From rle...@apache.org
Subject ambari git commit: AMBARI-14197. Enforce granular role-based access control for Views functions (rlevas)
Date Thu, 10 Dec 2015 18:08:14 GMT
Repository: ambari
Updated Branches:
  refs/heads/trunk 5ed67a090 -> 1c218dc74


AMBARI-14197. Enforce granular role-based access control for Views functions (rlevas)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/1c218dc7
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/1c218dc7
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/1c218dc7

Branch: refs/heads/trunk
Commit: 1c218dc749e4b7687b52cbbd7ef7ef5f471aa886
Parents: 5ed67a0
Author: Robert Levas <rlevas@hortonworks.com>
Authored: Thu Dec 10 13:07:55 2015 -0500
Committer: Robert Levas <rlevas@hortonworks.com>
Committed: Thu Dec 10 13:08:04 2015 -0500

----------------------------------------------------------------------
 .../api/services/ViewInstanceService.java       | 52 ++++++------------
 .../internal/ViewInstanceResourceProvider.java  | 15 +++--
 .../internal/ViewPrivilegeResourceProvider.java |  8 +++
 .../internal/ViewResourceProvider.java          | 16 ++++--
 .../AmbariAuthorizationFilter.java              | 31 +----------
 .../authorization/AuthorizationHelper.java      | 20 +++++++
 .../apache/ambari/server/view/ViewRegistry.java | 42 +++++++-------
 .../ViewInstanceResourceProviderTest.java       | 41 +++++++++++++-
 .../security/TestAuthenticationFactory.java     | 45 ++++++++++++++-
 .../AmbariAuthorizationFilterTest.java          | 49 ++++++-----------
 .../ambari/server/view/ViewRegistryTest.java    | 58 ++++++++------------
 11 files changed, 212 insertions(+), 165 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/1c218dc7/ambari-server/src/main/java/org/apache/ambari/server/api/services/ViewInstanceService.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/api/services/ViewInstanceService.java b/ambari-server/src/main/java/org/apache/ambari/server/api/services/ViewInstanceService.java
index 05c5079..1eea8db 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/api/services/ViewInstanceService.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/api/services/ViewInstanceService.java
@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -21,6 +21,7 @@ package org.apache.ambari.server.api.services;
 import org.apache.ambari.server.api.resources.ResourceInstance;
 import org.apache.ambari.server.controller.spi.Resource;
 import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
 import org.apache.ambari.server.view.ViewRegistry;
 
 import javax.ws.rs.DELETE;
@@ -68,7 +69,7 @@ public class ViewInstanceService extends BaseService {
    */
   public ViewInstanceService(String viewName, String version) {
     this.viewName = viewName;
-    this.version  = version;
+    this.version = version;
 
     viewRegistry = ViewRegistry.getInstance();
   }
@@ -90,11 +91,8 @@ public class ViewInstanceService extends BaseService {
   @Path("{instanceName}")
   @Produces("text/plain")
   public Response getService(String body, @Context HttpHeaders headers, @Context UriInfo ui,
-                             @PathParam("instanceName") String instanceName) {
-
-    hasPermission(Request.Type.GET, instanceName);
-    return handleRequest(headers, body, ui, Request.Type.GET,
-        createResource(viewName, version, instanceName));
+                             @PathParam("instanceName") String instanceName) throws AuthorizationException {
+    return handleRequest(headers, body, ui, Request.Type.GET, createResource(viewName, version, instanceName));
   }
 
   /**
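Review bot: With `hasPermission(Request.Type.GET, instanceName)` removed from `getService`, no replacement check for reads is visible in this commit; the `ViewInstanceResourceProvider` constructor sets required authorizations for create, delete and update only. If the provider's read path does not already filter instances by the caller's view permission (not shown in this diff), instance definitions become readable by callers who previously failed the service-level check. That should be confirmed and pinned with a test using a non-administrator caller. The same applies to the `getServices` hunk that follows. A comment on the method such as `// read access is filtered per instance by the resource provider` would make the delegation explicit.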
@@ -108,11 +106,8 @@ public class ViewInstanceService extends BaseService {
    */
   @GET
   @Produces("text/plain")
-  public Response getServices(String body, @Context HttpHeaders headers, @Context UriInfo ui) {
-
-    hasPermission(Request.Type.GET, null);
-    return handleRequest(headers, body, ui, Request.Type.GET,
-        createResource(viewName, version,  null));
+  public Response getServices(String body, @Context HttpHeaders headers, @Context UriInfo ui) throws AuthorizationException {
+    return handleRequest(headers, body, ui, Request.Type.GET, createResource(viewName, version, null));
   }
 
   /**
@@ -130,10 +125,8 @@ public class ViewInstanceService extends BaseService {
   @Path("{instanceName}")
   @Produces("text/plain")
   public Response createService(String body, @Context HttpHeaders headers, @Context UriInfo ui,
-                                @PathParam("instanceName") String instanceName) {
-    hasPermission(Request.Type.POST, instanceName);
-    return handleRequest(headers, body, ui, Request.Type.POST,
-        createResource(viewName, version,  instanceName));
+                                @PathParam("instanceName") String instanceName) throws AuthorizationException {
+    return handleRequest(headers, body, ui, Request.Type.POST, createResource(viewName, version, instanceName));
   }
 
   /**
@@ -148,11 +141,8 @@ public class ViewInstanceService extends BaseService {
    */
   @POST
   @Produces("text/plain")
-  public Response createServices(String body, @Context HttpHeaders headers, @Context UriInfo ui) {
-
-    hasPermission(Request.Type.POST, null);
-    return handleRequest(headers, body, ui, Request.Type.POST,
-        createResource(viewName, version,  null));
+  public Response createServices(String body, @Context HttpHeaders headers, @Context UriInfo ui) throws AuthorizationException {
+    return handleRequest(headers, body, ui, Request.Type.POST, createResource(viewName, version, null));
   }
 
   /**
@@ -170,10 +160,8 @@ public class ViewInstanceService extends BaseService {
   @Path("{instanceName}")
   @Produces("text/plain")
   public Response updateService(String body, @Context HttpHeaders headers, @Context UriInfo ui,
-                                @PathParam("instanceName") String instanceName) {
-
-    hasPermission(Request.Type.PUT, instanceName);
-    return handleRequest(headers, body, ui, Request.Type.PUT, createResource(viewName, version,  instanceName));
+                                @PathParam("instanceName") String instanceName) throws AuthorizationException {
+    return handleRequest(headers, body, ui, Request.Type.PUT, createResource(viewName, version, instanceName));
   }
 
   /**
@@ -188,10 +176,8 @@ public class ViewInstanceService extends BaseService {
    */
   @PUT
   @Produces("text/plain")
-  public Response updateServices(String body, @Context HttpHeaders headers, @Context UriInfo ui) {
-
-    hasPermission(Request.Type.PUT, null);
-    return handleRequest(headers, body, ui, Request.Type.PUT, createResource(viewName, version,  null));
+  public Response updateServices(String body, @Context HttpHeaders headers, @Context UriInfo ui) throws AuthorizationException {
+    return handleRequest(headers, body, ui, Request.Type.PUT, createResource(viewName, version, null));
   }
 
   /**
@@ -208,10 +194,8 @@ public class ViewInstanceService extends BaseService {
   @Path("{instanceName}")
   @Produces("text/plain")
   public Response deleteService(@Context HttpHeaders headers, @Context UriInfo ui,
-                                @PathParam("instanceName") String instanceName) {
-
-    hasPermission(Request.Type.DELETE, instanceName);
-    return handleRequest(headers, null, ui, Request.Type.DELETE, createResource(viewName, version,  instanceName));
+                                @PathParam("instanceName") String instanceName) throws AuthorizationException {
+    return handleRequest(headers, null, ui, Request.Type.DELETE, createResource(viewName, version, instanceName));
   }
 
   /**
@@ -269,7 +253,7 @@ public class ViewInstanceService extends BaseService {
    * @return a view instance resource
    */
   private ResourceInstance createResource(String viewName, String viewVersion, String instanceName) {
-    Map<Resource.Type,String> mapIds = new HashMap<Resource.Type, String>();
+    Map<Resource.Type, String> mapIds = new HashMap<Resource.Type, String>();
     mapIds.put(Resource.Type.View, viewName);
     mapIds.put(Resource.Type.ViewVersion, viewVersion);
     mapIds.put(Resource.Type.ViewInstance, instanceName);

http://git-wip-us.apache.org/repos/asf/ambari/blob/1c218dc7/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewInstanceResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewInstanceResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewInstanceResourceProvider.java
index 71d0826..750a347 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewInstanceResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewInstanceResourceProvider.java
@@ -34,6 +34,7 @@ import org.apache.ambari.server.controller.utilities.PropertyHelper;
 import org.apache.ambari.server.orm.entities.ViewEntity;
 import org.apache.ambari.server.orm.entities.ViewInstanceDataEntity;
 import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
 import org.apache.ambari.server.view.ViewRegistry;
 import org.apache.ambari.server.view.validation.InstanceValidationResultImpl;
 import org.apache.ambari.server.view.validation.ValidationException;
@@ -41,6 +42,7 @@ import org.apache.ambari.server.view.validation.ValidationResultImpl;
 import org.apache.ambari.view.validation.Validator;
 
 import java.util.Collections;
+import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -50,7 +52,7 @@ import java.util.Set;
 /**
  * Resource provider for view instances.
  */
-public class ViewInstanceResourceProvider extends AbstractResourceProvider {
+public class ViewInstanceResourceProvider extends AbstractAuthorizedResourceProvider {
 
   /**
    * View instance property id constants.
@@ -118,13 +120,18 @@ public class ViewInstanceResourceProvider extends AbstractResourceProvider {
    */
   public ViewInstanceResourceProvider() {
     super(propertyIds, keyPropertyIds);
+
+    EnumSet<RoleAuthorization> requiredAuthorizations = EnumSet.of(RoleAuthorization.AMBARI_MANAGE_VIEWS);
+    setRequiredCreateAuthorizations(requiredAuthorizations);
+    setRequiredDeleteAuthorizations(requiredAuthorizations);
+    setRequiredUpdateAuthorizations(requiredAuthorizations);
   }
 
 
   // ----- ResourceProvider --------------------------------------------------
 
   @Override
-  public RequestStatus createResources(Request request)
+  protected RequestStatus createResourcesAuthorized(Request request)
       throws SystemException, UnsupportedPropertyException,
              ResourceAlreadyExistsException, NoSuchParentResourceException {
     for (Map<String, Object> properties : request.getProperties()) {
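Review bot: One mutable `EnumSet` instance is handed to all three `setRequired*Authorizations` calls in the constructor. Whether the setters copy it is not visible here; if they keep the reference, the create, delete and update requirements alias a single set. Passing a fresh `EnumSet.of(RoleAuthorization.AMBARI_MANAGE_VIEWS)` per call, or a shared unmodifiable constant, avoids that. The same block is repeated in the `ViewPrivilegeResourceProvider` and `ViewResourceProvider` constructors. The body of `createResourcesAuthorized` continues past the end of this hunk.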
@@ -176,7 +183,7 @@ public class ViewInstanceResourceProvider extends AbstractResourceProvider {
   }
 
   @Override
-  public RequestStatus updateResources(Request request, Predicate predicate)
+  protected RequestStatus updateResourcesAuthorized(Request request, Predicate predicate)
       throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
 
     Iterator<Map<String,Object>> iterator = request.getProperties().iterator();
@@ -191,7 +198,7 @@ public class ViewInstanceResourceProvider extends AbstractResourceProvider {
   }
 
   @Override
-  public RequestStatus deleteResources(Predicate predicate)
+  protected RequestStatus deleteResourcesAuthorized(Predicate predicate)
       throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
 
     modifyResources(getDeleteCommand(predicate));

http://git-wip-us.apache.org/repos/asf/ambari/blob/1c218dc7/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
index a1a9c46..e5bd224 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
@@ -18,6 +18,7 @@
 package org.apache.ambari.server.controller.internal;
 
 import java.util.Collections;
+import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
@@ -34,6 +35,7 @@ import org.apache.ambari.server.orm.entities.UserEntity;
 import org.apache.ambari.server.orm.entities.ViewEntity;
 import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
 import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
 import org.apache.ambari.server.view.ViewRegistry;
 
 /**
@@ -88,6 +90,12 @@ public class ViewPrivilegeResourceProvider extends PrivilegeResourceProvider<Vie
   public ViewPrivilegeResourceProvider() {
     super(propertyIds, keyPropertyIds, Resource.Type.ViewPrivilege);
     viewUsePermission = permissionDAO.findById(PermissionEntity.VIEW_USER_PERMISSION);
+
+    EnumSet<RoleAuthorization> requiredAuthorizations = EnumSet.of(RoleAuthorization.AMBARI_MANAGE_VIEWS);
+    setRequiredCreateAuthorizations(requiredAuthorizations);
+    setRequiredDeleteAuthorizations(requiredAuthorizations);
+    setRequiredGetAuthorizations(requiredAuthorizations);
+    setRequiredUpdateAuthorizations(requiredAuthorizations);
   }
 
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/1c218dc7/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewResourceProvider.java
index bc92a91..ee01927 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewResourceProvider.java
@@ -28,9 +28,11 @@ import org.apache.ambari.server.controller.spi.ResourceAlreadyExistsException;
 import org.apache.ambari.server.controller.spi.SystemException;
 import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
 import org.apache.ambari.server.orm.entities.ViewEntity;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
 import org.apache.ambari.server.view.ViewRegistry;
 
 import java.util.Collections;
+import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
@@ -39,7 +41,7 @@ import java.util.Set;
 /**
  * Resource provider for view instances.
  */
-public class ViewResourceProvider extends AbstractResourceProvider {
+public class ViewResourceProvider extends AbstractAuthorizedResourceProvider {
 
   /**
    * View property id constants.
@@ -71,13 +73,18 @@ public class ViewResourceProvider extends AbstractResourceProvider {
    */
   public ViewResourceProvider() {
     super(propertyIds, keyPropertyIds);
+
+    EnumSet<RoleAuthorization> requiredAuthorizations = EnumSet.of(RoleAuthorization.AMBARI_MANAGE_VIEWS);
+    setRequiredCreateAuthorizations(requiredAuthorizations);
+    setRequiredDeleteAuthorizations(requiredAuthorizations);
+    setRequiredUpdateAuthorizations(requiredAuthorizations);
   }
 
 
   // ----- ResourceProvider --------------------------------------------------
 
   @Override
-  public RequestStatus createResources(Request request)
+  protected RequestStatus createResourcesAuthorized(Request request)
       throws SystemException, UnsupportedPropertyException,
              ResourceAlreadyExistsException, NoSuchParentResourceException {
     throw new UnsupportedOperationException("Not yet supported.");
@@ -112,17 +119,18 @@ public class ViewResourceProvider extends AbstractResourceProvider {
         }
       }
     }
+
     return resources;
   }
 
   @Override
-  public RequestStatus updateResources(Request request, Predicate predicate)
+  protected RequestStatus updateResourcesAuthorized(Request request, Predicate predicate)
       throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
     throw new UnsupportedOperationException("Not yet supported.");
   }
 
   @Override
-  public RequestStatus deleteResources(Predicate predicate)
+  protected RequestStatus deleteResourcesAuthorized(Predicate predicate)
       throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
     throw new UnsupportedOperationException("Not yet supported.");
   }

http://git-wip-us.apache.org/repos/asf/ambari/blob/1c218dc7/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
index 5146cca..d817ad7 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
@@ -20,7 +20,6 @@ package org.apache.ambari.server.security.authorization;
 
 import java.io.IOException;
 import java.security.Principal;
-import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 import javax.servlet.Filter;
@@ -36,7 +35,6 @@ import com.google.inject.Inject;
 import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.apache.ambari.server.orm.entities.PrivilegeEntity;
-import org.apache.ambari.server.orm.entities.ViewInstanceEntity.ViewInstanceVersionDTO;
 import org.apache.ambari.server.security.authorization.internal.InternalAuthenticationToken;
 import org.apache.ambari.server.view.ViewRegistry;
 import org.apache.commons.lang.StringUtils;
@@ -191,17 +189,9 @@ public class AmbariAuthorizationFilter implements Filter {
         }
       }
 
-      if (!authorized && requestURI.matches(VIEWS_CONTEXT_PATH_PATTERN)) {
-        final ViewInstanceVersionDTO dto = parseViewInstanceInfo(requestURI);
-        authorized = getViewRegistry().checkPermission(dto.getViewName(), dto.getVersion(), dto.getInstanceName(), true);
-      }
-
-
       // allow GET for everything except /views, /api/v1/users, /api/v1/groups, /api/v1/ldap_sync_events
       if (!authorized &&
           (!httpRequest.getMethod().equals("GET")
-              || requestURI.matches(VIEWS_CONTEXT_ALL_PATTERN)
-              || requestURI.matches(API_GROUPS_ALL_PATTERN)
               || requestURI.matches(API_LDAP_SYNC_EVENTS_ALL_PATTERN))) {
 
         httpResponse.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
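Review bot: The comment `// allow GET for everything except /views, /api/v1/users, /api/v1/groups, /api/v1/ldap_sync_events` no longer matches the condition below it, which now excludes only `API_LDAP_SYNC_EVENTS_ALL_PATTERN` from the GET fall-through. Dropping `API_GROUPS_ALL_PATTERN` is not explained by the commit message, which is about Views. Unless group reads are authorized elsewhere (not visible in this hunk), a GET on the groups API by a caller without a matching privilege appears to pass this filter now. Either restore that line or update the comment to what the condition actually excludes, e.g. `// allow GET for everything except /api/v1/ldap_sync_events`. The enclosing method starts and ends outside the hunk.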
@@ -264,6 +254,8 @@ public class AmbariAuthorizationFilter implements Filter {
         requestURI.matches(API_CLUSTER_SERVICES_ALL_PATTERN) ||
         requestURI.matches(API_CLUSTERS_PATTERN) ||
         requestURI.matches(API_STACK_VERSIONS_PATTERN) ||
+        requestURI.matches(API_VIEWS_ALL_PATTERN) ||
+        requestURI.matches(VIEWS_CONTEXT_PATH_PATTERN) ||
         requestURI.matches(API_WIDGET_LAYOUTS_PATTERN) ||
         requestURI.matches(API_HOSTS_ALL_PATTERN) ||
         requestURI.matches(API_HOSTS_ALL) ||
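Review bot: Adding `VIEWS_CONTEXT_PATH_PATTERN` to this list appears to exempt view context paths from the filter's own decision, while the same commit removes the filter's `getViewRegistry().checkPermission(...)` call for those paths. Requests matching `API_VIEWS_ALL_PATTERN` reach resource providers that now require `AMBARI_MANAGE_VIEWS` for writes, but nothing in this diff shows what authorizes requests under a view's context path. Confirm that a per-instance check still runs for them, and add a filter test with a user who lacks `VIEW_USE` on the instance. The enclosing method is outside the hunk, so its role is inferred from the neighbouring patterns.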
@@ -296,25 +288,6 @@ public class AmbariAuthorizationFilter implements Filter {
     return value == null || value.length() == 0 ? defaultValue : value;
   }
 
-  /**
-   * Parses context path into view name, version and instance name
-   *
-   * @param contextPath the context path
-   * @return null if context path doesn't match correct pattern
-   */
-  static ViewInstanceVersionDTO parseViewInstanceInfo(String contextPath) {
-    final Pattern pattern = Pattern.compile(VIEWS_CONTEXT_PATH_PATTERN);
-    final Matcher matcher = pattern.matcher(contextPath);
-    if (!matcher.matches()) {
-      return null;
-    } else {
-      final String viewName = matcher.group(1);
-      final String version = matcher.group(2);
-      final String instanceName = matcher.group(3);
-      return new ViewInstanceVersionDTO(viewName, version, instanceName);
-    }
-  }
-
   SecurityContext getSecurityContext() {
     return SecurityContextHolder.getContext();
   }

http://git-wip-us.apache.org/repos/asf/ambari/blob/1c218dc7/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
index 1b3e6f4..565c487 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
@@ -215,6 +215,26 @@ public class AuthorizationHelper {
    *
    * @param resourceType           a resource type being acted upon
    * @param resourceId             the resource id (relative to the resource type) being acted upon
+   * @param requiredAuthorization the required authorization
+   * @throws AuthorizationException if authorization is not granted
+   * @see #isAuthorized(ResourceType, Long, Set)
+   */
+  public static void verifyAuthorization(ResourceType resourceType,
+                                         Long resourceId,
+                                         RoleAuthorization requiredAuthorization)
+      throws AuthorizationException {
+    verifyAuthorization(resourceType, resourceId, EnumSet.of(requiredAuthorization));
+  }
+
+  /**
+   * Determines if the authenticated user (from application's security context) is authorized to
+   * perform an operation on the the specific resource by matching the authenticated user's
+   * authorizations with one from the provided set of authorizations.
+   * <p/>
+   * If not authorized, an {@link AuthorizationException} will be thrown.
+   *
+   * @param resourceType           a resource type being acted upon
+   * @param resourceId             the resource id (relative to the resource type) being acted upon
    * @param requiredAuthorizations a set of requirements for which one match will allow authorization
    * @throws AuthorizationException if authorization is not granted
    * @see #isAuthorized(ResourceType, Long, Set)
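Review bot: The new single-authorization `verifyAuthorization` overload calls `EnumSet.of(requiredAuthorization)`, which throws `NullPointerException` for a null argument, so such a caller gets an unchecked exception instead of the documented `AuthorizationException`. Either add `@throws NullPointerException if requiredAuthorization is null` or guard the argument explicitly. Its Javadoc links `@see #isAuthorized(ResourceType, Long, Set)`; the overload that mirrors it, as called from `ViewRegistry` in this commit, would be `@see #isAuthorized(ResourceType, Long, RoleAuthorization)`. The re-created Javadoc for the set-based overload also has a doubled word in "the the specific resource". The Javadoc of the new overload begins above the hunk.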

http://git-wip-us.apache.org/repos/asf/ambari/blob/1c218dc7/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java b/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java
index 895e987..8c6c2a7 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java
@@ -63,7 +63,9 @@ import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
 import org.apache.ambari.server.orm.entities.ViewParameterEntity;
 import org.apache.ambari.server.orm.entities.ViewResourceEntity;
 import org.apache.ambari.server.security.SecurityHelper;
-import org.apache.ambari.server.security.authorization.AmbariGrantedAuthority;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
 import org.apache.ambari.server.state.Clusters;
 import org.apache.ambari.server.state.StackId;
 import org.apache.ambari.server.state.stack.OsFamily;
@@ -91,7 +93,6 @@ import org.apache.ambari.view.events.Event;
 import org.apache.ambari.view.events.Listener;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.security.core.GrantedAuthority;
 
 import javax.inject.Inject;
 import javax.inject.Provider;
@@ -1394,29 +1395,24 @@ public class ViewRegistry {
 
   // check that the current user is authorized to access the given view instance resource
   private boolean checkAuthorization(ResourceEntity resourceEntity) {
-    for (GrantedAuthority grantedAuthority : securityHelper.getCurrentAuthorities()) {
-      if (grantedAuthority instanceof AmbariGrantedAuthority) {
-
-        AmbariGrantedAuthority authority       = (AmbariGrantedAuthority) grantedAuthority;
-        PrivilegeEntity        privilegeEntity = authority.getPrivilegeEntity();
-        Integer                permissionId    = privilegeEntity.getPermission().getId();
-
-        // admin has full access
-        if (permissionId.equals(PermissionEntity.AMBARI_ADMINISTRATOR_PERMISSION)) {
-          return true;
-        }
-        if (resourceEntity != null) {
-          // VIEW.USER for the given view instance resource.
-          if (privilegeEntity.getResource().equals(resourceEntity)) {
-            if (permissionId.equals(PermissionEntity.VIEW_USER_PERMISSION)) {
-              return true;
-            }
-          }
-        }
+    Long resourceId = null;
+
+    // Get the relevant resource id from the ResourceEntity. Essentially, this will need to be
+    // the resource's Id, but for now it needs to be the resource type Id due to the existing architecture
+    // of the authorization (admin*) tables.
+    if(resourceEntity != null) {
+      ResourceTypeEntity resourceType = resourceEntity.getResourceType();
+
+      if(resourceType != null) {
+        Integer resourceTypeId = resourceType.getId();
+        if (resourceTypeId != null)
+          resourceId = resourceTypeId.longValue();
       }
     }
-    // TODO : should we log this?
-    return false;
+
+    return (resourceId == null)
+        ? AuthorizationHelper.isAuthorized(ResourceType.AMBARI, null, RoleAuthorization.AMBARI_MANAGE_VIEWS)
+        : AuthorizationHelper.isAuthorized(ResourceType.VIEW, resourceId, RoleAuthorization.VIEW_USE);
   }
 
   // fire the onDeploy event.
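Review bot: `checkAuthorization` now passes the resource type id as `resourceId` to `AuthorizationHelper.isAuthorized(ResourceType.VIEW, ...)`, where the removed code compared the privilege's resource with the instance's own `resourceEntity`. The added comment admits this is a stand-in for the resource's id. Depending on how `isAuthorized` matches ids (not shown here), a user granted `VIEW_USE` on one instance may be authorized for other instances of the same resource type. Mark the limitation at the call with a tracked TODO, e.g. `// TODO(<tracking-issue>): pass resourceEntity.getId() once the admin* tables allow per-instance matching`, and add a `ViewRegistryTest` case with two instances of one view. The inner `if (resourceTypeId != null)` should also get braces.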

http://git-wip-us.apache.org/repos/asf/ambari/blob/1c218dc7/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewInstanceResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewInstanceResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewInstanceResourceProviderTest.java
index 1af7264..4b6700d 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewInstanceResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewInstanceResourceProviderTest.java
@@ -26,13 +26,18 @@ import org.apache.ambari.server.controller.utilities.PropertyHelper;
 import org.apache.ambari.server.orm.entities.ViewEntity;
 import org.apache.ambari.server.orm.entities.ViewInstanceDataEntity;
 import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
 import org.apache.ambari.server.view.ViewRegistry;
 import org.apache.ambari.server.view.configuration.ViewConfig;
 import org.apache.ambari.view.ViewDefinition;
 import org.easymock.Capture;
+import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
 
 import java.util.Collections;
 import java.util.HashMap;
@@ -57,6 +62,11 @@ public class ViewInstanceResourceProviderTest {
     reset(singleton);
   }
 
+  @After
+  public void clearAuthentication() {
+    SecurityContextHolder.getContext().setAuthentication(null);
+  }
+
   @Test
   public void testToResource() throws Exception {
     ViewInstanceResourceProvider provider = new ViewInstanceResourceProvider();
@@ -108,7 +118,16 @@ public class ViewInstanceResourceProviderTest {
   }
 
   @Test
-  public void testCreateResources() throws Exception {
+  public void testCreateResourcesAsAdministrator() throws Exception {
+    testCreateResources(TestAuthenticationFactory.createAdministrator());
+  }
+
+  @Test(expected = AuthorizationException.class)
+  public void testCreateResourcesAsClusterAdministrator() throws Exception {
+    testCreateResources(TestAuthenticationFactory.createClusterAdministrator());
+  }
+
+  private void testCreateResources(Authentication authentication) throws Exception {
     ViewInstanceResourceProvider provider = new ViewInstanceResourceProvider();
 
     Set<Map<String, Object>> properties = new HashSet<Map<String, Object>>();
@@ -156,6 +175,8 @@ public class ViewInstanceResourceProviderTest {
 
     replay(singleton);
 
+    SecurityContextHolder.getContext().setAuthentication(authentication);
+
     // as admin
     provider.createResources(PropertyHelper.getCreateRequest(properties, null));
     assertEquals(viewInstanceEntity, instanceEntityCapture.getValue());
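Review bot: The `// as admin` comment kept above `provider.createResources(...)` is stale, because `testCreateResources` now takes the `Authentication` as a parameter and also runs with `createClusterAdministrator()`. Replace it with something like `// runs as the supplied authentication; non-administrators are expected to fail with AuthorizationException`. The helper's body starts and ends outside this hunk.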
@@ -204,6 +225,8 @@ public class ViewInstanceResourceProviderTest {
 
     replay(singleton);
 
+    SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
+
     try {
       provider.createResources(PropertyHelper.getCreateRequest(properties, null));
       fail("Expected ResourceAlreadyExistsException.");
@@ -243,6 +266,8 @@ public class ViewInstanceResourceProviderTest {
 
     replay(singleton);
 
+    SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
+
     try {
       provider.createResources(PropertyHelper.getCreateRequest(properties, null));
       fail("Expected IllegalStateException.");
@@ -280,6 +305,8 @@ public class ViewInstanceResourceProviderTest {
 
     replay(singleton);
 
+    SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
+
     provider.updateResources(PropertyHelper.getCreateRequest(properties, null), predicate);
 
     Assert.assertNull(viewInstanceEntity.getIcon());
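Review bot: `updateResources` is exercised only with `TestAuthenticationFactory.createAdministrator()`, while create and delete each gained an `...AsClusterAdministrator` case expecting `AuthorizationException`. The constructor also calls `setRequiredUpdateAuthorizations`, so the update path needs the same negative test. Splitting this test into a private helper that takes an `Authentication`, as was done for create and delete, would cover it. The test method starts and ends outside this hunk.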
@@ -288,7 +315,16 @@ public class ViewInstanceResourceProviderTest {
   }
 
   @Test
-  public void testDeleteResources_viewNotLoaded() throws Exception {
+  public void testDeleteResourcesAsAdministrator() throws Exception {
+    testDeleteResources(TestAuthenticationFactory.createAdministrator());
+  }
+
+  @Test(expected = AuthorizationException.class)
+  public void testDeleteResourcesAsClusterAdministrator() throws Exception {
+    testDeleteResources(TestAuthenticationFactory.createClusterAdministrator());
+  }
+
+  private void testDeleteResources(Authentication authentication) throws Exception {
     ViewInstanceResourceProvider provider = new ViewInstanceResourceProvider();
 
     PredicateBuilder predicateBuilder = new PredicateBuilder();
@@ -307,6 +343,7 @@ public class ViewInstanceResourceProviderTest {
 
     replay(singleton);
 
+    SecurityContextHolder.getContext().setAuthentication(authentication);
     provider.deleteResources(predicate);
 
     verify(singleton);

http://git-wip-us.apache.org/repos/asf/ambari/blob/1c218dc7/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java b/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
index 8abe757..692133f 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
@@ -76,6 +76,14 @@ public class TestAuthenticationFactory {
     return new TestAuthorization(name, Collections.singleton(createClusterUserGrantedAuthority()));
   }
 
+  public static Authentication createViewUser(Long viewResourceId) {
+    return createViewUser("viewUser", viewResourceId);
+  }
+
+  public static Authentication createViewUser(String name, Long viewResourceId) {
+    return new TestAuthorization(name, Collections.singleton(createViewUserGrantedAuthority(viewResourceId)));
+  }
+
   private static GrantedAuthority createAdministratorGrantedAuthority() {
     return new AmbariGrantedAuthority(createAdministratorPrivilegeEntity());
   }
@@ -96,6 +104,10 @@ public class TestAuthenticationFactory {
     return new AmbariGrantedAuthority(createClusterUserPrivilegeEntity());
   }
 
+  private static GrantedAuthority createViewUserGrantedAuthority(Long resourceId) {
+    return new AmbariGrantedAuthority(createViewUserPrivilegeEntity(resourceId));
+  }
+
   private static PrivilegeEntity createAdministratorPrivilegeEntity() {
     PrivilegeEntity privilegeEntity = new PrivilegeEntity();
     privilegeEntity.setResource(createAmbariResourceEntity());
@@ -131,6 +143,13 @@ public class TestAuthenticationFactory {
     return privilegeEntity;
   }
 
+  private static PrivilegeEntity createViewUserPrivilegeEntity(Long resourceId) {
+    PrivilegeEntity privilegeEntity = new PrivilegeEntity();
+    privilegeEntity.setResource(createViewResourceEntity(resourceId));
+    privilegeEntity.setPermission(createViewUserPermission());
+    return privilegeEntity;
+  }
+
   private static PermissionEntity createAdministratorPermission() {
     PermissionEntity permissionEntity = new PermissionEntity();
     permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.AMBARI));
@@ -251,6 +270,15 @@ public class TestAuthenticationFactory {
     return permissionEntity;
   }
 
+  private static PermissionEntity createViewUserPermission() {
+    PermissionEntity permissionEntity = new PermissionEntity();
+    permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.CLUSTER));
+    permissionEntity.setAuthorizations(createAuthorizations(EnumSet.of(
+        RoleAuthorization.VIEW_USE
+    )));
+    return permissionEntity;
+  }
+
   private static ResourceEntity createAmbariResourceEntity() {
     ResourceEntity resourceEntity = new ResourceEntity();
     resourceEntity.setId(null);
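Review bot: `createViewUserPermission` builds the view-user permission with `ResourceType.CLUSTER`, which looks carried over from one of the cluster permission helpers rather than intended. If the authorization check compares the permission's resource type, an authentication built by this factory would not resemble a real view user, and tests could pass or fail for the wrong reason. Unless CLUSTER is deliberate, use `permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.VIEW));`; if it is deliberate, add a comment saying why a view permission is cluster-typed.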
@@ -265,10 +293,23 @@ public class TestAuthenticationFactory {
     return resourceEntity;
   }
 
+  private static ResourceEntity createViewResourceEntity(Long resourceId) {
+    ResourceEntity resourceEntity = new ResourceEntity();
+    resourceEntity.setId(resourceId);
+    if(resourceId != null) {
+      resourceEntity.setResourceType(createResourceTypeEntity(ResourceType.VIEW.name(), resourceId.intValue()));
+    }
+    return resourceEntity;
+  }
+
   private static ResourceTypeEntity createResourceTypeEntity(ResourceType resourceType) {
+    return createResourceTypeEntity(resourceType.name(), resourceType.getId());
+  }
+
+  private static ResourceTypeEntity createResourceTypeEntity(String resourceName, Integer resourceId) {
     ResourceTypeEntity resourceTypeEntity = new ResourceTypeEntity();
-    resourceTypeEntity.setId(resourceType.getId());
-    resourceTypeEntity.setName(resourceType.name());
+    resourceTypeEntity.setId(resourceId.intValue());
+    resourceTypeEntity.setName(resourceName);
     return resourceTypeEntity;
   }
 
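Review bot: `createViewResourceEntity` reuses the view's resource id as the id of its resource type (`createResourceTypeEntity(ResourceType.VIEW.name(), resourceId.intValue())`), so the two ids are indistinguishable in every test that uses `createViewUser`. The ViewRegistryTest hunk that calls `createViewUser(resourceEntity.getResourceType().getId().longValue())` depends on this, passing a resource type id where the parameter is named `viewResourceId`. A test built this way cannot tell whether the code under test matches on the resource or on its type. Rename the second parameter of the new overload to `resourceTypeId`, and add a Javadoc line on `createViewUser` stating which id callers must pass. With a null `resourceId` the returned entity has no resource type at all, which is also worth a comment.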

http://git-wip-us.apache.org/repos/asf/ambari/blob/1c218dc7/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
index 03a7442..4cab770 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
@@ -202,7 +202,7 @@ public class AmbariAuthorizationFilterTest {
     urlTests.put("/api/v1/clusters/cluster", "GET",  true);
     urlTests.put("/api/v1/clusters/cluster", "POST",  true);
     urlTests.put("/api/v1/views", "GET", true);
-    urlTests.put("/api/v1/views", "POST", false);
+    urlTests.put("/api/v1/views", "POST", true);
     urlTests.put("/api/v1/persist/SomeValue", "GET", true);
     urlTests.put("/api/v1/persist/SomeValue", "POST", false);
     urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "POST", true);
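Review bot: The expectation for `POST /api/v1/views` flips from denied to allowed here, and the later hunks of this file do the same for every `/views/...` entry, including the `DeniedView` ones. After this change the visible maps contain no case where the filter refuses a view request. That appears consistent with the view check moving out of the filter, but a missing check in a resource provider or in ViewRegistry would no longer be caught at this level. A comment next to these entries, for example `// views are authorized by the resource providers and ViewRegistry, not by this filter`, would explain why `DeniedView` is expected to pass. Each path that replaced the filter rule should also have its own denied-role test. The enclosing test methods start outside these hunks, so the role each map belongs to cannot be seen here.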
@@ -213,10 +213,10 @@ public class AmbariAuthorizationFilterTest {
     urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "PUT", true);
     urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "GET", true);
     urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "DELETE", true);
-    urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "GET", false);
-    urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "POST", false);
-    urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "GET", false);
-    urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "POST", false);
+    urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "GET", true);
+    urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "POST", true);
+    urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "GET", true);
+    urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "POST", true);
     urlTests.put("/api/v1/users/user1", "GET", true);
     urlTests.put("/api/v1/users/user1", "POST", true);
     urlTests.put("/api/v1/users/user2", "GET", true);
@@ -235,7 +235,7 @@ public class AmbariAuthorizationFilterTest {
     urlTests.put("/api/v1/clusters/cluster", "GET",  true);
     urlTests.put("/api/v1/clusters/cluster", "POST",  true);
     urlTests.put("/api/v1/views", "GET", true);
-    urlTests.put("/api/v1/views", "POST", false);
+    urlTests.put("/api/v1/views", "POST", true);
     urlTests.put("/api/v1/persist/SomeValue", "GET", true);
     urlTests.put("/api/v1/persist/SomeValue", "POST", true);
     urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "POST", true);
@@ -246,10 +246,10 @@ public class AmbariAuthorizationFilterTest {
     urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "PUT", true);
     urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "GET", true);
     urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "DELETE", true);
-    urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "GET", false);
-    urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "POST", false);
-    urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "GET", false);
-    urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "POST", false);
+    urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "GET", true);
+    urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "POST", true);
+    urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "GET", true);
+    urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "POST", true);
     urlTests.put("/api/v1/users/user1", "GET", true);
     urlTests.put("/api/v1/users/user1", "POST", true);
     urlTests.put("/api/v1/users/user2", "GET", true);
@@ -281,8 +281,8 @@ public class AmbariAuthorizationFilterTest {
     urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "DELETE", true);
     urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "GET", true);
     urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "POST", true);
-    urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "GET", false);
-    urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "POST", false);
+    urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "GET", true);
+    urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "POST", true);
     urlTests.put("/api/v1/users/user1", "GET", true);
     urlTests.put("/api/v1/users/user1", "POST", true);
     urlTests.put("/api/v1/users/user2", "GET", true);
@@ -301,7 +301,7 @@ public class AmbariAuthorizationFilterTest {
     urlTests.put("/api/v1/clusters/cluster", "GET",  true);
     urlTests.put("/api/v1/clusters/cluster", "POST",  true);
     urlTests.put("/api/v1/views", "GET", true);
-    urlTests.put("/api/v1/views", "POST", false);
+    urlTests.put("/api/v1/views", "POST", true);
     urlTests.put("/api/v1/persist/SomeValue", "GET", true);
     urlTests.put("/api/v1/persist/SomeValue", "POST", false);
     urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "POST", true);
@@ -312,10 +312,10 @@ public class AmbariAuthorizationFilterTest {
     urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "PUT", true);
     urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "GET", true);
     urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "DELETE", true);
-    urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "GET", false);
-    urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "POST", false);
-    urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "GET", false);
-    urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "POST", false);
+    urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "GET", true);
+    urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "POST", true);
+    urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "GET", true);
+    urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "POST", true);
     urlTests.put("/api/v1/users/user1", "GET", true);
     urlTests.put("/api/v1/users/user1", "POST", true);
     urlTests.put("/api/v1/users/user2", "GET", true);
@@ -444,19 +444,4 @@ public class AmbariAuthorizationFilterTest {
       }
     }
   }
-
-  @Test
-  public void testParseViewContextPath() throws Exception {
-    final String[] pathesToTest = {
-        AmbariAuthorizationFilter.VIEWS_CONTEXT_PATH_PREFIX + "MY_VIEW/1.0.0/INSTANCE1",
-        AmbariAuthorizationFilter.VIEWS_CONTEXT_PATH_PREFIX + "MY_VIEW/1.0.0/INSTANCE1/index.html",
-        AmbariAuthorizationFilter.VIEWS_CONTEXT_PATH_PREFIX + "MY_VIEW/1.0.0/INSTANCE1/api/test"
-    };
-    for (String contextPath: pathesToTest) {
-      final ViewInstanceVersionDTO dto = AmbariAuthorizationFilter.parseViewInstanceInfo(contextPath);
-      Assert.assertEquals("INSTANCE1", dto.getInstanceName());
-      Assert.assertEquals("MY_VIEW", dto.getViewName());
-      Assert.assertEquals("1.0.0", dto.getVersion());
-    }
-  }
 }

http://git-wip-us.apache.org/repos/asf/ambari/blob/1c218dc7/ambari-server/src/test/java/org/apache/ambari/server/view/ViewRegistryTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/view/ViewRegistryTest.java b/ambari-server/src/test/java/org/apache/ambari/server/view/ViewRegistryTest.java
index f94cb25..c47cfa4 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/view/ViewRegistryTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/view/ViewRegistryTest.java
@@ -77,6 +77,7 @@ import org.apache.ambari.server.orm.entities.ViewInstanceDataEntity;
 import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
 import org.apache.ambari.server.orm.entities.ViewInstanceEntityTest;
 import org.apache.ambari.server.security.SecurityHelper;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
 import org.apache.ambari.server.security.authorization.AmbariGrantedAuthority;
 import org.apache.ambari.server.state.Cluster;
 import org.apache.ambari.server.state.Clusters;
@@ -98,10 +99,12 @@ import org.apache.ambari.view.validation.ValidationResult;
 import org.apache.ambari.view.validation.Validator;
 import org.easymock.Capture;
 import org.easymock.EasyMock;
+import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
 
 /**
  * ViewRegistry tests.
@@ -227,6 +230,11 @@ public class ViewRegistryTest {
         clusters);
   }
 
+  @After
+  public void clearAuthentication() {
+    SecurityContextHolder.getContext().setAuthentication(null);
+  }
+
   @Test
   public void testReadViewArchives() throws Exception {
     testReadViewArchives(false, false);
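Review bot: `clearAuthentication` sets the authentication to null but leaves the `SecurityContext` object bound to the test thread; `SecurityContextHolder.clearContext();` is the usual way to drop per-test security state and needs no additional import. A short comment on the method, such as `// reset the thread-bound security context so a role set by one test cannot leak into the next`, would make its purpose explicit for anyone adding tests that set an authentication.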
@@ -1236,24 +1244,14 @@ public class ViewRegistryTest {
   public void testIncludeDefinitionForAdmin() {
     ViewRegistry registry = ViewRegistry.getInstance();
     ViewEntity viewEntity = createNiceMock(ViewEntity.class);
-    AmbariGrantedAuthority adminAuthority = createNiceMock(AmbariGrantedAuthority.class);
-    PrivilegeEntity privilegeEntity = createNiceMock(PrivilegeEntity.class);
-    PermissionEntity permissionEntity = createNiceMock(PermissionEntity.class);
-
-    Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
-    authorities.add(adminAuthority);
 
-    securityHelper.getCurrentAuthorities();
-    EasyMock.expectLastCall().andReturn(authorities);
-    expect(adminAuthority.getPrivilegeEntity()).andReturn(privilegeEntity);
-    expect(privilegeEntity.getPermission()).andReturn(permissionEntity);
-    expect(permissionEntity.getId()).andReturn(PermissionEntity.AMBARI_ADMINISTRATOR_PERMISSION);
+    replay(configuration);
 
-    replay(securityHelper, adminAuthority, privilegeEntity, permissionEntity, configuration);
+    SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator());
 
     Assert.assertTrue(registry.includeDefinition(viewEntity));
 
-    verify(securityHelper, adminAuthority, privilegeEntity, permissionEntity, configuration);
+    verify(configuration);
   }
 
   @Test
@@ -1261,19 +1259,15 @@ public class ViewRegistryTest {
     ViewRegistry registry = ViewRegistry.getInstance();
     ViewEntity viewEntity = createNiceMock(ViewEntity.class);
 
-    Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
+    expect(viewEntity.getInstances()).andReturn(Collections.<ViewInstanceEntity>emptyList()).anyTimes();
 
-    Collection<ViewInstanceEntity> instances = new ArrayList<ViewInstanceEntity>();
+    replay(viewEntity, configuration);
 
-    securityHelper.getCurrentAuthorities();
-    EasyMock.expectLastCall().andReturn(authorities);
-    expect(viewEntity.getInstances()).andReturn(instances);
-
-    replay(securityHelper, viewEntity, configuration);
+    SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createViewUser(1L));
 
     Assert.assertFalse(registry.includeDefinition(viewEntity));
 
-    verify(securityHelper, viewEntity, configuration);
+    verify(viewEntity, configuration);
   }
 
   @Test
@@ -1282,29 +1276,23 @@ public class ViewRegistryTest {
     ViewEntity viewEntity = createNiceMock(ViewEntity.class);
     ViewInstanceEntity instanceEntity = createNiceMock(ViewInstanceEntity.class);
     ResourceEntity resourceEntity = createNiceMock(ResourceEntity.class);
-    AmbariGrantedAuthority viewUseAuthority = createNiceMock(AmbariGrantedAuthority.class);
-    PrivilegeEntity privilegeEntity = createNiceMock(PrivilegeEntity.class);
-    PermissionEntity permissionEntity = createNiceMock(PermissionEntity.class);
-
-    Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
-    authorities.add(viewUseAuthority);
+    ResourceTypeEntity resourceTypeEntity = createNiceMock(ResourceTypeEntity.class);
 
     Collection<ViewInstanceEntity> instances = new ArrayList<ViewInstanceEntity>();
     instances.add(instanceEntity);
 
     expect(viewEntity.getInstances()).andReturn(instances);
     expect(instanceEntity.getResource()).andReturn(resourceEntity);
-    expect(viewUseAuthority.getPrivilegeEntity()).andReturn(privilegeEntity).anyTimes();
-    expect(privilegeEntity.getPermission()).andReturn(permissionEntity).anyTimes();
-    expect(privilegeEntity.getResource()).andReturn(resourceEntity).anyTimes();
-    expect(permissionEntity.getId()).andReturn(PermissionEntity.VIEW_USER_PERMISSION).anyTimes();
-    securityHelper.getCurrentAuthorities();
-    EasyMock.expectLastCall().andReturn(authorities).anyTimes();
-    replay(securityHelper, viewEntity, instanceEntity, viewUseAuthority, privilegeEntity, permissionEntity, configuration);
+    expect(resourceEntity.getResourceType()).andReturn(resourceTypeEntity).anyTimes();
+    expect(resourceTypeEntity.getId()).andReturn(1).anyTimes();
+
+    replay(viewEntity, instanceEntity, resourceEntity, resourceTypeEntity, configuration);
+
+    SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createViewUser(resourceEntity.getResourceType().getId().longValue()));
 
     Assert.assertTrue(registry.includeDefinition(viewEntity));
 
-    verify(securityHelper, viewEntity, instanceEntity, viewUseAuthority, privilegeEntity, permissionEntity, configuration);
+    verify(viewEntity, instanceEntity, resourceEntity, resourceTypeEntity, configuration);
   }
 
   @Test

