HUE-7407 [useradmin] Added superuser group priv to useradmin

Review Request #13139 - Created July 2, 2018 and submitted

Chris Conner
hue
master
HUE-7407
hue
enricoberti, jgauthier, johan, ranade, romain, roohi, weixia, yingc
commit 7c57ee8e69d1bbcf4bf1b1d9422632f4d0a3f30f
Author: Chris Conner <cconner@cloudera.com>
Date:   Mon Jul 2 15:06:10 2018 -0400

    HUE-7407 [useradmin] Added superuser group priv to useradmin

:100644 100644 e9dce96ff5... d494948112... M	apps/about/src/about/templates/admin_wizard.mako
:100644 100644 14bcb6f324... 5f511d8b04... M	apps/about/src/about/views.py
:100644 100644 71dc4421ac... cebf5a24ce... M	apps/beeswax/src/beeswax/api.py
:100644 100644 f1fd37a881... 572c7eb81d... M	apps/beeswax/src/beeswax/views.py
:100644 100644 a48abc5e33... 1a065078bc... M	apps/filebrowser/src/filebrowser/views.py
:100644 100644 d7d9a6f9a6... 8f28112773... M	apps/hbase/src/hbase/views.py
:100644 100644 bd59e96be4... 599440e74b... M	apps/jobbrowser/src/jobbrowser/api.py
:100644 100644 5ffad3ed69... 0b2edc033f... M	apps/jobbrowser/src/jobbrowser/models.py
:100644 100644 ea2710eab4... 020b74cb39... M	apps/jobbrowser/src/jobbrowser/views.py
:100644 100644 4e8bf7f2e7... b86a7c70c4... M	apps/jobsub/src/jobsub/views.py
:100644 100644 bc3a22b144... 73c7aef660... M	apps/metastore/src/metastore/views.py
:100644 100644 24d464a9e0... 5e60a562e7... M	apps/oozie/src/oozie/decorators.py
:100644 100644 67fc7239b7... 867835378f... M	apps/oozie/src/oozie/models.py
:100644 100644 b447966dd3... 2f5e26b5f3... M	apps/oozie/src/oozie/views/dashboard.py
:100644 100644 7292c0ef20... 37c17e9288... M	apps/oozie/src/oozie/views/editor.py
:100644 100644 331948101d... 3480f25e51... M	apps/pig/src/pig/api.py
:100644 100644 84f2f9fca4... c3dcd1f100... M	apps/pig/src/pig/models.py
:100644 100644 362a81652b... 0f6531d05a... M	apps/search/src/search/views.py
:100644 100644 d07fbc7c6a... 84550d95e9... M	apps/security/src/security/views.py
:100644 100644 6592002438... c6fa5a8306... M	apps/useradmin/src/useradmin/models.py
:100644 100644 9bd9b97f14... 4972d17d1e... M	apps/useradmin/src/useradmin/settings.py
:100644 100644 f15f76e0c7... b2c476864f... M	apps/useradmin/src/useradmin/templates/edit_user.mako
:100644 100644 577f2d4354... 956e95b49e... M	apps/useradmin/src/useradmin/templates/layout.mako
:100644 100644 fb22156197... c9991d68d5... M	apps/useradmin/src/useradmin/templates/list_groups.mako
:100644 100644 c567e3869f... f120c387b3... M	apps/useradmin/src/useradmin/templates/list_permissions.mako
:100644 100644 e418e20b08... 8bae7dd2f1... M	apps/useradmin/src/useradmin/templates/list_users.mako
:100644 100644 2827137e03... c627c337fd... M	apps/useradmin/src/useradmin/tests.py
:100644 100644 61316468ee... 25a1816f31... M	apps/useradmin/src/useradmin/views.py
:100644 100644 ff57c7c0bf... 93f3cc4f46... M	apps/zookeeper/src/zookeeper/templates/tree.mako
:100644 100644 f24d9f7fcd... 0a951a1708... M	apps/zookeeper/src/zookeeper/views.py
:100644 100644 3594a25b32... 0d84e48d3d... M	desktop/core/src/desktop/auth/forms.py
:100644 100644 fb88584ec8... 726db4863c... M	desktop/core/src/desktop/decorators.py
:100644 100644 ad99c05e78... 35bfffe84e... M	desktop/core/src/desktop/lib/fs/proxyfs.py
:100644 100644 560586dfba... 63b9d559bf... M	desktop/core/src/desktop/middleware.py
:100644 100644 5635911f71... 14ca879119... M	desktop/core/src/desktop/models.py
:000000 100644 0000000000... 3c900e420d... A	desktop/core/src/desktop/permissions.py
:100644 100644 78e405eb95... 93b86402bb... M	desktop/core/src/desktop/templates/500.mako
:100644 100644 61fa876baf... dc06f0e22d... M	desktop/core/src/desktop/templates/about_layout.mako
:100644 100644 04e250e11b... 28d699269d... M	desktop/core/src/desktop/templates/common_header.mako
:100644 100644 4e702a34c8... ca93254a21... M	desktop/core/src/desktop/templates/common_home.mako
:100644 100644 0ac27f9c78... d46b38f4f6... M	desktop/core/src/desktop/templates/error.mako
:100644 100644 7572ec8de3... 9544091696... M	desktop/core/src/desktop/templates/hue.mako
:100644 100644 3f199c809b... 9531a2b9f1... M	desktop/core/src/desktop/templates/popup_error.mako
:100644 100644 e500aa719c... c5eb216a57... M	desktop/core/src/desktop/views.py
:100644 100644 da689b758a... c23bcd8466... M	desktop/libs/aws/src/aws/conf.py
:100644 100644 07bbd08f0e... 904f6ce573... M	desktop/libs/azure/src/azure/conf.py
:100644 100644 c5ae985991... 01efb9a7ec... M	desktop/libs/dashboard/src/dashboard/controller.py
:100644 100644 a155f85cb3... a7ef48e141... M	desktop/libs/dashboard/src/dashboard/templates/no_collections.mako
:100644 100644 fe718dceee... 7c57007eac... M	desktop/libs/liboozie/src/liboozie/types.py
:100644 100644 08218d86e2... 1a8ed435ae... M	desktop/libs/metadata/src/metadata/conf.py
:100644 100644 f7d29ac73f... f903df7133... M	desktop/libs/metadata/src/metadata/optimizer_api.py
:100644 100644 db3b90f7b6... be16f9ea9c... M	desktop/libs/metadata/src/metadata/optimizer_client.py
:100644 100644 3d20f86acc... 5ee1d40861... M	desktop/libs/notebook/src/notebook/connectors/hiveserver2.py
:100644 100644 af4163e06b... 20d2f270ca... M	desktop/libs/notebook/src/notebook/templates/editor_components.mako

Made sure the tests were successful for useradmin.
Tested on a kerberized nightly cluster:
- Logged in as superuser and confirmed overall access was correct, jobbrowser, useradmin, add/delete users, groups. Hue Administration.
- Logged in as non-superuser and did the same, confirmed access was restricted.
- Created a user that did not have superuser checked, added superuser to a group, added this user to that group. Confirmed new access to the above.

  1. Ship It!
  2. 
      
  1. 
      
  2. apps/useradmin/src/useradmin/models.py (Diff revision 2)
     
     

    Can I just double-check that this doesn't mean that the default role will get superuser privileges?

    1. Yup, those not calls are exclusions from what goes in the default group. For example security impersonate is also something we don't want to give:

      not (new_dp.app == 'security' and new_dp.action == 'impersonate') and \

      That's in the same code chunk.

  3. 
      
  1. Nice! One main comment!

    Would it work to augment the default user with: is_admin

    https://github.com/cloudera/hue/blob/master/desktop/core/src/desktop/auth/backend.py#L89

    def is_admin():
      return user.is_superuser or user.has_hue_permission(action="superuser", app="useradmin")

    and then we rename all the user.is_superuser to user.is_admin? (that way we keep it more objects and we don't need permissions.py?)

    1. Yeah, let me make the change and test it!

  2. apps/useradmin/src/useradmin/tests.py (Diff revision 2)
     
     

    nit:
    assert_equal(..., 2)

  3. apps/useradmin/src/useradmin/tests.py (Diff revision 2)
     
     

    nit: assert_false(supertest.is_superuser)

  4. apps/useradmin/src/useradmin/tests.py (Diff revision 2)
     
     
    nit: double #
  5. apps/useradmin/src/useradmin/tests.py (Diff revision 2)
     
     

    nit: assert_equal(..., 1)

  6. apps/useradmin/src/useradmin/tests.py (Diff revision 2)
     
     

    nit: remove?

  7. apps/useradmin/src/useradmin/tests.py (Diff revision 2)
     
     

    nit: assert_equal(...count(), 1)

  8. desktop/core/src/desktop/permissions.py (Diff revision 2)
     
     

    nit:

    if not is_superuser:

  9. desktop/core/src/desktop/permissions.py (Diff revision 2)
     
     

    This call should be cached normally by the Django ORM, if not we are going to see a bunch of extra calls

    1. So it seems that has_hue_permission is automatically cached, is that right? So I don't really need to do anything here?

      def _lookup_permission(self, app, action):
        # We cache it instead of doing HuePermission.objects.get(app=app, action=action). To revert with Django 1.6
        perms = cache.get('perms')
        if not perms:
          perms = dict([('%s:%s' % (p.app, p.action), p) for p in HuePermission.objects.all()])
          cache.set('perms', perms, 60 * 60)
        return perms.get('%s:%s' % (app, action))

      def has_hue_permission(self, action=None, app=None, perm=None):
        if perm is None:
          try:
            perm = self._lookup_permission(app, action)
          except HuePermission.DoesNotExist:
            LOG.exception("Permission object %s - %s not available. Was syncdb run after installation?" % (app, action))
            return self.user.is_superuser
        if self.user.is_superuser:
          return True

  10. desktop/core/src/desktop/permissions.py (Diff revision 2)
     
     
     

    nit: can remove reference to e as automatically logged when using LOG.exception, e.g.:

    except:
      LOG.exception("Could not validate if %s is a superuser assuming False." % user)

  11. desktop/core/src/desktop/permissions.py (Diff revision 2)
     
     

    nit: probably not needed

  12. 
      
  1. 
      
  2. Should uncomment? (or could get not defined on line 105)

  3. note: will be slower as not just a boolean field like before, but should be fine in practice

    1. Is there anything I should do to improve this?

  4. 
      
Review request changed

Status: Closed (submitted)
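
The access model discussed in this review, as an added example that is not part of the review request or of Hue's code: admin rights come from either the is_superuser flag or a group-granted useradmin "superuser" permission, the default group never receives privileged permissions, and a failed lookup is treated as "not admin". The classes and sync_default_group are hypothetical stand-ins for Hue's models.

```python
# Added illustration: a self-contained model, not Hue's implementation.
from dataclasses import dataclass, field

# (app, action) pairs that must never land in the default group; both
# pairs are the ones named in the review thread.
PRIVILEGED = {("useradmin", "superuser"), ("security", "impersonate")}


@dataclass(frozen=True)
class Permission:
    app: str
    action: str


@dataclass
class Group:
    name: str
    permissions: set = field(default_factory=set)


@dataclass
class User:
    username: str
    is_superuser: bool = False
    groups: list = field(default_factory=list)

    def has_hue_permission(self, action, app):
        # Simplified stand-in for the real lookup: any group grant counts.
        wanted = Permission(app, action)
        return any(wanted in g.permissions for g in self.groups)

    @property
    def is_admin(self):
        # Flag or group-granted privilege; a lookup error fails closed.
        if self.is_superuser:
            return True
        try:
            return self.has_hue_permission(action="superuser", app="useradmin")
        except Exception:
            return False


def sync_default_group(default_group, all_permissions):
    """Grant every permission to the default group except privileged ones."""
    for p in all_permissions:
        if (p.app, p.action) not in PRIVILEGED:
            default_group.permissions.add(p)
    return default_group
```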
