AMBARI-18365. Authorizations given to roles, should use generic role-based principals rather than hard-coded pseudo-role-based principals (rlevas)

ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/ambariViews/ViewsEditCtrl.js

@@ -23,7 +23,7 @@ angular.module('ambariAdminConsole')
     $scope.identity = angular.identity;
     $scope.isConfigurationEmpty = true;
     $scope.isSettingsEmpty = true;
-    $scope.clusterInheritedPermissionKeys = View.clusterInheritedPermissionKeys;
+    $scope.permissionRoles = View.permissionRoles;
     $scope.constants = {
       instance: $t('views.instance'),
       props: $t('views.properties'),
@@ -352,7 +352,7 @@ angular.module('ambariAdminConsole')
                 data.ViewInstanceInfo.properties[element.name] = $scope.configuration[element.name];
               }
             });
-            $scope.clearClusterInheritedPermissions();
+            $scope.removeAllRolePermissions();
 
           }
 
@@ -417,9 +417,9 @@ angular.module('ambariAdminConsole')
         });
     };
 
-    $scope.clearClusterInheritedPermissions = function() {
-      angular.forEach(View.clusterInheritedPermissionKeys, function(key) {
-        $scope.permissionsEdit["VIEW.USER"][key] = false;
+    $scope.removeAllRolePermissions = function() {
+      angular.forEach(View.permissionRoles, function(key) {
+        $scope.permissionsEdit["VIEW.USER"]["ROLE"][key] = false;
       })
     };
 
@@ -510,11 +510,9 @@ angular.module('ambariAdminConsole')
     };
 
     function setAllViewRoles(value) {
-      var viewRoles = $scope.permissionsEdit["VIEW.USER"];
+      var viewRoles = $scope.permissionsEdit["VIEW.USER"]["ROLE"];
       for (var role in viewRoles) {
-        if ($scope.clusterInheritedPermissionKeys.indexOf(role) !== -1) {
-          viewRoles[role] = value;
-        }
+        $scope.permissionsEdit["VIEW.USER"]["ROLE"][role] = value;
       }
     }
   }]);

ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js

@@ -229,11 +229,11 @@ angular.module('ambariAdminConsole')
 
       'clusterPermissions': {
         'label': 'Local Cluster Permissions',
-        'allclusteradministrator': 'Cluster Administrator',
-        'allclusteroperator': 'Cluster Operator',
-        'allclusteruser': 'Cluster User',
-        'allserviceadministrator': 'Service Administrator',
-        'allserviceoperator': 'Service Operator',
+        'clusteradministrator': 'Cluster Administrator',
+        'clusteroperator': 'Cluster Operator',
+        'clusteruser': 'Cluster User',
+        'serviceadministrator': 'Service Administrator',
+        'serviceoperator': 'Service Operator',
         'infoMessage': 'Grant <strong>Use</strong> permission for the following <strong>{{cluster}}</strong> Roles:',
         'nonLocalClusterMessage': 'The ability to inherit view <strong>Use</strong> permission based on Cluster Roles is only available when using a Local Cluster configuration.'
       },

ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionLoader.js

@@ -28,8 +28,9 @@ angular.module('ambariAdminConsole')
       angular.forEach(permissions, function(permission) {
         permission.GROUP = [];
         permission.USER = [];
-        angular.forEach(View.clusterInheritedPermissionKeys, function(key) {
-          permission[key] = false;
+        permission.ROLE = {};
+        angular.forEach(View.permissionRoles, function(key) {
+          permission.ROLE[key] = false;
         });
         permissionsInner[permission.PermissionInfo.permission_name] = permission;
       });
@@ -37,10 +38,10 @@ angular.module('ambariAdminConsole')
       // Now we can get privileges
       resource.getPrivileges(params).then(function(privileges) {
         angular.forEach(privileges, function(privilege) {
-          if(!privilege.PrivilegeInfo.principal_type.startsWith("ALL.")) {
-            permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type].push(privilege.PrivilegeInfo.principal_name);
+          if(privilege.PrivilegeInfo.principal_type == "ROLE") {
+            permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type][privilege.PrivilegeInfo.principal_name] = true;
           } else {
-            permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type] = true;
+            permissionsInner[privilege.PrivilegeInfo.permission_name][privilege.PrivilegeInfo.principal_type].push(privilege.PrivilegeInfo.principal_name);
           }
         });
 

ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/PermissionsSaver.js

@@ -48,13 +48,13 @@ angular.module('ambariAdminConsole')
         }
       }));
 
-      angular.forEach(View.clusterInheritedPermissionKeys, function(key) {
-        if(permission[key] === true) {
+      angular.forEach(View.permissionRoles, function(key) {
+        if(permission.ROLE[key] === true) {
           arr.push({
             'PrivilegeInfo': {
               'permission_name': 'VIEW.USER',
-              'principal_name': '*',
-              'principal_type': key
+              'principal_name': key,
+              'principal_type': 'ROLE'
             }
           });
         }

ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/View.js

@@ -191,12 +191,12 @@ angular.module('ambariAdminConsole')
     self.versionsList = item.versions;
   }
 
-  View.clusterInheritedPermissionKeys = [
-    "ALL.CLUSTER.ADMINISTRATOR",
-    "ALL.CLUSTER.OPERATOR",
-    "ALL.SERVICE.OPERATOR",
-    "ALL.SERVICE.ADMINISTRATOR",
-    "ALL.CLUSTER.USER"
+  View.permissionRoles = [
+    "CLUSTER.ADMINISTRATOR",
+    "CLUSTER.OPERATOR",
+    "SERVICE.OPERATOR",
+    "SERVICE.ADMINISTRATOR",
+    "CLUSTER.USER"
   ];
 
   View.getInstance = function(viewName, version, instanceName) {

ambari-admin/src/main/resources/ui/admin-web/app/views/ambariViews/edit.html

@@ -287,10 +287,10 @@
         <span translate="views.clusterPermissions.infoMessage" translate-values="{cluster: cluster.name}"></span>
       </div>
       <div class="col-sm-offset-2 col-sm-10">
-        <div class="checkbox col-sm-12" ng-repeat="key in clusterInheritedPermissionKeys">
+        <div class="checkbox col-sm-12" ng-repeat="key in permissionRoles">
           <div ng-init="i18nKey = 'views.clusterPermissions.' + key.split('.').join('').toLowerCase()">
             <label>
-              <input type="checkbox" ng-model="permissionsEdit['VIEW.USER'][key]"> {{i18nKey | translate}}
+              <input type="checkbox" ng-model="permissionsEdit['VIEW.USER']['ROLE'][key]"> {{i18nKey | translate}}
             </label>
           </div>
         </div>

ambari-admin/src/main/resources/ui/admin-web/test/unit/services/PermissionSaver_test.js

@@ -178,11 +178,13 @@ describe('PermissionSaver Service', function () {
           'PermissionInfo': {
             permission_name: 'VIEW.USER'
           },
-          'ALL.CLUSTER.ADMINISTRATOR': true,
-          'ALL.CLUSTER.OPERATOR': false,
-          'ALL.SERVICE.OPERATOR': false,
-          'ALL.SERVICE.ADMINISTRATOR': false,
-          'ALL.CLUSTER.USER': false,
+          'ROLE': {
+            'CLUSTER.ADMINISTRATOR': true,
+            'CLUSTER.OPERATOR': false,
+            'SERVICE.OPERATOR': false,
+            'SERVICE.ADMINISTRATOR': false,
+            'CLUSTER.USER': false
+          },
           'USER': ['u0', 'u1', 'g0'],
           'GROUP': ['g0', 'g1', 'u0']
         }
@@ -233,8 +235,8 @@ describe('PermissionSaver Service', function () {
         {
           PrivilegeInfo: {
             permission_name: 'VIEW.USER',
-            principal_name: '*',
-            principal_type: 'ALL.CLUSTER.ADMINISTRATOR'
+            principal_name: 'CLUSTER.ADMINISTRATOR',
+            principal_type: 'ROLE'
           }
         }
       ];

ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java

@@ -18,11 +18,9 @@
 
 package org.apache.ambari.server.audit.event.request;
 
-import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
-import java.util.Set;
 import java.util.SortedSet;
 import java.util.TreeSet;
 
@@ -47,10 +45,16 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
 
     /**
      * Roles for groups
-     * groupname -> list fo roles
+     * group name -> list of roles
      */
     private Map<String, List<String>> groups;
 
+    /**
+     * Roles for roles
+     * role name -> list of roles
+     */
+    private Map<String, List<String>> roles;
+
     public ClusterPrivilegeChangeRequestAuditEventBuilder() {
       super.withOperation("Role change");
     }
@@ -72,9 +76,10 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
       SortedSet<String> roleSet = new TreeSet<String>();
       roleSet.addAll(users.keySet());
       roleSet.addAll(groups.keySet());
+      roleSet.addAll(roles.keySet());
 
       builder.append(", Roles(");
-      if (!users.isEmpty() || !groups.isEmpty()) {
+      if (!users.isEmpty() || !groups.isEmpty()|| !roles.isEmpty()) {
         builder.append(System.lineSeparator());
       }
 
@@ -88,6 +93,9 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
         if (groups.get(role) != null && !groups.get(role).isEmpty()) {
           lines.add("  Groups: " + StringUtils.join(groups.get(role), ", "));
         }
+        if (roles.get(role) != null && !roles.get(role).isEmpty()) {
+          lines.add("  Roles: " + StringUtils.join(roles.get(role), ", "));
+        }
       }
 
       builder.append(StringUtils.join(lines, System.lineSeparator()));
@@ -104,6 +112,11 @@ public class ClusterPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
       this.groups = groups;
       return this;
     }
+
+    public ClusterPrivilegeChangeRequestAuditEventBuilder withRoles(Map<String, List<String>> roles) {
+      this.roles = roles;
+      return this;
+    }
   }
 
   protected ClusterPrivilegeChangeRequestAuditEvent() {

ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java

@@ -18,11 +18,9 @@
 
 package org.apache.ambari.server.audit.event.request;
 
-import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
-import java.util.Set;
 import java.util.SortedSet;
 import java.util.TreeSet;
 
@@ -49,6 +47,11 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
      */
     private Map<String, List<String>> groups;
 
+    /**
+     * Roles with their roles
+     */
+    private Map<String, List<String>> roles;
+
     /**
      * View name
      */
@@ -94,9 +97,10 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
       SortedSet<String> roleSet = new TreeSet<String>();
       roleSet.addAll(users.keySet());
       roleSet.addAll(groups.keySet());
+      roleSet.addAll(roles.keySet());
 
       builder.append(", Permissions(");
-      if (!users.isEmpty() || !groups.isEmpty()) {
+      if (!users.isEmpty() || !groups.isEmpty() || !roles.isEmpty()) {
         builder.append(System.lineSeparator());
       }
 
@@ -110,6 +114,9 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
         if (groups.get(role) != null && !groups.get(role).isEmpty()) {
           lines.add("  Groups: " + StringUtils.join(groups.get(role), ", "));
         }
+        if (roles.get(role) != null && !roles.get(role).isEmpty()) {
+          lines.add("  Roles: " + StringUtils.join(roles.get(role), ", "));
+        }
       }
 
       builder.append(StringUtils.join(lines, System.lineSeparator()));
@@ -141,6 +148,11 @@ public class ViewPrivilegeChangeRequestAuditEvent extends RequestAuditEvent {
       this.groups = groups;
       return this;
     }
+
+    public ViewPrivilegeChangeRequestAuditEventBuilder withRoles(Map<String, List<String>> roles) {
+      this.roles = roles;
+      return this;
+    }
   }
 
   protected ViewPrivilegeChangeRequestAuditEvent() {

ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java

@@ -33,8 +33,6 @@ import org.apache.ambari.server.audit.event.request.PrivilegeChangeRequestAuditE
 import org.apache.ambari.server.controller.internal.PrivilegeResourceProvider;
 import org.apache.ambari.server.controller.spi.Resource;
 import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.core.userdetails.User;
 
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Iterables;
@@ -88,6 +86,7 @@ public class PrivilegeEventCreator implements RequestAuditEventCreator {
 
     Map<String, List<String>> users = getEntities(request, PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME);
     Map<String, List<String>> groups = getEntities(request, PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME);
+    Map<String, List<String>> roles = getEntities(request, PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME);
 
     switch (request.getRequestType()) {
       case PUT:
@@ -99,6 +98,7 @@ public class PrivilegeEventCreator implements RequestAuditEventCreator {
           .withRemoteIp(request.getRemoteAddress())
           .withUsers(users)
           .withGroups(groups)
+          .withRoles(roles)
           .build();
       case POST:
         String role = users.isEmpty() ? Iterables.getFirst(groups.keySet(), null) : Iterables.getFirst(users.keySet(), null);

ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java

@@ -32,8 +32,6 @@ import org.apache.ambari.server.audit.event.request.ViewPrivilegeChangeRequestAu
 import org.apache.ambari.server.controller.internal.ViewPrivilegeResourceProvider;
 import org.apache.ambari.server.controller.spi.Resource;
 import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.core.userdetails.User;
 
 import com.google.common.collect.ImmutableSet;
 
@@ -87,6 +85,7 @@ public class ViewPrivilegeEventCreator implements RequestAuditEventCreator {
 
     Map<String, List<String>> users = getEntities(request, PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME);
     Map<String, List<String>> groups = getEntities(request, PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME);
+    Map<String, List<String>> roles = getEntities(request, PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME);
 
     return ViewPrivilegeChangeRequestAuditEvent.builder()
       .withTimestamp(System.currentTimeMillis())
@@ -99,6 +98,7 @@ public class ViewPrivilegeEventCreator implements RequestAuditEventCreator {
       .withName(RequestAuditEventCreatorHelper.getProperty(request, ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID))
       .withUsers(users)
       .withGroups(groups)
+      .withRoles(roles)
       .build();
 
   }

ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java

@@ -858,7 +858,7 @@ public class AmbariServer {
         injector.getInstance(GroupDAO.class), injector.getInstance(PrincipalDAO.class),
         injector.getInstance(PermissionDAO.class), injector.getInstance(ResourceDAO.class));
     UserPrivilegeResourceProvider.init(injector.getInstance(UserDAO.class), injector.getInstance(ClusterDAO.class),
-        injector.getInstance(GroupDAO.class), injector.getInstance(ViewInstanceDAO.class), injector.getInstance(PrivilegeDAO.class));
+        injector.getInstance(GroupDAO.class), injector.getInstance(ViewInstanceDAO.class), injector.getInstance(Users.class));
     ClusterPrivilegeResourceProvider.init(injector.getInstance(ClusterDAO.class));
     AmbariPrivilegeResourceProvider.init(injector.getInstance(ClusterDAO.class));
     ActionManager.setTopologyManager(injector.getInstance(TopologyManager.class));

ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java

@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -22,6 +22,7 @@ import org.apache.ambari.server.controller.spi.Resource;
 import org.apache.ambari.server.orm.dao.ClusterDAO;
 import org.apache.ambari.server.orm.entities.ClusterEntity;
 import org.apache.ambari.server.orm.entities.GroupEntity;
+import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.apache.ambari.server.orm.entities.PrivilegeEntity;
 import org.apache.ambari.server.orm.entities.ResourceEntity;
 import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
@@ -148,8 +149,10 @@ public class AmbariPrivilegeResourceProvider extends PrivilegeResourceProvider<O
   protected Resource toResource(PrivilegeEntity privilegeEntity,
                                 Map<Long, UserEntity> userEntities,
                                 Map<Long, GroupEntity> groupEntities,
-                                Map<Long, Object> resourceEntities, Set<String> requestedIds) {
-    Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
+                                Map<Long, PermissionEntity> roleEntities,
+                                Map<Long, Object> resourceEntities,
+                                Set<String> requestedIds) {
+    Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
     if (resource != null) {
       ResourceEntity resourceEntity = privilegeEntity.getResource();
       ResourceTypeEntity type = resourceEntity.getResourceType();

ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java

@@ -147,10 +147,11 @@ public class ClusterPrivilegeResourceProvider extends PrivilegeResourceProvider<
   protected Resource toResource(PrivilegeEntity privilegeEntity,
                                 Map<Long, UserEntity> userEntities,
                                 Map<Long, GroupEntity> groupEntities,
+                                Map<Long, PermissionEntity> roleEntities,
                                 Map<Long, ClusterEntity> resourceEntities,
                                 Set<String> requestedIds) {
 
-    Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
+    Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
     if (resource != null) {
       ClusterEntity clusterEntity = resourceEntities.get(privilegeEntity.getResource().getId());
       setResourceProperty(resource, PRIVILEGE_CLUSTER_NAME_PROPERTY_ID, clusterEntity.getClusterName(), requestedIds);

ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProvider.java

@@ -28,7 +28,6 @@ import org.apache.ambari.server.controller.spi.SystemException;
 import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
 import org.apache.ambari.server.orm.dao.ClusterDAO;
 import org.apache.ambari.server.orm.dao.GroupDAO;
-import org.apache.ambari.server.orm.dao.PrivilegeDAO;
 import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
 import org.apache.ambari.server.orm.entities.ClusterEntity;
 import org.apache.ambari.server.orm.entities.GroupEntity;
@@ -38,6 +37,7 @@ import org.apache.ambari.server.orm.entities.ViewEntity;
 import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
 import org.apache.ambari.server.security.authorization.*;
 
+import java.util.Collection;
 import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -81,10 +81,10 @@ public class GroupPrivilegeResourceProvider extends ReadOnlyResourceProvider {
   protected static ViewInstanceDAO viewInstanceDAO;
 
   /**
-   * Data access object used to obtain privilege entities.
+   * Users (helper) object used to obtain privilege entities.
    */
   @Inject
-  protected static PrivilegeDAO privilegeDAO;
+  protected static Users users;
 
   /**
    * The property ids for a privilege resource.
@@ -110,14 +110,14 @@ public class GroupPrivilegeResourceProvider extends ReadOnlyResourceProvider {
    *  @param clusterDAO      the cluster data access object
    * @param groupDAO        the group data access object
    * @param viewInstanceDAO the view instance data access object
-   * @param privilegeDAO
+   * @param users           the users helper instance
    */
   public static void init(ClusterDAO clusterDAO, GroupDAO groupDAO,
-                          ViewInstanceDAO viewInstanceDAO, PrivilegeDAO privilegeDAO) {
+                          ViewInstanceDAO viewInstanceDAO, Users users) {
     GroupPrivilegeResourceProvider.clusterDAO = clusterDAO;
     GroupPrivilegeResourceProvider.groupDAO = groupDAO;
     GroupPrivilegeResourceProvider.viewInstanceDAO = viewInstanceDAO;
-    GroupPrivilegeResourceProvider.privilegeDAO = privilegeDAO;
+    GroupPrivilegeResourceProvider.users = users;
   }
 
   @SuppressWarnings("serial")
@@ -180,11 +180,7 @@ public class GroupPrivilegeResourceProvider extends ReadOnlyResourceProvider {
           throw new SystemException("Group " + groupName + " was not found");
         }
 
-        final Set<PrivilegeEntity> privileges = groupEntity.getPrincipal().getPrivileges();
-
-        Set<PrivilegeEntity> allViewPrivilegesWithClusterPermission =
-          ClusterInheritedPermissionHelper.getViewPrivilegesWithClusterPermission(viewInstanceDAO, privilegeDAO, privileges);
-        privileges.addAll(allViewPrivilegesWithClusterPermission);
+        final Collection<PrivilegeEntity> privileges = users.getGroupPrivileges(groupEntity);
 
         for (PrivilegeEntity privilegeEntity : privileges) {
           resources.add(toResource(privilegeEntity, groupName, requestedIds));

ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java

@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -51,7 +51,7 @@ import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
 import org.apache.ambari.server.orm.entities.PrivilegeEntity;
 import org.apache.ambari.server.orm.entities.ResourceEntity;
 import org.apache.ambari.server.orm.entities.UserEntity;
-import org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper;
+import org.apache.commons.lang.StringUtils;
 
 /**
  * Abstract resource provider for privilege resources.
@@ -195,35 +195,58 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
 
       resourceIds.addAll(resourceEntities.keySet());
 
-      Set<PrivilegeEntity>  entitySet     = new HashSet<PrivilegeEntity>();
-      List<PrincipalEntity> principalList = new LinkedList<PrincipalEntity>();
+      Set<PrivilegeEntity> entitySet = new HashSet<PrivilegeEntity>();
+      List<PrincipalEntity> userPrincipals = new LinkedList<PrincipalEntity>();
+      List<PrincipalEntity> groupPrincipals = new LinkedList<PrincipalEntity>();
+      List<PrincipalEntity> rolePrincipals = new LinkedList<PrincipalEntity>();
 
       List<PrivilegeEntity> entities = privilegeDAO.findAll();
 
       for(PrivilegeEntity privilegeEntity : entities){
         if (resourceIds.contains(privilegeEntity.getResource().getId())) {
           PrincipalEntity principal = privilegeEntity.getPrincipal();
+          String principalType = principal.getPrincipalType().getName();
+
           entitySet.add(privilegeEntity);
-          principalList.add(principal);
+
+          if(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME.equals(principalType)) {
+            userPrincipals.add(principal);
+          }
+          else if(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME.equals(principalType)) {
+            groupPrincipals.add(principal);
+          }
+          else if(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME.equals(principalType)) {
+            rolePrincipals.add(principal);
+          }
         }
       }
 
       Map<Long, UserEntity> userEntities = new HashMap<Long, UserEntity>();
-      List<UserEntity>      userList     = userDAO.findUsersByPrincipal(principalList);
-
-      for (UserEntity userEntity : userList) {
-        userEntities.put(userEntity.getPrincipal().getId(), userEntity);
+      if(!userPrincipals.isEmpty()) {
+        List<UserEntity> userList = userDAO.findUsersByPrincipal(userPrincipals);
+        for (UserEntity userEntity : userList) {
+          userEntities.put(userEntity.getPrincipal().getId(), userEntity);
+        }
       }
 
       Map<Long, GroupEntity> groupEntities = new HashMap<Long, GroupEntity>();
-      List<GroupEntity>      groupList     = groupDAO.findGroupsByPrincipal(principalList);
+      if(!groupPrincipals.isEmpty()) {
+        List<GroupEntity> groupList = groupDAO.findGroupsByPrincipal(groupPrincipals);
+        for (GroupEntity groupEntity : groupList) {
+          groupEntities.put(groupEntity.getPrincipal().getId(), groupEntity);
+        }
+      }
 
-      for (GroupEntity groupEntity : groupList) {
-        groupEntities.put(groupEntity.getPrincipal().getId(), groupEntity);
+      Map<Long, PermissionEntity> roleEntities = new HashMap<Long, PermissionEntity>();
+      if (!rolePrincipals.isEmpty()){
+        List<PermissionEntity> roleList = permissionDAO.findPermissionsByPrincipal(rolePrincipals);
+        for (PermissionEntity roleEntity : roleList) {
+          roleEntities.put(roleEntity.getPrincipal().getId(), roleEntity);
+        }
       }
 
       for(PrivilegeEntity privilegeEntity : entitySet){
-        Resource resource = toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
+        Resource resource = toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
         if (resource != null && (predicate == null || predicate.evaluate(resource))) {
           resources.add(resource);
         }
@@ -281,6 +304,7 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
    * @param privilegeEntity   the privilege entity to be converted
    * @param userEntities      the map of user entities keyed by resource id
    * @param groupEntities     the map of group entities keyed by resource id
+   * @param roleEntities      the map of role entities keyed by resource id
    * @param resourceEntities  the map of resource entities keyed by resource id
    * @param requestedIds      the requested property ids
    *
@@ -289,29 +313,48 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
   protected Resource toResource(PrivilegeEntity privilegeEntity,
                                 Map<Long, UserEntity> userEntities,
                                 Map<Long, GroupEntity> groupEntities,
+                                Map<Long, PermissionEntity> roleEntities,
                                 Map<Long, T> resourceEntities,
                                 Set<String> requestedIds) {
     Resource resource = new ResourceImpl(resourceType);
 
-    setResourceProperty(resource, PRIVILEGE_ID_PROPERTY_ID,
-        privilegeEntity.getId(), requestedIds);
-    setResourceProperty(resource, PERMISSION_NAME_PROPERTY_ID,
-        privilegeEntity.getPermission().getPermissionName(), requestedIds);
-    setResourceProperty(resource, PERMISSION_LABEL_PROPERTY_ID,
-        privilegeEntity.getPermission().getPermissionLabel(), requestedIds);
-
-    PrincipalEntity principal   = privilegeEntity.getPrincipal();
-    Long            principalId = principal.getId();
-
-    if (userEntities.containsKey(principalId)) {
-      UserEntity userEntity = userEntities.get(principalId);
-      setResourceProperty(resource, PRINCIPAL_NAME_PROPERTY_ID, userEntity.getUserName(), requestedIds);
-    } else if (groupEntities.containsKey(principalId)){
-      GroupEntity groupEntity = groupEntities.get(principalId);
-      setResourceProperty(resource, PRINCIPAL_NAME_PROPERTY_ID, groupEntity.getGroupName(), requestedIds);
+    PrincipalEntity principal = privilegeEntity.getPrincipal();
+    String principalTypeName = null;
+    String resourcePropertyName = null;
+
+    if(principal != null) {
+      PrincipalTypeEntity principalType = principal.getPrincipalType();
+
+      if (principalType != null) {
+        Long principalId = principal.getId();
+
+        principalTypeName = principalType.getName();
+
+        if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME, principalTypeName)) {
+          GroupEntity groupEntity = groupEntities.get(principalId);
+          if (groupEntity != null) {
+            resourcePropertyName = groupEntity.getGroupName();
+          }
+        } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME, principalTypeName)) {
+          PermissionEntity roleEntity = roleEntities.get(principalId);
+          if (roleEntity != null) {
+            resourcePropertyName = roleEntity.getPermissionName();
+          }
+        } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME, principalTypeName)) {
+          UserEntity userEntity = userEntities.get(principalId);
+          if (userEntity != null) {
+            resourcePropertyName = userEntity.getUserName();
+          }
+        }
+      }
     }
 
-    setResourceProperty(resource, PRINCIPAL_TYPE_PROPERTY_ID, principal.getPrincipalType().getName(), requestedIds);
+    setResourceProperty(resource, PRIVILEGE_ID_PROPERTY_ID, privilegeEntity.getId(), requestedIds);
+    setResourceProperty(resource, PERMISSION_NAME_PROPERTY_ID, privilegeEntity.getPermission().getPermissionName(), requestedIds);
+    setResourceProperty(resource, PERMISSION_LABEL_PROPERTY_ID, privilegeEntity.getPermission().getPermissionLabel(), requestedIds);
+    setResourceProperty(resource, PRINCIPAL_NAME_PROPERTY_ID, resourcePropertyName, requestedIds);
+    setResourceProperty(resource, PRINCIPAL_TYPE_PROPERTY_ID, principalTypeName, requestedIds);
+
     return resource;
   }
 
@@ -339,18 +382,21 @@ public abstract class PrivilegeResourceProvider<T> extends AbstractAuthorizedRes
 
     String principalName = (String) properties.get(PRINCIPAL_NAME_PROPERTY_ID);
     String principalType = (String) properties.get(PRINCIPAL_TYPE_PROPERTY_ID);
-    if (PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)) {
+    if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME, principalType)) {
       GroupEntity groupEntity = groupDAO.findGroupByName(principalName);
       if (groupEntity != null) {
         entity.setPrincipal(principalDAO.findById(groupEntity.getPrincipal().getId()));
       }
-    } else if (PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)) {
+    } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME, principalType)) {
+      PermissionEntity permissionEntity = permissionDAO.findByName(principalName);
+      if (permissionEntity != null) {
+        entity.setPrincipal(principalDAO.findById(permissionEntity.getPrincipal().getId()));
+      }
+    } else if (StringUtils.equalsIgnoreCase(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME, principalType)) {
       UserEntity userEntity = userDAO.findUserByName(principalName);
       if (userEntity != null) {
         entity.setPrincipal(principalDAO.findById(userEntity.getPrincipal().getId()));
       }
-    } else if (ClusterInheritedPermissionHelper.isValidPrincipalType(principalType)) {
-      entity.setPrincipal(principalDAO.findByPrincipalType(principalType).get(0)); // There will be only one principal for that type
     } else {
       throw new AmbariException("Unknown principal type " + principalType);
     }

ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java

@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -17,8 +17,6 @@
  */
 package org.apache.ambari.server.controller.internal;
 
-import com.google.common.base.Function;
-import com.google.common.collect.FluentIterable;
 import org.apache.ambari.server.controller.spi.NoSuchParentResourceException;
 import org.apache.ambari.server.controller.spi.NoSuchResourceException;
 import org.apache.ambari.server.controller.spi.Predicate;
@@ -28,26 +26,23 @@ import org.apache.ambari.server.controller.spi.SystemException;
 import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
 import org.apache.ambari.server.orm.dao.ClusterDAO;
 import org.apache.ambari.server.orm.dao.GroupDAO;
-import org.apache.ambari.server.orm.dao.PrivilegeDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
 import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
 import org.apache.ambari.server.orm.entities.ClusterEntity;
 import org.apache.ambari.server.orm.entities.GroupEntity;
-import org.apache.ambari.server.orm.entities.MemberEntity;
 import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
 import org.apache.ambari.server.orm.entities.PrivilegeEntity;
-import org.apache.ambari.server.orm.entities.ResourceEntity;
 import org.apache.ambari.server.orm.entities.UserEntity;
 import org.apache.ambari.server.orm.entities.ViewEntity;
 import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
 import org.apache.ambari.server.security.authorization.AuthorizationException;
 import org.apache.ambari.server.security.authorization.AuthorizationHelper;
-import org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper;
 import org.apache.ambari.server.security.authorization.ResourceType;
 import org.apache.ambari.server.security.authorization.RoleAuthorization;
 import org.apache.ambari.server.security.authorization.UserType;
+import org.apache.ambari.server.security.authorization.Users;
 
-import javax.annotation.Nullable;
+import java.util.Collection;
 import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -59,17 +54,17 @@ import java.util.Set;
  */
 public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
 
-  protected static final String PRIVILEGE_PRIVILEGE_ID_PROPERTY_ID    = PrivilegeResourceProvider.PRIVILEGE_ID_PROPERTY_ID;
+  protected static final String PRIVILEGE_PRIVILEGE_ID_PROPERTY_ID = PrivilegeResourceProvider.PRIVILEGE_ID_PROPERTY_ID;
   protected static final String PRIVILEGE_PERMISSION_NAME_PROPERTY_ID = PrivilegeResourceProvider.PERMISSION_NAME_PROPERTY_ID;
   protected static final String PRIVILEGE_PERMISSION_LABEL_PROPERTY_ID = PrivilegeResourceProvider.PERMISSION_LABEL_PROPERTY_ID;
-  protected static final String PRIVILEGE_PRINCIPAL_NAME_PROPERTY_ID  = PrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID;
-  protected static final String PRIVILEGE_PRINCIPAL_TYPE_PROPERTY_ID  = PrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID;
-  protected static final String PRIVILEGE_VIEW_NAME_PROPERTY_ID       = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_NAME_PROPERTY_ID;
-  protected static final String PRIVILEGE_VIEW_VERSION_PROPERTY_ID    = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_VERSION_PROPERTY_ID;
-  protected static final String PRIVILEGE_INSTANCE_NAME_PROPERTY_ID   = ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID;
-  protected static final String PRIVILEGE_CLUSTER_NAME_PROPERTY_ID    = ClusterPrivilegeResourceProvider.PRIVILEGE_CLUSTER_NAME_PROPERTY_ID;
-  protected static final String PRIVILEGE_TYPE_PROPERTY_ID            = AmbariPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID;
-  protected static final String PRIVILEGE_USER_NAME_PROPERTY_ID       = "PrivilegeInfo/user_name";
+  protected static final String PRIVILEGE_PRINCIPAL_NAME_PROPERTY_ID = PrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID;
+  protected static final String PRIVILEGE_PRINCIPAL_TYPE_PROPERTY_ID = PrivilegeResourceProvider.PRINCIPAL_TYPE_PROPERTY_ID;
+  protected static final String PRIVILEGE_VIEW_NAME_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_NAME_PROPERTY_ID;
+  protected static final String PRIVILEGE_VIEW_VERSION_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_VERSION_PROPERTY_ID;
+  protected static final String PRIVILEGE_INSTANCE_NAME_PROPERTY_ID = ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID;
+  protected static final String PRIVILEGE_CLUSTER_NAME_PROPERTY_ID = ClusterPrivilegeResourceProvider.PRIVILEGE_CLUSTER_NAME_PROPERTY_ID;
+  protected static final String PRIVILEGE_TYPE_PROPERTY_ID = AmbariPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID;
+  protected static final String PRIVILEGE_USER_NAME_PROPERTY_ID = "PrivilegeInfo/user_name";
 
   /**
    * Data access object used to obtain user entities.
@@ -92,9 +87,9 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
   protected static ViewInstanceDAO viewInstanceDAO;
 
   /**
-   * DAO used to obtain privilege entities.
+   * Helper to obtain privilege data for requested users
    */
-  protected static PrivilegeDAO privilegeDAO;
+  private static Users users;
 
   /**
    * The property ids for a privilege resource.
@@ -120,15 +115,15 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
    * @param clusterDAO      the cluster data access object
    * @param groupDAO        the group data access object
    * @param viewInstanceDAO the view instance data access object
-   * @param privilegeDAO
+   * @param users           the Users helper object
    */
   public static void init(UserDAO userDAO, ClusterDAO clusterDAO, GroupDAO groupDAO,
-                          ViewInstanceDAO viewInstanceDAO, PrivilegeDAO privilegeDAO) {
+                          ViewInstanceDAO viewInstanceDAO, Users users) {
     UserPrivilegeResourceProvider.userDAO         = userDAO;
     UserPrivilegeResourceProvider.clusterDAO      = clusterDAO;
     UserPrivilegeResourceProvider.groupDAO        = groupDAO;
     UserPrivilegeResourceProvider.viewInstanceDAO = viewInstanceDAO;
-    UserPrivilegeResourceProvider.privilegeDAO    = privilegeDAO;
+    UserPrivilegeResourceProvider.users           = users;
   }
 
   @SuppressWarnings("serial")
@@ -199,15 +194,7 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
           throw new SystemException("User " + userName + " was not found");
         }
 
-        final Set<PrivilegeEntity> privileges = userEntity.getPrincipal().getPrivileges();
-
-        for (MemberEntity membership : userEntity.getMemberEntities()) {
-          privileges.addAll(membership.getGroup().getPrincipal().getPrivileges());
-        }
-
-        Set<PrivilegeEntity> allViewPrivilegesWithClusterPermission =
-          ClusterInheritedPermissionHelper.getViewPrivilegesWithClusterPermission(viewInstanceDAO, privilegeDAO, privileges);
-        privileges.addAll(allViewPrivilegesWithClusterPermission);
+        final Collection<PrivilegeEntity> privileges = users.getUserPrivileges(userEntity);
 
         for (PrivilegeEntity privilegeEntity : privileges) {
           resources.add(toResource(privilegeEntity, userName, requestedIds));

ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java

@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -191,8 +191,10 @@ public class ViewPrivilegeResourceProvider extends PrivilegeResourceProvider<Vie
   protected Resource toResource(PrivilegeEntity privilegeEntity,
                                 Map<Long, UserEntity> userEntities,
                                 Map<Long, GroupEntity> groupEntities,
-                                Map<Long, ViewInstanceEntity> resourceEntities, Set<String> requestedIds) {
-    Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, requestedIds);
+                                Map<Long, PermissionEntity> roleEntities,
+                                Map<Long, ViewInstanceEntity> resourceEntities,
+                                Set<String> requestedIds) {
+    Resource resource = super.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, requestedIds);
     if (resource != null) {
 
       ViewInstanceEntity viewInstanceEntity = resourceEntities.get(privilegeEntity.getResource().getId());

ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PermissionDAO.java

@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -18,6 +18,7 @@
 
 package org.apache.ambari.server.orm.dao;
 
+import java.util.Collections;
 import java.util.List;
 
 import javax.persistence.EntityManager;
@@ -25,6 +26,7 @@ import javax.persistence.TypedQuery;
 
 import org.apache.ambari.server.orm.RequiresSession;
 import org.apache.ambari.server.orm.entities.PermissionEntity;
+import org.apache.ambari.server.orm.entities.PrincipalEntity;
 import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
 
 import com.google.inject.Inject;
@@ -79,6 +81,37 @@ public class PermissionDAO {
     return entityManagerProvider.get().find(PermissionEntity.class, id);
   }
 
+  /**
+   * Find a permission entity with the given name.
+   *
+   * @param name  permission name
+   *
+   * @return  a matching permission entity or null
+   */
+  @RequiresSession
+  public PermissionEntity findByName(String name) {
+    TypedQuery<PermissionEntity> query = entityManagerProvider.get().createNamedQuery("PermissionEntity.findByName", PermissionEntity.class);
+    query.setParameter("permissionName", name);
+    return daoUtils.selectSingle(query);
+  }
+
+  /**
+   * Find the permission entities for the given list of principals
+   *
+   * @param principalList  the list of principal entities
+   *
+   * @return the list of permissions (or roles) matching the query
+   */
+  @RequiresSession
+  public List<PermissionEntity> findPermissionsByPrincipal(List<PrincipalEntity> principalList) {
+    if (principalList == null || principalList.isEmpty()) {
+      return Collections.emptyList();
+    }
+    TypedQuery<PermissionEntity> query = entityManagerProvider.get().createNamedQuery("PermissionEntity.findByPrincipals", PermissionEntity.class);
+    query.setParameter("principalList", principalList);
+    return daoUtils.selectList(query);
+  }
+
   /**
    * Find all permission entities.
    *

ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java

@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -121,4 +121,15 @@ public class PrincipalDAO {
   public PrincipalEntity merge(PrincipalEntity entity) {
     return entityManagerProvider.get().merge(entity);
   }
+
+  /**
+   * Remove the entity instance.
+   *
+   * @param entity  entity to remove
+   */
+  @Transactional
+  public void remove(PrincipalEntity entity) {
+    entityManagerProvider.get().remove(entity);
+  }
+
 }

ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalTypeDAO.java

@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -59,6 +59,20 @@ public class PrincipalTypeDAO {
     return entityManagerProvider.get().find(PrincipalTypeEntity.class, id);
   }
 
+  /**
+   * Find a principal type entity with the given name.
+   *
+   * @param name  principal type name
+   *
+   * @return  a matching principal type entity or null
+   */
+  @RequiresSession
+  public PrincipalTypeEntity findByName(String name) {
+    TypedQuery<PrincipalTypeEntity> query = entityManagerProvider.get().createNamedQuery("PrincipalTypeEntity.findByName", PrincipalTypeEntity.class);
+    query.setParameter("name", name);
+    return daoUtils.selectSingle(query);
+  }
+
   /**
    * Find all principal types.
    *
@@ -85,6 +99,16 @@ public class PrincipalTypeDAO {
     return entityManagerProvider.get().merge(entity);
   }
 
+  /**
+   * Remove the entity instance.
+   *
+   * @param entity entity to remove
+   */
+  @Transactional
+  public void remove(PrincipalTypeEntity entity) {
+    entityManagerProvider.get().remove(entity);
+  }
+
   /**
    * Creates and returns principal type if it wasn't persisted yet.
    *
@@ -104,6 +128,9 @@ public class PrincipalTypeDAO {
         case PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE:
           principalTypeEntity.setName(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME);
           break;
+        case PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE:
+          principalTypeEntity.setName(PrincipalTypeEntity.ROLE_PRINCIPAL_TYPE_NAME);
+          break;
         default:
           throw new IllegalArgumentException("Unknown principal type ID=" + principalType);
       }

ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java

@@ -29,6 +29,8 @@ import javax.persistence.JoinColumns;
 import javax.persistence.JoinTable;
 import javax.persistence.ManyToMany;
 import javax.persistence.ManyToOne;
+import javax.persistence.NamedQueries;
+import javax.persistence.NamedQuery;
 import javax.persistence.OneToOne;
 import javax.persistence.Table;
 import javax.persistence.TableGenerator;
@@ -44,6 +46,10 @@ import java.util.Collection;
     , pkColumnValue = "permission_id_seq"
     , initialValue = 100
 )
+@NamedQueries({
+    @NamedQuery(name = "PermissionEntity.findByName", query = "SELECT p FROM PermissionEntity p WHERE p.permissionName = :permissionName"),
+    @NamedQuery(name = "PermissionEntity.findByPrincipals", query = "SELECT p FROM PermissionEntity p WHERE p.principal IN :principalList")
+})
 public class PermissionEntity {
 
   /**

ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalTypeEntity.java

@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -30,6 +30,9 @@ import javax.persistence.*;
     , pkColumnValue = "principal_type_id_seq"
     , initialValue = 100
 )
+@NamedQueries({
+    @NamedQuery(name = "PrincipalTypeEntity.findByName", query = "SELECT p FROM PrincipalTypeEntity p WHERE p.name = :name")
+})
 public class PrincipalTypeEntity {
 
   /**
@@ -37,19 +40,11 @@ public class PrincipalTypeEntity {
    */
   public static final int USER_PRINCIPAL_TYPE  = 1;
   public static final int GROUP_PRINCIPAL_TYPE = 2;
-  public static final int CLUSTER_ADMINISTRATOR_PRINCIPAL_TYPE = 3;
-  public static final int CLUSTER_OPERATOR_PRINCIPAL_TYPE = 4;
-  public static final int CLUSTER_USER_PRINCIPAL_TYPE = 5;
-  public static final int SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE = 6;
-  public static final int SERVICE_OPERATOR_PRINCIPAL_TYPE = 7;
+  public static final int ROLE_PRINCIPAL_TYPE = 8;
 
   public static final String USER_PRINCIPAL_TYPE_NAME  = "USER";
   public static final String GROUP_PRINCIPAL_TYPE_NAME = "GROUP";
-  public static final String CLUSTER_ADMINISTRATOR_PRINCIPAL_TYPE_NAME = "ALL.CLUSTER.ADMINISTRATOR";
-  public static final String CLUSTER_OPERATOR_PRINCIPAL_TYPE_NAME = "ALL.CLUSTER.OPERATOR";
-  public static final String CLUSTER_USER_PRINCIPAL_TYPE_NAME = "ALL.CLUSTER.USER";
-  public static final String SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE_NAME = "ALL.SERVICE.ADMINISTRATOR";
-  public static final String SERVICE_OPERATOR_PRINCIPAL_TYPE_NAME = "ALL.SERVICE.OPERATOR";
+  public static final String ROLE_PRINCIPAL_TYPE_NAME = "ROLE";
 
   /**
    * The type id.

ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java

@@ -17,9 +17,6 @@
  */
 package org.apache.ambari.server.security.authorization;
 
-import com.google.common.base.Function;
-import com.google.common.base.Predicate;
-import com.google.common.collect.FluentIterable;
 import com.google.common.collect.Lists;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
@@ -30,7 +27,6 @@ import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.apache.ambari.server.orm.entities.PrivilegeEntity;
 import org.apache.ambari.server.orm.entities.ResourceEntity;
 import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity;
-import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.core.Authentication;
@@ -47,10 +43,10 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 
-@Singleton
 /**
  * Provides utility methods for authentication functionality
  */
+@Singleton
 public class AuthorizationHelper {
   private final static Logger LOG = LoggerFactory.getLogger(AuthorizationHelper.class);
 
@@ -230,56 +226,8 @@ public class AuthorizationHelper {
         }
       }
 
-      // Check if the resourceId is a view.
-      // Get all privileges for the resourceId and the principal associated for them should be of all cluster/service
-      // type.
-      // Now from the authorities check if the user privileges with CLUSTER/SERVICE type permission and has access to
-      // cluster resource with the permission.
-      // Then if the permission type matches the cluster/service type principal(names) then the user should have access
-      // to those views.
-
-      if(resourceId == null) {
-        return false;
-      }
-
-      ViewInstanceDAO viewInstanceDAO = viewInstanceDAOProvider.get();
-
-      ViewInstanceEntity instanceEntity = viewInstanceDAO.findByResourceId(resourceId);
-      if(instanceEntity == null || instanceEntity.getClusterHandle() == null) {
-        return false;
-      }
-
-      PrivilegeDAO privilegeDAO = privilegeDAOProvider.get();
-
-      final Set<String> privilegeNames = FluentIterable.from(privilegeDAO.findByResourceId(resourceId))
-        .filter(ClusterInheritedPermissionHelper.privilegeWithClusterInheritedPermissionTypePredicate)
-        .transform(ClusterInheritedPermissionHelper.permissionNameFromClusterInheritedPrivilege)
-        .toSet();
-
-      return FluentIterable.from(authentication.getAuthorities())
-        .filter(new Predicate<GrantedAuthority>() {
-          @Override
-          public boolean apply(GrantedAuthority grantedAuthority) {
-            AmbariGrantedAuthority authority = (AmbariGrantedAuthority) grantedAuthority;
-            PrivilegeEntity privilege = authority.getPrivilegeEntity();
-            String resourceTypeName = privilege.getResource().getResourceType().getName();
-            return ResourceType.translate(resourceTypeName) == ResourceType.CLUSTER;
-          }
-        }).transform(new Function<GrantedAuthority, PermissionEntity>() {
-          @Override
-          public PermissionEntity apply(GrantedAuthority grantedAuthority) {
-            AmbariGrantedAuthority authority = (AmbariGrantedAuthority) grantedAuthority;
-            PrivilegeEntity privilege = authority.getPrivilegeEntity();
-            return privilege.getPermission();
-          }
-        }).anyMatch(new Predicate<PermissionEntity>() {
-          @Override
-          public boolean apply(PermissionEntity input) {
-            return privilegeNames.contains(input.getPermissionName());
-          }
-        });
+      return false;
     }
-
   }
 
   /**

ambari-server/src/main/java/org/apache/ambari/server/security/authorization/ClusterInheritedPermissionHelper.java

@@ -1,213 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.ambari.server.security.authorization;
-
-import com.google.common.base.Function;
-import com.google.common.base.Predicate;
-import com.google.common.collect.FluentIterable;
-import org.apache.ambari.server.orm.dao.PrivilegeDAO;
-import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
-import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
-import org.apache.ambari.server.orm.entities.PrivilegeEntity;
-import org.apache.ambari.server.orm.entities.ResourceEntity;
-import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
-
-import javax.annotation.Nullable;
-import java.util.Collection;
-import java.util.Set;
-
-
-/**
- * Helper class to take care of the cluster inherited permission for any view.
- */
-public class ClusterInheritedPermissionHelper {
-
-  /**
-   * Predicate which validates if the principalType passed is valid or not.
-   */
-  public static final Predicate<String> validPrincipalTypePredicate = new Predicate<String>() {
-    @Override
-    public boolean apply(String principalType) {
-      return isValidPrincipalType(principalType);
-    }
-  };
-
-  /**
-   * Predicate which validates if the privilegeEntity has resourceEntity of type {@see ResourceType.CLUSTER}
-   */
-  public static final Predicate<PrivilegeEntity> clusterPrivilegesPredicate = new Predicate<PrivilegeEntity>() {
-    @Override
-    public boolean apply(PrivilegeEntity privilegeEntity) {
-      String resourceTypeName = privilegeEntity.getResource().getResourceType().getName();
-      return ResourceType.translate(resourceTypeName) == ResourceType.CLUSTER;
-    }
-  };
-
-  /**
-   * Predicate which validates if view instance entity is cluster associated
-   */
-  public static final Predicate<ViewInstanceEntity> clusterAssociatedViewInstancePredicate = new Predicate<ViewInstanceEntity>() {
-    @Override
-    public boolean apply(ViewInstanceEntity viewInstanceEntity) {
-      return viewInstanceEntity.getClusterHandle() != null;
-    }
-  };
-
-  /**
-   * Predicate to validate if the privilege entity has a principal which has a cluster inherited principal type
-   */
-  public static final Predicate<PrivilegeEntity> privilegeWithClusterInheritedPermissionTypePredicate = new Predicate<PrivilegeEntity>() {
-    @Override
-    public boolean apply(PrivilegeEntity privilegeEntity) {
-      String principalTypeName = privilegeEntity.getPrincipal().getPrincipalType().getName();
-      return principalTypeName.startsWith("ALL.");
-    }
-  };
-
-  /**
-   * Mapper to return the Permission Name from the cluster inherited privilege name. Example: "ALL.CLUSTER.USER" becomes "CLUSTER.USER"
-   */
-  public static final Function<PrivilegeEntity, String> permissionNameFromClusterInheritedPrivilege = new Function<PrivilegeEntity, String>() {
-    @Override
-    public String apply(PrivilegeEntity input) {
-      return input.getPrincipal().getPrincipalType().getName().substring(4);
-    }
-  };
-
-  /**
-   * Mapper to return resources from view instance entity.
-   */
-  public static final Function<ViewInstanceEntity, ResourceEntity> resourceFromViewInstanceMapper = new Function<ViewInstanceEntity, ResourceEntity>() {
-    @Override
-    public ResourceEntity apply(ViewInstanceEntity viewInstanceEntity) {
-      return viewInstanceEntity.getResource();
-    }
-  };
-
-  /**
-   * Mapper to return all privileges from resource entity
-   */
-  public static final Function<ResourceEntity, Iterable<PrivilegeEntity>> allPrivilegesFromResoucesMapper = new Function<ResourceEntity, Iterable<PrivilegeEntity>>() {
-    @Override
-    public Iterable<PrivilegeEntity> apply(ResourceEntity resourceEntity) {
-      return resourceEntity.getPrivileges();
-    }
-  };
-
-  /**
-   * Mapper to return permission name from privilege
-   */
-  public static final Function<PrivilegeEntity, String> permissionNameFromPrivilegeMapper = new Function<PrivilegeEntity, String>() {
-    @Override
-    public String apply(PrivilegeEntity privilegeEntity) {
-      return privilegeEntity.getPermission().getPermissionName();
-    }
-  };
-
-  /**
-   * Predicate to validate if the cluster inherited principal type for privilege entity is present in the valid permission type set passed
-   * @param validSet - valid set of permission types
-   * @return Predicate to check the condition
-   */
-  public static final Predicate<PrivilegeEntity> principalTypeInSetFrom(final Collection<String> validSet) {
-    return new Predicate<PrivilegeEntity>() {
-      @Override
-      public boolean apply(PrivilegeEntity privilegeEntity) {
-        String permissionName = privilegeEntity.getPrincipal().getPrincipalType().getName().substring(4);
-        return validSet.contains(permissionName);
-      }
-    };
-  }
-
-  /**
-   * Predicate to filter out privileges which are already existing in the passed privileges set.
-   * @param existingPrivileges - Privileges set to which the comparison will be made
-   * @return Predicate to check the validation
-   */
-  public static Predicate<PrivilegeEntity> removeIfExistingPrivilegePredicate(final Set<PrivilegeEntity> existingPrivileges) {
-    return new Predicate<PrivilegeEntity>() {
-      @Override
-      public boolean apply(final PrivilegeEntity privilegeEntity) {
-        return !FluentIterable.from(existingPrivileges).anyMatch(new com.google.common.base.Predicate<PrivilegeEntity>() {
-          @Override
-          public boolean apply(PrivilegeEntity directPrivilegeEntity) {
-            return directPrivilegeEntity.getResource().getId().equals(privilegeEntity.getResource().getId())
-              && directPrivilegeEntity.getPermission().getId().equals(privilegeEntity.getPermission().getId());
-          }
-        });
-      }
-    };
-  }
-
-  /**
-   * Validates if the principal type is valid for cluster inherited permissions.
-   * @param principalType - Principal type
-   * @return true if the principalType is in ("ALL.CLUSTER.ADMINISTRATOR", "ALL.CLUSTER.OPERATOR",
-   * "ALL.CLUSTER.USER", "ALL.SERVICE.OPERATOR", "ALL.SERVICE.USER")
-   */
-  public static boolean isValidPrincipalType(String principalType) {
-    return PrincipalTypeEntity.CLUSTER_ADMINISTRATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
-      || PrincipalTypeEntity.CLUSTER_OPERATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
-      || PrincipalTypeEntity.CLUSTER_USER_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
-      || PrincipalTypeEntity.SERVICE_ADMINISTRATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType)
-      || PrincipalTypeEntity.SERVICE_OPERATOR_PRINCIPAL_TYPE_NAME.equalsIgnoreCase(principalType);
-  }
-
-  /**
-   * Returns the view privileges for which cluster permissions has been specified. This filters out all the privileges
-   * which are related to view resources attached to a cluster and are configured to have cluster level permissions. Then
-   * It checks if the user has cluster level permissions and further filters down the privilege list to the ones for which
-   * the user should have privilege.
-   * @param userDirectPrivileges - direct privileges for the user.
-   * @return - Filtered list of privileges for view resource for which the user should have access.
-   */
-  public static Set<PrivilegeEntity> getViewPrivilegesWithClusterPermission(final ViewInstanceDAO viewInstanceDAO, final PrivilegeDAO privilegeDAO,
-                                                                            final Set<PrivilegeEntity> userDirectPrivileges) {
-
-    final Set<String> clusterPrivileges = FluentIterable.from(userDirectPrivileges)
-      .filter(ClusterInheritedPermissionHelper.clusterPrivilegesPredicate)
-      .transform(ClusterInheritedPermissionHelper.permissionNameFromPrivilegeMapper)
-      .toSet();
-
-    Set<Long> resourceIds = FluentIterable.from(viewInstanceDAO.findAll())
-      .filter(ClusterInheritedPermissionHelper.clusterAssociatedViewInstancePredicate)
-      .transform(ClusterInheritedPermissionHelper.resourceFromViewInstanceMapper)
-      .transform(new Function<ResourceEntity, Long>() {
-        @Nullable
-        @Override
-        public Long apply(@Nullable ResourceEntity input) {
-          return input.getId();
-        }
-      }).toSet();
-
-    Set<PrivilegeEntity> allPrivileges = FluentIterable.from(resourceIds)
-      .transformAndConcat(new Function<Long, Iterable<PrivilegeEntity>>() {
-        @Nullable
-        @Override
-        public Iterable<PrivilegeEntity> apply(@Nullable Long input) {
-          return privilegeDAO.findByResourceId(input);
-        }
-      }).toSet();
-
-    return FluentIterable.from(allPrivileges)
-      .filter(ClusterInheritedPermissionHelper.privilegeWithClusterInheritedPermissionTypePredicate)
-      .filter(ClusterInheritedPermissionHelper.principalTypeInSetFrom(clusterPrivileges))
-      .filter(ClusterInheritedPermissionHelper.removeIfExistingPrivilegePredicate(userDirectPrivileges))
-      .toSet();
-  }
-}

ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java

@@ -704,6 +704,96 @@ public class Users {
     entityManagerProvider.get().getEntityManagerFactory().getCache().evictAll();
   }
 
+  /**
+   * Gets the explicit and implicit privileges for the given user.
+   * <p>
+   * The explicit privileges are the privileges that have be explicitly set by assigning roles to
+   * a user.  For example the Cluster Operator role on a given cluster gives that the ability to
+   * start and stop services in that cluster, among other privileges for that particular cluster.
+   * <p>
+   * The implicit privileges are the privileges that have been given to the roles themselves which
+   * in turn are granted to the users that have been assigned those roles. For example if the
+   * Cluster User role for a given cluster has been given View User access on a specified File View
+   * instance, then all users who have the Cluster User role for that cluster will implicitly be
+   * granted View User access on that File View instance.
+   *
+   * @param userEntity the relevant user
+   * @return the collection of implicit and explicit privileges
+   */
+  public Collection<PrivilegeEntity> getUserPrivileges(UserEntity userEntity) {
+    if (userEntity == null) {
+      return Collections.emptyList();
+    }
+
+    // get all of the privileges for the user
+    List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
+
+    principalEntities.add(userEntity.getPrincipal());
+
+    List<MemberEntity> memberEntities = memberDAO.findAllMembersByUser(userEntity);
+
+    for (MemberEntity memberEntity : memberEntities) {
+      principalEntities.add(memberEntity.getGroup().getPrincipal());
+    }
+
+    List<PrivilegeEntity> explicitPrivilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
+    List<PrivilegeEntity> implicitPrivilegeEntities = getImplicitPrivileges(explicitPrivilegeEntities);
+    List<PrivilegeEntity> privilegeEntities;
+
+    if(implicitPrivilegeEntities.isEmpty()) {
+      privilegeEntities = explicitPrivilegeEntities;
+    }
+    else {
+      privilegeEntities = new LinkedList<PrivilegeEntity>();
+      privilegeEntities.addAll(explicitPrivilegeEntities);
+      privilegeEntities.addAll(implicitPrivilegeEntities);
+    }
+
+    return privilegeEntities;
+  }
+
+  /**
+   * Gets the explicit and implicit privileges for the given group.
+   * <p>
+   * The explicit privileges are the privileges that have be explicitly set by assigning roles to
+   * a group.  For example the Cluster Operator role on a given cluster gives that the ability to
+   * start and stop services in that cluster, among other privileges for that particular cluster.
+   * <p>
+   * The implicit privileges are the privileges that have been given to the roles themselves which
+   * in turn are granted to the groups that have been assigned those roles. For example if the
+   * Cluster User role for a given cluster has been given View User access on a specified File View
+   * instance, then all groups that have the Cluster User role for that cluster will implicitly be
+   * granted View User access on that File View instance.
+   *
+   * @param groupEntity the relevant group
+   * @return the collection of implicit and explicit privileges
+   */
+  public Collection<PrivilegeEntity> getGroupPrivileges(GroupEntity groupEntity) {
+    if (groupEntity == null) {
+      return Collections.emptyList();
+    }
+
+    // get all of the privileges for the group
+    List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
+
+    principalEntities.add(groupEntity.getPrincipal());
+
+    List<PrivilegeEntity> explicitPrivilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
+    List<PrivilegeEntity> implicitPrivilegeEntities = getImplicitPrivileges(explicitPrivilegeEntities);
+    List<PrivilegeEntity> privilegeEntities;
+
+    if(implicitPrivilegeEntities.isEmpty()) {
+      privilegeEntities = explicitPrivilegeEntities;
+    }
+    else {
+      privilegeEntities = new LinkedList<PrivilegeEntity>();
+      privilegeEntities.addAll(explicitPrivilegeEntities);
+      privilegeEntities.addAll(implicitPrivilegeEntities);
+    }
+
+    return privilegeEntities;
+  }
+
   /**
    * Gets the explicit and implicit authorities for the given user.
    * <p>
@@ -727,50 +817,58 @@ public class Users {
       return Collections.emptyList();
     }
 
-    // get all of the privileges for the user
-    List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
+    Collection<PrivilegeEntity> privilegeEntities = getUserPrivileges(userEntity);
 
-    principalEntities.add(userEntity.getPrincipal());
+    Set<AmbariGrantedAuthority> authorities = new HashSet<>(privilegeEntities.size());
 
-    List<MemberEntity> memberEntities = memberDAO.findAllMembersByUser(userEntity);
+    for (PrivilegeEntity privilegeEntity : privilegeEntities) {
+      authorities.add(new AmbariGrantedAuthority(privilegeEntity));
+    }
 
-    for (MemberEntity memberEntity : memberEntities) {
-      principalEntities.add(memberEntity.getGroup().getPrincipal());
+    return authorities;
+  }
+
+  /**
+   * Gets the implicit privileges based on the set of roles found in a collection of privileges.
+   * <p>
+   * The implicit privileges are the privileges that have been given to the roles themselves which
+   * in turn are granted to the groups that have been assigned those roles. For example if the
+   * Cluster User role for a given cluster has been given View User access on a specified File View
+   * instance, then all groups that have the Cluster User role for that cluster will implicitly be
+   * granted View User access on that File View instance.
+   *
+   * @param privilegeEntities the relevant privileges
+   * @return the collection explicit privileges
+   */
+  private List<PrivilegeEntity> getImplicitPrivileges(List<PrivilegeEntity> privilegeEntities) {
+
+    if ((privilegeEntities == null) || privilegeEntities.isEmpty()) {
+      return Collections.emptyList();
     }
 
-    List<PrivilegeEntity> privilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
+    List<PrivilegeEntity> implicitPrivileges = new LinkedList<PrivilegeEntity>();
 
     // A list of principals representing roles/permissions. This collection of roles will be used to
-    // find additional authorizations inherited by the authenticated user based on the assigned roles.
+    // find additional inherited privileges based on the assigned roles.
     // For example a File View instance may be set to be accessible to all authenticated user with
     // the Cluster User role.
     List<PrincipalEntity> rolePrincipals = new ArrayList<PrincipalEntity>();
 
-    Set<AmbariGrantedAuthority> authorities = new HashSet<>(privilegeEntities.size());
-
     for (PrivilegeEntity privilegeEntity : privilegeEntities) {
       // Add the principal representing the role associated with this PrivilegeEntity to the collection
-      // of roles for the authenticated user.
+      // of roles.
       PrincipalEntity rolePrincipal = privilegeEntity.getPermission().getPrincipal();
-      if(rolePrincipal != null) {
+      if (rolePrincipal != null) {
         rolePrincipals.add(rolePrincipal);
       }
-
-      authorities.add(new AmbariGrantedAuthority(privilegeEntity));
     }
 
-    // If the collections of assigned roles is not empty find the inherited authorizations that are
-    // give to the roles and add them to the collection of (Granted) authorities for the user.
-    if(!rolePrincipals.isEmpty()) {
+    // If the collections of assigned roles is not empty find the inherited priviliges.
+    if (!rolePrincipals.isEmpty()) {
       // For each "role" see if any privileges have been granted...
-      List<PrivilegeEntity> rolePrivilegeEntities = privilegeDAO.findAllByPrincipal(rolePrincipals);
-
-      for (PrivilegeEntity privilegeEntity : rolePrivilegeEntities) {
-        authorities.add(new AmbariGrantedAuthority(privilegeEntity));
-      }
+      implicitPrivileges.addAll(privilegeDAO.findAllByPrincipal(rolePrincipals));
     }
 
-    return authorities;
+    return implicitPrivileges;
   }
-
 }

ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog242.java

@@ -19,10 +19,23 @@
 package org.apache.ambari.server.upgrade;
 
 import java.sql.SQLException;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
 
 import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.orm.DBAccessor;
+import org.apache.ambari.server.orm.dao.PermissionDAO;
+import org.apache.ambari.server.orm.dao.PrincipalDAO;
+import org.apache.ambari.server.orm.dao.PrincipalTypeDAO;
+import org.apache.ambari.server.orm.dao.PrivilegeDAO;
+import org.apache.ambari.server.orm.entities.PermissionEntity;
+import org.apache.ambari.server.orm.entities.PrincipalEntity;
+import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
+import org.apache.ambari.server.orm.entities.PrivilegeEntity;
+import org.apache.ambari.server.orm.entities.ResourceEntity;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -106,6 +119,7 @@ public class UpgradeCatalog242 extends AbstractUpgradeCatalog {
   @Override
   protected void executeDMLUpdates() throws AmbariException, SQLException {
     addNewConfigurationsFromXml();
+    convertRolePrincipals();
   }
 
   protected void updateTablesForMysql() throws SQLException {
@@ -141,4 +155,90 @@ public class UpgradeCatalog242 extends AbstractUpgradeCatalog {
     }
   }
 
+  /**
+   * Convert the previously set inherited privileges to the more generic inherited privileges model
+   * based on role-based principals rather than specialized principal types.
+   */
+  protected void convertRolePrincipals() {
+    LOG.info("Converting pseudo principle types to role principals");
+
+    PermissionDAO permissionDAO = injector.getInstance(PermissionDAO.class);
+    PrivilegeDAO privilegeDAO = injector.getInstance(PrivilegeDAO.class);
+    PrincipalDAO principalDAO = injector.getInstance(PrincipalDAO.class);
+    PrincipalTypeDAO principalTypeDAO = injector.getInstance(PrincipalTypeDAO.class);
+
+    Map<String, String> principalTypeToRole = new HashMap<String, String>();
+    principalTypeToRole.put("ALL.CLUSTER.ADMINISTRATOR", "CLUSTER.ADMINISTRATOR");
+    principalTypeToRole.put("ALL.CLUSTER.OPERATOR", "CLUSTER.OPERATOR");
+    principalTypeToRole.put("ALL.CLUSTER.USER", "CLUSTER.USER");
+    principalTypeToRole.put("ALL.SERVICE.ADMINISTRATOR", "SERVICE.ADMINISTRATOR");
+    principalTypeToRole.put("ALL.SERVICE.OPERATOR", "SERVICE.OPERATOR");
+
+    // Handle a typo introduced in org.apache.ambari.server.upgrade.UpgradeCatalog240.updateClusterInheritedPermissionsConfig
+    principalTypeToRole.put("ALL.SERVICE.OPERATIOR", "SERVICE.OPERATOR");
+
+    for (Map.Entry<String, String> entry : principalTypeToRole.entrySet()) {
+      String principalTypeName = entry.getKey();
+      String roleName = entry.getValue();
+
+      PermissionEntity role = permissionDAO.findByName(roleName);
+      PrincipalEntity rolePrincipalEntity = (role == null) ? null : role.getPrincipal();
+
+      // Convert Privilege Records
+      PrincipalTypeEntity principalTypeEntity = principalTypeDAO.findByName(principalTypeName);
+
+      if (principalTypeEntity != null) {
+        List<PrincipalEntity> principalEntities = principalDAO.findByPrincipalType(principalTypeName);
+
+        for (PrincipalEntity principalEntity : principalEntities) {
+          Set<PrivilegeEntity> privilegeEntities = principalEntity.getPrivileges();
+
+          for (PrivilegeEntity privilegeEntity : privilegeEntities) {
+            if (rolePrincipalEntity == null) {
+              LOG.info("Removing privilege (id={}) since no role principle was found for {}:\n{}",
+                  privilegeEntity.getId(), roleName, formatPrivilegeEntityDetails(privilegeEntity));
+              // Remove this privilege
+              privilegeDAO.remove(privilegeEntity);
+            } else {
+              LOG.info("Updating privilege (id={}) to use role principle for {}:\n{}",
+                  privilegeEntity.getId(), roleName, formatPrivilegeEntityDetails(privilegeEntity));
+
+              // Set the principal to the updated principal value
+              privilegeEntity.setPrincipal(rolePrincipalEntity);
+              privilegeDAO.merge(privilegeEntity);
+            }
+          }
+
+          // Remove the obsolete principal
+          principalDAO.remove(principalEntity);
+        }
+
+        // Remove the obsolete principal type
+        principalTypeDAO.remove(principalTypeEntity);
+      }
+    }
+
+    LOG.info("Converting pseudo principle types to role principals - complete.");
+  }
+
+  private String formatPrivilegeEntityDetails(PrivilegeEntity privilegeEntity) {
+    if (privilegeEntity == null) {
+      return "";
+    } else {
+      ResourceEntity resource = privilegeEntity.getResource();
+      PrincipalEntity principal = privilegeEntity.getPrincipal();
+      PermissionEntity permission = privilegeEntity.getPermission();
+
+      return String.format("" +
+              "\tPrivilege ID: %d" +
+              "\n\tResource ID: %d" +
+              "\n\tPrincipal ID: %d" +
+              "\n\tPermission ID: %d",
+          privilegeEntity.getId(),
+          resource.getId(),
+          principal.getId(),
+          permission.getId()
+      );
+    }
+  }
 }

ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java

@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -86,7 +86,6 @@ import org.apache.ambari.server.orm.entities.ViewParameterEntity;
 import org.apache.ambari.server.orm.entities.ViewResourceEntity;
 import org.apache.ambari.server.security.SecurityHelper;
 import org.apache.ambari.server.security.authorization.AuthorizationHelper;
-import org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper;
 import org.apache.ambari.server.security.authorization.ResourceType;
 import org.apache.ambari.server.security.authorization.RoleAuthorization;
 import org.apache.ambari.server.state.Clusters;
@@ -122,7 +121,6 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.xml.sax.SAXException;
 
-import com.google.common.collect.FluentIterable;
 import com.google.common.collect.Sets;
 import com.google.common.eventbus.AllowConcurrentEvents;
 import com.google.common.eventbus.Subscribe;
@@ -1796,7 +1794,7 @@ public class ViewRegistry {
     }
 
     List<String> services = autoInstanceConfig.getServices();
-    List<String> permissions = autoInstanceConfig.getPermissions();
+    Collection<String> roles = autoInstanceConfig.getRoles();
 
     Map<String, org.apache.ambari.server.state.Cluster> allClusters = clustersProvider.get().getClusters();
     for (org.apache.ambari.server.state.Cluster cluster : allClusters.values()) {
@@ -1814,7 +1812,7 @@ public class ViewRegistry {
             ViewInstanceEntity viewInstanceEntity = createViewInstanceEntity(viewEntity, viewConfig, autoInstanceConfig);
             viewInstanceEntity.setClusterHandle(clusterId);
             installViewInstance(viewInstanceEntity);
-            addClusterInheritedPermissions(viewInstanceEntity, permissions);
+            setViewInstanceRoleAccess(viewInstanceEntity, roles);
           }
         } catch (Exception e) {
           LOG.error("Can't auto create instance of view " + viewName + " for cluster " + clusterName +
@@ -1825,40 +1823,45 @@ public class ViewRegistry {
   }
 
   /**
-   * Validates principalTypes and creates privilege entities for each permission type for the view instance entity
-   * resource.
-   * @param viewInstanceEntity - view instance entity for which permission has to be set.
-   * @param principalTypes - list of cluster inherited principal types
+   * Set access to the a particular view instance based on a set of roles.
+   * <p>
+   * View access to the specified view instances will be granted to anyone directly or indirectly
+   * assigned to one of the roles in the suppled set of role names.
+   *
+   * @param viewInstanceEntity a view instance entity
+   * @param roles the set of roles to use to for granting access
    */
   @Transactional
-  private void addClusterInheritedPermissions(ViewInstanceEntity viewInstanceEntity, List<String> principalTypes) {
-    List<String> validPermissions = FluentIterable.from(principalTypes)
-      .filter(ClusterInheritedPermissionHelper.validPrincipalTypePredicate)
-      .toList();
-
-    for(String permission: validPermissions) {
-      addClusterInheritedPermission(viewInstanceEntity, permission);
-    }
-  }
-
-  private void addClusterInheritedPermission(ViewInstanceEntity viewInstanceEntity, String principalType) {
-    ResourceEntity resource = viewInstanceEntity.getResource();
-    List<PrincipalEntity> principals = principalDAO.findByPrincipalType(principalType);
-    if (principals.size() == 0) {
-      LOG.error("Failed to find principal for principal type '{}'", principalType);
-      return;
-    }
+  protected void setViewInstanceRoleAccess(ViewInstanceEntity viewInstanceEntity, Collection<String> roles) {
+    if ((roles != null) && !roles.isEmpty()) {
+      PermissionEntity permissionViewUser = permissionDAO.findViewUsePermission();
 
-    PrincipalEntity principal = principals.get(0); // There will be only one principal associated with the principal type
-    PermissionEntity permission = permissionDAO.findViewUsePermission();
-
-    if (!privilegeDAO.exists(principal, resource, permission)) {
-      PrivilegeEntity privilege = new PrivilegeEntity();
-      privilege.setPrincipal(principal);
-      privilege.setResource(resource);
-      privilege.setPermission(permission);
-
-      privilegeDAO.create(privilege);
+      if (permissionViewUser == null) {
+        LOG.error("Missing the {} role.  Access to view cannot be set.",
+            PermissionEntity.VIEW_USER_PERMISSION_NAME, viewInstanceEntity.getName());
+      } else {
+        for (String role : roles) {
+          PermissionEntity permissionRole = permissionDAO.findByName(role);
+
+          if (permissionRole == null) {
+            LOG.warn("Invalid role {} encountered while setting access to view {}, Ignoring.",
+                role, viewInstanceEntity.getName());
+          } else {
+            PrincipalEntity principalRole = permissionRole.getPrincipal();
+
+            if (principalRole == null) {
+              LOG.warn("Missing principal ID for role {} encountered while setting access to view {}. Ignoring.",
+                  role, viewInstanceEntity.getName());
+            } else {
+              PrivilegeEntity privilegeEntity = new PrivilegeEntity();
+              privilegeEntity.setPermission(permissionViewUser);
+              privilegeEntity.setPrincipal(principalRole);
+              privilegeEntity.setResource(viewInstanceEntity.getResource());
+              privilegeDAO.create(privilegeEntity);
+            }
+          }
+        }
+      }
     }
   }
 

ambari-server/src/main/java/org/apache/ambari/server/view/configuration/AutoInstanceConfig.java

@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -18,16 +18,14 @@
 
 package org.apache.ambari.server.view.configuration;
 
-import com.google.common.base.Function;
-import com.google.common.collect.FluentIterable;
-import com.google.common.collect.Lists;
-
 import javax.xml.bind.annotation.XmlAccessType;
 import javax.xml.bind.annotation.XmlAccessorType;
 import javax.xml.bind.annotation.XmlElement;
 import javax.xml.bind.annotation.XmlElementWrapper;
-import java.util.Arrays;
+import javax.xml.bind.annotation.adapters.CollapsedStringAdapter;
+import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
 import java.util.List;
+import java.util.Set;
 
 /**
  * View auto instance configuration.
@@ -48,14 +46,25 @@ public class AutoInstanceConfig extends InstanceConfig {
    */
   @XmlElementWrapper
   @XmlElement(name="service")
+  @XmlJavaTypeAdapter(CollapsedStringAdapter.class)
   private List<String> services;
 
   /**
-   * Cluster Inherited permissions. Comma separated strings for multiple values
-   * Possible values: ALL.CLUSTER.ADMINISTRATOR, ALL.CLUSTER.OPERATOR, ALL.CLUSTER.USER,
-   * ALL.SERVICE.OPERATOR, ALL.SERVICE.ADMINISTRATOR
+   * A list of roles that should have access to this view.
+   * <p>
+   * Example values:
+   * <ul>
+   * <li>CLUSTER.ADMINISTRATOR</li>
+   * <li>CLUSTER.OPERATOR</li>
+   * <li>SERVICE.ADMINISTRATOR</li>
+   * <li>SERVICE.OPERATOR</li>
+   * <li>CLUSTER.USER</li>
+   * </ul>
    */
-  private String permissions;
+  @XmlElementWrapper
+  @XmlElement(name="role")
+  @XmlJavaTypeAdapter(CollapsedStringAdapter.class)
+  private Set<String> roles;
 
   /**
    * Get the stack id used for auto instance creation.
@@ -76,17 +85,9 @@ public class AutoInstanceConfig extends InstanceConfig {
   }
 
   /**
-   * @return the list of configured cluster inherited permissions
+   * @return the set of roles that should have access to this view
    */
-  public List<String> getPermissions() {
-    if(permissions == null) {
-      return Lists.newArrayList();
-    }
-    return FluentIterable.from(Arrays.asList(permissions.split(","))).transform(new Function<String, String>() {
-      @Override
-      public String apply(String permission) {
-        return permission.trim();
-      }
-    }).toList();
+  public Set<String> getRoles() {
+    return roles;
   }
 }

ambari-server/src/main/resources/Ambari-DDL-Derby-CREATE.sql

@@ -1174,16 +1174,6 @@ INSERT INTO adminprincipaltype (principal_type_id, principal_type_name)
   UNION ALL
   SELECT 2, 'GROUP' FROM SYSIBM.SYSDUMMY1
   UNION ALL
-  SELECT 3, 'ALL.CLUSTER.ADMINISTRATOR' FROM SYSIBM.SYSDUMMY1
-  UNION ALL
-  SELECT 4, 'ALL.CLUSTER.OPERATOR' FROM SYSIBM.SYSDUMMY1
-  UNION ALL
-  SELECT 5, 'ALL.CLUSTER.USER' FROM SYSIBM.SYSDUMMY1
-  UNION ALL
-  SELECT 6, 'ALL.SERVICE.ADMINISTRATOR' FROM SYSIBM.SYSDUMMY1
-  UNION ALL
-  SELECT 7, 'ALL.SERVICE.OPERRATOR' FROM SYSIBM.SYSDUMMY1
-  UNION ALL
   SELECT 8, 'ROLE' FROM SYSIBM.SYSDUMMY1;
 
 INSERT INTO adminprincipal (principal_id, principal_type_id)

ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql

@@ -1123,11 +1123,6 @@ INSERT INTO adminresource (resource_id, resource_type_id) VALUES
 INSERT INTO adminprincipaltype (principal_type_id, principal_type_name) VALUES
   (1, 'USER'),
   (2, 'GROUP'),
-  (3, 'ALL.CLUSTER.ADMINISTRATOR'),
-  (4, 'ALL.CLUSTER.OPERATOR'),
-  (5, 'ALL.CLUSTER.USER'),
-  (6, 'ALL.SERVICE.ADMINISTRATOR'),
-  (7, 'ALL.SERVICE.OPERATOR'),
   (8, 'ROLE');
 
 INSERT INTO adminprincipal (principal_id, principal_type_id) VALUES

ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql

@@ -1119,16 +1119,6 @@ insert into adminprincipaltype (principal_type_id, principal_type_name)
   union all
   select 2, 'GROUP' from dual
   union all
-  select 3, 'ALL.CLUSTER.ADMINISTRATOR' from dual
-  union all
-  select 4, 'ALL.CLUSTER.OPERATOR' from dual
-  union all
-  select 5, 'ALL.CLUSTER.USER' from dual
-  union all
-  select 6, 'ALL.SERVICE.ADMINISTRATOR' from dual
-  union all
-  select 7, 'ALL.SERVICE.OPERATOR' from dual
-  union all
   select 8, 'ROLE' from dual;
 
 insert into adminprincipal (principal_id, principal_type_id)

ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql

@@ -1114,11 +1114,6 @@ INSERT INTO adminresource (resource_id, resource_type_id) VALUES
 INSERT INTO adminprincipaltype (principal_type_id, principal_type_name) VALUES
   (1, 'USER'),
   (2, 'GROUP'),
-  (3, 'ALL.CLUSTER.ADMINISTRATOR'),
-  (4, 'ALL.CLUSTER.OPERATOR'),
-  (5, 'ALL.CLUSTER.USER'),
-  (6, 'ALL.SERVICE.ADMINISTRATOR'),
-  (7, 'ALL.SERVICE.OPERATOR'),
   (8, 'ROLE');
 
 INSERT INTO adminprincipal (principal_id, principal_type_id) VALUES

ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql

@@ -1116,16 +1116,6 @@ insert into adminprincipaltype (principal_type_id, principal_type_name)
   union all
   select 2, 'GROUP'
   union all
-  select 3, 'ALL.CLUSTER.ADMINISTRATOR'
-  union all
-  select 4, 'ALL.CLUSTER.OPERATOR'
-  union all
-  select 5, 'ALL.CLUSTER.USER'
-  union all
-  select 6, 'ALL.SERVICE.ADMINISTRATOR'
-  union all
-  select 7, 'ALL.SERVICE.OPERATOR'
-  union all
   select 8, 'ROLE';
 
 insert into adminprincipal (principal_id, principal_type_id)

ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql

@@ -1140,11 +1140,6 @@ BEGIN TRANSACTION
   values
     (1, 'USER'),
     (2, 'GROUP'),
-    (3, 'ALL.CLUSTER.ADMINISTRATOR'),
-    (4, 'ALL.CLUSTER.OPERATOR'),
-    (5, 'ALL.CLUSTER.USER'),
-    (6, 'ALL.SERVICE.ADMINISTRATOR'),
-    (7, 'ALL.SERVICE.OPERATOR'),
     (8, 'ROLE');
 
   insert into adminprincipal (principal_id, principal_type_id)

ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AbstractPrivilegeResourceProviderTest.java

@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.controller.internal;
+
+import org.apache.ambari.server.orm.dao.MemberDAO;
+import org.apache.ambari.server.orm.dao.PrivilegeDAO;
+import org.apache.ambari.server.security.authorization.Users;
+import org.easymock.EasyMockSupport;
+
+class AbstractPrivilegeResourceProviderTest extends EasyMockSupport {
+
+  static class TestUsers extends Users {
+
+    void setPrivilegeDAO(PrivilegeDAO privilegeDAO) {
+      this.privilegeDAO = privilegeDAO;
+    }
+
+    public void setMemberDAO(MemberDAO memberDAO) {
+      this.memberDAO = memberDAO;
+    }
+  }
+}

ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java

@@ -270,9 +270,6 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
     UserDAO userDAO = injector.getInstance(UserDAO.class);
     expect(userDAO.findUsersByPrincipal(anyObject(List.class))).andReturn(userEntities).atLeastOnce();
 
-    GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
-    expect(groupDAO.findGroupsByPrincipal(anyObject(List.class))).andReturn(Collections.<GroupEntity>emptyList()).atLeastOnce();
-
     replayAll();
 
     SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator("admin"));
@@ -356,10 +353,11 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
 
     Map<Long, UserEntity> userEntities = new HashMap<>();
     Map<Long, GroupEntity> groupEntities = new HashMap<>();
+    Map<Long, PermissionEntity> roleEntities = new HashMap<>();
     Map<Long, Object> resourceEntities = new HashMap<Long, Object>();
 
     AmbariPrivilegeResourceProvider provider = new AmbariPrivilegeResourceProvider();
-    Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, provider.getPropertyIds());
+    Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, provider.getPropertyIds());
 
     Assert.assertEquals(ResourceType.AMBARI.name(), resource.getPropertyValue(AmbariPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID));
 
@@ -399,12 +397,13 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
 
     Map<Long, UserEntity> userEntities = new HashMap<>();
     Map<Long, GroupEntity> groupEntities = new HashMap<>();
+    Map<Long, PermissionEntity> roleEntities = new HashMap<>();
 
     Map<Long, Object> resourceEntities = new HashMap<Long, Object>();
     resourceEntities.put(resourceEntity.getId(), clusterEntity);
 
     AmbariPrivilegeResourceProvider provider = new AmbariPrivilegeResourceProvider();
-    Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, provider.getPropertyIds());
+    Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, provider.getPropertyIds());
 
     Assert.assertEquals("TestCluster", resource.getPropertyValue(ClusterPrivilegeResourceProvider.PRIVILEGE_CLUSTER_NAME_PROPERTY_ID));
     Assert.assertEquals(ResourceType.CLUSTER.name(), resource.getPropertyValue(AmbariPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID));
@@ -450,12 +449,13 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
 
     Map<Long, UserEntity> userEntities = new HashMap<>();
     Map<Long, GroupEntity> groupEntities = new HashMap<>();
+    Map<Long, PermissionEntity> roleEntities = new HashMap<>();
 
     Map<Long, Object> resourceEntities = new HashMap<Long, Object>();
     resourceEntities.put(resourceEntity.getId(), viewInstanceEntity);
 
     AmbariPrivilegeResourceProvider provider = new AmbariPrivilegeResourceProvider();
-    Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, provider.getPropertyIds());
+    Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, provider.getPropertyIds());
 
     Assert.assertEquals("Test View", resource.getPropertyValue(ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID));
     Assert.assertEquals("TestView", resource.getPropertyValue(ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_NAME_PROPERTY_ID));
@@ -503,12 +503,13 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
 
     Map<Long, UserEntity> userEntities = new HashMap<>();
     Map<Long, GroupEntity> groupEntities = new HashMap<>();
+    Map<Long, PermissionEntity> roleEntities = new HashMap<>();
 
     Map<Long, Object> resourceEntities = new HashMap<Long, Object>();
     resourceEntities.put(resourceEntity.getId(), viewInstanceEntity);
 
     AmbariPrivilegeResourceProvider provider = new AmbariPrivilegeResourceProvider();
-    Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, resourceEntities, provider.getPropertyIds());
+    Resource resource = provider.toResource(privilegeEntity, userEntities, groupEntities, roleEntities, resourceEntities, provider.getPropertyIds());
 
     Assert.assertEquals("Test View", resource.getPropertyValue(ViewPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID));
     Assert.assertEquals("TestView", resource.getPropertyValue(ViewPrivilegeResourceProvider.PRIVILEGE_VIEW_NAME_PROPERTY_ID));
@@ -608,9 +609,6 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
     ClusterDAO clusterDAO = injector.getInstance(ClusterDAO.class);
     expect(clusterDAO.findAll()).andReturn(Collections.<ClusterEntity>emptyList()).atLeastOnce();
 
-    GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
-    expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList()).atLeastOnce();
-
     replayAll();
 
     SecurityContextHolder.getContext().setAuthentication(authentication);
@@ -664,9 +662,6 @@ public class AmbariPrivilegeResourceProviderTest extends EasyMockSupport {
     ClusterDAO clusterDAO = injector.getInstance(ClusterDAO.class);
     expect(clusterDAO.findAll()).andReturn(clusterEntities).atLeastOnce();
 
-    GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
-    expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList()).atLeastOnce();
-
     replayAll();
 
     SecurityContextHolder.getContext().setAuthentication(authentication);

ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProviderTest.java

@@ -38,7 +38,6 @@ import org.apache.ambari.server.orm.dao.ResourceDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
 import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
 import org.apache.ambari.server.orm.entities.ClusterEntity;
-import org.apache.ambari.server.orm.entities.GroupEntity;
 import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.apache.ambari.server.orm.entities.PrincipalEntity;
 import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
@@ -61,7 +60,6 @@ import org.springframework.security.core.context.SecurityContextHolder;
 
 import javax.persistence.EntityManager;
 import java.util.ArrayList;
-import java.util.Collections;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.LinkedList;
@@ -251,9 +249,6 @@ public class ClusterPrivilegeResourceProviderTest extends EasyMockSupport {
     UserDAO userDAO = injector.getInstance(UserDAO.class);
     expect(userDAO.findUsersByPrincipal(principalEntities)).andReturn(userEntities);
 
-    GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
-    expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList());
-
     replayAll();
 
     SecurityContextHolder.getContext().setAuthentication(authentication);
@@ -306,9 +301,6 @@ public class ClusterPrivilegeResourceProviderTest extends EasyMockSupport {
     UserDAO userDAO = injector.getInstance(UserDAO.class);
     expect(userDAO.findUsersByPrincipal(principalEntities)).andReturn(userEntities);
 
-    GroupDAO groupDAO = injector.getInstance(GroupDAO.class);
-    expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList());
-
     replayAll();
 
     SecurityContextHolder.getContext().setAuthentication(authentication);

ambari-server/src/test/java/org/apache/ambari/server/controller/internal/GroupPrivilegeResourceProviderTest.java

@@ -18,7 +18,6 @@
 
 package org.apache.ambari.server.controller.internal;
 
-import com.google.common.collect.Lists;
 import junit.framework.Assert;
 import org.apache.ambari.server.controller.spi.Predicate;
 import org.apache.ambari.server.controller.spi.Request;
@@ -31,7 +30,6 @@ import org.apache.ambari.server.orm.dao.GroupDAO;
 import org.apache.ambari.server.orm.dao.PrivilegeDAO;
 import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
 import org.apache.ambari.server.orm.entities.ClusterEntity;
-import org.apache.ambari.server.orm.entities.MemberEntity;
 import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.apache.ambari.server.orm.entities.PrincipalEntity;
 import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
@@ -44,13 +42,15 @@ import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
 import org.apache.ambari.server.security.TestAuthenticationFactory;
 import org.apache.ambari.server.security.authorization.AuthorizationException;
 import org.apache.ambari.server.security.authorization.ResourceType;
-import org.easymock.EasyMockSupport;
+import org.apache.ambari.server.security.authorization.Users;
 import org.junit.Test;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 
 import java.util.Collections;
 import java.util.HashSet;
+import java.util.LinkedList;
+import java.util.List;
 import java.util.Set;
 
 import static org.easymock.EasyMock.anyObject;
@@ -59,7 +59,7 @@ import static org.easymock.EasyMock.expect;
 /**
  * GroupPrivilegeResourceProvider tests.
  */
-public class GroupPrivilegeResourceProviderTest extends EasyMockSupport {
+public class GroupPrivilegeResourceProviderTest extends AbstractPrivilegeResourceProviderTest {
 
   @Test(expected = SystemException.class)
   public void testCreateResources() throws Exception {
@@ -124,11 +124,11 @@ public class GroupPrivilegeResourceProviderTest extends EasyMockSupport {
 
     ClusterDAO clusterDAO = createMock(ClusterDAO.class);
     ViewInstanceDAO viewInstanceDAO = createMock(ViewInstanceDAO.class);
-    PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+    Users users = createNiceMock(Users.class);
 
     replayAll();
 
-    GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+    GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, users);
     GroupPrivilegeResourceProvider provider = new GroupPrivilegeResourceProvider();
     Resource resource = provider.toResource(privilegeEntity, "group1", provider.getPropertyIds());
 
@@ -175,11 +175,11 @@ public class GroupPrivilegeResourceProviderTest extends EasyMockSupport {
 
     GroupDAO groupDAO = createMock(GroupDAO.class);
     expect(groupDAO.findGroupByPrincipal(anyObject(PrincipalEntity.class))).andReturn(groupEntity).anyTimes();
-    PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+    Users users = createNiceMock(Users.class);
 
     replayAll();
 
-    GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+    GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, users);
     GroupPrivilegeResourceProvider provider = new GroupPrivilegeResourceProvider();
     Resource resource = provider.toResource(privilegeEntity, "group1", provider.getPropertyIds());
 
@@ -233,11 +233,11 @@ public class GroupPrivilegeResourceProviderTest extends EasyMockSupport {
     GroupDAO groupDAO = createMock(GroupDAO.class);
     expect(groupDAO.findGroupByPrincipal(anyObject(PrincipalEntity.class))).andReturn(groupEntity).anyTimes();
 
-    PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+    Users users = createNiceMock(Users.class);
 
     replayAll();
 
-    GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+    GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, users);
     GroupPrivilegeResourceProvider provider = new GroupPrivilegeResourceProvider();
     Resource resource = provider.toResource(privilegeEntity, "group1", provider.getPropertyIds());
 
@@ -292,11 +292,11 @@ public class GroupPrivilegeResourceProviderTest extends EasyMockSupport {
 
     GroupDAO groupDAO = createMock(GroupDAO.class);
     expect(groupDAO.findGroupByPrincipal(anyObject(PrincipalEntity.class))).andReturn(groupEntity).anyTimes();
-    PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+    Users users = createNiceMock(Users.class);
 
     replayAll();
 
-    GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+    GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, users);
     GroupPrivilegeResourceProvider provider = new GroupPrivilegeResourceProvider();
     Resource resource = provider.toResource(privilegeEntity, "group1", provider.getPropertyIds());
 
@@ -320,30 +320,32 @@ public class GroupPrivilegeResourceProviderTest extends EasyMockSupport {
     final PrincipalTypeEntity principalTypeEntity = createNiceMock(PrincipalTypeEntity.class);
     final ResourceEntity resourceEntity = createNiceMock(ResourceEntity.class);
     final ResourceTypeEntity resourceTypeEntity = createNiceMock(ResourceTypeEntity.class);
-    final PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
-
-    expect(groupDAO.findGroupByName(requestedGroupName)).andReturn(groupEntity).anyTimes();
-    expect(groupEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
-    expect(groupEntity.getMemberEntities()).andReturn(Collections.<MemberEntity>emptySet()).anyTimes();
-    expect(privilegeEntity.getPermission()).andReturn(permissionEntity).anyTimes();
-    expect(privilegeEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
-    expect(principalEntity.getPrincipalType()).andReturn(principalTypeEntity).anyTimes();
-    expect(principalTypeEntity.getName()).andReturn(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME).anyTimes();
-    expect(principalEntity.getPrivileges()).andReturn(new HashSet<PrivilegeEntity>() {
-      {
-        add(privilegeEntity);
-      }
-    }).anyTimes();
-    expect(groupDAO.findGroupByPrincipal(anyObject(PrincipalEntity.class))).andReturn(groupEntity).anyTimes();
-    expect(groupEntity.getGroupName()).andReturn(requestedGroupName).anyTimes();
-    expect(privilegeEntity.getResource()).andReturn(resourceEntity).anyTimes();
-    expect(resourceEntity.getResourceType()).andReturn(resourceTypeEntity).anyTimes();
+    final PrivilegeDAO privilegeDAO = createMock(PrivilegeDAO.class);
+
+    final TestUsers users = new TestUsers();
+    users.setPrivilegeDAO(privilegeDAO);
+
+    List<PrincipalEntity> groupPrincipals = new LinkedList<PrincipalEntity>();
+    groupPrincipals.add(principalEntity);
+
+    expect(privilegeDAO.findAllByPrincipal(groupPrincipals)).
+        andReturn(Collections.singletonList(privilegeEntity))
+        .once();
+    expect(groupDAO.findGroupByName(requestedGroupName)).andReturn(groupEntity).atLeastOnce();
+    expect(groupEntity.getPrincipal()).andReturn(principalEntity).atLeastOnce();
+    expect(privilegeEntity.getPermission()).andReturn(permissionEntity).atLeastOnce();
+    expect(privilegeEntity.getPrincipal()).andReturn(principalEntity).atLeastOnce();
+    expect(principalEntity.getPrincipalType()).andReturn(principalTypeEntity).atLeastOnce();
+    expect(principalTypeEntity.getName()).andReturn(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE_NAME).atLeastOnce();
+    expect(groupDAO.findGroupByPrincipal(anyObject(PrincipalEntity.class))).andReturn(groupEntity).atLeastOnce();
+    expect(groupEntity.getGroupName()).andReturn(requestedGroupName).atLeastOnce();
+    expect(privilegeEntity.getResource()).andReturn(resourceEntity).atLeastOnce();
+    expect(resourceEntity.getResourceType()).andReturn(resourceTypeEntity).atLeastOnce();
     expect(resourceTypeEntity.getName()).andReturn(ResourceType.AMBARI.name());
-    expect(viewInstanceDAO.findAll()).andReturn(Lists.<ViewInstanceEntity>newArrayList()).anyTimes();
 
     replayAll();
 
-    GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+    GroupPrivilegeResourceProvider.init(clusterDAO, groupDAO, viewInstanceDAO, users);
 
     final Set<String> propertyIds = new HashSet<String>();
     propertyIds.add(GroupPrivilegeResourceProvider.PRIVILEGE_GROUP_NAME_PROPERTY_ID);
@@ -367,5 +369,4 @@ public class GroupPrivilegeResourceProviderTest extends EasyMockSupport {
 
     verifyAll();
   }
-
 }

ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java

@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -18,8 +18,6 @@
 
 package org.apache.ambari.server.controller.internal;
 
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
 import junit.framework.Assert;
 import org.apache.ambari.server.controller.spi.Predicate;
 import org.apache.ambari.server.controller.spi.Request;
@@ -29,6 +27,7 @@ import org.apache.ambari.server.controller.utilities.PredicateBuilder;
 import org.apache.ambari.server.controller.utilities.PropertyHelper;
 import org.apache.ambari.server.orm.dao.ClusterDAO;
 import org.apache.ambari.server.orm.dao.GroupDAO;
+import org.apache.ambari.server.orm.dao.MemberDAO;
 import org.apache.ambari.server.orm.dao.PrivilegeDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
 import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
@@ -46,7 +45,7 @@ import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
 import org.apache.ambari.server.security.TestAuthenticationFactory;
 import org.apache.ambari.server.security.authorization.AuthorizationException;
 import org.apache.ambari.server.security.authorization.ResourceType;
-import org.easymock.EasyMockSupport;
+import org.apache.ambari.server.security.authorization.Users;
 import org.junit.Test;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -54,6 +53,8 @@ import org.springframework.security.core.context.SecurityContextHolder;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashSet;
+import java.util.LinkedList;
+import java.util.List;
 import java.util.Set;
 
 import static org.easymock.EasyMock.anyObject;
@@ -62,7 +63,7 @@ import static org.easymock.EasyMock.expect;
 /**
  * UserPrivilegeResourceProvider tests.
  */
-public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
+public class UserPrivilegeResourceProviderTest extends AbstractPrivilegeResourceProviderTest {
 
   @Test(expected = SystemException.class)
   public void testCreateResources() throws Exception {
@@ -134,11 +135,11 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
     GroupDAO groupDAO = createMock(GroupDAO.class);
     ViewInstanceDAO viewInstanceDAO = createMock(ViewInstanceDAO.class);
 
-    PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+    Users users = createNiceMock(Users.class);
 
     replayAll();
 
-    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
     UserPrivilegeResourceProvider provider = new UserPrivilegeResourceProvider();
     Resource resource = provider.toResource(privilegeEntity, "jdoe", provider.getPropertyIds());
 
@@ -187,11 +188,11 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
     UserDAO userDAO = createMock(UserDAO.class);
     expect(userDAO.findUserByPrincipal(anyObject(PrincipalEntity.class))).andReturn(userEntity).anyTimes();
 
-    PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+    Users users = createNiceMock(Users.class);
 
     replayAll();
 
-    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
     UserPrivilegeResourceProvider provider = new UserPrivilegeResourceProvider();
     Resource resource = provider.toResource(privilegeEntity, "jdoe", provider.getPropertyIds());
 
@@ -246,11 +247,11 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
     UserDAO userDAO = createMock(UserDAO.class);
     expect(userDAO.findUserByPrincipal(anyObject(PrincipalEntity.class))).andReturn(userEntity).anyTimes();
 
-    PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+    Users users = createNiceMock(Users.class);
 
     replayAll();
 
-    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
     UserPrivilegeResourceProvider provider = new UserPrivilegeResourceProvider();
     Resource resource = provider.toResource(privilegeEntity, "jdoe", provider.getPropertyIds());
 
@@ -307,11 +308,11 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
     UserDAO userDAO = createMock(UserDAO.class);
     expect(userDAO.findUserByPrincipal(anyObject(PrincipalEntity.class))).andReturn(userEntity).anyTimes();
 
-    PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
+    Users users = createNiceMock(Users.class);
 
     replayAll();
 
-    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
     UserPrivilegeResourceProvider provider = new UserPrivilegeResourceProvider();
     Resource resource = provider.toResource(privilegeEntity, "jdoe", provider.getPropertyIds());
 
@@ -327,7 +328,14 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
   public void testToResource_SpecificVIEW_WithClusterInheritedPermission() throws Exception {
     SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createClusterAdministrator("jdoe", 2L));
 
+    PrincipalTypeEntity rolePrincipalTypeEntity = createMock(PrincipalTypeEntity.class);
+    expect(rolePrincipalTypeEntity.getName()).andReturn("ROLE").atLeastOnce();
+
+    PrincipalEntity rolePrincipalEntity = createMock(PrincipalEntity.class);
+    expect(rolePrincipalEntity.getPrincipalType()).andReturn(rolePrincipalTypeEntity).atLeastOnce();
+
     PermissionEntity permissionEntity = createMock(PermissionEntity.class);
+    expect(permissionEntity.getPrincipal()).andReturn(rolePrincipalEntity).atLeastOnce();
     expect(permissionEntity.getPermissionName()).andReturn("CLUSTER.ADMINISTRATOR").atLeastOnce();
     expect(permissionEntity.getPermissionLabel()).andReturn("Cluster Administrator").atLeastOnce();
 
@@ -337,19 +345,10 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
     PrincipalEntity principalEntity = createMock(PrincipalEntity.class);
     expect(principalEntity.getPrincipalType()).andReturn(principalTypeEntity).atLeastOnce();
 
-
-    PrincipalTypeEntity principalTypeWithAllClusterAdministrator = createNiceMock(PrincipalTypeEntity.class);
-    expect(principalTypeWithAllClusterAdministrator.getName()).andReturn("ALL.CLUSTER.ADMINISTRATOR").atLeastOnce();
-
-    PrincipalEntity principalEntityWithAllClusterAdministrator = createNiceMock(PrincipalEntity.class);
-    expect(principalEntityWithAllClusterAdministrator.getPrincipalType()).andReturn(principalTypeWithAllClusterAdministrator).atLeastOnce();
-
     ViewEntity viewEntity = createMock(ViewEntity.class);
     expect(viewEntity.getCommonName()).andReturn("TestView").atLeastOnce();
     expect(viewEntity.getVersion()).andReturn("1.2.3.4").atLeastOnce();
 
-
-
     ResourceTypeEntity resourceTypeEntity = createMock(ResourceTypeEntity.class);
     expect(resourceTypeEntity.getName()).andReturn("TestView{1.2.3.4}").atLeastOnce();
 
@@ -360,38 +359,56 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
     ViewInstanceEntity viewInstanceEntity = createMock(ViewInstanceEntity.class);
     expect(viewInstanceEntity.getViewEntity()).andReturn(viewEntity).atLeastOnce();
     expect(viewInstanceEntity.getName()).andReturn("Test View").atLeastOnce();
-    expect(viewInstanceEntity.getClusterHandle()).andReturn(1L).atLeastOnce();
-    expect(viewInstanceEntity.getResource()).andReturn(resourceEntity).atLeastOnce();
 
-    PrivilegeEntity privilegeEntityViewWithClusterAdminAccess = createMock(PrivilegeEntity.class);
-    expect(privilegeEntityViewWithClusterAdminAccess.getPrincipal()).andReturn(principalEntityWithAllClusterAdministrator).atLeastOnce();
+    PrivilegeEntity explicitPrivilegeEntity = createMock(PrivilegeEntity.class);
+    expect(explicitPrivilegeEntity.getId()).andReturn(1).atLeastOnce();
+    expect(explicitPrivilegeEntity.getPermission()).andReturn(permissionEntity).atLeastOnce();
+    expect(explicitPrivilegeEntity.getPrincipal()).andReturn(principalEntity).atLeastOnce();
+    expect(explicitPrivilegeEntity.getResource()).andReturn(resourceEntity).atLeastOnce();
 
-    PrivilegeEntity privilegeEntity = createMock(PrivilegeEntity.class);
-    expect(privilegeEntity.getId()).andReturn(1).atLeastOnce();
-    expect(privilegeEntity.getPermission()).andReturn(permissionEntity).atLeastOnce();
-    expect(privilegeEntity.getPrincipal()).andReturn(principalEntity).atLeastOnce();
-    expect(privilegeEntity.getResource()).andReturn(resourceEntity).atLeastOnce();
-
-    expect(principalEntity.getPrivileges()).andReturn(Sets.newHashSet(privilegeEntity)).atLeastOnce();
+    PrivilegeEntity implicitPrivilegeEntity = createMock(PrivilegeEntity.class);
+    expect(implicitPrivilegeEntity.getId()).andReturn(2).atLeastOnce();
+    expect(implicitPrivilegeEntity.getPermission()).andReturn(permissionEntity).atLeastOnce();
+    expect(implicitPrivilegeEntity.getPrincipal()).andReturn(rolePrincipalEntity).atLeastOnce();
+    expect(implicitPrivilegeEntity.getResource()).andReturn(resourceEntity).atLeastOnce();
 
     UserEntity userEntity = createMock(UserEntity.class);
     expect(userEntity.getUserName()).andReturn("jdoe").atLeastOnce();
     expect(userEntity.getPrincipal()).andReturn(principalEntity).atLeastOnce();
-    expect(userEntity.getMemberEntities()).andReturn(Sets.<MemberEntity>newHashSet()).atLeastOnce();
 
     ClusterDAO clusterDAO = createMock(ClusterDAO.class);
     GroupDAO groupDAO = createMock(GroupDAO.class);
 
     ViewInstanceDAO viewInstanceDAO = createMock(ViewInstanceDAO.class);
     expect(viewInstanceDAO.findByResourceId(1L)).andReturn(viewInstanceEntity).atLeastOnce();
-    expect(viewInstanceDAO.findAll()).andReturn(Lists.newArrayList(viewInstanceEntity)).atLeastOnce();
 
     final UserDAO userDAO = createNiceMock(UserDAO.class);
     expect(userDAO.findLocalUserByName("jdoe")).andReturn(userEntity).anyTimes();
     expect(userDAO.findUserByPrincipal(anyObject(PrincipalEntity.class))).andReturn(userEntity).anyTimes();
 
-    PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
-    expect(privilegeDAO.findByResourceId(1L)).andReturn(Lists.newArrayList(privilegeEntity, privilegeEntityViewWithClusterAdminAccess)).anyTimes();
+    final PrivilegeDAO privilegeDAO = createMock(PrivilegeDAO.class);
+    final MemberDAO memberDAO = createMock(MemberDAO.class);
+
+    final TestUsers users = new TestUsers();
+    users.setPrivilegeDAO(privilegeDAO);
+    users.setMemberDAO(memberDAO);
+
+    List<PrincipalEntity> rolePrincipals = new LinkedList<PrincipalEntity>();
+    rolePrincipals.add(rolePrincipalEntity);
+
+    List<PrincipalEntity> userPrincipals = new LinkedList<PrincipalEntity>();
+    userPrincipals.add(principalEntity);
+
+    expect(privilegeDAO.findAllByPrincipal(userPrincipals)).
+        andReturn(Collections.singletonList(explicitPrivilegeEntity))
+        .once();
+    // Implicit privileges...
+    expect(privilegeDAO.findAllByPrincipal(rolePrincipals)).
+        andReturn(Collections.singletonList(implicitPrivilegeEntity))
+        .once();
+    expect(memberDAO.findAllMembersByUser(userEntity)).
+        andReturn(Collections.<MemberEntity>emptyList())
+        .atLeastOnce();
 
     replayAll();
 
@@ -404,7 +421,7 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
     TestAuthenticationFactory.createClusterAdministrator("jdoe", 2L);
     Request request = PropertyHelper.getReadRequest(propertyIds);
 
-    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
     UserPrivilegeResourceProvider provider = new UserPrivilegeResourceProvider();
     Set<Resource> resources = provider.getResources(request, predicate);
 
@@ -424,7 +441,6 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
     final GroupDAO groupDAO = createNiceMock(GroupDAO.class);
     final ClusterDAO clusterDAO = createNiceMock(ClusterDAO.class);
     final ViewInstanceDAO viewInstanceDAO = createNiceMock(ViewInstanceDAO.class);
-    final PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
     final UserEntity userEntity = createNiceMock(UserEntity.class);
     final PrincipalEntity principalEntity = createNiceMock(PrincipalEntity.class);
     final PrivilegeEntity privilegeEntity = createNiceMock(PrivilegeEntity.class);
@@ -432,7 +448,22 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
     final PrincipalTypeEntity principalTypeEntity = createNiceMock(PrincipalTypeEntity.class);
     final ResourceEntity resourceEntity = createNiceMock(ResourceEntity.class);
     final ResourceTypeEntity resourceTypeEntity = createNiceMock(ResourceTypeEntity.class);
-
+    final PrivilegeDAO privilegeDAO = createMock(PrivilegeDAO.class);
+    final MemberDAO memberDAO = createMock(MemberDAO.class);
+
+    final TestUsers users = new TestUsers();
+    users.setPrivilegeDAO(privilegeDAO);
+    users.setMemberDAO(memberDAO);
+
+    List<PrincipalEntity> userPrincipals = new LinkedList<PrincipalEntity>();
+    userPrincipals.add(principalEntity);
+
+    expect(privilegeDAO.findAllByPrincipal(userPrincipals)).
+        andReturn(Collections.singletonList(privilegeEntity))
+        .atLeastOnce();
+    expect(memberDAO.findAllMembersByUser(userEntity)).
+        andReturn(Collections.<MemberEntity>emptyList())
+        .atLeastOnce();
     expect(userDAO.findLocalUserByName(requestedUsername)).andReturn(userEntity).anyTimes();
     expect(userEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
     expect(userEntity.getMemberEntities()).andReturn(Collections.<MemberEntity>emptySet()).anyTimes();
@@ -454,7 +485,7 @@ public class UserPrivilegeResourceProviderTest extends EasyMockSupport {
 
     replayAll();
 
-    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, privilegeDAO);
+    UserPrivilegeResourceProvider.init(userDAO, clusterDAO, groupDAO, viewInstanceDAO, users);
 
     final Set<String> propertyIds = new HashSet<String>();
     propertyIds.add(UserPrivilegeResourceProvider.PRIVILEGE_USER_NAME_PROPERTY_ID);

ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProviderTest.java

@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -30,7 +30,6 @@ import org.apache.ambari.server.orm.dao.ResourceTypeDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
 import org.apache.ambari.server.orm.dao.ViewDAO;
 import org.apache.ambari.server.orm.dao.ViewInstanceDAO;
-import org.apache.ambari.server.orm.entities.GroupEntity;
 import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.apache.ambari.server.orm.entities.PrincipalEntity;
 import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
@@ -53,7 +52,6 @@ import org.junit.BeforeClass;
 import org.junit.Test;
 import org.springframework.security.core.context.SecurityContextHolder;
 
-import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Set;
@@ -146,7 +144,6 @@ public class ViewPrivilegeResourceProviderTest {
     expect(permissionDAO.findById(PermissionEntity.VIEW_USER_PERMISSION)).andReturn(permissionEntity);
 
     expect(userDAO.findUsersByPrincipal(principalEntities)).andReturn(userEntities);
-    expect(groupDAO.findGroupsByPrincipal(principalEntities)).andReturn(Collections.<GroupEntity>emptyList());
 
     replay(privilegeDAO, userDAO, groupDAO, principalDAO, permissionDAO, resourceDAO, privilegeEntity, resourceEntity,
         userEntity, principalEntity, permissionEntity, principalTypeEntity);

ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java

@@ -362,72 +362,6 @@ public class AuthorizationHelperTest  extends EasyMockSupport {
   }
 
   @Test
-  public void testIsAuthorizedForClusterInheritedPermission() {
-
-    ResourceTypeEntity clusterResourceTypeEntity = new ResourceTypeEntity();
-    clusterResourceTypeEntity.setId(1);
-    clusterResourceTypeEntity.setName(ResourceType.CLUSTER.name());
-
-    ResourceEntity clusterResourceEntity = new ResourceEntity();
-    clusterResourceEntity.setResourceType(clusterResourceTypeEntity);
-    clusterResourceEntity.setId(1L);
-
-    PermissionEntity clusterPermissionEntity = new PermissionEntity();
-    clusterPermissionEntity.setPermissionName("CLUSTER.ADMINISTRATOR");
-
-    RoleAuthorizationEntity readOnlyRoleAuthorizationEntity = new RoleAuthorizationEntity();
-    readOnlyRoleAuthorizationEntity.setAuthorizationId(RoleAuthorization.CLUSTER_VIEW_METRICS.getId());
-
-    RoleAuthorizationEntity privilegedRoleAuthorizationEntity = new RoleAuthorizationEntity();
-    privilegedRoleAuthorizationEntity.setAuthorizationId(RoleAuthorization.CLUSTER_TOGGLE_KERBEROS.getId());
-
-
-    clusterPermissionEntity.setAuthorizations(Arrays.asList(readOnlyRoleAuthorizationEntity,
-      privilegedRoleAuthorizationEntity));
-
-    PrivilegeEntity clusterPrivilegeEntity = new PrivilegeEntity();
-    clusterPrivilegeEntity.setPermission(clusterPermissionEntity);
-    clusterPrivilegeEntity.setResource(clusterResourceEntity);
-
-    GrantedAuthority clusterAuthority = new AmbariGrantedAuthority(clusterPrivilegeEntity);
-    Authentication clusterUser = new TestAuthentication(Collections.singleton(clusterAuthority));
-
-
-    Provider viewInstanceDAOProvider = createNiceMock(Provider.class);
-    Provider privilegeDAOProvider = createNiceMock(Provider.class);
-
-    ViewInstanceDAO viewInstanceDAO = createNiceMock(ViewInstanceDAO.class);
-    PrivilegeDAO privilegeDAO = createNiceMock(PrivilegeDAO.class);
-
-    ViewInstanceEntity viewInstanceEntity = createNiceMock(ViewInstanceEntity.class);
-    expect(viewInstanceEntity.getClusterHandle()).andReturn(1L).anyTimes();
-
-    PrivilegeEntity privilegeEntity = createNiceMock(PrivilegeEntity.class);
-    PrincipalEntity principalEntity = createNiceMock(PrincipalEntity.class);
-    PrincipalTypeEntity principalTypeEntity = createNiceMock(PrincipalTypeEntity.class);
-
-    expect(viewInstanceDAOProvider.get()).andReturn(viewInstanceDAO).anyTimes();
-    expect(privilegeDAOProvider.get()).andReturn(privilegeDAO).anyTimes();
-
-    expect(viewInstanceDAO.findByResourceId(2L)).andReturn(viewInstanceEntity).anyTimes();
-
-    expect(privilegeDAO.findByResourceId(2L)).andReturn(Lists.newArrayList(privilegeEntity)).anyTimes();
-
-    expect(principalTypeEntity.getName()).andReturn("ALL.CLUSTER.ADMINISTRATOR").anyTimes();
-    expect(principalEntity.getPrincipalType()).andReturn(principalTypeEntity).anyTimes();
-    expect(privilegeEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
-
-    replayAll();
-
-    AuthorizationHelper.viewInstanceDAOProvider = viewInstanceDAOProvider;
-    AuthorizationHelper.privilegeDAOProvider = privilegeDAOProvider;
-
-    SecurityContext context = SecurityContextHolder.getContext();
-    context.setAuthentication(clusterUser);
-
-    assertTrue(AuthorizationHelper.isAuthorized(ResourceType.VIEW, 2L, EnumSet.of(RoleAuthorization.VIEW_USE)));
-  }
-
   public void testIsAuthorizedForSpecificView() {
     RoleAuthorizationEntity readOnlyRoleAuthorizationEntity = new RoleAuthorizationEntity();
     readOnlyRoleAuthorizationEntity.setAuthorizationId(RoleAuthorization.CLUSTER_VIEW_METRICS.getId());

ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog242Test.java

@@ -21,6 +21,8 @@ package org.apache.ambari.server.upgrade;
 import javax.persistence.EntityManager;
 import junit.framework.Assert;
 import static org.easymock.EasyMock.aryEq;
+
+import static org.easymock.EasyMock.anyString;
 import static org.easymock.EasyMock.capture;
 import static org.easymock.EasyMock.createMockBuilder;
 import static org.easymock.EasyMock.createNiceMock;
@@ -34,7 +36,13 @@ import static org.easymock.EasyMock.reset;
 import static org.easymock.EasyMock.verify;
 
 import java.lang.reflect.Method;
+import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
 
+import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.api.services.AmbariMetaInfo;
 import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.controller.AmbariManagementController;
@@ -44,12 +52,22 @@ import org.apache.ambari.server.orm.InMemoryDefaultTestModule;
 import org.apache.ambari.server.orm.dao.ClusterDAO;
 import org.apache.ambari.server.orm.dao.ClusterVersionDAO;
 import org.apache.ambari.server.orm.dao.HostVersionDAO;
+import org.apache.ambari.server.orm.dao.PermissionDAO;
+import org.apache.ambari.server.orm.dao.PrincipalDAO;
+import org.apache.ambari.server.orm.dao.PrincipalTypeDAO;
+import org.apache.ambari.server.orm.dao.PrivilegeDAO;
 import org.apache.ambari.server.orm.dao.RepositoryVersionDAO;
 import org.apache.ambari.server.orm.dao.StackDAO;
+import org.apache.ambari.server.orm.entities.PermissionEntity;
+import org.apache.ambari.server.orm.entities.PrincipalEntity;
+import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
+import org.apache.ambari.server.orm.entities.PrivilegeEntity;
+import org.apache.ambari.server.orm.entities.ResourceEntity;
 import org.apache.ambari.server.orm.entities.StackEntity;
 import org.apache.ambari.server.state.stack.OsFamily;
 import org.easymock.Capture;
 import org.easymock.EasyMock;
+import org.easymock.EasyMockSupport;
 import org.easymock.IMocksControl;
 import org.junit.After;
 import org.junit.Before;
@@ -219,16 +237,19 @@ public class UpgradeCatalog242Test {
   @Test
   public void testExecuteDMLUpdates() throws Exception {
     Method addNewConfigurationsFromXml = AbstractUpgradeCatalog.class.getDeclaredMethod("addNewConfigurationsFromXml");
-
+    Method convertRolePrincipals = UpgradeCatalog242.class.getDeclaredMethod("convertRolePrincipals");
 
     UpgradeCatalog242 upgradeCatalog242 = createMockBuilder(UpgradeCatalog242.class)
-            .addMockedMethod(addNewConfigurationsFromXml)
-            .createMock();
+        .addMockedMethod(addNewConfigurationsFromXml)
+        .addMockedMethod(convertRolePrincipals)
+        .createMock();
 
 
     upgradeCatalog242.addNewConfigurationsFromXml();
     expectLastCall().once();
 
+    upgradeCatalog242.convertRolePrincipals();
+    expectLastCall().once();
 
     replay(upgradeCatalog242);
 
@@ -236,4 +257,111 @@ public class UpgradeCatalog242Test {
 
     verify(upgradeCatalog242);
   }
+
+  @Test
+  public void testConvertRolePrincipals() throws AmbariException, SQLException {
+
+    EasyMockSupport easyMockSupport = new EasyMockSupport();
+
+    PrincipalEntity clusterAdministratorPrincipalEntity = easyMockSupport.createMock(PrincipalEntity.class);
+
+    PermissionEntity clusterAdministratorPermissionEntity = easyMockSupport.createMock(PermissionEntity.class);
+    expect(clusterAdministratorPermissionEntity.getPrincipal())
+        .andReturn(clusterAdministratorPrincipalEntity)
+        .once();
+
+    PrincipalTypeEntity allClusterAdministratorPrincipalTypeEntity = easyMockSupport.createMock(PrincipalTypeEntity.class);
+
+    PermissionDAO permissionDAO = easyMockSupport.createMock(PermissionDAO.class);
+    expect(permissionDAO.findByName("CLUSTER.ADMINISTRATOR"))
+        .andReturn(clusterAdministratorPermissionEntity)
+        .once();
+    expect(permissionDAO.findByName(anyString()))
+        .andReturn(null)
+        .anyTimes();
+
+    PrincipalTypeDAO principalTypeDAO = easyMockSupport.createMock(PrincipalTypeDAO.class);
+    expect(principalTypeDAO.findByName("ALL.CLUSTER.ADMINISTRATOR"))
+        .andReturn(allClusterAdministratorPrincipalTypeEntity)
+        .once();
+    expect(principalTypeDAO.findByName(anyString()))
+        .andReturn(null)
+        .anyTimes();
+    principalTypeDAO.remove(allClusterAdministratorPrincipalTypeEntity);
+    expectLastCall().once();
+
+    ResourceEntity allClusterAdministratorPrivilege1Resource = easyMockSupport.createMock(ResourceEntity.class);
+    expect(allClusterAdministratorPrivilege1Resource.getId()).andReturn(1L).once();
+
+    PrincipalEntity allClusterAdministratorPrivilege1Principal = easyMockSupport.createMock(PrincipalEntity.class);
+    expect(allClusterAdministratorPrivilege1Principal.getId()).andReturn(1L).once();
+
+    PermissionEntity allClusterAdministratorPrivilege1Permission = easyMockSupport.createMock(PermissionEntity.class);
+    expect(allClusterAdministratorPrivilege1Permission.getId()).andReturn(1).once();
+
+    PrivilegeEntity allClusterAdministratorPrivilege1  = easyMockSupport.createMock(PrivilegeEntity.class);
+    expect(allClusterAdministratorPrivilege1.getId()).andReturn(1).atLeastOnce();
+    expect(allClusterAdministratorPrivilege1.getResource()).andReturn(allClusterAdministratorPrivilege1Resource).once();
+    expect(allClusterAdministratorPrivilege1.getPrincipal()).andReturn(allClusterAdministratorPrivilege1Principal).once();
+    expect(allClusterAdministratorPrivilege1.getPermission()).andReturn(allClusterAdministratorPrivilege1Permission).once();
+    allClusterAdministratorPrivilege1.setPrincipal(clusterAdministratorPrincipalEntity);
+    expectLastCall().once();
+
+    ResourceEntity allClusterAdministratorPrivilege2Resource = easyMockSupport.createMock(ResourceEntity.class);
+    expect(allClusterAdministratorPrivilege2Resource.getId()).andReturn(2L).once();
+
+    PrincipalEntity allClusterAdministratorPrivilege2Principal = easyMockSupport.createMock(PrincipalEntity.class);
+    expect(allClusterAdministratorPrivilege2Principal.getId()).andReturn(2L).once();
+
+    PermissionEntity allClusterAdministratorPrivilege2Permission = easyMockSupport.createMock(PermissionEntity.class);
+    expect(allClusterAdministratorPrivilege2Permission.getId()).andReturn(2).once();
+
+    PrivilegeEntity allClusterAdministratorPrivilege2  = easyMockSupport.createMock(PrivilegeEntity.class);
+    expect(allClusterAdministratorPrivilege2.getId()).andReturn(2).atLeastOnce();
+    expect(allClusterAdministratorPrivilege2.getResource()).andReturn(allClusterAdministratorPrivilege2Resource).once();
+    expect(allClusterAdministratorPrivilege2.getPrincipal()).andReturn(allClusterAdministratorPrivilege2Principal).once();
+    expect(allClusterAdministratorPrivilege2.getPermission()).andReturn(allClusterAdministratorPrivilege2Permission).once();
+    allClusterAdministratorPrivilege2.setPrincipal(clusterAdministratorPrincipalEntity);
+    expectLastCall().once();
+
+    Set<PrivilegeEntity> allClusterAdministratorPrivileges = new HashSet<PrivilegeEntity>();
+    allClusterAdministratorPrivileges.add(allClusterAdministratorPrivilege1);
+    allClusterAdministratorPrivileges.add(allClusterAdministratorPrivilege2);
+
+    PrincipalEntity allClusterAdministratorPrincipalEntity = easyMockSupport.createMock(PrincipalEntity.class);
+    expect(allClusterAdministratorPrincipalEntity.getPrivileges())
+        .andReturn(allClusterAdministratorPrivileges)
+        .once();
+
+    List<PrincipalEntity> allClusterAdministratorPrincipals = new ArrayList<PrincipalEntity>();
+    allClusterAdministratorPrincipals.add(allClusterAdministratorPrincipalEntity);
+
+    PrincipalDAO principalDAO = easyMockSupport.createMock(PrincipalDAO.class);
+    expect(principalDAO.findByPrincipalType("ALL.CLUSTER.ADMINISTRATOR"))
+        .andReturn(allClusterAdministratorPrincipals)
+        .once();
+    principalDAO.remove(allClusterAdministratorPrincipalEntity);
+    expectLastCall().once();
+
+
+    PrivilegeDAO privilegeDAO = easyMockSupport.createMock(PrivilegeDAO.class);
+    expect(privilegeDAO.merge(allClusterAdministratorPrivilege1))
+        .andReturn(allClusterAdministratorPrivilege1)
+        .once();
+    expect(privilegeDAO.merge(allClusterAdministratorPrivilege2))
+        .andReturn(allClusterAdministratorPrivilege2)
+        .once();
+
+    Injector injector = easyMockSupport.createNiceMock(Injector.class);
+    expect(injector.getInstance(PrincipalTypeDAO.class)).andReturn(principalTypeDAO).atLeastOnce();
+    expect(injector.getInstance(PrincipalDAO.class)).andReturn(principalDAO).atLeastOnce();
+    expect(injector.getInstance(PermissionDAO.class)).andReturn(permissionDAO).atLeastOnce();
+    expect(injector.getInstance(PrivilegeDAO.class)).andReturn(privilegeDAO).atLeastOnce();
+
+    easyMockSupport.replayAll();
+    UpgradeCatalog242 upgradeCatalog = new UpgradeCatalog242(injector);
+    injector.injectMembers(upgradeCatalog);
+    upgradeCatalog.convertRolePrincipals();
+    easyMockSupport.verifyAll();
+  }
 }

ambari-server/src/test/java/org/apache/ambari/server/view/configuration/AutoInstanceConfigTest.java

@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -22,9 +22,8 @@ import junit.framework.Assert;
 import org.junit.Test;
 
 import javax.xml.bind.JAXBException;
-import java.util.LinkedList;
+import java.util.Collection;
 import java.util.List;
-import java.util.Set;
 
 import static org.junit.Assert.*;
 
@@ -75,7 +74,7 @@ public class AutoInstanceConfigTest {
       "        </property>\n" +
       "        <stack-id>HDP-2.0</stack-id>\n" +
       "        <services><service>HIVE</service><service>HDFS</service></services>\n" +
-      "        <permissions>ALL.CLUSTER.OPERATOR, ALL.CLUSTER.USER</permissions>\n" +
+      "        <roles><role>CLUSTER.OPERATOR </role><role> CLUSTER.USER</role></roles>\n" +
       "    </auto-instance>\n" +
       "</view>";
 
@@ -113,13 +112,13 @@ public class AutoInstanceConfigTest {
   @Test
   public void shouldParseClusterInheritedPermissions() throws Exception {
     AutoInstanceConfig config = getAutoInstanceConfigs(VIEW_XML);
-    List<String> permissions = config.getPermissions();
-    assertEquals(2, permissions.size());
-    assertTrue(permissions.contains("ALL.CLUSTER.OPERATOR"));
-    assertTrue(permissions.contains("ALL.CLUSTER.USER"));
+    Collection<String> roles = config.getRoles();
+    assertEquals(2, roles.size());
+    assertTrue(roles.contains("CLUSTER.OPERATOR"));
+    assertTrue(roles.contains("CLUSTER.USER"));
   }
 
-  public static AutoInstanceConfig getAutoInstanceConfigs(String xml) throws JAXBException {
+  private static AutoInstanceConfig getAutoInstanceConfigs(String xml) throws JAXBException {
     ViewConfig config = ViewConfigTest.getConfig(xml);
     return config.getAutoInstance();
   }