Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 8E01C200C85 for ; Tue, 30 May 2017 19:18:09 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 8C8AB160BB1; Tue, 30 May 2017 17:18:09 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id D3D34160BDC for ; Tue, 30 May 2017 19:18:08 +0200 (CEST) Received: (qmail 85549 invoked by uid 500); 30 May 2017 17:18:08 -0000 Mailing-List: contact issues-help@ambari.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@ambari.apache.org Delivered-To: mailing list issues@ambari.apache.org Received: (qmail 85540 invoked by uid 99); 30 May 2017 17:18:08 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 30 May 2017 17:18:08 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id 9B9771802CA for ; Tue, 30 May 2017 17:18:07 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -99.202 X-Spam-Level: X-Spam-Status: No, score=-99.202 tagged_above=-999 required=6.31 tests=[KAM_ASCII_DIVIDERS=0.8, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id ryesoLRDE7eB for ; Tue, 30 May 2017 17:18:06 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id 8CF2E60E2E for ; Tue, 30 May 2017 17:18:05 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 01F62E0D6A for ; Tue, 30 May 2017 17:18:05 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 6205921B5C for ; Tue, 30 May 2017 17:18:04 +0000 (UTC) Date: Tue, 30 May 2017 17:18:04 +0000 (UTC) From: "Robert Levas (JIRA)" To: issues@ambari.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Comment Edited] (AMBARI-20769) Recommission fails for Cluster Operators, Service Adminstrators and Service Operators MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 archived-at: Tue, 30 May 2017 17:18:09 -0000 [ https://issues.apache.org/jira/browse/AMBARI-20769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16029772#comment-16029772 ] Robert Levas edited comment on AMBARI-20769 at 5/30/17 5:17 PM: ---------------------------------------------------------------- [~patelket@us.ibm.com]... Thanks for the clarification on this. I didn't know about the {{/clusters/:CLUSTER_NAME/request_schedules}} entry point. My guess is that this was missed when adding the new RBAC features. So what needs to be done is to add this URL pattern to the list tested in {{org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter#authorizationPerformedInternally}}. Then add the correct authorization logic to {{org.apache.ambari.server.controller.internal.RequestScheduleResourceProvider}}. Unfortunately, this resource provider handles generic requests, so logic will need to be implemented to determine what is being asked for and then perform the appropriate authorization check. was (Author: rlevas): [~patelket@us.ibm.com]... Thanks for the clarification on this. I didn't know about the {{/clusters/:CLUSTER_NAME/request_schedules'}} entry point. My guess is that this was missed when adding the new RBAC features. So what needs to be done is to add this URL pattern to the list tested in {{org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter#authorizationPerformedInternally}}. Then add the correct authorization logic to {{org.apache.ambari.server.controller.internal.RequestScheduleResourceProvider}}. Unfortunately, this resource provider handles generic requests, so logic will need to be implemented to determine what is being asked for and then perform the appropriate authorization check. > Recommission fails for Cluster Operators, Service Adminstrators and Service Operators > ------------------------------------------------------------------------------------- > > Key: AMBARI-20769 > URL: https://issues.apache.org/jira/browse/AMBARI-20769 > Project: Ambari > Issue Type: Bug > Components: ambari-server > Affects Versions: trunk, 2.5.0 > Reporter: Keta Patel > Assignee: Keta Patel > Attachments: AMBARI-20769-codeSnippet-for-error.png, AMBARI-20769-codeSnippet.png, cluster_operator_1_recommission.png, cluster_operator_2_recommission.png > > > Steps to reproduce: > 1. Create 4 local users assign one to each of the following roles: > - Cluster Administrator > - Cluster Operator > - Service Administrator > - Service Operator > 2. Logout and login back as one of the above created users. > 3. Decommission a node, the operation is successful with the Background Operation pop-up showing the decommissioning operation being performed. > 4. Recommission that node. Only the Ambari Admin and Cluster Administrator is able to successfully perform this step. For the rest of the roles mentioned in step-1, you will see the following behavior: > - The background operation pop-up shows up with "0 Operations" in progress. > - The background operation pop-up disappears and you see the login page momentarily. > - The main Dashboard is seen immediately after that and the node is still in the "Decommissioned" state. > Desired Behavior: > All the roles mentioned in step-1 must be able to successfully recommission the nodes. -- This message was sent by Atlassian JIRA (v6.3.15#6346)