ambari-issues mailing list archives

From "Robert Levas (JIRA)" <>
Subject [jira] [Commented] (AMBARI-20769) Recommission fails for Cluster Operators, Service Adminstrators and Service Operators
Date Tue, 09 May 2017 13:27:04 GMT


Robert Levas commented on AMBARI-20769:


{{}} is an older
class that we have been slowly phasing out due to its rather coarse level of authorization.
It only knows about URLs and in some cases, a few role checks.  The more granular control
needs to access the payload data and works off of lower-level permissions... whereas a role
is a group of permissions. We can see that this older mechanism can be skipped by using {{}}
to check if the URL matches one where the provider can perform the more granular authorization.

In the case of Decommission/Recommission, the logic to determine authorization should be in
the block of code near {{org/apache/ambari/server/controller/internal/}}.
However, there seems to only be a clause for {{DECOMMISSION}}:
          } else if (commandName.equals("DECOMMISSION")) {
            if (!AuthorizationHelper.isAuthorized(resourceType, resourceId, RoleAuthorization.SERVICE_DECOMMISSION_RECOMMISSION))
              throw new AuthorizationException("The authenticated user is not authorized to decommission services.");

Maybe this is correct or maybe there is a missing clause for "RECOMMISSION" - I am not sure
how this mechanism works.  In any case, the following roles should have this permission:

Have you walked through the code to make sure the code you pointed out is being executed or
not?  In any case, that code block,

            } else if (requestURI.matches(API_CLUSTERS_ALL_PATTERN)) {
              if (permissionId.equals(PermissionEntity.CLUSTER_USER_PERMISSION) ||
                authorized = true;

Seems to be a hack to allow some logic to fall through given the user has some role. In this
case I do not think this block of code is involved. 

So any issue you may be seeing might be related to the code in {{org.apache.ambari.server.controller.internal.RequestResourceProvider}}.

> Recommission fails for Cluster Operators, Service Adminstrators and Service Operators
> -------------------------------------------------------------------------------------
>                 Key: AMBARI-20769
>                 URL:
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: trunk, 2.5.0
>            Reporter: Keta Patel
>            Assignee: Keta Patel
>         Attachments: AMBARI-20769-codeSnippet-for-error.png, AMBARI-20769-codeSnippet.png
> Steps to reproduce:
> 1. Create 4 local users and assign one to each of the following roles:
>  - Cluster Administrator
>  - Cluster Operator
>  - Service Administrator
>  - Service Operator
> 2. Log out and log back in as one of the above created users.
> 3. Decommission a node, the operation is successful with the Background Operation pop-up showing the decommissioning operation being performed.
> 4. Recommission that node. Only the Ambari Admin and Cluster Administrator are able to successfully perform this step. For the rest of the roles mentioned in step-1, you will see the following behavior:
>  - The background operation pop-up shows up with "0 Operations" in progress.
>  - The background operation pop-up disappears and you see the login page momentarily.
>  - The main Dashboard is seen immediately after that and the node is still in the "Decommissioned"
> Desired Behavior:
> All the roles mentioned in step-1 must be able to successfully recommission the nodes.

This message was sent by Atlassian JIRA
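
The two layers described in the comment above, a coarse check that sees only the URL and role and a granular check that reads the command from the payload, sketched as an added example; this is not Ambari's code and not part of the original message. The class name, the URL pattern, the role-to-permission groupings, the second enum value and the "RECOMMISSION" command name are all assumptions made for illustration.

```java
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

public class LayeredAuthorizationSketch {
  // Stand-in for RoleAuthorization; only SERVICE_DECOMMISSION_RECOMMISSION appears on the page.
  enum Authorization { SERVICE_DECOMMISSION_RECOMMISSION, CLUSTER_VIEW_STATUS }

  // A role is a group of permissions (constructed sample groupings).
  static final Map<String, Set<Authorization>> ROLES = Map.of(
      "Service Operator", EnumSet.allOf(Authorization.class),
      "Cluster User", EnumSet.of(Authorization.CLUSTER_VIEW_STATUS));

  // Assumed URL shape for requests that the granular layer authorizes itself.
  static final Pattern GRANULAR_URI = Pattern.compile("/api/v1/clusters/[^/]+/requests");

  // Payload command -> required permission. "RECOMMISSION" is an assumed command name.
  static final Map<String, Authorization> REQUIRED = Map.of(
      "DECOMMISSION", Authorization.SERVICE_DECOMMISSION_RECOMMISSION,
      "RECOMMISSION", Authorization.SERVICE_DECOMMISSION_RECOMMISSION);

  // Coarse layer: knows the URL and the role, never the payload.
  static boolean coarseRoleCheck(String role) {
    return "Cluster Administrator".equals(role);
  }

  // Granular layer: reads the command from the payload and fails closed when
  // the command has no entry, so a missing clause shows up as a denial.
  static boolean granularCheck(String role, String commandName) {
    if (role == null || commandName == null) return false;
    Authorization needed = REQUIRED.get(commandName);
    return needed != null && ROLES.getOrDefault(role, Set.of()).contains(needed);
  }

  // The coarse layer is skipped for URLs the granular layer can authorize itself.
  static boolean isAllowed(String uri, String role, String commandName) {
    if (GRANULAR_URI.matcher(uri).matches()) return granularCheck(role, commandName);
    return coarseRoleCheck(role);
  }

  public static void main(String[] args) {
    String uri = "/api/v1/clusters/c1/requests"; // constructed request URI
    for (String role : new String[] {"Service Operator", "Cluster User"})
      for (String cmd : new String[] {"DECOMMISSION", "RECOMMISSION", "UNMAPPED"})
        System.out.printf("%-16s %-12s %s%n", role, cmd,
            isAllowed(uri, role, cmd) ? "allowed" : "denied");
  }
}
```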
