ambari-issues mailing list archives

From "Robert Levas (JIRA)" <>
Subject [jira] [Updated] (AMBARI-16246) Allow roles to be treated like principals in Ambari DB
Date Tue, 10 May 2016 03:40:12 GMT


Robert Levas updated AMBARI-16246:
    Resolution: Fixed
        Status: Resolved  (was: Patch Available)

Committed to trunk
commit 6ea2cc1dffb9b45a4e7f43a4eb97dd8ae14b70da
Author: Robert Levas <>
Date:   Mon May 9 23:39:03 2016 -0400

> Allow roles to be treated like principals in Ambari DB
> ------------------------------------------------------
>                 Key: AMBARI-16246
>                 URL:
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: rbac
>             Fix For: 2.4.0
>         Attachments: AMBARI-16246_trunk_01.patch, AMBARI-16246_trunk_02.patch
> To support assigning privileges to users based on their roles, provide support in the
> Ambari database to allow a {{role}} to be referenced as a {{principal}}, similar to the way
> a {{user}} and a {{group}} are referenced as a {{principal}}.
> A use-case to support the need for this is to assign access to a view to all users with
> some specific role. Currently we can assign access to a view to a specific user or group by
> assigning that user or group the {{VIEW.USER}} role applied to the specific view. To assign
> access to a view to users who have a specific role, a {{role}} will need to behave like a {{principal}}.
> The following changes need to be made to the database:
> * Add {{principal_id}} column to the {{adminpermission}} table
> * Create a {{principaltype}} record where the {{principal_type_name}} is '{{ROLE}}'
> * Add records to the {{adminprincipal}} table to represent each role in {{adminpermission}}
> * Update {{adminpermission.principal_id}} to match the relevant records from {{adminprincipal}}
> After this is complete, {{adminprivilege}} records can be created using roles as principals.
>
> NOTE: special handling will need to be done in the authorization logic to dereference
> the role associations with the authenticated user, similar to the way this is done for groups.

This message was sent by Atlassian JIRA
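
The four database changes and the role dereferencing described in the issue above, as an added example that is not Ambari's schema or code. It runs on a constructed, simplified SQLite schema: only the table and column names quoted in the issue come from it, while the membership table, the other columns, the ids and the sample rows are assumptions.

```python
import sqlite3

# Constructed, simplified schema: only names quoted in the issue come from it;
# the membership table, other columns, ids and sample rows are assumptions.
SCHEMA = """
CREATE TABLE principaltype (principal_type_id INTEGER PRIMARY KEY, principal_type_name TEXT);
CREATE TABLE adminprincipal (principal_id INTEGER PRIMARY KEY, principal_type_id INTEGER);
CREATE TABLE adminpermission (permission_id INTEGER PRIMARY KEY, permission_name TEXT);
CREATE TABLE adminprivilege (permission_id INTEGER, resource_id INTEGER, principal_id INTEGER);
CREATE TABLE membership (group_principal_id INTEGER, user_principal_id INTEGER);
INSERT INTO principaltype VALUES (1,'USER'),(2,'GROUP');
INSERT INTO adminprincipal VALUES (10,1),(11,1),(20,2);   -- alice, bob, ops group
INSERT INTO adminpermission VALUES (1,'CLUSTER.OPERATOR'),(2,'VIEW.USER');
INSERT INTO membership VALUES (20,11);                     -- bob is in ops
INSERT INTO adminprivilege VALUES (1,100,10);              -- alice: CLUSTER.OPERATOR on cluster 100
"""

# The four database changes listed in the issue, in order (ids are constructed).
MIGRATION = """
ALTER TABLE adminpermission ADD COLUMN principal_id INTEGER;
INSERT INTO principaltype VALUES (8,'ROLE');
INSERT INTO adminprincipal SELECT 1000 + permission_id, 8 FROM adminpermission;
UPDATE adminpermission SET principal_id = 1000 + permission_id;
"""

# Dereference one level only: the user, the user's groups, and the principals
# of the roles those hold directly. Roles granted to roles are not followed.
EFFECTIVE = """
WITH direct(pid) AS (
  SELECT :user UNION SELECT group_principal_id FROM membership WHERE user_principal_id = :user),
roles(pid) AS (
  SELECT p.principal_id FROM adminprivilege v
  JOIN adminpermission p ON p.permission_id = v.permission_id
  WHERE v.principal_id IN (SELECT pid FROM direct))
SELECT p.permission_name, v.resource_id FROM adminprivilege v
JOIN adminpermission p ON p.permission_id = v.permission_id
WHERE v.principal_id IN (SELECT pid FROM direct UNION SELECT pid FROM roles)
ORDER BY 1, 2
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + MIGRATION)
    # Grant VIEW.USER on view 200 to the CLUSTER.OPERATOR role principal (1001).
    db.execute("INSERT INTO adminprivilege VALUES (2, 200, 1001)")
    return db

def effective_privileges(db, user_principal_id):
    return db.execute(EFFECTIVE, {"user": user_principal_id}).fetchall()
```

Stopping at one level of dereference keeps a role that is granted to another role from silently widening access or forming a cycle.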
