From: rlevas@apache.org To: commits@ambari.apache.org Date: Fri, 21 Oct 2016 20:02:00 -0000 Message-Id: <04bfa8ca1be54d2daa3f667ddf035571@git.apache.org> In-Reply-To: References: X-Mailer: ASF-Git Admin Mailer Subject: [4/4] ambari git commit: AMBARI-18365. Authorizations given to roles, should use generic role-based principals rather than hard-coded pseudo-role-based principals (rlevas) archived-at: Fri, 21 Oct 2016 20:02:00 -0000 AMBARI-18365. Authorizations given to roles, should use generic role-based principals rather than hard-coded pseudo-role-based principals (rlevas) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/176c691e Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/176c691e Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/176c691e Branch: refs/heads/trunk Commit: 176c691eaed6dbf639617f6208f7fb117597c1ce Parents: b90b286 Author: Robert Levas Authored: Fri Oct 21 16:01:44 2016 -0400 Committer: Robert Levas Committed: Fri Oct 21 16:01:44 2016 -0400 ---------------------------------------------------------------------- .../controllers/ambariViews/ViewsEditCtrl.js | 16 +- .../ui/admin-web/app/scripts/i18n.config.js | 10 +- .../app/scripts/services/PermissionLoader.js | 11 +- .../app/scripts/services/PermissionsSaver.js | 8 +- .../ui/admin-web/app/scripts/services/View.js | 12 +- .../admin-web/app/views/ambariViews/edit.html | 4 +- .../test/unit/services/PermissionSaver_test.js | 16 +- ...ClusterPrivilegeChangeRequestAuditEvent.java | 21 +- .../ViewPrivilegeChangeRequestAuditEvent.java | 18 +- .../eventcreator/PrivilegeEventCreator.java | 4 +- .../eventcreator/ViewPrivilegeEventCreator.java | 4 +- .../ambari/server/controller/AmbariServer.java | 2 +- .../AmbariPrivilegeResourceProvider.java | 9 +- .../ClusterPrivilegeResourceProvider.java | 3 +- .../GroupPrivilegeResourceProvider.java | 18 +- .../internal/PrivilegeResourceProvider.java | 114 +++++++--- 
.../internal/UserPrivilegeResourceProvider.java | 49 ++--- .../internal/ViewPrivilegeResourceProvider.java | 8 +- .../ambari/server/orm/dao/PermissionDAO.java | 35 ++- .../ambari/server/orm/dao/PrincipalDAO.java | 13 +- .../ambari/server/orm/dao/PrincipalTypeDAO.java | 29 ++- .../server/orm/entities/PermissionEntity.java | 6 + .../orm/entities/PrincipalTypeEntity.java | 17 +- .../authorization/AuthorizationHelper.java | 56 +---- .../ClusterInheritedPermissionHelper.java | 213 ------------------- .../server/security/authorization/Users.java | 145 +++++++++++-- .../server/upgrade/UpgradeCatalog242.java | 100 +++++++++ .../apache/ambari/server/view/ViewRegistry.java | 75 +++---- .../view/configuration/AutoInstanceConfig.java | 43 ++-- .../main/resources/Ambari-DDL-Derby-CREATE.sql | 10 - .../main/resources/Ambari-DDL-MySQL-CREATE.sql | 5 - .../main/resources/Ambari-DDL-Oracle-CREATE.sql | 10 - .../resources/Ambari-DDL-Postgres-CREATE.sql | 5 - .../resources/Ambari-DDL-SQLAnywhere-CREATE.sql | 10 - .../resources/Ambari-DDL-SQLServer-CREATE.sql | 5 - .../AbstractPrivilegeResourceProviderTest.java | 38 ++++ .../AmbariPrivilegeResourceProviderTest.java | 21 +- .../ClusterPrivilegeResourceProviderTest.java | 8 - .../GroupPrivilegeResourceProviderTest.java | 67 +++--- .../UserPrivilegeResourceProviderTest.java | 113 ++++++---- .../ViewPrivilegeResourceProviderTest.java | 5 +- .../authorization/AuthorizationHelperTest.java | 66 ------ .../server/upgrade/UpgradeCatalog242Test.java | 134 +++++++++++- .../configuration/AutoInstanceConfigTest.java | 17 +- 44 files changed, 857 insertions(+), 716 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js ---------------------------------------------------------------------- 
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js index bd74b16..834efdb 100644 --- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js +++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js @@ -23,7 +23,7 @@ angular.module('ambariAdminConsole') $scope.identity = angular.identity; $scope.isConfigurationEmpty = true; $scope.isSettingsEmpty = true; - $scope.clusterInheritedPermissionKeys = View.clusterInheritedPermissionKeys; + $scope.permissionRoles = View.permissionRoles; $scope.constants = { instance: $t('views.instance'), props: $t('views.properties'), @@ -352,7 +352,7 @@ angular.module('ambariAdminConsole') data.ViewInstanceInfo.properties[element.name] = $scope.configuration[element.name]; } }); - $scope.clearClusterInheritedPermissions(); + $scope.removeAllRolePermissions(); } @@ -417,9 +417,9 @@ angular.module('ambariAdminConsole') }); }; - $scope.clearClusterInheritedPermissions = function() { - angular.forEach(View.clusterInheritedPermissionKeys, function(key) { - $scope.permissionsEdit["VIEW.USER"][key] = false; + $scope.removeAllRolePermissions = function() { + angular.forEach(View.permissionRoles, function(key) { + $scope.permissionsEdit["VIEW.USER"]["ROLE"][key] = false; }) }; 
@@ -510,11 +510,9 @@ angular.module('ambariAdminConsole') }; function setAllViewRoles(value) { - var viewRoles = $scope.permissionsEdit["VIEW.USER"]; + var viewRoles = $scope.permissionsEdit["VIEW.USER"]["ROLE"]; for (var role in viewRoles) { - if ($scope.clusterInheritedPermissionKeys.indexOf(role) !== -1) { - viewRoles[role] = value; - } + $scope.permissionsEdit["VIEW.USER"]["ROLE"][role] = value; } } }]); http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js ---------------------------------------------------------------------- diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js index af22d7f..cd9b922 100644 --- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js +++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js @@ -234,11 +234,11 @@ angular.module('ambariAdminConsole') 'clusterPermissions': { 'label': 'Local Cluster Permissions', - 'allclusteradministrator': 'Cluster Administrator', - 'allclusteroperator': 'Cluster Operator', - 'allclusteruser': 'Cluster User', - 'allserviceadministrator': 'Service Administrator', - 'allserviceoperator': 'Service Operator', + 'clusteradministrator': 'Cluster Administrator', + 'clusteroperator': 'Cluster Operator', + 'clusteruser': 'Cluster User', + 'serviceadministrator': 'Service Administrator', + 'serviceoperator': 'Service Operator', 'infoMessage': 'Grant Use permission for the following {{cluster}} Roles:', 'nonLocalClusterMessage': 'The ability to inherit view Use permission based on Cluster Roles is only available when using a Local Cluster configuration.' }, http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js ---------------------------------------------------------------------- 
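Review bot: In `setAllViewRoles` the new loop body re-walks `$scope.permissionsEdit["VIEW.USER"]["ROLE"]` on every iteration although the same object was aliased as `viewRoles` on the line just above; `viewRoles[role] = value;` is shorter and removes a second copy of the path literal that must be kept in sync with the alias. The `for (var role in viewRoles)` loop also now assigns every enumerable key of the ROLE object instead of filtering against a known role list as the removed lines did; that is presumably fine because `PermissionLoader` builds ROLE as a plain object keyed by `View.permissionRoles`, but an explicit `if (!viewRoles.hasOwnProperty(role)) continue;` would document that assumption.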
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js index 988986b..9cc04e4 100644 --- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js +++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js @@ -28,8 +28,9 @@ angular.module('ambariAdminConsole') angular.forEach(permissions, function(permission) { permission.GROUP = []; permission.USER = []; - angular.forEach(View.clusterInheritedPermissionKeys, function(key) { - permission[key] = false; + permission.ROLE = {}; + angular.forEach(View.permissionRoles, function(key) { + permission.ROLE[key] = false; }); permissionsInner[permission.PermissionInfo.permission_name] = permission; }); @@ -37,10 +38,10 @@ angular.module('ambariAdminConsole') // Now we can get privileges resource.getPrivileges(params).then(function(privileges) { angular.forEach(privileges, function(privilege) { - if(!privilege.PrivilegeInfo.principal_type.startsWith("ALL.")) { - permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type].push(privilege.PrivilegeInfo.principal_name); + if(privilege.PrivilegeInfo.principal_type == "ROLE") { + permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type][privilege.PrivilegeInfo.principal_name] = true; } else { - permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type] = true; + permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type].push(privilege.PrivilegeInfo.principal_name); } }); http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js ---------------------------------------------------------------------- 
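Review bot: The new branch in the privileges loop compares `principal_type == "ROLE"` with loose equality and, in the `else` branch, calls `.push` on `permissionsInner[...][principal_type]` for every other principal type; only `USER`, `GROUP` and `ROLE` are pre-created on each permission earlier in this file, so a privilege carrying any other type would throw inside the `forEach` and abort loading of all permissions. Use strict equality and index only the known collections, `if (principal_type === "ROLE") { ... } else if (principal_type === "USER" || principal_type === "GROUP") { ... }`, and skip (or log) anything else rather than dereferencing it. The Java hunks on this page reference only `USER_`, `GROUP_` and `ROLE_PRINCIPAL_TYPE_NAME` constants, so the guard costs nothing today and protects against a future type. The enclosing `then` callback continues outside the hunk.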
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js index c7b9295..c170235 100644 --- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js +++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js @@ -48,13 +48,13 @@ angular.module('ambariAdminConsole') } })); - angular.forEach(View.clusterInheritedPermissionKeys, function(key) { - if(permission[key] === true) { + angular.forEach(View.permissionRoles, function(key) { + if(permission.ROLE[key] === true) { arr.push({ 'PrivilegeInfo': { 'permission_name': 'VIEW.USER', - 'principal_name': '*', - 'principal_type': key + 'principal_name': key, + 'principal_type': 'ROLE' } }); } http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js ---------------------------------------------------------------------- diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js index 5bc0509..f549b29 100644 --- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js +++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js 
@@ -191,12 +191,12 @@ angular.module('ambariAdminConsole') self.versionsList = item.versions; } - View.clusterInheritedPermissionKeys = [ - "ALL.CLUSTER.ADMINISTRATOR", - "ALL.CLUSTER.OPERATOR", - "ALL.SERVICE.OPERATOR", - "ALL.SERVICE.ADMINISTRATOR", - "ALL.CLUSTER.USER" + View.permissionRoles = [ + "CLUSTER.ADMINISTRATOR", + "CLUSTER.OPERATOR", + "SERVICE.OPERATOR", + "SERVICE.ADMINISTRATOR", + "CLUSTER.USER" ]; View.getInstance = function(viewName, version, instanceName) { http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html ---------------------------------------------------------------------- diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html b/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html index 69eb1c1..418c115 100644 --- a/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html +++ b/ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html @@ -287,10 +287,10 @@
-
+
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js ---------------------------------------------------------------------- diff --git a/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js b/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js index fa36d98..6c662f2 100644 --- a/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js +++ b/ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js @@ -178,11 +178,13 @@ describe('PermissionSaver Service', function () { 'PermissionInfo': { permission_name: 'VIEW.USER' }, - 'ALL.CLUSTER.ADMINISTRATOR': true, - 'ALL.CLUSTER.OPERATOR': false, - 'ALL.SERVICE.OPERATOR': false, - 'ALL.SERVICE.ADMINISTRATOR': false, - 'ALL.CLUSTER.USER': false, + 'ROLE': { + 'CLUSTER.ADMINISTRATOR': true, + 'CLUSTER.OPERATOR': false, + 'SERVICE.OPERATOR': false, + 'SERVICE.ADMINISTRATOR': false, + 'CLUSTER.USER': false + }, 'USER': ['u0', 'u1', 'g0'], 'GROUP': ['g0', 'g1', 'u0'] } @@ -233,8 +235,8 @@ describe('PermissionSaver Service', function () { { PrivilegeInfo: { permission_name: 'VIEW.USER', - principal_name: '*', - principal_type: 'ALL.CLUSTER.ADMINISTRATOR' + principal_name: 'CLUSTER.ADMINISTRATOR', + principal_type: 'ROLE' } } ]; http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java index b28bb2a..29fb7b4 100644 
--- a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java @@ -18,11 +18,9 @@ package org.apache.ambari.server.audit.event.request; -import java.util.HashSet; import java.util.LinkedList; import java.util.List; import java.util.Map; -import java.util.Set; import java.util.SortedSet; import java.util.TreeSet; @@ -47,10 +45,16 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent { /** * Roles for groups - * groupname -> list fo roles + * group name -> list of roles */ private Map> groups; + /** + * Roles for roles + * role name -> list of roles + */ + private Map> roles; + public ClusterPrivilegeChangeRequestAuditEventBuilder() { super.withOperation("Role change"); } @@ -72,9 +76,10 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent { SortedSet roleSet = new TreeSet(); roleSet.addAll(users.keySet()); roleSet.addAll(groups.keySet()); + roleSet.addAll(roles.keySet()); builder.append(", Roles("); - if (!users.isEmpty() || !groups.isEmpty()) { + if (!users.isEmpty() || !groups.isEmpty()|| !roles.isEmpty()) { builder.append(System.lineSeparator()); } @@ -88,6 +93,9 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent { if (groups.get(role) != null && !groups.get(role).isEmpty()) { lines.add(" Groups: " + StringUtils.join(groups.get(role), ", ")); } + if (roles.get(role) != null && !roles.get(role).isEmpty()) { + lines.add(" Roles: " + StringUtils.join(roles.get(role), ", ")); + } } builder.append(StringUtils.join(lines, System.lineSeparator())); 
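Review bot: `roles` is a new builder field with no default, yet this hunk dereferences it unconditionally (`roleSet.addAll(roles.keySet())`, `!roles.isEmpty()`) and the next hunk adds `roles.get(role)`; any builder user that is not updated to call `withRoles(...)` will throw a NullPointerException while the audit message is composed, and whether that aborts the request or merely loses the audit record of a privilege change depends on the caller, which is outside the hunk. Initialise the field instead, `private Map<String, List<String>> roles = Collections.emptyMap();` (adding the `java.util.Collections` import), or null-check the three dereferences. The same unconditional dereference of a defaultless `roles` field is introduced in `ViewPrivilegeChangeRequestAuditEvent` further down this page. Minor: `!groups.isEmpty()|| !roles.isEmpty()` is missing the space before `||`.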
@@ -104,6 +112,11 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent { this.groups = groups; return this; } + + public ClusterPrivilegeChangeRequestAuditEventBuilder withRoles(Map> roles) { + this.roles = roles; + return this; + } } protected ClusterPrivilegeChangeRequestAuditEvent() { http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java index 11c558c..73c1aa6 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java @@ -18,11 +18,9 @@ package org.apache.ambari.server.audit.event.request; -import java.util.HashSet; import java.util.LinkedList; import java.util.List; import java.util.Map; -import java.util.Set; import java.util.SortedSet; import java.util.TreeSet; @@ -50,6 +48,11 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent { private Map> groups; /** + * Roles with their roles + */ + private Map> roles; + + /** * View name */ private String name; @@ -94,9 +97,10 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent { SortedSet roleSet = new TreeSet(); roleSet.addAll(users.keySet()); roleSet.addAll(groups.keySet()); + roleSet.addAll(roles.keySet()); builder.append(", Permissions("); - if (!users.isEmpty() || !groups.isEmpty()) { + if (!users.isEmpty() || !groups.isEmpty() || !roles.isEmpty()) { builder.append(System.lineSeparator()); } 
@@ -110,6 +114,9 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent { if (groups.get(role) != null && !groups.get(role).isEmpty()) { lines.add(" Groups: " + StringUtils.join(groups.get(role), ", ")); } + if (roles.get(role) != null && !roles.get(role).isEmpty()) { + lines.add(" Roles: " + StringUtils.join(roles.get(role), ", ")); + } } builder.append(StringUtils.join(lines, System.lineSeparator())); @@ -141,6 +148,11 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent { this.groups = groups; return this; } + + public ViewPrivilegeChangeRequestAuditEventBuilder withRoles(Map> roles) { + this.roles = roles; + return this; + } } protected ViewPrivilegeChangeRequestAuditEvent() { http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java index 5c476c6..a7be8e1 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java @@ -33,8 +33,6 @@ import org.apache.ambari.server.audit.event.request.PrivilegeChangeRequestAuditE import org.apache.ambari.server.controller.internal.PrivilegeResourceProvider; import org.apache.ambari.server.controller.spi.Resource; import org.apache.ambari.server.orm.entities.PrincipalTypeEntity; -import org.springframework.security.core.context.SecurityContextHolder; -import org.springframework.security.core.userdetails.User; import com.google.common.collect.ImmutableSet; import com.google.common.collect.Iterables; 
@@ -88,6 +86,7 @@ public class PrivilegeEventCreator implements RequestAuditEventCreator { Map> users = getEntities(request, PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME); Map> groups = getEntities(request, PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME); + Map> roles = getEntities(request, PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME); switch (request.getRequestType()) { case PUT: @@ -99,6 +98,7 @@ public class PrivilegeEventCreator implements RequestAuditEventCreator { .withRemoteIp(request.getRemoteAddress()) .withUsers(users) .withGroups(groups) + .withRoles(roles) .build(); case POST: String role = users.isEmpty() ? Iterables.getFirst(groups.keySet(), null) : Iterables.getFirst(users.keySet(), null); http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java index 56d35c0..47983ff 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java @@ -32,8 +32,6 @@ import org.apache.ambari.server.audit.event.request.ViewPrivilegeChangeRequestAu import org.apache.ambari.server.controller.internal.ViewPrivilegeResourceProvider; import org.apache.ambari.server.controller.spi.Resource; import org.apache.ambari.server.orm.entities.PrincipalTypeEntity; -import org.springframework.security.core.context.SecurityContextHolder; -import org.springframework.security.core.userdetails.User; import com.google.common.collect.ImmutableSet; 
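Review bot: The `POST` branch at the end of this hunk still derives the audited role from `users` and then `groups` only (`String role = users.isEmpty() ? Iterables.getFirst(groups.keySet(), null) : Iterables.getFirst(users.keySet(), null);`), so a POST that grants a privilege solely to a `ROLE` principal — the case this commit introduces — would receive a null `role` even though `roles` is computed a few lines above. Extend the fallback so `roles` is consulted when both `users` and `groups` are empty, for example `String role = !users.isEmpty() ? Iterables.getFirst(users.keySet(), null) : !groups.isEmpty() ? Iterables.getFirst(groups.keySet(), null) : Iterables.getFirst(roles.keySet(), null);`. The remainder of the POST case, and what it does with a null `role`, lies outside the hunk.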
@@ -87,6 +85,7 @@ public class ViewPrivilegeEventCreator implements RequestAuditEventCreator { Map> users = getEntities(request, PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME); Map> groups = getEntities(request, PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME); + Map> roles = getEntities(request, PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME); return ViewPrivilegeChangeRequestAuditEvent.builder() .withTimestamp(System.currentTimeMillis()) @@ -99,6 +98,7 @@ public class ViewPrivilegeEventCreator implements RequestAuditEventCreator { .withName(RequestAuditEventCreatorHelper.getProperty(request, ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID)) .withUsers(users) .withGroups(groups) + .withRoles(roles) .build(); } http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java index 56e2398..68ee67f 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 
@@ -876,7 +876,7 @@ public class AmbariServer { injector.getInstance(GroupDAO.class), injector.getInstance(PrincipalDAO.class), injector.getInstance(PermissionDAO.class), injector.getInstance(ResourceDAO.class)); UserPrivilegeResourceProvider.init(injector.getInstance(UserDAO.class), injector.getInstance(ClusterDAO.class), - injector.getInstance(GroupDAO.class), injector.getInstance(ViewInstanceDAO.class), injector.getInstance(PrivilegeDAO.class)); + injector.getInstance(GroupDAO.class), injector.getInstance(ViewInstanceDAO.class), injector.getInstance(Users.class)); ClusterPrivilegeResourceProvider.init(injector.getInstance(ClusterDAO.class)); AmbariPrivilegeResourceProvider.init(injector.getInstance(ClusterDAO.class)); ActionManager.setTopologyManager(injector.getInstance(TopologyManager.class)); http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java index e5c95cb..bd17b6a 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java @@ -1,4 +1,4 @@ -/** +/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information 
@@ -22,6 +22,7 @@ import org.apache.ambari.server.controller.spi.Resource; import org.apache.ambari.server.orm.dao.ClusterDAO; import org.apache.ambari.server.orm.entities.ClusterEntity; import org.apache.ambari.server.orm.entities.GroupEntity; +import org.apache.ambari.server.orm.entities.PermissionEntity; import org.apache.ambari.server.orm.entities.PrivilegeEntity; import org.apache.ambari.server.orm.entities.ResourceEntity; import org.apache.ambari.server.orm.entities.ResourceTypeEntity; @@ -148,8 +149,10 @@ public class AmbariPrivilegeResourceProvider extends PrivilegeResourceProvider userEntities, Map groupEntities, - Map resourceEntities, Set requestedIds) { - Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds); + Map roleEntities, + Map resourceEntities, + Set requestedIds) { + Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds); if (resource != null) { ResourceEntity resourceEntity = privilegeEntity.getResource(); ResourceTypeEntity type = resourceEntity.getResourceType(); http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java index 8f37764..fb7bff3 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java 
@@ -147,10 +147,11 @@ public class ClusterPrivilegeResourceProvider extends PrivilegeResourceProvider< protected Resource toResource(PrivilegeEntity privilegeEntity, Map userEntities, Map groupEntities, + Map roleEntities, Map resourceEntities, Set requestedIds) { - Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds); + Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds); if (resource != null) { ClusterEntity clusterEntity = resourceEntities.get(privilegeEntity.getResource().getId()); setResourceProperty(resource, PRIVILEGE_CLUSTER_NAME_PROPERTY_ID, clusterEntity.getClusterName(), requestedIds); http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java index 94d1cad..4b71b47 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java @@ -28,7 +28,6 @@ import org.apache.ambari.server.controller.spi.SystemException; import org.apache.ambari.server.controller.spi.UnsupportedPropertyException; import org.apache.ambari.server.orm.dao.ClusterDAO; import org.apache.ambari.server.orm.dao.GroupDAO; -import org.apache.ambari.server.orm.dao.PrivilegeDAO; import org.apache.ambari.server.orm.dao.ViewInstanceDAO; import org.apache.ambari.server.orm.entities.ClusterEntity; import org.apache.ambari.server.orm.entities.GroupEntity; 
@@ -38,6 +37,7 @@ import org.apache.ambari.server.orm.entities.ViewEntity; import org.apache.ambari.server.orm.entities.ViewInstanceEntity; import org.apache.ambari.server.security.authorization.*; +import java.util.Collection; import java.util.EnumSet; import java.util.HashMap; import java.util.HashSet; @@ -81,10 +81,10 @@ public class GroupPrivilegeResourceProvider extends ReadOnlyResourceProvider { protected static ViewInstanceDAO viewInstanceDAO; /** - * Data access object used to obtain privilege entities. + * Users (helper) object used to obtain privilege entities. */ @Inject - protected static PrivilegeDAO privilegeDAO; + protected static Users users; /** * The property ids for a privilege resource. @@ -110,14 +110,14 @@ public class GroupPrivilegeResourceProvider extends ReadOnlyResourceProvider { * @param clusterDAO the cluster data access object * @param groupDAO the group data access object * @param viewInstanceDAO the view instance data access object - * @param privilegeDAO + * @param users the users helper instance */ public static void init(ClusterDAO clusterDAO, GroupDAO groupDAO, - ViewInstanceDAO viewInstanceDAO, PrivilegeDAO privilegeDAO) { + ViewInstanceDAO viewInstanceDAO, Users users) { GroupPrivilegeResourceProvider.clusterDAO = clusterDAO; GroupPrivilegeResourceProvider.groupDAO = groupDAO; GroupPrivilegeResourceProvider.viewInstanceDAO = viewInstanceDAO; - GroupPrivilegeResourceProvider.privilegeDAO = privilegeDAO; + GroupPrivilegeResourceProvider.users = users; } @SuppressWarnings("serial") 
@@ -180,11 +180,7 @@ public class GroupPrivilegeResourceProvider extends ReadOnlyResourceProvider { throw new SystemException("Group " + groupName + " was not found"); } - final Set privileges = groupEntity.getPrincipal().getPrivileges(); - - Set allViewPrivilegesWithClusterPermission = - ClusterInheritedPermissionHelper.getViewPrivilegesWithClusterPermission(viewInstanceDAO, privilegeDAO, privileges); - privileges.addAll(allViewPrivilegesWithClusterPermission); + final Collection privileges = users.getGroupPrivileges(groupEntity); for (PrivilegeEntity privilegeEntity : privileges) { resources.add(toResource(privilegeEntity, groupName, requestedIds)); http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java index 34111df..07b98bd 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java @@ -1,4 +1,4 @@ -/** +/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information 
@@ -51,7 +51,7 @@ import org.apache.ambari.server.orm.entities.PrincipalTypeEntity; import org.apache.ambari.server.orm.entities.PrivilegeEntity; import org.apache.ambari.server.orm.entities.ResourceEntity; import org.apache.ambari.server.orm.entities.UserEntity; -import org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper; +import org.apache.commons.lang.StringUtils; /** * Abstract resource provider for privilege resources. 
@@ -195,35 +195,58 @@ public abstract class PrivilegeResourceProvider extends AbstractAuthorizedRes resourceIds.addAll(resourceEntities.keySet()); - Set entitySet = new HashSet(); - List principalList = new LinkedList(); + Set entitySet = new HashSet(); + List userPrincipals = new LinkedList(); + List groupPrincipals = new LinkedList(); + List rolePrincipals = new LinkedList(); List entities = privilegeDAO.findAll(); for(PrivilegeEntity privilegeEntity : entities){ if (resourceIds.contains(privilegeEntity.getResource().getId())) { PrincipalEntity principal = privilegeEntity.getPrincipal(); + String principalType = principal.getPrincipalType().getName(); + entitySet.add(privilegeEntity); - principalList.add(principal); + + if(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME.equals(principalType)) { + userPrincipals.add(principal); + } + else if(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME.equals(principalType)) { + groupPrincipals.add(principal); + } + else if(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME.equals(principalType)) { + rolePrincipals.add(principal); + } } } Map userEntities = new HashMap(); - List userList = userDAO.findUsersByPrincipal(principalList); - - for (UserEntity userEntity : userList) { - userEntities.put(userEntity.getPrincipal().getId(), userEntity); + if(!userPrincipals.isEmpty()) { + List userList = userDAO.findUsersByPrincipal(userPrincipals); + for (UserEntity userEntity : userList) { + userEntities.put(userEntity.getPrincipal().getId(), userEntity); + } } Map groupEntities = new HashMap(); - List groupList = groupDAO.findGroupsByPrincipal(principalList); + if(!groupPrincipals.isEmpty()) { + List groupList = groupDAO.findGroupsByPrincipal(groupPrincipals); + for (GroupEntity groupEntity : groupList) { + groupEntities.put(groupEntity.getPrincipal().getId(), groupEntity); + } + } - for (GroupEntity groupEntity : groupList) { - groupEntities.put(groupEntity.getPrincipal().getId(), groupEntity); + Map roleEntities = new HashMap(); + if 
(!rolePrincipals.isEmpty()){ + List roleList = permissionDAO.findPermissionsByPrincipal(rolePrincipals); + for (PermissionEntity roleEntity : roleList) { + roleEntities.put(roleEntity.getPrincipal().getId(), roleEntity); + } } for(PrivilegeEntity privilegeEntity : entitySet){ - Resource resource = toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds); + Resource resource = toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds); if (resource != null && (predicate == null || predicate.evaluate(resource))) { resources.add(resource); } @@ -281,6 +304,7 @@ public abstract class PrivilegeResourceProvider extends AbstractAuthorizedRes * @param privilegeEntity the privilege entity to be converted * @param userEntities the map of user entities keyed by resource id * @param groupEntities the map of group entities keyed by resource id + * @param roleEntities the map of role entities keyed by resource id * @param resourceEntities the map of resource entities keyed by resource id * @param requestedIds the requested property ids * 
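Review bot: The principal-type dispatch in the privilege loop uses case-sensitive `equals` (`PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME.equals(principalType)` and the two branches below it) while `toResource` and `createPrivilegeEntity` in the same file match the same names with `StringUtils.equalsIgnoreCase`; a type name stored with different case would be added to `entitySet` but never resolved to a user, group or role, and the resource would be emitted with a null principal name. Using `StringUtils.equalsIgnoreCase` in all three places, or adding `// principal type names are stored upper-case` next to the comparisons if that is guaranteed, would make the file consistent. `principal.getPrincipalType().getName()` is also dereferenced unguarded here, whereas `toResource` below null-checks both the principal and its type before reading the name. The enclosing getResources method starts before this hunk.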
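Review bot: `@param roleEntities the map of role entities keyed by resource id` is wrong: the map built in getResources is populated with `roleEntities.put(roleEntity.getPrincipal().getId(), roleEntity)`, i.e. keyed by principal id, and the lookup in toResource is `roleEntities.get(principalId)`. The pre-existing `@param userEntities` and `@param groupEntities` lines carry the same mistake, so all three should read `keyed by principal id`.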
@@ -289,29 +313,48 @@ public abstract class PrivilegeResourceProvider extends AbstractAuthorizedRes protected Resource toResource(PrivilegeEntity privilegeEntity, Map userEntities, Map groupEntities, + Map roleEntities, Map resourceEntities, Set requestedIds) { Resource resource = new ResourceImpl(resourceType); - setResourceProperty(resource, PRIVILEGE_ID_PROPERTY_ID, - privilegeEntity.getId(), requestedIds); - setResourceProperty(resource, PERMISSION_NAME_PROPERTY_ID, - privilegeEntity.getPermission().getPermissionName(), requestedIds); - setResourceProperty(resource, PERMISSION_LABEL_PROPERTY_ID, - privilegeEntity.getPermission().getPermissionLabel(), requestedIds); - - PrincipalEntity principal = privilegeEntity.getPrincipal(); - Long principalId = principal.getId(); - - if (userEntities.containsKey(principalId)) { - UserEntity userEntity = userEntities.get(principalId); - setResourceProperty(resource, PRINCIPAL_NAME_PROPERTY_ID, userEntity.getUserName(), requestedIds); - } else if (groupEntities.containsKey(principalId)){ - GroupEntity groupEntity = groupEntities.get(principalId); - setResourceProperty(resource, PRINCIPAL_NAME_PROPERTY_ID, groupEntity.getGroupName(), requestedIds); + PrincipalEntity principal = privilegeEntity.getPrincipal(); + String principalTypeName = null; + String resourcePropertyName = null; + + if(principal != null) { + PrincipalTypeEntity principalType = principal.getPrincipalType(); + + if (principalType != null) { + Long principalId = principal.getId(); + + principalTypeName = principalType.getName(); + + if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME, principalTypeName)) { + GroupEntity groupEntity = groupEntities.get(principalId); + if (groupEntity != null) { + resourcePropertyName = groupEntity.getGroupName(); + } + } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME, principalTypeName)) { + PermissionEntity roleEntity = roleEntities.get(principalId); + if 
(roleEntity != null) { + resourcePropertyName = roleEntity.getPermissionName(); + } + } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME, principalTypeName)) { + UserEntity userEntity = userEntities.get(principalId); + if (userEntity != null) { + resourcePropertyName = userEntity.getUserName(); + } + } + } } - setResourceProperty(resource, PRINCIPAL_TYPE_PROPERTY_ID, principal.getPrincipalType().getName(), requestedIds); + setResourceProperty(resource, PRIVILEGE_ID_PROPERTY_ID, privilegeEntity.getId(), requestedIds); + setResourceProperty(resource, PERMISSION_NAME_PROPERTY_ID, privilegeEntity.getPermission().getPermissionName(), requestedIds); + setResourceProperty(resource, PERMISSION_LABEL_PROPERTY_ID, privilegeEntity.getPermission().getPermissionLabel(), requestedIds); + setResourceProperty(resource, PRINCIPAL_NAME_PROPERTY_ID, resourcePropertyName, requestedIds); + setResourceProperty(resource, PRINCIPAL_TYPE_PROPERTY_ID, principalTypeName, requestedIds); + return resource; } 
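Review bot: `resourcePropertyName` in the new toResource body holds the resolved principal name (a user name, group name or permission name), not the name of a resource property, so `principalName` would read better at the three assignments and in `setResourceProperty(resource, PRINCIPAL_NAME_PROPERTY_ID, resourcePropertyName, requestedIds)`. When the pre-fetched map has no entry for `principalId` the property is silently set to null; a short comment at the declaration such as `// stays null when the principal cannot be resolved from the pre-fetched maps` would mark that as intended rather than a missing check. The signature of toResource sits just above this hunk.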
@@ -339,18 +382,21 @@ public abstract class PrivilegeResourceProvider extends AbstractAuthorizedRes String principalName = (String) properties.get(PRINCIPAL_NAME_PROPERTY_ID); String principalType = (String) properties.get(PRINCIPAL_TYPE_PROPERTY_ID); - if (PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)) { + if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME, principalType)) { GroupEntity groupEntity = groupDAO.findGroupByName(principalName); if (groupEntity != null) { entity.setPrincipal(principalDAO.findById(groupEntity.getPrincipal().getId())); } - } else if (PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)) { + } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME, principalType)) { + PermissionEntity permissionEntity = permissionDAO.findByName(principalName); + if (permissionEntity != null) { + entity.setPrincipal(principalDAO.findById(permissionEntity.getPrincipal().getId())); + } + } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME, principalType)) { UserEntity userEntity = userDAO.findUserByName(principalName); if (userEntity != null) { entity.setPrincipal(principalDAO.findById(userEntity.getPrincipal().getId())); } - } else if (ClusterInheritedPermissionHelper.isValidPrincipalType(principalType)) { - entity.setPrincipal(principalDAO.findByPrincipalType(principalType).get(0)); // There will be only one principal for that type } else { throw new AmbariException("Unknown principal type " + principalType); } http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java ---------------------------------------------------------------------- 
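Review bot: The new ROLE branch calls `permissionDAO.findByName(principalName)` with the caller-supplied name and silently leaves `entity` without a principal when nothing matches, mirroring the existing user and group branches; only an unrecognized type throws. If callers do not check `entity.getPrincipal() == null` afterwards, a privilege with no principal could be persisted, so either throw here (`throw new AmbariException("Principal " + principalName + " of type " + principalType + " was not found");`) or document in the method Javadoc that the returned entity may have no principal. The lookup is exact-match on `permissionName` (JPQL `=` in `PermissionEntity.findByName`) while the type comparison is case-insensitive, which deserves a comment if intentional. Granting a privilege to a ROLE principal presumably affects every user holding that role, so the authorization check guarding this path — not visible from this hunk — should treat it as an administrative operation. The enclosing method starts outside the hunk.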
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java index bdd73a6..009c38b 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java @@ -1,4 +1,4 @@ -/** +/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information @@ -17,8 +17,6 @@ */ package org.apache.ambari.server.controller.internal; -import com.google.common.base.Function; -import com.google.common.collect.FluentIterable; import org.apache.ambari.server.controller.spi.NoSuchParentResourceException; import org.apache.ambari.server.controller.spi.NoSuchResourceException; import org.apache.ambari.server.controller.spi.Predicate; 
@@ -28,26 +26,23 @@ import org.apache.ambari.server.controller.spi.SystemException; import org.apache.ambari.server.controller.spi.UnsupportedPropertyException; import org.apache.ambari.server.orm.dao.ClusterDAO; import org.apache.ambari.server.orm.dao.GroupDAO; -import org.apache.ambari.server.orm.dao.PrivilegeDAO; import org.apache.ambari.server.orm.dao.UserDAO; import org.apache.ambari.server.orm.dao.ViewInstanceDAO; import org.apache.ambari.server.orm.entities.ClusterEntity; import org.apache.ambari.server.orm.entities.GroupEntity; -import org.apache.ambari.server.orm.entities.MemberEntity; import org.apache.ambari.server.orm.entities.PrincipalTypeEntity; import org.apache.ambari.server.orm.entities.PrivilegeEntity; -import org.apache.ambari.server.orm.entities.ResourceEntity; import org.apache.ambari.server.orm.entities.UserEntity; import org.apache.ambari.server.orm.entities.ViewEntity; import org.apache.ambari.server.orm.entities.ViewInstanceEntity; import org.apache.ambari.server.security.authorization.AuthorizationException; import org.apache.ambari.server.security.authorization.AuthorizationHelper; -import org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper; import org.apache.ambari.server.security.authorization.ResourceType; import org.apache.ambari.server.security.authorization.RoleAuthorization; import org.apache.ambari.server.security.authorization.UserType; +import org.apache.ambari.server.security.authorization.Users; -import javax.annotation.Nullable; +import java.util.Collection; import java.util.EnumSet; import java.util.HashMap; import java.util.HashSet; 
@@ -59,17 +54,17 @@ import java.util.Set; */ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider { - protected static final String PRIVILEGE_PRIVILEGE_ID_PROPERTY_ID = PrivilegeResourceProvider.PRIVILEGE_ID_PROPERTY_ID; + protected static final String PRIVILEGE_PRIVILEGE_ID_PROPERTY_ID = PrivilegeResourceProvider.PRIVILEGE_ID_PROPERTY_ID; protected static final String PRIVILEGE_PERMISSION_NAME_PROPERTY_ID = PrivilegeResourceProvider.PERMISSION_NAME_PROPERTY_ID; protected static final String PRIVILEGE_PERMISSION_LABEL_PROPERTY_ID = PrivilegeResourceProvider.PERMISSION_LABEL_PROPERTY_ID; - protected static final String PRIVILEGE_PRINCIPAL_NAME_PROPERTY_ID = PrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID; - protected static final String PRIVILEGE_PRINCIPAL_TYPE_PROPERTY_ID = PrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID; - protected static final String PRIVILEGE_VIEW_NAME_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_NAME_PROPERTY_ID; - protected static final String PRIVILEGE_VIEW_VERSION_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_VERSION_PROPERTY_ID; - protected static final String PRIVILEGE_INSTANCE_NAME_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID; - protected static final String PRIVILEGE_CLUSTER_NAME_PROPERTY_ID = ClusterPrivilegeResourceProvider.PRIVILEGE_CLUSTER_NAME_PROPERTY_ID; - protected static final String PRIVILEGE_TYPE_PROPERTY_ID = AmbariPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID; - protected static final String PRIVILEGE_USER_NAME_PROPERTY_ID = "PrivilegeInfo/user_name"; + protected static final String PRIVILEGE_PRINCIPAL_NAME_PROPERTY_ID = PrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID; + protected static final String PRIVILEGE_PRINCIPAL_TYPE_PROPERTY_ID = PrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID; + protected static final String PRIVILEGE_VIEW_NAME_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_NAME_PROPERTY_ID; 
+ protected static final String PRIVILEGE_VIEW_VERSION_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_VERSION_PROPERTY_ID; + protected static final String PRIVILEGE_INSTANCE_NAME_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID; + protected static final String PRIVILEGE_CLUSTER_NAME_PROPERTY_ID = ClusterPrivilegeResourceProvider.PRIVILEGE_CLUSTER_NAME_PROPERTY_ID; + protected static final String PRIVILEGE_TYPE_PROPERTY_ID = AmbariPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID; + protected static final String PRIVILEGE_USER_NAME_PROPERTY_ID = "PrivilegeInfo/user_name"; /** * Data access object used to obtain user entities. @@ -92,9 +87,9 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider { protected static ViewInstanceDAO viewInstanceDAO; /** - * DAO used to obtain privilege entities. + * Helper to obtain privilege data for requested users */ - protected static PrivilegeDAO privilegeDAO; + private static Users users; /** * The property ids for a privilege resource. @@ -120,15 +115,15 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider { * @param clusterDAO the cluster data access object * @param groupDAO the group data access object * @param viewInstanceDAO the view instance data access object - * @param privilegeDAO + * @param users the Users helper object */ public static void init(UserDAO userDAO, ClusterDAO clusterDAO, GroupDAO groupDAO, - ViewInstanceDAO viewInstanceDAO, PrivilegeDAO privilegeDAO) { + ViewInstanceDAO viewInstanceDAO, Users users) { UserPrivilegeResourceProvider.userDAO = userDAO; UserPrivilegeResourceProvider.clusterDAO = clusterDAO; UserPrivilegeResourceProvider.groupDAO = groupDAO; UserPrivilegeResourceProvider.viewInstanceDAO = viewInstanceDAO; - UserPrivilegeResourceProvider.privilegeDAO = privilegeDAO; + UserPrivilegeResourceProvider.users = users; } @SuppressWarnings("serial") 
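Review bot: `private static Users users;` has no visible `@Inject` in this hunk, whereas the sibling change in GroupPrivilegeResourceProvider annotates its `users` field with `@Inject`; if injection is not used here the field depends entirely on `init(...)` being called, which is fine but should be stated in the Javadoc, e.g. `Helper used to obtain privilege data for the requested users; set via {@link #init}.` The Javadoc line `Helper to obtain privilege data for requested users` is also missing its terminal period, unlike the surrounding doc comments.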
@@ -199,15 +194,7 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider { throw new SystemException("User " + userName + " was not found"); } - final Set privileges = userEntity.getPrincipal().getPrivileges(); - - for (MemberEntity membership : userEntity.getMemberEntities()) { - privileges.addAll(membership.getGroup().getPrincipal().getPrivileges()); - } - - Set allViewPrivilegesWithClusterPermission = - ClusterInheritedPermissionHelper.getViewPrivilegesWithClusterPermission(viewInstanceDAO, privilegeDAO, privileges); - privileges.addAll(allViewPrivilegesWithClusterPermission); + final Collection privileges = users.getUserPrivileges(userEntity); for (PrivilegeEntity privilegeEntity : privileges) { resources.add(toResource(privilegeEntity, userName, requestedIds)); http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java index e5bd224..7182f4c 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java @@ -1,4 +1,4 @@ -/** +/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information 
@@ -191,8 +191,10 @@ public class ViewPrivilegeResourceProvider extends PrivilegeResourceProvider userEntities, Map groupEntities, - Map resourceEntities, Set requestedIds) { - Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds); + Map roleEntities, + Map resourceEntities, + Set requestedIds) { + Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds); if (resource != null) { ViewInstanceEntity viewInstanceEntity = resourceEntities.get(privilegeEntity.getResource().getId()); http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java index 88d9775..c844ab6 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java @@ -1,4 +1,4 @@ -/** +/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information @@ -18,6 +18,7 @@ package org.apache.ambari.server.orm.dao; +import java.util.Collections; import java.util.List; import javax.persistence.EntityManager; @@ -25,6 +26,7 @@ import javax.persistence.TypedQuery; import org.apache.ambari.server.orm.RequiresSession; import org.apache.ambari.server.orm.entities.PermissionEntity; +import org.apache.ambari.server.orm.entities.PrincipalEntity; import org.apache.ambari.server.orm.entities.ResourceTypeEntity; import com.google.inject.Inject; 
@@ -80,6 +82,37 @@ public class PermissionDAO { } /** + * Find a permission entity with the given name. + * + * @param name permission name + * + * @return a matching permission entity or null + */ + @RequiresSession + public PermissionEntity findByName(String name) { + TypedQuery query = entityManagerProvider.get().createNamedQuery("PermissionEntity.findByName", PermissionEntity.class); + query.setParameter("permissionName", name); + return daoUtils.selectSingle(query); + } + + /** + * Find the permission entities for the given list of principals + * + * @param principalList the list of principal entities + * + * @return the list of permissions (or roles) matching the query + */ + @RequiresSession + public List findPermissionsByPrincipal(List principalList) { + if (principalList == null || principalList.isEmpty()) { + return Collections.emptyList(); + } + TypedQuery query = entityManagerProvider.get().createNamedQuery("PermissionEntity.findByPrincipals", PermissionEntity.class); + query.setParameter("principalList", principalList); + return daoUtils.selectList(query); + } + + /** * Find all permission entities. * * @return all entities or an empty List http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java index efbdfab..45a1658 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java @@ -1,4 +1,4 @@ -/** +/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information 
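Review bot: `findByName` documents its result as `a matching permission entity or null`, but whether `daoUtils.selectSingle` returns null or throws when zero or several rows match is not visible here; since `PermissionEntity.findByName` filters on `permissionName` alone with no resource-type constraint, the Javadoc should state the uniqueness assumption, e.g. `Assumes permission names are unique across resource types.` The empty-list guard in `findPermissionsByPrincipal` is worth keeping because a JPQL `IN :principalList` bound to an empty collection is provider-dependent; a one-line `// an empty IN list is not portable across JPA providers` would explain why the guard exists. Both methods pass caller-supplied values only through `setParameter` on named queries, so there is no query-injection exposure in this hunk.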
@@ -121,4 +121,15 @@ public class PrincipalDAO { public PrincipalEntity merge(PrincipalEntity entity) { return entityManagerProvider.get().merge(entity); } + + /** + * Remove the entity instance. + * + * @param entity entity to remove + */ + @Transactional + public void remove(PrincipalEntity entity) { + entityManagerProvider.get().remove(entity); + } + } http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java index 7823d56..17628c6 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java @@ -1,4 +1,4 @@ -/** +/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information @@ -60,6 +60,20 @@ public class PrincipalTypeDAO { } /** + * Find a principal type entity with the given name. + * + * @param name principal type name + * + * @return a matching principal type entity or null + */ + @RequiresSession + public PrincipalTypeEntity findByName(String name) { + TypedQuery query = entityManagerProvider.get().createNamedQuery("PrincipalTypeEntity.findByName", PrincipalTypeEntity.class); + query.setParameter("name", name); + return daoUtils.selectSingle(query); + } + + /** * Find all principal types. * * @return all principal types or an empty List 
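Review bot: `remove(PrincipalEntity entity)` calls `EntityManager.remove` directly, which requires a managed instance and throws `IllegalArgumentException` for a detached one; the Javadoc `Remove the entity instance.` should say so, e.g. `@param entity the managed entity to remove; detached instances must be merged first`. Removing a principal that is still referenced by privilege rows will either fail or cascade depending on mappings not visible here, so a note on the expected caller ordering (delete the privileges first) would help. The same applies to the new `remove(PrincipalTypeEntity entity)` in PrincipalTypeDAO.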
@@ -86,6 +100,16 @@ public class PrincipalTypeDAO { } /** + * Remove the entity instance. + * + * @param entity entity to remove + */ + @Transactional + public void remove(PrincipalTypeEntity entity) { + entityManagerProvider.get().remove(entity); + } + + /** * Creates and returns principal type if it wasn't persisted yet. * * @param principalType id of principal type @@ -104,6 +128,9 @@ public class PrincipalTypeDAO { case PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE: principalTypeEntity.setName(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME); break; + case PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE: + principalTypeEntity.setName(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME); + break; default: throw new IllegalArgumentException("Unknown principal type ID=" + principalType); } http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java index f091bab..b6f1557 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java @@ -29,6 +29,8 @@ import javax.persistence.JoinColumns; import javax.persistence.JoinTable; import javax.persistence.ManyToMany; import javax.persistence.ManyToOne; +import javax.persistence.NamedQueries; +import javax.persistence.NamedQuery; import javax.persistence.OneToOne; import javax.persistence.Table; import javax.persistence.TableGenerator; 
@@ -44,6 +46,10 @@ import java.util.Collection; , pkColumnValue = "permission_id_seq" , initialValue = 100 ) +@NamedQueries({ + @NamedQuery(name = "PermissionEntity.findByName", query = "SELECT p FROM PermissionEntity p WHERE p.permissionName = :permissionName"), + @NamedQuery(name = "PermissionEntity.findByPrincipals", query = "SELECT p FROM PermissionEntity p WHERE p.principal IN :principalList") +}) public class PermissionEntity { /** http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java index 716d4f7..31e11e6 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java @@ -1,4 +1,4 @@ -/** +/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information @@ -30,6 +30,9 @@ import javax.persistence.*; , pkColumnValue = "principal_type_id_seq" , initialValue = 100 ) +@NamedQueries({ + @NamedQuery(name = "PrincipalTypeEntity.findByName", query = "SELECT p FROM PrincipalTypeEntity p WHERE p.name = :name") +}) public class PrincipalTypeEntity { /** 
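Review bot: The `PermissionEntity.findByPrincipals` query uses `IN :principalList`, which some JPA providers reject or translate to invalid SQL when the bound collection is empty; the DAO method added in the same commit guards against that, and a comment on the `@NamedQuery` such as `// callers must not bind an empty principalList (see PermissionDAO.findPermissionsByPrincipal)` would record the contract where the query is defined. `PermissionEntity.findByName` matches on `permissionName` only; if names are meant to be unique across resource types, saying so here avoids a later `selectSingle` surprise.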
@@ -37,19 +40,11 @@ public class PrincipalTypeEntity { */ public static final int USER_PRINCIPAL_TYPE = 1; public static final int GROUP_PRINCIPAL_TYPE = 2; - public static final int CLUSTER_ADMINISTRATOR_PRINCIPAL_TYPE = 3; - public static final int CLUSTER_OPERATOR_PRINCIPAL_TYPE = 4; - public static final int CLUSTER_USER_PRINCIPAL_TYPE = 5; - public static final int SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE = 6; - public static final int SERVICE_OPERATOR_PRINCIPAL_TYPE = 7; + public static final int ROLE_PRINCIPAL_TYPE = 8; public static final String USER_PRINCIPAL_TYPE_NAME = "USER"; public static final String GROUP_PRINCIPAL_TYPE_NAME = "GROUP"; - public static final String CLUSTER_ADMINISTRATOR_PRINCIPAL_TYPE_NAME = "ALL.CLUSTER.ADMINISTRATOR"; - public static final String CLUSTER_OPERATOR_PRINCIPAL_TYPE_NAME = "ALL.CLUSTER.OPERATOR"; - public static final String CLUSTER_USER_PRINCIPAL_TYPE_NAME = "ALL.CLUSTER.USER"; - public static final String SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE_NAME = "ALL.SERVICE.ADMINISTRATOR"; - public static final String SERVICE_OPERATOR_PRINCIPAL_TYPE_NAME = "ALL.SERVICE.OPERATOR"; + public static final String ROLE_PRINCIPAL_TYPE_NAME = "ROLE"; /** * The type id. http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java index 8639a2f..e875e8a 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java 
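Review bot: `ROLE_PRINCIPAL_TYPE = 8` leaves ids 3–7 unassigned after the five `ALL.*` pseudo-role types are deleted, and nothing says why; a comment such as `// 3..7 were the removed ALL.* pseudo-role principal types; 8 is kept so surviving rows stay distinguishable` would stop a future contributor from tidying it to 3. Existing principal-type rows that still carry the old ids or `ALL.*` names are presumably migrated by an upgrade catalog outside this diff; if not, those rows no longer match any constant and would reach the `default: throw new IllegalArgumentException("Unknown principal type ID=" ...)` branch in PrincipalTypeDAO. Stating the migration dependency next to the constants would make that coupling visible.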
@@ -17,9 +17,6 @@ */ package org.apache.ambari.server.security.authorization; -import com.google.common.base.Function; -import com.google.common.base.Predicate; -import com.google.common.collect.FluentIterable; import com.google.common.collect.Lists; import com.google.inject.Inject; import com.google.inject.Provider; @@ -30,7 +27,6 @@ import org.apache.ambari.server.orm.entities.PermissionEntity; import org.apache.ambari.server.orm.entities.PrivilegeEntity; import org.apache.ambari.server.orm.entities.ResourceEntity; import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity; -import org.apache.ambari.server.orm.entities.ViewInstanceEntity; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.security.core.Authentication; @@ -47,10 +43,10 @@ import java.util.HashSet; import java.util.List; import java.util.Set; -@Singleton /** * Provides utility methods for authentication functionality */ +@Singleton public class AuthorizationHelper { private final static Logger LOG = LoggerFactory.getLogger(AuthorizationHelper.class); 
@@ -230,56 +226,8 @@ public class AuthorizationHelper { } } - // Check if the resourceId is a view. - // Get all privileges for the resourceId and the principal associated for them should be of all cluster/service - // type. - // Now from the authorities check if the user privileges with CLUSTER/SERVICE type permission and has access to - // cluster resource with the permission. - // Then if the permission type matches the cluster/service type principal(names) then the user should have access - // to those views. - - if(resourceId == null) { - return false; - } - - ViewInstanceDAO viewInstanceDAO = viewInstanceDAOProvider.get(); - - ViewInstanceEntity instanceEntity = viewInstanceDAO.findByResourceId(resourceId); - if(instanceEntity == null || instanceEntity.getClusterHandle() == null) { - return false; - } - - PrivilegeDAO privilegeDAO = privilegeDAOProvider.get(); - - final Set privilegeNames = FluentIterable.from(privilegeDAO.findByResourceId(resourceId)) - .filter(ClusterInheritedPermissionHelper.privilegeWithClusterInheritedPermissionTypePredicate) - .transform(ClusterInheritedPermissionHelper.permissionNameFromClusterInheritedPrivilege) - .toSet(); - - return FluentIterable.from(authentication.getAuthorities()) - .filter(new Predicate() { - @Override - public boolean apply(GrantedAuthority grantedAuthority) { - AmbariGrantedAuthority authority = (AmbariGrantedAuthority) grantedAuthority; - PrivilegeEntity privilege = authority.getPrivilegeEntity(); - String resourceTypeName = privilege.getResource().getResourceType().getName(); - return ResourceType.translate(resourceTypeName) == ResourceType.CLUSTER; - } - }).transform(new Function() { - @Override - public PermissionEntity apply(GrantedAuthority grantedAuthority) { - AmbariGrantedAuthority authority = (AmbariGrantedAuthority) grantedAuthority; - PrivilegeEntity privilege = authority.getPrivilegeEntity(); - return privilege.getPermission(); - } - }).anyMatch(new Predicate() { - @Override - public boolean 
apply(PermissionEntity input) { - return privilegeNames.contains(input.getPermissionName()); - } - }); + return false; } - } /** http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java deleted file mode 100644 index 9922bb2..0000000 --- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java +++ /dev/null 
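Review bot: The method now ends in an unconditional `return false;` after the removed view/cluster inheritance block, and the explanatory comment describing how view access was derived from cluster permissions went with it; a one-line replacement such as `// no direct privilege matched; role-inherited privileges are presumably expanded before the authorities are built — confirm` would keep the intent readable. With this block gone, `viewInstanceDAOProvider` and `privilegeDAOProvider` have no remaining use within the hunk; if they are unused elsewhere in the class, their fields and the `ViewInstanceDAO`/`PrivilegeDAO` imports should be removed too, since this commit only drops the `ViewInstanceEntity` import. The enclosing method starts before the hunk.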
@@ -1,213 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.ambari.server.security.authorization;
-
-import com.google.common.base.Function;
-import com.google.common.base.Predicate;
-import com.google.common.collect.FluentIterable;
-import org.apache.ambari.server.orm.dao.PrivilegeDAO;
-import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
-import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
-import org.apache.ambari.server.orm.entities.PrivilegeEntity;
-import org.apache.ambari.server.orm.entities.ResourceEntity;
-import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
-
-import javax.annotation.Nullable;
-import java.util.Collection;
-import java.util.Set;
-
-
-/**
- * Helper class to take care of the cluster inherited permission for any view.
- */
-public class ClusterInheritedPermissionHelper {
-
- /**
- * Predicate which validates if the principalType passed is valid or not.
- */
- public static final Predicate validPrincipalTypePredicate = new Predicate() {
- @Override
- public boolean apply(String principalType) {
- return isValidPrincipalType(principalType);
- }
- };
-
- /**
- * Predicate which validates if the privilegeEntity has resourceEntity of type {@see ResourceType.CLUSTER}
- */
- public static final Predicate clusterPrivilegesPredicate = new Predicate() {
- @Override
- public boolean apply(PrivilegeEntity privilegeEntity) {
- String resourceTypeName = privilegeEntity.getResource().getResourceType().getName();
- return ResourceType.translate(resourceTypeName) == ResourceType.CLUSTER;
- }
- };
-
- /**
- * Predicate which validates if view instance entity is cluster associated
- */
- public static final Predicate clusterAssociatedViewInstancePredicate = new Predicate() {
- @Override
- public boolean apply(ViewInstanceEntity viewInstanceEntity) {
- return viewInstanceEntity.getClusterHandle() != null;
- }
- };
-
- /**
- * Predicate to validate if the privilege entity has a principal which has a cluster inherited principal type
- */
- public static final Predicate privilegeWithClusterInheritedPermissionTypePredicate = new Predicate() {
- @Override
- public boolean apply(PrivilegeEntity privilegeEntity) {
- String principalTypeName = privilegeEntity.getPrincipal().getPrincipalType().getName();
- return principalTypeName.startsWith("ALL.");
- }
- };
-
- /**
- * Mapper to return the Permission Name from the cluster inherited privilege name. Example: "ALL.CLUSTER.USER" becomes "CLUSTER.USER"
- */
- public static final Function permissionNameFromClusterInheritedPrivilege = new Function() {
- @Override
- public String apply(PrivilegeEntity input) {
- return input.getPrincipal().getPrincipalType().getName().substring(4);
- }
- };
-
- /**
- * Mapper to return resources from view instance entity.
- */
- public static final Function resourceFromViewInstanceMapper = new Function() {
- @Override
- public ResourceEntity apply(ViewInstanceEntity viewInstanceEntity) {
- return viewInstanceEntity.getResource();
- }
- };
-
- /**
- * Mapper to return all privileges from resource entity
- */
- public static final Function> allPrivilegesFromResoucesMapper = new Function>() {
- @Override
- public Iterable apply(ResourceEntity resourceEntity) {
- return resourceEntity.getPrivileges();
- }
- };
-
- /**
- * Mapper to return permission name from privilege
- */
- public static final Function permissionNameFromPrivilegeMapper = new Function() {
- @Override
- public String apply(PrivilegeEntity privilegeEntity) {
- return privilegeEntity.getPermission().getPermissionName();
- }
- };
-
- /**
- * Predicate to validate if the cluster inherited principal type for privilege entity is present in the valid permission type set passed
- * @param validSet - valid set of permission types
- * @return Predicate to check the condition
- */
- public static final Predicate principalTypeInSetFrom(final Collection validSet) {
- return new Predicate() {
- @Override
- public boolean apply(PrivilegeEntity privilegeEntity) {
- String permissionName = privilegeEntity.getPrincipal().getPrincipalType().getName().substring(4);
- return validSet.contains(permissionName);
- }
- };
- }
-
- /**
- * Predicate to filter out privileges which are already existing in the passed privileges set.
- * @param existingPrivileges - Privileges set to which the comparison will be made
- * @return Predicate to check the validation
- */
- public static Predicate removeIfExistingPrivilegePredicate(final Set existingPrivileges) {
- return new Predicate() {
- @Override
- public boolean apply(final PrivilegeEntity privilegeEntity) {
- return !FluentIterable.from(existingPrivileges).anyMatch(new com.google.common.base.Predicate() {
- @Override
- public boolean apply(PrivilegeEntity directPrivilegeEntity) {
- return directPrivilegeEntity.getResource().getId().equals(privilegeEntity.getResource().getId())
- && directPrivilegeEntity.getPermission().getId().equals(privilegeEntity.getPermission().getId());
- }
- });
- }
- };
- }
-
- /**
- * Validates if the principal type is valid for cluster inherited permissions.
- * @param principalType - Principal type
- * @return true if the principalType is in ("ALL.CLUSTER.ADMINISTRATOR", "ALL.CLUSTER.OPERATOR",
- * "ALL.CLUSTER.USER", "ALL.SERVICE.OPERATOR", "ALL.SERVICE.USER")
- */
- public static boolean isValidPrincipalType(String principalType) {
- return PrincipalTypeEntity.CLUSTER_ADMINISTRATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
- || PrincipalTypeEntity.CLUSTER_OPERATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
- || PrincipalTypeEntity.CLUSTER_USER_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
- || PrincipalTypeEntity.SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
- || PrincipalTypeEntity.SERVICE_OPERATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType);
- }
-
- /**
- * Returns the view privileges for which cluster permissions has been specified. This filters out all the privileges
- * which are related to view resources attached to a cluster and are configured to have cluster level permissions. Then
- * It checks if the user has cluster level permissions and further filters down the privilege list to the ones for which
- * the user should have privilege.
- * @param userDirectPrivileges - direct privileges for the user.
- * @return - Filtered list of privileges for view resource for which the user should have access.
- */
- public static Set getViewPrivilegesWithClusterPermission(final ViewInstanceDAO viewInstanceDAO, final PrivilegeDAO privilegeDAO,
- final Set userDirectPrivileges) {
-
- final Set clusterPrivileges = FluentIterable.from(userDirectPrivileges)
- .filter(ClusterInheritedPermissionHelper.clusterPrivilegesPredicate)
- .transform(ClusterInheritedPermissionHelper.permissionNameFromPrivilegeMapper)
- .toSet();
-
- Set resourceIds = FluentIterable.from(viewInstanceDAO.findAll())
- .filter(ClusterInheritedPermissionHelper.clusterAssociatedViewInstancePredicate)
- .transform(ClusterInheritedPermissionHelper.resourceFromViewInstanceMapper)
- .transform(new Function() {
- @Nullable
- @Override
- public Long apply(@Nullable ResourceEntity input) {
- return input.getId();
- }
- }).toSet();
-
- Set allPrivileges = FluentIterable.from(resourceIds)
- .transformAndConcat(new Function>() {
- @Nullable
- @Override
- public Iterable apply(@Nullable Long input) {
- return privilegeDAO.findByResourceId(input);
- }
- }).toSet();
-
- return FluentIterable.from(allPrivileges)
- .filter(ClusterInheritedPermissionHelper.privilegeWithClusterInheritedPermissionTypePredicate)
- .filter(ClusterInheritedPermissionHelper.principalTypeInSetFrom(clusterPrivileges))
- .filter(ClusterInheritedPermissionHelper.removeIfExistingPrivilegePredicate(userDirectPrivileges))
- .toSet();
- }
-}
http://git-wip-us.apache.org/repos/asf/ambari/blob/176c691e/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
index a4f0031..eee721a 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java @@ -705,6 +705,96 @@ public class Users { } /** + * Gets the explicit and implicit privileges for the given user. + *

+ * The explicit privileges are the privileges that have be explicitly set by assigning roles to
+ * a user. For example the Cluster Operator role on a given cluster gives that the ability to
+ * start and stop services in that cluster, among other privileges for that particular cluster.
+ *

+ * The implicit privileges are the privileges that have been given to the roles themselves which
+ * in turn are granted to the users that have been assigned those roles. For example if the
+ * Cluster User role for a given cluster has been given View User access on a specified File View
+ * instance, then all users who have the Cluster User role for that cluster will implicitly be
+ * granted View User access on that File View instance.
+ *
+ * @param userEntity the relevant user
+ * @return the collection of implicit and explicit privileges
+ */
+ public Collection getUserPrivileges(UserEntity userEntity) {
+ if (userEntity == null) {
+ return Collections.emptyList();
+ }
+
+ // get all of the privileges for the user
+ List principalEntities = new LinkedList();
+
+ principalEntities.add(userEntity.getPrincipal());
+
+ List memberEntities = memberDAO.findAllMembersByUser(userEntity);
+
+ for (MemberEntity memberEntity : memberEntities) {
+ principalEntities.add(memberEntity.getGroup().getPrincipal());
+ }
+
+ List explicitPrivilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
+ List implicitPrivilegeEntities = getImplicitPrivileges(explicitPrivilegeEntities);
+ List privilegeEntities;
+
+ if(implicitPrivilegeEntities.isEmpty()) {
+ privilegeEntities = explicitPrivilegeEntities;
+ }
+ else {
+ privilegeEntities = new LinkedList();
+ privilegeEntities.addAll(explicitPrivilegeEntities);
+ privilegeEntities.addAll(implicitPrivilegeEntities);
+ }
+
+ return privilegeEntities;
+ }
+
+ /**
+ * Gets the explicit and implicit privileges for the given group.
+ *

+ * The explicit privileges are the privileges that have be explicitly set by assigning roles to
+ * a group. For example the Cluster Operator role on a given cluster gives that the ability to
+ * start and stop services in that cluster, among other privileges for that particular cluster.
+ *

+ * The implicit privileges are the privileges that have been given to the roles themselves which
+ * in turn are granted to the groups that have been assigned those roles. For example if the
+ * Cluster User role for a given cluster has been given View User access on a specified File View
+ * instance, then all groups that have the Cluster User role for that cluster will implicitly be
+ * granted View User access on that File View instance.
+ *
+ * @param groupEntity the relevant group
+ * @return the collection of implicit and explicit privileges
+ */
+ public Collection getGroupPrivileges(GroupEntity groupEntity) {
+ if (groupEntity == null) {
+ return Collections.emptyList();
+ }
+
+ // get all of the privileges for the group
+ List principalEntities = new LinkedList();
+
+ principalEntities.add(groupEntity.getPrincipal());
+
+ List explicitPrivilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
+ List implicitPrivilegeEntities = getImplicitPrivileges(explicitPrivilegeEntities);
+ List privilegeEntities;
+
+ if(implicitPrivilegeEntities.isEmpty()) {
+ privilegeEntities = explicitPrivilegeEntities;
+ }
+ else {
+ privilegeEntities = new LinkedList();
+ privilegeEntities.addAll(explicitPrivilegeEntities);
+ privilegeEntities.addAll(implicitPrivilegeEntities);
+ }
+
+ return privilegeEntities;
+ }
+
+ /**
 * Gets the explicit and implicit authorities for the given user.
 *

* The explicit authorities are the authorities that have be explicitly set by assigning roles to @@ -727,50 +817,59 @@ public class Users { return Collections.emptyList(); } - // get all of the privileges for the user - List principalEntities = new LinkedList(); + Collection privilegeEntities = getUserPrivileges(userEntity); - principalEntities.add(userEntity.getPrincipal()); + Set authorities = new HashSet<>(privilegeEntities.size()); - List memberEntities = memberDAO.findAllMembersByUser(userEntity); + for (PrivilegeEntity privilegeEntity : privilegeEntities) { + authorities.add(new AmbariGrantedAuthority(privilegeEntity)); + } - for (MemberEntity memberEntity : memberEntities) { - principalEntities.add(memberEntity.getGroup().getPrincipal()); + return authorities; + } + + /** + * Gets the implicit privileges based on the set of roles found in a collection of privileges. + *
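Review bot: getUserPrivileges concatenates explicitPrivilegeEntities and implicitPrivilegeEntities without removing overlaps, so a privilege a user holds directly and again through one of their roles is returned twice; the deleted ClusterInheritedPermissionHelper.removeIfExistingPrivilegePredicate used to drop implicit privileges that matched an explicit one on the same resource and permission. Whether that matters depends on the callers: the HashSet of AmbariGrantedAuthority built in getUserAuthorities only collapses them if AmbariGrantedAuthority defines equals/hashCode, which is not visible here, and any caller that lists a principal's privileges will show the duplicate. The merge block is also copied verbatim into getGroupPrivileges further down this hunk; a private helper such as `private List<PrivilegeEntity> mergePrivileges(List<PrivilegeEntity> explicit, List<PrivilegeEntity> implicit)` that returns `explicit` when `implicit` is empty and otherwise a combined list (or a LinkedHashSet if duplicates are unwanted) would give both methods one place to decide. The comment `// get all of the privileges for the user` sits above a line that collects principals, not privileges; `// collect the principals (the user and every group it belongs to) whose privileges apply` describes it better.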

+ * The implicit privileges are the privileges that have been given to the roles themselves which + * in turn are granted to the groups that have been assigned those roles. For example if the + * Cluster User role for a given cluster has been given View User access on a specified File View + * instance, then all groups that have the Cluster User role for that cluster will implicitly be + * granted View User access on that File View instance. + * + * @param privilegeEntities the relevant privileges + * @return the collection explicit privileges + */ + private List getImplicitPrivileges(List privilegeEntities) { + + if ((privilegeEntities == null) || privilegeEntities.isEmpty()) { + return Collections.emptyList(); } - List privilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities); + List implicitPrivileges = new LinkedList(); // A list of principals representing roles/permissions. This collection of roles will be used to - // find additional authorizations inherited by the authenticated user based on the assigned roles. + // find additional inherited privileges based on the assigned roles. // For example a File View instance may be set to be accessible to all authenticated user with // the Cluster User role. List rolePrincipals = new ArrayList(); - Set authorities = new HashSet<>(privilegeEntities.size()); - for (PrivilegeEntity privilegeEntity : privilegeEntities) { // Add the principal representing the role associated with this PrivilegeEntity to the collection - // of roles for the authenticated user. + // of roles. PrincipalEntity rolePrincipal = privilegeEntity.getPermission().getPrincipal(); - if(rolePrincipal != null) { + if (rolePrincipal != null) { rolePrincipals.add(rolePrincipal); } - - authorities.add(new AmbariGrantedAuthority(privilegeEntity)); } - // If the collections of assigned roles is not empty find the inherited authorizations that are - // give to the roles and add them to the collection of (Granted) authorities for the user. 
- if(!rolePrincipals.isEmpty()) { + // If the collections of assigned roles is not empty find the inherited priviliges. + if (!rolePrincipals.isEmpty()) { // For each "role" see if any privileges have been granted... - List rolePrivilegeEntities = privilegeDAO.findAllByPrincipal(rolePrincipals); - - for (PrivilegeEntity privilegeEntity : rolePrivilegeEntities) { - authorities.add(new AmbariGrantedAuthority(privilegeEntity)); - } + implicitPrivileges.addAll(privilegeDAO.findAllByPrincipal(rolePrincipals)); } - return authorities; + return implicitPrivileges; } }
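Review bot: The Javadoc on getImplicitPrivileges ends with `@return the collection explicit privileges`, but the method returns the implicit ones; `@return the list of implicit privileges granted to the roles found in {@code privilegeEntities}` matches the body, and the paragraph above it should say users or groups rather than only groups, since getUserPrivileges and getGroupPrivileges both call it. The role principal is taken from `privilegeEntity.getPermission().getPrincipal()`, i.e. from the permission (role) rather than from the resource the explicit privilege was granted on, and `privilegeDAO.findAllByPrincipal(rolePrincipals)` carries no resource or cluster argument, so as far as this hunk shows every privilege granted to that role principal is inherited regardless of which cluster the explicit privilege applied to; if that scoping is enforced elsewhere, a comment here saying so would help, since this is the point at which inherited authorizations widen. The expansion is also single-level (privileges obtained through a role are not themselves expanded), which the comment `// If the collections of assigned roles is not empty find the inherited priviliges.` could state, correcting the typo at the same time.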