From rle...@apache.org
Subject [2/4] ambari git commit: Revert "AMBARI-1365. Authorizations given to roles, should use generic role-based principals rather than hard-coded pseudo-role-based principals (rlevas)"
Date Fri, 21 Oct 2016 20:01:58 GMT
Revert "AMBARI-1365. Authorizations given to roles, should use generic role-based principals rather than hard-coded pseudo-role-based principals (rlevas)"

This reverts commit b3dda4ffe9c8bc47725fd9292dc621568df45610.


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/b90b2863
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/b90b2863
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/b90b2863

Branch: refs/heads/trunk
Commit: b90b286366e67b7b494b2f2cf886dc4eab4ff006
Parents: 0dd7770
Author: Robert Levas <rlevas@hortonworks.com>
Authored: Fri Oct 21 16:01:10 2016 -0400
Committer: Robert Levas <rlevas@hortonworks.com>
Committed: Fri Oct 21 16:01:10 2016 -0400

----------------------------------------------------------------------
 .../controllers/ambariViews/ViewsEditCtrl.js    |  16 +-
 .../ui/admin-web/app/scripts/i18n.config.js     |  10 +-
 .../app/scripts/services/PermissionLoader.js    |  11 +-
 .../app/scripts/services/PermissionsSaver.js    |   8 +-
 .../ui/admin-web/app/scripts/services/View.js   |  12 +-
 .../admin-web/app/views/ambariViews/edit.html   |   4 +-
 .../test/unit/services/PermissionSaver_test.js  |  16 +-
 ...ClusterPrivilegeChangeRequestAuditEvent.java |  21 +-
 .../ViewPrivilegeChangeRequestAuditEvent.java   |  18 +-
 .../eventcreator/PrivilegeEventCreator.java     |   4 +-
 .../eventcreator/ViewPrivilegeEventCreator.java |   4 +-
 .../ambari/server/controller/AmbariServer.java  |   2 +-
 .../AmbariPrivilegeResourceProvider.java        |   9 +-
 .../ClusterPrivilegeResourceProvider.java       |   3 +-
 .../GroupPrivilegeResourceProvider.java         |  18 +-
 .../internal/PrivilegeResourceProvider.java     | 114 +++-------
 .../internal/UserPrivilegeResourceProvider.java |  49 +++--
 .../internal/ViewPrivilegeResourceProvider.java |   8 +-
 .../ambari/server/orm/dao/PermissionDAO.java    |  35 +--
 .../ambari/server/orm/dao/PrincipalDAO.java     |  13 +-
 .../ambari/server/orm/dao/PrincipalTypeDAO.java |  29 +--
 .../server/orm/entities/PermissionEntity.java   |   6 -
 .../orm/entities/PrincipalTypeEntity.java       |  17 +-
 .../authorization/AuthorizationHelper.java      |  56 ++++-
 .../ClusterInheritedPermissionHelper.java       | 213 +++++++++++++++++++
 .../server/security/authorization/Users.java    | 145 ++-----------
 .../server/upgrade/UpgradeCatalog242.java       | 100 ---------
 .../apache/ambari/server/view/ViewRegistry.java |  75 ++++---
 .../view/configuration/AutoInstanceConfig.java  |  43 ++--
 .../main/resources/Ambari-DDL-Derby-CREATE.sql  |  10 +
 .../main/resources/Ambari-DDL-MySQL-CREATE.sql  |   5 +
 .../main/resources/Ambari-DDL-Oracle-CREATE.sql |  10 +
 .../resources/Ambari-DDL-Postgres-CREATE.sql    |   5 +
 .../resources/Ambari-DDL-SQLAnywhere-CREATE.sql |  10 +
 .../resources/Ambari-DDL-SQLServer-CREATE.sql   |   5 +
 .../AbstractPrivilegeResourceProviderTest.java  |  38 ----
 .../AmbariPrivilegeResourceProviderTest.java    |  21 +-
 .../ClusterPrivilegeResourceProviderTest.java   |   8 +
 .../GroupPrivilegeResourceProviderTest.java     |  67 +++---
 .../UserPrivilegeResourceProviderTest.java      | 113 ++++------
 .../ViewPrivilegeResourceProviderTest.java      |   5 +-
 .../authorization/AuthorizationHelperTest.java  |  66 ++++++
 .../server/upgrade/UpgradeCatalog242Test.java   | 134 +-----------
 .../configuration/AutoInstanceConfigTest.java   |  17 +-
 44 files changed, 716 insertions(+), 857 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js
index 834efdb..bd74b16 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js
@@ -23,7 +23,7 @@ angular.module('ambariAdminConsole')
     $scope.identity = angular.identity;
     $scope.isConfigurationEmpty = true;
     $scope.isSettingsEmpty = true;
-    $scope.permissionRoles = View.permissionRoles;
+    $scope.clusterInheritedPermissionKeys = View.clusterInheritedPermissionKeys;
     $scope.constants = {
       instance: $t('views.instance'),
       props: $t('views.properties'),
@@ -352,7 +352,7 @@ angular.module('ambariAdminConsole')
                 data.ViewInstanceInfo.properties[element.name] = $scope.configuration[element.name];
               }
             });
-            $scope.removeAllRolePermissions();
+            $scope.clearClusterInheritedPermissions();
 
           }
 
@@ -417,9 +417,9 @@ angular.module('ambariAdminConsole')
         });
     };
 
-    $scope.removeAllRolePermissions = function() {
-      angular.forEach(View.permissionRoles, function(key) {
-        $scope.permissionsEdit["VIEW.USER"]["ROLE"][key] = false;
+    $scope.clearClusterInheritedPermissions = function() {
+      angular.forEach(View.clusterInheritedPermissionKeys, function(key) {
+        $scope.permissionsEdit["VIEW.USER"][key] = false;
       })
     };
 
@@ -510,9 +510,11 @@ angular.module('ambariAdminConsole')
     };
 
     function setAllViewRoles(value) {
-      var viewRoles = $scope.permissionsEdit["VIEW.USER"]["ROLE"];
+      var viewRoles = $scope.permissionsEdit["VIEW.USER"];
       for (var role in viewRoles) {
-        $scope.permissionsEdit["VIEW.USER"]["ROLE"][role] = value;
+        if ($scope.clusterInheritedPermissionKeys.indexOf(role) !== -1) {
+          viewRoles[role] = value;
+        }
       }
     }
   }]);
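Review bot: `setAllViewRoles` reads the key list through `$scope.clusterInheritedPermissionKeys` while `$scope.clearClusterInheritedPermissions` in the previous hunk reads `View.clusterInheritedPermissionKeys` directly; both resolve to the same array because the controller assigns `$scope.clusterInheritedPermissionKeys = View.clusterInheritedPermissionKeys` in its first hunk, but using one source in both places would be clearer. The `indexOf(role) !== -1` filter is doing real work here, since the `for ... in` loop walks the whole `permissionsEdit["VIEW.USER"]` object, which PermissionLoader also populates with `USER`, `GROUP` and `PermissionInfo`; a short comment would save the next reader from wondering why the filter exists: `// the ALL.* flags share this object with USER/GROUP/PermissionInfo; only touch the flags`.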

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js
index cd9b922..af22d7f 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js
@@ -234,11 +234,11 @@ angular.module('ambariAdminConsole')
 
       'clusterPermissions': {
         'label': 'Local Cluster Permissions',
-        'clusteradministrator': 'Cluster Administrator',
-        'clusteroperator': 'Cluster Operator',
-        'clusteruser': 'Cluster User',
-        'serviceadministrator': 'Service Administrator',
-        'serviceoperator': 'Service Operator',
+        'allclusteradministrator': 'Cluster Administrator',
+        'allclusteroperator': 'Cluster Operator',
+        'allclusteruser': 'Cluster User',
+        'allserviceadministrator': 'Service Administrator',
+        'allserviceoperator': 'Service Operator',
         'infoMessage': 'Grant <strong>Use</strong> permission for the following <strong>{{cluster}}</strong> Roles:',
         'nonLocalClusterMessage': 'The ability to inherit view <strong>Use</strong> permission based on Cluster Roles is only available when using a Local Cluster configuration.'
       },

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js
index 9cc04e4..988986b 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js
@@ -28,9 +28,8 @@ angular.module('ambariAdminConsole')
       angular.forEach(permissions, function(permission) {
         permission.GROUP = [];
         permission.USER = [];
-        permission.ROLE = {};
-        angular.forEach(View.permissionRoles, function(key) {
-          permission.ROLE[key] = false;
+        angular.forEach(View.clusterInheritedPermissionKeys, function(key) {
+          permission[key] = false;
         });
         permissionsInner[permission.PermissionInfo.permission_name] = permission;
       });
@@ -38,10 +37,10 @@ angular.module('ambariAdminConsole')
       // Now we can get privileges
       resource.getPrivileges(params).then(function(privileges) {
         angular.forEach(privileges, function(privilege) {
-          if(privilege.PrivilegeInfo.principal_type == "ROLE") {
-            permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type][privilege.PrivilegeInfo.principal_name] = true;
-          } else {
+          if(!privilege.PrivilegeInfo.principal_type.startsWith("ALL.")) {
             permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type].push(privilege.PrivilegeInfo.principal_name);
+          } else {
+            permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type] = true;
           }
         });
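Review bot: The restored condition `privilege.PrivilegeInfo.principal_type.startsWith("ALL.")` depends on ES2015 `String.prototype.startsWith`; if the admin console is still served to browsers without it (IE11 is the usual case for a 2016 Angular 1 app), the loader throws on the first privilege and the permissions table never renders. `if(!(privilege.PrivilegeInfo.principal_type.indexOf("ALL.") === 0)) {` keeps the same semantics without the dependency, or a polyfill can be added once for the app. The same line also throws if `principal_type` is ever missing from a privilege record; whether the API guarantees the field I cannot tell from this hunk.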
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js
index c170235..c7b9295 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js
@@ -48,13 +48,13 @@ angular.module('ambariAdminConsole')
         }
       }));
 
-      angular.forEach(View.permissionRoles, function(key) {
-        if(permission.ROLE[key] === true) {
+      angular.forEach(View.clusterInheritedPermissionKeys, function(key) {
+        if(permission[key] === true) {
           arr.push({
             'PrivilegeInfo': {
               'permission_name': 'VIEW.USER',
-              'principal_name': key,
-              'principal_type': 'ROLE'
+              'principal_name': '*',
+              'principal_type': key
             }
           });
         }

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js
index f549b29..5bc0509 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js
@@ -191,12 +191,12 @@ angular.module('ambariAdminConsole')
     self.versionsList = item.versions;
   }
 
-  View.permissionRoles = [
-    "CLUSTER.ADMINISTRATOR",
-    "CLUSTER.OPERATOR",
-    "SERVICE.OPERATOR",
-    "SERVICE.ADMINISTRATOR",
-    "CLUSTER.USER"
+  View.clusterInheritedPermissionKeys = [
+    "ALL.CLUSTER.ADMINISTRATOR",
+    "ALL.CLUSTER.OPERATOR",
+    "ALL.SERVICE.OPERATOR",
+    "ALL.SERVICE.ADMINISTRATOR",
+    "ALL.CLUSTER.USER"
   ];
 
   View.getInstance = function(viewName, version, instanceName) {

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html b/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html
index 418c115..69eb1c1 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html
@@ -287,10 +287,10 @@
         <span translate="views.clusterPermissions.infoMessage" translate-values="{cluster: cluster.name}"></span>
       </div>
       <div class="col-sm-offset-2 col-sm-10">
-        <div class="checkbox col-sm-12" ng-repeat="key in permissionRoles">
+        <div class="checkbox col-sm-12" ng-repeat="key in clusterInheritedPermissionKeys">
           <div ng-init="i18nKey = 'views.clusterPermissions.' + key.split('.').join('').toLowerCase()">
             <label>
-              <input type="checkbox" ng-model="permissionsEdit['VIEW.USER']['ROLE'][key]"> {{i18nKey | translate}}
+              <input type="checkbox" ng-model="permissionsEdit['VIEW.USER'][key]"> {{i18nKey | translate}}
             </label>
           </div>
         </div>

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js b/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js
index 6c662f2..fa36d98 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js
@@ -178,13 +178,11 @@ describe('PermissionSaver Service', function () {
           'PermissionInfo': {
             permission_name: 'VIEW.USER'
           },
-          'ROLE': {
-            'CLUSTER.ADMINISTRATOR': true,
-            'CLUSTER.OPERATOR': false,
-            'SERVICE.OPERATOR': false,
-            'SERVICE.ADMINISTRATOR': false,
-            'CLUSTER.USER': false
-          },
+          'ALL.CLUSTER.ADMINISTRATOR': true,
+          'ALL.CLUSTER.OPERATOR': false,
+          'ALL.SERVICE.OPERATOR': false,
+          'ALL.SERVICE.ADMINISTRATOR': false,
+          'ALL.CLUSTER.USER': false,
           'USER': ['u0', 'u1', 'g0'],
           'GROUP': ['g0', 'g1', 'u0']
         }
@@ -235,8 +233,8 @@ describe('PermissionSaver Service', function () {
         {
           PrivilegeInfo: {
             permission_name: 'VIEW.USER',
-            principal_name: 'CLUSTER.ADMINISTRATOR',
-            principal_type: 'ROLE'
+            principal_name: '*',
+            principal_type: 'ALL.CLUSTER.ADMINISTRATOR'
           }
         }
       ];

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java
index 29fb7b4..b28bb2a 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java
@@ -18,9 +18,11 @@
 
 package org.apache.ambari.server.audit.event.request;
 
+import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.SortedSet;
 import java.util.TreeSet;
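Review bot: `java.util.HashSet` and `java.util.Set` are re-imported here, but nothing in the visible hunks of this class uses either name, and the same applies to the identical import hunk in ViewPrivilegeChangeRequestAuditEvent and to the `SecurityContextHolder`/`User` imports restored in PrivilegeEventCreator and ViewPrivilegeEventCreator. If the rest of each file (outside these hunks) does not use them, they are unused imports that the reverted commit had cleaned up and they should be dropped from the revert rather than brought back. Unused Spring Security imports in the audit event creators are also misleading about where the acting principal is obtained, since the visible code gets it from the request.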
 
@@ -45,16 +47,10 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
 
     /**
      * Roles for groups
-     * group name -> list of roles
+     * groupname -> list fo roles
      */
     private Map<String, List<String>> groups;
 
-    /**
-     * Roles for roles
-     * role name -> list of roles
-     */
-    private Map<String, List<String>> roles;
-
     public ClusterPrivilegeChangeRequestAuditEventBuilder() {
       super.withOperation("Role change");
     }
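Review bot: The restored Javadoc on the `groups` field reads `groupname -> list fo roles`, reintroducing the typo the reverted commit had fixed; the field's comment should read `* group name -> list of roles`. Reverting the behaviour does not require reverting the wording fix, so this line can be left at the corrected text.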
@@ -76,10 +72,9 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
       SortedSet<String> roleSet = new TreeSet<String>();
       roleSet.addAll(users.keySet());
       roleSet.addAll(groups.keySet());
-      roleSet.addAll(roles.keySet());
 
       builder.append(", Roles(");
-      if (!users.isEmpty() || !groups.isEmpty()|| !roles.isEmpty()) {
+      if (!users.isEmpty() || !groups.isEmpty()) {
         builder.append(System.lineSeparator());
       }
 
@@ -93,9 +88,6 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
         if (groups.get(role) != null && !groups.get(role).isEmpty()) {
           lines.add("  Groups: " + StringUtils.join(groups.get(role), ", "));
         }
-        if (roles.get(role) != null && !roles.get(role).isEmpty()) {
-          lines.add("  Roles: " + StringUtils.join(roles.get(role), ", "));
-        }
       }
 
       builder.append(StringUtils.join(lines, System.lineSeparator()));
@@ -112,11 +104,6 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
       this.groups = groups;
       return this;
     }
-
-    public ClusterPrivilegeChangeRequestAuditEventBuilder withRoles(Map<String, List<String>> roles) {
-      this.roles = roles;
-      return this;
-    }
   }
 
   protected ClusterPrivilegeChangeRequestAuditEvent() {

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java
index 73c1aa6..11c558c 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java
@@ -18,9 +18,11 @@
 
 package org.apache.ambari.server.audit.event.request;
 
+import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.SortedSet;
 import java.util.TreeSet;
 
@@ -48,11 +50,6 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
     private Map<String, List<String>> groups;
 
     /**
-     * Roles with their roles
-     */
-    private Map<String, List<String>> roles;
-
-    /**
      * View name
      */
     private String name;
@@ -97,10 +94,9 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
       SortedSet<String> roleSet = new TreeSet<String>();
       roleSet.addAll(users.keySet());
       roleSet.addAll(groups.keySet());
-      roleSet.addAll(roles.keySet());
 
       builder.append(", Permissions(");
-      if (!users.isEmpty() || !groups.isEmpty() || !roles.isEmpty()) {
+      if (!users.isEmpty() || !groups.isEmpty()) {
         builder.append(System.lineSeparator());
       }
 
@@ -114,9 +110,6 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
         if (groups.get(role) != null && !groups.get(role).isEmpty()) {
           lines.add("  Groups: " + StringUtils.join(groups.get(role), ", "));
         }
-        if (roles.get(role) != null && !roles.get(role).isEmpty()) {
-          lines.add("  Roles: " + StringUtils.join(roles.get(role), ", "));
-        }
       }
 
       builder.append(StringUtils.join(lines, System.lineSeparator()));
@@ -148,11 +141,6 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
       this.groups = groups;
       return this;
     }
-
-    public ViewPrivilegeChangeRequestAuditEventBuilder withRoles(Map<String, List<String>> roles) {
-      this.roles = roles;
-      return this;
-    }
   }
 
   protected ViewPrivilegeChangeRequestAuditEvent() {

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java
index a7be8e1..5c476c6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java
@@ -33,6 +33,8 @@ import org.apache.ambari.server.audit.event.request.PrivilegeChangeRequestAuditE
 import org.apache.ambari.server.controller.internal.PrivilegeResourceProvider;
 import org.apache.ambari.server.controller.spi.Resource;
 import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
 
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Iterables;
@@ -86,7 +88,6 @@ public class PrivilegeEventCreator implements RequestAuditEventCreator {
 
     Map<String, List<String>> users = getEntities(request, PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME);
     Map<String, List<String>> groups = getEntities(request, PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME);
-    Map<String, List<String>> roles = getEntities(request, PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME);
 
     switch (request.getRequestType()) {
       case PUT:
@@ -98,7 +99,6 @@ public class PrivilegeEventCreator implements RequestAuditEventCreator {
           .withRemoteIp(request.getRemoteAddress())
           .withUsers(users)
           .withGroups(groups)
-          .withRoles(roles)
           .build();
       case POST:
         String role = users.isEmpty() ? Iterables.getFirst(groups.keySet(), null) : Iterables.getFirst(users.keySet(), null);

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
index 47983ff..56d35c0 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
@@ -32,6 +32,8 @@ import org.apache.ambari.server.audit.event.request.ViewPrivilegeChangeRequestAu
 import org.apache.ambari.server.controller.internal.ViewPrivilegeResourceProvider;
 import org.apache.ambari.server.controller.spi.Resource;
 import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
 
 import com.google.common.collect.ImmutableSet;
 
@@ -85,7 +87,6 @@ public class ViewPrivilegeEventCreator implements RequestAuditEventCreator {
 
     Map<String, List<String>> users = getEntities(request, PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME);
     Map<String, List<String>> groups = getEntities(request, PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME);
-    Map<String, List<String>> roles = getEntities(request, PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME);
 
     return ViewPrivilegeChangeRequestAuditEvent.builder()
       .withTimestamp(System.currentTimeMillis())
@@ -98,7 +99,6 @@ public class ViewPrivilegeEventCreator implements RequestAuditEventCreator {
       .withName(RequestAuditEventCreatorHelper.getProperty(request, ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID))
       .withUsers(users)
       .withGroups(groups)
-      .withRoles(roles)
       .build();
 
   }

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index 68ee67f..56e2398 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -876,7 +876,7 @@ public class AmbariServer {
         injector.getInstance(GroupDAO.class), injector.getInstance(PrincipalDAO.class),
         injector.getInstance(PermissionDAO.class), injector.getInstance(ResourceDAO.class));
     UserPrivilegeResourceProvider.init(injector.getInstance(UserDAO.class), injector.getInstance(ClusterDAO.class),
-        injector.getInstance(GroupDAO.class), injector.getInstance(ViewInstanceDAO.class), injector.getInstance(Users.class));
+        injector.getInstance(GroupDAO.class), injector.getInstance(ViewInstanceDAO.class), injector.getInstance(PrivilegeDAO.class));
     ClusterPrivilegeResourceProvider.init(injector.getInstance(ClusterDAO.class));
     AmbariPrivilegeResourceProvider.init(injector.getInstance(ClusterDAO.class));
     ActionManager.setTopologyManager(injector.getInstance(TopologyManager.class));

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
index bd17b6a..e5c95cb 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
@@ -1,4 +1,4 @@
-/*
+/**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
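Review bot: Changing the license header from `/*` to `/**` turns it into a Javadoc comment, and because it sits before the `package` declaration javadoc treats it as a dangling doc comment (doclint configurations warn on this). The license header should stay a plain block comment, i.e. keep `/*` on the first line; this is the only content of this hunk, so it can simply be dropped from the revert.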
@@ -22,7 +22,6 @@ import org.apache.ambari.server.controller.spi.Resource;
 import org.apache.ambari.server.orm.dao.ClusterDAO;
 import org.apache.ambari.server.orm.entities.ClusterEntity;
 import org.apache.ambari.server.orm.entities.GroupEntity;
-import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.apache.ambari.server.orm.entities.PrivilegeEntity;
 import org.apache.ambari.server.orm.entities.ResourceEntity;
 import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
@@ -149,10 +148,8 @@ public class AmbariPrivilegeResourceProvider extends PrivilegeResourceProvider<O
   protected Resource toResource(PrivilegeEntity privilegeEntity,
                                 Map<Long, UserEntity> userEntities,
                                 Map<Long, GroupEntity> groupEntities,
-                                Map<Long, PermissionEntity> roleEntities,
-                                Map<Long, Object> resourceEntities,
-                                Set<String> requestedIds) {
-    Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
+                                Map<Long, Object> resourceEntities, Set<String> requestedIds) {
+    Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
     if (resource != null) {
       ResourceEntity resourceEntity = privilegeEntity.getResource();
       ResourceTypeEntity type = resourceEntity.getResourceType();

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
index fb7bff3..8f37764 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
@@ -147,11 +147,10 @@ public class ClusterPrivilegeResourceProvider extends PrivilegeResourceProvider<
   protected Resource toResource(PrivilegeEntity privilegeEntity,
                                 Map<Long, UserEntity> userEntities,
                                 Map<Long, GroupEntity> groupEntities,
-                                Map<Long, PermissionEntity> roleEntities,
                                 Map<Long, ClusterEntity> resourceEntities,
                                 Set<String> requestedIds) {
 
-    Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
+    Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
     if (resource != null) {
       ClusterEntity clusterEntity = resourceEntities.get(privilegeEntity.getResource().getId());
       setResourceProperty(resource, PRIVILEGE_CLUSTER_NAME_PROPERTY_ID, clusterEntity.getClusterName(), requestedIds);

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java
index 4b71b47..94d1cad 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java
@@ -28,6 +28,7 @@ import org.apache.ambari.server.controller.spi.SystemException;
 import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
 import org.apache.ambari.server.orm.dao.ClusterDAO;
 import org.apache.ambari.server.orm.dao.GroupDAO;
+import org.apache.ambari.server.orm.dao.PrivilegeDAO;
 import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
 import org.apache.ambari.server.orm.entities.ClusterEntity;
 import org.apache.ambari.server.orm.entities.GroupEntity;
@@ -37,7 +38,6 @@ import org.apache.ambari.server.orm.entities.ViewEntity;
 import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
 import org.apache.ambari.server.security.authorization.*;
 
-import java.util.Collection;
 import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -81,10 +81,10 @@ public class GroupPrivilegeResourceProvider extends ReadOnlyResourceProvider {
   protected static ViewInstanceDAO viewInstanceDAO;
 
   /**
-   * Users (helper) object used to obtain privilege entities.
+   * Data access object used to obtain privilege entities.
    */
   @Inject
-  protected static Users users;
+  protected static PrivilegeDAO privilegeDAO;
 
   /**
    * The property ids for a privilege resource.
@@ -110,14 +110,14 @@ public class GroupPrivilegeResourceProvider extends ReadOnlyResourceProvider {
    *  @param clusterDAO      the cluster data access object
    * @param groupDAO        the group data access object
    * @param viewInstanceDAO the view instance data access object
-   * @param users           the users helper instance
+   * @param privilegeDAO
    */
   public static void init(ClusterDAO clusterDAO, GroupDAO groupDAO,
-                          ViewInstanceDAO viewInstanceDAO, Users users) {
+                          ViewInstanceDAO viewInstanceDAO, PrivilegeDAO privilegeDAO) {
     GroupPrivilegeResourceProvider.clusterDAO = clusterDAO;
     GroupPrivilegeResourceProvider.groupDAO = groupDAO;
     GroupPrivilegeResourceProvider.viewInstanceDAO = viewInstanceDAO;
-    GroupPrivilegeResourceProvider.users = users;
+    GroupPrivilegeResourceProvider.privilegeDAO = privilegeDAO;
   }
 
   @SuppressWarnings("serial")
@@ -180,7 +180,11 @@ public class GroupPrivilegeResourceProvider extends ReadOnlyResourceProvider {
           throw new SystemException("Group " + groupName + " was not found");
         }
 
-        final Collection<PrivilegeEntity> privileges = users.getGroupPrivileges(groupEntity);
+        final Set<PrivilegeEntity> privileges = groupEntity.getPrincipal().getPrivileges();
+
+        Set<PrivilegeEntity> allViewPrivilegesWithClusterPermission =
+          ClusterInheritedPermissionHelper.getViewPrivilegesWithClusterPermission(viewInstanceDAO, privilegeDAO, privileges);
+        privileges.addAll(allViewPrivilegesWithClusterPermission);
 
         for (PrivilegeEntity privilegeEntity : privileges) {
           resources.add(toResource(privilegeEntity, groupName, requestedIds));
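Review bot: `privileges` is the principal entity's own collection returned by `groupEntity.getPrincipal().getPrivileges()`, and the `privileges.addAll(allViewPrivilegesWithClusterPermission)` three lines later mutates it in place, so the inherited view privileges are folded into the managed state of that principal for the rest of the persistence session and, should the entity ever be flushed, could be written back as directly held grants. Take a copy before merging: `final Set<PrivilegeEntity> privileges = new HashSet<PrivilegeEntity>(groupEntity.getPrincipal().getPrivileges());` (HashSet is already imported). UserPrivilegeResourceProvider in this commit has the same pattern and additionally adds each group's privilege set into the user's managed collection. The enclosing getResources body starts and ends outside the hunk.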

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
index 07b98bd..34111df 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
@@ -1,4 +1,4 @@
-/*
+/**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -51,7 +51,7 @@ import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
 import org.apache.ambari.server.orm.entities.PrivilegeEntity;
 import org.apache.ambari.server.orm.entities.ResourceEntity;
 import org.apache.ambari.server.orm.entities.UserEntity;
-import org.apache.commons.lang.StringUtils;
+import org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper;
 
 /**
  * Abstract resource provider for privilege resources.
@@ -195,58 +195,35 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
 
       resourceIds.addAll(resourceEntities.keySet());
 
-      Set<PrivilegeEntity> entitySet = new HashSet<PrivilegeEntity>();
-      List<PrincipalEntity> userPrincipals = new LinkedList<PrincipalEntity>();
-      List<PrincipalEntity> groupPrincipals = new LinkedList<PrincipalEntity>();
-      List<PrincipalEntity> rolePrincipals = new LinkedList<PrincipalEntity>();
+      Set<PrivilegeEntity>  entitySet     = new HashSet<PrivilegeEntity>();
+      List<PrincipalEntity> principalList = new LinkedList<PrincipalEntity>();
 
       List<PrivilegeEntity> entities = privilegeDAO.findAll();
 
       for(PrivilegeEntity privilegeEntity : entities){
         if (resourceIds.contains(privilegeEntity.getResource().getId())) {
           PrincipalEntity principal = privilegeEntity.getPrincipal();
-          String principalType = principal.getPrincipalType().getName();
-
           entitySet.add(privilegeEntity);
-
-          if(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME.equals(principalType)) {
-            userPrincipals.add(principal);
-          }
-          else if(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME.equals(principalType)) {
-            groupPrincipals.add(principal);
-          }
-          else if(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME.equals(principalType)) {
-            rolePrincipals.add(principal);
-          }
+          principalList.add(principal);
         }
       }
 
       Map<Long, UserEntity> userEntities = new HashMap<Long, UserEntity>();
-      if(!userPrincipals.isEmpty()) {
-        List<UserEntity> userList = userDAO.findUsersByPrincipal(userPrincipals);
-        for (UserEntity userEntity : userList) {
-          userEntities.put(userEntity.getPrincipal().getId(), userEntity);
-        }
+      List<UserEntity>      userList     = userDAO.findUsersByPrincipal(principalList);
+
+      for (UserEntity userEntity : userList) {
+        userEntities.put(userEntity.getPrincipal().getId(), userEntity);
       }
 
       Map<Long, GroupEntity> groupEntities = new HashMap<Long, GroupEntity>();
-      if(!groupPrincipals.isEmpty()) {
-        List<GroupEntity> groupList = groupDAO.findGroupsByPrincipal(groupPrincipals);
-        for (GroupEntity groupEntity : groupList) {
-          groupEntities.put(groupEntity.getPrincipal().getId(), groupEntity);
-        }
-      }
+      List<GroupEntity>      groupList     = groupDAO.findGroupsByPrincipal(principalList);
 
-      Map<Long, PermissionEntity> roleEntities = new HashMap<Long, PermissionEntity>();
-      if (!rolePrincipals.isEmpty()){
-        List<PermissionEntity> roleList = permissionDAO.findPermissionsByPrincipal(rolePrincipals);
-        for (PermissionEntity roleEntity : roleList) {
-          roleEntities.put(roleEntity.getPrincipal().getId(), roleEntity);
-        }
+      for (GroupEntity groupEntity : groupList) {
+        groupEntities.put(groupEntity.getPrincipal().getId(), groupEntity);
       }
 
       for(PrivilegeEntity privilegeEntity : entitySet){
-        Resource resource = toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
+        Resource resource = toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
         if (resource != null && (predicate == null || predicate.evaluate(resource))) {
           resources.add(resource);
         }
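Review bot: `userDAO.findUsersByPrincipal(principalList)` and `groupDAO.findGroupsByPrincipal(principalList)` are now invoked unconditionally with the whole list, including when no privilege matched any resource id and the list is empty; unless those DAOs guard internally (not visible here), a JPQL `IN :principalList` over an empty collection is rejected by some persistence providers, so wrap both lookups in `if (!principalList.isEmpty()) { ... }`. Sending every principal to both DAOs also means each lookup scans principals of the other type; functionally harmless, but worth a one-line comment so the next reader does not take it for a bug. The enclosing method starts before the hunk.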
@@ -304,7 +281,6 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
    * @param privilegeEntity   the privilege entity to be converted
    * @param userEntities      the map of user entities keyed by resource id
    * @param groupEntities     the map of group entities keyed by resource id
-   * @param roleEntities      the map of role entities keyed by resource id
    * @param resourceEntities  the map of resource entities keyed by resource id
    * @param requestedIds      the requested property ids
    *
@@ -313,48 +289,29 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
   protected Resource toResource(PrivilegeEntity privilegeEntity,
                                 Map<Long, UserEntity> userEntities,
                                 Map<Long, GroupEntity> groupEntities,
-                                Map<Long, PermissionEntity> roleEntities,
                                 Map<Long, T> resourceEntities,
                                 Set<String> requestedIds) {
     Resource resource = new ResourceImpl(resourceType);
 
-    PrincipalEntity principal = privilegeEntity.getPrincipal();
-    String principalTypeName = null;
-    String resourcePropertyName = null;
-
-    if(principal != null) {
-      PrincipalTypeEntity principalType = principal.getPrincipalType();
-
-      if (principalType != null) {
-        Long principalId = principal.getId();
-
-        principalTypeName = principalType.getName();
-
-        if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME, principalTypeName)) {
-          GroupEntity groupEntity = groupEntities.get(principalId);
-          if (groupEntity != null) {
-            resourcePropertyName = groupEntity.getGroupName();
-          }
-        } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME, principalTypeName)) {
-          PermissionEntity roleEntity = roleEntities.get(principalId);
-          if (roleEntity != null) {
-            resourcePropertyName = roleEntity.getPermissionName();
-          }
-        } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME, principalTypeName)) {
-          UserEntity userEntity = userEntities.get(principalId);
-          if (userEntity != null) {
-            resourcePropertyName = userEntity.getUserName();
-          }
-        }
-      }
+    setResourceProperty(resource, PRIVILEGE_ID_PROPERTY_ID,
+        privilegeEntity.getId(), requestedIds);
+    setResourceProperty(resource, PERMISSION_NAME_PROPERTY_ID,
+        privilegeEntity.getPermission().getPermissionName(), requestedIds);
+    setResourceProperty(resource, PERMISSION_LABEL_PROPERTY_ID,
+        privilegeEntity.getPermission().getPermissionLabel(), requestedIds);
+
+    PrincipalEntity principal   = privilegeEntity.getPrincipal();
+    Long            principalId = principal.getId();
+
+    if (userEntities.containsKey(principalId)) {
+      UserEntity userEntity = userEntities.get(principalId);
+      setResourceProperty(resource, PRINCIPAL_NAME_PROPERTY_ID, userEntity.getUserName(), requestedIds);
+    } else if (groupEntities.containsKey(principalId)){
+      GroupEntity groupEntity = groupEntities.get(principalId);
+      setResourceProperty(resource, PRINCIPAL_NAME_PROPERTY_ID, groupEntity.getGroupName(), requestedIds);
     }
 
-    setResourceProperty(resource, PRIVILEGE_ID_PROPERTY_ID, privilegeEntity.getId(), requestedIds);
-    setResourceProperty(resource, PERMISSION_NAME_PROPERTY_ID, privilegeEntity.getPermission().getPermissionName(), requestedIds);
-    setResourceProperty(resource, PERMISSION_LABEL_PROPERTY_ID, privilegeEntity.getPermission().getPermissionLabel(), requestedIds);
-    setResourceProperty(resource, PRINCIPAL_NAME_PROPERTY_ID, resourcePropertyName, requestedIds);
-    setResourceProperty(resource, PRINCIPAL_TYPE_PROPERTY_ID, principalTypeName, requestedIds);
-
+    setResourceProperty(resource, PRINCIPAL_TYPE_PROPERTY_ID, principal.getPrincipalType().getName(), requestedIds);
     return resource;
   }
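Review bot: `principal.getId()` and, at the end of the method, `principal.getPrincipalType().getName()` dereference the principal and its type without any null check, so a privilege row whose principal or principal type is missing now fails with NullPointerException inside toResource rather than yielding a resource with null name/type; if the entity mapping does not guarantee both are non-null (not visible here), guard the type with `PrincipalTypeEntity principalType = principal.getPrincipalType();` and `setResourceProperty(resource, PRINCIPAL_TYPE_PROPERTY_ID, principalType == null ? null : principalType.getName(), requestedIds);`. A principal that is neither a user nor a group also leaves PRINCIPAL_NAME_PROPERTY_ID unset while PRINCIPAL_TYPE_PROPERTY_ID is set, which is worth stating in the method Javadoc (its `@return` lies above the hunk).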
 
@@ -382,21 +339,18 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
 
     String principalName = (String) properties.get(PRINCIPAL_NAME_PROPERTY_ID);
     String principalType = (String) properties.get(PRINCIPAL_TYPE_PROPERTY_ID);
-    if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME, principalType)) {
+    if (PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)) {
       GroupEntity groupEntity = groupDAO.findGroupByName(principalName);
       if (groupEntity != null) {
         entity.setPrincipal(principalDAO.findById(groupEntity.getPrincipal().getId()));
       }
-    } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME, principalType)) {
-      PermissionEntity permissionEntity = permissionDAO.findByName(principalName);
-      if (permissionEntity != null) {
-        entity.setPrincipal(principalDAO.findById(permissionEntity.getPrincipal().getId()));
-      }
-    } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME, principalType)) {
+    } else if (PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)) {
       UserEntity userEntity = userDAO.findUserByName(principalName);
       if (userEntity != null) {
         entity.setPrincipal(principalDAO.findById(userEntity.getPrincipal().getId()));
       }
+    } else if (ClusterInheritedPermissionHelper.isValidPrincipalType(principalType)) {
+      entity.setPrincipal(principalDAO.findByPrincipalType(principalType).get(0)); // There will be only one principal for that type
     } else {
       throw new AmbariException("Unknown principal type " + principalType);
     }
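Review bot: `principalDAO.findByPrincipalType(principalType).get(0)` throws IndexOutOfBoundsException when no principal row exists for that type, and the trailing comment asserts a uniqueness that nothing in this method enforces. Handle the empty result explicitly so a misconfigured principal table surfaces as a domain error: `List<PrincipalEntity> principals = principalDAO.findByPrincipalType(principalType);` / `if (principals.isEmpty()) { throw new AmbariException("No principal found for type " + principalType); }` / `entity.setPrincipal(principals.get(0));`. The enclosing method starts and ends outside the hunk.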

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
index 009c38b..bdd73a6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
@@ -1,4 +1,4 @@
-/*
+/**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -17,6 +17,8 @@
  */
 package org.apache.ambari.server.controller.internal;
 
+import com.google.common.base.Function;
+import com.google.common.collect.FluentIterable;
 import org.apache.ambari.server.controller.spi.NoSuchParentResourceException;
 import org.apache.ambari.server.controller.spi.NoSuchResourceException;
 import org.apache.ambari.server.controller.spi.Predicate;
@@ -26,23 +28,26 @@ import org.apache.ambari.server.controller.spi.SystemException;
 import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
 import org.apache.ambari.server.orm.dao.ClusterDAO;
 import org.apache.ambari.server.orm.dao.GroupDAO;
+import org.apache.ambari.server.orm.dao.PrivilegeDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
 import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
 import org.apache.ambari.server.orm.entities.ClusterEntity;
 import org.apache.ambari.server.orm.entities.GroupEntity;
+import org.apache.ambari.server.orm.entities.MemberEntity;
 import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
 import org.apache.ambari.server.orm.entities.PrivilegeEntity;
+import org.apache.ambari.server.orm.entities.ResourceEntity;
 import org.apache.ambari.server.orm.entities.UserEntity;
 import org.apache.ambari.server.orm.entities.ViewEntity;
 import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
 import org.apache.ambari.server.security.authorization.AuthorizationException;
 import org.apache.ambari.server.security.authorization.AuthorizationHelper;
+import org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper;
 import org.apache.ambari.server.security.authorization.ResourceType;
 import org.apache.ambari.server.security.authorization.RoleAuthorization;
 import org.apache.ambari.server.security.authorization.UserType;
-import org.apache.ambari.server.security.authorization.Users;
 
-import java.util.Collection;
+import javax.annotation.Nullable;
 import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -54,17 +59,17 @@ import java.util.Set;
  */
 public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
 
-  protected static final String PRIVILEGE_PRIVILEGE_ID_PROPERTY_ID = PrivilegeResourceProvider.PRIVILEGE_ID_PROPERTY_ID;
+  protected static final String PRIVILEGE_PRIVILEGE_ID_PROPERTY_ID    = PrivilegeResourceProvider.PRIVILEGE_ID_PROPERTY_ID;
   protected static final String PRIVILEGE_PERMISSION_NAME_PROPERTY_ID = PrivilegeResourceProvider.PERMISSION_NAME_PROPERTY_ID;
   protected static final String PRIVILEGE_PERMISSION_LABEL_PROPERTY_ID = PrivilegeResourceProvider.PERMISSION_LABEL_PROPERTY_ID;
-  protected static final String PRIVILEGE_PRINCIPAL_NAME_PROPERTY_ID = PrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID;
-  protected static final String PRIVILEGE_PRINCIPAL_TYPE_PROPERTY_ID = PrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID;
-  protected static final String PRIVILEGE_VIEW_NAME_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_NAME_PROPERTY_ID;
-  protected static final String PRIVILEGE_VIEW_VERSION_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_VERSION_PROPERTY_ID;
-  protected static final String PRIVILEGE_INSTANCE_NAME_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID;
-  protected static final String PRIVILEGE_CLUSTER_NAME_PROPERTY_ID = ClusterPrivilegeResourceProvider.PRIVILEGE_CLUSTER_NAME_PROPERTY_ID;
-  protected static final String PRIVILEGE_TYPE_PROPERTY_ID = AmbariPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID;
-  protected static final String PRIVILEGE_USER_NAME_PROPERTY_ID = "PrivilegeInfo/user_name";
+  protected static final String PRIVILEGE_PRINCIPAL_NAME_PROPERTY_ID  = PrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID;
+  protected static final String PRIVILEGE_PRINCIPAL_TYPE_PROPERTY_ID  = PrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID;
+  protected static final String PRIVILEGE_VIEW_NAME_PROPERTY_ID       = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_NAME_PROPERTY_ID;
+  protected static final String PRIVILEGE_VIEW_VERSION_PROPERTY_ID    = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_VERSION_PROPERTY_ID;
+  protected static final String PRIVILEGE_INSTANCE_NAME_PROPERTY_ID   = ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID;
+  protected static final String PRIVILEGE_CLUSTER_NAME_PROPERTY_ID    = ClusterPrivilegeResourceProvider.PRIVILEGE_CLUSTER_NAME_PROPERTY_ID;
+  protected static final String PRIVILEGE_TYPE_PROPERTY_ID            = AmbariPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID;
+  protected static final String PRIVILEGE_USER_NAME_PROPERTY_ID       = "PrivilegeInfo/user_name";
 
   /**
    * Data access object used to obtain user entities.
@@ -87,9 +92,9 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
   protected static ViewInstanceDAO viewInstanceDAO;
 
   /**
-   * Helper to obtain privilege data for requested users
+   * DAO used to obtain privilege entities.
    */
-  private static Users users;
+  protected static PrivilegeDAO privilegeDAO;
 
   /**
    * The property ids for a privilege resource.
@@ -115,15 +120,15 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
    * @param clusterDAO      the cluster data access object
    * @param groupDAO        the group data access object
    * @param viewInstanceDAO the view instance data access object
-   * @param users           the Users helper object
+   * @param privilegeDAO
    */
   public static void init(UserDAO userDAO, ClusterDAO clusterDAO, GroupDAO groupDAO,
-                          ViewInstanceDAO viewInstanceDAO, Users users) {
+                          ViewInstanceDAO viewInstanceDAO, PrivilegeDAO privilegeDAO) {
     UserPrivilegeResourceProvider.userDAO         = userDAO;
     UserPrivilegeResourceProvider.clusterDAO      = clusterDAO;
     UserPrivilegeResourceProvider.groupDAO        = groupDAO;
     UserPrivilegeResourceProvider.viewInstanceDAO = viewInstanceDAO;
-    UserPrivilegeResourceProvider.users           = users;
+    UserPrivilegeResourceProvider.privilegeDAO    = privilegeDAO;
   }
 
   @SuppressWarnings("serial")
@@ -194,7 +199,15 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
           throw new SystemException("User " + userName + " was not found");
         }
 
-        final Collection<PrivilegeEntity> privileges = users.getUserPrivileges(userEntity);
+        final Set<PrivilegeEntity> privileges = userEntity.getPrincipal().getPrivileges();
+
+        for (MemberEntity membership : userEntity.getMemberEntities()) {
+          privileges.addAll(membership.getGroup().getPrincipal().getPrivileges());
+        }
+
+        Set<PrivilegeEntity> allViewPrivilegesWithClusterPermission =
+          ClusterInheritedPermissionHelper.getViewPrivilegesWithClusterPermission(viewInstanceDAO, privilegeDAO, privileges);
+        privileges.addAll(allViewPrivilegesWithClusterPermission);
 
         for (PrivilegeEntity privilegeEntity : privileges) {
           resources.add(toResource(privilegeEntity, userName, requestedIds));

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
index 7182f4c..e5bd224 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
@@ -1,4 +1,4 @@
-/*
+/**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -191,10 +191,8 @@ public class ViewPrivilegeResourceProvider extends PrivilegeResourceProvider<Vie
   protected Resource toResource(PrivilegeEntity privilegeEntity,
                                 Map<Long, UserEntity> userEntities,
                                 Map<Long, GroupEntity> groupEntities,
-                                Map<Long, PermissionEntity> roleEntities,
-                                Map<Long, ViewInstanceEntity> resourceEntities,
-                                Set<String> requestedIds) {
-    Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
+                                Map<Long, ViewInstanceEntity> resourceEntities, Set<String> requestedIds) {
+    Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
     if (resource != null) {
 
       ViewInstanceEntity viewInstanceEntity = resourceEntities.get(privilegeEntity.getResource().getId());
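Review bot: The new signature line `Map<Long, ViewInstanceEntity> resourceEntities, Set<String> requestedIds) {` puts two parameters on one line while the three above it are aligned one per line; splitting `Set<String> requestedIds) {` onto its own aligned line keeps the override consistent with the other toResource overrides in this commit. The method body continues outside the hunk.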

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java
index c844ab6..88d9775 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java
@@ -1,4 +1,4 @@
-/*
+/**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -18,7 +18,6 @@
 
 package org.apache.ambari.server.orm.dao;
 
-import java.util.Collections;
 import java.util.List;
 
 import javax.persistence.EntityManager;
@@ -26,7 +25,6 @@ import javax.persistence.TypedQuery;
 
 import org.apache.ambari.server.orm.RequiresSession;
 import org.apache.ambari.server.orm.entities.PermissionEntity;
-import org.apache.ambari.server.orm.entities.PrincipalEntity;
 import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
 
 import com.google.inject.Inject;
@@ -82,37 +80,6 @@ public class PermissionDAO {
   }
 
   /**
-   * Find a permission entity with the given name.
-   *
-   * @param name  permission name
-   *
-   * @return  a matching permission entity or null
-   */
-  @RequiresSession
-  public PermissionEntity findByName(String name) {
-    TypedQuery<PermissionEntity> query = entityManagerProvider.get().createNamedQuery("PermissionEntity.findByName", PermissionEntity.class);
-    query.setParameter("permissionName", name);
-    return daoUtils.selectSingle(query);
-  }
-
-  /**
-   * Find the permission entities for the given list of principals
-   *
-   * @param principalList  the list of principal entities
-   *
-   * @return the list of permissions (or roles) matching the query
-   */
-  @RequiresSession
-  public List<PermissionEntity> findPermissionsByPrincipal(List<PrincipalEntity> principalList) {
-    if (principalList == null || principalList.isEmpty()) {
-      return Collections.emptyList();
-    }
-    TypedQuery<PermissionEntity> query = entityManagerProvider.get().createNamedQuery("PermissionEntity.findByPrincipals", PermissionEntity.class);
-    query.setParameter("principalList", principalList);
-    return daoUtils.selectList(query);
-  }
-
-  /**
    * Find all permission entities.
    *
    * @return all entities or an empty List

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java
index 45a1658..efbdfab 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java
@@ -1,4 +1,4 @@
-/*
+/**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -121,15 +121,4 @@ public class PrincipalDAO {
   public PrincipalEntity merge(PrincipalEntity entity) {
     return entityManagerProvider.get().merge(entity);
   }
-
-  /**
-   * Remove the entity instance.
-   *
-   * @param entity  entity to remove
-   */
-  @Transactional
-  public void remove(PrincipalEntity entity) {
-    entityManagerProvider.get().remove(entity);
-  }
-
 }

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java
index 17628c6..7823d56 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java
@@ -1,4 +1,4 @@
-/*
+/**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -60,20 +60,6 @@ public class PrincipalTypeDAO {
   }
 
   /**
-   * Find a principal type entity with the given name.
-   *
-   * @param name  principal type name
-   *
-   * @return  a matching principal type entity or null
-   */
-  @RequiresSession
-  public PrincipalTypeEntity findByName(String name) {
-    TypedQuery<PrincipalTypeEntity> query = entityManagerProvider.get().createNamedQuery("PrincipalTypeEntity.findByName", PrincipalTypeEntity.class);
-    query.setParameter("name", name);
-    return daoUtils.selectSingle(query);
-  }
-
-  /**
    * Find all principal types.
    *
    * @return all principal types or an empty List
@@ -100,16 +86,6 @@ public class PrincipalTypeDAO {
   }
 
   /**
-   * Remove the entity instance.
-   *
-   * @param entity entity to remove
-   */
-  @Transactional
-  public void remove(PrincipalTypeEntity entity) {
-    entityManagerProvider.get().remove(entity);
-  }
-
-  /**
    * Creates and returns principal type if it wasn't persisted yet.
    *
    * @param principalType id of principal type
@@ -128,9 +104,6 @@ public class PrincipalTypeDAO {
         case PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE:
           principalTypeEntity.setName(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME);
           break;
-        case PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE:
-          principalTypeEntity.setName(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME);
-          break;
         default:
           throw new IllegalArgumentException("Unknown principal type ID=" + principalType);
       }

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
index b6f1557..f091bab 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
@@ -29,8 +29,6 @@ import javax.persistence.JoinColumns;
 import javax.persistence.JoinTable;
 import javax.persistence.ManyToMany;
 import javax.persistence.ManyToOne;
-import javax.persistence.NamedQueries;
-import javax.persistence.NamedQuery;
 import javax.persistence.OneToOne;
 import javax.persistence.Table;
 import javax.persistence.TableGenerator;
@@ -46,10 +44,6 @@ import java.util.Collection;
     , pkColumnValue = "permission_id_seq"
     , initialValue = 100
 )
-@NamedQueries({
-    @NamedQuery(name = "PermissionEntity.findByName", query = "SELECT p FROM PermissionEntity p WHERE p.permissionName = :permissionName"),
-    @NamedQuery(name = "PermissionEntity.findByPrincipals", query = "SELECT p FROM PermissionEntity p WHERE p.principal IN :principalList")
-})
 public class PermissionEntity {
 
   /**

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java
index 31e11e6..716d4f7 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java
@@ -1,4 +1,4 @@
-/*
+/**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -30,9 +30,6 @@ import javax.persistence.*;
     , pkColumnValue = "principal_type_id_seq"
     , initialValue = 100
 )
-@NamedQueries({
-    @NamedQuery(name = "PrincipalTypeEntity.findByName", query = "SELECT p FROM PrincipalTypeEntity p WHERE p.name = :name")
-})
 public class PrincipalTypeEntity {
 
   /**
@@ -40,11 +37,19 @@ public class PrincipalTypeEntity {
    */
   public static final int USER_PRINCIPAL_TYPE  = 1;
   public static final int GROUP_PRINCIPAL_TYPE = 2;
-  public static final int ROLE_PRINCIPAL_TYPE = 8;
+  public static final int CLUSTER_ADMINISTRATOR_PRINCIPAL_TYPE = 3;
+  public static final int CLUSTER_OPERATOR_PRINCIPAL_TYPE = 4;
+  public static final int CLUSTER_USER_PRINCIPAL_TYPE = 5;
+  public static final int SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE = 6;
+  public static final int SERVICE_OPERATOR_PRINCIPAL_TYPE = 7;
 
   public static final String USER_PRINCIPAL_TYPE_NAME  = "USER";
   public static final String GROUP_PRINCIPAL_TYPE_NAME = "GROUP";
-  public static final String ROLE_PRINCIPAL_TYPE_NAME = "ROLE";
+  public static final String CLUSTER_ADMINISTRATOR_PRINCIPAL_TYPE_NAME = "ALL.CLUSTER.ADMINISTRATOR";
+  public static final String CLUSTER_OPERATOR_PRINCIPAL_TYPE_NAME = "ALL.CLUSTER.OPERATOR";
+  public static final String CLUSTER_USER_PRINCIPAL_TYPE_NAME = "ALL.CLUSTER.USER";
+  public static final String SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE_NAME = "ALL.SERVICE.ADMINISTRATOR";
+  public static final String SERVICE_OPERATOR_PRINCIPAL_TYPE_NAME = "ALL.SERVICE.OPERATOR";
 
   /**
    * The type id.
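Review bot: The restored `*_PRINCIPAL_TYPE_NAME` constants encode a convention — the `ALL.` prefix marks a cluster-inherited pseudo-principal and the remainder is a permission name — that `ClusterInheritedPermissionHelper` in this same commit parses with `startsWith("ALL.")` and `substring(4)`, but nothing next to the constants says so. Add a comment above the name group such as `// Names prefixed with "ALL." are cluster-inherited pseudo-principal types; the prefix and the permission name after it are parsed by ClusterInheritedPermissionHelper, so neither may change independently.` The numeric ids 3–7 presumably match rows persisted in the principal-type table, so a similar one-line note that they are stable identifiers would help the next maintainer; confirm against the DDL before stating it.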

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
index e875e8a..8639a2f 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
@@ -17,6 +17,9 @@
  */
 package org.apache.ambari.server.security.authorization;
 
+import com.google.common.base.Function;
+import com.google.common.base.Predicate;
+import com.google.common.collect.FluentIterable;
 import com.google.common.collect.Lists;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
@@ -27,6 +30,7 @@ import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.apache.ambari.server.orm.entities.PrivilegeEntity;
 import org.apache.ambari.server.orm.entities.ResourceEntity;
 import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity;
+import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.core.Authentication;
@@ -43,10 +47,10 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 
+@Singleton
 /**
  * Provides utility methods for authentication functionality
  */
-@Singleton
 public class AuthorizationHelper {
   private final static Logger LOG = LoggerFactory.getLogger(AuthorizationHelper.class);
 
@@ -226,8 +230,56 @@ public class AuthorizationHelper {
         }
       }
 
-      return false;
+      // Check if the resourceId is a view.
+      // Get all privileges for the resourceId and the principal associated for them should be of all cluster/service
+      // type.
+      // Now from the authorities check if the user privileges with CLUSTER/SERVICE type permission and has access to
+      // cluster resource with the permission.
+      // Then if the permission type matches the cluster/service type principal(names) then the user should have access
+      // to those views.
+
+      if(resourceId == null) {
+        return false;
+      }
+
+      ViewInstanceDAO viewInstanceDAO = viewInstanceDAOProvider.get();
+
+      ViewInstanceEntity instanceEntity = viewInstanceDAO.findByResourceId(resourceId);
+      if(instanceEntity == null || instanceEntity.getClusterHandle() == null) {
+        return false;
+      }
+
+      PrivilegeDAO privilegeDAO = privilegeDAOProvider.get();
+
+      final Set<String> privilegeNames = FluentIterable.from(privilegeDAO.findByResourceId(resourceId))
+        .filter(ClusterInheritedPermissionHelper.privilegeWithClusterInheritedPermissionTypePredicate)
+        .transform(ClusterInheritedPermissionHelper.permissionNameFromClusterInheritedPrivilege)
+        .toSet();
+
+      return FluentIterable.from(authentication.getAuthorities())
+        .filter(new Predicate<GrantedAuthority>() {
+          @Override
+          public boolean apply(GrantedAuthority grantedAuthority) {
+            AmbariGrantedAuthority authority = (AmbariGrantedAuthority) grantedAuthority;
+            PrivilegeEntity privilege = authority.getPrivilegeEntity();
+            String resourceTypeName = privilege.getResource().getResourceType().getName();
+            return ResourceType.translate(resourceTypeName) == ResourceType.CLUSTER;
+          }
+        }).transform(new Function<GrantedAuthority, PermissionEntity>() {
+          @Override
+          public PermissionEntity apply(GrantedAuthority grantedAuthority) {
+            AmbariGrantedAuthority authority = (AmbariGrantedAuthority) grantedAuthority;
+            PrivilegeEntity privilege = authority.getPrivilegeEntity();
+            return privilege.getPermission();
+          }
+        }).anyMatch(new Predicate<PermissionEntity>() {
+          @Override
+          public boolean apply(PermissionEntity input) {
+            return privilegeNames.contains(input.getPermissionName());
+          }
+        });
     }
+
   }
 
   /**
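Review bot: The final `anyMatch` grants access when the user holds a CLUSTER-type privilege whose permission name matches, on any cluster: `instanceEntity.getClusterHandle()` is only checked for non-null and is never compared against the cluster resource of the authority's privilege, so unless the enclosing method (which starts outside the hunk) already restricts this, a cluster-level role on one cluster would satisfy a view bound to a different cluster. Extend the first predicate to also require that `privilege.getResource()` identifies the cluster referenced by `instanceEntity.getClusterHandle()`; `ClusterInheritedPermissionHelper.getViewPrivilegesWithClusterPermission` in this commit has the same omission. Separately, `(AmbariGrantedAuthority) grantedAuthority` is an unchecked cast over everything in `authentication.getAuthorities()`; guard it in the predicate with `if (!(grantedAuthority instanceof AmbariGrantedAuthority)) { return false; }` so a foreign authority yields "not authorized" rather than a ClassCastException. The three anonymous classes would read more clearly as named private helpers with a one-line purpose comment each.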

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java
new file mode 100644
index 0000000..9922bb2
--- /dev/null
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java
@@ -0,0 +1,213 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ambari.server.security.authorization;
+
+import com.google.common.base.Function;
+import com.google.common.base.Predicate;
+import com.google.common.collect.FluentIterable;
+import org.apache.ambari.server.orm.dao.PrivilegeDAO;
+import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
+import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
+import org.apache.ambari.server.orm.entities.PrivilegeEntity;
+import org.apache.ambari.server.orm.entities.ResourceEntity;
+import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
+
+import javax.annotation.Nullable;
+import java.util.Collection;
+import java.util.Set;
+
+
+/**
+ * Helper class to take care of the cluster inherited permission for any view.
+ */
+public class ClusterInheritedPermissionHelper {
+
+  /**
+   * Predicate which validates if the principalType passed is valid or not.
+   */
+  public static final Predicate<String> validPrincipalTypePredicate = new Predicate<String>() {
+    @Override
+    public boolean apply(String principalType) {
+      return isValidPrincipalType(principalType);
+    }
+  };
+
+  /**
+   * Predicate which validates if the privilegeEntity has resourceEntity of type {@see ResourceType.CLUSTER}
+   */
+  public static final Predicate<PrivilegeEntity> clusterPrivilegesPredicate = new Predicate<PrivilegeEntity>() {
+    @Override
+    public boolean apply(PrivilegeEntity privilegeEntity) {
+      String resourceTypeName = privilegeEntity.getResource().getResourceType().getName();
+      return ResourceType.translate(resourceTypeName) == ResourceType.CLUSTER;
+    }
+  };
+
+  /**
+   * Predicate which validates if view instance entity is cluster associated
+   */
+  public static final Predicate<ViewInstanceEntity> clusterAssociatedViewInstancePredicate = new Predicate<ViewInstanceEntity>() {
+    @Override
+    public boolean apply(ViewInstanceEntity viewInstanceEntity) {
+      return viewInstanceEntity.getClusterHandle() != null;
+    }
+  };
+
+  /**
+   * Predicate to validate if the privilege entity has a principal which has a cluster inherited principal type
+   */
+  public static final Predicate<PrivilegeEntity> privilegeWithClusterInheritedPermissionTypePredicate = new Predicate<PrivilegeEntity>() {
+    @Override
+    public boolean apply(PrivilegeEntity privilegeEntity) {
+      String principalTypeName = privilegeEntity.getPrincipal().getPrincipalType().getName();
+      return principalTypeName.startsWith("ALL.");
+    }
+  };
+
+  /**
+   * Mapper to return the Permission Name from the cluster inherited privilege name. Example: "ALL.CLUSTER.USER" becomes "CLUSTER.USER"
+   */
+  public static final Function<PrivilegeEntity, String> permissionNameFromClusterInheritedPrivilege = new Function<PrivilegeEntity, String>() {
+    @Override
+    public String apply(PrivilegeEntity input) {
+      return input.getPrincipal().getPrincipalType().getName().substring(4);
+    }
+  };
+
+  /**
+   * Mapper to return resources from view instance entity.
+   */
+  public static final Function<ViewInstanceEntity, ResourceEntity> resourceFromViewInstanceMapper = new Function<ViewInstanceEntity, ResourceEntity>() {
+    @Override
+    public ResourceEntity apply(ViewInstanceEntity viewInstanceEntity) {
+      return viewInstanceEntity.getResource();
+    }
+  };
+
+  /**
+   * Mapper to return all privileges from resource entity
+   */
+  public static final Function<ResourceEntity, Iterable<PrivilegeEntity>> allPrivilegesFromResoucesMapper = new Function<ResourceEntity, Iterable<PrivilegeEntity>>() {
+    @Override
+    public Iterable<PrivilegeEntity> apply(ResourceEntity resourceEntity) {
+      return resourceEntity.getPrivileges();
+    }
+  };
+
+  /**
+   * Mapper to return permission name from privilege
+   */
+  public static final Function<PrivilegeEntity, String> permissionNameFromPrivilegeMapper = new Function<PrivilegeEntity, String>() {
+    @Override
+    public String apply(PrivilegeEntity privilegeEntity) {
+      return privilegeEntity.getPermission().getPermissionName();
+    }
+  };
+
+  /**
+   * Predicate to validate if the cluster inherited principal type for privilege entity is present in the valid permission type set passed
+   * @param validSet - valid set of permission types
+   * @return Predicate to check the condition
+   */
+  public static final Predicate<PrivilegeEntity> principalTypeInSetFrom(final Collection<String> validSet) {
+    return new Predicate<PrivilegeEntity>() {
+      @Override
+      public boolean apply(PrivilegeEntity privilegeEntity) {
+        String permissionName = privilegeEntity.getPrincipal().getPrincipalType().getName().substring(4);
+        return validSet.contains(permissionName);
+      }
+    };
+  }
+
+  /**
+   * Predicate to filter out privileges which are already existing in the passed privileges set.
+   * @param existingPrivileges - Privileges set to which the comparison will be made
+   * @return Predicate to check the validation
+   */
+  public static Predicate<PrivilegeEntity> removeIfExistingPrivilegePredicate(final Set<PrivilegeEntity> existingPrivileges) {
+    return new Predicate<PrivilegeEntity>() {
+      @Override
+      public boolean apply(final PrivilegeEntity privilegeEntity) {
+        return !FluentIterable.from(existingPrivileges).anyMatch(new com.google.common.base.Predicate<PrivilegeEntity>() {
+          @Override
+          public boolean apply(PrivilegeEntity directPrivilegeEntity) {
+            return directPrivilegeEntity.getResource().getId().equals(privilegeEntity.getResource().getId())
+              && directPrivilegeEntity.getPermission().getId().equals(privilegeEntity.getPermission().getId());
+          }
+        });
+      }
+    };
+  }
+
+  /**
+   * Validates if the principal type is valid for cluster inherited permissions.
+   * @param principalType - Principal type
+   * @return true if the principalType is in ("ALL.CLUSTER.ADMINISTRATOR", "ALL.CLUSTER.OPERATOR",
+   * "ALL.CLUSTER.USER", "ALL.SERVICE.OPERATOR", "ALL.SERVICE.USER")
+   */
+  public static boolean isValidPrincipalType(String principalType) {
+    return PrincipalTypeEntity.CLUSTER_ADMINISTRATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
+      || PrincipalTypeEntity.CLUSTER_OPERATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
+      || PrincipalTypeEntity.CLUSTER_USER_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
+      || PrincipalTypeEntity.SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
+      || PrincipalTypeEntity.SERVICE_OPERATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType);
+  }
+
+  /**
+   * Returns the view privileges for which cluster permissions has been specified. This filters out all the privileges
+   * which are related to view resources attached to a cluster and are configured to have cluster level permissions. Then
+   * It checks if the user has cluster level permissions and further filters down the privilege list to the ones for which
+   * the user should have privilege.
+   * @param userDirectPrivileges - direct privileges for the user.
+   * @return - Filtered list of privileges for view resource for which the user should have access.
+   */
+  public static Set<PrivilegeEntity> getViewPrivilegesWithClusterPermission(final ViewInstanceDAO viewInstanceDAO, final PrivilegeDAO privilegeDAO,
+                                                                            final Set<PrivilegeEntity> userDirectPrivileges) {
+
+    final Set<String> clusterPrivileges = FluentIterable.from(userDirectPrivileges)
+      .filter(ClusterInheritedPermissionHelper.clusterPrivilegesPredicate)
+      .transform(ClusterInheritedPermissionHelper.permissionNameFromPrivilegeMapper)
+      .toSet();
+
+    Set<Long> resourceIds = FluentIterable.from(viewInstanceDAO.findAll())
+      .filter(ClusterInheritedPermissionHelper.clusterAssociatedViewInstancePredicate)
+      .transform(ClusterInheritedPermissionHelper.resourceFromViewInstanceMapper)
+      .transform(new Function<ResourceEntity, Long>() {
+        @Nullable
+        @Override
+        public Long apply(@Nullable ResourceEntity input) {
+          return input.getId();
+        }
+      }).toSet();
+
+    Set<PrivilegeEntity> allPrivileges = FluentIterable.from(resourceIds)
+      .transformAndConcat(new Function<Long, Iterable<PrivilegeEntity>>() {
+        @Nullable
+        @Override
+        public Iterable<PrivilegeEntity> apply(@Nullable Long input) {
+          return privilegeDAO.findByResourceId(input);
+        }
+      }).toSet();
+
+    return FluentIterable.from(allPrivileges)
+      .filter(ClusterInheritedPermissionHelper.privilegeWithClusterInheritedPermissionTypePredicate)
+      .filter(ClusterInheritedPermissionHelper.principalTypeInSetFrom(clusterPrivileges))
+      .filter(ClusterInheritedPermissionHelper.removeIfExistingPrivilegePredicate(userDirectPrivileges))
+      .toSet();
+  }
+}
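Review bot: The Javadoc on `isValidPrincipalType` lists `"ALL.SERVICE.USER"` but the method checks `SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE_NAME`; the `@return` line should read `"ALL.CLUSTER.USER", "ALL.SERVICE.ADMINISTRATOR", "ALL.SERVICE.OPERATOR"`. `isValidPrincipalType` compares with `equalsIgnoreCase`, while `privilegeWithClusterInheritedPermissionTypePredicate` uses a case-sensitive `startsWith("ALL.")` and the two mappers hard-code `substring(4)`, so a type name that passes validation in lower case is silently dropped by the filters; define `private static final String INHERITED_PREFIX = "ALL.";` and use `startsWith(INHERITED_PREFIX)` / `substring(INHERITED_PREFIX.length())` in the predicate, `permissionNameFromClusterInheritedPrivilege` and `principalTypeInSetFrom` so the three stay in step (and `principalTypeInSetFrom` should check the prefix itself, since it only works standalone on names that happen to be at least four characters). The `@Nullable` on `input` in the two mappers inside `getViewPrivilegesWithClusterPermission` contradicts the immediate `input.getId()` / `findByResourceId(input)` dereference — drop the annotation or handle null. Minor: `allPrivilegesFromResoucesMapper` is misspelled, `public static final` on a static method is redundant, and a utility class of this shape conventionally gets a private constructor.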

http://git-wip-us.apache.org/repos/asf/ambari/blob/b90b2863/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
index eee721a..a4f0031 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
@@ -705,96 +705,6 @@ public class Users {
   }
 
   /**
-   * Gets the explicit and implicit privileges for the given user.
-   * <p>
-   * The explicit privileges are the privileges that have be explicitly set by assigning roles to
-   * a user.  For example the Cluster Operator role on a given cluster gives that the ability to
-   * start and stop services in that cluster, among other privileges for that particular cluster.
-   * <p>
-   * The implicit privileges are the privileges that have been given to the roles themselves which
-   * in turn are granted to the users that have been assigned those roles. For example if the
-   * Cluster User role for a given cluster has been given View User access on a specified File View
-   * instance, then all users who have the Cluster User role for that cluster will implicitly be
-   * granted View User access on that File View instance.
-   *
-   * @param userEntity the relevant user
-   * @return the collection of implicit and explicit privileges
-   */
-  public Collection<PrivilegeEntity> getUserPrivileges(UserEntity userEntity) {
-    if (userEntity == null) {
-      return Collections.emptyList();
-    }
-
-    // get all of the privileges for the user
-    List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
-
-    principalEntities.add(userEntity.getPrincipal());
-
-    List<MemberEntity> memberEntities = memberDAO.findAllMembersByUser(userEntity);
-
-    for (MemberEntity memberEntity : memberEntities) {
-      principalEntities.add(memberEntity.getGroup().getPrincipal());
-    }
-
-    List<PrivilegeEntity> explicitPrivilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
-    List<PrivilegeEntity> implicitPrivilegeEntities = getImplicitPrivileges(explicitPrivilegeEntities);
-    List<PrivilegeEntity> privilegeEntities;
-
-    if(implicitPrivilegeEntities.isEmpty()) {
-      privilegeEntities = explicitPrivilegeEntities;
-    }
-    else {
-      privilegeEntities = new LinkedList<PrivilegeEntity>();
-      privilegeEntities.addAll(explicitPrivilegeEntities);
-      privilegeEntities.addAll(implicitPrivilegeEntities);
-    }
-
-    return privilegeEntities;
-  }
-
-  /**
-   * Gets the explicit and implicit privileges for the given group.
-   * <p>
-   * The explicit privileges are the privileges that have be explicitly set by assigning roles to
-   * a group.  For example the Cluster Operator role on a given cluster gives that the ability to
-   * start and stop services in that cluster, among other privileges for that particular cluster.
-   * <p>
-   * The implicit privileges are the privileges that have been given to the roles themselves which
-   * in turn are granted to the groups that have been assigned those roles. For example if the
-   * Cluster User role for a given cluster has been given View User access on a specified File View
-   * instance, then all groups that have the Cluster User role for that cluster will implicitly be
-   * granted View User access on that File View instance.
-   *
-   * @param groupEntity the relevant group
-   * @return the collection of implicit and explicit privileges
-   */
-  public Collection<PrivilegeEntity> getGroupPrivileges(GroupEntity groupEntity) {
-    if (groupEntity == null) {
-      return Collections.emptyList();
-    }
-
-    // get all of the privileges for the group
-    List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
-
-    principalEntities.add(groupEntity.getPrincipal());
-
-    List<PrivilegeEntity> explicitPrivilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
-    List<PrivilegeEntity> implicitPrivilegeEntities = getImplicitPrivileges(explicitPrivilegeEntities);
-    List<PrivilegeEntity> privilegeEntities;
-
-    if(implicitPrivilegeEntities.isEmpty()) {
-      privilegeEntities = explicitPrivilegeEntities;
-    }
-    else {
-      privilegeEntities = new LinkedList<PrivilegeEntity>();
-      privilegeEntities.addAll(explicitPrivilegeEntities);
-      privilegeEntities.addAll(implicitPrivilegeEntities);
-    }
-
-    return privilegeEntities;
-  }
-
-  /**
    * Gets the explicit and implicit authorities for the given user.
    * <p>
    * The explicit authorities are the authorities that have be explicitly set by assigning roles to
@@ -817,59 +727,50 @@ public class Users {
       return Collections.emptyList();
     }
 
-    Collection<PrivilegeEntity> privilegeEntities = getUserPrivileges(userEntity);
-
-    Set<AmbariGrantedAuthority> authorities = new HashSet<>(privilegeEntities.size());
-
-    for (PrivilegeEntity privilegeEntity : privilegeEntities) {
-      authorities.add(new AmbariGrantedAuthority(privilegeEntity));
-    }
+    // get all of the privileges for the user
+    List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
 
-    return authorities;
-  }
+    principalEntities.add(userEntity.getPrincipal());
 
-  /**
-   * Gets the implicit privileges based on the set of roles found in a collection of privileges.
-   * <p>
-   * The implicit privileges are the privileges that have been given to the roles themselves which
-   * in turn are granted to the groups that have been assigned those roles. For example if the
-   * Cluster User role for a given cluster has been given View User access on a specified File View
-   * instance, then all groups that have the Cluster User role for that cluster will implicitly be
-   * granted View User access on that File View instance.
-   *
-   * @param privilegeEntities the relevant privileges
-   * @return the collection explicit privileges
-   */
-  private List<PrivilegeEntity> getImplicitPrivileges(List<PrivilegeEntity> privilegeEntities) {
+    List<MemberEntity> memberEntities = memberDAO.findAllMembersByUser(userEntity);
 
-    if ((privilegeEntities == null) || privilegeEntities.isEmpty()) {
-      return Collections.emptyList();
+    for (MemberEntity memberEntity : memberEntities) {
+      principalEntities.add(memberEntity.getGroup().getPrincipal());
     }
 
-    List<PrivilegeEntity> implicitPrivileges = new LinkedList<PrivilegeEntity>();
+    List<PrivilegeEntity> privilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
 
     // A list of principals representing roles/permissions. This collection of roles will be used to
-    // find additional inherited privileges based on the assigned roles.
+    // find additional authorizations inherited by the authenticated user based on the assigned roles.
     // For example a File View instance may be set to be accessible to all authenticated user with
     // the Cluster User role.
     List<PrincipalEntity> rolePrincipals = new ArrayList<PrincipalEntity>();
 
+    Set<AmbariGrantedAuthority> authorities = new HashSet<>(privilegeEntities.size());
+
     for (PrivilegeEntity privilegeEntity : privilegeEntities) {
       // Add the principal representing the role associated with this PrivilegeEntity to the collection
-      // of roles.
+      // of roles for the authenticated user.
       PrincipalEntity rolePrincipal = privilegeEntity.getPermission().getPrincipal();
-      if (rolePrincipal != null) {
+      if(rolePrincipal != null) {
         rolePrincipals.add(rolePrincipal);
       }
+
+      authorities.add(new AmbariGrantedAuthority(privilegeEntity));
     }
 
-    // If the collections of assigned roles is not empty find the inherited priviliges.
-    if (!rolePrincipals.isEmpty()) {
+    // If the collections of assigned roles is not empty find the inherited authorizations that are
+    // give to the roles and add them to the collection of (Granted) authorities for the user.
+    if(!rolePrincipals.isEmpty()) {
       // For each "role" see if any privileges have been granted...
-      implicitPrivileges.addAll(privilegeDAO.findAllByPrincipal(rolePrincipals));
+      List<PrivilegeEntity> rolePrivilegeEntities = privilegeDAO.findAllByPrincipal(rolePrincipals);
+
+      for (PrivilegeEntity privilegeEntity : rolePrivilegeEntities) {
+        authorities.add(new AmbariGrantedAuthority(privilegeEntity));
+      }
     }
 
-    return implicitPrivileges;
+    return authorities;
   }
 
 }
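Review bot: `if(rolePrincipal != null)` and `if(!rolePrincipals.isEmpty())` drop the space that the surrounding code (`for (`, and the lines this hunk removes) uses before the parenthesis; `if (` keeps the method consistent. The comment "are give to the roles" should read "are given to the roles". `new HashSet<>(privilegeEntities.size())` is sized before the role-inherited privileges are added below, so the capacity hint is slightly low; harmless, but `privilegeEntities.size()` as a hint is misleading once both loops populate the set. The enclosing method begins outside the hunk.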

