From aonis...@apache.org
Subject [2/2] ambari git commit: AMBARI-17292. Operations during upgrade are permitted by all roles (aonishuk)
Date Wed, 22 Jun 2016 09:11:16 GMT
AMBARI-17292. Operations during upgrade are permitted by all roles (aonishuk)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/799b8a6e
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/799b8a6e
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/799b8a6e

Branch: refs/heads/branch-2.4
Commit: 799b8a6ed65d14b2d3b36a7af0f99ace59f71f0f
Parents: bdf3fb2
Author: Andrew Onishuk <aonishuk@hortonworks.com>
Authored: Wed Jun 22 12:11:11 2016 +0300
Committer: Andrew Onishuk <aonishuk@hortonworks.com>
Committed: Wed Jun 22 12:11:11 2016 +0300

----------------------------------------------------------------------
 ambari-server/pom.xml                           |  1 +
 .../internal/UpgradeItemResourceProvider.java   | 25 +++++++++++++
 .../internal/UpgradeResourceProvider.java       | 39 +++++++++++++++++++-
 .../AmbariAuthorizationFilter.java              |  4 +-
 .../UpgradeResourceProviderHDP22Test.java       | 24 +++++++++++-
 .../internal/UpgradeResourceProviderTest.java   | 28 +++++++++++++-
 6 files changed, 115 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/799b8a6e/ambari-server/pom.xml
----------------------------------------------------------------------
diff --git a/ambari-server/pom.xml b/ambari-server/pom.xml
index f0bd67c..c2ee86d 100644
--- a/ambari-server/pom.xml
+++ b/ambari-server/pom.xml
@@ -569,6 +569,7 @@
         <artifactId>maven-surefire-plugin</artifactId>
         <configuration>
           <skip>${skipSurefireTests}</skip>
+          <argLine>-Xmx1024m -XX:MaxPermSize=512m -Xms512m</argLine>
         </configuration>
       </plugin>
       <plugin>

http://git-wip-us.apache.org/repos/asf/ambari/blob/799b8a6e/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UpgradeItemResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UpgradeItemResourceProvider.java
b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UpgradeItemResourceProvider.java
index 0719430..3d46424 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UpgradeItemResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UpgradeItemResourceProvider.java
@@ -19,6 +19,7 @@ package org.apache.ambari.server.controller.internal;
 
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -27,6 +28,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
+import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.StaticallyInject;
 import org.apache.ambari.server.actionmanager.HostRoleStatus;
 import org.apache.ambari.server.controller.AmbariManagementController;
@@ -46,6 +48,11 @@ import org.apache.ambari.server.orm.entities.StageEntityPK;
 import org.apache.ambari.server.orm.entities.UpgradeEntity;
 import org.apache.ambari.server.orm.entities.UpgradeGroupEntity;
 import org.apache.ambari.server.orm.entities.UpgradeItemEntity;
+import org.apache.ambari.server.security.authorization.AuthorizationException;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
+import org.apache.ambari.server.state.Cluster;
 import org.apache.ambari.server.state.UpgradeHelper;
 
 import com.google.inject.Inject;
@@ -135,6 +142,24 @@ public class UpgradeItemResourceProvider extends ReadOnlyResourceProvider
{
       Set<Resource> resources = getResources(PropertyHelper.getReadRequest(), predicate);
 
       for (Resource resource : resources) {
+        final String clusterName = (String)resource.getPropertyValue(UPGRADE_CLUSTER_NAME);
+        final Cluster cluster;
+
+        try {
+          cluster = getManagementController().getClusters().getCluster(clusterName);
+        } catch (AmbariException e) {
+          throw new NoSuchParentResourceException(
+              String.format("Cluster %s could not be loaded", clusterName));
+        }
+
+
+        if (!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, cluster.getResourceId(),
+            EnumSet.of(RoleAuthorization.CLUSTER_UPGRADE_DOWNGRADE_STACK))) {
+          throw new AuthorizationException("The authenticated user does not have authorization
to " +
+              "manage upgrade and downgrade");
+        }
+
+
         // Set the desired status on the underlying stage.
         Long requestId = (Long) resource.getPropertyValue(UPGRADE_REQUEST_ID);
         Long stageId = (Long) resource.getPropertyValue(UPGRADE_ITEM_STAGE_ID);
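Review bot: The authorization check sits inside the `for (Resource resource : resources)` loop, next to the code that sets the desired status on each stage, so when the predicate matches several upgrade items the earlier ones may already have been updated before a later item throws `AuthorizationException`. Resolving and authorizing the cluster for every matched resource in a first pass, and only then entering the mutating loop, would make the update all-or-nothing from the caller's point of view. The `catch (AmbariException e)` also discards the cause; if `NoSuchParentResourceException` offers a (message, cause) constructor, passing `e` keeps the original lookup failure in the logs, and the same applies to the two identical blocks in UpgradeResourceProvider. The enclosing method starts and ends outside this hunk, so whether the later statements run in a transaction is not visible here.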

http://git-wip-us.apache.org/repos/asf/ambari/blob/799b8a6e/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UpgradeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UpgradeResourceProvider.java
b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UpgradeResourceProvider.java
index ac0c78c..6aab72b 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UpgradeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UpgradeResourceProvider.java
@@ -78,6 +78,9 @@ import org.apache.ambari.server.orm.entities.UpgradeEntity;
 import org.apache.ambari.server.orm.entities.UpgradeGroupEntity;
 import org.apache.ambari.server.orm.entities.UpgradeItemEntity;
 import org.apache.ambari.server.security.authorization.AuthorizationException;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
 import org.apache.ambari.server.serveraction.upgrades.UpdateDesiredStackAction;
 import org.apache.ambari.server.stack.MasterHostResolver;
 import org.apache.ambari.server.state.Cluster;
@@ -314,19 +317,33 @@ public class UpgradeResourceProvider extends AbstractControllerResourceProvider
 
     // !!! above check ensures only one
     final Map<String, Object> requestMap = requestMaps.iterator().next();
+    final String clusterName = (String) requestMap.get(UPGRADE_CLUSTER_NAME);
+    final Cluster cluster;
+
+    try {
+      cluster = getManagementController().getClusters().getCluster(clusterName);
+    } catch (AmbariException e) {
+      throw new NoSuchParentResourceException(
+          String.format("Cluster %s could not be loaded", clusterName));
+    }
+
+    if (!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, cluster.getResourceId(),
+        EnumSet.of(RoleAuthorization.CLUSTER_UPGRADE_DOWNGRADE_STACK))) {
+      throw new AuthorizationException("The authenticated user does not have authorization
to " +
+          "manage upgrade and downgrade");
+    }
+
     final Map<String, String> requestInfoProps = request.getRequestInfoProperties();
 
     UpgradeEntity entity = createResources(new Command<UpgradeEntity>() {
       @Override
       public UpgradeEntity invoke() throws AmbariException, AuthorizationException {
         String forceDowngrade = requestInfoProps.get(UpgradeResourceDefinition.DOWNGRADE_DIRECTIVE);
-        String clusterName = (String) requestMap.get(UPGRADE_CLUSTER_NAME);
 
         if (null == clusterName) {
           throw new AmbariException(String.format("%s is required", UPGRADE_CLUSTER_NAME));
         }
 
-        Cluster cluster = getManagementController().getClusters().getCluster(clusterName);
         Direction direction = Boolean.parseBoolean(forceDowngrade) ? Direction.DOWNGRADE
             : Direction.UPGRADE;
 
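Review bot: The `null == clusterName` check inside `invoke()` is now reached only after `getClusters().getCluster(clusterName)` has been called with that value, so a request without a cluster name no longer gets the `"%s is required"` message; depending on how `getCluster` treats null it surfaces as "Cluster null could not be loaded" or as an unchecked exception. A null guard placed before the `try` block would keep a clear client error and make the inner check removable. The hunk at -434 reads `UPGRADE_CLUSTER_NAME` the same way with no null guard at all, although it throws `IllegalArgumentException` for a missing `UPGRADE_REQUEST_ID` a few lines later. The method signature is outside the hunk, so the exception type to use should be one it already declares.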
@@ -434,6 +451,24 @@ public class UpgradeResourceProvider extends AbstractControllerResourceProvider
     // !!! above check ensures only one
     final Map<String, Object> propertyMap = requestMaps.iterator().next();
 
+    final String clusterName = (String) propertyMap.get(UPGRADE_CLUSTER_NAME);
+    final Cluster cluster;
+
+    try {
+      cluster = getManagementController().getClusters().getCluster(clusterName);
+    } catch (AmbariException e) {
+      throw new NoSuchParentResourceException(
+          String.format("Cluster %s could not be loaded", clusterName));
+    }
+
+    if (!AuthorizationHelper.isAuthorized(ResourceType.CLUSTER, cluster.getResourceId(),
+        EnumSet.of(RoleAuthorization.CLUSTER_UPGRADE_DOWNGRADE_STACK))) {
+      throw new AuthorizationException("The authenticated user does not have authorization
to " +
+          "manage upgrade and downgrade");
+    }
+
+
+
     String requestIdProperty = (String) propertyMap.get(UPGRADE_REQUEST_ID);
     if (null == requestIdProperty) {
       throw new IllegalArgumentException(String.format("%s is required", UPGRADE_REQUEST_ID));
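Review bot: The authorization decision here is bound to the cluster named in the request's property map, while the upgrade to be modified is identified separately by `UPGRADE_REQUEST_ID` just below; nothing in this hunk shows that the upgrade found for that id belongs to the cluster that was authorized. If the rest of the method, which continues outside the hunk, does not already compare them, a check after the upgrade is loaded that its cluster id equals `cluster.getClusterId()`, throwing the same `AuthorizationException` otherwise, would tie the permission to the object actually being changed.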

http://git-wip-us.apache.org/repos/asf/ambari/blob/799b8a6e/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
index 922a215..2f676b4 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
@@ -86,6 +86,7 @@ public class AmbariAuthorizationFilter implements Filter {
   private static final String API_ALERT_TARGETS_ALL_PATTERN = API_VERSION_PREFIX + "/alert_targets.*";
   private static final String API_BOOTSTRAP_PATTERN_ALL = API_VERSION_PREFIX + "/bootstrap.*";
   private static final String API_REQUESTS_ALL_PATTERN = API_VERSION_PREFIX + "/requests.*";
+  private static final String API_CLUSTERS_UPGRADES_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/upgrades.*";
 
   protected static final String LOGIN_REDIRECT_BASE = "/#/login?targetURI=";
 
@@ -315,7 +316,8 @@ public class AmbariAuthorizationFilter implements Filter {
         requestURI.matches(API_HOSTS_ALL_PATTERN) ||
         requestURI.matches(API_ALERT_TARGETS_ALL_PATTERN) ||
         requestURI.matches(API_PRIVILEGES_ALL_PATTERN) ||
-        requestURI.matches(API_PERSIST_ALL_PATTERN);
+        requestURI.matches(API_PERSIST_ALL_PATTERN) ||
+        requestURI.matches(API_CLUSTERS_UPGRADES_PATTERN);
   }
 
   @Override
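Review bot: `API_CLUSTERS_UPGRADES_PATTERN`, added in the previous hunk as `API_VERSION_PREFIX + "/clusters/.*?/upgrades.*"`, is broader than the endpoints this commit protects: because `.` also matches `/`, it accepts any URI under `/clusters/` that contains `/upgrades` at any depth, as well as names that merely start with `upgrades`. The method this `return` expression belongs to starts outside the hunk, but if it marks URIs whose authorization is delegated to the resource providers, the pattern should cover only the paths that received the new `isAuthorized` checks. Something like `API_VERSION_PREFIX + "/clusters/[^/]+/upgrades(/.*)?"` limits it to one cluster segment and the upgrades subtree.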

http://git-wip-us.apache.org/repos/asf/ambari/blob/799b8a6e/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UpgradeResourceProviderHDP22Test.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UpgradeResourceProviderHDP22Test.java
b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UpgradeResourceProviderHDP22Test.java
index c052a6c..115b518 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UpgradeResourceProviderHDP22Test.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UpgradeResourceProviderHDP22Test.java
@@ -17,14 +17,18 @@
  */
 package org.apache.ambari.server.controller.internal;
 
-import static org.easymock.EasyMock.createNiceMock;
+import static org.easymock.EasyMock.anyLong;
+import static org.easymock.EasyMock.eq;
 import static org.easymock.EasyMock.expect;
+import static org.easymock.EasyMock.createNiceMock;
 import static org.easymock.EasyMock.replay;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 
 import java.lang.reflect.Field;
+import java.lang.reflect.Method;
 import java.util.Collections;
+import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -56,6 +60,9 @@ import org.apache.ambari.server.orm.entities.StackEntity;
 import org.apache.ambari.server.orm.entities.UpgradeEntity;
 import org.apache.ambari.server.orm.entities.UpgradeGroupEntity;
 import org.apache.ambari.server.orm.entities.UpgradeItemEntity;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
 import org.apache.ambari.server.state.Cluster;
 import org.apache.ambari.server.state.Clusters;
 import org.apache.ambari.server.state.Config;
@@ -83,10 +90,18 @@ import com.google.inject.Injector;
 import com.google.inject.Module;
 import com.google.inject.persist.PersistService;
 import com.google.inject.util.Modules;
+import org.junit.runner.RunWith;
+import org.powermock.api.easymock.PowerMock;
+import org.powermock.core.classloader.annotations.PowerMockIgnore;
+import org.powermock.core.classloader.annotations.PrepareForTest;
+import org.powermock.modules.junit4.PowerMockRunner;
 
 /**
  * UpgradeResourceDefinition tests.
  */
+@RunWith(PowerMockRunner.class)
+@PrepareForTest({AuthorizationHelper.class})
+@PowerMockIgnore({"javax.management.*", "javax.crypto.*"})
 public class UpgradeResourceProviderHDP22Test {
 
   private UpgradeDAO upgradeDao = null;
@@ -242,6 +257,13 @@ public class UpgradeResourceProviderHDP22Test {
     StageUtils.setTopologyManager(topologyManager);
     StageUtils.setConfiguration(injector.getInstance(Configuration.class));
     ActionManager.setTopologyManager(topologyManager);
+
+
+    Method isAuthorizedMethod = AuthorizationHelper.class.getMethod("isAuthorized", ResourceType.class,
Long.class, Set.class);
+    PowerMock.mockStatic(AuthorizationHelper.class, isAuthorizedMethod);
+    expect(AuthorizationHelper.isAuthorized(eq(ResourceType.CLUSTER), anyLong(),
+        eq(EnumSet.of(RoleAuthorization.CLUSTER_UPGRADE_DOWNGRADE_STACK)))).andReturn(true).anyTimes();
+    PowerMock.replay(AuthorizationHelper.class);
   }
 
   @After
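Review bot: The static mock makes `AuthorizationHelper.isAuthorized(...)` return `true` for every call, so the tests in this class, and in UpgradeResourceProviderTest, which adds the same setup, exercise only the permitted path of the new check. Since the commit's purpose is to deny upgrade operations to roles without `CLUSTER_UPGRADE_DOWNGRADE_STACK`, at least one test per guarded provider method should stub the call with `andReturn(false)` and assert that `AuthorizationException` is thrown and that no upgrade state changes. The setup method begins outside this hunk.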

http://git-wip-us.apache.org/repos/asf/ambari/blob/799b8a6e/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UpgradeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UpgradeResourceProviderTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UpgradeResourceProviderTest.java
index 5bcfd86..a5db0f0 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UpgradeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UpgradeResourceProviderTest.java
@@ -17,9 +17,11 @@
  */
 package org.apache.ambari.server.controller.internal;
 
-import static org.easymock.EasyMock.createNiceMock;
 import static org.easymock.EasyMock.expect;
+import static org.easymock.EasyMock.createNiceMock;
 import static org.easymock.EasyMock.replay;
+import static org.easymock.EasyMock.eq;
+import static org.easymock.EasyMock.anyLong;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
@@ -27,8 +29,10 @@ import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 
 import java.lang.reflect.Field;
+import java.lang.reflect.Method;
 import java.util.ArrayList;
 import java.util.Collections;
+import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -72,6 +76,9 @@ import org.apache.ambari.server.orm.entities.StageEntity;
 import org.apache.ambari.server.orm.entities.UpgradeEntity;
 import org.apache.ambari.server.orm.entities.UpgradeGroupEntity;
 import org.apache.ambari.server.orm.entities.UpgradeItemEntity;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.apache.ambari.server.security.authorization.ResourceType;
+import org.apache.ambari.server.security.authorization.RoleAuthorization;
 import org.apache.ambari.server.serveraction.upgrades.AutoSkipFailedSummaryAction;
 import org.apache.ambari.server.state.Cluster;
 import org.apache.ambari.server.state.Clusters;
@@ -110,11 +117,18 @@ import com.google.inject.Injector;
 import com.google.inject.Module;
 import com.google.inject.persist.PersistService;
 import com.google.inject.util.Modules;
+import org.junit.runner.RunWith;
+import org.powermock.api.easymock.PowerMock;
+import org.powermock.core.classloader.annotations.PowerMockIgnore;
+import org.powermock.core.classloader.annotations.PrepareForTest;
+import org.powermock.modules.junit4.PowerMockRunner;
 
 /**
  * UpgradeResourceDefinition tests.
  */
-@SuppressWarnings("unchecked")
+@RunWith(PowerMockRunner.class)
+@PrepareForTest({AuthorizationHelper.class})
+@PowerMockIgnore({"javax.management.*", "javax.crypto.*"})
 public class UpgradeResourceProviderTest {
 
   private UpgradeDAO upgradeDao = null;
@@ -241,6 +255,12 @@ public class UpgradeResourceProviderTest {
     StageUtils.setConfiguration(injector.getInstance(Configuration.class));
     ActionManager.setTopologyManager(topologyManager);
     EasyMock.replay(injector.getInstance(AuditLogger.class));
+
+    Method isAuthorizedMethod = AuthorizationHelper.class.getMethod("isAuthorized", ResourceType.class,
Long.class, Set.class);
+    PowerMock.mockStatic(AuthorizationHelper.class, isAuthorizedMethod);
+    expect(AuthorizationHelper.isAuthorized(eq(ResourceType.CLUSTER), anyLong(),
+        eq(EnumSet.of(RoleAuthorization.CLUSTER_UPGRADE_DOWNGRADE_STACK)))).andReturn(true).anyTimes();
+    PowerMock.replay(AuthorizationHelper.class);
   }
 
   @After
@@ -804,6 +824,7 @@ public class UpgradeResourceProviderTest {
 
     Map<String, Object> requestProps = new HashMap<String, Object>();
     requestProps.put(UpgradeResourceProvider.UPGRADE_REQUEST_ID, id.toString());
+    requestProps.put(UpgradeResourceProvider.UPGRADE_CLUSTER_NAME, "c1");
     requestProps.put(UpgradeResourceProvider.UPGRADE_REQUEST_STATUS, "ABORTED");
     requestProps.put(UpgradeResourceProvider.UPGRADE_SUSPENDED, "true");
 
@@ -828,6 +849,7 @@ public class UpgradeResourceProviderTest {
 
     Map<String, Object> requestProps = new HashMap<String, Object>();
     requestProps.put(UpgradeResourceProvider.UPGRADE_REQUEST_ID, id.toString());
+    requestProps.put(UpgradeResourceProvider.UPGRADE_CLUSTER_NAME, "c1");
     requestProps.put(UpgradeResourceProvider.UPGRADE_REQUEST_STATUS, "ABORTED");
     requestProps.put(UpgradeResourceProvider.UPGRADE_SUSPENDED, "true");
 
@@ -861,6 +883,7 @@ public class UpgradeResourceProviderTest {
     requestProps = new HashMap<String, Object>();
     requestProps.put(UpgradeResourceProvider.UPGRADE_REQUEST_ID, id.toString());
     requestProps.put(UpgradeResourceProvider.UPGRADE_REQUEST_STATUS, "PENDING");
+    requestProps.put(UpgradeResourceProvider.UPGRADE_CLUSTER_NAME, "c1");
     requestProps.put(UpgradeResourceProvider.UPGRADE_SUSPENDED, "false");
 
     // !!! make sure we can.  actual reset is tested elsewhere
@@ -881,6 +904,7 @@ public class UpgradeResourceProviderTest {
 
     Map<String, Object> requestProps = new HashMap<String, Object>();
     requestProps.put(UpgradeResourceProvider.UPGRADE_REQUEST_ID, id.toString());
+    requestProps.put(UpgradeResourceProvider.UPGRADE_CLUSTER_NAME, "c1");
     requestProps.put(UpgradeResourceProvider.UPGRADE_REQUEST_STATUS, "ABORTED");
 
     UpgradeResourceProvider urp = createProvider(amc);

