From rle...@apache.org
Subject [1/2] ambari git commit: AMBARI-18365. Authorizations given to roles, should use generic role-based principals rather than hard-coded pseudo-role-based principals (rlevas)
Date Fri, 21 Oct 2016 22:38:17 GMT
Repository: ambari
Updated Branches:
  refs/heads/branch-2.4 7b1a00416 -> b632b33bc


http://git-wip-us.apache.org/repos/asf/ambari/blob/b632b33b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog242.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog242.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog242.java
index a5276c2..980b651 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog242.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog242.java
@@ -19,10 +19,23 @@
 package org.apache.ambari.server.upgrade;
 
 import java.sql.SQLException;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
 
 import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.orm.DBAccessor;
+import org.apache.ambari.server.orm.dao.PermissionDAO;
+import org.apache.ambari.server.orm.dao.PrincipalDAO;
+import org.apache.ambari.server.orm.dao.PrincipalTypeDAO;
+import org.apache.ambari.server.orm.dao.PrivilegeDAO;
+import org.apache.ambari.server.orm.entities.PermissionEntity;
+import org.apache.ambari.server.orm.entities.PrincipalEntity;
+import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
+import org.apache.ambari.server.orm.entities.PrivilegeEntity;
+import org.apache.ambari.server.orm.entities.ResourceEntity;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -106,6 +119,7 @@ public class UpgradeCatalog242 extends AbstractUpgradeCatalog {
   @Override
   protected void executeDMLUpdates() throws AmbariException, SQLException {
     addNewConfigurationsFromXml();
+    convertRolePrincipals();
   }
 
   protected void updateTablesForMysql() throws SQLException {
@@ -141,4 +155,90 @@ public class UpgradeCatalog242 extends AbstractUpgradeCatalog {
     }
   }
 
+  /**
+   * Convert the previously set inherited privileges to the more generic inherited privileges model
+   * based on role-based principals rather than specialized principal types.
+   */
+  protected void convertRolePrincipals() {
+    LOG.info("Converting pseudo principle types to role principals");
+
+    PermissionDAO permissionDAO = injector.getInstance(PermissionDAO.class);
+    PrivilegeDAO privilegeDAO = injector.getInstance(PrivilegeDAO.class);
+    PrincipalDAO principalDAO = injector.getInstance(PrincipalDAO.class);
+    PrincipalTypeDAO principalTypeDAO = injector.getInstance(PrincipalTypeDAO.class);
+
+    Map<String, String> principalTypeToRole = new HashMap<String, String>();
+    principalTypeToRole.put("ALL.CLUSTER.ADMINISTRATOR", "CLUSTER.ADMINISTRATOR");
+    principalTypeToRole.put("ALL.CLUSTER.OPERATOR", "CLUSTER.OPERATOR");
+    principalTypeToRole.put("ALL.CLUSTER.USER", "CLUSTER.USER");
+    principalTypeToRole.put("ALL.SERVICE.ADMINISTRATOR", "SERVICE.ADMINISTRATOR");
+    principalTypeToRole.put("ALL.SERVICE.OPERATOR", "SERVICE.OPERATOR");
+
+    // Handle a typo introduced in org.apache.ambari.server.upgrade.UpgradeCatalog240.updateClusterInheritedPermissionsConfig
+    principalTypeToRole.put("ALL.SERVICE.OPERATIOR", "SERVICE.OPERATOR");
+
+    for (Map.Entry<String, String> entry : principalTypeToRole.entrySet()) {
+      String principalTypeName = entry.getKey();
+      String roleName = entry.getValue();
+
+      PermissionEntity role = permissionDAO.findByName(roleName);
+      PrincipalEntity rolePrincipalEntity = (role == null) ? null : role.getPrincipal();
+
+      // Convert Privilege Records
+      PrincipalTypeEntity principalTypeEntity = principalTypeDAO.findByName(principalTypeName);
+
+      if (principalTypeEntity != null) {
+        List<PrincipalEntity> principalEntities = principalDAO.findByPrincipalType(principalTypeName);
+
+        for (PrincipalEntity principalEntity : principalEntities) {
+          Set<PrivilegeEntity> privilegeEntities = principalEntity.getPrivileges();
+
+          for (PrivilegeEntity privilegeEntity : privilegeEntities) {
+            if (rolePrincipalEntity == null) {
+              LOG.info("Removing privilege (id={}) since no role principle was found for {}:\n{}",
+                  privilegeEntity.getId(), roleName, formatPrivilegeEntityDetails(privilegeEntity));
+              // Remove this privilege
+              privilegeDAO.remove(privilegeEntity);
+            } else {
+              LOG.info("Updating privilege (id={}) to use role principle for {}:\n{}",
+                  privilegeEntity.getId(), roleName, formatPrivilegeEntityDetails(privilegeEntity));
+
+              // Set the principal to the updated principal value
+              privilegeEntity.setPrincipal(rolePrincipalEntity);
+              privilegeDAO.merge(privilegeEntity);
+            }
+          }
+
+          // Remove the obsolete principal
+          principalDAO.remove(principalEntity);
+        }
+
+        // Remove the obsolete principal type
+        principalTypeDAO.remove(principalTypeEntity);
+      }
+    }
+
+    LOG.info("Converting pseudo principle types to role principals - complete.");
+  }
+
+  private String formatPrivilegeEntityDetails(PrivilegeEntity privilegeEntity) {
+    if (privilegeEntity == null) {
+      return "";
+    } else {
+      ResourceEntity resource = privilegeEntity.getResource();
+      PrincipalEntity principal = privilegeEntity.getPrincipal();
+      PermissionEntity permission = privilegeEntity.getPermission();
+
+      return String.format("" +
+              "\tPrivilege ID: %d" +
+              "\n\tResource ID: %d" +
+              "\n\tPrincipal ID: %d" +
+              "\n\tPermission ID: %d",
+          privilegeEntity.getId(),
+          resource.getId(),
+          principal.getId(),
+          permission.getId()
+      );
+    }
+  }
 }
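Review bot: The map in convertRolePrincipals covers the `ALL.SERVICE.OPERATIOR` misspelling but not `ALL.SERVICE.OPERRATOR`, which the Derby DDL lines removed later in this commit show was seeded as principal type 7; a database created from that script would presumably keep the pseudo principal type and leave its privileges unconverted. Adding `principalTypeToRole.put("ALL.SERVICE.OPERRATOR", "SERVICE.OPERATOR");` next to the existing typo entry would close that gap. Separately, formatPrivilegeEntityDetails calls `resource.getId()`, `principal.getId()` and `permission.getId()` without null checks, and because it is evaluated as a log argument, a privilege row with a missing reference would likely abort the upgrade with a NullPointerException; null-safe formatting avoids that. The branch that removes a privilege logs at INFO, where WARN would make a dropped authorization easier to find when the upgrade log is audited.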

http://git-wip-us.apache.org/repos/asf/ambari/blob/b632b33b/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java b/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java
index 455b4f1..7f58485 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java
@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -86,7 +86,6 @@ import org.apache.ambari.server.orm.entities.ViewParameterEntity;
 import org.apache.ambari.server.orm.entities.ViewResourceEntity;
 import org.apache.ambari.server.security.SecurityHelper;
 import org.apache.ambari.server.security.authorization.AuthorizationHelper;
-import org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper;
 import org.apache.ambari.server.security.authorization.ResourceType;
 import org.apache.ambari.server.security.authorization.RoleAuthorization;
 import org.apache.ambari.server.state.Clusters;
@@ -122,7 +121,6 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.xml.sax.SAXException;
 
-import com.google.common.collect.FluentIterable;
 import com.google.common.collect.Sets;
 import com.google.common.eventbus.AllowConcurrentEvents;
 import com.google.common.eventbus.Subscribe;
@@ -1796,7 +1794,7 @@ public class ViewRegistry {
     }
 
     List<String> services = autoInstanceConfig.getServices();
-    List<String> permissions = autoInstanceConfig.getPermissions();
+    Collection<String> roles = autoInstanceConfig.getRoles();
 
     Map<String, org.apache.ambari.server.state.Cluster> allClusters = clustersProvider.get().getClusters();
     for (org.apache.ambari.server.state.Cluster cluster : allClusters.values()) {
@@ -1814,7 +1812,7 @@ public class ViewRegistry {
             ViewInstanceEntity viewInstanceEntity = createViewInstanceEntity(viewEntity, viewConfig, autoInstanceConfig);
             viewInstanceEntity.setClusterHandle(clusterId);
             installViewInstance(viewInstanceEntity);
-            addClusterInheritedPermissions(viewInstanceEntity, permissions);
+            setViewInstanceRoleAccess(viewInstanceEntity, roles);
           }
         } catch (Exception e) {
           LOG.error("Can't auto create instance of view " + viewName + " for cluster " + clusterName +
@@ -1825,40 +1823,45 @@ public class ViewRegistry {
   }
 
   /**
-   * Validates principalTypes and creates privilege entities for each permission type for the view instance entity
-   * resource.
-   * @param viewInstanceEntity - view instance entity for which permission has to be set.
-   * @param principalTypes - list of cluster inherited principal types
+   * Set access to the a particular view instance based on a set of roles.
+   * <p>
+   * View access to the specified view instances will be granted to anyone directly or indirectly
+   * assigned to one of the roles in the suppled set of role names.
+   *
+   * @param viewInstanceEntity a view instance entity
+   * @param roles the set of roles to use to for granting access
    */
   @Transactional
-  private void addClusterInheritedPermissions(ViewInstanceEntity viewInstanceEntity, List<String> principalTypes) {
-    List<String> validPermissions = FluentIterable.from(principalTypes)
-      .filter(ClusterInheritedPermissionHelper.validPrincipalTypePredicate)
-      .toList();
-
-    for(String permission: validPermissions) {
-      addClusterInheritedPermission(viewInstanceEntity, permission);
-    }
-  }
-
-  private void addClusterInheritedPermission(ViewInstanceEntity viewInstanceEntity, String principalType) {
-    ResourceEntity resource = viewInstanceEntity.getResource();
-    List<PrincipalEntity> principals = principalDAO.findByPrincipalType(principalType);
-    if (principals.size() == 0) {
-      LOG.error("Failed to find principal for principal type '{}'", principalType);
-      return;
-    }
+  protected void setViewInstanceRoleAccess(ViewInstanceEntity viewInstanceEntity, Collection<String> roles) {
+    if ((roles != null) && !roles.isEmpty()) {
+      PermissionEntity permissionViewUser = permissionDAO.findViewUsePermission();
 
-    PrincipalEntity principal = principals.get(0); // There will be only one principal associated with the principal type
-    PermissionEntity permission = permissionDAO.findViewUsePermission();
-
-    if (!privilegeDAO.exists(principal, resource, permission)) {
-      PrivilegeEntity privilege = new PrivilegeEntity();
-      privilege.setPrincipal(principal);
-      privilege.setResource(resource);
-      privilege.setPermission(permission);
-
-      privilegeDAO.create(privilege);
+      if (permissionViewUser == null) {
+        LOG.error("Missing the {} role.  Access to view cannot be set.",
+            PermissionEntity.VIEW_USER_PERMISSION_NAME, viewInstanceEntity.getName());
+      } else {
+        for (String role : roles) {
+          PermissionEntity permissionRole = permissionDAO.findByName(role);
+
+          if (permissionRole == null) {
+            LOG.warn("Invalid role {} encountered while setting access to view {}, Ignoring.",
+                role, viewInstanceEntity.getName());
+          } else {
+            PrincipalEntity principalRole = permissionRole.getPrincipal();
+
+            if (principalRole == null) {
+              LOG.warn("Missing principal ID for role {} encountered while setting access to view {}. Ignoring.",
+                  role, viewInstanceEntity.getName());
+            } else {
+              PrivilegeEntity privilegeEntity = new PrivilegeEntity();
+              privilegeEntity.setPermission(permissionViewUser);
+              privilegeEntity.setPrincipal(principalRole);
+              privilegeEntity.setResource(viewInstanceEntity.getResource());
+              privilegeDAO.create(privilegeEntity);
+            }
+          }
+        }
+      }
     }
   }
 
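Review bot: setViewInstanceRoleAccess creates a PrivilegeEntity for every resolved role without the `privilegeDAO.exists(principal, resource, permission)` guard that the removed addClusterInheritedPermission had, so a second call for the same view instance would presumably insert duplicate privilege rows or fail on a constraint. Wrapping the create in `if (!privilegeDAO.exists(principalRole, viewInstanceEntity.getResource(), permissionViewUser))` keeps the method idempotent. The `LOG.error("Missing the {} role. ...")` call passes two arguments for one placeholder, so the view name never reaches the message; a second `{}` is needed. The old validPrincipalTypePredicate filter is also gone, so any name that `permissionDAO.findByName` resolves is accepted from the view's configuration; if only the cluster and service roles listed in AutoInstanceConfig are intended, an explicit allow-list check would keep that boundary.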

http://git-wip-us.apache.org/repos/asf/ambari/blob/b632b33b/ambari-server/src/main/java/org/apache/ambari/server/view/configuration/AutoInstanceConfig.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/view/configuration/AutoInstanceConfig.java b/ambari-server/src/main/java/org/apache/ambari/server/view/configuration/AutoInstanceConfig.java
index 11efc76..f934ed5 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/view/configuration/AutoInstanceConfig.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/view/configuration/AutoInstanceConfig.java
@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -18,16 +18,14 @@
 
 package org.apache.ambari.server.view.configuration;
 
-import com.google.common.base.Function;
-import com.google.common.collect.FluentIterable;
-import com.google.common.collect.Lists;
-
 import javax.xml.bind.annotation.XmlAccessType;
 import javax.xml.bind.annotation.XmlAccessorType;
 import javax.xml.bind.annotation.XmlElement;
 import javax.xml.bind.annotation.XmlElementWrapper;
-import java.util.Arrays;
+import javax.xml.bind.annotation.adapters.CollapsedStringAdapter;
+import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
 import java.util.List;
+import java.util.Set;
 
 /**
  * View auto instance configuration.
@@ -48,14 +46,25 @@ public class AutoInstanceConfig extends InstanceConfig {
    */
   @XmlElementWrapper
   @XmlElement(name="service")
+  @XmlJavaTypeAdapter(CollapsedStringAdapter.class)
   private List<String> services;
 
   /**
-   * Cluster Inherited permissions. Comma separated strings for multiple values
-   * Possible values: ALL.CLUSTER.ADMINISTRATOR, ALL.CLUSTER.OPERATOR, ALL.CLUSTER.USER,
-   * ALL.SERVICE.OPERATOR, ALL.SERVICE.ADMINISTRATOR
+   * A list of roles that should have access to this view.
+   * <p>
+   * Example values:
+   * <ul>
+   * <li>CLUSTER.ADMINISTRATOR</li>
+   * <li>CLUSTER.OPERATOR</li>
+   * <li>SERVICE.ADMINISTRATOR</li>
+   * <li>SERVICE.OPERATOR</li>
+   * <li>CLUSTER.USER</li>
+   * </ul>
    */
-  private String permissions;
+  @XmlElementWrapper
+  @XmlElement(name="role")
+  @XmlJavaTypeAdapter(CollapsedStringAdapter.class)
+  private Set<String> roles;
 
   /**
    * Get the stack id used for auto instance creation.
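Review bot: The Javadoc on `roles` does not mention that this field replaces the comma-separated `permissions` element, and a descriptor that still uses the old element would presumably unmarshal with `roles` unset, leaving the auto-created instance with no role access and no log line. If that is the intended behaviour, I would add a sentence such as `Replaces the former comma-separated permissions element; the legacy ALL.* values are no longer read.` The comment also calls the field "a list of roles" although it is declared `Set<String>`; "a set of role names" matches the type.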
@@ -76,17 +85,9 @@ public class AutoInstanceConfig extends InstanceConfig {
   }
 
   /**
-   * @return the list of configured cluster inherited permissions
+   * @return the set of roles that should have access to this view
    */
-  public List<String> getPermissions() {
-    if(permissions == null) {
-      return Lists.newArrayList();
-    }
-    return FluentIterable.from(Arrays.asList(permissions.split(","))).transform(new Function<String, String>() {
-      @Override
-      public String apply(String permission) {
-        return permission.trim();
-      }
-    }).toList();
+  public Set<String> getRoles() {
+    return roles;
   }
 }
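Review bot: getRoles returns the `roles` field as-is, so it yields null when the descriptor has no roles element, whereas the removed getPermissions returned an empty list in that case. The one caller visible in this commit checks for null, but any other caller would have to as well; `return (roles == null) ? Collections.<String>emptySet() : roles;` (which needs a `java.util.Collections` import) keeps the old contract. If null is meant to be allowed, the `@return` line should say so.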

http://git-wip-us.apache.org/repos/asf/ambari/blob/b632b33b/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql
index 9e14d2f..88d0bd7 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql
@@ -1159,16 +1159,6 @@ INSERT INTO adminprincipaltype (principal_type_id, principal_type_name)
   UNION ALL
   SELECT 2, 'GROUP' FROM SYSIBM.SYSDUMMY1
   UNION ALL
-  SELECT 3, 'ALL.CLUSTER.ADMINISTRATOR' FROM SYSIBM.SYSDUMMY1
-  UNION ALL
-  SELECT 4, 'ALL.CLUSTER.OPERATOR' FROM SYSIBM.SYSDUMMY1
-  UNION ALL
-  SELECT 5, 'ALL.CLUSTER.USER' FROM SYSIBM.SYSDUMMY1
-  UNION ALL
-  SELECT 6, 'ALL.SERVICE.ADMINISTRATOR' FROM SYSIBM.SYSDUMMY1
-  UNION ALL
-  SELECT 7, 'ALL.SERVICE.OPERRATOR' FROM SYSIBM.SYSDUMMY1
-  UNION ALL
   SELECT 8, 'ROLE' FROM SYSIBM.SYSDUMMY1;
 
 INSERT INTO adminprincipal (principal_id, principal_type_id)

http://git-wip-us.apache.org/repos/asf/ambari/blob/b632b33b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
index 5fb7ac1..762b2d8 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
@@ -1109,11 +1109,6 @@ INSERT INTO adminresource (resource_id, resource_type_id) VALUES
 INSERT INTO adminprincipaltype (principal_type_id, principal_type_name) VALUES
   (1, 'USER'),
   (2, 'GROUP'),
-  (3, 'ALL.CLUSTER.ADMINISTRATOR'),
-  (4, 'ALL.CLUSTER.OPERATOR'),
-  (5, 'ALL.CLUSTER.USER'),
-  (6, 'ALL.SERVICE.ADMINISTRATOR'),
-  (7, 'ALL.SERVICE.OPERATOR'),
   (8, 'ROLE');
 
 INSERT INTO adminprincipal (principal_id, principal_type_id) VALUES

http://git-wip-us.apache.org/repos/asf/ambari/blob/b632b33b/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
index ff30eef..6071869 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
@@ -1105,16 +1105,6 @@ insert into adminprincipaltype (principal_type_id, principal_type_name)
   union all
   select 2, 'GROUP' from dual
   union all
-  select 3, 'ALL.CLUSTER.ADMINISTRATOR' from dual
-  union all
-  select 4, 'ALL.CLUSTER.OPERATOR' from dual
-  union all
-  select 5, 'ALL.CLUSTER.USER' from dual
-  union all
-  select 6, 'ALL.SERVICE.ADMINISTRATOR' from dual
-  union all
-  select 7, 'ALL.SERVICE.OPERATOR' from dual
-  union all
   select 8, 'ROLE' from dual;
 
 insert into adminprincipal (principal_id, principal_type_id)

http://git-wip-us.apache.org/repos/asf/ambari/blob/b632b33b/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
index 19a531a..15f00b6 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
@@ -1100,11 +1100,6 @@ INSERT INTO adminresource (resource_id, resource_type_id) VALUES
 INSERT INTO adminprincipaltype (principal_type_id, principal_type_name) VALUES
   (1, 'USER'),
   (2, 'GROUP'),
-  (3, 'ALL.CLUSTER.ADMINISTRATOR'),
-  (4, 'ALL.CLUSTER.OPERATOR'),
-  (5, 'ALL.CLUSTER.USER'),
-  (6, 'ALL.SERVICE.ADMINISTRATOR'),
-  (7, 'ALL.SERVICE.OPERATOR'),
   (8, 'ROLE');
 
 INSERT INTO adminprincipal (principal_id, principal_type_id) VALUES

http://git-wip-us.apache.org/repos/asf/ambari/blob/b632b33b/ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql
index 43bdef9..5b9315f 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql
@@ -1264,11 +1264,6 @@ INSERT INTO ambari.adminresource (resource_id, resource_type_id) VALUES
 INSERT INTO ambari.adminprincipaltype (principal_type_id, principal_type_name) VALUES
   (1, 'USER'),
   (2, 'GROUP'),
-  (3, 'ALL.CLUSTER.ADMINISTRATOR'),
-  (4, 'ALL.CLUSTER.OPERATOR'),
-  (5, 'ALL.CLUSTER.USER'),
-  (6, 'ALL.SERVICE.ADMINISTRATOR'),
-  (7, 'ALL.SERVICE.OPERATOR'),
   (8, 'ROLE');
 
 INSERT INTO ambari.adminprincipal (principal_id, principal_type_id) VALUES

http://git-wip-us.apache.org/repos/asf/ambari/blob/b632b33b/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
index d2cd985..24af3d4 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
@@ -1102,16 +1102,6 @@ insert into adminprincipaltype (principal_type_id, principal_type_name)
   union all
   select 2, 'GROUP'
   union all
-  select 3, 'ALL.CLUSTER.ADMINISTRATOR'
-  union all
-  select 4, 'ALL.CLUSTER.OPERATOR'
-  union all
-  select 5, 'ALL.CLUSTER.USER'
-  union all
-  select 6, 'ALL.SERVICE.ADMINISTRATOR'
-  union all
-  select 7, 'ALL.SERVICE.OPERATOR'
-  union all
   select 8, 'ROLE';
 
 insert into adminprincipal (principal_id, principal_type_id)

http://git-wip-us.apache.org/repos/asf/ambari/blob/b632b33b/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
index 275b4ab..d174c73 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
@@ -1126,11 +1126,6 @@ BEGIN TRANSACTION
   values
     (1, 'USER'),
     (2, 'GROUP'),
-    (3, 'ALL.CLUSTER.ADMINISTRATOR'),
-    (4, 'ALL.CLUSTER.OPERATOR'),
-    (5, 'ALL.CLUSTER.USER'),
-    (6, 'ALL.SERVICE.ADMINISTRATOR'),
-    (7, 'ALL.SERVICE.OPERATOR'),
     (8, 'ROLE');
 
   insert into adminprincipal (principal_id, principal_type_id)

http://git-wip-us.apache.org/repos/asf/ambari/blob/b632b33b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AbstractPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AbstractPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AbstractPrivilegeResourceProviderTest.java
new file mode 100644
index 0000000..547bba5
--- /dev/null
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AbstractPrivilegeResourceProviderTest.java
@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.controller.internal;
+
+import org.apache.ambari.server.orm.dao.MemberDAO;
+import org.apache.ambari.server.orm.dao.PrivilegeDAO;
+import org.apache.ambari.server.security.authorization.Users;
+import org.easymock.EasyMockSupport;
+
+class AbstractPrivilegeResourceProviderTest extends EasyMockSupport {
+
+  static class TestUsers extends Users {
+
+    void setPrivilegeDAO(PrivilegeDAO privilegeDAO) {
+      this.privilegeDAO = privilegeDAO;
+    }
+
+    public void setMemberDAO(MemberDAO memberDAO) {
+      this.memberDAO = memberDAO;
+    }
+  }
+}
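Review bot: AbstractPrivilegeResourceProviderTest is named as an abstract base but is declared as a concrete, package-private class with no test methods, and its nested TestUsers mixes a package-private `setPrivilegeDAO` with a public `setMemberDAO`. Declaring it `abstract class AbstractPrivilegeResourceProviderTest` and giving both setters the same visibility would make the intent clear. A short class comment saying that TestUsers exists to inject mock DAOs into Users would also help the next reader.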

http://git-wip-us.apache.org/repos/asf/ambari/blob/b632b33b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java
index 99962ee..7702fd0 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java
@@ -270,9 +270,6 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
     UserDAO userDAO = injector.getInstance(UserDAO.class);
     expect(userDAO.findUsersByPrincipal(anyObject(List.class))).andReturn(userEntities).atLeastOnce();
 
-    GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
-    expect(groupDAO.findGroupsByPrincipal(anyObject(List.class))).andReturn(Collections.<GroupEntity>emptyList()).atLeastOnce();
-
     replayAll();
 
     SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator("admin"));
@@ -356,10 +353,11 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
 
     Map<Long, UserEntity> userEntities = new HashMap<>();
     Map<Long, GroupEntity> groupEntities = new HashMap<>();
+    Map<Long, PermissionEntity> roleEntities = new HashMap<>();
     Map<Long, Object> resourceEntities = new HashMap<Long, Object>();
 
     AmbariPrivilegeResourceProvider provider = new AmbariPrivilegeResourceProvider();
-    Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, provider.getPropertyIds());
+    Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, provider.getPropertyIds());
 
     Assert.assertEquals(ResourceType.AMBARI.name(), resource.getPropertyValue(AmbariPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID));
 
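Review bot: The new `roleEntities` argument to toResource is an empty map here and in the three similar hunks that follow (new lines 397, 449 and 503), so none of these tests exercises a privilege whose principal is a role. Since the commit is about role-based principals, a case that puts a PermissionEntity into `roleEntities` and asserts the resulting principal name and type would cover the new path. Such a test may exist in a part of the commit that is not shown here.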
@@ -399,12 +397,13 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
 
     Map<Long, UserEntity> userEntities = new HashMap<>();
     Map<Long, GroupEntity> groupEntities = new HashMap<>();
+    Map<Long, PermissionEntity> roleEntities = new HashMap<>();
 
     Map<Long, Object> resourceEntities = new HashMap<Long, Object>();
     resourceEntities.put(resourceEntity.getId(), clusterEntity);
 
     AmbariPrivilegeResourceProvider provider = new AmbariPrivilegeResourceProvider();
-    Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, provider.getPropertyIds());
+    Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, provider.getPropertyIds());
 
     Assert.assertEquals("TestCluster", resource.getPropertyValue(ClusterPrivilegeResourceProvider.PRIVILEGE_CLUSTER_NAME_PROPERTY_ID));
     Assert.assertEquals(ResourceType.CLUSTER.name(), resource.getPropertyValue(AmbariPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID));
@@ -450,12 +449,13 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
 
     Map<Long, UserEntity> userEntities = new HashMap<>();
     Map<Long, GroupEntity> groupEntities = new HashMap<>();
+    Map<Long, PermissionEntity> roleEntities = new HashMap<>();
 
     Map<Long, Object> resourceEntities = new HashMap<Long, Object>();
     resourceEntities.put(resourceEntity.getId(), viewInstanceEntity);
 
     AmbariPrivilegeResourceProvider provider = new AmbariPrivilegeResourceProvider();
-    Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, provider.getPropertyIds());
+    Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, provider.getPropertyIds());
 
     Assert.assertEquals("Test View", resource.getPropertyValue(ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID));
     Assert.assertEquals("TestView", resource.getPropertyValue(ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_NAME_PROPERTY_ID));
@@ -503,12 +503,13 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
 
     Map<Long, UserEntity> userEntities = new HashMap<>();
     Map<Long, GroupEntity> groupEntities = new HashMap<>();
+    Map<Long, PermissionEntity> roleEntities = new HashMap<>();
 
     Map<Long, Object> resourceEntities = new HashMap<Long, Object>();
     resourceEntities.put(resourceEntity.getId(), viewInstanceEntity);
 
     AmbariPrivilegeResourceProvider provider = new AmbariPrivilegeResourceProvider();
-    Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, provider.getPropertyIds());
+    Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, provider.getPropertyIds());
 
     Assert.assertEquals("Test View", resource.getPropertyValue(ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID));
     Assert.assertEquals("TestView", resource.getPropertyValue(ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_NAME_PROPERTY_ID));
@@ -608,9 +609,6 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
     ClusterDAO clusterDAO = injector.getInstance(ClusterDAO.class);
     expect(clusterDAO.findAll()).andReturn(Collections.<ClusterEntity>emptyList()).atLeastOnce();
 
-    GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
-    expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList()).atLeastOnce();
-
     replayAll();
 
     SecurityContextHolder.getContext().setAuthentication(authentication);
@@ -664,9 +662,6 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
     ClusterDAO clusterDAO = injector.getInstance(ClusterDAO.class);
     expect(clusterDAO.findAll()).andReturn(clusterEntities).atLeastOnce();
 
-    GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
-    expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList()).atLeastOnce();
-
     replayAll();
 
     SecurityContextHolder.getContext().setAuthentication(authentication);

http://git-wip-us.apache.org/repos/asf/ambari/blob/b632b33b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProviderTest.java
index f00a21a..976dd34 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProviderTest.java
@@ -38,7 +38,6 @@ import org.apache.ambari.server.orm.dao.ResourceDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
 import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
 import org.apache.ambari.server.orm.entities.ClusterEntity;
-import org.apache.ambari.server.orm.entities.GroupEntity;
 import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.apache.ambari.server.orm.entities.PrincipalEntity;
 import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
@@ -61,7 +60,6 @@ import org.springframework.security.core.context.SecurityContextHolder;
 
 import javax.persistence.EntityManager;
 import java.util.ArrayList;
-import java.util.Collections;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.LinkedList;
@@ -251,9 +249,6 @@ public class ClusterPrivilegeResourceProviderTest extends EasyMockSupport {
     UserDAO userDAO = injector.getInstance(UserDAO.class);
     expect(userDAO.findUsersByPrincipal(principalEntities)).andReturn(userEntities);
 
-    GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
-    expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList());
-
     replayAll();
 
     SecurityContextHolder.getContext().setAuthentication(authentication);
@@ -306,9 +301,6 @@ public class ClusterPrivilegeResourceProviderTest extends EasyMockSupport {
     UserDAO userDAO = injector.getInstance(UserDAO.class);
     expect(userDAO.findUsersByPrincipal(principalEntities)).andReturn(userEntities);
 
-    GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
-    expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList());
-
     replayAll();
 
     SecurityContextHolder.getContext().setAuthentication(authentication);

http://git-wip-us.apache.org/repos/asf/ambari/blob/b632b33b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProviderTest.java
index c3510a8..145f6d0 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProviderTest.java
@@ -18,7 +18,6 @@
 
 package org.apache.ambari.server.controller.internal;
 
-import com.google.common.collect.Lists;
 import junit.framework.Assert;
 import org.apache.ambari.server.controller.spi.Predicate;
 import org.apache.ambari.server.controller.spi.Request;
@@ -31,7 +30,6 @@ import org.apache.ambari.server.orm.dao.GroupDAO;
 import org.apache.ambari.server.orm.dao.PrivilegeDAO;
 import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
 import org.apache.ambari.server.orm.entities.ClusterEntity;
-import org.apache.ambari.server.orm.entities.MemberEntity;
 import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.apache.ambari.server.orm.entities.PrincipalEntity;
 import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
@@ -44,13 +42,15 @@ import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
 import org.apache.ambari.server.security.TestAuthenticationFactory;
 import org.apache.ambari.server.security.authorization.AuthorizationException;
 import org.apache.ambari.server.security.authorization.ResourceType;
-import org.easymock.EasyMockSupport;
+import org.apache.ambari.server.security.authorization.Users;
 import org.junit.Test;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 
 import java.util.Collections;
 import java.util.HashSet;
+import java.util.LinkedList;
+import java.util.List;
 import java.util.Set;
 
 import static org.easymock.EasyMock.anyObject;
@@ -59,7 +59,7 @@ import static org.easymock.EasyMock.expect;
 /**
  * GroupPrivilegeResourceProvider tests.
  */
-public class GroupPrivilegeResourceProviderTest extends EasyMockSupport {
+public class GroupPrivilegeResourceProviderTest extends AbstractPrivilegeResourceProviderTest {
 
   @Test(expected = SystemException.class)
   public void testCreateResources() throws Exception {
@@ -124,11 +124,11 @@ public class GroupPrivilegeResourceProviderTest extends EasyMockSupport {
 
     ClusterDAO clusterDAO = createMock(ClusterDAO.class);
     ViewInstanceDAO viewInstanceDAO = createMock(ViewInstanceDAO.class);
-    PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+    Users users = createNiceMock(Users.class);
 
     replayAll();
 
-    GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+    GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, users);
     GroupPrivilegeResourceProvider provider = new GroupPrivilegeResourceProvider();
     Resource resource = provider.toResource(privilegeEntity, "group1", provider.getPropertyIds());
 
@@ -175,11 +175,11 @@ public class GroupPrivilegeResourceProviderTest extends EasyMockSupport {
 
     GroupDAO groupDAO = createMock(GroupDAO.class);
     expect(groupDAO.findGroupByPrincipal(anyObject(PrincipalEntity.class))).andReturn(groupEntity).anyTimes();
-    PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+    Users users = createNiceMock(Users.class);
 
     replayAll();
 
-    GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+    GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, users);
     GroupPrivilegeResourceProvider provider = new GroupPrivilegeResourceProvider();
     Resource resource = provider.toResource(privilegeEntity, "group1", provider.getPropertyIds());
 
@@ -233,11 +233,11 @@ public class GroupPrivilegeResourceProviderTest extends EasyMockSupport {
     GroupDAO groupDAO = createMock(GroupDAO.class);
     expect(groupDAO.findGroupByPrincipal(anyObject(PrincipalEntity.class))).andReturn(groupEntity).anyTimes();
 
-    PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+    Users users = createNiceMock(Users.class);
 
     replayAll();
 
-    GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+    GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, users);
     GroupPrivilegeResourceProvider provider = new GroupPrivilegeResourceProvider();
     Resource resource = provider.toResource(privilegeEntity, "group1", provider.getPropertyIds());
 
@@ -292,11 +292,11 @@ public class GroupPrivilegeResourceProviderTest extends EasyMockSupport {
 
     GroupDAO groupDAO = createMock(GroupDAO.class);
     expect(groupDAO.findGroupByPrincipal(anyObject(PrincipalEntity.class))).andReturn(groupEntity).anyTimes();
-    PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+    Users users = createNiceMock(Users.class);
 
     replayAll();
 
-    GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+    GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, users);
     GroupPrivilegeResourceProvider provider = new GroupPrivilegeResourceProvider();
     Resource resource = provider.toResource(privilegeEntity, "group1", provider.getPropertyIds());
 
@@ -320,30 +320,32 @@ public class GroupPrivilegeResourceProviderTest extends EasyMockSupport {
     final PrincipalTypeEntity principalTypeEntity = createNiceMock(PrincipalTypeEntity.class);
     final ResourceEntity resourceEntity = createNiceMock(ResourceEntity.class);
     final ResourceTypeEntity resourceTypeEntity = createNiceMock(ResourceTypeEntity.class);
-    final PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
-
-    expect(groupDAO.findGroupByName(requestedGroupName)).andReturn(groupEntity).anyTimes();
-    expect(groupEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
-    expect(groupEntity.getMemberEntities()).andReturn(Collections.<MemberEntity>emptySet()).anyTimes();
-    expect(privilegeEntity.getPermission()).andReturn(permissionEntity).anyTimes();
-    expect(privilegeEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
-    expect(principalEntity.getPrincipalType()).andReturn(principalTypeEntity).anyTimes();
-    expect(principalTypeEntity.getName()).andReturn(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME).anyTimes();
-    expect(principalEntity.getPrivileges()).andReturn(new HashSet<PrivilegeEntity>() {
-      {
-        add(privilegeEntity);
-      }
-    }).anyTimes();
-    expect(groupDAO.findGroupByPrincipal(anyObject(PrincipalEntity.class))).andReturn(groupEntity).anyTimes();
-    expect(groupEntity.getGroupName()).andReturn(requestedGroupName).anyTimes();
-    expect(privilegeEntity.getResource()).andReturn(resourceEntity).anyTimes();
-    expect(resourceEntity.getResourceType()).andReturn(resourceTypeEntity).anyTimes();
+    final PrivilegeDAO privilegeDAO = createMock(PrivilegeDAO.class);
+
+    final TestUsers users = new TestUsers();
+    users.setPrivilegeDAO(privilegeDAO);
+
+    List<PrincipalEntity> groupPrincipals = new LinkedList<PrincipalEntity>();
+    groupPrincipals.add(principalEntity);
+
+    expect(privilegeDAO.findAllByPrincipal(groupPrincipals)).
+        andReturn(Collections.singletonList(privilegeEntity))
+        .once();
+    expect(groupDAO.findGroupByName(requestedGroupName)).andReturn(groupEntity).atLeastOnce();
+    expect(groupEntity.getPrincipal()).andReturn(principalEntity).atLeastOnce();
+    expect(privilegeEntity.getPermission()).andReturn(permissionEntity).atLeastOnce();
+    expect(privilegeEntity.getPrincipal()).andReturn(principalEntity).atLeastOnce();
+    expect(principalEntity.getPrincipalType()).andReturn(principalTypeEntity).atLeastOnce();
+    expect(principalTypeEntity.getName()).andReturn(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME).atLeastOnce();
+    expect(groupDAO.findGroupByPrincipal(anyObject(PrincipalEntity.class))).andReturn(groupEntity).atLeastOnce();
+    expect(groupEntity.getGroupName()).andReturn(requestedGroupName).atLeastOnce();
+    expect(privilegeEntity.getResource()).andReturn(resourceEntity).atLeastOnce();
+    expect(resourceEntity.getResourceType()).andReturn(resourceTypeEntity).atLeastOnce();
     expect(resourceTypeEntity.getName()).andReturn(ResourceType.AMBARI.name());
-    expect(viewInstanceDAO.findAll()).andReturn(Lists.<ViewInstanceEntity>newArrayList()).anyTimes();
 
     replayAll();
 
-    GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+    GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, users);
 
     final Set<String> propertyIds = new HashSet<String>();
     propertyIds.add(GroupPrivilegeResourceProvider.PRIVILEGE_GROUP_NAME_PROPERTY_ID);
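Review bot: The expectations added here only cover privileges looked up for the group's own principal (`privilegeDAO.findAllByPrincipal(groupPrincipals)`); nothing exercises privileges a group might inherit through a role principal. The user test in UserPrivilegeResourceProviderTest expects a second `findAllByPrincipal(rolePrincipals)` call for that case. Whether `Users` resolves role-based privileges for groups is not visible in this hunk; if it does, a group counterpart to that test would keep the two providers from drifting apart. If it does not, a comment above the expectation such as `// explicit group privileges only; no role-inherited privileges are expected for groups` would record that the gap is intentional. The test method starts and ends outside the hunk.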

http://git-wip-us.apache.org/repos/asf/ambari/blob/b632b33b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
index 1f3cb52..ddb510d 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java
@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -18,8 +18,6 @@
 
 package org.apache.ambari.server.controller.internal;
 
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
 import junit.framework.Assert;
 import org.apache.ambari.server.controller.spi.Predicate;
 import org.apache.ambari.server.controller.spi.Request;
@@ -29,6 +27,7 @@ import org.apache.ambari.server.controller.utilities.PredicateBuilder;
 import org.apache.ambari.server.controller.utilities.PropertyHelper;
 import org.apache.ambari.server.orm.dao.ClusterDAO;
 import org.apache.ambari.server.orm.dao.GroupDAO;
+import org.apache.ambari.server.orm.dao.MemberDAO;
 import org.apache.ambari.server.orm.dao.PrivilegeDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
 import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
@@ -46,7 +45,7 @@ import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
 import org.apache.ambari.server.security.TestAuthenticationFactory;
 import org.apache.ambari.server.security.authorization.AuthorizationException;
 import org.apache.ambari.server.security.authorization.ResourceType;
-import org.easymock.EasyMockSupport;
+import org.apache.ambari.server.security.authorization.Users;
 import org.junit.Test;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -54,6 +53,8 @@ import org.springframework.security.core.context.SecurityContextHolder;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashSet;
+import java.util.LinkedList;
+import java.util.List;
 import java.util.Set;
 
 import static org.easymock.EasyMock.anyObject;
@@ -62,7 +63,7 @@ import static org.easymock.EasyMock.expect;
 /**
  * UserPrivilegeResourceProvider tests.
  */
-public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
+public class UserPrivilegeResourceProviderTest extends AbstractPrivilegeResourceProviderTest {
 
   @Test(expected = SystemException.class)
   public void testCreateResources() throws Exception {
@@ -134,11 +135,11 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
     GroupDAO groupDAO = createMock(GroupDAO.class);
     ViewInstanceDAO viewInstanceDAO = createMock(ViewInstanceDAO.class);
 
-    PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+    Users users = createNiceMock(Users.class);
 
     replayAll();
 
-    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
     UserPrivilegeResourceProvider provider = new UserPrivilegeResourceProvider();
     Resource resource = provider.toResource(privilegeEntity, "jdoe", provider.getPropertyIds());
 
@@ -187,11 +188,11 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
     UserDAO userDAO = createMock(UserDAO.class);
     expect(userDAO.findUserByPrincipal(anyObject(PrincipalEntity.class))).andReturn(userEntity).anyTimes();
 
-    PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+    Users users = createNiceMock(Users.class);
 
     replayAll();
 
-    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
     UserPrivilegeResourceProvider provider = new UserPrivilegeResourceProvider();
     Resource resource = provider.toResource(privilegeEntity, "jdoe", provider.getPropertyIds());
 
@@ -246,11 +247,11 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
     UserDAO userDAO = createMock(UserDAO.class);
     expect(userDAO.findUserByPrincipal(anyObject(PrincipalEntity.class))).andReturn(userEntity).anyTimes();
 
-    PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+    Users users = createNiceMock(Users.class);
 
     replayAll();
 
-    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
     UserPrivilegeResourceProvider provider = new UserPrivilegeResourceProvider();
     Resource resource = provider.toResource(privilegeEntity, "jdoe", provider.getPropertyIds());
 
@@ -307,11 +308,11 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
     UserDAO userDAO = createMock(UserDAO.class);
     expect(userDAO.findUserByPrincipal(anyObject(PrincipalEntity.class))).andReturn(userEntity).anyTimes();
 
-    PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+    Users users = createNiceMock(Users.class);
 
     replayAll();
 
-    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
     UserPrivilegeResourceProvider provider = new UserPrivilegeResourceProvider();
     Resource resource = provider.toResource(privilegeEntity, "jdoe", provider.getPropertyIds());
 
@@ -327,7 +328,14 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
   public void testToResource_SpecificVIEW_WithClusterInheritedPermission() throws Exception {
     SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createClusterAdministrator("jdoe", 2L));
 
+    PrincipalTypeEntity rolePrincipalTypeEntity = createMock(PrincipalTypeEntity.class);
+    expect(rolePrincipalTypeEntity.getName()).andReturn("ROLE").atLeastOnce();
+
+    PrincipalEntity rolePrincipalEntity = createMock(PrincipalEntity.class);
+    expect(rolePrincipalEntity.getPrincipalType()).andReturn(rolePrincipalTypeEntity).atLeastOnce();
+
     PermissionEntity permissionEntity = createMock(PermissionEntity.class);
+    expect(permissionEntity.getPrincipal()).andReturn(rolePrincipalEntity).atLeastOnce();
     expect(permissionEntity.getPermissionName()).andReturn("CLUSTER.ADMINISTRATOR").atLeastOnce();
     expect(permissionEntity.getPermissionLabel()).andReturn("Cluster Administrator").atLeastOnce();
 
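Review bot: The role principal type is written as the bare string `"ROLE"` in `expect(rolePrincipalTypeEntity.getName()).andReturn("ROLE")`, whereas the group test touched by this commit uses `PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME`. If `PrincipalTypeEntity` has a matching constant for the role type, returning it here ties the test to the value the authorization code compares against. A later rename could then no longer leave the implicit-privilege path unexercised in this test without anyone noticing. The test method continues outside the hunk.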
@@ -337,19 +345,10 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
     PrincipalEntity principalEntity = createMock(PrincipalEntity.class);
     expect(principalEntity.getPrincipalType()).andReturn(principalTypeEntity).atLeastOnce();
 
-
-    PrincipalTypeEntity principalTypeWithAllClusterAdministrator = createNiceMock(PrincipalTypeEntity.class);
-    expect(principalTypeWithAllClusterAdministrator.getName()).andReturn("ALL.CLUSTER.ADMINISTRATOR").atLeastOnce();
-
-    PrincipalEntity principalEntityWithAllClusterAdministrator = createNiceMock(PrincipalEntity.class);
-    expect(principalEntityWithAllClusterAdministrator.getPrincipalType()).andReturn(principalTypeWithAllClusterAdministrator).atLeastOnce();
-
     ViewEntity viewEntity = createMock(ViewEntity.class);
     expect(viewEntity.getCommonName()).andReturn("TestView").atLeastOnce();
     expect(viewEntity.getVersion()).andReturn("1.2.3.4").atLeastOnce();
 
-
-
     ResourceTypeEntity resourceTypeEntity = createMock(ResourceTypeEntity.class);
     expect(resourceTypeEntity.getName()).andReturn("TestView{1.2.3.4}").atLeastOnce();
 
@@ -360,38 +359,56 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
     ViewInstanceEntity viewInstanceEntity = createMock(ViewInstanceEntity.class);
     expect(viewInstanceEntity.getViewEntity()).andReturn(viewEntity).atLeastOnce();
     expect(viewInstanceEntity.getName()).andReturn("Test View").atLeastOnce();
-    expect(viewInstanceEntity.getClusterHandle()).andReturn(1L).atLeastOnce();
-    expect(viewInstanceEntity.getResource()).andReturn(resourceEntity).atLeastOnce();
 
-    PrivilegeEntity privilegeEntityViewWithClusterAdminAccess = createMock(PrivilegeEntity.class);
-    expect(privilegeEntityViewWithClusterAdminAccess.getPrincipal()).andReturn(principalEntityWithAllClusterAdministrator).atLeastOnce();
+    PrivilegeEntity explicitPrivilegeEntity = createMock(PrivilegeEntity.class);
+    expect(explicitPrivilegeEntity.getId()).andReturn(1).atLeastOnce();
+    expect(explicitPrivilegeEntity.getPermission()).andReturn(permissionEntity).atLeastOnce();
+    expect(explicitPrivilegeEntity.getPrincipal()).andReturn(principalEntity).atLeastOnce();
+    expect(explicitPrivilegeEntity.getResource()).andReturn(resourceEntity).atLeastOnce();
 
-    PrivilegeEntity privilegeEntity = createMock(PrivilegeEntity.class);
-    expect(privilegeEntity.getId()).andReturn(1).atLeastOnce();
-    expect(privilegeEntity.getPermission()).andReturn(permissionEntity).atLeastOnce();
-    expect(privilegeEntity.getPrincipal()).andReturn(principalEntity).atLeastOnce();
-    expect(privilegeEntity.getResource()).andReturn(resourceEntity).atLeastOnce();
-
-    expect(principalEntity.getPrivileges()).andReturn(Sets.newHashSet(privilegeEntity)).atLeastOnce();
+    PrivilegeEntity implicitPrivilegeEntity = createMock(PrivilegeEntity.class);
+    expect(implicitPrivilegeEntity.getId()).andReturn(2).atLeastOnce();
+    expect(implicitPrivilegeEntity.getPermission()).andReturn(permissionEntity).atLeastOnce();
+    expect(implicitPrivilegeEntity.getPrincipal()).andReturn(rolePrincipalEntity).atLeastOnce();
+    expect(implicitPrivilegeEntity.getResource()).andReturn(resourceEntity).atLeastOnce();
 
     UserEntity userEntity = createMock(UserEntity.class);
     expect(userEntity.getUserName()).andReturn("jdoe").atLeastOnce();
     expect(userEntity.getPrincipal()).andReturn(principalEntity).atLeastOnce();
-    expect(userEntity.getMemberEntities()).andReturn(Sets.<MemberEntity>newHashSet()).atLeastOnce();
 
     ClusterDAO clusterDAO = createMock(ClusterDAO.class);
     GroupDAO groupDAO = createMock(GroupDAO.class);
 
     ViewInstanceDAO viewInstanceDAO = createMock(ViewInstanceDAO.class);
     expect(viewInstanceDAO.findByResourceId(1L)).andReturn(viewInstanceEntity).atLeastOnce();
-    expect(viewInstanceDAO.findAll()).andReturn(Lists.newArrayList(viewInstanceEntity)).atLeastOnce();
 
     final UserDAO userDAO = createNiceMock(UserDAO.class);
     expect(userDAO.findLocalUserByName("jdoe")).andReturn(userEntity).anyTimes();
     expect(userDAO.findUserByPrincipal(anyObject(PrincipalEntity.class))).andReturn(userEntity).anyTimes();
 
-    PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
-    expect(privilegeDAO.findByResourceId(1L)).andReturn(Lists.newArrayList(privilegeEntity, privilegeEntityViewWithClusterAdminAccess)).anyTimes();
+    final PrivilegeDAO privilegeDAO = createMock(PrivilegeDAO.class);
+    final MemberDAO memberDAO = createMock(MemberDAO.class);
+
+    final TestUsers users = new TestUsers();
+    users.setPrivilegeDAO(privilegeDAO);
+    users.setMemberDAO(memberDAO);
+
+    List<PrincipalEntity> rolePrincipals = new LinkedList<PrincipalEntity>();
+    rolePrincipals.add(rolePrincipalEntity);
+
+    List<PrincipalEntity> userPrincipals = new LinkedList<PrincipalEntity>();
+    userPrincipals.add(principalEntity);
+
+    expect(privilegeDAO.findAllByPrincipal(userPrincipals)).
+        andReturn(Collections.singletonList(explicitPrivilegeEntity))
+        .once();
+    // Implicit privileges...
+    expect(privilegeDAO.findAllByPrincipal(rolePrincipals)).
+        andReturn(Collections.singletonList(implicitPrivilegeEntity))
+        .once();
+    expect(memberDAO.findAllMembersByUser(userEntity)).
+        andReturn(Collections.<MemberEntity>emptyList())
+        .atLeastOnce();
 
     replayAll();
 
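Review bot: The `// Implicit privileges...` comment does not say why a lookup by `rolePrincipals` is expected, and the link is set up in an earlier hunk, where `permissionEntity.getPrincipal()` returns `rolePrincipalEntity`. A fuller comment would help, for example `// Implicit privileges: those granted to the role principal of the user's own permission (permissionEntity.getPrincipal())`, assuming that is how `Users` derives them. Both privilege mocks share `permissionEntity` and `resourceEntity`, so only the ids 1 and 2 distinguish the explicit entry from the inherited one. The assertions lie outside the hunk, so it cannot be confirmed from here that both ids are checked. The test method starts and ends outside the hunk.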
@@ -404,7 +421,7 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
     TestAuthenticationFactory.createClusterAdministrator("jdoe", 2L);
     Request request = PropertyHelper.getReadRequest(propertyIds);
 
-    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
     UserPrivilegeResourceProvider provider = new UserPrivilegeResourceProvider();
     Set<Resource> resources = provider.getResources(request, predicate);
 
@@ -424,7 +441,6 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
     final GroupDAO groupDAO = createNiceMock(GroupDAO.class);
     final ClusterDAO clusterDAO = createNiceMock(ClusterDAO.class);
     final ViewInstanceDAO viewInstanceDAO = createNiceMock(ViewInstanceDAO.class);
-    final PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
     final UserEntity userEntity = createNiceMock(UserEntity.class);
     final PrincipalEntity principalEntity = createNiceMock(PrincipalEntity.class);
     final PrivilegeEntity privilegeEntity = createNiceMock(PrivilegeEntity.class);
@@ -432,7 +448,22 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
     final PrincipalTypeEntity principalTypeEntity = createNiceMock(PrincipalTypeEntity.class);
     final ResourceEntity resourceEntity = createNiceMock(ResourceEntity.class);
     final ResourceTypeEntity resourceTypeEntity = createNiceMock(ResourceTypeEntity.class);
-
+    final PrivilegeDAO privilegeDAO = createMock(PrivilegeDAO.class);
+    final MemberDAO memberDAO = createMock(MemberDAO.class);
+
+    final TestUsers users = new TestUsers();
+    users.setPrivilegeDAO(privilegeDAO);
+    users.setMemberDAO(memberDAO);
+
+    List<PrincipalEntity> userPrincipals = new LinkedList<PrincipalEntity>();
+    userPrincipals.add(principalEntity);
+
+    expect(privilegeDAO.findAllByPrincipal(userPrincipals)).
+        andReturn(Collections.singletonList(privilegeEntity))
+        .atLeastOnce();
+    expect(memberDAO.findAllMembersByUser(userEntity)).
+        andReturn(Collections.<MemberEntity>emptyList())
+        .atLeastOnce();
     expect(userDAO.findLocalUserByName(requestedUsername)).andReturn(userEntity).anyTimes();
     expect(userEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
     expect(userEntity.getMemberEntities()).andReturn(Collections.<MemberEntity>emptySet()).anyTimes();
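Review bot: The context line `expect(userEntity.getMemberEntities()).andReturn(Collections.<MemberEntity>emptySet()).anyTimes();` is left in place even though this hunk moves the membership lookup to `memberDAO.findAllMembersByUser(userEntity)`. The same commit drops the equivalent expectation from the other test in this file and from the group test. Since `userEntity` is a nice mock and the expectation is `anyTimes()`, it can never fail, so it would not flag a regression to reading group memberships from the entity. Removing the line would leave the strict `memberDAO` mock as the only membership source the test sets up. The test method starts and ends outside the hunk.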
@@ -454,7 +485,7 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
 
     replayAll();
 
-    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
 
     final Set<String> propertyIds = new HashSet<String>();
     propertyIds.add(UserPrivilegeResourceProvider.PRIVILEGE_USER_NAME_PROPERTY_ID);

http://git-wip-us.apache.org/repos/asf/ambari/blob/b632b33b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProviderTest.java
index d85b37b..20ecc88 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProviderTest.java
@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -30,7 +30,6 @@ import org.apache.ambari.server.orm.dao.ResourceTypeDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
 import org.apache.ambari.server.orm.dao.ViewDAO;
 import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
-import org.apache.ambari.server.orm.entities.GroupEntity;
 import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.apache.ambari.server.orm.entities.PrincipalEntity;
 import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
@@ -53,7 +52,6 @@ import org.junit.BeforeClass;
 import org.junit.Test;
 import org.springframework.security.core.context.SecurityContextHolder;
 
-import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Set;
@@ -146,7 +144,6 @@ public class ViewPrivilegeResourceProviderTest {
     expect(permissionDAO.findById(PermissionEntity.VIEW_USER_PERMISSION)).andReturn(permissionEntity);
 
     expect(userDAO.findUsersByPrincipal(principalEntities)).andReturn(userEntities);
-    expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList());
 
     replay(privilegeDAO, userDAO, groupDAO, principalDAO, permissionDAO, resourceDAO, privilegeEntity, resourceEntity,
         userEntity, principalEntity, permissionEntity, principalTypeEntity);

http://git-wip-us.apache.org/repos/asf/ambari/blob/b632b33b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
index 47211ef..d376d4b 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
@@ -362,72 +362,6 @@ public class AuthorizationHelperTest  extends EasyMockSupport {
   }
 
   @Test
-  public void testIsAuthorizedForClusterInheritedPermission() {
-
-    ResourceTypeEntity clusterResourceTypeEntity = new ResourceTypeEntity();
-    clusterResourceTypeEntity.setId(1);
-    clusterResourceTypeEntity.setName(ResourceType.CLUSTER.name());
-
-    ResourceEntity clusterResourceEntity = new ResourceEntity();
-    clusterResourceEntity.setResourceType(clusterResourceTypeEntity);
-    clusterResourceEntity.setId(1L);
-
-    PermissionEntity clusterPermissionEntity = new PermissionEntity();
-    clusterPermissionEntity.setPermissionName("CLUSTER.ADMINISTRATOR");
-
-    RoleAuthorizationEntity readOnlyRoleAuthorizationEntity = new RoleAuthorizationEntity();
-    readOnlyRoleAuthorizationEntity.setAuthorizationId(RoleAuthorization.CLUSTER_VIEW_METRICS.getId());
-
-    RoleAuthorizationEntity privilegedRoleAuthorizationEntity = new RoleAuthorizationEntity();
-    privilegedRoleAuthorizationEntity.setAuthorizationId(RoleAuthorization.CLUSTER_TOGGLE_KERBEROS.getId());
-
-
-    clusterPermissionEntity.setAuthorizations(Arrays.asList(readOnlyRoleAuthorizationEntity,
-      privilegedRoleAuthorizationEntity));
-
-    PrivilegeEntity clusterPrivilegeEntity = new PrivilegeEntity();
-    clusterPrivilegeEntity.setPermission(clusterPermissionEntity);
-    clusterPrivilegeEntity.setResource(clusterResourceEntity);
-
-    GrantedAuthority clusterAuthority = new AmbariGrantedAuthority(clusterPrivilegeEntity);
-    Authentication clusterUser = new TestAuthentication(Collections.singleton(clusterAuthority));
-
-
-    Provider viewInstanceDAOProvider = createNiceMock(Provider.class);
-    Provider privilegeDAOProvider = createNiceMock(Provider.class);
-
-    ViewInstanceDAO viewInstanceDAO = createNiceMock(ViewInstanceDAO.class);
-    PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
-
-    ViewInstanceEntity viewInstanceEntity = createNiceMock(ViewInstanceEntity.class);
-    expect(viewInstanceEntity.getClusterHandle()).andReturn(1L).anyTimes();
-
-    PrivilegeEntity privilegeEntity = createNiceMock(PrivilegeEntity.class);
-    PrincipalEntity principalEntity = createNiceMock(PrincipalEntity.class);
-    PrincipalTypeEntity principalTypeEntity = createNiceMock(PrincipalTypeEntity.class);
-
-    expect(viewInstanceDAOProvider.get()).andReturn(viewInstanceDAO).anyTimes();
-    expect(privilegeDAOProvider.get()).andReturn(privilegeDAO).anyTimes();
-
-    expect(viewInstanceDAO.findByResourceId(2L)).andReturn(viewInstanceEntity).anyTimes();
-
-    expect(privilegeDAO.findByResourceId(2L)).andReturn(Lists.newArrayList(privilegeEntity)).anyTimes();
-
-    expect(principalTypeEntity.getName()).andReturn("ALL.CLUSTER.ADMINISTRATOR").anyTimes();
-    expect(principalEntity.getPrincipalType()).andReturn(principalTypeEntity).anyTimes();
-    expect(privilegeEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
-
-    replayAll();
-
-    AuthorizationHelper.viewInstanceDAOProvider = viewInstanceDAOProvider;
-    AuthorizationHelper.privilegeDAOProvider = privilegeDAOProvider;
-
-    SecurityContext context = SecurityContextHolder.getContext();
-    context.setAuthentication(clusterUser);
-
-    assertTrue(AuthorizationHelper.isAuthorized(ResourceType.VIEW, 2L, EnumSet.of(RoleAuthorization.VIEW_USE)));
-  }
-
   public void testIsAuthorizedForSpecificView() {
     RoleAuthorizationEntity readOnlyRoleAuthorizationEntity = new RoleAuthorizationEntity();
     readOnlyRoleAuthorizationEntity.setAuthorizationId(RoleAuthorization.CLUSTER_VIEW_METRICS.getId());

http://git-wip-us.apache.org/repos/asf/ambari/blob/b632b33b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog242Test.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog242Test.java b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog242Test.java
index 4457858..5e1967b 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog242Test.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog242Test.java
@@ -21,6 +21,8 @@ package org.apache.ambari.server.upgrade;
 import javax.persistence.EntityManager;
 import junit.framework.Assert;
 import static org.easymock.EasyMock.aryEq;
+
+import static org.easymock.EasyMock.anyString;
 import static org.easymock.EasyMock.capture;
 import static org.easymock.EasyMock.createMockBuilder;
 import static org.easymock.EasyMock.createNiceMock;
@@ -34,7 +36,13 @@ import static org.easymock.EasyMock.reset;
 import static org.easymock.EasyMock.verify;
 
 import java.lang.reflect.Method;
+import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
 
+import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.api.services.AmbariMetaInfo;
 import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.controller.AmbariManagementController;
@@ -44,12 +52,22 @@ import org.apache.ambari.server.orm.InMemoryDefaultTestModule;
 import org.apache.ambari.server.orm.dao.ClusterDAO;
 import org.apache.ambari.server.orm.dao.ClusterVersionDAO;
 import org.apache.ambari.server.orm.dao.HostVersionDAO;
+import org.apache.ambari.server.orm.dao.PermissionDAO;
+import org.apache.ambari.server.orm.dao.PrincipalDAO;
+import org.apache.ambari.server.orm.dao.PrincipalTypeDAO;
+import org.apache.ambari.server.orm.dao.PrivilegeDAO;
 import org.apache.ambari.server.orm.dao.RepositoryVersionDAO;
 import org.apache.ambari.server.orm.dao.StackDAO;
+import org.apache.ambari.server.orm.entities.PermissionEntity;
+import org.apache.ambari.server.orm.entities.PrincipalEntity;
+import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
+import org.apache.ambari.server.orm.entities.PrivilegeEntity;
+import org.apache.ambari.server.orm.entities.ResourceEntity;
 import org.apache.ambari.server.orm.entities.StackEntity;
 import org.apache.ambari.server.state.stack.OsFamily;
 import org.easymock.Capture;
 import org.easymock.EasyMock;
+import org.easymock.EasyMockSupport;
 import org.easymock.IMocksControl;
 import org.junit.After;
 import org.junit.Before;
@@ -219,16 +237,19 @@ public class UpgradeCatalog242Test {
   @Test
   public void testExecuteDMLUpdates() throws Exception {
     Method addNewConfigurationsFromXml = AbstractUpgradeCatalog.class.getDeclaredMethod("addNewConfigurationsFromXml");
-
+    Method convertRolePrincipals = UpgradeCatalog242.class.getDeclaredMethod("convertRolePrincipals");
 
     UpgradeCatalog242 upgradeCatalog242 = createMockBuilder(UpgradeCatalog242.class)
-            .addMockedMethod(addNewConfigurationsFromXml)
-            .createMock();
+        .addMockedMethod(addNewConfigurationsFromXml)
+        .addMockedMethod(convertRolePrincipals)
+        .createMock();
 
 
     upgradeCatalog242.addNewConfigurationsFromXml();
     expectLastCall().once();
 
+    upgradeCatalog242.convertRolePrincipals();
+    expectLastCall().once();
 
     replay(upgradeCatalog242);
 
@@ -236,4 +257,111 @@ public class UpgradeCatalog242Test {
 
     verify(upgradeCatalog242);
   }
+
+  @Test
+  public void testConvertRolePrincipals() throws AmbariException, SQLException {
+
+    EasyMockSupport easyMockSupport = new EasyMockSupport();
+
+    PrincipalEntity clusterAdministratorPrincipalEntity = easyMockSupport.createMock(PrincipalEntity.class);
+
+    PermissionEntity clusterAdministratorPermissionEntity = easyMockSupport.createMock(PermissionEntity.class);
+    expect(clusterAdministratorPermissionEntity.getPrincipal())
+        .andReturn(clusterAdministratorPrincipalEntity)
+        .once();
+
+    PrincipalTypeEntity allClusterAdministratorPrincipalTypeEntity = easyMockSupport.createMock(PrincipalTypeEntity.class);
+
+    PermissionDAO permissionDAO = easyMockSupport.createMock(PermissionDAO.class);
+    expect(permissionDAO.findByName("CLUSTER.ADMINISTRATOR"))
+        .andReturn(clusterAdministratorPermissionEntity)
+        .once();
+    expect(permissionDAO.findByName(anyString()))
+        .andReturn(null)
+        .anyTimes();
+
+    PrincipalTypeDAO principalTypeDAO = easyMockSupport.createMock(PrincipalTypeDAO.class);
+    expect(principalTypeDAO.findByName("ALL.CLUSTER.ADMINISTRATOR"))
+        .andReturn(allClusterAdministratorPrincipalTypeEntity)
+        .once();
+    expect(principalTypeDAO.findByName(anyString()))
+        .andReturn(null)
+        .anyTimes();
+    principalTypeDAO.remove(allClusterAdministratorPrincipalTypeEntity);
+    expectLastCall().once();
+
+    ResourceEntity allClusterAdministratorPrivilege1Resource = easyMockSupport.createMock(ResourceEntity.class);
+    expect(allClusterAdministratorPrivilege1Resource.getId()).andReturn(1L).once();
+
+    PrincipalEntity allClusterAdministratorPrivilege1Principal = easyMockSupport.createMock(PrincipalEntity.class);
+    expect(allClusterAdministratorPrivilege1Principal.getId()).andReturn(1L).once();
+
+    PermissionEntity allClusterAdministratorPrivilege1Permission = easyMockSupport.createMock(PermissionEntity.class);
+    expect(allClusterAdministratorPrivilege1Permission.getId()).andReturn(1).once();
+
+    PrivilegeEntity allClusterAdministratorPrivilege1  = easyMockSupport.createMock(PrivilegeEntity.class);
+    expect(allClusterAdministratorPrivilege1.getId()).andReturn(1).atLeastOnce();
+    expect(allClusterAdministratorPrivilege1.getResource()).andReturn(allClusterAdministratorPrivilege1Resource).once();
+    expect(allClusterAdministratorPrivilege1.getPrincipal()).andReturn(allClusterAdministratorPrivilege1Principal).once();
+    expect(allClusterAdministratorPrivilege1.getPermission()).andReturn(allClusterAdministratorPrivilege1Permission).once();
+    allClusterAdministratorPrivilege1.setPrincipal(clusterAdministratorPrincipalEntity);
+    expectLastCall().once();
+
+    ResourceEntity allClusterAdministratorPrivilege2Resource = easyMockSupport.createMock(ResourceEntity.class);
+    expect(allClusterAdministratorPrivilege2Resource.getId()).andReturn(2L).once();
+
+    PrincipalEntity allClusterAdministratorPrivilege2Principal = easyMockSupport.createMock(PrincipalEntity.class);
+    expect(allClusterAdministratorPrivilege2Principal.getId()).andReturn(2L).once();
+
+    PermissionEntity allClusterAdministratorPrivilege2Permission = easyMockSupport.createMock(PermissionEntity.class);
+    expect(allClusterAdministratorPrivilege2Permission.getId()).andReturn(2).once();
+
+    PrivilegeEntity allClusterAdministratorPrivilege2  = easyMockSupport.createMock(PrivilegeEntity.class);
+    expect(allClusterAdministratorPrivilege2.getId()).andReturn(2).atLeastOnce();
+    expect(allClusterAdministratorPrivilege2.getResource()).andReturn(allClusterAdministratorPrivilege2Resource).once();
+    expect(allClusterAdministratorPrivilege2.getPrincipal()).andReturn(allClusterAdministratorPrivilege2Principal).once();
+    expect(allClusterAdministratorPrivilege2.getPermission()).andReturn(allClusterAdministratorPrivilege2Permission).once();
+    allClusterAdministratorPrivilege2.setPrincipal(clusterAdministratorPrincipalEntity);
+    expectLastCall().once();
+
+    Set<PrivilegeEntity> allClusterAdministratorPrivileges = new HashSet<PrivilegeEntity>();
+    allClusterAdministratorPrivileges.add(allClusterAdministratorPrivilege1);
+    allClusterAdministratorPrivileges.add(allClusterAdministratorPrivilege2);
+
+    PrincipalEntity allClusterAdministratorPrincipalEntity = easyMockSupport.createMock(PrincipalEntity.class);
+    expect(allClusterAdministratorPrincipalEntity.getPrivileges())
+        .andReturn(allClusterAdministratorPrivileges)
+        .once();
+
+    List<PrincipalEntity> allClusterAdministratorPrincipals = new ArrayList<PrincipalEntity>();
+    allClusterAdministratorPrincipals.add(allClusterAdministratorPrincipalEntity);
+
+    PrincipalDAO principalDAO = easyMockSupport.createMock(PrincipalDAO.class);
+    expect(principalDAO.findByPrincipalType("ALL.CLUSTER.ADMINISTRATOR"))
+        .andReturn(allClusterAdministratorPrincipals)
+        .once();
+    principalDAO.remove(allClusterAdministratorPrincipalEntity);
+    expectLastCall().once();
+
+
+    PrivilegeDAO privilegeDAO = easyMockSupport.createMock(PrivilegeDAO.class);
+    expect(privilegeDAO.merge(allClusterAdministratorPrivilege1))
+        .andReturn(allClusterAdministratorPrivilege1)
+        .once();
+    expect(privilegeDAO.merge(allClusterAdministratorPrivilege2))
+        .andReturn(allClusterAdministratorPrivilege2)
+        .once();
+
+    Injector injector = easyMockSupport.createNiceMock(Injector.class);
+    expect(injector.getInstance(PrincipalTypeDAO.class)).andReturn(principalTypeDAO).atLeastOnce();
+    expect(injector.getInstance(PrincipalDAO.class)).andReturn(principalDAO).atLeastOnce();
+    expect(injector.getInstance(PermissionDAO.class)).andReturn(permissionDAO).atLeastOnce();
+    expect(injector.getInstance(PrivilegeDAO.class)).andReturn(privilegeDAO).atLeastOnce();
+
+    easyMockSupport.replayAll();
+    UpgradeCatalog242 upgradeCatalog = new UpgradeCatalog242(injector);
+    injector.injectMembers(upgradeCatalog);
+    upgradeCatalog.convertRolePrincipals();
+    easyMockSupport.verifyAll();
+  }
 }
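Review bot: testConvertRolePrincipals pins only the ALL.CLUSTER.ADMINISTRATOR to CLUSTER.ADMINISTRATOR pair; every other lookup falls through to the `findByName(anyString())` stubs that return null, so the case where a pseudo-role principal type still exists but its role permission is missing is never exercised. Because the expectations show this migration re-pointing privileges and then removing the old principal and principal type, that path decides whether existing grants are kept, dropped or left orphaned. It deserves its own test, for example one where `principalTypeDAO.findByName(...)` returns an entity while `permissionDAO.findByName(...)` returns null and no `remove` call is expected. The mocks also come from `easyMockSupport.createMock`, which does not check call order, so a regression that calls `principalDAO.remove` before `privilegeDAO.merge` would still pass; creating `privilegeDAO` and `principalDAO` from one `easyMockSupport.createStrictControl()` would pin that ordering. convertRolePrincipals itself is outside this hunk, so the intended outcome for the null case should be confirmed against it.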

http://git-wip-us.apache.org/repos/asf/ambari/blob/b632b33b/ambari-server/src/test/java/org/apache/ambari/server/view/configuration/AutoInstanceConfigTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/view/configuration/AutoInstanceConfigTest.java b/ambari-server/src/test/java/org/apache/ambari/server/view/configuration/AutoInstanceConfigTest.java
index 3c4a440..a24f041 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/view/configuration/AutoInstanceConfigTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/view/configuration/AutoInstanceConfigTest.java
@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -22,9 +22,8 @@ import junit.framework.Assert;
 import org.junit.Test;
 
 import javax.xml.bind.JAXBException;
-import java.util.LinkedList;
+import java.util.Collection;
 import java.util.List;
-import java.util.Set;
 
 import static org.junit.Assert.*;
 
@@ -75,7 +74,7 @@ public class AutoInstanceConfigTest {
       "        </property>\n" +
       "        <stack-id>HDP-2.0</stack-id>\n" +
       "        <services><service>HIVE</service><service>HDFS</service></services>\n" +
-      "        <permissions>ALL.CLUSTER.OPERATOR, ALL.CLUSTER.USER</permissions>\n" +
+      "        <roles><role>CLUSTER.OPERATOR </role><role> CLUSTER.USER</role></roles>\n" +
       "    </auto-instance>\n" +
       "</view>";
 
@@ -113,13 +112,13 @@ public class AutoInstanceConfigTest {
   @Test
   public void shouldParseClusterInheritedPermissions() throws Exception {
     AutoInstanceConfig config = getAutoInstanceConfigs(VIEW_XML);
-    List<String> permissions = config.getPermissions();
-    assertEquals(2, permissions.size());
-    assertTrue(permissions.contains("ALL.CLUSTER.OPERATOR"));
-    assertTrue(permissions.contains("ALL.CLUSTER.USER"));
+    Collection<String> roles = config.getRoles();
+    assertEquals(2, roles.size());
+    assertTrue(roles.contains("CLUSTER.OPERATOR"));
+    assertTrue(roles.contains("CLUSTER.USER"));
   }
 
-  public static AutoInstanceConfig getAutoInstanceConfigs(String xml) throws JAXBException {
+  private static AutoInstanceConfig getAutoInstanceConfigs(String xml) throws JAXBException {
     ViewConfig config = ViewConfigTest.getConfig(xml);
     return config.getAutoInstance();
   }
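Review bot: shouldParseClusterInheritedPermissions keeps its old name although it now asserts on `config.getRoles()`; renaming it to `shouldParseClusterInheritedRoles` would match what it checks. The fixture in the previous hunk pads the values (`<role>CLUSTER.OPERATOR </role><role> CLUSTER.USER</role>`) while the assertions expect the trimmed names, so trimming is only tested implicitly; a comment such as `// role names are padded on purpose: parsing must trim them` above the assertions would keep that intent visible. Nothing here covers a view.xml that still uses the removed `<permissions>` element, so whether such a file is rejected, ignored or mapped to roles is not pinned; since the element presumably decides which cluster roles are granted access to the auto-created view instance, one extra test for the legacy form looks worthwhile.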

