTS', 'Enable/disable service-level alerts' FROM dual UNION ALL
   SELECT 'SERVICE.ADD_DELETE_SERVICES', 'Add Service to cluster' FROM dual UNION ALL
   SELECT 'HOST.VIEW_METRICS', 'View metrics' FROM dual UNION ALL
   SELECT 'HOST.VIEW_STATUS_INFO', 'View status information' FROM dual UNION ALL
@@ -1038,11 +1039,12 @@ INSERT INTO roleauthorization(authorization_id, authorization_name)
   SELECT 'CLUSTER.VIEW_STATUS_INFO', 'View status information' FROM dual UNION ALL
   SELECT 'CLUSTER.VIEW_CONFIGS', 'View configuration' FROM dual UNION ALL
   SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' FROM dual UNION ALL
-  SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' FROM dual UNION ALL
+  SELECT 'CLUSTER.VIEW_ALERTS', 'View cluster-level alerts' FROM dual UNION ALL
   SELECT 'CLUSTER.MANAGE_CREDENTIALS', 'Manage external credentials' from dual UNION ALL
   SELECT 'CLUSTER.MODIFY_CONFIGS', 'Modify cluster configurations' from dual UNION ALL
   SELECT 'CLUSTER.MANAGE_CONFIG_GROUPS', 'Manage cluster config groups' from dual UNION ALL
-  SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' FROM dual UNION ALL
+  SELECT 'CLUSTER.MANAGE_ALERTS', 'Manage cluster-level alerts' from dual UNION ALL
+  SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable cluster-level alerts' FROM dual UNION ALL
   SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' FROM dual UNION ALL
   SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' FROM dual UNION ALL
   SELECT 'AMBARI.ADD_DELETE_CLUSTERS', 'Create new clusters' FROM dual UNION ALL
@@ -1110,6 +1112,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
   SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
@@ -1137,6 +1140,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
   SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
   SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
   SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
   SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
   SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
   SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
@@ -1167,6 +1171,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
   SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
@@ -1185,6 +1190,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
   SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR';
@@ -1204,6 +1210,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
   SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
@@ -1222,6 +1229,7 @@ INSERT INTO permission_roleauthorization(permission_id, authorization_id)
   SELECT permission_id, 'CLUSTER.MANAGE_CREDENTIALS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.MANAGE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
   SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL


Mime
View raw message