> On Sept. 30, 2015, 11:20 a.m., Jonathan Hurley wrote: > > ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java, > > lines 67-68 > > <https://reviews.apache.org/r/38865/diff/1/?file=1087425#file1087425line67> > > > > Wouldn't this be taken care of by your `hasPermission(...);` calls > > inside of ClusterService ?
`hasPermission(...)` appears to only validate that an authenticated user can perform any operation on a cluster. There is no way to determine if the user has permissions to perform a _specific_ operation. - Robert ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/38865/#review101117 ----------------------------------------------------------- On Sept. 30, 2015, 8:28 a.m., Robert Levas wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/38865/ > ----------------------------------------------------------- > > (Updated Sept. 30, 2015, 8:28 a.m.) > > > Review request for Ambari, Jonathan Hurley, John Speidel, and Robert > Nettleton. > > > Bugs: AMBARI-13214 > https://issues.apache.org/jira/browse/AMBARI-13214 > > > Repository: ambari > > > Description > ------- > > Storage of the credentials is to be done using the existing _secure_ > credentials provider API which already exits within Ambari. > > Credential may be stored in either Ambari's persistent or temporary secure > storage facilities. > > # Testing capabilities > > * Request > ``` > GET api/v1/clusters/{CLUSTER_NAME} > ``` > > * Responses > ``` > 200 OK > { > ... > "credential_store_properties" : { > "storage.persistent" : "true", > "storage.temporary" : "true" > }, > ... > } > ``` > > # Creating credentials > > * Request > ``` > POST /api/v1/clusters/{CLUSTER_NAME}/credentials/{ALIAS} > { > "Credential" : { > "principal" : "USERNAME", > "key" : "SECRET", > "persist" : true > } > } > > Where: > ** principal: the principal (or username) part of the credential to store > ** key: the secret key part of the credential to store > ** persist: a boolean value indicating whether to store this credential in a > persisted (true) or temporary (false) secure credential store > ``` > > * Responses > ``` > 200 OK > ``` > ``` > 400 Bad Request > { > "status": 400, > "message": "Cannot persist credential in Ambari's secure credential store > since secure storage has not yet be configured. Use ambari-server > setup-security to enable this feature." > } > ``` > ``` > 403 Forbidden > { > "status": 403, > "message": "You do not have permissions to access this resource." > } > ``` > > # Updating credentials > > * Request > ``` > PUT /api/v1/clusters/{CLUSTER_NAME}/credentials/{ALIAS} > { > "Credential" : { > "principal" : "USERNAME", > "key" : "SECRET1", > "persist" : true > } > } > > Where: > ** principal: the principal (or username) part of the credential to store > ** key: the secret key part of the credential to store > ** persist: a boolean value indicating whether to store this credential in a > persisted (true) or temporary (false) secure credential store > ``` > > * Responses > ``` > 200 OK > ``` > ``` > 400 Bad Request > { > "status": 400, > "message": "Cannot persist credential in Ambari's secure credential store > since secure storage has not yet be configured. Use ambari-server > setup-security to enable this feature." > } > ``` > ``` > 403 Forbidden > { > "status": 403, > "message": "You do not have permissions to access this resource." > } > ``` > > # Removing credentials > > * Request > ``` > DELETE /api/v1/clusters/{CLUSTER_NAME}/credentials/{ALIAS} > ``` > > * Responses > ``` > 200 OK > ``` > ``` > 404 Not Found > { > "status": 404, > "message": "Not Found" > } > ``` > ```403 Forbidden > { > "status": 403, > "message": "You do not have permissions to access this resource." > } > ``` > > # Listing credentials > > * Request > ``` > GET /api/v1/clusters/{CLUSTER_NAME}/credentials > ``` > > * Responses > ``` > 200 OK > { > "href" : "http://host:8080/api/v1/clusters/c1/credentials";, > "items" : [ > { > "href" : > "http://host:8080/api/v1/clusters/c1/credentials/kdc.admin.credentials";, > "Credential" : { > "alias" : "kdc.admin.credentials", > "cluster_name" : "c1" > } > }, > { > "href" : > "http://host:8080/api/v1/clusters/c1/credentials/service.admin.credentials";, > "Credential" : { > "alias" : "service.admin.credentials", > "cluster_name" : "c1" > } > } > ] > } > ``` > ``` > 404 Not Found > { > "status": 404, > "message": "Not Found" > } > ``` > ``` > 403 Forbidden > { > "status": 403, > "message": "You do not have permissions to access this resource." > } > ``` > > # Retrieving credentials > > * Request > ``` > GET /api/v1/clusters/{CLUSTER_NAME}/credentials/{ALIAS} > ``` > > * Responses > ``` > 200 OK > { > "href" : > "http://host:8080/api/v1/clusters/c1/credentials/kdc.admin.credentials";, > "Credential" : { > "alias" : "kdc.admin.credentials", > "cluster_name" : "c1", > "persist" : true > } > } > ``` > ``` > 404 Not Found > { > "status": 404, > "message": "Not Found" > } > ``` > ``` > 403 Forbidden > { > "status": 403, > "message": "You do not have permissions to access this resource." > } > ``` > > > Diffs > ----- > > ambari-server/docs/api/v1/credential-create.md PRE-CREATION > ambari-server/docs/api/v1/credential-delete.md PRE-CREATION > ambari-server/docs/api/v1/credential-get.md PRE-CREATION > ambari-server/docs/api/v1/credential-list.md PRE-CREATION > ambari-server/docs/api/v1/credential-resources.md PRE-CREATION > ambari-server/docs/api/v1/credential-update.md PRE-CREATION > ambari-server/docs/api/v1/index.md c1e464c > > ambari-server/src/main/java/org/apache/ambari/server/api/resources/CredentialResourceDefinition.java > PRE-CREATION > > ambari-server/src/main/java/org/apache/ambari/server/api/resources/ResourceInstanceFactoryImpl.java > 1e219ff > > ambari-server/src/main/java/org/apache/ambari/server/api/services/ClusterService.java > 7bb0a72 > > ambari-server/src/main/java/org/apache/ambari/server/api/services/CredentialService.java > PRE-CREATION > > ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java > e3686ac > > ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java > 6ba6bac > > ambari-server/src/main/java/org/apache/ambari/server/controller/ClusterResponse.java > bb6d88e > > ambari-server/src/main/java/org/apache/ambari/server/controller/ControllerModule.java > a40fae6 > > ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java > a1cd5b8 > > ambari-server/src/main/java/org/apache/ambari/server/controller/ResourceProviderFactory.java > 5d1143a > > ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractControllerResourceProvider.java > 9163656 > > ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterResourceProvider.java > 7e75a75 > > ambari-server/src/main/java/org/apache/ambari/server/controller/internal/CredentialResourceProvider.java > PRE-CREATION > > ambari-server/src/main/java/org/apache/ambari/server/controller/spi/Resource.java > 1b208fb > > ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java > 44c9613 > > ambari-server/src/main/java/org/apache/ambari/server/security/credential/Credential.java > PRE-CREATION > > ambari-server/src/main/java/org/apache/ambari/server/security/credential/CredentialFactory.java > PRE-CREATION > > ambari-server/src/main/java/org/apache/ambari/server/security/credential/GenericKeyCredential.java > PRE-CREATION > > ambari-server/src/main/java/org/apache/ambari/server/security/credential/InvalidCredentialValueException.java > PRE-CREATION > > ambari-server/src/main/java/org/apache/ambari/server/security/credential/PrincipalKeyCredential.java > PRE-CREATION > > ambari-server/src/main/java/org/apache/ambari/server/security/encryption/AbstractCredentialStore.java > PRE-CREATION > > ambari-server/src/main/java/org/apache/ambari/server/security/encryption/CredentialProvider.java > b812337 > > ambari-server/src/main/java/org/apache/ambari/server/security/encryption/CredentialStore.java > PRE-CREATION > > ambari-server/src/main/java/org/apache/ambari/server/security/encryption/CredentialStoreService.java > 4aa3b0a > > ambari-server/src/main/java/org/apache/ambari/server/security/encryption/CredentialStoreServiceImpl.java > 968e96a > > ambari-server/src/main/java/org/apache/ambari/server/security/encryption/FileBasedCredentialStore.java > PRE-CREATION > > ambari-server/src/main/java/org/apache/ambari/server/security/encryption/FileBasedCredentialStoreService.java > 41ff71b > > ambari-server/src/main/java/org/apache/ambari/server/security/encryption/InMemoryCredentialStore.java > PRE-CREATION > > ambari-server/src/main/java/org/apache/ambari/server/security/encryption/InMemoryCredentialStoreService.java > 08d84fc > > ambari-server/src/test/java/org/apache/ambari/server/api/resources/CredentialResourceDefinitionTest.java > PRE-CREATION > > ambari-server/src/test/java/org/apache/ambari/server/api/services/CredentialServiceTest.java > PRE-CREATION > > ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java > 074fbb4 > > ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java > 23ce914 > > ambari-server/src/test/java/org/apache/ambari/server/controller/internal/CredentialResourceProviderTest.java > PRE-CREATION > > ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserResourceProviderTest.java > b0e1018 > > ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java > 1824486 > > ambari-server/src/test/java/org/apache/ambari/server/security/encryption/CredentialProviderTest.java > ef1a9c8 > > ambari-server/src/test/java/org/apache/ambari/server/security/encryption/CredentialStoreServiceImplTest.java > PRE-CREATION > > ambari-server/src/test/java/org/apache/ambari/server/security/encryption/CredentialStoreServiceTest.java > 9725746 > > ambari-server/src/test/java/org/apache/ambari/server/security/encryption/CredentialStoreTest.java > PRE-CREATION > > Diff: https://reviews.apache.org/r/38865/diff/ > > > Testing > ------- > > Units tests updated and passed > Manually testing in existing cluster (upgrade scenario) and new cluster > > # Local test results: > > [INFO] BUILD SUCCESS > [INFO] > ------------------------------------------------------------------------ > [INFO] Total time: 54:46.952s > [INFO] Finished at: Tue Sep 29 18:02:43 EDT 2015 > [INFO] Final Memory: 66M/1534M > [INFO] > ------------------------------------------------------------------------ > > # Jenkins test results: > > Tests run: 3231, Failures: 0, Errors: 0, Skipped: 25 > > [INFO] > ------------------------------------------------------------------------ > [INFO] BUILD SUCCESS > [INFO] > ------------------------------------------------------------------------ > [INFO] Total time: 01:15 h > [INFO] Finished at: 2015-09-30T04:19:21+00:00 > [INFO] Final Memory: 48M/564M > [INFO] > ------------------------------------------------------------------------ > > > Thanks, > > Robert Levas > >
