ambari-dev mailing list archives

From "Swapan Shridhar" <sshrid...@hortonworks.com>
Subject Re: Review Request 41107: Role Based Access Control support for Metrics.
Date Wed, 16 Dec 2015 00:59:24 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/41107/
-----------------------------------------------------------

(Updated Dec. 16, 2015, 12:59 a.m.)


Review request for Ambari, Alejandro Fernandez, Jonathan Hurley, Nate Cole, Robert Levas,
Sumit Mohanty, and Sid Wagle.


Changes
-------

- Updated the code based on Jonathan and Nate's comments.


Bugs: AMBARI-14192
    https://issues.apache.org/jira/browse/AMBARI-14192


Repository: ambari


Description (updated)
-------

Role Based Access Control support for Metrics.


* With the base infrastructure already in place for "Role Based Access Control (RBAC)", this
change introduces the RBAC support for Ambari Metrics. Before doing the metrics population,
to be sent back, it does an authorization check for the current user in consideration for
the VIEW METRICS permissions.
  

* The mapping is as follows :

Resource.InternalType.Cluster -> CLUSTER_VIEW_METRICS
Resource.InternalType.HOST -> HOST_VIEW_METRICS
Resource.InternalType.Component -> SERVICE_VIEW_METRICS
Resource.InternalType.HostComponent -> SERVICE_VIEW_METRICS

* For a user requesting Metrics and not having Authorization, AuthorizationException is raised.


NOTE : 
----
As of now the below exist (Will be creating a JIRA for them). 

- When the VIEW USER logs in, it sees the VIEW listed for which it is entitled, but clicking
on the CAPACITY SCHEDULER (YARN) VIEW results in ERROR :

"Couldn't connect to the cluster
RA040 I/O error while requesting Ambari". 
REASON : This view internally calls metrics for which it doesn't have the permissions.


Diffs (updated)
-----

  ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractPropertyProvider.java
4a0c44f 
  ambari-server/src/main/java/org/apache/ambari/server/controller/internal/StackDefinedPropertyProvider.java
a1b4f3f 
  ambari-server/src/main/java/org/apache/ambari/server/controller/jmx/JMXPropertyProvider.java
2748dd4 
  ambari-server/src/main/java/org/apache/ambari/server/controller/metrics/MetricsPropertyProvider.java
f1c5c81 
  ambari-server/src/main/java/org/apache/ambari/server/controller/metrics/MetricsPropertyProviderProxy.java
ac11556 
  ambari-server/src/main/java/org/apache/ambari/server/controller/metrics/MetricsReportPropertyProviderProxy.java
4d2ce01 
  ambari-server/src/main/java/org/apache/ambari/server/controller/metrics/RestMetricsPropertyProvider.java
b32adda 
  ambari-server/src/main/java/org/apache/ambari/server/controller/metrics/ThreadPoolEnabledPropertyProvider.java
8a35636 
  ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
0c675b8 
  ambari-server/src/test/java/org/apache/ambari/server/controller/internal/StackDefinedPropertyProviderTest.java
bb6673c 
  ambari-server/src/test/java/org/apache/ambari/server/controller/metrics/JMXPropertyProviderTest.java
f0c1280 
  ambari-server/src/test/java/org/apache/ambari/server/controller/metrics/RestMetricsPropertyProviderTest.java
82b42f2 
  ambari-server/src/test/java/org/apache/ambari/server/controller/metrics/ganglia/GangliaPropertyProviderTest.java
6fefffe 
  ambari-server/src/test/java/org/apache/ambari/server/controller/metrics/timeline/AMSPropertyProviderTest.java
6b5926b 

Diff: https://reviews.apache.org/r/41107/diff/


Testing (updated)
-------

- Ambari Server Deployment and tested for "View USER (only view permissions)", 'admin' login
(all permissions) and SERVICE OPERATOR role.
- UT : PASSES.
- UNIT tests modified as part of this change, tested : Success.
- API :


View User :
---------

[root@c6401 ambari-server]# curl -u viewUser:aaa "http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]"
{
  "status" : 403,
  "message" : "The authenticated user does not have authorization to view Host metrics"
}


Cluster Administrator Role:
--------------------------

[root@c6401 ambari-server]# curl -u clusAdmin:aaa "http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]"
{
  "href" : "http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]",
  "Hosts" : {
    "cluster_name" : "c1",
    "host_name" : "c6401.ambari.apache.org"
  }
}


Service Operator:
----------------

[root@c6401 ambari-server]# curl -u servOp:aaa "http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]"
{
  "href" : "http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]",
  "Hosts" : {
    "cluster_name" : "c1",
    "host_name" : "c6401.ambari.apache.org"
  }
}


Non-existing User:
-----------------

[root@c6401 ambari-server]# curl -u a:aaa "http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]"
{
  "status": 403,
  "message": "Full authentication is required to access this resource"
}


Admin User:
----------

[root@c6401 ambari-server]# curl -u admin:admin "http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]"
{
  "href" : "http://c6401:8080/api/v1/clusters/c1/hosts/c6401.ambari.apache.org?fields=metrics/network/bytes_in[1449532831,1449534631,15],metrics/network/bytes_out[1449532831,1449534631,15]",
  "Hosts" : {
    "cluster_name" : "c1",
    "host_name" : "c6401.ambari.apache.org"
  }
}


Thanks,

Swapan Shridhar
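
The check described in this message, as an added example that is not part of the original e-mail or of the Ambari code base: the required permission is looked up from the resource type before any metrics are fetched, and a missing grant raises an exception. The class, the enum and exception types, the `Service` entry, the fail-closed handling of unmapped types and the per-user grants are assumptions made for illustration; the mapping and the error text come from the description and test output above.

```java
import java.util.EnumMap;
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;

public class MetricsRbacExample {
  // Stand-ins for the Resource.InternalType values and permissions named in the description.
  enum ResourceType { Cluster, Host, Component, HostComponent, Service }
  enum Permission { CLUSTER_VIEW_METRICS, HOST_VIEW_METRICS, SERVICE_VIEW_METRICS }

  // Local stand-in for the AuthorizationException mentioned in the message.
  static class AuthorizationException extends Exception {
    AuthorizationException(String message) { super(message); }
  }

  static final Map<ResourceType, Permission> REQUIRED = new EnumMap<>(ResourceType.class);
  static {
    REQUIRED.put(ResourceType.Cluster, Permission.CLUSTER_VIEW_METRICS);
    REQUIRED.put(ResourceType.Host, Permission.HOST_VIEW_METRICS);
    REQUIRED.put(ResourceType.Component, Permission.SERVICE_VIEW_METRICS);
    REQUIRED.put(ResourceType.HostComponent, Permission.SERVICE_VIEW_METRICS);
  }

  // Called before metrics are populated. A type with no mapping (Service here,
  // an assumption) is denied rather than silently allowed.
  static void checkViewMetrics(ResourceType type, Set<Permission> granted)
      throws AuthorizationException {
    Permission needed = REQUIRED.get(type);
    if (needed == null || !granted.contains(needed)) {
      throw new AuthorizationException(
          "The authenticated user does not have authorization to view " + type + " metrics");
    }
  }

  static boolean allowed(ResourceType type, Set<Permission> granted) {
    try { checkViewMetrics(type, granted); return true; }
    catch (AuthorizationException e) { System.out.println("403: " + e.getMessage()); return false; }
  }

  public static void main(String[] args) {
    // Constructed grants, chosen to match the outcomes shown in the Testing section.
    Set<Permission> viewUser = EnumSet.noneOf(Permission.class);
    Set<Permission> clusterAdmin = EnumSet.allOf(Permission.class);
    System.out.println("viewUser/Host: " + allowed(ResourceType.Host, viewUser));
    System.out.println("clusAdmin/Host: " + allowed(ResourceType.Host, clusterAdmin));
    System.out.println("clusAdmin/Service: " + allowed(ResourceType.Service, clusterAdmin));
  }
}
```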

