ambari-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Keta Patel (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-15552) Role selection in List view of Manage Ambari page does not work correctly
Date Mon, 25 Apr 2016 23:50:12 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-15552?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15257268#comment-15257268
] 

Keta Patel commented on AMBARI-15552:
-------------------------------------

The issue can be divided into 2 parts:
1. List View
2. Block View

Since we are able to add multiple privileges for the same user/group on the Block View page,
the List View page
does not give a complete understanding of what privileges the user/group has. Though the List
view shows the effective
privilege for a user/group, it is not clear for the Ambari user why the other privileges are
overridden by the current
one or why he can not assign a lower privilege to the user/group.

LIST VIEW:
=========
ISSUE:
A group containing a few members is assigned some privilege. In the List View, the Ambari
user is able to see the
group's privilege for every user it contains. This is correct behavior. But if the Ambari
user tries to change the
privilege of one of the group users, then that user gets updated with the new privilege but
all the other group members
loose their privilege and show "None" as their current privilege. Even the group looses it's
privilege and shows "None"
as its current privilege.

CAUSE:
A group member has the same privileges as the group to which it belongs to. As a result, the
Database stores only
1 entry for a group privilege and doesn't add new entries for the group members. As a result,
the database contained
only one entry for the group privilege in the table "adminprivilege". When the Ambari user
selected a different
privilege for the group member, the entry that belonged to the group was deleted from the
table and a new entry for the
new privilege was added. This new entry belonged to the group member. As a result of these
steps, the group and all the
remaining group members lost their privilege and showed "None" as their effective privilege.

FIX:
Since this issue is observed for users alone, the groups are updated in the same original
way with a few changes to
address some other issue as explained below.
For Users in the List View, whenever the the privilege is updated, a check is made to see
if this update is for a
user or a group. If it is for a user, then a server call is made to retrieve all the privileges
of this user. This
includes all the privileges the user has individually as well as the privileges from the groups
it belongs to.

NOTE: We do not want to keep multiple individual privileges for the user in the database.
This is because the higher 
privileges themselves are inclusive of all the privileges lower than itself. There is no need
for some user "abc" to 
have both "Cluster User" and "Cluster Administrator" privileges as "Cluster Administrator"
covers all "Cluster User" 
privilege also. Regarding the privileges the user gets from the groups it belongs to, we can
not control that number.
So, a user will ultimately have one effective privilege coming from the individual and all
the group privileges taken 
into account. This effective privilege will be the highest of all its privileges.

Now, there are 2 cases that can arise:
1. The Ambari user wants to assign a privilege to the user that is greater than or equal to
its current effective privilege coming from its groups.
2. The Ambari user wants to assign a privilege that is lower than the effective privilege
coming from its groups.
Note: The reason we are comparing the effective privilege from its groups in the 2 cases is
that even if the user had
some individual privilege, on selecting some other privilege in the List view, we would be
replacing that individual 
privilege since we want to keep only one individual privilege. Hence, the comparison now would
be between the chosen 
privilege and the effective privilege from its groups.

The 1st case is handled by allowing the new privilege to be assigned as the individual user
privilege. This would also 
be the user's effective privilege as it is greater than the group's effective privilege. Any
individual privileges the
user had are deleted from the database.

The 2nd case is handled by not allowing the update to go through. This is because the Ambari
use wants to assign a
privilege that would be lower than the group's effective privilege. Even if we had gone through
with the update, we 
would have deleted any individual privileges the user had, and added the new selected privilege
which would still be
lower than the effective privilege coming from its groups. The List view would still show
the groups' effective 
privilege instead of what the Ambari user had selected. So, the fix simply shows an Alert
saying that that this
change was not successful due to the effective privilege from groups being higher than the
selected privilege.


> Role selection in List view of Manage Ambari page does not work correctly
> -------------------------------------------------------------------------
>
>                 Key: AMBARI-15552
>                 URL: https://issues.apache.org/jira/browse/AMBARI-15552
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-admin
>            Reporter: Keta Patel
>            Assignee: Keta Patel
>         Attachments: block_view_after_step3.tiff, block_view_original.tiff, list_view_add_role_to_user_step1.tiff,
list_view_add_role_to_user_step2.tiff, list_view_add_role_to_user_step3.tiff, list_view_users.tiff,
mygroup.tiff, user1.tiff
>
>
> Reproduction Steps:
> 1. Go to Admin->Manage Ambari
> 2. Create a group with a few users belonging to it. 
>     (I have created "mygroup" with "user1", "user2", "user3") 
>     (attachments "user1.tiff", "mygroup.tiff" shows samples)
> 3. Go to Clusters->Roles on the left navigation menu.
> 4. The default view is the "Block" view for the roles. Assign "mygroup" a role, say "Cluster
User". 
>     (attachment "block_view_original.tiff")
> 5. Click on "List" view, it will show Users by default. It correctly shows the role "Cluster
User" for each user in "mygroup". 
>     (attachment "list_view_users.tiff")
> 6. Now, try adding a new Role, say "Service Operator", to one of the users, say "user3".

>     (attachments "list_view_add_role_to_user_step1.tiff", "list_view_add_role_to_user_step2.tiff")
> 7. After making this change, the role gets added for that user (in our case "user3"),
but the roles from other users in its group gets removed. Also, the previous role for the
user ("user3") is replaced by the new Role.
>     (attachment "list_view_add_role_to_user_step3.tiff")
> 8. You can confirm this from the the "Block" view. 
>     (attachment "block_view_after_step3.tiff")
> So, the problem here lies with the List view where it is not able to process the changes
in the Roles correctly.
> There is no provision to add a role. Any change in the Roles of the User from the List
view only replaces the role that was displayed in the selection box while also removing all
the Roles for the remaining users in its group.
> Expected results:
> 1. The selection box must be able to show all the selected Roles for Users/Groups.
> 2. Adding a Role must not replace existing Role of the user.
> 3. Adding a Role to a user must not affect the Roles of other users in its group.
> 4. Multiple Role selection must be allowed from the selection box in the List view.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message