From rle...@apache.org
Subject [4/4] ambari git commit: AMBARI-18365. Authorizations given to roles, should use generic role-based principals rather than hard-coded pseudo-role-based principals (rlevas)
Date Fri, 21 Oct 2016 20:02:00 GMT
AMBARI-18365. Authorizations given to roles, should use generic role-based principals rather than hard-coded pseudo-role-based principals (rlevas)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/176c691e
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/176c691e
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/176c691e

Branch: refs/heads/trunk
Commit: 176c691eaed6dbf639617f6208f7fb117597c1ce
Parents: b90b286
Author: Robert Levas <rlevas@hortonworks.com>
Authored: Fri Oct 21 16:01:44 2016 -0400
Committer: Robert Levas <rlevas@hortonworks.com>
Committed: Fri Oct 21 16:01:44 2016 -0400

----------------------------------------------------------------------
 .../controllers/ambariViews/ViewsEditCtrl.js    |  16 +-
 .../ui/admin-web/app/scripts/i18n.config.js     |  10 +-
 .../app/scripts/services/PermissionLoader.js    |  11 +-
 .../app/scripts/services/PermissionsSaver.js    |   8 +-
 .../ui/admin-web/app/scripts/services/View.js   |  12 +-
 .../admin-web/app/views/ambariViews/edit.html   |   4 +-
 .../test/unit/services/PermissionSaver_test.js  |  16 +-
 ...ClusterPrivilegeChangeRequestAuditEvent.java |  21 +-
 .../ViewPrivilegeChangeRequestAuditEvent.java   |  18 +-
 .../eventcreator/PrivilegeEventCreator.java     |   4 +-
 .../eventcreator/ViewPrivilegeEventCreator.java |   4 +-
 .../ambari/server/controller/AmbariServer.java  |   2 +-
 .../AmbariPrivilegeResourceProvider.java        |   9 +-
 .../ClusterPrivilegeResourceProvider.java       |   3 +-
 .../GroupPrivilegeResourceProvider.java         |  18 +-
 .../internal/PrivilegeResourceProvider.java     | 114 +++++++---
 .../internal/UserPrivilegeResourceProvider.java |  49 ++---
 .../internal/ViewPrivilegeResourceProvider.java |   8 +-
 .../ambari/server/orm/dao/PermissionDAO.java    |  35 ++-
 .../ambari/server/orm/dao/PrincipalDAO.java     |  13 +-
 .../ambari/server/orm/dao/PrincipalTypeDAO.java |  29 ++-
 .../server/orm/entities/PermissionEntity.java   |   6 +
 .../orm/entities/PrincipalTypeEntity.java       |  17 +-
 .../authorization/AuthorizationHelper.java      |  56 +----
 .../ClusterInheritedPermissionHelper.java       | 213 -------------------
 .../server/security/authorization/Users.java    | 145 +++++++++++--
 .../server/upgrade/UpgradeCatalog242.java       | 100 +++++++++
 .../apache/ambari/server/view/ViewRegistry.java |  75 +++----
 .../view/configuration/AutoInstanceConfig.java  |  43 ++--
 .../main/resources/Ambari-DDL-Derby-CREATE.sql  |  10 -
 .../main/resources/Ambari-DDL-MySQL-CREATE.sql  |   5 -
 .../main/resources/Ambari-DDL-Oracle-CREATE.sql |  10 -
 .../resources/Ambari-DDL-Postgres-CREATE.sql    |   5 -
 .../resources/Ambari-DDL-SQLAnywhere-CREATE.sql |  10 -
 .../resources/Ambari-DDL-SQLServer-CREATE.sql   |   5 -
 .../AbstractPrivilegeResourceProviderTest.java  |  38 ++++
 .../AmbariPrivilegeResourceProviderTest.java    |  21 +-
 .../ClusterPrivilegeResourceProviderTest.java   |   8 -
 .../GroupPrivilegeResourceProviderTest.java     |  67 +++---
 .../UserPrivilegeResourceProviderTest.java      | 113 ++++++----
 .../ViewPrivilegeResourceProviderTest.java      |   5 +-
 .../authorization/AuthorizationHelperTest.java  |  66 ------
 .../server/upgrade/UpgradeCatalog242Test.java   | 134 +++++++++++-
 .../configuration/AutoInstanceConfigTest.java   |  17 +-
 44 files changed, 857 insertions(+), 716 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js
index bd74b16..834efdb 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js
@@ -23,7 +23,7 @@ angular.module('ambariAdminConsole')
     $scope.identity = angular.identity;
     $scope.isConfigurationEmpty = true;
     $scope.isSettingsEmpty = true;
-    $scope.clusterInheritedPermissionKeys = View.clusterInheritedPermissionKeys;
+    $scope.permissionRoles = View.permissionRoles;
     $scope.constants = {
       instance: $t('views.instance'),
       props: $t('views.properties'),
@@ -352,7 +352,7 @@ angular.module('ambariAdminConsole')
                 data.ViewInstanceInfo.properties[element.name] = $scope.configuration[element.name];
               }
             });
-            $scope.clearClusterInheritedPermissions();
+            $scope.removeAllRolePermissions();
 
           }
 
@@ -417,9 +417,9 @@ angular.module('ambariAdminConsole')
         });
     };
 
-    $scope.clearClusterInheritedPermissions = function() {
-      angular.forEach(View.clusterInheritedPermissionKeys, function(key) {
-        $scope.permissionsEdit["VIEW.USER"][key] = false;
+    $scope.removeAllRolePermissions = function() {
+      angular.forEach(View.permissionRoles, function(key) {
+        $scope.permissionsEdit["VIEW.USER"]["ROLE"][key] = false;
       })
     };
 
@@ -510,11 +510,9 @@ angular.module('ambariAdminConsole')
     };
 
     function setAllViewRoles(value) {
-      var viewRoles = $scope.permissionsEdit["VIEW.USER"];
+      var viewRoles = $scope.permissionsEdit["VIEW.USER"]["ROLE"];
       for (var role in viewRoles) {
-        if ($scope.clusterInheritedPermissionKeys.indexOf(role) !== -1) {
-          viewRoles[role] = value;
-        }
+        $scope.permissionsEdit["VIEW.USER"]["ROLE"][role] = value;
       }
     }
   }]);
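Review bot: Inside the loop of `setAllViewRoles` the new line re-resolves `$scope.permissionsEdit["VIEW.USER"]["ROLE"][role]` although `viewRoles` already refers to exactly that object; the assignment can simply stay `viewRoles[role] = value;`. With the `clusterInheritedPermissionKeys` filter removed, the `for…in` now flips every enumerable key of the ROLE object, whereas `removeAllRolePermissions` a few hunks earlier iterates `View.permissionRoles` instead; the two helpers would be easier to reason about if they used the same key source. The enclosing controller function begins outside this hunk.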

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js
index af22d7f..cd9b922 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js
@@ -234,11 +234,11 @@ angular.module('ambariAdminConsole')
 
       'clusterPermissions': {
         'label': 'Local Cluster Permissions',
-        'allclusteradministrator': 'Cluster Administrator',
-        'allclusteroperator': 'Cluster Operator',
-        'allclusteruser': 'Cluster User',
-        'allserviceadministrator': 'Service Administrator',
-        'allserviceoperator': 'Service Operator',
+        'clusteradministrator': 'Cluster Administrator',
+        'clusteroperator': 'Cluster Operator',
+        'clusteruser': 'Cluster User',
+        'serviceadministrator': 'Service Administrator',
+        'serviceoperator': 'Service Operator',
         'infoMessage': 'Grant <strong>Use</strong> permission for the following <strong>{{cluster}}</strong> Roles:',
         'nonLocalClusterMessage': 'The ability to inherit view <strong>Use</strong> permission based on Cluster Roles is only available when using a Local Cluster configuration.'
       },

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js
index 988986b..9cc04e4 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js
@@ -28,8 +28,9 @@ angular.module('ambariAdminConsole')
       angular.forEach(permissions, function(permission) {
         permission.GROUP = [];
         permission.USER = [];
-        angular.forEach(View.clusterInheritedPermissionKeys, function(key) {
-          permission[key] = false;
+        permission.ROLE = {};
+        angular.forEach(View.permissionRoles, function(key) {
+          permission.ROLE[key] = false;
         });
         permissionsInner[permission.PermissionInfo.permission_name] = permission;
       });
@@ -37,10 +38,10 @@ angular.module('ambariAdminConsole')
       // Now we can get privileges
       resource.getPrivileges(params).then(function(privileges) {
         angular.forEach(privileges, function(privilege) {
-          if(!privilege.PrivilegeInfo.principal_type.startsWith("ALL.")) {
-            permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type].push(privilege.PrivilegeInfo.principal_name);
+          if(privilege.PrivilegeInfo.principal_type == "ROLE") {
+            permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type][privilege.PrivilegeInfo.principal_name] = true;
           } else {
-            permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type] = true;
+            permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type].push(privilege.PrivilegeInfo.principal_name);
           }
         });
 
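Review bot: The `ROLE` branch marks `permissionsInner[...].ROLE[principal_name] = true` for whatever role name the server returns, but the matching loop in PermissionsSaver.js only emits privileges for names listed in `View.permissionRoles`; if the server ever returns a role privilege outside that list it is shown nowhere in the UI and, as far as I can tell from these two hunks, would be dropped on the next save. Either guard here with `if (View.permissionRoles.indexOf(privilege.PrivilegeInfo.principal_name) !== -1)` or have the saver iterate the keys of `permission.ROLE` so the round trip is lossless. The comparison should also be `=== "ROLE"` rather than `==`. The `then` callback continues past the end of this hunk.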

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js
index c7b9295..c170235 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js
@@ -48,13 +48,13 @@ angular.module('ambariAdminConsole')
         }
       }));
 
-      angular.forEach(View.clusterInheritedPermissionKeys, function(key) {
-        if(permission[key] === true) {
+      angular.forEach(View.permissionRoles, function(key) {
+        if(permission.ROLE[key] === true) {
           arr.push({
             'PrivilegeInfo': {
               'permission_name': 'VIEW.USER',
-              'principal_name': '*',
-              'principal_type': key
+              'principal_name': key,
+              'principal_type': 'ROLE'
             }
           });
         }

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js
index 5bc0509..f549b29 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js
@@ -191,12 +191,12 @@ angular.module('ambariAdminConsole')
     self.versionsList = item.versions;
   }
 
-  View.clusterInheritedPermissionKeys = [
-    "ALL.CLUSTER.ADMINISTRATOR",
-    "ALL.CLUSTER.OPERATOR",
-    "ALL.SERVICE.OPERATOR",
-    "ALL.SERVICE.ADMINISTRATOR",
-    "ALL.CLUSTER.USER"
+  View.permissionRoles = [
+    "CLUSTER.ADMINISTRATOR",
+    "CLUSTER.OPERATOR",
+    "SERVICE.OPERATOR",
+    "SERVICE.ADMINISTRATOR",
+    "CLUSTER.USER"
   ];
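Review bot: `View.permissionRoles` is now the client-side list of role principals that can be granted VIEW.USER, and its strings have to match the server-side role names byte for byte, yet nothing in the file says so. A short comment above the array would make that coupling explicit: `// Role-principal names offered for VIEW.USER; these must match the server's role names exactly (sent as principal_type 'ROLE').`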
 
   View.getInstance = function(viewName, version, instanceName) {

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html b/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html
index 69eb1c1..418c115 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html
@@ -287,10 +287,10 @@
         <span translate="views.clusterPermissions.infoMessage" translate-values="{cluster: cluster.name}"></span>
       </div>
       <div class="col-sm-offset-2 col-sm-10">
-        <div class="checkbox col-sm-12" ng-repeat="key in clusterInheritedPermissionKeys">
+        <div class="checkbox col-sm-12" ng-repeat="key in permissionRoles">
           <div ng-init="i18nKey = 'views.clusterPermissions.' + key.split('.').join('').toLowerCase()">
             <label>
-              <input type="checkbox" ng-model="permissionsEdit['VIEW.USER'][key]"> {{i18nKey | translate}}
+              <input type="checkbox" ng-model="permissionsEdit['VIEW.USER']['ROLE'][key]"> {{i18nKey | translate}}
             </label>
           </div>
         </div>

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js b/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js
index fa36d98..6c662f2 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js
@@ -178,11 +178,13 @@ describe('PermissionSaver Service', function () {
           'PermissionInfo': {
             permission_name: 'VIEW.USER'
           },
-          'ALL.CLUSTER.ADMINISTRATOR': true,
-          'ALL.CLUSTER.OPERATOR': false,
-          'ALL.SERVICE.OPERATOR': false,
-          'ALL.SERVICE.ADMINISTRATOR': false,
-          'ALL.CLUSTER.USER': false,
+          'ROLE': {
+            'CLUSTER.ADMINISTRATOR': true,
+            'CLUSTER.OPERATOR': false,
+            'SERVICE.OPERATOR': false,
+            'SERVICE.ADMINISTRATOR': false,
+            'CLUSTER.USER': false
+          },
           'USER': ['u0', 'u1', 'g0'],
           'GROUP': ['g0', 'g1', 'u0']
         }
@@ -233,8 +235,8 @@ describe('PermissionSaver Service', function () {
         {
           PrivilegeInfo: {
             permission_name: 'VIEW.USER',
-            principal_name: '*',
-            principal_type: 'ALL.CLUSTER.ADMINISTRATOR'
+            principal_name: 'CLUSTER.ADMINISTRATOR',
+            principal_type: 'ROLE'
           }
         }
       ];

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java
index b28bb2a..29fb7b4 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java
@@ -18,11 +18,9 @@
 
 package org.apache.ambari.server.audit.event.request;
 
-import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
-import java.util.Set;
 import java.util.SortedSet;
 import java.util.TreeSet;
 
@@ -47,10 +45,16 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
 
     /**
      * Roles for groups
-     * groupname -> list fo roles
+     * group name -> list of roles
      */
     private Map<String, List<String>> groups;
 
+    /**
+     * Roles for roles
+     * role name -> list of roles
+     */
+    private Map<String, List<String>> roles;
+
     public ClusterPrivilegeChangeRequestAuditEventBuilder() {
       super.withOperation("Role change");
     }
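Review bot: The Javadoc on the new `roles` field, "Roles for roles / role name -> list of roles", does not say what the map actually holds; from the later `lines.add("  Roles: " + StringUtils.join(roles.get(role), ", "))` the keys are role names and the values are the role-principal names granted that role. Suggest `/** Role principals granted each role: role name -> list of role-principal names. */`. The same wording problem exists on the equivalent field in ViewPrivilegeChangeRequestAuditEvent ("Roles with their roles").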
@@ -72,9 +76,10 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
       SortedSet<String> roleSet = new TreeSet<String>();
       roleSet.addAll(users.keySet());
       roleSet.addAll(groups.keySet());
+      roleSet.addAll(roles.keySet());
 
       builder.append(", Roles(");
-      if (!users.isEmpty() || !groups.isEmpty()) {
+      if (!users.isEmpty() || !groups.isEmpty()|| !roles.isEmpty()) {
         builder.append(System.lineSeparator());
       }
 
@@ -88,6 +93,9 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
         if (groups.get(role) != null && !groups.get(role).isEmpty()) {
           lines.add("  Groups: " + StringUtils.join(groups.get(role), ", "));
         }
+        if (roles.get(role) != null && !roles.get(role).isEmpty()) {
+          lines.add("  Roles: " + StringUtils.join(roles.get(role), ", "));
+        }
       }
 
       builder.append(StringUtils.join(lines, System.lineSeparator()));
@@ -104,6 +112,11 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
       this.groups = groups;
       return this;
     }
+
+    public ClusterPrivilegeChangeRequestAuditEventBuilder withRoles(Map<String, List<String>> roles) {
+      this.roles = roles;
+      return this;
+    }
   }
 
   protected ClusterPrivilegeChangeRequestAuditEvent() {

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java
index 11c558c..73c1aa6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java
@@ -18,11 +18,9 @@
 
 package org.apache.ambari.server.audit.event.request;
 
-import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
-import java.util.Set;
 import java.util.SortedSet;
 import java.util.TreeSet;
 
@@ -50,6 +48,11 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
     private Map<String, List<String>> groups;
 
     /**
+     * Roles with their roles
+     */
+    private Map<String, List<String>> roles;
+
+    /**
      * View name
      */
     private String name;
@@ -94,9 +97,10 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
       SortedSet<String> roleSet = new TreeSet<String>();
       roleSet.addAll(users.keySet());
       roleSet.addAll(groups.keySet());
+      roleSet.addAll(roles.keySet());
 
       builder.append(", Permissions(");
-      if (!users.isEmpty() || !groups.isEmpty()) {
+      if (!users.isEmpty() || !groups.isEmpty() || !roles.isEmpty()) {
         builder.append(System.lineSeparator());
       }
 
@@ -110,6 +114,9 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
         if (groups.get(role) != null && !groups.get(role).isEmpty()) {
           lines.add("  Groups: " + StringUtils.join(groups.get(role), ", "));
         }
+        if (roles.get(role) != null && !roles.get(role).isEmpty()) {
+          lines.add("  Roles: " + StringUtils.join(roles.get(role), ", "));
+        }
       }
 
       builder.append(StringUtils.join(lines, System.lineSeparator()));
@@ -141,6 +148,11 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
       this.groups = groups;
       return this;
     }
+
+    public ViewPrivilegeChangeRequestAuditEventBuilder withRoles(Map<String, List<String>> roles) {
+      this.roles = roles;
+      return this;
+    }
   }
 
   protected ViewPrivilegeChangeRequestAuditEvent() {

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java
index 5c476c6..a7be8e1 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java
@@ -33,8 +33,6 @@ import org.apache.ambari.server.audit.event.request.PrivilegeChangeRequestAuditE
 import org.apache.ambari.server.controller.internal.PrivilegeResourceProvider;
 import org.apache.ambari.server.controller.spi.Resource;
 import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.core.userdetails.User;
 
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Iterables;
@@ -88,6 +86,7 @@ public class PrivilegeEventCreator implements RequestAuditEventCreator {
 
     Map<String, List<String>> users = getEntities(request, PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME);
     Map<String, List<String>> groups = getEntities(request, PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME);
+    Map<String, List<String>> roles = getEntities(request, PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME);
 
     switch (request.getRequestType()) {
       case PUT:
@@ -99,6 +98,7 @@ public class PrivilegeEventCreator implements RequestAuditEventCreator {
           .withRemoteIp(request.getRemoteAddress())
           .withUsers(users)
           .withGroups(groups)
+          .withRoles(roles)
           .build();
       case POST:
         String role = users.isEmpty() ? Iterables.getFirst(groups.keySet(), null) : Iterables.getFirst(users.keySet(), null);
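Review bot: The `POST` branch still derives `role` only from `users` and `groups`, so a request that grants a privilege to a role principal alone leaves `role` null and the new `roles` map is never consulted for the audit record, even though the `PUT` branch now passes it via `withRoles(roles)`. The fallback chain should include the role map, e.g. `String role = !users.isEmpty() ? Iterables.getFirst(users.keySet(), null) : !groups.isEmpty() ? Iterables.getFirst(groups.keySet(), null) : Iterables.getFirst(roles.keySet(), null);`. The `POST` branch continues beyond the end of this hunk, so I cannot see whether `roles` is used further down.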

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
index 56d35c0..47983ff 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
@@ -32,8 +32,6 @@ import org.apache.ambari.server.audit.event.request.ViewPrivilegeChangeRequestAu
 import org.apache.ambari.server.controller.internal.ViewPrivilegeResourceProvider;
 import org.apache.ambari.server.controller.spi.Resource;
 import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.core.userdetails.User;
 
 import com.google.common.collect.ImmutableSet;
 
@@ -87,6 +85,7 @@ public class ViewPrivilegeEventCreator implements RequestAuditEventCreator {
 
     Map<String, List<String>> users = getEntities(request, PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME);
     Map<String, List<String>> groups = getEntities(request, PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME);
+    Map<String, List<String>> roles = getEntities(request, PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME);
 
     return ViewPrivilegeChangeRequestAuditEvent.builder()
       .withTimestamp(System.currentTimeMillis())
@@ -99,6 +98,7 @@ public class ViewPrivilegeEventCreator implements RequestAuditEventCreator {
       .withName(RequestAuditEventCreatorHelper.getProperty(request, ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID))
       .withUsers(users)
       .withGroups(groups)
+      .withRoles(roles)
       .build();
 
   }

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index 56e2398..68ee67f 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -876,7 +876,7 @@ public class AmbariServer {
         injector.getInstance(GroupDAO.class), injector.getInstance(PrincipalDAO.class),
         injector.getInstance(PermissionDAO.class), injector.getInstance(ResourceDAO.class));
     UserPrivilegeResourceProvider.init(injector.getInstance(UserDAO.class), injector.getInstance(ClusterDAO.class),
-        injector.getInstance(GroupDAO.class), injector.getInstance(ViewInstanceDAO.class), injector.getInstance(PrivilegeDAO.class));
+        injector.getInstance(GroupDAO.class), injector.getInstance(ViewInstanceDAO.class), injector.getInstance(Users.class));
     ClusterPrivilegeResourceProvider.init(injector.getInstance(ClusterDAO.class));
     AmbariPrivilegeResourceProvider.init(injector.getInstance(ClusterDAO.class));
     ActionManager.setTopologyManager(injector.getInstance(TopologyManager.class));
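Review bot: Only the `UserPrivilegeResourceProvider.init` call is updated here, while this commit also changes `GroupPrivilegeResourceProvider.init` to take a `Users` instance instead of a `PrivilegeDAO`; no caller of that new signature is visible in the diff. If the group provider's static `users` field is meant to be filled by Guice static injection rather than by `init`, a comment next to this block saying so would save the next reader a search; otherwise an `init` call mirroring the user-provider line is missing.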

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
index e5c95cb..bd17b6a 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java
@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -22,6 +22,7 @@ import org.apache.ambari.server.controller.spi.Resource;
 import org.apache.ambari.server.orm.dao.ClusterDAO;
 import org.apache.ambari.server.orm.entities.ClusterEntity;
 import org.apache.ambari.server.orm.entities.GroupEntity;
+import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.apache.ambari.server.orm.entities.PrivilegeEntity;
 import org.apache.ambari.server.orm.entities.ResourceEntity;
 import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
@@ -148,8 +149,10 @@ public class AmbariPrivilegeResourceProvider extends PrivilegeResourceProvider<O
   protected Resource toResource(PrivilegeEntity privilegeEntity,
                                 Map<Long, UserEntity> userEntities,
                                 Map<Long, GroupEntity> groupEntities,
-                                Map<Long, Object> resourceEntities, Set<String> requestedIds) {
-    Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
+                                Map<Long, PermissionEntity> roleEntities,
+                                Map<Long, Object> resourceEntities,
+                                Set<String> requestedIds) {
+    Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
     if (resource != null) {
       ResourceEntity resourceEntity = privilegeEntity.getResource();
       ResourceTypeEntity type = resourceEntity.getResourceType();

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
index 8f37764..fb7bff3 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java
@@ -147,10 +147,11 @@ public class ClusterPrivilegeResourceProvider extends PrivilegeResourceProvider<
   protected Resource toResource(PrivilegeEntity privilegeEntity,
                                 Map<Long, UserEntity> userEntities,
                                 Map<Long, GroupEntity> groupEntities,
+                                Map<Long, PermissionEntity> roleEntities,
                                 Map<Long, ClusterEntity> resourceEntities,
                                 Set<String> requestedIds) {
 
-    Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
+    Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
     if (resource != null) {
       ClusterEntity clusterEntity = resourceEntities.get(privilegeEntity.getResource().getId());
       setResourceProperty(resource, PRIVILEGE_CLUSTER_NAME_PROPERTY_ID, clusterEntity.getClusterName(), requestedIds);

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java
index 94d1cad..4b71b47 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java
@@ -28,7 +28,6 @@ import org.apache.ambari.server.controller.spi.SystemException;
 import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
 import org.apache.ambari.server.orm.dao.ClusterDAO;
 import org.apache.ambari.server.orm.dao.GroupDAO;
-import org.apache.ambari.server.orm.dao.PrivilegeDAO;
 import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
 import org.apache.ambari.server.orm.entities.ClusterEntity;
 import org.apache.ambari.server.orm.entities.GroupEntity;
@@ -38,6 +37,7 @@ import org.apache.ambari.server.orm.entities.ViewEntity;
 import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
 import org.apache.ambari.server.security.authorization.*;
 
+import java.util.Collection;
 import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -81,10 +81,10 @@ public class GroupPrivilegeResourceProvider extends ReadOnlyResourceProvider {
   protected static ViewInstanceDAO viewInstanceDAO;
 
   /**
-   * Data access object used to obtain privilege entities.
+   * Users (helper) object used to obtain privilege entities.
    */
   @Inject
-  protected static PrivilegeDAO privilegeDAO;
+  protected static Users users;
 
   /**
    * The property ids for a privilege resource.
@@ -110,14 +110,14 @@ public class GroupPrivilegeResourceProvider extends ReadOnlyResourceProvider {
    *  @param clusterDAO      the cluster data access object
    * @param groupDAO        the group data access object
    * @param viewInstanceDAO the view instance data access object
-   * @param privilegeDAO
+   * @param users           the users helper instance
    */
   public static void init(ClusterDAO clusterDAO, GroupDAO groupDAO,
-                          ViewInstanceDAO viewInstanceDAO, PrivilegeDAO privilegeDAO) {
+                          ViewInstanceDAO viewInstanceDAO, Users users) {
     GroupPrivilegeResourceProvider.clusterDAO = clusterDAO;
     GroupPrivilegeResourceProvider.groupDAO = groupDAO;
     GroupPrivilegeResourceProvider.viewInstanceDAO = viewInstanceDAO;
-    GroupPrivilegeResourceProvider.privilegeDAO = privilegeDAO;
+    GroupPrivilegeResourceProvider.users = users;
   }
 
   @SuppressWarnings("serial")
@@ -180,11 +180,7 @@ public class GroupPrivilegeResourceProvider extends ReadOnlyResourceProvider {
           throw new SystemException("Group " + groupName + " was not found");
         }
 
-        final Set<PrivilegeEntity> privileges = groupEntity.getPrincipal().getPrivileges();
-
-        Set<PrivilegeEntity> allViewPrivilegesWithClusterPermission =
-          ClusterInheritedPermissionHelper.getViewPrivilegesWithClusterPermission(viewInstanceDAO, privilegeDAO, privileges);
-        privileges.addAll(allViewPrivilegesWithClusterPermission);
+        final Collection<PrivilegeEntity> privileges = users.getGroupPrivileges(groupEntity);
 
         for (PrivilegeEntity privilegeEntity : privileges) {
           resources.add(toResource(privilegeEntity, groupName, requestedIds));

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
index 34111df..07b98bd 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java
@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -51,7 +51,7 @@ import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
 import org.apache.ambari.server.orm.entities.PrivilegeEntity;
 import org.apache.ambari.server.orm.entities.ResourceEntity;
 import org.apache.ambari.server.orm.entities.UserEntity;
-import org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper;
+import org.apache.commons.lang.StringUtils;
 
 /**
  * Abstract resource provider for privilege resources.
@@ -195,35 +195,58 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
 
       resourceIds.addAll(resourceEntities.keySet());
 
-      Set<PrivilegeEntity>  entitySet     = new HashSet<PrivilegeEntity>();
-      List<PrincipalEntity> principalList = new LinkedList<PrincipalEntity>();
+      Set<PrivilegeEntity> entitySet = new HashSet<PrivilegeEntity>();
+      List<PrincipalEntity> userPrincipals = new LinkedList<PrincipalEntity>();
+      List<PrincipalEntity> groupPrincipals = new LinkedList<PrincipalEntity>();
+      List<PrincipalEntity> rolePrincipals = new LinkedList<PrincipalEntity>();
 
       List<PrivilegeEntity> entities = privilegeDAO.findAll();
 
       for(PrivilegeEntity privilegeEntity : entities){
         if (resourceIds.contains(privilegeEntity.getResource().getId())) {
           PrincipalEntity principal = privilegeEntity.getPrincipal();
+          String principalType = principal.getPrincipalType().getName();
+
           entitySet.add(privilegeEntity);
-          principalList.add(principal);
+
+          if(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME.equals(principalType)) {
+            userPrincipals.add(principal);
+          }
+          else if(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME.equals(principalType)) {
+            groupPrincipals.add(principal);
+          }
+          else if(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME.equals(principalType)) {
+            rolePrincipals.add(principal);
+          }
         }
       }
 
       Map<Long, UserEntity> userEntities = new HashMap<Long, UserEntity>();
-      List<UserEntity>      userList     = userDAO.findUsersByPrincipal(principalList);
-
-      for (UserEntity userEntity : userList) {
-        userEntities.put(userEntity.getPrincipal().getId(), userEntity);
+      if(!userPrincipals.isEmpty()) {
+        List<UserEntity> userList = userDAO.findUsersByPrincipal(userPrincipals);
+        for (UserEntity userEntity : userList) {
+          userEntities.put(userEntity.getPrincipal().getId(), userEntity);
+        }
       }
 
       Map<Long, GroupEntity> groupEntities = new HashMap<Long, GroupEntity>();
-      List<GroupEntity>      groupList     = groupDAO.findGroupsByPrincipal(principalList);
+      if(!groupPrincipals.isEmpty()) {
+        List<GroupEntity> groupList = groupDAO.findGroupsByPrincipal(groupPrincipals);
+        for (GroupEntity groupEntity : groupList) {
+          groupEntities.put(groupEntity.getPrincipal().getId(), groupEntity);
+        }
+      }
 
-      for (GroupEntity groupEntity : groupList) {
-        groupEntities.put(groupEntity.getPrincipal().getId(), groupEntity);
+      Map<Long, PermissionEntity> roleEntities = new HashMap<Long, PermissionEntity>();
+      if (!rolePrincipals.isEmpty()){
+        List<PermissionEntity> roleList = permissionDAO.findPermissionsByPrincipal(rolePrincipals);
+        for (PermissionEntity roleEntity : roleList) {
+          roleEntities.put(roleEntity.getPrincipal().getId(), roleEntity);
+        }
       }
 
       for(PrivilegeEntity privilegeEntity : entitySet){
-        Resource resource = toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
+        Resource resource = toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
         if (resource != null && (predicate == null || predicate.evaluate(resource))) {
           resources.add(resource);
         }
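Review bot: `principal.getPrincipalType().getName()` at the top of the loop dereferences both objects without the `principal != null` / `principalType != null` guards that `toResource` in the later hunk applies to the same data, so either those guards are dead or this loop can throw on the same row; make the two consistent. The loop also matches type names with case-sensitive `equals` while `toResource` and the create path use `StringUtils.equalsIgnoreCase`, so a type stored with different casing would land in `entitySet` but in none of the principal lists and be returned with a null principal_name. A privilege whose type is none of USER/GROUP/ROLE is likewise kept in `entitySet` and surfaced with null principal fields rather than skipped or logged. A small shared helper, e.g. `private static boolean isPrincipalType(PrincipalEntity p, String typeName)`, would remove both discrepancies. The enclosing method starts and ends outside this hunk.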
@@ -281,6 +304,7 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
    * @param privilegeEntity   the privilege entity to be converted
    * @param userEntities      the map of user entities keyed by resource id
    * @param groupEntities     the map of group entities keyed by resource id
+   * @param roleEntities      the map of role entities keyed by resource id
    * @param resourceEntities  the map of resource entities keyed by resource id
    * @param requestedIds      the requested property ids
    *
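Review bot: The new `@param roleEntities` line says the map is keyed by resource id, but the map is populated with `roleEntity.getPrincipal().getId()` in the previous hunk, so it is keyed by principal id; the pre-existing `userEntities` and `groupEntities` lines carry the same error and the new line copies it. Suggested text: `@param roleEntities      the map of role (permission) entities keyed by principal id`, with the two lines above corrected the same way.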
@@ -289,29 +313,48 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
   protected Resource toResource(PrivilegeEntity privilegeEntity,
                                 Map<Long, UserEntity> userEntities,
                                 Map<Long, GroupEntity> groupEntities,
+                                Map<Long, PermissionEntity> roleEntities,
                                 Map<Long, T> resourceEntities,
                                 Set<String> requestedIds) {
     Resource resource = new ResourceImpl(resourceType);
 
-    setResourceProperty(resource, PRIVILEGE_ID_PROPERTY_ID,
-        privilegeEntity.getId(), requestedIds);
-    setResourceProperty(resource, PERMISSION_NAME_PROPERTY_ID,
-        privilegeEntity.getPermission().getPermissionName(), requestedIds);
-    setResourceProperty(resource, PERMISSION_LABEL_PROPERTY_ID,
-        privilegeEntity.getPermission().getPermissionLabel(), requestedIds);
-
-    PrincipalEntity principal   = privilegeEntity.getPrincipal();
-    Long            principalId = principal.getId();
-
-    if (userEntities.containsKey(principalId)) {
-      UserEntity userEntity = userEntities.get(principalId);
-      setResourceProperty(resource, PRINCIPAL_NAME_PROPERTY_ID, userEntity.getUserName(), requestedIds);
-    } else if (groupEntities.containsKey(principalId)){
-      GroupEntity groupEntity = groupEntities.get(principalId);
-      setResourceProperty(resource, PRINCIPAL_NAME_PROPERTY_ID, groupEntity.getGroupName(), requestedIds);
+    PrincipalEntity principal = privilegeEntity.getPrincipal();
+    String principalTypeName = null;
+    String resourcePropertyName = null;
+
+    if(principal != null) {
+      PrincipalTypeEntity principalType = principal.getPrincipalType();
+
+      if (principalType != null) {
+        Long principalId = principal.getId();
+
+        principalTypeName = principalType.getName();
+
+        if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME, principalTypeName)) {
+          GroupEntity groupEntity = groupEntities.get(principalId);
+          if (groupEntity != null) {
+            resourcePropertyName = groupEntity.getGroupName();
+          }
+        } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME, principalTypeName)) {
+          PermissionEntity roleEntity = roleEntities.get(principalId);
+          if (roleEntity != null) {
+            resourcePropertyName = roleEntity.getPermissionName();
+          }
+        } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME, principalTypeName)) {
+          UserEntity userEntity = userEntities.get(principalId);
+          if (userEntity != null) {
+            resourcePropertyName = userEntity.getUserName();
+          }
+        }
+      }
     }
 
-    setResourceProperty(resource, PRINCIPAL_TYPE_PROPERTY_ID, principal.getPrincipalType().getName(), requestedIds);
+    setResourceProperty(resource, PRIVILEGE_ID_PROPERTY_ID, privilegeEntity.getId(), requestedIds);
+    setResourceProperty(resource, PERMISSION_NAME_PROPERTY_ID, privilegeEntity.getPermission().getPermissionName(), requestedIds);
+    setResourceProperty(resource, PERMISSION_LABEL_PROPERTY_ID, privilegeEntity.getPermission().getPermissionLabel(), requestedIds);
+    setResourceProperty(resource, PRINCIPAL_NAME_PROPERTY_ID, resourcePropertyName, requestedIds);
+    setResourceProperty(resource, PRINCIPAL_TYPE_PROPERTY_ID, principalTypeName, requestedIds);
+
     return resource;
   }
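Review bot: `resourcePropertyName` holds the principal's display name (user name, group name or permission name), so `principalName` would describe it; as written the name suggests a property id rather than a value. When the principal is absent from the corresponding map the method now silently emits a resource with null principal_name and principal_type, which the old code also did for the name but not for the type; the method Javadoc just above the hunk should state that, e.g. `principal_name and principal_type are null when the privilege's principal cannot be resolved`, so API consumers do not treat a null as "no principal" in the authorization sense. The enclosing method starts outside this hunk.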
 
@@ -339,18 +382,21 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
 
     String principalName = (String) properties.get(PRINCIPAL_NAME_PROPERTY_ID);
     String principalType = (String) properties.get(PRINCIPAL_TYPE_PROPERTY_ID);
-    if (PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)) {
+    if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME, principalType)) {
       GroupEntity groupEntity = groupDAO.findGroupByName(principalName);
       if (groupEntity != null) {
         entity.setPrincipal(principalDAO.findById(groupEntity.getPrincipal().getId()));
       }
-    } else if (PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)) {
+    } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME, principalType)) {
+      PermissionEntity permissionEntity = permissionDAO.findByName(principalName);
+      if (permissionEntity != null) {
+        entity.setPrincipal(principalDAO.findById(permissionEntity.getPrincipal().getId()));
+      }
+    } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME, principalType)) {
       UserEntity userEntity = userDAO.findUserByName(principalName);
       if (userEntity != null) {
         entity.setPrincipal(principalDAO.findById(userEntity.getPrincipal().getId()));
       }
-    } else if (ClusterInheritedPermissionHelper.isValidPrincipalType(principalType)) {
-      entity.setPrincipal(principalDAO.findByPrincipalType(principalType).get(0)); // There will be only one principal for that type
     } else {
       throw new AmbariException("Unknown principal type " + principalType);
     }
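Review bot: The new ROLE branch dereferences `permissionEntity.getPrincipal()` without checking it for null, whereas the user and group branches rely on entities that always carry a principal; if any PermissionEntity exists without a role principal (not visible in this excerpt) the branch throws instead of falling through to "principal not set". `if (permissionEntity != null && permissionEntity.getPrincipal() != null) {` closes that. A privilege granted to a ROLE principal applies to every holder of that role, so the authorization check on who may create it, performed outside this hunk, should be no weaker than for the user/group cases; worth confirming since this path is new. The enclosing method starts and ends outside this hunk.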

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
index bdd73a6..009c38b 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -17,8 +17,6 @@
  */
 package org.apache.ambari.server.controller.internal;
 
-import com.google.common.base.Function;
-import com.google.common.collect.FluentIterable;
 import org.apache.ambari.server.controller.spi.NoSuchParentResourceException;
 import org.apache.ambari.server.controller.spi.NoSuchResourceException;
 import org.apache.ambari.server.controller.spi.Predicate;
@@ -28,26 +26,23 @@ import org.apache.ambari.server.controller.spi.SystemException;
 import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
 import org.apache.ambari.server.orm.dao.ClusterDAO;
 import org.apache.ambari.server.orm.dao.GroupDAO;
-import org.apache.ambari.server.orm.dao.PrivilegeDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
 import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
 import org.apache.ambari.server.orm.entities.ClusterEntity;
 import org.apache.ambari.server.orm.entities.GroupEntity;
-import org.apache.ambari.server.orm.entities.MemberEntity;
 import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
 import org.apache.ambari.server.orm.entities.PrivilegeEntity;
-import org.apache.ambari.server.orm.entities.ResourceEntity;
 import org.apache.ambari.server.orm.entities.UserEntity;
 import org.apache.ambari.server.orm.entities.ViewEntity;
 import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
 import org.apache.ambari.server.security.authorization.AuthorizationException;
 import org.apache.ambari.server.security.authorization.AuthorizationHelper;
-import org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper;
 import org.apache.ambari.server.security.authorization.ResourceType;
 import org.apache.ambari.server.security.authorization.RoleAuthorization;
 import org.apache.ambari.server.security.authorization.UserType;
+import org.apache.ambari.server.security.authorization.Users;
 
-import javax.annotation.Nullable;
+import java.util.Collection;
 import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -59,17 +54,17 @@ import java.util.Set;
  */
 public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
 
-  protected static final String PRIVILEGE_PRIVILEGE_ID_PROPERTY_ID    = PrivilegeResourceProvider.PRIVILEGE_ID_PROPERTY_ID;
+  protected static final String PRIVILEGE_PRIVILEGE_ID_PROPERTY_ID = PrivilegeResourceProvider.PRIVILEGE_ID_PROPERTY_ID;
   protected static final String PRIVILEGE_PERMISSION_NAME_PROPERTY_ID = PrivilegeResourceProvider.PERMISSION_NAME_PROPERTY_ID;
   protected static final String PRIVILEGE_PERMISSION_LABEL_PROPERTY_ID = PrivilegeResourceProvider.PERMISSION_LABEL_PROPERTY_ID;
-  protected static final String PRIVILEGE_PRINCIPAL_NAME_PROPERTY_ID  = PrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID;
-  protected static final String PRIVILEGE_PRINCIPAL_TYPE_PROPERTY_ID  = PrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID;
-  protected static final String PRIVILEGE_VIEW_NAME_PROPERTY_ID       = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_NAME_PROPERTY_ID;
-  protected static final String PRIVILEGE_VIEW_VERSION_PROPERTY_ID    = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_VERSION_PROPERTY_ID;
-  protected static final String PRIVILEGE_INSTANCE_NAME_PROPERTY_ID   = ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID;
-  protected static final String PRIVILEGE_CLUSTER_NAME_PROPERTY_ID    = ClusterPrivilegeResourceProvider.PRIVILEGE_CLUSTER_NAME_PROPERTY_ID;
-  protected static final String PRIVILEGE_TYPE_PROPERTY_ID            = AmbariPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID;
-  protected static final String PRIVILEGE_USER_NAME_PROPERTY_ID       = "PrivilegeInfo/user_name";
+  protected static final String PRIVILEGE_PRINCIPAL_NAME_PROPERTY_ID = PrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID;
+  protected static final String PRIVILEGE_PRINCIPAL_TYPE_PROPERTY_ID = PrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID;
+  protected static final String PRIVILEGE_VIEW_NAME_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_NAME_PROPERTY_ID;
+  protected static final String PRIVILEGE_VIEW_VERSION_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_VERSION_PROPERTY_ID;
+  protected static final String PRIVILEGE_INSTANCE_NAME_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID;
+  protected static final String PRIVILEGE_CLUSTER_NAME_PROPERTY_ID = ClusterPrivilegeResourceProvider.PRIVILEGE_CLUSTER_NAME_PROPERTY_ID;
+  protected static final String PRIVILEGE_TYPE_PROPERTY_ID = AmbariPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID;
+  protected static final String PRIVILEGE_USER_NAME_PROPERTY_ID = "PrivilegeInfo/user_name";
 
   /**
    * Data access object used to obtain user entities.
@@ -92,9 +87,9 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
   protected static ViewInstanceDAO viewInstanceDAO;
 
   /**
-   * DAO used to obtain privilege entities.
+   * Helper to obtain privilege data for requested users
    */
-  protected static PrivilegeDAO privilegeDAO;
+  private static Users users;
 
   /**
    * The property ids for a privilege resource.
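Review bot: The `users` field here is `private static` with no `@Inject`, while the equivalent field added to GroupPrivilegeResourceProvider in this commit is `@Inject protected static Users users;`; if both classes are populated only through `init()` the annotation is redundant there, otherwise it is missing here. Pick one convention for the two sibling providers. The Javadoc also lacks a terminating period: `Helper to obtain privilege data for requested users.`.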
@@ -120,15 +115,15 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
    * @param clusterDAO      the cluster data access object
    * @param groupDAO        the group data access object
    * @param viewInstanceDAO the view instance data access object
-   * @param privilegeDAO
+   * @param users           the Users helper object
    */
   public static void init(UserDAO userDAO, ClusterDAO clusterDAO, GroupDAO groupDAO,
-                          ViewInstanceDAO viewInstanceDAO, PrivilegeDAO privilegeDAO) {
+                          ViewInstanceDAO viewInstanceDAO, Users users) {
     UserPrivilegeResourceProvider.userDAO         = userDAO;
     UserPrivilegeResourceProvider.clusterDAO      = clusterDAO;
     UserPrivilegeResourceProvider.groupDAO        = groupDAO;
     UserPrivilegeResourceProvider.viewInstanceDAO = viewInstanceDAO;
-    UserPrivilegeResourceProvider.privilegeDAO    = privilegeDAO;
+    UserPrivilegeResourceProvider.users           = users;
   }
 
   @SuppressWarnings("serial")
@@ -199,15 +194,7 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
           throw new SystemException("User " + userName + " was not found");
         }
 
-        final Set<PrivilegeEntity> privileges = userEntity.getPrincipal().getPrivileges();
-
-        for (MemberEntity membership : userEntity.getMemberEntities()) {
-          privileges.addAll(membership.getGroup().getPrincipal().getPrivileges());
-        }
-
-        Set<PrivilegeEntity> allViewPrivilegesWithClusterPermission =
-          ClusterInheritedPermissionHelper.getViewPrivilegesWithClusterPermission(viewInstanceDAO, privilegeDAO, privileges);
-        privileges.addAll(allViewPrivilegesWithClusterPermission);
+        final Collection<PrivilegeEntity> privileges = users.getUserPrivileges(userEntity);
 
         for (PrivilegeEntity privilegeEntity : privileges) {
           resources.add(toResource(privilegeEntity, userName, requestedIds));

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
index e5bd224..7182f4c 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java
@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -191,8 +191,10 @@ public class ViewPrivilegeResourceProvider extends PrivilegeResourceProvider<Vie
   protected Resource toResource(PrivilegeEntity privilegeEntity,
                                 Map<Long, UserEntity> userEntities,
                                 Map<Long, GroupEntity> groupEntities,
-                                Map<Long, ViewInstanceEntity> resourceEntities, Set<String> requestedIds) {
-    Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
+                                Map<Long, PermissionEntity> roleEntities,
+                                Map<Long, ViewInstanceEntity> resourceEntities,
+                                Set<String> requestedIds) {
+    Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
     if (resource != null) {
 
       ViewInstanceEntity viewInstanceEntity = resourceEntities.get(privilegeEntity.getResource().getId());

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java
index 88d9775..c844ab6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java
@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -18,6 +18,7 @@
 
 package org.apache.ambari.server.orm.dao;
 
+import java.util.Collections;
 import java.util.List;
 
 import javax.persistence.EntityManager;
@@ -25,6 +26,7 @@ import javax.persistence.TypedQuery;
 
 import org.apache.ambari.server.orm.RequiresSession;
 import org.apache.ambari.server.orm.entities.PermissionEntity;
+import org.apache.ambari.server.orm.entities.PrincipalEntity;
 import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
 
 import com.google.inject.Inject;
@@ -80,6 +82,37 @@ public class PermissionDAO {
   }
 
   /**
+   * Find a permission entity with the given name.
+   *
+   * @param name  permission name
+   *
+   * @return  a matching permission entity or null
+   */
+  @RequiresSession
+  public PermissionEntity findByName(String name) {
+    TypedQuery<PermissionEntity> query = entityManagerProvider.get().createNamedQuery("PermissionEntity.findByName", PermissionEntity.class);
+    query.setParameter("permissionName", name);
+    return daoUtils.selectSingle(query);
+  }
+
+  /**
+   * Find the permission entities for the given list of principals
+   *
+   * @param principalList  the list of principal entities
+   *
+   * @return the list of permissions (or roles) matching the query
+   */
+  @RequiresSession
+  public List<PermissionEntity> findPermissionsByPrincipal(List<PrincipalEntity> principalList) {
+    if (principalList == null || principalList.isEmpty()) {
+      return Collections.emptyList();
+    }
+    TypedQuery<PermissionEntity> query = entityManagerProvider.get().createNamedQuery("PermissionEntity.findByPrincipals", PermissionEntity.class);
+    query.setParameter("principalList", principalList);
+    return daoUtils.selectList(query);
+  }
+
+  /**
    * Find all permission entities.
    *
    * @return all entities or an empty List

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java
index efbdfab..45a1658 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java
@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -121,4 +121,15 @@ public class PrincipalDAO {
   public PrincipalEntity merge(PrincipalEntity entity) {
     return entityManagerProvider.get().merge(entity);
   }
+
+  /**
+   * Remove the entity instance.
+   *
+   * @param entity  entity to remove
+   */
+  @Transactional
+  public void remove(PrincipalEntity entity) {
+    entityManagerProvider.get().remove(entity);
+  }
+
 }
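Review bot: `remove(PrincipalEntity)` deletes a principal that may still be referenced by privilege rows, and no cascade is visible in this excerpt, so the Javadoc should state the precondition rather than leave it to the caller to discover: `Callers must remove or reassign the principal's privileges before calling this method.` The same applies to the `remove(PrincipalTypeEntity)` added to PrincipalTypeDAO below.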

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java
index 7823d56..17628c6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java
@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -60,6 +60,20 @@ public class PrincipalTypeDAO {
   }
 
   /**
+   * Find a principal type entity with the given name.
+   *
+   * @param name  principal type name
+   *
+   * @return  a matching principal type entity or null
+   */
+  @RequiresSession
+  public PrincipalTypeEntity findByName(String name) {
+    TypedQuery<PrincipalTypeEntity> query = entityManagerProvider.get().createNamedQuery("PrincipalTypeEntity.findByName", PrincipalTypeEntity.class);
+    query.setParameter("name", name);
+    return daoUtils.selectSingle(query);
+  }
+
+  /**
    * Find all principal types.
    *
    * @return all principal types or an empty List
@@ -86,6 +100,16 @@ public class PrincipalTypeDAO {
   }
 
   /**
+   * Remove the entity instance.
+   *
+   * @param entity entity to remove
+   */
+  @Transactional
+  public void remove(PrincipalTypeEntity entity) {
+    entityManagerProvider.get().remove(entity);
+  }
+
+  /**
    * Creates and returns principal type if it wasn't persisted yet.
    *
    * @param principalType id of principal type
@@ -104,6 +128,9 @@ public class PrincipalTypeDAO {
         case PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE:
           principalTypeEntity.setName(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME);
           break;
+        case PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE:
+          principalTypeEntity.setName(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME);
+          break;
         default:
           throw new IllegalArgumentException("Unknown principal type ID=" + principalType);
       }

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
index f091bab..b6f1557 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java
@@ -29,6 +29,8 @@ import javax.persistence.JoinColumns;
 import javax.persistence.JoinTable;
 import javax.persistence.ManyToMany;
 import javax.persistence.ManyToOne;
+import javax.persistence.NamedQueries;
+import javax.persistence.NamedQuery;
 import javax.persistence.OneToOne;
 import javax.persistence.Table;
 import javax.persistence.TableGenerator;
@@ -44,6 +46,10 @@ import java.util.Collection;
     , pkColumnValue = "permission_id_seq"
     , initialValue = 100
 )
+@NamedQueries({
+    @NamedQuery(name = "PermissionEntity.findByName", query = "SELECT p FROM PermissionEntity p WHERE p.permissionName = :permissionName"),
+    @NamedQuery(name = "PermissionEntity.findByPrincipals", query = "SELECT p FROM PermissionEntity p WHERE p.principal IN :principalList")
+})
 public class PermissionEntity {
 
   /**

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java
index 716d4f7..31e11e6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java
@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -30,6 +30,9 @@ import javax.persistence.*;
     , pkColumnValue = "principal_type_id_seq"
     , initialValue = 100
 )
+@NamedQueries({
+    @NamedQuery(name = "PrincipalTypeEntity.findByName", query = "SELECT p FROM PrincipalTypeEntity p WHERE p.name = :name")
+})
 public class PrincipalTypeEntity {
 
   /**
@@ -37,19 +40,11 @@ public class PrincipalTypeEntity {
    */
   public static final int USER_PRINCIPAL_TYPE  = 1;
   public static final int GROUP_PRINCIPAL_TYPE = 2;
-  public static final int CLUSTER_ADMINISTRATOR_PRINCIPAL_TYPE = 3;
-  public static final int CLUSTER_OPERATOR_PRINCIPAL_TYPE = 4;
-  public static final int CLUSTER_USER_PRINCIPAL_TYPE = 5;
-  public static final int SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE = 6;
-  public static final int SERVICE_OPERATOR_PRINCIPAL_TYPE = 7;
+  public static final int ROLE_PRINCIPAL_TYPE = 8;
 
   public static final String USER_PRINCIPAL_TYPE_NAME  = "USER";
   public static final String GROUP_PRINCIPAL_TYPE_NAME = "GROUP";
-  public static final String CLUSTER_ADMINISTRATOR_PRINCIPAL_TYPE_NAME = "ALL.CLUSTER.ADMINISTRATOR";
-  public static final String CLUSTER_OPERATOR_PRINCIPAL_TYPE_NAME = "ALL.CLUSTER.OPERATOR";
-  public static final String CLUSTER_USER_PRINCIPAL_TYPE_NAME = "ALL.CLUSTER.USER";
-  public static final String SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE_NAME = "ALL.SERVICE.ADMINISTRATOR";
-  public static final String SERVICE_OPERATOR_PRINCIPAL_TYPE_NAME = "ALL.SERVICE.OPERATOR";
+  public static final String ROLE_PRINCIPAL_TYPE_NAME = "ROLE";
 
   /**
    * The type id.
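Review bot: `ROLE_PRINCIPAL_TYPE = 8` is introduced without a comment explaining why ids 3–7 are skipped, so the gap reads like an error; the removed `ALL.*` types held those ids and presumably still occupy them in the `principal_type` table of upgraded deployments, but that reasoning is not visible here. Add a comment above the constant, e.g. `// ids 3-7 belonged to the retired ALL.* pseudo-role principal types; 8 avoids reusing an id that may still exist in upgraded databases`. Any privileges still attached to those retired principals are no longer resolved by code in this diff; if the upgrade catalog does not migrate or delete them (not visible from here), state in the same comment that such rows are inert, so an audit of leftover grants does not mistake them for live authorizations.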

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
index 8639a2f..e875e8a 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
@@ -17,9 +17,6 @@
  */
 package org.apache.ambari.server.security.authorization;
 
-import com.google.common.base.Function;
-import com.google.common.base.Predicate;
-import com.google.common.collect.FluentIterable;
 import com.google.common.collect.Lists;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
@@ -30,7 +27,6 @@ import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.apache.ambari.server.orm.entities.PrivilegeEntity;
 import org.apache.ambari.server.orm.entities.ResourceEntity;
 import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity;
-import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.core.Authentication;
@@ -47,10 +43,10 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 
-@Singleton
 /**
  * Provides utility methods for authentication functionality
  */
+@Singleton
 public class AuthorizationHelper {
   private final static Logger LOG = LoggerFactory.getLogger(AuthorizationHelper.class);
 
@@ -230,56 +226,8 @@ public class AuthorizationHelper {
         }
       }
 
-      // Check if the resourceId is a view.
-      // Get all privileges for the resourceId and the principal associated for them should be of all cluster/service
-      // type.
-      // Now from the authorities check if the user privileges with CLUSTER/SERVICE type permission and has access to
-      // cluster resource with the permission.
-      // Then if the permission type matches the cluster/service type principal(names) then the user should have access
-      // to those views.
-
-      if(resourceId == null) {
-        return false;
-      }
-
-      ViewInstanceDAO viewInstanceDAO = viewInstanceDAOProvider.get();
-
-      ViewInstanceEntity instanceEntity = viewInstanceDAO.findByResourceId(resourceId);
-      if(instanceEntity == null || instanceEntity.getClusterHandle() == null) {
-        return false;
-      }
-
-      PrivilegeDAO privilegeDAO = privilegeDAOProvider.get();
-
-      final Set<String> privilegeNames = FluentIterable.from(privilegeDAO.findByResourceId(resourceId))
-        .filter(ClusterInheritedPermissionHelper.privilegeWithClusterInheritedPermissionTypePredicate)
-        .transform(ClusterInheritedPermissionHelper.permissionNameFromClusterInheritedPrivilege)
-        .toSet();
-
-      return FluentIterable.from(authentication.getAuthorities())
-        .filter(new Predicate<GrantedAuthority>() {
-          @Override
-          public boolean apply(GrantedAuthority grantedAuthority) {
-            AmbariGrantedAuthority authority = (AmbariGrantedAuthority) grantedAuthority;
-            PrivilegeEntity privilege = authority.getPrivilegeEntity();
-            String resourceTypeName = privilege.getResource().getResourceType().getName();
-            return ResourceType.translate(resourceTypeName) == ResourceType.CLUSTER;
-          }
-        }).transform(new Function<GrantedAuthority, PermissionEntity>() {
-          @Override
-          public PermissionEntity apply(GrantedAuthority grantedAuthority) {
-            AmbariGrantedAuthority authority = (AmbariGrantedAuthority) grantedAuthority;
-            PrivilegeEntity privilege = authority.getPrivilegeEntity();
-            return privilege.getPermission();
-          }
-        }).anyMatch(new Predicate<PermissionEntity>() {
-          @Override
-          public boolean apply(PermissionEntity input) {
-            return privilegeNames.contains(input.getPermissionName());
-          }
-        });
+      return false;
     }
-
   }
 
   /**
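Review bot: The branch that now ends in `return false;` leaves the parameter and injected providers the removed code relied on (`resourceId`, `viewInstanceDAOProvider`, `privilegeDAOProvider`) without a visible use; if nothing else in the class reads them, the field injections and the matching `PrivilegeDAO`/`ViewInstanceDAO` imports should be dropped in the same commit, otherwise a future reader will assume a live check was lost by mistake. The method enclosing this hunk starts outside it. A short comment would make the intent explicit, e.g. `// Role-inherited view privileges are materialized as AmbariGrantedAuthority entries when authorities are loaded (see Users.getUserAuthorities); nothing is left to resolve here.`. Note that this also moves the decision from a live DAO lookup at check time to whatever privileges were loaded into the Authentication's authorities, so a privilege newly granted to a role takes effect only once those authorities are rebuilt — worth stating in the method's javadoc if that trade-off is intended.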

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java
deleted file mode 100644
index 9922bb2..0000000
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java
+++ /dev/null
@@ -1,213 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.ambari.server.security.authorization;
-
-import com.google.common.base.Function;
-import com.google.common.base.Predicate;
-import com.google.common.collect.FluentIterable;
-import org.apache.ambari.server.orm.dao.PrivilegeDAO;
-import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
-import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
-import org.apache.ambari.server.orm.entities.PrivilegeEntity;
-import org.apache.ambari.server.orm.entities.ResourceEntity;
-import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
-
-import javax.annotation.Nullable;
-import java.util.Collection;
-import java.util.Set;
-
-
-/**
- * Helper class to take care of the cluster inherited permission for any view.
- */
-public class ClusterInheritedPermissionHelper {
-
-  /**
-   * Predicate which validates if the principalType passed is valid or not.
-   */
-  public static final Predicate<String> validPrincipalTypePredicate = new Predicate<String>() {
-    @Override
-    public boolean apply(String principalType) {
-      return isValidPrincipalType(principalType);
-    }
-  };
-
-  /**
-   * Predicate which validates if the privilegeEntity has resourceEntity of type {@see ResourceType.CLUSTER}
-   */
-  public static final Predicate<PrivilegeEntity> clusterPrivilegesPredicate = new Predicate<PrivilegeEntity>() {
-    @Override
-    public boolean apply(PrivilegeEntity privilegeEntity) {
-      String resourceTypeName = privilegeEntity.getResource().getResourceType().getName();
-      return ResourceType.translate(resourceTypeName) == ResourceType.CLUSTER;
-    }
-  };
-
-  /**
-   * Predicate which validates if view instance entity is cluster associated
-   */
-  public static final Predicate<ViewInstanceEntity> clusterAssociatedViewInstancePredicate = new Predicate<ViewInstanceEntity>() {
-    @Override
-    public boolean apply(ViewInstanceEntity viewInstanceEntity) {
-      return viewInstanceEntity.getClusterHandle() != null;
-    }
-  };
-
-  /**
-   * Predicate to validate if the privilege entity has a principal which has a cluster inherited principal type
-   */
-  public static final Predicate<PrivilegeEntity> privilegeWithClusterInheritedPermissionTypePredicate = new Predicate<PrivilegeEntity>() {
-    @Override
-    public boolean apply(PrivilegeEntity privilegeEntity) {
-      String principalTypeName = privilegeEntity.getPrincipal().getPrincipalType().getName();
-      return principalTypeName.startsWith("ALL.");
-    }
-  };
-
-  /**
-   * Mapper to return the Permission Name from the cluster inherited privilege name. Example: "ALL.CLUSTER.USER" becomes "CLUSTER.USER"
-   */
-  public static final Function<PrivilegeEntity, String> permissionNameFromClusterInheritedPrivilege = new Function<PrivilegeEntity, String>() {
-    @Override
-    public String apply(PrivilegeEntity input) {
-      return input.getPrincipal().getPrincipalType().getName().substring(4);
-    }
-  };
-
-  /**
-   * Mapper to return resources from view instance entity.
-   */
-  public static final Function<ViewInstanceEntity, ResourceEntity> resourceFromViewInstanceMapper = new Function<ViewInstanceEntity, ResourceEntity>() {
-    @Override
-    public ResourceEntity apply(ViewInstanceEntity viewInstanceEntity) {
-      return viewInstanceEntity.getResource();
-    }
-  };
-
-  /**
-   * Mapper to return all privileges from resource entity
-   */
-  public static final Function<ResourceEntity, Iterable<PrivilegeEntity>> allPrivilegesFromResoucesMapper = new Function<ResourceEntity, Iterable<PrivilegeEntity>>() {
-    @Override
-    public Iterable<PrivilegeEntity> apply(ResourceEntity resourceEntity) {
-      return resourceEntity.getPrivileges();
-    }
-  };
-
-  /**
-   * Mapper to return permission name from privilege
-   */
-  public static final Function<PrivilegeEntity, String> permissionNameFromPrivilegeMapper = new Function<PrivilegeEntity, String>() {
-    @Override
-    public String apply(PrivilegeEntity privilegeEntity) {
-      return privilegeEntity.getPermission().getPermissionName();
-    }
-  };
-
-  /**
-   * Predicate to validate if the cluster inherited principal type for privilege entity is present in the valid permission type set passed
-   * @param validSet - valid set of permission types
-   * @return Predicate to check the condition
-   */
-  public static final Predicate<PrivilegeEntity> principalTypeInSetFrom(final Collection<String> validSet) {
-    return new Predicate<PrivilegeEntity>() {
-      @Override
-      public boolean apply(PrivilegeEntity privilegeEntity) {
-        String permissionName = privilegeEntity.getPrincipal().getPrincipalType().getName().substring(4);
-        return validSet.contains(permissionName);
-      }
-    };
-  }
-
-  /**
-   * Predicate to filter out privileges which are already existing in the passed privileges set.
-   * @param existingPrivileges - Privileges set to which the comparison will be made
-   * @return Predicate to check the validation
-   */
-  public static Predicate<PrivilegeEntity> removeIfExistingPrivilegePredicate(final Set<PrivilegeEntity> existingPrivileges) {
-    return new Predicate<PrivilegeEntity>() {
-      @Override
-      public boolean apply(final PrivilegeEntity privilegeEntity) {
-        return !FluentIterable.from(existingPrivileges).anyMatch(new com.google.common.base.Predicate<PrivilegeEntity>() {
-          @Override
-          public boolean apply(PrivilegeEntity directPrivilegeEntity) {
-            return directPrivilegeEntity.getResource().getId().equals(privilegeEntity.getResource().getId())
-              && directPrivilegeEntity.getPermission().getId().equals(privilegeEntity.getPermission().getId());
-          }
-        });
-      }
-    };
-  }
-
-  /**
-   * Validates if the principal type is valid for cluster inherited permissions.
-   * @param principalType - Principal type
-   * @return true if the principalType is in ("ALL.CLUSTER.ADMINISTRATOR", "ALL.CLUSTER.OPERATOR",
-   * "ALL.CLUSTER.USER", "ALL.SERVICE.OPERATOR", "ALL.SERVICE.USER")
-   */
-  public static boolean isValidPrincipalType(String principalType) {
-    return PrincipalTypeEntity.CLUSTER_ADMINISTRATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
-      || PrincipalTypeEntity.CLUSTER_OPERATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
-      || PrincipalTypeEntity.CLUSTER_USER_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
-      || PrincipalTypeEntity.SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
-      || PrincipalTypeEntity.SERVICE_OPERATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType);
-  }
-
-  /**
-   * Returns the view privileges for which cluster permissions has been specified. This filters out all the privileges
-   * which are related to view resources attached to a cluster and are configured to have cluster level permissions. Then
-   * It checks if the user has cluster level permissions and further filters down the privilege list to the ones for which
-   * the user should have privilege.
-   * @param userDirectPrivileges - direct privileges for the user.
-   * @return - Filtered list of privileges for view resource for which the user should have access.
-   */
-  public static Set<PrivilegeEntity> getViewPrivilegesWithClusterPermission(final ViewInstanceDAO viewInstanceDAO, final PrivilegeDAO privilegeDAO,
-                                                                            final Set<PrivilegeEntity> userDirectPrivileges) {
-
-    final Set<String> clusterPrivileges = FluentIterable.from(userDirectPrivileges)
-      .filter(ClusterInheritedPermissionHelper.clusterPrivilegesPredicate)
-      .transform(ClusterInheritedPermissionHelper.permissionNameFromPrivilegeMapper)
-      .toSet();
-
-    Set<Long> resourceIds = FluentIterable.from(viewInstanceDAO.findAll())
-      .filter(ClusterInheritedPermissionHelper.clusterAssociatedViewInstancePredicate)
-      .transform(ClusterInheritedPermissionHelper.resourceFromViewInstanceMapper)
-      .transform(new Function<ResourceEntity, Long>() {
-        @Nullable
-        @Override
-        public Long apply(@Nullable ResourceEntity input) {
-          return input.getId();
-        }
-      }).toSet();
-
-    Set<PrivilegeEntity> allPrivileges = FluentIterable.from(resourceIds)
-      .transformAndConcat(new Function<Long, Iterable<PrivilegeEntity>>() {
-        @Nullable
-        @Override
-        public Iterable<PrivilegeEntity> apply(@Nullable Long input) {
-          return privilegeDAO.findByResourceId(input);
-        }
-      }).toSet();
-
-    return FluentIterable.from(allPrivileges)
-      .filter(ClusterInheritedPermissionHelper.privilegeWithClusterInheritedPermissionTypePredicate)
-      .filter(ClusterInheritedPermissionHelper.principalTypeInSetFrom(clusterPrivileges))
-      .filter(ClusterInheritedPermissionHelper.removeIfExistingPrivilegePredicate(userDirectPrivileges))
-      .toSet();
-  }
-}

http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
index a4f0031..eee721a 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
@@ -705,6 +705,96 @@ public class Users {
   }
 
   /**
+   * Gets the explicit and implicit privileges for the given user.
+   * <p>
+   * The explicit privileges are the privileges that have be explicitly set by assigning roles to
+   * a user.  For example the Cluster Operator role on a given cluster gives that the ability to
+   * start and stop services in that cluster, among other privileges for that particular cluster.
+   * <p>
+   * The implicit privileges are the privileges that have been given to the roles themselves which
+   * in turn are granted to the users that have been assigned those roles. For example if the
+   * Cluster User role for a given cluster has been given View User access on a specified File View
+   * instance, then all users who have the Cluster User role for that cluster will implicitly be
+   * granted View User access on that File View instance.
+   *
+   * @param userEntity the relevant user
+   * @return the collection of implicit and explicit privileges
+   */
+  public Collection<PrivilegeEntity> getUserPrivileges(UserEntity userEntity) {
+    if (userEntity == null) {
+      return Collections.emptyList();
+    }
+
+    // get all of the privileges for the user
+    List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
+
+    principalEntities.add(userEntity.getPrincipal());
+
+    List<MemberEntity> memberEntities = memberDAO.findAllMembersByUser(userEntity);
+
+    for (MemberEntity memberEntity : memberEntities) {
+      principalEntities.add(memberEntity.getGroup().getPrincipal());
+    }
+
+    List<PrivilegeEntity> explicitPrivilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
+    List<PrivilegeEntity> implicitPrivilegeEntities = getImplicitPrivileges(explicitPrivilegeEntities);
+    List<PrivilegeEntity> privilegeEntities;
+
+    if(implicitPrivilegeEntities.isEmpty()) {
+      privilegeEntities = explicitPrivilegeEntities;
+    }
+    else {
+      privilegeEntities = new LinkedList<PrivilegeEntity>();
+      privilegeEntities.addAll(explicitPrivilegeEntities);
+      privilegeEntities.addAll(implicitPrivilegeEntities);
+    }
+
+    return privilegeEntities;
+  }
+
+  /**
+   * Gets the explicit and implicit privileges for the given group.
+   * <p>
+   * The explicit privileges are the privileges that have be explicitly set by assigning roles to
+   * a group.  For example the Cluster Operator role on a given cluster gives that the ability to
+   * start and stop services in that cluster, among other privileges for that particular cluster.
+   * <p>
+   * The implicit privileges are the privileges that have been given to the roles themselves which
+   * in turn are granted to the groups that have been assigned those roles. For example if the
+   * Cluster User role for a given cluster has been given View User access on a specified File View
+   * instance, then all groups that have the Cluster User role for that cluster will implicitly be
+   * granted View User access on that File View instance.
+   *
+   * @param groupEntity the relevant group
+   * @return the collection of implicit and explicit privileges
+   */
+  public Collection<PrivilegeEntity> getGroupPrivileges(GroupEntity groupEntity) {
+    if (groupEntity == null) {
+      return Collections.emptyList();
+    }
+
+    // get all of the privileges for the group
+    List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
+
+    principalEntities.add(groupEntity.getPrincipal());
+
+    List<PrivilegeEntity> explicitPrivilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
+    List<PrivilegeEntity> implicitPrivilegeEntities = getImplicitPrivileges(explicitPrivilegeEntities);
+    List<PrivilegeEntity> privilegeEntities;
+
+    if(implicitPrivilegeEntities.isEmpty()) {
+      privilegeEntities = explicitPrivilegeEntities;
+    }
+    else {
+      privilegeEntities = new LinkedList<PrivilegeEntity>();
+      privilegeEntities.addAll(explicitPrivilegeEntities);
+      privilegeEntities.addAll(implicitPrivilegeEntities);
+    }
+
+    return privilegeEntities;
+  }
+
+  /**
    * Gets the explicit and implicit authorities for the given user.
    * <p>
    * The explicit authorities are the authorities that have be explicitly set by assigning roles to
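Review bot: `getUserPrivileges` and `getGroupPrivileges` duplicate the same ten lines of merge logic (`getImplicitPrivileges`, the `isEmpty()` test, the `LinkedList` copy and the two `addAll` calls), so a future fix to how implicit privileges are combined has to be made twice; a private helper taking the explicit list removes the duplication and lets both methods end in a single `return`. While doing so, the `if(implicitPrivilegeEntities.isEmpty())` spacing should follow the `if (` style the rest of the new code in this file uses, and `new LinkedList<PrincipalEntity>()` can use the diamond that `new HashSet<>(...)` already relies on elsewhere in the class.

```java
  public Collection<PrivilegeEntity> getUserPrivileges(UserEntity userEntity) {
    // … unchanged: null guard, user and group principal collection …
    return withImplicitPrivileges(privilegeDAO.findAllByPrincipal(principalEntities));
  }

  // … unchanged: getGroupPrivileges javadoc …
  public Collection<PrivilegeEntity> getGroupPrivileges(GroupEntity groupEntity) {
    // … unchanged: null guard and group principal collection …
    return withImplicitPrivileges(privilegeDAO.findAllByPrincipal(principalEntities));
  }

  /**
   * Combines explicit privileges with the implicit privileges inherited from the roles
   * found in them. Returns the explicit list itself when there is nothing to add.
   *
   * @param explicitPrivilegeEntities the privileges granted directly to the principals
   * @return the explicit privileges followed by any implicit ones
   */
  private List<PrivilegeEntity> withImplicitPrivileges(List<PrivilegeEntity> explicitPrivilegeEntities) {
    List<PrivilegeEntity> implicitPrivilegeEntities = getImplicitPrivileges(explicitPrivilegeEntities);
    if (implicitPrivilegeEntities.isEmpty()) {
      return explicitPrivilegeEntities;
    }
    List<PrivilegeEntity> privilegeEntities = new LinkedList<>(explicitPrivilegeEntities);
    privilegeEntities.addAll(implicitPrivilegeEntities);
    return privilegeEntities;
  }
```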
@@ -727,50 +817,59 @@ public class Users {
       return Collections.emptyList();
     }
 
-    // get all of the privileges for the user
-    List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
+    Collection<PrivilegeEntity> privilegeEntities = getUserPrivileges(userEntity);
 
-    principalEntities.add(userEntity.getPrincipal());
+    Set<AmbariGrantedAuthority> authorities = new HashSet<>(privilegeEntities.size());
 
-    List<MemberEntity> memberEntities = memberDAO.findAllMembersByUser(userEntity);
+    for (PrivilegeEntity privilegeEntity : privilegeEntities) {
+      authorities.add(new AmbariGrantedAuthority(privilegeEntity));
+    }
 
-    for (MemberEntity memberEntity : memberEntities) {
-      principalEntities.add(memberEntity.getGroup().getPrincipal());
+    return authorities;
+  }
+
+  /**
+   * Gets the implicit privileges based on the set of roles found in a collection of privileges.
+   * <p>
+   * The implicit privileges are the privileges that have been given to the roles themselves which
+   * in turn are granted to the groups that have been assigned those roles. For example if the
+   * Cluster User role for a given cluster has been given View User access on a specified File View
+   * instance, then all groups that have the Cluster User role for that cluster will implicitly be
+   * granted View User access on that File View instance.
+   *
+   * @param privilegeEntities the relevant privileges
+   * @return the collection explicit privileges
+   */
+  private List<PrivilegeEntity> getImplicitPrivileges(List<PrivilegeEntity> privilegeEntities) {
+
+    if ((privilegeEntities == null) || privilegeEntities.isEmpty()) {
+      return Collections.emptyList();
     }
 
-    List<PrivilegeEntity> privilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
+    List<PrivilegeEntity> implicitPrivileges = new LinkedList<PrivilegeEntity>();
 
     // A list of principals representing roles/permissions. This collection of roles will be used to
-    // find additional authorizations inherited by the authenticated user based on the assigned roles.
+    // find additional inherited privileges based on the assigned roles.
     // For example a File View instance may be set to be accessible to all authenticated user with
     // the Cluster User role.
     List<PrincipalEntity> rolePrincipals = new ArrayList<PrincipalEntity>();
 
-    Set<AmbariGrantedAuthority> authorities = new HashSet<>(privilegeEntities.size());
-
     for (PrivilegeEntity privilegeEntity : privilegeEntities) {
       // Add the principal representing the role associated with this PrivilegeEntity to the collection
-      // of roles for the authenticated user.
+      // of roles.
       PrincipalEntity rolePrincipal = privilegeEntity.getPermission().getPrincipal();
-      if(rolePrincipal != null) {
+      if (rolePrincipal != null) {
         rolePrincipals.add(rolePrincipal);
       }
-
-      authorities.add(new AmbariGrantedAuthority(privilegeEntity));
     }
 
-    // If the collections of assigned roles is not empty find the inherited authorizations that are
-    // give to the roles and add them to the collection of (Granted) authorities for the user.
-    if(!rolePrincipals.isEmpty()) {
+    // If the collections of assigned roles is not empty find the inherited priviliges.
+    if (!rolePrincipals.isEmpty()) {
       // For each "role" see if any privileges have been granted...
-      List<PrivilegeEntity> rolePrivilegeEntities = privilegeDAO.findAllByPrincipal(rolePrincipals);
-
-      for (PrivilegeEntity privilegeEntity : rolePrivilegeEntities) {
-        authorities.add(new AmbariGrantedAuthority(privilegeEntity));
-      }
+      implicitPrivileges.addAll(privilegeDAO.findAllByPrincipal(rolePrincipals));
     }
 
-    return authorities;
+    return implicitPrivileges;
   }
 
 }
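Review bot: The javadoc of `getImplicitPrivileges` is wrong in two places: `@return the collection explicit privileges` should read `@return the collection of implicit privileges`, and the description speaks only of groups although the method is now called from both `getUserPrivileges` and `getGroupPrivileges`; the comment `find the inherited priviliges` is also misspelled. More important for the authorization scope: the role principal is taken from `privilegeEntity.getPermission().getPrincipal()`, i.e. from the permission, which carries no reference to the resource the explicit privilege was granted on, so as far as this hunk shows a principal holding Cluster User on any one cluster inherits every privilege granted to the Cluster User role principal. The javadoc's "for a given cluster" wording therefore holds only if that scoping is enforced somewhere outside this method; either state that contract explicitly in the javadoc or drop the per-cluster qualifier so readers do not assume a narrower grant than the code makes. `rolePrincipals` may also hold the same principal several times when several explicit privileges share a permission; `IN` tolerates that, but a one-line comment saying so would save the next reader the check.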

