AMBARI-6984. Completely remove admin role from ambari.

ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java

@@ -149,10 +149,6 @@ public class Configuration {
       "authorization.ldap.adminGroupMappingRules";
   public static final String LDAP_GROUP_SEARCH_FILTER_KEY =
       "authorization.ldap.groupSearchFilter";
-  public static final String USER_ROLE_NAME_KEY =
-      "authorization.userRoleName";
-  public static final String ADMIN_ROLE_NAME_KEY =
-      "authorization.adminRoleName";
   public static final String SERVER_EC_CACHE_SIZE = "server.ecCacheSize";
   public static final String SERVER_STALE_CONFIG_CACHE_ENABLED_KEY =
     "server.cache.isStale.enabled";
@@ -349,10 +345,6 @@ public class Configuration {
         PASSPHRASE_ENV_KEY, PASSPHRASE_ENV_DEFAULT));
     configsMap.put(PASSPHRASE_KEY, System.getenv(configsMap.get(
         PASSPHRASE_ENV_KEY)));
-    configsMap.put(USER_ROLE_NAME_KEY, properties.getProperty(
-        USER_ROLE_NAME_KEY, USER_ROLE_NAME_DEFAULT));
-    configsMap.put(ADMIN_ROLE_NAME_KEY, properties.getProperty(
-        ADMIN_ROLE_NAME_KEY, ADMIN_ROLE_NAME_DEFAULT));
     configsMap.put(RESOURCES_DIR_KEY, properties.getProperty(
         RESOURCES_DIR_KEY, RESOURCES_DIR_DEFAULT));
     configsMap.put(SRVR_CRT_PASS_LEN_KEY, properties.getProperty(

ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java

@@ -457,7 +457,7 @@ public class AmbariServer {
   }
 
   /**
-   * Creates default users and roles if in-memory database is used
+   * Creates default users if in-memory database is used
    */
   @Transactional
   protected void initDB() {
@@ -465,7 +465,6 @@ public class AmbariServer {
       LOG.info("Database init needed - creating default data");
       Users users = injector.getInstance(Users.class);
 
-      users.createDefaultRoles();
       users.createUser("admin", "admin", true, true);
       users.createUser("user", "user", true, false);
 

ambari-server/src/main/java/org/apache/ambari/server/orm/dao/PrincipalDAO.java

@@ -22,10 +22,11 @@ import com.google.inject.Inject;
 import com.google.inject.Provider;
 import com.google.inject.Singleton;
 import com.google.inject.persist.Transactional;
-import org.apache.ambari.server.orm.entities.PrincipalEntity;
 
+import org.apache.ambari.server.orm.entities.PrincipalEntity;
 import javax.persistence.EntityManager;
 import javax.persistence.TypedQuery;
+
 import java.util.List;
 
 /**
@@ -44,7 +45,6 @@ public class PrincipalDAO {
   /**
    * Find a principal with the given id.
    *
-   *
    * @param id  type id
    *
    * @return  a matching principal type  or null
@@ -63,6 +63,18 @@ public class PrincipalDAO {
     return daoUtils.selectList(query);
   }
 
+  /**
+   * Find principals having specified permission.
+   *
+   * @param id permission id
+   * @return all principals having specified permission
+   */
+  public List<PrincipalEntity> findByPermissionId(Integer id) {
+    TypedQuery<PrincipalEntity> query = entityManagerProvider.get().createNamedQuery("principalByPrivilegeId", PrincipalEntity.class);
+    query.setParameter("permission_id", id);
+    return daoUtils.selectList(query);
+  }
+
   /**
    * Make an instance managed and persistent.
    *

ambari-server/src/main/java/org/apache/ambari/server/orm/dao/RoleDAO.java

@@ -1,69 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.ambari.server.orm.dao;
-
-import com.google.inject.Inject;
-import com.google.inject.Provider;
-import com.google.inject.Singleton;
-import com.google.inject.persist.Transactional;
-import org.apache.ambari.server.orm.RequiresSession;
-import org.apache.ambari.server.orm.entities.RoleEntity;
-
-import javax.persistence.EntityManager;
-import java.util.List;
-
-@Singleton
-public class RoleDAO {
-
-  @Inject
-  Provider<EntityManager> entityManagerProvider;
-  @Inject
-  DaoUtils daoUtils;
-
-  @RequiresSession
-  public RoleEntity findByName(String roleName) {
-    return entityManagerProvider.get().find(RoleEntity.class, roleName.toLowerCase());
-  }
-
-  @RequiresSession
-  public List<RoleEntity> findAll() {
-    return daoUtils.selectAll(entityManagerProvider.get(), RoleEntity.class);
-  }
-
-  @Transactional
-  public void create(RoleEntity role) {
-    role.setRoleName(role.getRoleName().toLowerCase());
-    entityManagerProvider.get().persist(role);
-  }
-
-  @Transactional
-  public RoleEntity merge(RoleEntity role) {
-    return entityManagerProvider.get().merge(role);
-  }
-
-  @Transactional
-  public void remove(RoleEntity role) {
-    entityManagerProvider.get().remove(merge(role));
-  }
-
-  @Transactional
-  public void removeByName(String roleName) {
-    remove(findByName(roleName));
-  }
-
-}

ambari-server/src/main/java/org/apache/ambari/server/orm/dao/UserDAO.java

@@ -30,7 +30,6 @@ import javax.persistence.NoResultException;
 import javax.persistence.TypedQuery;
 import java.util.Collections;
 import java.util.List;
-import org.apache.ambari.server.orm.entities.RoleEntity;
 
 @Singleton
 public class UserDAO {
@@ -51,13 +50,6 @@ public class UserDAO {
     return daoUtils.selectList(query);
   }
 
-  @RequiresSession
-  public List<UserEntity> findAllLocalUsersByRole(RoleEntity roleEntity) {
-    TypedQuery<UserEntity> query = entityManagerProvider.get().createQuery("SELECT role.userEntities FROM RoleEntity role WHERE role = :roleEntity", UserEntity.class);
-    query.setParameter("roleEntity", roleEntity);
-    return query.getResultList();
-  }
-
   @RequiresSession
   public UserEntity findLocalUserByName(String userName) {
     TypedQuery<UserEntity> query = entityManagerProvider.get().createNamedQuery("localUserByName", UserEntity.class);

ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PrincipalEntity.java

@@ -29,6 +29,8 @@ import javax.persistence.Id;
 import javax.persistence.JoinColumn;
 import javax.persistence.JoinColumns;
 import javax.persistence.ManyToOne;
+import javax.persistence.NamedQueries;
+import javax.persistence.NamedQuery;
 import javax.persistence.OneToMany;
 import javax.persistence.Table;
 import javax.persistence.TableGenerator;
@@ -44,6 +46,9 @@ import javax.persistence.TableGenerator;
     , initialValue = 2
     , allocationSize = 1
 )
+@NamedQueries({
+  @NamedQuery(name = "principalByPrivilegeId", query = "SELECT principal FROM PrincipalEntity principal JOIN principal.privileges privilege WHERE privilege.permission.id=:permission_id")
+})
 public class PrincipalEntity {
 
   /**

ambari-server/src/main/java/org/apache/ambari/server/orm/entities/RoleEntity.java

@@ -1,70 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.ambari.server.orm.entities;
-
-import javax.persistence.*;
-import java.util.Set;
-
-@javax.persistence.Table(name = "roles")
-@Entity
-public class RoleEntity {
-
-  @Column(name = "role_name")
-  @Id
-  private String roleName;
-
-  @JoinTable(name = "user_roles",
-      joinColumns = {@JoinColumn(name = "role_name", referencedColumnName = "role_name")},
-      inverseJoinColumns = {@JoinColumn(name = "user_id", referencedColumnName = "user_id")})
-  @ManyToMany(cascade = CascadeType.ALL)
-  private Set<UserEntity> userEntities;
-
-  public String getRoleName() {
-    return roleName;
-  }
-
-  public void setRoleName(String roleName) {
-    this.roleName = roleName;
-  }
-
-  @Override
-  public boolean equals(Object o) {
-    if (this == o) return true;
-    if (o == null || getClass() != o.getClass()) return false;
-
-    RoleEntity that = (RoleEntity) o;
-
-    if (roleName != null ? !roleName.equals(that.roleName) : that.roleName != null) return false;
-
-    return true;
-  }
-
-  @Override
-  public int hashCode() {
-    return roleName != null ? roleName.hashCode() : 0;
-  }
-
-  public Set<org.apache.ambari.server.orm.entities.UserEntity> getUserEntities() {
-    return userEntities;
-  }
-
-  public void setUserEntities(Set<org.apache.ambari.server.orm.entities.UserEntity> userEntities) {
-    this.userEntities = userEntities;
-  }
-}

ambari-server/src/main/java/org/apache/ambari/server/orm/entities/UserEntity.java

@@ -59,9 +59,6 @@ public class UserEntity {
   @Column(name = "active")
   private Integer active = 1;
 
-  @ManyToMany(mappedBy = "userEntities")
-  private Set<RoleEntity> roleEntities;
-
   @OneToMany(mappedBy = "user", cascade = CascadeType.ALL)
   private Set<MemberEntity> memberEntities;
 
@@ -118,14 +115,6 @@ public class UserEntity {
     this.createTime = createTime;
   }
 
-  public Set<RoleEntity> getRoleEntities() {
-    return roleEntities;
-  }
-
-  public void setRoleEntities(Set<RoleEntity> roleEntities) {
-    this.roleEntities = roleEntities;
-  }
-
   public Set<MemberEntity> getMemberEntities() {
     return memberEntities;
   }

ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java

@@ -18,19 +18,12 @@
 package org.apache.ambari.server.security.authorization;
 
 import com.google.inject.Inject;
-import com.google.inject.persist.Transactional;
-import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.orm.dao.MemberDAO;
-import org.apache.ambari.server.orm.dao.PrincipalDAO;
-import org.apache.ambari.server.orm.dao.PrincipalTypeDAO;
 import org.apache.ambari.server.orm.dao.PrivilegeDAO;
-import org.apache.ambari.server.orm.dao.RoleDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
 import org.apache.ambari.server.orm.entities.MemberEntity;
 import org.apache.ambari.server.orm.entities.PrincipalEntity;
-import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
 import org.apache.ambari.server.orm.entities.PrivilegeEntity;
-import org.apache.ambari.server.orm.entities.RoleEntity;
 import org.apache.ambari.server.orm.entities.UserEntity;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -39,6 +32,7 @@ import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
 
 import java.util.Collection;
+import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
 
@@ -48,61 +42,31 @@ import java.util.List;
 public class AmbariLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {
   private static final Logger log = LoggerFactory.getLogger(AmbariLdapAuthoritiesPopulator.class);
 
-  Configuration configuration;
   private AuthorizationHelper authorizationHelper;
   UserDAO userDAO;
-  RoleDAO roleDAO;
-  PrincipalDAO principalDAO;
-  PrincipalTypeDAO principalTypeDAO;
   MemberDAO memberDAO;
   PrivilegeDAO privilegeDAO;
 
-  private static final String AMBARI_ADMIN_LDAP_ATTRIBUTE_KEY = "ambari_admin";
-
   @Inject
-  public AmbariLdapAuthoritiesPopulator(Configuration configuration, AuthorizationHelper authorizationHelper,
-                                        UserDAO userDAO, RoleDAO roleDAO,
-                                        PrincipalDAO principalDAO, PrincipalTypeDAO principalTypeDAO,
-                                        MemberDAO memberDAO, PrivilegeDAO privilegeDAO) {
-    this.configuration = configuration;
+  public AmbariLdapAuthoritiesPopulator(AuthorizationHelper authorizationHelper,
+                                        UserDAO userDAO, MemberDAO memberDAO, PrivilegeDAO privilegeDAO) {
     this.authorizationHelper = authorizationHelper;
     this.userDAO = userDAO;
-    this.roleDAO = roleDAO;
-    this.principalDAO = principalDAO;
-    this.principalTypeDAO = principalTypeDAO;
     this.memberDAO = memberDAO;
     this.privilegeDAO = privilegeDAO;
   }
 
   @Override
   public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) {
-    log.info("Get roles for user " + username + " from local DB");
+    log.info("Get authorities for user " + username + " from local DB");
 
     UserEntity user;
 
     user = userDAO.findLdapUserByName(username);
 
     if (user == null) {
-      log.info("User " + username + " not present in local DB - creating");
-
-      createLdapUser(username);
-      user = userDAO.findLdapUserByName(username);
-    }
-
-    //don't remove admin role from user if group mapping was not configured
-    if (configuration.getLdapServerProperties().isGroupMappingEnabled()) {
-      //Adding an "admin" user role if user is a member of ambari administrators
-      // LDAP group
-      Boolean isAdmin =
-          (Boolean) userData.getObjectAttribute(AMBARI_ADMIN_LDAP_ATTRIBUTE_KEY);
-      if ((isAdmin != null) && isAdmin) {
-        log.info("Adding admin role to LDAP user " + username);
-        addRole(user, configuration.getConfigsMap().
-            get(Configuration.ADMIN_ROLE_NAME_KEY));
-      } else {
-        removeRole(user, configuration.getConfigsMap().
-            get(Configuration.ADMIN_ROLE_NAME_KEY));
-      }
+      log.error("Can't get authorities for user " + username + ", he is not present in local DB");
+      return Collections.emptyList();
     }
 
     // get all of the privileges for the user
@@ -120,90 +84,4 @@ public class AmbariLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
 
     return authorizationHelper.convertPrivilegesToAuthorities(privilegeEntities);
   }
-
-  /**
-   * Creates record in local DB for LDAP user
-   * @param username - name of user to create
-   */
-  @Transactional
-  void createLdapUser(String username) {
-    // create an admin principal to represent this user
-    PrincipalTypeEntity principalTypeEntity = principalTypeDAO.findById(PrincipalTypeEntity.USER_PRINCIPAL_TYPE);
-    if (principalTypeEntity == null) {
-      principalTypeEntity = new PrincipalTypeEntity();
-      principalTypeEntity.setId(PrincipalTypeEntity.USER_PRINCIPAL_TYPE);
-      principalTypeEntity.setName(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME);
-      principalTypeDAO.create(principalTypeEntity);
-    }
-    PrincipalEntity principalEntity = new PrincipalEntity();
-    principalEntity.setPrincipalType(principalTypeEntity);
-    principalDAO.create(principalEntity);
-
-    UserEntity newUser = new UserEntity();
-    newUser.setLdapUser(true);
-    newUser.setUserName(username);
-    newUser.setPrincipal(principalEntity);
-
-    userDAO.create(newUser);
-
-    //Adding a default "user" role
-    addRole(newUser, configuration.getConfigsMap().
-        get(Configuration.USER_ROLE_NAME_KEY));
-  }
-
-  /**
-   * Adds role to user's role entities
-   * Adds user to roleName's user entities
-   *
-   * @param user - the user entity to be modified
-   * @param roleName - the role to add to user's roleEntities
-   */
-  @Transactional
-  void addRole(UserEntity user, String roleName) {
-    log.info("Using default role name " + roleName);
-
-    RoleEntity roleEntity = roleDAO.findByName(roleName);
-
-    if (roleEntity == null) {
-      log.info("Role " + roleName + " not present in local DB - creating");
-      roleEntity = new RoleEntity();
-      roleEntity.setRoleName(roleName);
-      roleDAO.create(roleEntity);
-      roleEntity = roleDAO.findByName(roleEntity.getRoleName());
-    }
-
-    UserEntity userEntity = userDAO.findLdapUserByName(user.getUserName());
-    if (userEntity == null) {
-      userDAO.create(user);
-      userEntity = userDAO.findLdapUserByName(user.getUserName());
-    }
-
-    if (!userEntity.getRoleEntities().contains(roleEntity)) {
-      userEntity.getRoleEntities().add(roleEntity);
-      roleEntity.getUserEntities().add(userEntity);
-      roleDAO.merge(roleEntity);
-      userDAO.merge(userEntity);
-    }
-  }
-
-  /**
-   * Remove role "roleName" from user "user"
-   *
-   * @param user      the user entity
-   * @param roleName  the role name
-   */
-  @Transactional
-  void removeRole(UserEntity user, String roleName) {
-    UserEntity userEntity = userDAO.findByPK(user.getUserId());
-    RoleEntity roleEntity = roleDAO.findByName(roleName);
-
-    if (userEntity.getRoleEntities().contains(roleEntity)) {
-      log.info("Removing admin role from LDAP user " + user.getUserName());
-      userEntity.getRoleEntities().remove(roleEntity);
-      roleEntity.getUserEntities().remove(userEntity);
-      userDAO.merge(userEntity);
-      roleDAO.merge(roleEntity);
-    }
-
-  }
 }

ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLocalUserDetailsService.java

@@ -22,7 +22,6 @@ import com.google.inject.Injector;
 import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.orm.dao.MemberDAO;
 import org.apache.ambari.server.orm.dao.PrivilegeDAO;
-import org.apache.ambari.server.orm.dao.RoleDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
 import org.apache.ambari.server.orm.entities.MemberEntity;
 import org.apache.ambari.server.orm.entities.PrincipalEntity;
@@ -46,19 +45,17 @@ public class AmbariLocalUserDetailsService implements UserDetailsService {
   Configuration configuration;
   private AuthorizationHelper authorizationHelper;
   UserDAO userDAO;
-  RoleDAO roleDAO;
   MemberDAO memberDAO;
   PrivilegeDAO privilegeDAO;
 
   @Inject
   public AmbariLocalUserDetailsService(Injector injector, Configuration configuration,
                                        AuthorizationHelper authorizationHelper, UserDAO userDAO,
-                                       RoleDAO roleDAO, MemberDAO memberDAO, PrivilegeDAO privilegeDAO) {
+                                       MemberDAO memberDAO, PrivilegeDAO privilegeDAO) {
     this.injector = injector;
     this.configuration = configuration;
     this.authorizationHelper = authorizationHelper;
     this.userDAO = userDAO;
-    this.roleDAO = roleDAO;
     this.memberDAO = memberDAO;
     this.privilegeDAO = privilegeDAO;
   }
@@ -79,9 +76,6 @@ public class AmbariLocalUserDetailsService implements UserDetailsService {
     if (user == null) {
       log.info("user not found ");
       throw new UsernameNotFoundException("Username " + username + " not found");
-    }else if (user.getRoleEntities().isEmpty()) {
-      log.info("No authorities for user");
-      throw new UsernameNotFoundException("Username " + username + " has no roles");
     }
 
     // get all of the privileges for the user

ambari-server/src/main/java/org/apache/ambari/server/security/authorization/User.java

@@ -24,7 +24,6 @@ import java.util.Date;
 import org.apache.ambari.server.orm.entities.MemberEntity;
 import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.apache.ambari.server.orm.entities.PrivilegeEntity;
-import org.apache.ambari.server.orm.entities.RoleEntity;
 import org.apache.ambari.server.orm.entities.UserEntity;
 
 /**
@@ -36,7 +35,6 @@ public class User {
   final boolean ldapUser;
   final Date createTime;
   final boolean active;
-  final Collection<String> roles = new ArrayList<String>();
   final Collection<String> groups = new ArrayList<String>();
   boolean admin = false;
 
@@ -46,9 +44,6 @@ public class User {
     createTime = userEntity.getCreateTime();
     ldapUser = userEntity.getLdapUser();
     active = userEntity.getActive();
-    for (RoleEntity roleEntity : userEntity.getRoleEntities()) {
-      roles.add(roleEntity.getRoleName());
-    }
     for (MemberEntity memberEntity : userEntity.getMemberEntities()) {
       groups.add(memberEntity.getGroup().getGroupName());
     }
@@ -84,10 +79,6 @@ public class User {
     return admin;
   }
 
-  public Collection<String> getRoles() {
-    return roles;
-  }
-
   public Collection<String> getGroups() {
     return groups;
   }

ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java

@@ -32,7 +32,6 @@ import org.apache.ambari.server.orm.dao.PrincipalDAO;
 import org.apache.ambari.server.orm.dao.PrincipalTypeDAO;
 import org.apache.ambari.server.orm.dao.PrivilegeDAO;
 import org.apache.ambari.server.orm.dao.ResourceDAO;
-import org.apache.ambari.server.orm.dao.RoleDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
 import org.apache.ambari.server.orm.entities.GroupEntity;
 import org.apache.ambari.server.orm.entities.MemberEntity;
@@ -40,7 +39,6 @@ import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.apache.ambari.server.orm.entities.PrincipalEntity;
 import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
 import org.apache.ambari.server.orm.entities.PrivilegeEntity;
-import org.apache.ambari.server.orm.entities.RoleEntity;
 import org.apache.ambari.server.orm.entities.UserEntity;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -65,8 +63,6 @@ public class Users {
   @Inject
   protected UserDAO userDAO;
   @Inject
-  protected RoleDAO roleDAO;
-  @Inject
   protected GroupDAO groupDAO;
   @Inject
   protected MemberDAO memberDAO;
@@ -260,27 +256,16 @@ public class Users {
     UserEntity userEntity = new UserEntity();
     userEntity.setUserName(userName);
     userEntity.setUserPassword(passwordEncoder.encode(password));
-    userEntity.setRoleEntities(new HashSet<RoleEntity>());
     userEntity.setPrincipal(principalEntity);
     if (active != null) {
       userEntity.setActive(active);
     }
 
-    RoleEntity roleEntity = roleDAO.findByName(getUserRole());
-    if (roleEntity == null) {
-      createRole(getUserRole());
-    }
-    roleEntity = roleDAO.findByName(getUserRole());
-
-    userEntity.getRoleEntities().add(roleEntity);
     userDAO.create(userEntity);
 
     if (admin != null && admin) {
       grantAdminPrivilege(userEntity.getUserId());
     }
-
-    roleEntity.getUserEntities().add(userEntity);
-    roleDAO.merge(roleEntity);
   }
 
   @Transactional
@@ -289,7 +274,7 @@ public class Users {
     if (userEntity != null) {
       if (!isUserCanBeRemoved(userEntity)){
         throw new AmbariException("Could not remove user " + userEntity.getUserName() +
-              ". System should have at least one user with administrator role.");
+              ". System should have at least one administrator.");
       }
       userDAO.remove(userEntity);
     } else {
@@ -430,58 +415,6 @@ public class Users {
     }
   }
 
-  /**
-   * Grants ADMIN role to provided user
-   * @throws AmbariException
-   */
-  public synchronized void promoteToAdmin(User user) throws AmbariException{
-    addRoleToUser(user, getAdminRole());
-  }
-
-  /**
-   * Removes ADMIN role form provided user
-   * @throws AmbariException
-   */
-  public synchronized void demoteAdmin(User user) throws AmbariException {
-    removeRoleFromUser(user, getAdminRole());
-  }
-
-  @Transactional
-  public synchronized void addRoleToUser(User user, String role)
-      throws AmbariException {
-
-    if (configuration.getLdapServerProperties().isGroupMappingEnabled() &&
-        userDAO.findLdapUserByName(user.getUserName()) != null) {
-      LOG.warn("Trying to add a role to the LDAP user"
-          + ", user=" + user.getUserName());
-      throw new AmbariException("Ldap group mapping is enabled, " +
-          "roles for LDAP users should be managed on LDAP server");
-    }
-
-    UserEntity userEntity = userDAO.findByPK(user.getUserId());
-    if (userEntity == null) {
-      throw new AmbariException("User " + user + " doesn't exist");
-    }
-
-    RoleEntity roleEntity = roleDAO.findByName(role);
-    if (roleEntity == null) {
-      LOG.warn("Trying to add user to non-existent role"
-          + ", user=" + user.getUserName()
-          + ", role=" + role);
-      throw new AmbariException("Role " + role + " doesn't exist");
-    }
-
-    if (!userEntity.getRoleEntities().contains(roleEntity)) {
-      userEntity.getRoleEntities().add(roleEntity);
-      roleEntity.getUserEntities().add(userEntity);
-      userDAO.merge(userEntity);
-      roleDAO.merge(roleEntity);
-    } else {
-      throw new AmbariException("User " + user + " already owns role " + role);
-    }
-
-  }
-
   @Transactional
   public synchronized void addMemberToGroup(String groupName, String userName)
       throws AmbariException {
@@ -513,45 +446,6 @@ public class Users {
     }
   }
 
-  @Transactional
-  public synchronized void removeRoleFromUser(User user, String role)
-      throws AmbariException {
-
-    if (configuration.getLdapServerProperties().isGroupMappingEnabled() &&
-        userDAO.findLdapUserByName(user.getUserName()) != null) {
-      LOG.warn("Trying to add a role to the LDAP user"
-          + ", user=" + user.getUserName());
-      throw new AmbariException("Ldap group mapping is enabled, " +
-          "roles for LDAP users should be managed on LDAP server");
-    }
-
-    UserEntity userEntity = userDAO.findByPK(user.getUserId());
-    if (userEntity == null) {
-      throw new AmbariException("User " + user + " doesn't exist");
-    }
-
-    RoleEntity roleEntity = roleDAO.findByName(role);
-    if (roleEntity == null) {
-      throw new AmbariException("Role " + role + " doesn't exist");
-    }
-    if (role.equals(getAdminRole())){
-      if (!isUserCanBeRemoved(userEntity)){
-        throw new AmbariException("Could not remove admin role from user " + userEntity.getUserName() +
-        ". System should have at least one user with administrator role.");
-      }
-    }
-
-    if (userEntity.getRoleEntities().contains(roleEntity)) {
-      userEntity.getRoleEntities().remove(roleEntity);
-      roleEntity.getUserEntities().remove(userEntity);
-      userDAO.merge(userEntity);
-      roleDAO.merge(roleEntity);
-    } else {
-      throw new AmbariException("User " + user + " doesn't own role " + role);
-    }
-
-  }
-
   @Transactional
   public synchronized void removeMemberFromGroup(String groupName, String userName)
       throws AmbariException {
@@ -588,10 +482,15 @@ public class Users {
 
   }
 
+  /**
+   * Performs a check if the user can be removed. Do not allow removing all admins from database.
+   *
+   * @param userEntity user to be checked
+   * @return true if user can be removed
+   */
   public synchronized boolean isUserCanBeRemoved(UserEntity userEntity){
-    RoleEntity roleEntity = new RoleEntity();
-    roleEntity.setRoleName(getAdminRole());
-    Set<UserEntity> userEntitysSet = new HashSet<UserEntity>(userDAO.findAllLocalUsersByRole(roleEntity));
+    List<PrincipalEntity> adminPrincipals = principalDAO.findByPermissionId(PermissionEntity.AMBARI_ADMIN_PERMISSION);
+    Set<UserEntity> userEntitysSet = new HashSet<UserEntity>(userDAO.findUsersByPrincipal(adminPrincipals));
     return (userEntitysSet.contains(userEntity) && userEntitysSet.size() < 2) ? false : true;
   }
 
@@ -611,32 +510,4 @@ public class Users {
     return false;
   }
 
-  public String getUserRole() {
-    return configuration.getConfigsMap().get(Configuration.USER_ROLE_NAME_KEY);
-  }
-
-  public String getAdminRole() {
-    return configuration.getConfigsMap().get(Configuration.ADMIN_ROLE_NAME_KEY);
-  }
-
-  /**
-   * Creates new role
-   */
-  public void createRole(String role) {
-    RoleEntity roleEntity = new RoleEntity();
-    roleEntity.setRoleName(role);
-    roleDAO.create(roleEntity);
-  }
-
-  /**
-   * Creates ADMIN adn USER roles if not present
-   */
-  public synchronized void createDefaultRoles() {
-    if (roleDAO.findByName(getUserRole()) == null) {
-      createRole(getUserRole());
-    }
-    if (roleDAO.findByName(getAdminRole()) == null) {
-      createRole(getAdminRole());
-    }
-  }
 }

ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog170.java

@@ -66,7 +66,6 @@ import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
 import org.apache.ambari.server.orm.entities.PrivilegeEntity;
 import org.apache.ambari.server.orm.entities.ResourceEntity;
 import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
-import org.apache.ambari.server.orm.entities.RoleEntity;
 import org.apache.ambari.server.orm.entities.UserEntity;
 import org.apache.ambari.server.orm.entities.ViewEntity;
 import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
@@ -503,8 +502,6 @@ public class UpgradeCatalog170 extends AbstractUpgradeCatalog {
 
   @Override
   protected void executeDMLUpdates() throws AmbariException, SQLException {
-    String dbType = getDbType();
-
     // Update historic records with the log paths, but only enough so as to not prolong the upgrade process
     executeInTransaction(new Runnable() {
       @Override
@@ -897,7 +894,7 @@ public class UpgradeCatalog170 extends AbstractUpgradeCatalog {
     return result;
   }
 
-  private void upgradePermissionModel() {
+  private void upgradePermissionModel() throws SQLException {
     final UserDAO userDAO = injector.getInstance(UserDAO.class);
     final PrincipalDAO principalDAO = injector.getInstance(PrincipalDAO.class);
     final PrincipalTypeDAO principalTypeDAO = injector.getInstance(PrincipalTypeDAO.class);
@@ -949,17 +946,32 @@ public class UpgradeCatalog170 extends AbstractUpgradeCatalog {
     final PermissionEntity clusterOperatePermission = permissionDAO.findClusterOperatePermission();
     final PermissionEntity clusterReadPermission = permissionDAO.findClusterReadPermission();
     final ResourceEntity ambariResource = resourceDAO.findAmbariResource();
-    for (UserEntity user: userDAO.findAll()) {
-      boolean hasAdminRole = false;
-      boolean hasUserRole = false;
-      for (RoleEntity role: user.getRoleEntities()) {
-        if (role.getRoleName().equals("admin")) {
-          hasAdminRole = true;
-        }
-        if (role.getRoleName().equals("user")) {
-          hasUserRole = true;
+
+    final Map<UserEntity, List<String>> roles = new HashMap<UserEntity, List<String>>();
+    ResultSet resultSet = null;
+    try {
+      resultSet = dbAccessor.executeSelect("SELECT role_name, user_id FROM user_roles");
+      while (resultSet.next()) {
+        final String roleName = resultSet.getString(1);
+        final int userId = resultSet.getInt(2);
+
+        final UserEntity user = userDAO.findByPK(userId);
+        List<String> userRoles = roles.get(user);
+        if (userRoles == null) {
+          userRoles = new ArrayList<String>();
+          roles.put(user, userRoles);
         }
-        if (hasAdminRole) {
+        userRoles.add(roleName);
+      }
+    } finally {
+      if (resultSet != null) {
+        resultSet.close();
+      }
+    }
+
+    for (UserEntity user: userDAO.findAll()) {
+      for (String role: roles.get(user)) {
+        if (role.equals("admin")) {
           final PrivilegeEntity privilege = new PrivilegeEntity();
           privilege.setPermission(adminPermission);
           privilege.setPrincipal(user.getPrincipal());
@@ -975,7 +987,7 @@ public class UpgradeCatalog170 extends AbstractUpgradeCatalog {
             user.getPrincipal().getPrivileges().add(clusterPrivilege);
           }
           userDAO.merge(user);
-        } else if (hasUserRole) {
+        } else if (role.equals("user")) {
           for (ClusterEntity cluster: clusterDAO.findAll()) {
             final PrivilegeEntity privilege = new PrivilegeEntity();
             privilege.setPermission(clusterReadPermission);
@@ -988,6 +1000,9 @@ public class UpgradeCatalog170 extends AbstractUpgradeCatalog {
         }
       }
     }
+
+    dbAccessor.dropTable("user_roles");
+    dbAccessor.dropTable("roles");
   }
 
   protected void addJobsViewPermissions() {

ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql

@@ -39,7 +39,6 @@ CREATE TABLE hosts (host_name VARCHAR(255) NOT NULL, cpu_count INTEGER NOT NULL,
 CREATE TABLE hoststate (agent_version VARCHAR(255) NOT NULL, available_mem BIGINT NOT NULL, current_state VARCHAR(255) NOT NULL, health_status VARCHAR(255), host_name VARCHAR(255) NOT NULL, time_in_state BIGINT NOT NULL, maintenance_state VARCHAR(512), PRIMARY KEY (host_name));
 CREATE TABLE servicecomponentdesiredstate (component_name VARCHAR(255) NOT NULL, cluster_id BIGINT NOT NULL, desired_stack_version VARCHAR(255) NOT NULL, desired_state VARCHAR(255) NOT NULL, service_name VARCHAR(255) NOT NULL, PRIMARY KEY (component_name, cluster_id, service_name));
 CREATE TABLE servicedesiredstate (cluster_id BIGINT NOT NULL, desired_host_role_mapping INTEGER NOT NULL, desired_stack_version VARCHAR(255) NOT NULL, desired_state VARCHAR(255) NOT NULL, service_name VARCHAR(255) NOT NULL, maintenance_state VARCHAR(32) NOT NULL DEFAULT 'ACTIVE', PRIMARY KEY (cluster_id, service_name));
-CREATE TABLE roles (role_name VARCHAR(255) NOT NULL, PRIMARY KEY (role_name));
 CREATE TABLE users (user_id INTEGER, principal_id BIGINT NOT NULL, create_time TIMESTAMP DEFAULT NOW(), ldap_user INTEGER NOT NULL DEFAULT 0, user_name VARCHAR(255) NOT NULL, user_password VARCHAR(255), active INTEGER NOT NULL DEFAULT 1, PRIMARY KEY (user_id));
 CREATE TABLE groups (group_id INTEGER, principal_id BIGINT NOT NULL, group_name VARCHAR(255) NOT NULL, ldap_group INTEGER NOT NULL DEFAULT 0, PRIMARY KEY (group_id));
 CREATE TABLE members (member_id INTEGER, group_id INTEGER NOT NULL, user_id INTEGER NOT NULL, PRIMARY KEY (member_id));
@@ -55,7 +54,6 @@ CREATE TABLE clusterconfigmapping (type_name VARCHAR(255) NOT NULL, create_times
 CREATE TABLE hostconfigmapping (create_timestamp BIGINT NOT NULL, host_name VARCHAR(255) NOT NULL, cluster_id BIGINT NOT NULL, type_name VARCHAR(255) NOT NULL, selected INTEGER NOT NULL DEFAULT 0, service_name VARCHAR(255), version_tag VARCHAR(255) NOT NULL, user_name VARCHAR(255) NOT NULL DEFAULT '_db', PRIMARY KEY (create_timestamp, host_name, cluster_id, type_name));
 CREATE TABLE metainfo (`metainfo_key` VARCHAR(255), `metainfo_value` LONGTEXT, PRIMARY KEY (`metainfo_key`));
 CREATE TABLE ClusterHostMapping (cluster_id BIGINT NOT NULL, host_name VARCHAR(255) NOT NULL, PRIMARY KEY (cluster_id, host_name));
-CREATE TABLE user_roles (role_name VARCHAR(255) NOT NULL, user_id INTEGER NOT NULL, PRIMARY KEY (role_name, user_id));
 CREATE TABLE ambari_sequences (sequence_name VARCHAR(255), sequence_value DECIMAL(38) NOT NULL, PRIMARY KEY (sequence_name));
 CREATE TABLE confgroupclusterconfigmapping (config_group_id BIGINT NOT NULL, cluster_id BIGINT NOT NULL, config_type VARCHAR(255) NOT NULL, version_tag VARCHAR(255) NOT NULL, user_name VARCHAR(255) DEFAULT '_db', create_timestamp BIGINT NOT NULL, PRIMARY KEY(config_group_id, cluster_id, config_type));
 CREATE TABLE configgroup (group_id BIGINT, cluster_id BIGINT NOT NULL, group_name VARCHAR(255) NOT NULL, tag VARCHAR(1024) NOT NULL, description VARCHAR(1024), create_timestamp BIGINT NOT NULL, PRIMARY KEY(group_id));
@@ -114,8 +112,6 @@ ALTER TABLE stage ADD CONSTRAINT FK_stage_request_id FOREIGN KEY (request_id) RE
 ALTER TABLE request ADD CONSTRAINT FK_request_schedule_id FOREIGN KEY (request_schedule_id) REFERENCES requestschedule (schedule_id);
 ALTER TABLE ClusterHostMapping ADD CONSTRAINT ClusterHostMapping_cluster_id FOREIGN KEY (cluster_id) REFERENCES clusters (cluster_id);
 ALTER TABLE ClusterHostMapping ADD CONSTRAINT ClusterHostMapping_host_name FOREIGN KEY (host_name) REFERENCES hosts (host_name);
-ALTER TABLE user_roles ADD CONSTRAINT FK_user_roles_user_id FOREIGN KEY (user_id) REFERENCES users (user_id);
-ALTER TABLE user_roles ADD CONSTRAINT FK_user_roles_role_name FOREIGN KEY (role_name) REFERENCES roles (role_name);
 ALTER TABLE hostconfigmapping ADD CONSTRAINT FK_hostconfmapping_cluster_id FOREIGN KEY (cluster_id) REFERENCES clusters (cluster_id);
 ALTER TABLE hostconfigmapping ADD CONSTRAINT FK_hostconfmapping_host_name FOREIGN KEY (host_name) REFERENCES hosts (host_name);
 ALTER TABLE serviceconfigmapping ADD CONSTRAINT FK_scvm_scv FOREIGN KEY (service_config_id) REFERENCES serviceconfig(service_config_id);
@@ -287,11 +283,6 @@ insert into adminresourcetype (resource_type_id, resource_type_name)
 insert into adminresource (resource_id, resource_type_id)
   select 1, 1;
 
-insert into roles(role_name)
-  select 'admin'
-  union all
-  select 'user';
-
 insert into adminprincipaltype (principal_type_id, principal_type_name)
   select 1, 'USER'
   union all
@@ -303,9 +294,6 @@ insert into adminprincipal (principal_id, principal_type_id)
 insert into users(user_id, principal_id, user_name, user_password)
   select 1, 1, 'admin','538916f8943ec225d97a9a86a2c6ec0818c1cd400e09e03b660fdaaec4af29ddbb6f2b1033b81b00';
 
-insert into user_roles(role_name, user_id)
-  select 'admin',1;
-
 insert into adminpermission(permission_id, permission_name, resource_type_id)
   select 1, 'AMBARI.ADMIN', 1
   union all

ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql

@@ -30,7 +30,6 @@ CREATE TABLE hosts (host_name VARCHAR2(255) NOT NULL, cpu_count INTEGER NOT NULL
 CREATE TABLE hoststate (agent_version VARCHAR2(255) NULL, available_mem NUMBER(19) NOT NULL, current_state VARCHAR2(255) NOT NULL, health_status VARCHAR2(255) NULL, host_name VARCHAR2(255) NOT NULL, time_in_state NUMBER(19) NOT NULL, maintenance_state VARCHAR2(512), PRIMARY KEY (host_name));
 CREATE TABLE servicecomponentdesiredstate (component_name VARCHAR2(255) NOT NULL, cluster_id NUMBER(19) NOT NULL, desired_stack_version VARCHAR2(255) NULL, desired_state VARCHAR2(255) NOT NULL, service_name VARCHAR2(255) NOT NULL, PRIMARY KEY (component_name, cluster_id, service_name));
 CREATE TABLE servicedesiredstate (cluster_id NUMBER(19) NOT NULL, desired_host_role_mapping NUMBER(10) NOT NULL, desired_stack_version VARCHAR2(255) NULL, desired_state VARCHAR2(255) NOT NULL, service_name VARCHAR2(255) NOT NULL, maintenance_state VARCHAR2(32) NOT NULL, PRIMARY KEY (cluster_id, service_name));
-CREATE TABLE roles (role_name VARCHAR2(255) NOT NULL, PRIMARY KEY (role_name));
 CREATE TABLE users (user_id NUMBER(10) NOT NULL, principal_id NUMBER(19) NOT NULL, create_time TIMESTAMP NULL, ldap_user NUMBER(10) DEFAULT 0, user_name VARCHAR2(255) NULL, user_password VARCHAR2(255) NULL, active INTEGER DEFAULT 1 NOT NULL, PRIMARY KEY (user_id));
 CREATE TABLE groups (group_id NUMBER(10) NOT NULL, principal_id NUMBER(19) NOT NULL, group_name VARCHAR2(255) NOT NULL, ldap_group NUMBER(10) DEFAULT 0, PRIMARY KEY (group_id));
 CREATE TABLE members (member_id NUMBER(10), group_id NUMBER(10) NOT NULL, user_id NUMBER(10) NOT NULL, PRIMARY KEY (member_id));
@@ -46,7 +45,6 @@ CREATE TABLE clusterconfigmapping (type_name VARCHAR2(255) NOT NULL, create_time
 CREATE TABLE hostconfigmapping (create_timestamp NUMBER(19) NOT NULL, host_name VARCHAR2(255) NOT NULL, cluster_id NUMBER(19) NOT NULL, type_name VARCHAR2(255) NOT NULL, selected NUMBER(10) NOT NULL, service_name VARCHAR2(255) NULL, version_tag VARCHAR2(255) NOT NULL, user_name VARCHAR(255) DEFAULT '_db', PRIMARY KEY (create_timestamp, host_name, cluster_id, type_name));
 CREATE TABLE metainfo ("metainfo_key" VARCHAR2(255) NOT NULL, "metainfo_value" CLOB NULL, PRIMARY KEY ("metainfo_key"));
 CREATE TABLE ClusterHostMapping (cluster_id NUMBER(19) NOT NULL, host_name VARCHAR2(255) NOT NULL, PRIMARY KEY (cluster_id, host_name));
-CREATE TABLE user_roles (role_name VARCHAR2(255) NOT NULL, user_id NUMBER(10) NOT NULL, PRIMARY KEY (role_name, user_id));
 CREATE TABLE ambari_sequences (sequence_name VARCHAR2(50) NOT NULL, sequence_value NUMBER(38) NULL, PRIMARY KEY (sequence_name));
 CREATE TABLE configgroup (group_id NUMBER(19), cluster_id NUMBER(19) NOT NULL, group_name VARCHAR2(255) NOT NULL, tag VARCHAR2(1024) NOT NULL, description VARCHAR2(1024), create_timestamp NUMBER(19) NOT NULL, PRIMARY KEY(group_id));
 CREATE TABLE confgroupclusterconfigmapping (config_group_id NUMBER(19) NOT NULL, cluster_id NUMBER(19) NOT NULL, config_type VARCHAR2(255) NOT NULL, version_tag VARCHAR2(255) NOT NULL, user_name VARCHAR2(255) DEFAULT '_db', create_timestamp NUMBER(19) NOT NULL, PRIMARY KEY(config_group_id, cluster_id, config_type));
@@ -106,8 +104,6 @@ ALTER TABLE stage ADD CONSTRAINT FK_stage_request_id FOREIGN KEY (request_id) RE
 ALTER TABLE request ADD CONSTRAINT FK_request_schedule_id FOREIGN KEY (request_schedule_id) REFERENCES requestschedule (schedule_id);
 ALTER TABLE ClusterHostMapping ADD CONSTRAINT ClusterHostMapping_cluster_id FOREIGN KEY (cluster_id) REFERENCES clusters (cluster_id);
 ALTER TABLE ClusterHostMapping ADD CONSTRAINT ClusterHostMapping_host_name FOREIGN KEY (host_name) REFERENCES hosts (host_name);
-ALTER TABLE user_roles ADD CONSTRAINT FK_user_roles_user_id FOREIGN KEY (user_id) REFERENCES users (user_id);
-ALTER TABLE user_roles ADD CONSTRAINT FK_user_roles_role_name FOREIGN KEY (role_name) REFERENCES roles (role_name);
 ALTER TABLE hostconfigmapping ADD CONSTRAINT FK_hostconfmapping_cluster_id FOREIGN KEY (cluster_id) REFERENCES clusters (cluster_id);
 ALTER TABLE hostconfigmapping ADD CONSTRAINT FK_hostconfmapping_host_name FOREIGN KEY (host_name) REFERENCES hosts (host_name);
 ALTER TABLE serviceconfigmapping ADD CONSTRAINT FK_scvm_scv FOREIGN KEY (service_config_id) REFERENCES serviceconfig(service_config_id);
@@ -281,11 +277,6 @@ insert into adminresourcetype (resource_type_id, resource_type_name)
 insert into adminresource (resource_id, resource_type_id)
   select 1, 1 from dual;
 
-insert into Roles(role_name)
-select 'admin' from dual
-union all
-select 'user' from dual;
-
 insert into adminprincipaltype (principal_type_id, principal_type_name)
   select 1, 'USER' from dual
   union all
@@ -297,9 +288,6 @@ insert into adminprincipal (principal_id, principal_type_id)
 insert into users(user_id, principal_id, user_name, user_password)
 select 1,1,'admin','538916f8943ec225d97a9a86a2c6ec0818c1cd400e09e03b660fdaaec4af29ddbb6f2b1033b81b00' from dual;
 
-insert into user_roles(role_name, user_id)
-select 'admin',1 from dual;
-
 insert into adminpermission(permission_id, permission_name, resource_type_id)
   select 1, 'AMBARI.ADMIN', 1 from dual
   union all

ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql

@@ -45,8 +45,6 @@ CREATE TABLE servicecomponentdesiredstate (component_name VARCHAR(255) NOT NULL,
 
 CREATE TABLE servicedesiredstate (cluster_id BIGINT NOT NULL, desired_host_role_mapping INTEGER NOT NULL, desired_stack_version VARCHAR(255) NOT NULL, desired_state VARCHAR(255) NOT NULL, service_name VARCHAR(255) NOT NULL, maintenance_state VARCHAR(32) NOT NULL, PRIMARY KEY (cluster_id, service_name));
 
-CREATE TABLE roles (role_name VARCHAR(255) NOT NULL, PRIMARY KEY (role_name));
-
 CREATE TABLE users (user_id INTEGER, principal_id BIGINT NOT NULL, ldap_user INTEGER NOT NULL DEFAULT 0, user_name VARCHAR(255) NOT NULL, create_time TIMESTAMP DEFAULT NOW(), user_password VARCHAR(255), PRIMARY KEY (user_id), active INTEGER NOT NULL DEFAULT 1, UNIQUE (ldap_user, user_name));
 
 CREATE TABLE groups (group_id INTEGER, principal_id BIGINT NOT NULL, group_name VARCHAR(255) NOT NULL, ldap_group INTEGER NOT NULL DEFAULT 0, PRIMARY KEY (group_id), UNIQUE (ldap_group, group_name));
@@ -69,8 +67,6 @@ CREATE TABLE requestoperationlevel (operation_level_id BIGINT NOT NULL, request_
 
 CREATE TABLE ClusterHostMapping (cluster_id BIGINT NOT NULL, host_name VARCHAR(255) NOT NULL, PRIMARY KEY (cluster_id, host_name));
 
-CREATE TABLE user_roles (role_name VARCHAR(255) NOT NULL, user_id INTEGER NOT NULL, PRIMARY KEY (role_name, user_id));
-
 CREATE TABLE key_value_store ("key" VARCHAR(255), "value" VARCHAR, PRIMARY KEY ("key"));
 
 CREATE TABLE hostconfigmapping (cluster_id BIGINT NOT NULL, host_name VARCHAR(255) NOT NULL, type_name VARCHAR(255) NOT NULL, version_tag VARCHAR(255) NOT NULL, service_name VARCHAR(255), create_timestamp BIGINT NOT NULL, selected INTEGER NOT NULL DEFAULT 0, user_name VARCHAR(255) NOT NULL DEFAULT '_db', PRIMARY KEY (cluster_id, host_name, type_name, create_timestamp));
@@ -139,8 +135,6 @@ ALTER TABLE role_success_criteria ADD CONSTRAINT role_success_criteria_stage_id
 ALTER TABLE stage ADD CONSTRAINT FK_stage_request_id FOREIGN KEY (request_id) REFERENCES request (request_id);
 ALTER TABLE request ADD CONSTRAINT FK_request_schedule_id FOREIGN KEY (request_schedule_id) REFERENCES requestschedule (schedule_id);
 ALTER TABLE ClusterHostMapping ADD CONSTRAINT ClusterHostMapping_host_name FOREIGN KEY (cluster_id) REFERENCES clusters (cluster_id);
-ALTER TABLE user_roles ADD CONSTRAINT FK_user_roles_user_id FOREIGN KEY (user_id) REFERENCES users (user_id);
-ALTER TABLE user_roles ADD CONSTRAINT FK_user_roles_role_name FOREIGN KEY (role_name) REFERENCES roles (role_name);
 ALTER TABLE hostconfigmapping ADD CONSTRAINT FK_hostconfmapping_cluster_id FOREIGN KEY (cluster_id) REFERENCES clusters (cluster_id);
 ALTER TABLE hostconfigmapping ADD CONSTRAINT FK_hostconfmapping_host_name FOREIGN KEY (host_name) REFERENCES hosts (host_name);
 ALTER TABLE configgroup ADD CONSTRAINT FK_configgroup_cluster_id FOREIGN KEY (cluster_id) REFERENCES clusters (cluster_id);
@@ -339,11 +333,6 @@ BEGIN;
   INSERT INTO adminresource (resource_id, resource_type_id)
   SELECT 1, 1;
 
-  INSERT INTO Roles (role_name)
-  SELECT 'admin'
-  UNION ALL
-  SELECT 'user';
-
   INSERT INTO adminprincipaltype (principal_type_id, principal_type_name)
   SELECT 1, 'USER'
   UNION ALL
@@ -355,9 +344,6 @@ BEGIN;
   INSERT INTO Users (user_id, principal_id, user_name, user_password)
   SELECT 1, 1, 'admin', '538916f8943ec225d97a9a86a2c6ec0818c1cd400e09e03b660fdaaec4af29ddbb6f2b1033b81b00';
 
-  INSERT INTO user_roles (role_name, user_id)
-  SELECT 'admin', 1;
-
   INSERT INTO adminpermission(permission_id, permission_name, resource_type_id)
   SELECT 1, 'AMBARI.ADMIN', 1
   UNION ALL

ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql

@@ -70,9 +70,6 @@ GRANT ALL PRIVILEGES ON TABLE ambari.servicecomponentdesiredstate TO :username;
 CREATE TABLE ambari.servicedesiredstate (cluster_id BIGINT NOT NULL, desired_host_role_mapping INTEGER NOT NULL, desired_stack_version VARCHAR(255) NOT NULL, desired_state VARCHAR(255) NOT NULL, service_name VARCHAR(255) NOT NULL, maintenance_state VARCHAR(32) NOT NULL, PRIMARY KEY (cluster_id, service_name));
 GRANT ALL PRIVILEGES ON TABLE ambari.servicedesiredstate TO :username;
 
-CREATE TABLE ambari.roles (role_name VARCHAR(255) NOT NULL, PRIMARY KEY (role_name));
-GRANT ALL PRIVILEGES ON TABLE ambari.roles TO :username;
-
 CREATE TABLE ambari.users (user_id INTEGER, principal_id BIGINT NOT NULL, ldap_user INTEGER NOT NULL DEFAULT 0, user_name VARCHAR(255) NOT NULL, create_time TIMESTAMP DEFAULT NOW(), user_password VARCHAR(255), active INTEGER NOT NULL DEFAULT 1, PRIMARY KEY (user_id), UNIQUE (ldap_user, user_name));
 GRANT ALL PRIVILEGES ON TABLE ambari.users TO :username;
 
@@ -106,9 +103,6 @@ GRANT ALL PRIVILEGES ON TABLE ambari.requestoperationlevel TO :username;
 CREATE TABLE ambari.ClusterHostMapping (cluster_id BIGINT NOT NULL, host_name VARCHAR(255) NOT NULL, PRIMARY KEY (cluster_id, host_name));
 GRANT ALL PRIVILEGES ON TABLE ambari.ClusterHostMapping TO :username;
 
-CREATE TABLE ambari.user_roles (role_name VARCHAR(255) NOT NULL, user_id INTEGER NOT NULL, PRIMARY KEY (role_name, user_id));
-GRANT ALL PRIVILEGES ON TABLE ambari.user_roles TO :username;
-
 CREATE TABLE ambari.key_value_store ("key" VARCHAR(255), "value" VARCHAR, PRIMARY KEY ("key"));
 GRANT ALL PRIVILEGES ON TABLE ambari.key_value_store TO :username;
 
@@ -205,8 +199,6 @@ ALTER TABLE ambari.stage ADD CONSTRAINT FK_stage_request_id FOREIGN KEY (request
 ALTER TABLE ambari.request ADD CONSTRAINT FK_request_schedule_id FOREIGN KEY (request_schedule_id) REFERENCES ambari.requestschedule (schedule_id);
 ALTER TABLE ambari.ClusterHostMapping ADD CONSTRAINT ClusterHostMapping_cluster_id FOREIGN KEY (host_name) REFERENCES ambari.hosts (host_name);
 ALTER TABLE ambari.ClusterHostMapping ADD CONSTRAINT ClusterHostMapping_host_name FOREIGN KEY (cluster_id) REFERENCES ambari.clusters (cluster_id);
-ALTER TABLE ambari.user_roles ADD CONSTRAINT FK_user_roles_user_id FOREIGN KEY (user_id) REFERENCES ambari.users (user_id);
-ALTER TABLE ambari.user_roles ADD CONSTRAINT FK_user_roles_role_name FOREIGN KEY (role_name) REFERENCES ambari.roles (role_name);
 ALTER TABLE ambari.hostconfigmapping ADD CONSTRAINT FK_hostconfmapping_cluster_id FOREIGN KEY (cluster_id) REFERENCES ambari.clusters (cluster_id);
 ALTER TABLE ambari.hostconfigmapping ADD CONSTRAINT FK_hostconfmapping_host_name FOREIGN KEY (host_name) REFERENCES ambari.hosts (host_name);
 ALTER TABLE ambari.configgroup ADD CONSTRAINT FK_configgroup_cluster_id FOREIGN KEY (cluster_id) REFERENCES ambari.clusters (cluster_id);
@@ -414,11 +406,6 @@ INSERT INTO ambari.adminresourcetype (resource_type_id, resource_type_name)
 INSERT INTO ambari.adminresource (resource_id, resource_type_id)
   SELECT 1, 1;
 
-INSERT INTO ambari.Roles (role_name)
-  SELECT 'admin'
-  UNION ALL
-  SELECT 'user';
-
 INSERT INTO ambari.adminprincipaltype (principal_type_id, principal_type_name)
   SELECT 1, 'USER'
   UNION ALL
@@ -430,9 +417,6 @@ INSERT INTO ambari.adminprincipal (principal_id, principal_type_id)
 INSERT INTO ambari.Users (user_id, principal_id, user_name, user_password)
   SELECT 1, 1, 'admin', '538916f8943ec225d97a9a86a2c6ec0818c1cd400e09e03b660fdaaec4af29ddbb6f2b1033b81b00';
 
-INSERT INTO ambari.user_roles (role_name, user_id)
-  SELECT 'admin', 1;
-
 INSERT INTO ambari.adminpermission(permission_id, permission_name, resource_type_id)
   SELECT 1, 'AMBARI.ADMIN', 1
   UNION ALL

ambari-server/src/main/resources/META-INF/persistence.xml

@@ -24,7 +24,6 @@
     <class>org.apache.ambari.server.orm.entities.HostStateEntity</class>
     <class>org.apache.ambari.server.orm.entities.ServiceComponentDesiredStateEntity</class>
     <class>org.apache.ambari.server.orm.entities.ServiceDesiredStateEntity</class>
-    <class>org.apache.ambari.server.orm.entities.RoleEntity</class>
     <class>org.apache.ambari.server.orm.entities.UserEntity</class>
     <class>org.apache.ambari.server.orm.entities.GroupEntity</class>
     <class>org.apache.ambari.server.orm.entities.MemberEntity</class>

ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerTest.java

@@ -88,9 +88,7 @@ import org.apache.ambari.server.orm.GuiceJpaInitializer;
 import org.apache.ambari.server.orm.InMemoryDefaultTestModule;
 import org.apache.ambari.server.orm.dao.ExecutionCommandDAO;
 import org.apache.ambari.server.orm.dao.HostDAO;
-import org.apache.ambari.server.orm.dao.RoleDAO;
 import org.apache.ambari.server.orm.entities.ExecutionCommandEntity;
-import org.apache.ambari.server.orm.entities.RoleEntity;
 import org.apache.ambari.server.security.authorization.Users;
 import org.apache.ambari.server.serveraction.ServerAction;
 import org.apache.ambari.server.serveraction.ServerActionManager;
@@ -4593,7 +4591,6 @@ public class AmbariManagementControllerTest {
   @Test
   public void testUpdateUsers() throws Exception {
     createUser("user1");
-    users.createDefaultRoles();
 
     UserRequest request = new UserRequest("user1");
 
@@ -4606,8 +4603,6 @@ public class AmbariManagementControllerTest {
   public void testDeleteUsers() throws Exception {
     createUser("user1");
 
-    users.createDefaultRoles();
-
     UserRequest request = new UserRequest("user1");
     controller.updateUsers(Collections.singleton(request));
 
@@ -4618,12 +4613,6 @@ public class AmbariManagementControllerTest {
         Collections.singleton(new UserRequest(null)));
 
     Assert.assertEquals(0, responses.size());
-
-    RoleDAO roleDao = injector.getInstance(RoleDAO.class);
-    RoleEntity re1 = roleDao.findByName("user");
-    RoleEntity re2 = roleDao.findByName("admin");
-    Assert.assertNotNull(re1);
-    Assert.assertNotNull(re2);
   }
 
   @Test
@@ -10329,7 +10318,7 @@ public class AmbariManagementControllerTest {
 
     // Start
     startService(clusterName, serviceName, false, false);
-    
+
     ServiceComponentHostRequest req = new ServiceComponentHostRequest(clusterName, serviceName,
         componentName1, host1, "INSTALLED");
 
@@ -10339,24 +10328,24 @@ public class AmbariManagementControllerTest {
 
     // succeed in creating a task
     assertNotNull(resp);
-    
+
     // manually change live state to stopped as no running action manager
     for (ServiceComponentHost sch :
       clusters.getCluster(clusterName).getServiceComponentHosts(host1)) {
         sch.setState(State.INSTALLED);
     }
-    
+
     // no new commands since no targeted info
     resp = controller.updateHostComponents(Collections.singleton(req), new HashMap<String, String>(), false);
     assertNull(resp);
-    
+
     // role commands added for targeted command
     resp = controller.updateHostComponents(Collections.singleton(req), requestProperties, false);
     assertNotNull(resp);
-    
+
   }
-  
-  
+
+
 }
 
 

ambari-server/src/test/java/org/apache/ambari/server/orm/OrmTestHelper.java

@@ -39,7 +39,6 @@ import org.apache.ambari.server.orm.dao.HostDAO;
 import org.apache.ambari.server.orm.dao.HostRoleCommandDAO;
 import org.apache.ambari.server.orm.dao.RequestDAO;
 import org.apache.ambari.server.orm.dao.ResourceTypeDAO;
-import org.apache.ambari.server.orm.dao.RoleDAO;
 import org.apache.ambari.server.orm.dao.StageDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
 import org.apache.ambari.server.orm.entities.AlertDefinitionEntity;
@@ -55,7 +54,6 @@ import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
 import org.apache.ambari.server.orm.entities.RequestEntity;
 import org.apache.ambari.server.orm.entities.ResourceEntity;
 import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
-import org.apache.ambari.server.orm.entities.RoleEntity;
 import org.apache.ambari.server.orm.entities.StageEntity;
 import org.apache.ambari.server.orm.entities.UserEntity;
 import org.apache.ambari.server.state.HostState;
@@ -81,9 +79,6 @@ public class OrmTestHelper {
   @Inject
   public UserDAO userDAO;
 
-  @Inject
-  public RoleDAO roleDAO;
-
   @Inject
   public AlertDefinitionDAO alertDefinitionDAO;
 
@@ -175,25 +170,16 @@ public class OrmTestHelper {
 
     PasswordEncoder encoder = injector.getInstance(PasswordEncoder.class);
 
-    RoleEntity adminRole = new RoleEntity();
-    adminRole.setRoleName("admin");
-
     UserEntity admin = new UserEntity();
     admin.setUserName("administrator");
     admin.setUserPassword(encoder.encode("admin"));
     admin.setPrincipal(principalEntity);
 
-    Set<RoleEntity> roles = new HashSet<RoleEntity>();
     Set<UserEntity> users = new HashSet<UserEntity>();
 
-    roles.add(adminRole);
     users.add(admin);
 
-    admin.setRoleEntities(roles);
-    adminRole.setUserEntities(users);
-
     userDAO.create(admin);
-    roleDAO.create(adminRole);
 
     principalEntity = new PrincipalEntity();
     principalEntity.setPrincipalType(principalTypeEntity);
@@ -274,7 +260,7 @@ public class OrmTestHelper {
 
   /**
    * Creates an empty cluster with an ID.
-   * 
+   *
    * @return the cluster ID.
    */
   @Transactional
@@ -306,7 +292,7 @@ public class OrmTestHelper {
 
   /**
    * Creates an alert target.
-   * 
+   *
    * @return
    */
   @Transactional
@@ -320,10 +306,10 @@ public class OrmTestHelper {
     alertDispatchDAO.create(target);
     return alertDispatchDAO.findTargetById(target.getTargetId());
   }
-  
+
   /**
    * Creates an alert definition.
-   * 
+   *
    * @param clusterId
    * @return
    * @throws Exception
@@ -342,14 +328,14 @@ public class OrmTestHelper {
     definition.setScope(Scope.SERVICE);
     definition.setSource("Source " + System.currentTimeMillis());
     definition.setSourceType("SCRIPT");
-    
+
     alertDefinitionDAO.create(definition);
     return alertDefinitionDAO.findById(definition.getDefinitionId());
   }
 
   /**
    * Creates an alert group.
-   * 
+   *
    * @param clusterId
    * @param targets
    * @return

ambari-server/src/test/java/org/apache/ambari/server/orm/dao/UserDAOTest.java

@@ -21,25 +21,14 @@ package org.apache.ambari.server.orm.dao;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import org.junit.Before;
-import org.junit.Test;
 import static org.easymock.EasyMock.createStrictMock;
-import static org.easymock.EasyMock.eq;
 import static org.easymock.EasyMock.expect;
 import static org.easymock.EasyMock.replay;
 import static org.easymock.EasyMock.reset;
-import static org.easymock.EasyMock.verify;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertSame;
-
 import javax.persistence.EntityManager;
-import javax.persistence.TypedQuery;
-import java.util.Collections;
-import java.util.List;
-import org.apache.ambari.server.orm.entities.RoleEntity;
-import org.apache.ambari.server.orm.entities.UserEntity;
 
 /**
- * BlueprintDAO unit tests.
+ * UserDAO unit tests.
  */
 public class UserDAOTest {
 
@@ -56,31 +45,4 @@ public class UserDAOTest {
     replay(entityManagerProvider);
   }
 
-
-  @Test
-  public void testfindAllLocalUsersByRole() {
-    UserEntity entity = new UserEntity();
-    RoleEntity roleEntity = new RoleEntity();
-    TypedQuery<UserEntity> query = createStrictMock(TypedQuery.class);
-
-    // set expectations
-    expect(entityManager.createQuery(eq("SELECT role.userEntities FROM RoleEntity role WHERE role = :roleEntity"), eq(UserEntity.class))).andReturn(query);
-    roleEntity.setRoleName("admin");
-    expect(query.setParameter("roleEntity", roleEntity)).andReturn(query);
-    expect(query.getResultList()).andReturn(Collections.singletonList(entity));
-    
-    replay(entityManager, query);
-
-    UserDAO dao = new UserDAO();
-    dao.entityManagerProvider = entityManagerProvider;
-    roleEntity.setRoleName("admin");
-    
-    List<UserEntity> results = dao.findAllLocalUsersByRole(roleEntity);
-
-    assertEquals(1, results.size());
-    assertSame(entity, results.get(0));
-
-    verify(entityManagerProvider, entityManager, query);
-  }
-
 }

ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDNWithSpaceTest.java

@@ -23,9 +23,7 @@ import com.google.inject.Injector;
 import com.google.inject.persist.PersistService;
 import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.orm.GuiceJpaInitializer;
-import org.apache.ambari.server.orm.dao.RoleDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
-import org.apache.ambari.server.orm.entities.RoleEntity;
 import org.apache.ambari.server.orm.entities.UserEntity;
 import org.apache.ambari.server.security.ClientSecurityType;
 import org.junit.*;
@@ -45,8 +43,6 @@ public class AmbariLdapAuthenticationProviderForDNWithSpaceTest {
   @Inject
   private UserDAO userDAO;
   @Inject
-  private RoleDAO roleDAO;
-  @Inject
   Configuration configuration;
 
   @BeforeClass
@@ -81,7 +77,6 @@ public class AmbariLdapAuthenticationProviderForDNWithSpaceTest {
     Authentication authentication = new UsernamePasswordAuthenticationToken("the allowedUser", "password");
     Authentication result = authenticationProvider.authenticate(authentication);
     assertTrue(result.isAuthenticated());
-    assertNotNull("User was not created", userDAO.findLdapUserByName("the allowedUser"));
     result = authenticationProvider.authenticate(authentication);
     assertTrue(result.isAuthenticated());
   }
@@ -94,39 +89,6 @@ public class AmbariLdapAuthenticationProviderForDNWithSpaceTest {
     assertTrue(auth == null);
   }
 
-  @Test
-  public void testLdapAdminGroupToRolesMapping() throws Exception {
-
-    Authentication authentication;
-
-    authentication =
-        new UsernamePasswordAuthenticationToken("allowedAdmin", "password");
-    Authentication result = authenticationProvider.authenticate(authentication);
-    assertTrue(result.isAuthenticated());
-
-    UserEntity allowedAdminEntity = userDAO.findLdapUserByName("allowedAdmin");
-
-    authentication =
-        new UsernamePasswordAuthenticationToken("the allowedUser", "password");
-    authenticationProvider.authenticate(authentication);
-    UserEntity allowedUserEntity = userDAO.findLdapUserByName("the allowedUser");
-
-
-    RoleEntity adminRole = roleDAO.findByName(
-        configuration.getConfigsMap().get(Configuration.ADMIN_ROLE_NAME_KEY));
-    RoleEntity userRole = roleDAO.findByName(
-        configuration.getConfigsMap().get(Configuration.USER_ROLE_NAME_KEY));
-
-
-    assertTrue(allowedAdminEntity.getRoleEntities().contains(userRole));
-    assertTrue(allowedAdminEntity.getRoleEntities().contains(adminRole));
-
-    assertTrue(allowedUserEntity.getRoleEntities().contains(userRole));
-    assertFalse(allowedUserEntity.getRoleEntities().contains(adminRole));
-
-
-  }
-
   @AfterClass
   public static void afterClass() {
     apacheDSContainer.stop();

ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java

@@ -25,10 +25,7 @@ import com.google.inject.Inject;
 import com.google.inject.Injector;
 import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.orm.GuiceJpaInitializer;
-import org.apache.ambari.server.orm.dao.RoleDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
-import org.apache.ambari.server.orm.entities.RoleEntity;
-import org.apache.ambari.server.orm.entities.UserEntity;
 import org.apache.ambari.server.security.ClientSecurityType;
 import org.easymock.EasyMockSupport;
 import org.easymock.IAnswer;
@@ -56,8 +53,6 @@ public class AmbariLdapAuthenticationProviderTest extends EasyMockSupport {
   @Inject
   private UserDAO userDAO;
   @Inject
-  private RoleDAO roleDAO;
-  @Inject
   Configuration configuration;
 
   @BeforeClass
@@ -161,7 +156,6 @@ public class AmbariLdapAuthenticationProviderTest extends EasyMockSupport {
     Authentication authentication = new UsernamePasswordAuthenticationToken("allowedUser", "password");
     Authentication result = authenticationProvider.authenticate(authentication);
     assertTrue(result.isAuthenticated());
-    assertNotNull("User was not created", userDAO.findLdapUserByName("allowedUser"));
     result = authenticationProvider.authenticate(authentication);
     assertTrue(result.isAuthenticated());
   }
@@ -174,39 +168,6 @@ public class AmbariLdapAuthenticationProviderTest extends EasyMockSupport {
     Assert.assertTrue(auth == null);
   }
 
-  @Test
-  public void testLdapAdminGroupToRolesMapping() throws Exception {
-
-    Authentication authentication;
-
-    authentication =
-        new UsernamePasswordAuthenticationToken("allowedAdmin", "password");
-    Authentication result = authenticationProvider.authenticate(authentication);
-    assertTrue(result.isAuthenticated());
-
-    UserEntity allowedAdminEntity = userDAO.findLdapUserByName("allowedAdmin");
-
-    authentication =
-        new UsernamePasswordAuthenticationToken("allowedUser", "password");
-    authenticationProvider.authenticate(authentication);
-    UserEntity allowedUserEntity = userDAO.findLdapUserByName("allowedUser");
-
-
-    RoleEntity adminRole = roleDAO.findByName(
-        configuration.getConfigsMap().get(Configuration.ADMIN_ROLE_NAME_KEY));
-    RoleEntity userRole = roleDAO.findByName(
-        configuration.getConfigsMap().get(Configuration.USER_ROLE_NAME_KEY));
-
-
-    assertTrue(allowedAdminEntity.getRoleEntities().contains(userRole));
-    assertTrue(allowedAdminEntity.getRoleEntities().contains(adminRole));
-
-    assertTrue(allowedUserEntity.getRoleEntities().contains(userRole));
-    assertFalse(allowedUserEntity.getRoleEntities().contains(adminRole));
-
-
-  }
-
   @AfterClass
   public static void afterClass() {
     apacheDSContainer.stop();

ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapDataPopulatorTest.java

@@ -34,7 +34,6 @@ import org.apache.ambari.server.orm.entities.GroupEntity;
 import org.apache.ambari.server.orm.entities.MemberEntity;
 import org.apache.ambari.server.orm.entities.PrincipalEntity;
 import org.apache.ambari.server.orm.entities.PrivilegeEntity;
-import org.apache.ambari.server.orm.entities.RoleEntity;
 import org.apache.ambari.server.orm.entities.UserEntity;
 import org.easymock.Capture;
 import org.easymock.EasyMock;
@@ -229,7 +228,6 @@ public class AmbariLdapDataPopulatorTest {
     userEntity.setLdapUser(ldapUser);
     userEntity.setActive(true);
     userEntity.setMemberEntities(new HashSet<MemberEntity>());
-    userEntity.setRoleEntities(new HashSet<RoleEntity>());
     final PrincipalEntity principalEntity = new PrincipalEntity();
     principalEntity.setPrivileges(new HashSet<PrivilegeEntity>());
     userEntity.setPrincipal(principalEntity);

ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLocalUserDetailsServiceTest.java

@@ -23,7 +23,6 @@ import com.google.inject.Injector;
 import org.apache.ambari.server.orm.GuiceJpaInitializer;
 import org.apache.ambari.server.orm.OrmTestHelper;
 import org.apache.ambari.server.orm.dao.UserDAO;
-import org.apache.ambari.server.orm.entities.UserEntity;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
@@ -70,10 +69,4 @@ public class AmbariLocalUserDetailsServiceTest {
   public void testUsernameNotFound() throws Exception {
     userDetailsService.loadUserByUsername("notExists_123123123");
   }
-
-  @Test(expected = UsernameNotFoundException.class)
-  public void testEmptyRoles() throws Exception {
-    UserEntity user = userDAO.findLocalUserByName("userWithoutRoles");
-    userDetailsService.loadUserByUsername(user.getUserName());
-  }
 }

ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestAmbariLdapAuthoritiesPopulator.java

@@ -17,49 +17,31 @@
  */
 package org.apache.ambari.server.security.authorization;
 
-import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.orm.dao.MemberDAO;
-import org.apache.ambari.server.orm.dao.PrincipalDAO;
-import org.apache.ambari.server.orm.dao.PrincipalTypeDAO;
 import org.apache.ambari.server.orm.dao.PrivilegeDAO;
-import org.apache.ambari.server.orm.dao.RoleDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
 import org.apache.ambari.server.orm.entities.GroupEntity;
 import org.apache.ambari.server.orm.entities.MemberEntity;
 import org.apache.ambari.server.orm.entities.PrincipalEntity;
-import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
 import org.apache.ambari.server.orm.entities.PrivilegeEntity;
-import org.apache.ambari.server.orm.entities.RoleEntity;
 import org.apache.ambari.server.orm.entities.UserEntity;
-import org.easymock.Capture;
+import org.easymock.EasyMock;
 import org.easymock.EasyMockSupport;
 import org.junit.Before;
 import org.junit.Test;
 import org.springframework.ldap.core.DirContextOperations;
 
 import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
 import static org.easymock.EasyMock.*;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
 
 public class TestAmbariLdapAuthoritiesPopulator extends EasyMockSupport {
 
   AuthorizationHelper helper = new AuthorizationHelper();
-  Configuration configuration = createMock(Configuration.class);
   UserDAO userDAO = createMock(UserDAO.class);
-  RoleDAO roleDAO = createMock(RoleDAO.class);
-  PrincipalDAO principalDAO = createMock(PrincipalDAO.class);
-  PrincipalTypeDAO principalTypeDAO = createMock(PrincipalTypeDAO.class);
   MemberDAO memberDAO = createMock(MemberDAO.class);
   PrivilegeDAO privilegeDAO = createMock(PrivilegeDAO.class);
-  LdapServerProperties ldapServerProperties = createMock(LdapServerProperties.class);
   DirContextOperations userData = createMock(DirContextOperations.class);
   UserEntity userEntity = createMock(UserEntity.class);
   PrincipalEntity principalEntity = createMock(PrincipalEntity.class);
@@ -68,23 +50,9 @@ public class TestAmbariLdapAuthoritiesPopulator extends EasyMockSupport {
   GroupEntity groupEntity = createMock(GroupEntity.class);
   PrivilegeEntity privilegeEntity = createMock(PrivilegeEntity.class);
 
-  Set<RoleEntity> roleSetStub = new HashSet<RoleEntity>();
-  String username = "user";
-  String adminRole = "role";
-  String userRole = "userRole";
-  Map<String, String> configs = new HashMap<String, String>();
-
-  public TestAmbariLdapAuthoritiesPopulator() {
-    configs.put(Configuration.ADMIN_ROLE_NAME_KEY, adminRole);
-    configs.put(Configuration.USER_ROLE_NAME_KEY, userRole);
-
-  }
-
   @Before
   public void setUp() throws Exception {
     resetAll();
-
-    expect(configuration.getConfigsMap()).andReturn(configs).anyTimes();
   }
 
   @Test
@@ -92,15 +60,7 @@ public class TestAmbariLdapAuthoritiesPopulator extends EasyMockSupport {
     String username = "user";
 
     AmbariLdapAuthoritiesPopulator populator = createMockBuilder(AmbariLdapAuthoritiesPopulator.class)
-        .addMockedMethod("createLdapUser")
-        .withConstructor(
-            configuration, helper, userDAO, roleDAO, principalDAO, principalTypeDAO, memberDAO, privilegeDAO
-        ).createMock();
-
-
-    expect(ldapServerProperties.isGroupMappingEnabled()).andReturn(false).atLeastOnce();
-
-    expect(configuration.getLdapServerProperties()).andReturn(ldapServerProperties).atLeastOnce();
+        .withConstructor(helper, userDAO, memberDAO, privilegeDAO).createMock();
 
     expect(userEntity.getPrincipal()).andReturn(principalEntity);
     expect(memberDAO.findAllMembersByUser(userEntity)).andReturn(Collections.singletonList(memberEntity));
@@ -111,13 +71,9 @@ public class TestAmbariLdapAuthoritiesPopulator extends EasyMockSupport {
     principalEntityList.add(groupPrincipalEntity);
     expect(privilegeDAO.findAllByPrincipal(principalEntityList)).andReturn(Collections.singletonList(privilegeEntity));
 
-    populator.createLdapUser(username);
-    expectLastCall();
-
-    expect(userDAO.findLdapUserByName(username)).andReturn(null).andReturn(userEntity);
+    expect(userDAO.findLdapUserByName(username)).andReturn(userEntity);
     replayAll();
 
-
     populator.getGrantedAuthorities(userData, username);
 
     verifyAll();
@@ -127,20 +83,8 @@ public class TestAmbariLdapAuthoritiesPopulator extends EasyMockSupport {
   @Test
   public void testGetGrantedAuthorities_mappingEnabled() throws Exception {
 
-
     AmbariLdapAuthoritiesPopulator populator = createMockBuilder(AmbariLdapAuthoritiesPopulator.class)
-        .addMockedMethod("createLdapUser")
-        .addMockedMethod("addRole")
-        .addMockedMethod("removeRole")
-        .withConstructor(
-            configuration, helper, userDAO, roleDAO, principalDAO, principalTypeDAO, memberDAO, privilegeDAO
-        ).createMock();
-
-    expect(userData.getObjectAttribute("ambari_admin")).andReturn(Boolean.TRUE).andReturn(Boolean.FALSE);
-
-    expect(ldapServerProperties.isGroupMappingEnabled()).andReturn(true).atLeastOnce();
-
-    expect(configuration.getLdapServerProperties()).andReturn(ldapServerProperties).atLeastOnce();
+        .withConstructor(helper, userDAO, memberDAO, privilegeDAO).createMock();
 
     expect(userEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
     expect(memberDAO.findAllMembersByUser(userEntity)).andReturn(Collections.singletonList(memberEntity)).anyTimes();
@@ -151,158 +95,16 @@ public class TestAmbariLdapAuthoritiesPopulator extends EasyMockSupport {
     principalEntityList.add(groupPrincipalEntity);
     expect(privilegeDAO.findAllByPrincipal(principalEntityList)).andReturn(Collections.singletonList(privilegeEntity)).anyTimes();
 
-    expect(userDAO.findLdapUserByName(username)).andReturn(null).andReturn(userEntity).times(2);
-
-    populator.createLdapUser(username);
-    expectLastCall();
-    populator.addRole(userEntity, adminRole);
-    expectLastCall();
-    populator.removeRole(userEntity, adminRole);
-    expectLastCall();
+    expect(userDAO.findLdapUserByName(EasyMock.<String> anyObject())).andReturn(null).andReturn(userEntity).once();
 
     replayAll();
 
     //test with admin user
-    populator.getGrantedAuthorities(userData, username);
+    populator.getGrantedAuthorities(userData, "admin");
     //test with non-admin
-    populator.getGrantedAuthorities(userData, username);
-
-    verifyAll();
-  }
-
-  @Test
-  public void testCreateLdapUser() throws Exception {
-    AmbariLdapAuthoritiesPopulator populator = createMockBuilder(AmbariLdapAuthoritiesPopulator.class)
-        .addMockedMethod("addRole")
-        .addMockedMethod("removeRole")
-        .withConstructor(
-            configuration, helper, userDAO, roleDAO, principalDAO, principalTypeDAO, memberDAO, privilegeDAO
-        ).createMock();
-
-    Capture<UserEntity> createEntity = new Capture<UserEntity>();
-    Capture<UserEntity> addRoleEntity = new Capture<UserEntity>();
-    Capture<PrincipalEntity> principalEntity = new Capture<PrincipalEntity>();
-
-    userDAO.create(capture(createEntity));
-    expectLastCall();
-
-    populator.addRole(capture(addRoleEntity), eq(userRole));
-    expectLastCall();
-
-    PrincipalTypeEntity principalTypeEntity = new PrincipalTypeEntity();
-    principalTypeEntity.setId(PrincipalTypeEntity.USER_PRINCIPAL_TYPE);
-    principalTypeEntity.setName(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME);
-
-    expect(principalTypeDAO.findById(1)).andReturn(principalTypeEntity);
-
-    principalDAO.create(capture(principalEntity));
-
-    replayAll();
-
-    populator.createLdapUser(username);
-
-    verifyAll();
-
-    UserEntity capturedCreateEntity = createEntity.getValue();
-    UserEntity capturedAddRoleEntity = addRoleEntity.getValue();
-
-    assertTrue(capturedCreateEntity.getLdapUser());
-    assertEquals(username, capturedCreateEntity.getUserName());
-
-    assertEquals(capturedCreateEntity,capturedAddRoleEntity);
-
-  }
-
-
-  @Test
-  public void testAddRole() throws Exception {
-    AmbariLdapAuthoritiesPopulator populator =
-        new AmbariLdapAuthoritiesPopulator(configuration, helper, userDAO, roleDAO, principalDAO, principalTypeDAO,
-            memberDAO, privilegeDAO);
-
-    RoleEntity roleEntity = createMock(RoleEntity.class);
-    Set<UserEntity> userEntities = createMock(Set.class);
-    Set<RoleEntity> roleEntities = createMock(Set.class);
-
-    Capture<RoleEntity> createdRole = new Capture<RoleEntity>();
-
-    expect(roleDAO.findByName(adminRole)).andReturn(null).andReturn(roleEntity);
-    expect(roleDAO.findByName(adminRole)).andReturn(roleEntity);
-
-    roleDAO.create(capture(createdRole));
-    expectLastCall();
-
-    expect(userEntity.getUserName()).andReturn(username).anyTimes();
-    expect(userEntity.getRoleEntities()).andReturn(roleEntities).anyTimes();
-
-    expect(roleEntity.getUserEntities()).andReturn(userEntities).anyTimes();
-
-    expect(roleEntities.contains(roleEntity)).andReturn(false);
-    expect(roleEntities.contains(roleEntity)).andReturn(true);
-
-    expect(userEntities.add(userEntity)).andReturn(true);
-    expect(roleEntities.add(roleEntity)).andReturn(true);
-
-    userDAO.merge(userEntity);
-    expectLastCall().andReturn(userEntity);
-    roleDAO.merge(roleEntity);
-    expectLastCall().andReturn(roleEntity);
-
-    expect(userDAO.findLdapUserByName(username)).andReturn(null).andReturn(userEntity);
-    expect(userDAO.findLdapUserByName(username)).andReturn(userEntity);
-
-    userDAO.create(userEntity);
-    expectLastCall();
-
-    replayAll();
-
-    populator.addRole(userEntity, adminRole);
-    populator.addRole(userEntity, adminRole);
+    populator.getGrantedAuthorities(userData, "user");
 
     verifyAll();
-
-    assertEquals(adminRole, createdRole.getValue().getRoleName());
-
   }
 
-
-  @Test
-  public void testRemoveRole() throws Exception {
-    int userId = 123;
-
-    AmbariLdapAuthoritiesPopulator populator =
-        new AmbariLdapAuthoritiesPopulator(configuration, helper, userDAO, roleDAO, principalDAO, principalTypeDAO,
-            memberDAO, privilegeDAO);
-
-    RoleEntity roleEntity = createMock(RoleEntity.class);
-    Set<UserEntity> userEntities = createMock(Set.class);
-    Set<RoleEntity> roleEntities = createMock(Set.class);
-
-    expect(userEntity.getUserId()).andReturn(userId);
-
-    expect(userDAO.findByPK(userId)).andReturn(userEntity);
-
-    expect(roleDAO.findByName(adminRole)).andReturn(roleEntity);
-
-    expect(userEntity.getRoleEntities()).andReturn(roleEntities);
-
-    expect(roleEntities.contains(roleEntity)).andReturn(true);
-
-    expect(userEntity.getUserName()).andReturn(username);
-
-    expect(userEntity.getRoleEntities()).andReturn(roleEntities);
-    expect(roleEntity.getUserEntities()).andReturn(userEntities);
-
-    expect(userEntities.remove(userEntity)).andReturn(true);
-    expect(roleEntities.remove(roleEntity)).andReturn(true);
-
-    expect(userDAO.merge(userEntity)).andReturn(userEntity);
-    expect(roleDAO.merge(roleEntity)).andReturn(roleEntity);
-
-    replayAll();
-
-    populator.removeRole(userEntity, adminRole);
-
-    verifyAll();
-  }
 }

ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java

@@ -35,11 +35,9 @@ import org.apache.ambari.server.orm.dao.GroupDAO;
 import org.apache.ambari.server.orm.dao.MemberDAO;
 import org.apache.ambari.server.orm.dao.PrincipalDAO;
 import org.apache.ambari.server.orm.dao.PrincipalTypeDAO;
-import org.apache.ambari.server.orm.dao.RoleDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
 import org.apache.ambari.server.orm.entities.PrincipalEntity;
 import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
-import org.apache.ambari.server.orm.entities.RoleEntity;
 import org.apache.ambari.server.orm.entities.UserEntity;
 import org.junit.After;
 import org.junit.Before;
@@ -66,8 +64,6 @@ public class TestUsers {
   @Inject
   protected MemberDAO memberDAO;
   @Inject
-  protected RoleDAO roleDAO;
-  @Inject
   protected PrincipalTypeDAO principalTypeDAO;
   @Inject
   protected PrincipalDAO principalDAO;
@@ -82,7 +78,6 @@ public class TestUsers {
     injector = Guice.createInjector(module);
     injector.getInstance(GuiceJpaInitializer.class);
     injector.injectMembers(this);
-    users.createDefaultRoles();
     Authentication auth = new UsernamePasswordAuthenticationToken("admin", null);
     SecurityContextHolder.getContext().setAuthentication(auth);
   }
@@ -214,83 +209,6 @@ public class TestUsers {
     fail("Exception was not thrown");
   }
 
-  @Test(expected = AmbariException.class)
-  public void testPromoteUser() throws Exception {
-    users.createUser("admin", "admin");
-    users.createUser("admin2", "admin2");
-    User user = users.getLocalUser("admin");
-    assertTrue(user.getRoles().contains(users.getUserRole()));
-    assertFalse(user.getRoles().contains(users.getAdminRole()));
-    users.promoteToAdmin(user);
-    user = users.getLocalUser("admin2");
-    users.promoteToAdmin(user);
-
-    user = users.getLocalUser("admin");
-    assertTrue(user.getRoles().contains(users.getAdminRole()));
-
-    users.demoteAdmin(user);
-
-    user = users.getLocalUser("admin");
-    assertFalse(user.getRoles().contains(users.getAdminRole()));
-
-    user = users.getLocalUser("admin2");
-    users.demoteAdmin(user);
-
-  }
-
-  @Test(expected = AmbariException.class)
-  public void testRemoveUser() throws Exception {
-    users.createUser("admin", "admin");
-    User user = users.getLocalUser("admin");
-    users.promoteToAdmin(user);
-
-    user = users.getLocalUser("admin");
-    assertTrue(user.getRoles().contains(users.getAdminRole()));
-
-    users.removeUser(user);
-  }
-
-
-  @Test
-  public void testPromoteLdapUser() throws Exception {
-    createLdapUser();
-
-    User ldapUser = users.getLdapUser("ldapUser");
-    users.createUser("localadmin", "admin");
-    User localUser = users.getLocalUser("localadmin");
-    users.promoteToAdmin(localUser);
-
-    users.promoteToAdmin(ldapUser);
-
-    ldapUser = users.getLdapUser("ldapUser");
-    assertTrue(ldapUser.getRoles().contains(users.getAdminRole()));
-
-    users.demoteAdmin(ldapUser);
-
-    ldapUser = users.getLdapUser("ldapUser");
-    assertFalse(ldapUser.getRoles().contains(users.getAdminRole()));
-
-    users.removeUser(ldapUser);
-
-    //toggle group mapping
-    properties.setProperty(Configuration.LDAP_GROUP_BASE_KEY, "ou=groups,dc=ambari,dc=apache,dc=org");
-    createLdapUser();
-
-    try {
-      users.promoteToAdmin(ldapUser);
-      fail("Not allowed with mapping on");
-    } catch (AmbariException e) {
-    }
-
-    try {
-      users.demoteAdmin(ldapUser);
-      fail("Not allowed with mapping on");
-    } catch (AmbariException e) {
-    }
-
-
-  }
-
   private void createLdapUser() {
 
     PrincipalTypeEntity principalTypeEntity = new PrincipalTypeEntity();
@@ -301,7 +219,6 @@ public class TestUsers {
     principalEntity.setPrincipalType(principalTypeEntity);
     principalDAO.create(principalEntity);
 
-    RoleEntity role = roleDAO.findByName(users.getUserRole());
     UserEntity ldapUser = new UserEntity();
 
     ldapUser.setUserName("ldapUser");
@@ -312,10 +229,6 @@ public class TestUsers {
 
     UserEntity userEntity = userDAO.findLdapUserByName("ldapUser");
 
-    userEntity.getRoleEntities().add(role);
-    role.getUserEntities().add(ldapUser);
-
     userDAO.merge(ldapUser);
-    roleDAO.merge(role);
   }
 }

ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog170Test.java

@@ -247,6 +247,7 @@ public class UpgradeCatalog170Test {
     Order o = createNiceMock(Order.class);
     TypedQuery<HostRoleCommandEntity> q = createNiceMock(TypedQuery.class);
     List<HostRoleCommandEntity> r = new ArrayList<HostRoleCommandEntity>();
+    ResultSet userRolesResultSet = createNiceMock(ResultSet.class);
 
     Method m = AbstractUpgradeCatalog.class.getDeclaredMethod
         ("updateConfigurationProperties", String.class, Map.class, boolean.class, boolean.class);
@@ -292,9 +293,11 @@ public class UpgradeCatalog170Test {
         Collections.singletonMap("min_user_id", "1000"), false, false);
     expectLastCall();
 
+    expect(dbAccessor.executeSelect("SELECT role_name, user_id FROM user_roles")).andReturn(userRolesResultSet).once();
     expect(entityManager.getTransaction()).andReturn(trans).anyTimes();
     expect(entityManager.getCriteriaBuilder()).andReturn(cb).anyTimes();
     expect(entityManager.createQuery(cq)).andReturn(q).anyTimes();
+    expect(userRolesResultSet.next()).andReturn(false).once();
     expect(trans.isActive()).andReturn(true).anyTimes();
     expect(upgradeCatalog.getEntityManagerProvider()).andReturn(entityManagerProvider).anyTimes();
     expect(cb.createQuery(HostRoleCommandEntity.class)).andReturn(cq).anyTimes();
@@ -362,7 +365,8 @@ public class UpgradeCatalog170Test {
     keyValueDAO.remove(showJobsKeyValue);
     privilegeDAO.create(anyObject(PrivilegeEntity.class));
 
-    replay(entityManager, trans, upgradeCatalog, cb, cq, hrc, q);
+    replay(entityManager, trans, upgradeCatalog, cb, cq, hrc, q, userRolesResultSet);
+
     replay(dbAccessor, configuration, injector, cluster, clusters, amc, config, configHelper, pigConfig);
     replay(userDAO, clusterDAO, viewDAO, viewInstanceDAO, permissionDAO);
     replay(resourceTypeDAO, resourceDAO, keyValueDAO, privilegeDAO);
@@ -382,7 +386,7 @@ public class UpgradeCatalog170Test {
     upgradeCatalog.executeDMLUpdates();
 
     verify(upgradeCatalog, dbAccessor, configuration, injector, cluster, clusters, amc, config, configHelper,
-        jobsView, showJobsKeyValue, privilegeDAO, viewDAO, viewInstanceDAO, resourceDAO, keyValueDAO);
+        jobsView, showJobsKeyValue, privilegeDAO, viewDAO, viewInstanceDAO, resourceDAO, keyValueDAO, userRolesResultSet);
   }
 
 

ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeTest.java

@@ -23,15 +23,10 @@ import com.google.inject.Injector;
 import com.google.inject.Key;
 import com.google.inject.TypeLiteral;
 import com.google.inject.persist.PersistService;
-import org.apache.ambari.server.configuration.ComponentSSLConfiguration;
 import org.apache.ambari.server.configuration.Configuration;
-import org.apache.ambari.server.controller.AmbariServer;
 import org.apache.ambari.server.controller.ControllerModule;
 import org.apache.ambari.server.orm.DBAccessor;
-import org.apache.ambari.server.orm.InMemoryDefaultTestModule;
 import org.apache.ambari.server.orm.dao.*;
-import org.apache.ambari.server.security.CertificateManager;
-import org.apache.ambari.server.state.Config;
 import org.apache.ambari.server.utils.VersionUtils;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -45,8 +40,6 @@ import java.sql.SQLException;
 import java.sql.SQLNonTransientConnectionException;
 import java.util.*;
 
-import static org.junit.Assert.assertTrue;
-
 @RunWith(Parameterized.class)
 public class UpgradeTest {
   private static final Logger LOG = LoggerFactory.getLogger(UpgradeTest.class);
@@ -139,7 +132,6 @@ public class UpgradeTest {
     requestDAO.findAllResourceFilters();
     injector.getInstance(RequestScheduleBatchRequestDAO.class).findAll();
     injector.getInstance(RequestScheduleDAO.class).findAll();
-    injector.getInstance(RoleDAO.class).findAll();
     injector.getInstance(RoleSuccessCriteriaDAO.class).findAll();
     injector.getInstance(ServiceComponentDesiredStateDAO.class).findAll();
     injector.getInstance(ServiceDesiredStateDAO.class).findAll();