[
https://issues.apache.org/jira/browse/AMBARI-15552?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Keta Patel updated AMBARI-15552:
--------------------------------
Description:
Reproduction Steps:
1. Go to Admin->Manage Ambari
2. Create a group with a few users belonging to it.
(I have created "mygroup" with "user1", "user2", "user3")
(attachments "user1.tiff", "mygroup.tiff" shows samples)
3. Go to Clusters->Roles on the left navigation menu.
4. The default view is the "Block" view for the roles. Assign "mygroup" a role,
say "Cluster User".
(attachment "block_view_original.tiff")
5. Click on "List" view, it will show Users by default. It correctly shows the
role "Cluster User" for each user in "mygroup".
(attachment "list_view_users.tiff")
6. Now, try adding a new Role, say "Service Operator", to one of the users, say
"user3".
(attachments "list_view_add_role_to_user_step1.tiff",
"list_view_add_role_to_user_step2.tiff")
7. After making this change, the role gets added for that user (in our case
"user3"), but the roles from other users in its group gets removed. Also, the
previous role for the user ("user3") is replaced by the new Role.
(attachment "list_view_add_role_to_user_step3.tiff")
8. You can confirm this from the the "Block" view.
(attachment "block_view_after_step3.tiff")
So, the problem here lies with the List view where it is not able to process
the changes in the Roles correctly. A change in the Role of a user causes the
following:
CASE-1: The displayed role (effective privilege) comes from an explicitly
assigned role to the user.
1.1) The new selected role correctly replaces the existing privilege that was
explicitly assigned to the user.
1.2) But if the user was assigned multiple roles explicilty (before the fix for
AMBARI-16102 got pushed in), then all the other roles, which are of lower
privilege than the role that got replaced, are still displayed in the Block
view (because those roles are still in the database). So, if the new selected
role happened to be of a lower privilege than and existing role of the user,
then even though the user sees a success Alert message, the effective privileg
he sees is different. For the Ambari user, this behavior is not easily
understandable.
CASE-2: The displayed role (effective privilege) comes from a group the user
belongs to.
2.1) If the new selected privilege is higher than the effective privilege
coming from the user's group(s), then the newly selected role replaces this
"group" privilege in the database, insetad of creating a new entry.
2.2) As a result of losing the group privilege, all the group members also lose
their privileges and they show "None" as their effective privilege.
2.3) If the newly selected privilege is lower than effective group privilege,
the Alert message shows a success of role change but the effective privilge is
still not the one that the Ambari user selected.
Expected results:
1. Updating a Role of a user must replace any/all of the explicit roles it has
been assigned through the Block View. (this addresses 1.2)
Note: Even though AMBARI-16102 has attempted to fix the Block view by allowing
only a user to have just one role assigned to it, there could be cases where
the earlier version of Block view has already allowed users to have multiple
roles. So, taking this into consideration, the fix must address removing any or
all of the roles the user was assigned explicitly.
2. Adding a Role to a user must not affect the Roles of other users in its
group. (addressing 2.1 and 2.2)
3. Selecting a "NONE" for a user role shows the Alert "User's role chnaged to
None". This may not reflect the correct privilege status as the user might
have some effective privilege coming from its group(s). In the fix, the Alert
must show the relevant message.
4. Alert messages must show more informative messages of what is happening with
the user's privileges and why. (addressing 1.2 and 2.3)
was:
Reproduction Steps:
1. Go to Admin->Manage Ambari
2. Create a group with a few users belonging to it.
(I have created "mygroup" with "user1", "user2", "user3")
(attachments "user1.tiff", "mygroup.tiff" shows samples)
3. Go to Clusters->Roles on the left navigation menu.
4. The default view is the "Block" view for the roles. Assign "mygroup" a role,
say "Cluster User".
(attachment "block_view_original.tiff")
5. Click on "List" view, it will show Users by default. It correctly shows the
role "Cluster User" for each user in "mygroup".
(attachment "list_view_users.tiff")
6. Now, try adding a new Role, say "Service Operator", to one of the users, say
"user3".
(attachments "list_view_add_role_to_user_step1.tiff",
"list_view_add_role_to_user_step2.tiff")
7. After making this change, the role gets added for that user (in our case
"user3"), but the roles from other users in its group gets removed. Also, the
previous role for the user ("user3") is replaced by the new Role.
(attachment "list_view_add_role_to_user_step3.tiff")
8. You can confirm this from the the "Block" view.
(attachment "block_view_after_step3.tiff")
So, the problem here lies with the List view where it is not able to process
the changes in the Roles correctly.
There is no provision to add a role. Any change in the Roles of the User from
the List view only replaces the role that was displayed in the selection box
while also removing all the Roles for the remaining users in its group.
Expected results:
1. The selection box must be able to show all the selected Roles for
Users/Groups.
2. Adding a Role must not replace existing Role of the user.
3. Adding a Role to a user must not affect the Roles of other users in its
group.
4. Multiple Role selection must be allowed from the selection box in the List
view.
> Role selection in List view of Manage Ambari page does not work correctly
> -------------------------------------------------------------------------
>
> Key: AMBARI-15552
> URL: https://issues.apache.org/jira/browse/AMBARI-15552
> Project: Ambari
> Issue Type: Bug
> Components: ambari-admin
> Reporter: Keta Patel
> Assignee: Keta Patel
> Attachments: AMBARI-15552.patch, block_view_after_step3.tiff,
> block_view_original.tiff, list_view_add_role_to_user_step1.tiff,
> list_view_add_role_to_user_step2.tiff, list_view_add_role_to_user_step3.tiff,
> list_view_users.tiff, mygroup.tiff, user1.tiff
>
>
> Reproduction Steps:
> 1. Go to Admin->Manage Ambari
> 2. Create a group with a few users belonging to it.
> (I have created "mygroup" with "user1", "user2", "user3")
> (attachments "user1.tiff", "mygroup.tiff" shows samples)
> 3. Go to Clusters->Roles on the left navigation menu.
> 4. The default view is the "Block" view for the roles. Assign "mygroup" a
> role, say "Cluster User".
> (attachment "block_view_original.tiff")
> 5. Click on "List" view, it will show Users by default. It correctly shows
> the role "Cluster User" for each user in "mygroup".
> (attachment "list_view_users.tiff")
> 6. Now, try adding a new Role, say "Service Operator", to one of the users,
> say "user3".
> (attachments "list_view_add_role_to_user_step1.tiff",
> "list_view_add_role_to_user_step2.tiff")
> 7. After making this change, the role gets added for that user (in our case
> "user3"), but the roles from other users in its group gets removed. Also, the
> previous role for the user ("user3") is replaced by the new Role.
> (attachment "list_view_add_role_to_user_step3.tiff")
> 8. You can confirm this from the the "Block" view.
> (attachment "block_view_after_step3.tiff")
> So, the problem here lies with the List view where it is not able to process
> the changes in the Roles correctly. A change in the Role of a user causes the
> following:
> CASE-1: The displayed role (effective privilege) comes from an explicitly
> assigned role to the user.
> 1.1) The new selected role correctly replaces the existing privilege that was
> explicitly assigned to the user.
> 1.2) But if the user was assigned multiple roles explicilty (before the fix
> for AMBARI-16102 got pushed in), then all the other roles, which are of lower
> privilege than the role that got replaced, are still displayed in the Block
> view (because those roles are still in the database). So, if the new selected
> role happened to be of a lower privilege than and existing role of the user,
> then even though the user sees a success Alert message, the effective
> privileg he sees is different. For the Ambari user, this behavior is not
> easily understandable.
> CASE-2: The displayed role (effective privilege) comes from a group the user
> belongs to.
> 2.1) If the new selected privilege is higher than the effective privilege
> coming from the user's group(s), then the newly selected role replaces this
> "group" privilege in the database, insetad of creating a new entry.
> 2.2) As a result of losing the group privilege, all the group members also
> lose their privileges and they show "None" as their effective privilege.
> 2.3) If the newly selected privilege is lower than effective group privilege,
> the Alert message shows a success of role change but the effective privilge
> is still not the one that the Ambari user selected.
> Expected results:
> 1. Updating a Role of a user must replace any/all of the explicit roles it
> has been assigned through the Block View. (this addresses 1.2)
> Note: Even though AMBARI-16102 has attempted to fix the Block view by
> allowing only a user to have just one role assigned to it, there could be
> cases where the earlier version of Block view has already allowed users to
> have multiple roles. So, taking this into consideration, the fix must address
> removing any or all of the roles the user was assigned explicitly.
> 2. Adding a Role to a user must not affect the Roles of other users in its
> group. (addressing 2.1 and 2.2)
> 3. Selecting a "NONE" for a user role shows the Alert "User's role chnaged to
> None". This may not reflect the correct privilege status as the user might
> have some effective privilege coming from its group(s). In the fix, the Alert
> must show the relevant message.
> 4. Alert messages must show more informative messages of what is happening
> with the user's privileges and why. (addressing 1.2 and 2.3)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
