ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alejandro Fernandez" <afernan...@hortonworks.com>
Subject Re: Review Request 26519: Upgrade: Admin gets unnecessary READ permissions
Date Thu, 09 Oct 2014 22:18:33 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/26519/
-----------------------------------------------------------

(Updated Oct. 9, 2014, 10:18 p.m.)


Review request for Ambari, Jonathan Hurley, Srimanth Gunturi, Sid Wagle, and Tom Beerbower.


Bugs: AMBARI-7717
    https://issues.apache.org/jira/browse/AMBARI-7717


Repository: ambari


Description
-------

During upgrade to Ambari 1.7.0, local users and admins get migrated fine, however, Ambari
is explicitly giving CLUSTER.READ to admins.
The admins really don't need this READ, they just need CLUSTER.OPERATE (which they already
have).

This is inteded for both trunk and release candidate branch 1.7.0, so it needs two +1s.


Diffs
-----

  ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog170.java f5f6297

  ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog170Test.java
0c92f44 

Diff: https://reviews.apache.org/r/26519/diff/


Testing
-------

Installed a cluster with Ambari 1.6.1.
An admin had roles of both admin and user.

$ psql -U ambari -d ambari
ambari=> select u.user_id, u.user_name, ur.role_name from users as u join user_roles as
ur on u.user_id = ur.user_id ORDER BY u.user_id;
 user_id | user_name | role_name
---------+-----------+-----------
       1 | admin     | admin
       3 | admin1    | user
       3 | admin1    | admin
       4 | admin2    | user
       4 | admin2    | admin
       5 | user1     | user
       6 | user2     | user
(7 rows)

After the upgrade,

ambari=> select u.user_name, u.principal_id, priv.permission_id, permission_name, t.resource_type_name
from adminprivilege as priv join users as u on u.principal_id = priv.principal_id join adminpermission
as perm on priv.permission_id = perm.permission_id join adminresourcetype as t on perm.resource_type_id
= t.resource_type_id WHERE t.resource_type_name IN ('CLUSTER', 'AMBARI') ORDER BY u.user_name
asc;
 user_name | principal_id | permission_id | permission_name | resource_type_name
-----------+--------------+---------------+-----------------+--------------------
 admin     |            3 |             3 | CLUSTER.OPERATE | CLUSTER
 admin     |            3 |             1 | AMBARI.ADMIN    | AMBARI
 admin1    |            4 |             3 | CLUSTER.OPERATE | CLUSTER
 admin1    |            4 |             1 | AMBARI.ADMIN    | AMBARI
 admin2    |            5 |             3 | CLUSTER.OPERATE | CLUSTER
 admin2    |            5 |             1 | AMBARI.ADMIN    | AMBARI
 user1     |            6 |             2 | CLUSTER.READ    | CLUSTER
 user2     |            7 |             2 | CLUSTER.READ    | CLUSTER
 
 
 Also, ran unit tests.
 ----------------------------------------------------------------------
Total run:641
Total errors:0
Total failures:0
OK
...
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 28:41.374s
[INFO] Finished at: Thu Oct 09 14:13:30 PDT 2014
[INFO] Final Memory: 62M/1564M
[INFO] ------------------------------------------------------------------------
 


Thanks,

Alejandro Fernandez


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message