AMBARI-13865. Add authorizations to permissions so that the definition of a permission (or role) is explicit (rlevas)

ambari-server/src/main/java/org/apache/ambari/server/api/services/RoleAuthorizationService.java

@@ -32,6 +32,12 @@ import javax.ws.rs.core.UriInfo;
 import java.util.HashMap;
 import java.util.Map;
 
+/**
+ * RoleAuthorizationService is a read-only service responsible for role authorization resource requests.
+ * <p/>
+ * The result sets returned by this service are either the full set of available authorizations or
+ * those related to a particular permission.
+ */
 @Path("/authorizations/")
 public class RoleAuthorizationService extends BaseService {
   private String permissionId;

ambari-server/src/main/java/org/apache/ambari/server/api/services/UserAuthorizationService.java

@@ -32,6 +32,13 @@ import javax.ws.rs.core.UriInfo;
 import java.util.HashMap;
 import java.util.Map;
 
+/**
+ * UserAuthorizationService is a read-only service responsible for user authorization resource requests.
+ * <p/>
+ * The result sets returned by this service represent the set of authorizations assigned to a given user.
+ * Authorizations are tied to a resource, so a user may have the multiple authorization entries for the
+ * same authorization id (for example VIEW.USE), however each will represnet a different view instance.
+ */
 public class UserAuthorizationService extends BaseService {
 
   /**

ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RoleAuthorizationResourceProvider.java

@@ -30,7 +30,9 @@ import org.apache.ambari.server.controller.spi.Resource.Type;
 import org.apache.ambari.server.controller.spi.SystemException;
 import org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
 import org.apache.ambari.server.controller.utilities.PropertyHelper;
+import org.apache.ambari.server.orm.dao.RoleAuthorizationDAO;
 import org.apache.ambari.server.orm.dao.PermissionDAO;
+import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity;
 import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.apache.commons.lang.StringUtils;
 
@@ -78,11 +80,17 @@ public class RoleAuthorizationResourceProvider extends ReadOnlyResourceProvider
     KEY_PROPERTY_IDS = Collections.unmodifiableMap(map);
   }
 
+  /**
+   * Data access object used to obtain authorization entities.
+   */
+  @Inject
+  private static RoleAuthorizationDAO roleAuthorizationDAO;
+
   /**
    * Data access object used to obtain permission entities.
    */
   @Inject
-  protected static PermissionDAO permissionDAO;
+  private static PermissionDAO permissionDAO;
 
   /**
    * Create a new resource provider.
@@ -127,39 +135,25 @@ public class RoleAuthorizationResourceProvider extends ReadOnlyResourceProvider
         }
 
         if (permissionId == null) {
-          // TODO: ** This is stubbed out until the data layer catches up...
-          // TODO: entities = roleAuthorizationDAO.findAll();
-          authorizationEntities = createAdminAuthorizations();
+          authorizationEntities = roleAuthorizationDAO.findAll();
         } else {
           PermissionEntity permissionEntity = permissionDAO.findById(permissionId);
 
-          if(permissionEntity == null)
+          if (permissionEntity == null) {
             authorizationEntities = null;
-          else
-          {
-            // TODO: ** This is stubbed out until the data layer catches up...
-            // TODO: authorizationEntities = (permissionEntity == null)
-            // TODO: ? null
-            // TODO: : permissionEntity.getAuthorizations();
-            String permissionName = permissionEntity.getPermissionName();
-            if (permissionName.startsWith("AMBARI")) {
-              authorizationEntities = createAdminAuthorizations();
-            } else if (permissionName.startsWith("CLUSTER")) {
-              authorizationEntities = createOperatorAuthorizations();
-            } else {
-              authorizationEntities = null;
-            }
+          } else {
+            authorizationEntities = permissionEntity.getAuthorizations();
           }
         }
 
         if (authorizationEntities != null) {
           String authorizationId = (String) propertyMap.get(AUTHORIZATION_ID_PROPERTY_ID);
 
-          if(!StringUtils.isEmpty(authorizationId)) {
+          if (!StringUtils.isEmpty(authorizationId)) {
             // Filter the entities
             Iterator<RoleAuthorizationEntity> iterator = authorizationEntities.iterator();
-            while(iterator.hasNext()) {
-              if(!authorizationId.equals(iterator.next().getAuthorizationId())) {
+            while (iterator.hasNext()) {
+              if (!authorizationId.equals(iterator.next().getAuthorizationId())) {
                 iterator.remove();
               }
             }
@@ -190,130 +184,10 @@ public class RoleAuthorizationResourceProvider extends ReadOnlyResourceProvider
   private Resource toResource(Integer permissionId, RoleAuthorizationEntity entity, Set<String> requestedIds) {
     Resource resource = new ResourceImpl(Type.RoleAuthorization);
     setResourceProperty(resource, AUTHORIZATION_ID_PROPERTY_ID, entity.getAuthorizationId(), requestedIds);
-    if(permissionId != null) {
+    if (permissionId != null) {
       setResourceProperty(resource, PERMISSION_ID_PROPERTY_ID, permissionId, requestedIds);
     }
     setResourceProperty(resource, AUTHORIZATION_NAME_PROPERTY_ID, entity.getAuthorizationName(), requestedIds);
     return resource;
   }
-
-  /**
-   * Fills RoleAuthorizationEntities for an administrator user
-   * <p/>
-   * This is a temporary method until the data layer catches up
-   * <p/>
-   * TODO: Remove when the data later catches up
-   *
-   * @return an array of RoleAuthorizationEntity objects
-   */
-  private Collection<RoleAuthorizationEntity> createAdminAuthorizations() {
-    Collection<RoleAuthorizationEntity> authorizationEntities = new ArrayList<RoleAuthorizationEntity>();
-    authorizationEntities.add(new RoleAuthorizationEntity("VIEW.USE", "Use View"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_CONFIGS", "View configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.COMPARE_CONFIGS", "Compare configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_ALERTS", "View service alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.START_STOP", "Start/Stop/Restart Service"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.DECOMMISSION_RECOMMISSION", "Decommission/recommission"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.RUN_SERVICE_CHECK", "Run service checks"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.TOGGLE_MAINTENANCE", "Turn on/off maintenance mode"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.RUN_CUSTOM_COMMAND", "Perform service-specific tasks"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MODIFY_CONFIGS", "Modify configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MANAGE_CONFIG_GROUPS", "Manage configuration groups"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MOVE", "Move to another host"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.ENABLE_HA", "Enable HA"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.TOGGLE_ALERTS", "Enable/disable service alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.ADD_DELETE_SERVICES", "Add Service to cluster"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_CONFIGS", "View configuration"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.COMPARE_CONFIGS", "Turn on/off maintenance mode"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.ADD_DELETE_COMPONENTS", "Install components"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.ADD_DELETE_HOSTS", "Add/Delete hosts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_CONFIGS", "View configuration"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_STACK_DETAILS", "View stack version details"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_ALERTS", "View alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.TOGGLE_ALERTS", "Enable/disable alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.TOGGLE_KERBEROS", "Enable/disable Kerberos"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.UPGRADE_DOWNGRADE_STACK", "Upgrade/downgrade stack"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.ADD_DELETE_CLUSTERS", "Create new clusters"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.SET_SERVICE_USERS_GROUPS", "Set service users and groups"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.RENAME_CLUSTER", "Rename clusters"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.MANAGE_USERS", "Manage users"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.MANAGE_GROUPS", "Manage groups"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.MANAGE_VIEWS", "Manage Ambari Views"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.ASSIGN_ROLES", "Assign roles"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.MANAGE_STACK_VERSIONS", "Manage stack versions"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.EDIT_STACK_REPOS", "Edit stack repository URLs"));
-    return authorizationEntities;
-  }
-
-  /**
-   * Fills RoleAuthorizationEntities for an administrator user
-   * <p/>
-   * This is a temporary method until the data layer catches up
-   * <p/>
-   * TODO: Remove when the data later catches up
-   *
-   * @return an array of RoleAuthorizationEntity objects
-   */
-  private Collection<RoleAuthorizationEntity> createOperatorAuthorizations() {
-    Collection<RoleAuthorizationEntity> authorizationEntities = new ArrayList<RoleAuthorizationEntity>();
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_CONFIGS", "View configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.COMPARE_CONFIGS", "Compare configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_ALERTS", "View service alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.START_STOP", "Start/Stop/Restart Service"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.DECOMMISSION_RECOMMISSION", "Decommission/recommission"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.RUN_SERVICE_CHECK", "Run service checks"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.TOGGLE_MAINTENANCE", "Turn on/off maintenance mode"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.RUN_CUSTOM_COMMAND", "Perform service-specific tasks"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MODIFY_CONFIGS", "Modify configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MANAGE_CONFIG_GROUPS", "Manage configuration groups"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MOVE", "Move to another host"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.ENABLE_HA", "Enable HA"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.TOGGLE_ALERTS", "Enable/disable service alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.ADD_DELETE_SERVICES", "Add Service to cluster"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_CONFIGS", "View configuration"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.COMPARE_CONFIGS", "Turn on/off maintenance mode"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.ADD_DELETE_COMPONENTS", "Install components"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.ADD_DELETE_HOSTS", "Add/Delete hosts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_CONFIGS", "View configuration"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_STACK_DETAILS", "View stack version details"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_ALERTS", "View alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.TOGGLE_ALERTS", "Enable/disable alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.TOGGLE_KERBEROS", "Enable/disable Kerberos"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.UPGRADE_DOWNGRADE_STACK", "Upgrade/downgrade stack"));
-    return authorizationEntities;
-  }
-
-  /**
-   * RoleAuthorizationEntity is a stubbed out Entity class to be replaced by a real Entity class
-   * TODO: Replace with real RoleAuthorizationEntity class when the data later catches up
-   */
-  private static class RoleAuthorizationEntity {
-    private final String authorizationId;
-    private final String authorizationName;
-
-    private RoleAuthorizationEntity(String authorizationId, String authorizationName) {
-      this.authorizationId = authorizationId;
-      this.authorizationName = authorizationName;
-    }
-
-    public String getAuthorizationId() {
-      return authorizationId;
-    }
-
-    public String getAuthorizationName() {
-      return authorizationName;
-    }
-  }
 }

ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserAuthorizationResourceProvider.java

@@ -38,6 +38,7 @@ import org.apache.ambari.server.orm.dao.PermissionDAO;
 import org.apache.ambari.server.orm.dao.ResourceTypeDAO;
 import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
+import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity;
 
 import java.util.ArrayList;
 import java.util.Collection;
@@ -97,13 +98,13 @@ public class UserAuthorizationResourceProvider extends ReadOnlyResourceProvider
    * Data access object used to obtain permission entities.
    */
   @Inject
-  protected static PermissionDAO permissionDAO;
+  private static PermissionDAO permissionDAO;
 
   /**
    * Data access object used to obtain resource type entities.
    */
   @Inject
-  protected static ResourceTypeDAO resourceTypeDAO;
+  private static ResourceTypeDAO resourceTypeDAO;
 
   /**
    * The ClusterController user to get access to other resource providers
@@ -149,17 +150,7 @@ public class UserAuthorizationResourceProvider extends ReadOnlyResourceProvider
             if (permissionEntity == null) {
               authorizationEntities = null;
             } else {
-              // TODO: ** This is stubbed out until the data layer catches up...
-              // TODO: authorizationEntities = permissionEntity.getAuthorizations();
-              if (permissionName.startsWith("AMBARI")) {
-                authorizationEntities = createAdminAuthorizations();
-              } else if (permissionName.startsWith("CLUSTER")) {
-                authorizationEntities = createOperatorAuthorizations();
-              } else if (permissionName.startsWith("VIEW")) {
-                authorizationEntities = createViewUserAuthorizations();
-              } else {
-                authorizationEntities = null;
-              }
+              authorizationEntities = permissionEntity.getAuthorizations();
             }
 
             if (authorizationEntities != null) {
@@ -296,141 +287,4 @@ public class UserAuthorizationResourceProvider extends ReadOnlyResourceProvider
       resources.add(resource);
     }
   }
-
-
-  /**
-   * Fills RoleAuthorizationEntities for an administrator user
-   * <p/>
-   * This is a temporary method until the data layer catches up
-   * <p/>
-   * TODO: Remove when the data later catches up
-   *
-   * @return an array of RoleAuthorizationEntity objects
-   */
-  private Collection<RoleAuthorizationEntity> createAdminAuthorizations() {
-    Collection<RoleAuthorizationEntity> authorizationEntities = new ArrayList<RoleAuthorizationEntity>();
-    authorizationEntities.add(new RoleAuthorizationEntity("VIEW.USE", "Use View"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_CONFIGS", "View configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.COMPARE_CONFIGS", "Compare configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_ALERTS", "View service alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.START_STOP", "Start/Stop/Restart Service"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.DECOMMISSION_RECOMMISSION", "Decommission/recommission"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.RUN_SERVICE_CHECK", "Run service checks"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.TOGGLE_MAINTENANCE", "Turn on/off maintenance mode"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.RUN_CUSTOM_COMMAND", "Perform service-specific tasks"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MODIFY_CONFIGS", "Modify configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MANAGE_CONFIG_GROUPS", "Manage configuration groups"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MOVE", "Move to another host"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.ENABLE_HA", "Enable HA"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.TOGGLE_ALERTS", "Enable/disable service alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.ADD_DELETE_SERVICES", "Add Service to cluster"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_CONFIGS", "View configuration"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.COMPARE_CONFIGS", "Turn on/off maintenance mode"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.ADD_DELETE_COMPONENTS", "Install components"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.ADD_DELETE_HOSTS", "Add/Delete hosts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_CONFIGS", "View configuration"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_STACK_DETAILS", "View stack version details"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_ALERTS", "View alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.TOGGLE_ALERTS", "Enable/disable alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.TOGGLE_KERBEROS", "Enable/disable Kerberos"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.UPGRADE_DOWNGRADE_STACK", "Upgrade/downgrade stack"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.ADD_DELETE_CLUSTERS", "Create new clusters"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.SET_SERVICE_USERS_GROUPS", "Set service users and groups"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.RENAME_CLUSTER", "Rename clusters"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.MANAGE_USERS", "Manage users"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.MANAGE_GROUPS", "Manage groups"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.MANAGE_VIEWS", "Manage Ambari Views"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.ASSIGN_ROLES", "Assign roles"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.MANAGE_STACK_VERSIONS", "Manage stack versions"));
-    authorizationEntities.add(new RoleAuthorizationEntity("AMBARI.EDIT_STACK_REPOS", "Edit stack repository URLs"));
-    return authorizationEntities;
-  }
-
-  /**
-   * Fills RoleAuthorizationEntities for an administrator user
-   * <p/>
-   * This is a temporary method until the data layer catches up
-   * <p/>
-   * TODO: Remove when the data later catches up
-   *
-   * @return an array of RoleAuthorizationEntity objects
-   */
-  private Collection<RoleAuthorizationEntity> createOperatorAuthorizations() {
-    Collection<RoleAuthorizationEntity> authorizationEntities = new ArrayList<RoleAuthorizationEntity>();
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_CONFIGS", "View configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.COMPARE_CONFIGS", "Compare configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.VIEW_ALERTS", "View service alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.START_STOP", "Start/Stop/Restart Service"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.DECOMMISSION_RECOMMISSION", "Decommission/recommission"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.RUN_SERVICE_CHECK", "Run service checks"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.TOGGLE_MAINTENANCE", "Turn on/off maintenance mode"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.RUN_CUSTOM_COMMAND", "Perform service-specific tasks"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MODIFY_CONFIGS", "Modify configurations"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MANAGE_CONFIG_GROUPS", "Manage configuration groups"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.MOVE", "Move to another host"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.ENABLE_HA", "Enable HA"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.TOGGLE_ALERTS", "Enable/disable service alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("SERVICE.ADD_DELETE_SERVICES", "Add Service to cluster"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.VIEW_CONFIGS", "View configuration"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.COMPARE_CONFIGS", "Turn on/off maintenance mode"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.ADD_DELETE_COMPONENTS", "Install components"));
-    authorizationEntities.add(new RoleAuthorizationEntity("HOST.ADD_DELETE_HOSTS", "Add/Delete hosts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_METRICS", "View metrics"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_STATUS_INFO", "View status information"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_CONFIGS", "View configuration"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_STACK_DETAILS", "View stack version details"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.VIEW_ALERTS", "View alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.TOGGLE_ALERTS", "Enable/disable alerts"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.TOGGLE_KERBEROS", "Enable/disable Kerberos"));
-    authorizationEntities.add(new RoleAuthorizationEntity("CLUSTER.UPGRADE_DOWNGRADE_STACK", "Upgrade/downgrade stack"));
-    return authorizationEntities;
-  }
-
-  /**
-   * Fills RoleAuthorizationEntities for a view user
-   * <p/>
-   * This is a temporary method until the data layer catches up
-   * <p/>
-   * TODO: Remove when the data later catches up
-   *
-   * @return an array of RoleAuthorizationEntity objects
-   */
-  private Collection<RoleAuthorizationEntity> createViewUserAuthorizations() {
-    Collection<RoleAuthorizationEntity> authorizationEntities = new ArrayList<RoleAuthorizationEntity>();
-    authorizationEntities.add(new RoleAuthorizationEntity("VIEW.USE", "Use View"));
-    return authorizationEntities;
-  }
-
-
-  /**
-   * RoleAuthorizationEntity is a stubbed out Entity class to be replaced by a real Entity class
-   * TODO: Replace with real RoleAuthorizationEntity class when the data later catches up
-   */
-  private static class RoleAuthorizationEntity {
-    private final String authorizationId;
-    private final String authorizationName;
-
-    private RoleAuthorizationEntity(String authorizationId, String authorizationName) {
-      this.authorizationId = authorizationId;
-      this.authorizationName = authorizationName;
-    }
-
-    public String getAuthorizationId() {
-      return authorizationId;
-    }
-
-    public String getAuthorizationName() {
-      return authorizationName;
-    }
-  }
 }

ambari-server/src/main/java/org/apache/ambari/server/orm/dao/RoleAuthorizationDAO.java

@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing authorizations and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.orm.dao;
+
+import com.google.inject.Inject;
+import com.google.inject.Provider;
+import com.google.inject.Singleton;
+import org.apache.ambari.server.orm.RequiresSession;
+import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity;
+
+import javax.persistence.EntityManager;
+import javax.persistence.TypedQuery;
+import java.util.List;
+
+/**
+ * Authorization (definition) Data Access Object.
+ */
+@Singleton
+public class RoleAuthorizationDAO {
+
+  /**
+   * JPA entity manager
+   */
+  @Inject
+  Provider<EntityManager> entityManagerProvider;
+
+  @Inject
+  DaoUtils daoUtils;
+
+  /**
+   * Find a authorization entity with the given id.
+   *
+   * @param id type id
+   * @return a matching authorization entity or null
+   */
+  @RequiresSession
+  public RoleAuthorizationEntity findById(String id) {
+    return entityManagerProvider.get().find(RoleAuthorizationEntity.class, id);
+  }
+
+  /**
+   * Find all authorization entities.
+   *
+   * @return all entities or an empty List
+   */
+  @RequiresSession
+  public List<RoleAuthorizationEntity> findAll() {
+    TypedQuery<RoleAuthorizationEntity> query = entityManagerProvider.get().createNamedQuery("findAll", RoleAuthorizationEntity.class);
+    return daoUtils.selectList(query);
+  }
+}

ambari-server/src/main/java/org/apache/ambari/server/orm/entities/PermissionEntity.java

@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -26,9 +26,12 @@ import javax.persistence.GenerationType;
 import javax.persistence.Id;
 import javax.persistence.JoinColumn;
 import javax.persistence.JoinColumns;
+import javax.persistence.JoinTable;
+import javax.persistence.ManyToMany;
 import javax.persistence.ManyToOne;
 import javax.persistence.Table;
 import javax.persistence.TableGenerator;
+import java.util.Collection;
 
 /**
  * Represents an admin permission.
@@ -38,7 +41,7 @@ import javax.persistence.TableGenerator;
 @TableGenerator(name = "permission_id_generator",
     table = "ambari_sequences", pkColumnName = "sequence_name", valueColumnName = "sequence_value"
     , pkColumnValue = "permission_id_seq"
-    , initialValue = 5
+    , initialValue = 8
 )
 public class PermissionEntity {
 
@@ -85,6 +88,20 @@ public class PermissionEntity {
   })
   private ResourceTypeEntity resourceType;
 
+  /**
+   * The set of authorizations related to this permission.
+   *
+   * This value declares the granular details for which operations this PermissionEntity grants
+   * access.
+   */
+  @ManyToMany
+  @JoinTable(
+      name = "permission_roleauthorization",
+      joinColumns = {@JoinColumn(name = "permission_id")},
+      inverseJoinColumns = {@JoinColumn(name = "authorization_id")}
+  )
+  private Collection<RoleAuthorizationEntity> authorizations;
+
 
   // ----- PermissionEntity ---------------------------------------------------
 
@@ -160,8 +177,25 @@ public class PermissionEntity {
     this.resourceType = resourceType;
   }
 
+  /**
+   * Gets the collection of granular authorizations for this PermissionEntity
+   *
+   * @return a collection of granular authorizations
+   */
+  public Collection<RoleAuthorizationEntity> getAuthorizations() {
+    return authorizations;
+  }
+
+  /**
+   * Sets the collection of granular authorizations for this PermissionEntity
+   *
+   * @param authorizations a collection of granular authorizations
+   */
+  public void setAuthorizations(Collection<RoleAuthorizationEntity> authorizations) {
+    this.authorizations = authorizations;
+  }
 
-  // ----- Object overrides --------------------------------------------------
+// ----- Object overrides --------------------------------------------------
 
   @Override
   public boolean equals(Object o) {
@@ -173,7 +207,8 @@ public class PermissionEntity {
     return !(id != null ? !id.equals(that.id) : that.id != null) &&
         !(permissionName != null ? !permissionName.equals(that.permissionName) : that.permissionName != null) &&
         !(permissionLabel != null ? !permissionLabel.equals(that.permissionLabel) : that.permissionLabel != null) &&
-        !(resourceType != null ? !resourceType.equals(that.resourceType) : that.resourceType != null);
+        !(resourceType != null ? !resourceType.equals(that.resourceType) : that.resourceType != null) &&
+        !(authorizations != null ? !authorizations.equals(that.authorizations) : that.authorizations != null);
   }
 
   @Override
@@ -182,6 +217,7 @@ public class PermissionEntity {
     result = 31 * result + (permissionName != null ? permissionName.hashCode() : 0);
     result = 31 * result + (permissionLabel != null ? permissionLabel.hashCode() : 0);
     result = 31 * result + (resourceType != null ? resourceType.hashCode() : 0);
+    result = 31 * result + (authorizations != null ? authorizations.hashCode() : 0);
     return result;
   }
 }

ambari-server/src/main/java/org/apache/ambari/server/orm/entities/RoleAuthorizationEntity.java

@@ -0,0 +1,114 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.orm.entities;
+
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.Id;
+import javax.persistence.NamedQueries;
+import javax.persistence.NamedQuery;
+import javax.persistence.Table;
+
+/**
+ * Represents an authorization (typically assigned to a permission)
+ */
+@Table(name = "roleauthorization")
+@Entity
+@NamedQueries({
+    @NamedQuery(name = "findAll", query = "SELECT a FROM RoleAuthorizationEntity a")
+})
+public class RoleAuthorizationEntity {
+
+  /**
+   * The authorization id.
+   */
+  @Id
+  @Column(name = "authorization_id")
+  private String authorizationId;
+
+
+  /**
+   * The authorization name.
+   */
+  @Column(name = "authorization_name")
+  private String authorizationName;
+
+  // ----- RoleAuthorizationEntity ---------------------------------------------------
+
+  /**
+   * Get the authorization id.
+   *
+   * @return the authorization id.
+   */
+  public String getAuthorizationId() {
+    return authorizationId;
+  }
+
+  /**
+   * Set the authorization id.
+   *
+   * @param authorizationId the type id.
+   */
+  public void setAuthorizationId(String authorizationId) {
+    this.authorizationId = authorizationId;
+  }
+
+  /**
+   * Get the authorization name.
+   *
+   * @return the authorization name
+   */
+  public String getAuthorizationName() {
+    return authorizationName;
+  }
+
+  /**
+   * Set the authorization name.
+   *
+   * @param authorizationName the authorization name
+   */
+  public void setAuthorizationName(String authorizationName) {
+    this.authorizationName = authorizationName;
+  }
+
+  // ----- Object overrides --------------------------------------------------
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    }
+    if (o == null || getClass() != o.getClass()) {
+      return false;
+    }
+
+    RoleAuthorizationEntity that = (RoleAuthorizationEntity) o;
+
+    return !(authorizationId != null ? !authorizationId.equals(that.authorizationId) : that.authorizationId != null) &&
+        !(authorizationName != null ? !authorizationName.equals(that.authorizationName) : that.authorizationName != null);
+  }
+
+  @Override
+  public int hashCode() {
+    int result = authorizationId != null ? authorizationId.hashCode() : 0;
+    result = 31 * result + (authorizationName != null ? authorizationName.hashCode() : 0);
+    return result;
+  }
+}

ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog220.java

@@ -19,10 +19,17 @@
 package org.apache.ambari.server.upgrade;
 
 import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 
 import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.orm.DBAccessor.DBColumnInfo;
 import org.apache.ambari.server.orm.dao.DaoUtils;
+import org.apache.ambari.server.orm.dao.PermissionDAO;
+import org.apache.ambari.server.orm.dao.ResourceTypeDAO;
 import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -46,6 +53,11 @@ public class UpgradeCatalog220 extends AbstractUpgradeCatalog {
   private static final String PERMISSION_NAME_COL = "permission_name";
   private static final String PERMISSION_LABEL_COL = "permission_label";
 
+  private static final String ROLE_AUTHORIZATION_TABLE = "roleauthorization";
+  private static final String PERMISSION_ROLE_AUTHORIZATION_TABLE = "permission_roleauthorization";
+  private static final String ROLE_AUTHORIZATION_ID_COL = "authorization_id";
+  private static final String ROLE_AUTHORIZATION_NAME_COL = "authorization_name";
+
   @Inject
   DaoUtils daoUtils;
 
@@ -100,8 +112,8 @@ public class UpgradeCatalog220 extends AbstractUpgradeCatalog {
 
     dbAccessor.addUniqueConstraint(USERS_TABLE, "UNQ_users_0", "user_name", "user_type");
 
-
     updateAdminPermissionTable();
+    createRoleAuthorizationTables();
   }
 
   @Override
@@ -112,6 +124,191 @@ public class UpgradeCatalog220 extends AbstractUpgradeCatalog {
   protected void executeDMLUpdates() throws AmbariException, SQLException {
     setPermissionLabels();
     updatePermissionNames();
+    addNewPermissions();
+    createRoleAuthorizations();
+    createPermissionRoleAuthorizationMap();
+  }
+
+  private void addNewPermissions() throws SQLException {
+    LOG.info("Adding new permissions: CLUSTER.OPERATOR, SERVICE.ADMINISTRATOR, SERVICE.OPERATOR");
+
+    PermissionDAO permissionDAO = injector.getInstance(PermissionDAO.class);
+    ResourceTypeDAO resourceTypeDAO = injector.getInstance(ResourceTypeDAO.class);
+    PermissionEntity permissionEntity = new PermissionEntity();
+
+    // CLUSTER.OPERATOR: Cluster Operator
+    permissionEntity.setId(null);
+    permissionEntity.setPermissionName("CLUSTER.OPERATOR");
+    permissionEntity.setPermissionLabel("Cluster Operator");
+    permissionEntity.setResourceType(resourceTypeDAO.findByName("CLUSTER"));
+    permissionDAO.create(permissionEntity);
+
+    // SERVICE.ADMINISTRATOR: Service Administrator
+    permissionEntity.setId(null);
+    permissionEntity.setPermissionName("SERVICE.ADMINISTRATOR");
+    permissionEntity.setPermissionLabel("Service Administrator");
+    permissionEntity.setResourceType(resourceTypeDAO.findByName("CLUSTER"));
+    permissionDAO.create(permissionEntity);
+
+    // SERVICE.OPERATOR: Service Operator
+    permissionEntity.setId(null);
+    permissionEntity.setPermissionName("SERVICE.OPERATOR");
+    permissionEntity.setPermissionLabel("Service Operator");
+    permissionEntity.setResourceType(resourceTypeDAO.findByName("CLUSTER"));
+    permissionDAO.create(permissionEntity);
+  }
+
+
+  private void createRoleAuthorizations() throws SQLException {
+    LOG.info("Adding authorizations");
+
+    String[] columnNames = new String[]{ROLE_AUTHORIZATION_ID_COL, ROLE_AUTHORIZATION_NAME_COL};
+
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'VIEW.USE'", "'Use View'"}, false);
+
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.VIEW_METRICS'", "'View metrics'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.VIEW_STATUS_INFO'", "'View status information'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.VIEW_CONFIGS'", "'View configurations'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.COMPARE_CONFIGS'", "'Compare configurations'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.VIEW_ALERTS'", "'View service alerts'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.START_STOP'", "'Start/Stop/Restart Service'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.DECOMMISSION_RECOMMISSION'", "'Decommission/recommission'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.RUN_SERVICE_CHECK'", "'Run service checks'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.TOGGLE_MAINTENANCE'", "'Turn on/off maintenance mode'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.RUN_CUSTOM_COMMAND'", "'Perform service-specific tasks'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.MODIFY_CONFIGS'", "'Modify configurations'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.MANAGE_CONFIG_GROUPS'", "'Manage configuration groups'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.MOVE'", "'Move to another host'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.ENABLE_HA'", "'Enable HA'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.TOGGLE_ALERTS'", "'Enable/disable service alerts'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'SERVICE.ADD_DELETE_SERVICES'", "'Add Service to cluster'"}, false);
+
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'HOST.VIEW_METRICS'", "'View metrics'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'HOST.VIEW_STATUS_INFO'", "'View status information'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'HOST.VIEW_CONFIGS'", "'View configuration'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'HOST.TOGGLE_MAINTENANCE'", "'Turn on/off maintenance mode'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'HOST.ADD_DELETE_COMPONENTS'", "'Install components'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'HOST.ADD_DELETE_HOSTS'", "'Add/Delete hosts'"}, false);
+
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_METRICS'", "'View metrics'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_STATUS_INFO'", "'View status information'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_CONFIGS'", "'View configuration'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_STACK_DETAILS'", "'View stack version details'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.VIEW_ALERTS'", "'View alerts'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.TOGGLE_ALERTS'", "'Enable/disable alerts'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.TOGGLE_KERBEROS'", "'Enable/disable Kerberos'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'CLUSTER.UPGRADE_DOWNGRADE_STACK'", "'Upgrade/downgrade stack'"}, false);
+
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'AMBARI.ADD_DELETE_CLUSTERS'", "'Create new clusters'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'AMBARI.SET_SERVICE_USERS_GROUPS'", "'Set service users and groups'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'AMBARI.RENAME_CLUSTER'", "'Rename clusters'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'AMBARI.MANAGE_USERS'", "'Manage users'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'AMBARI.MANAGE_GROUPS'", "'Manage groups'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'AMBARI.MANAGE_VIEWS'", "'Manage Ambari Views'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'AMBARI.ASSIGN_ROLES'", "'Assign roles'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'AMBARI.MANAGE_STACK_VERSIONS'", "'Manage stack versions'"}, false);
+    dbAccessor.insertRow(ROLE_AUTHORIZATION_TABLE, columnNames, new String[]{"'AMBARI.EDIT_STACK_REPOS'", "'Edit stack repository URLs'"}, false);
+  }
+
+  private void createPermissionRoleAuthorizationMap() throws SQLException {
+    LOG.info("Creating permission to authorizations map");
+
+    String[] columnNames = new String[] {PERMISSION_ID_COL, ROLE_AUTHORIZATION_ID_COL};
+
+    // Determine the role Ids"
+    PermissionDAO permissionDAO = injector.getInstance(PermissionDAO.class);
+    ResourceTypeDAO resourceTypeDAO = injector.getInstance(ResourceTypeDAO.class);
+
+    String viewPermissionId = permissionDAO.findPermissionByNameAndType("VIEW.USER", resourceTypeDAO.findByName("VIEW")).getId().toString();
+    String administratorPermissionId = permissionDAO.findPermissionByNameAndType("AMBARI.ADMINISTRATOR", resourceTypeDAO.findByName("AMBARI")).getId().toString();
+    String clusterUserPermissionId = permissionDAO.findPermissionByNameAndType("CLUSTER.USER", resourceTypeDAO.findByName("CLUSTER")).getId().toString();
+    String clusterOperatorPermissionId = permissionDAO.findPermissionByNameAndType("CLUSTER.OPERATOR", resourceTypeDAO.findByName("CLUSTER")).getId().toString();
+    String clusterAdministratorPermissionId = permissionDAO.findPermissionByNameAndType("CLUSTER.ADMINISTRATOR", resourceTypeDAO.findByName("CLUSTER")).getId().toString();
+    String serviceAdministratorPermissionId = permissionDAO.findPermissionByNameAndType("SERVICE.ADMINISTRATOR", resourceTypeDAO.findByName("CLUSTER")).getId().toString();
+    String serviceOperatorPermissionId = permissionDAO.findPermissionByNameAndType("SERVICE.OPERATOR", resourceTypeDAO.findByName("CLUSTER")).getId().toString();
+
+    // Create role groups
+    List<String> viewUserOnly = Arrays.asList(viewPermissionId);
+    List<String> clusterUserAndUp = Arrays.asList(
+        clusterUserPermissionId,
+        serviceOperatorPermissionId,
+        serviceAdministratorPermissionId,
+        clusterOperatorPermissionId,
+        clusterAdministratorPermissionId,
+        administratorPermissionId);
+    List<String> serviceOperatorAndUp = Arrays.asList(
+        serviceOperatorPermissionId,
+        serviceAdministratorPermissionId,
+        clusterOperatorPermissionId,
+        clusterAdministratorPermissionId,
+        administratorPermissionId);
+    List<String> serviceAdministratorAndUp = Arrays.asList(
+        serviceAdministratorPermissionId,
+        clusterOperatorPermissionId,
+        clusterAdministratorPermissionId,
+        administratorPermissionId);
+    List<String> clusterOperatorAndUp = Arrays.asList(
+        clusterOperatorPermissionId,
+        clusterAdministratorPermissionId,
+        administratorPermissionId);
+    List<String> clusterAdministratorAndUp = Arrays.asList(
+        clusterAdministratorPermissionId,
+        administratorPermissionId);
+    List<String> administratorOnly = Arrays.asList(administratorPermissionId);
+
+    // A map of the authorizations to the relevant roles
+    Map<String, List<String>> map = new HashMap<String, List<String>>();
+    map.put("VIEW.USE", viewUserOnly);
+    map.put("SERVICE.VIEW_METRICS", clusterUserAndUp);
+    map.put("SERVICE.VIEW_STATUS_INFO", clusterUserAndUp);
+    map.put("SERVICE.VIEW_CONFIGS", clusterUserAndUp);
+    map.put("SERVICE.COMPARE_CONFIGS", clusterUserAndUp);
+    map.put("SERVICE.VIEW_ALERTS", clusterUserAndUp);
+    map.put("SERVICE.START_STOP", serviceOperatorAndUp);
+    map.put("SERVICE.DECOMMISSION_RECOMMISSION", serviceOperatorAndUp);
+    map.put("SERVICE.RUN_SERVICE_CHECK", serviceOperatorAndUp);
+    map.put("SERVICE.TOGGLE_MAINTENANCE", serviceOperatorAndUp);
+    map.put("SERVICE.RUN_CUSTOM_COMMAND", serviceOperatorAndUp);
+    map.put("SERVICE.MODIFY_CONFIGS", serviceAdministratorAndUp);
+    map.put("SERVICE.MANAGE_CONFIG_GROUPS", serviceAdministratorAndUp);
+    map.put("SERVICE.MOVE", serviceAdministratorAndUp);
+    map.put("SERVICE.ENABLE_HA", serviceAdministratorAndUp);
+    map.put("SERVICE.TOGGLE_ALERTS", serviceAdministratorAndUp);
+    map.put("SERVICE.ADD_DELETE_SERVICES", clusterAdministratorAndUp);
+    map.put("HOST.VIEW_METRICS",clusterUserAndUp);
+    map.put("HOST.VIEW_STATUS_INFO", clusterUserAndUp);
+    map.put("HOST.VIEW_CONFIGS", clusterUserAndUp);
+    map.put("HOST.TOGGLE_MAINTENANCE", clusterOperatorAndUp);
+    map.put("HOST.ADD_DELETE_COMPONENTS", clusterOperatorAndUp);
+    map.put("HOST.ADD_DELETE_HOSTS", clusterOperatorAndUp);
+    map.put("CLUSTER.VIEW_METRICS", clusterUserAndUp);
+    map.put("CLUSTER.VIEW_STATUS_INFO", clusterUserAndUp);
+    map.put("CLUSTER.VIEW_CONFIGS", clusterUserAndUp);
+    map.put("CLUSTER.VIEW_STACK_DETAILS", clusterUserAndUp);
+    map.put("CLUSTER.VIEW_ALERTS", clusterUserAndUp);
+    map.put("CLUSTER.TOGGLE_ALERTS", clusterAdministratorAndUp);
+    map.put("CLUSTER.TOGGLE_KERBEROS", clusterAdministratorAndUp);
+    map.put("CLUSTER.UPGRADE_DOWNGRADE_STACK", clusterAdministratorAndUp);
+    map.put("AMBARI.ADD_DELETE_CLUSTERS", administratorOnly);
+    map.put("AMBARI.SET_SERVICE_USERS_GROUPS", administratorOnly);
+    map.put("AMBARI.RENAME_CLUSTER", administratorOnly);
+    map.put("AMBARI.MANAGE_USERS", administratorOnly);
+    map.put("AMBARI.MANAGE_GROUPS", administratorOnly);
+    map.put("AMBARI.MANAGE_VIEWS", administratorOnly);
+    map.put("AMBARI.ASSIGN_ROLES", administratorOnly);
+    map.put("AMBARI.MANAGE_STACK_VERSIONS", administratorOnly);
+    map.put("AMBARI.EDIT_STACK_REPOS", administratorOnly);
+
+    // Iterate over the map of authorizations to role to find the set of roles to map to each
+    // authorization and then add the relevant record
+    for(Map.Entry<String,List<String>> entry: map.entrySet()) {
+      String authorizationId = entry.getKey();
+
+      for(String permissionId : entry.getValue()) {
+        dbAccessor.insertRow(PERMISSION_ROLE_AUTHORIZATION_TABLE, columnNames,
+            new String[]{permissionId, "'" + authorizationId + "'"}, false);
+      }
+    }
   }
 
 
@@ -122,6 +319,31 @@ public class UpgradeCatalog220 extends AbstractUpgradeCatalog {
     dbAccessor.addColumn(ADMIN_PERMISSION_TABLE, new DBColumnInfo(PERMISSION_LABEL_COL, String.class, 255, null, true));
   }
 
+  private void createRoleAuthorizationTables() throws SQLException {
+
+    ArrayList<DBColumnInfo> columns;
+
+    //  Add roleauthorization table
+    LOG.info("Creating " + ROLE_AUTHORIZATION_TABLE + " table");
+    columns = new ArrayList<DBColumnInfo>();
+    columns.add(new DBColumnInfo(ROLE_AUTHORIZATION_ID_COL, String.class, 100, null, false));
+    columns.add(new DBColumnInfo(ROLE_AUTHORIZATION_NAME_COL, String.class, 255, null, false));
+    dbAccessor.createTable(ROLE_AUTHORIZATION_TABLE, columns, ROLE_AUTHORIZATION_ID_COL);
+
+    //  Add permission_roleauthorization table to map roleauthorizations to permissions (aka roles)
+    LOG.info("Creating " + PERMISSION_ROLE_AUTHORIZATION_TABLE + " table");
+    columns = new ArrayList<DBColumnInfo>();
+    columns.add(new DBColumnInfo(PERMISSION_ID_COL, Long.class, null, null, false));
+    columns.add(new DBColumnInfo(ROLE_AUTHORIZATION_ID_COL, String.class, 100, null, false));
+    dbAccessor.createTable(PERMISSION_ROLE_AUTHORIZATION_TABLE, columns, PERMISSION_ID_COL, ROLE_AUTHORIZATION_ID_COL);
+
+    dbAccessor.addFKConstraint(PERMISSION_ROLE_AUTHORIZATION_TABLE, "FK_permission_roleauthorization_permission_id",
+        PERMISSION_ID_COL, ADMIN_PERMISSION_TABLE, PERMISSION_ID_COL, false);
+
+    dbAccessor.addFKConstraint(PERMISSION_ROLE_AUTHORIZATION_TABLE, "FK_permission_roleauthorization_authorization_id",
+        ROLE_AUTHORIZATION_ID_COL, ROLE_AUTHORIZATION_TABLE, ROLE_AUTHORIZATION_ID_COL, false);
+  }
+
   private void setPermissionLabels() throws SQLException {
     String updateStatement = "UPDATE " + ADMIN_PERMISSION_TABLE + " SET " + PERMISSION_LABEL_COL + "='%s' WHERE " + PERMISSION_ID_COL + "=%d";
 

ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql

@@ -534,6 +534,16 @@ CREATE TABLE adminpermission (
   permission_label VARCHAR(255),
   PRIMARY KEY(permission_id));
 
+CREATE TABLE roleauthorization (
+  authorization_id VARCHAR(100) NOT NULL,
+  authorization_name VARCHAR(255) NOT NULL,
+  PRIMARY KEY(authorization_id));
+
+CREATE TABLE permission_roleauthorization (
+  permission_id BIGINT NOT NULL,
+  authorization_id VARCHAR(100) NOT NULL,
+  PRIMARY KEY(permission_id, authorization_id));
+
 CREATE TABLE adminprivilege (
   privilege_id BIGINT,
   permission_id BIGINT NOT NULL,
@@ -719,6 +729,8 @@ ALTER TABLE viewentity ADD CONSTRAINT FK_viewentity_view_name FOREIGN KEY (view_
 ALTER TABLE adminresource ADD CONSTRAINT FK_resource_resource_type_id FOREIGN KEY (resource_type_id) REFERENCES adminresourcetype(resource_type_id);
 ALTER TABLE adminprincipal ADD CONSTRAINT FK_principal_principal_type_id FOREIGN KEY (principal_type_id) REFERENCES adminprincipaltype(principal_type_id);
 ALTER TABLE adminpermission ADD CONSTRAINT FK_permission_resource_type_id FOREIGN KEY (resource_type_id) REFERENCES adminresourcetype(resource_type_id);
+ALTER TABLE permission_roleauthorization ADD CONSTRAINT FK_permission_roleauthorization_permission_id FOREIGN KEY (permission_id) REFERENCES adminpermission(permission_id);
+ALTER TABLE permission_roleauthorization ADD CONSTRAINT FK_permission_roleauthorization_authorization_id FOREIGN KEY (authorization_id) REFERENCES roleauthorization(authorization_id);
 ALTER TABLE adminprivilege ADD CONSTRAINT FK_privilege_permission_id FOREIGN KEY (permission_id) REFERENCES adminpermission(permission_id);
 ALTER TABLE adminprivilege ADD CONSTRAINT FK_privilege_resource_id FOREIGN KEY (resource_id) REFERENCES adminresource(resource_id);
 ALTER TABLE viewmain ADD CONSTRAINT FK_view_resource_type_id FOREIGN KEY (resource_type_id) REFERENCES adminresourcetype(resource_type_id);
@@ -998,7 +1010,227 @@ insert into adminpermission(permission_id, permission_name, resource_type_id, pe
   union all
   select 3, 'CLUSTER.ADMINISTRATOR', 2, 'Cluster Administrator'
   union all
-  select 4, 'VIEW.USER', 3, 'View User';
+  select 4, 'VIEW.USER', 3, 'View User'
+  union all
+  select 5, 'CLUSTER.OPERATOR', 2, 'Cluster Operator'
+  union all
+  select 6, 'SERVICE.ADMINISTRATOR', 2, 'Service Administrator'
+  union all
+  select 7, 'SERVICE.OPERATOR', 2, 'Service Operator';
+
+INSERT INTO roleauthorization(authorization_id, authorization_name)
+  SELECT 'VIEW.USE', 'Use View' UNION ALL
+  SELECT 'SERVICE.VIEW_METRICS', 'View metrics' UNION ALL
+  SELECT 'SERVICE.VIEW_STATUS_INFO', 'View status information' UNION ALL
+  SELECT 'SERVICE.VIEW_CONFIGS', 'View configurations' UNION ALL
+  SELECT 'SERVICE.COMPARE_CONFIGS', 'Compare configurations' UNION ALL
+  SELECT 'SERVICE.VIEW_ALERTS', 'View service alerts' UNION ALL
+  SELECT 'SERVICE.START_STOP', 'Start/Stop/Restart Service' UNION ALL
+  SELECT 'SERVICE.DECOMMISSION_RECOMMISSION', 'Decommission/recommission' UNION ALL
+  SELECT 'SERVICE.RUN_SERVICE_CHECK', 'Run service checks' UNION ALL
+  SELECT 'SERVICE.TOGGLE_MAINTENANCE', 'Turn on/off maintenance mode' UNION ALL
+  SELECT 'SERVICE.RUN_CUSTOM_COMMAND', 'Perform service-specific tasks' UNION ALL
+  SELECT 'SERVICE.MODIFY_CONFIGS', 'Modify configurations' UNION ALL
+  SELECT 'SERVICE.MANAGE_CONFIG_GROUPS', 'Manage configuration groups' UNION ALL
+  SELECT 'SERVICE.MOVE', 'Move to another host' UNION ALL
+  SELECT 'SERVICE.ENABLE_HA', 'Enable HA' UNION ALL
+  SELECT 'SERVICE.TOGGLE_ALERTS', 'Enable/disable service alerts' UNION ALL
+  SELECT 'SERVICE.ADD_DELETE_SERVICES', 'Add Service to cluster' UNION ALL
+  SELECT 'HOST.VIEW_METRICS', 'View metrics' UNION ALL
+  SELECT 'HOST.VIEW_STATUS_INFO', 'View status information' UNION ALL
+  SELECT 'HOST.VIEW_CONFIGS', 'View configuration' UNION ALL
+  SELECT 'HOST.TOGGLE_MAINTENANCE', 'Turn on/off maintenance mode' UNION ALL
+  SELECT 'HOST.ADD_DELETE_COMPONENTS', 'Install components' UNION ALL
+  SELECT 'HOST.ADD_DELETE_HOSTS', 'Add/Delete hosts' UNION ALL
+  SELECT 'CLUSTER.VIEW_METRICS', 'View metrics' UNION ALL
+  SELECT 'CLUSTER.VIEW_STATUS_INFO', 'View status information' UNION ALL
+  SELECT 'CLUSTER.VIEW_CONFIGS', 'View configuration' UNION ALL
+  SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' UNION ALL
+  SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' UNION ALL
+  SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' UNION ALL
+  SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' UNION ALL
+  SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' UNION ALL
+  SELECT 'AMBARI.ADD_DELETE_CLUSTERS', 'Create new clusters' UNION ALL
+  SELECT 'AMBARI.SET_SERVICE_USERS_GROUPS', 'Set service users and groups' UNION ALL
+  SELECT 'AMBARI.RENAME_CLUSTER', 'Rename clusters' UNION ALL
+  SELECT 'AMBARI.MANAGE_USERS', 'Manage users' UNION ALL
+  SELECT 'AMBARI.MANAGE_GROUPS', 'Manage groups' UNION ALL
+  SELECT 'AMBARI.MANAGE_VIEWS', 'Manage Ambari Views' UNION ALL
+  SELECT 'AMBARI.ASSIGN_ROLES', 'Assign roles' UNION ALL
+  SELECT 'AMBARI.MANAGE_STACK_VERSIONS', 'Manage stack versions' UNION ALL
+  SELECT 'AMBARI.EDIT_STACK_REPOS', 'Edit stack repository URLs' FROM  adminresourcetype WHERE resource_type_name='AMBARI';
+
+-- Set authorizations for View User role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'VIEW.USE' FROM adminpermission WHERE permission_name='VIEW.USER';
+
+-- Set authorizations for Cluster User role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.USER';
+
+-- Set authorizations for Service Operator role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR';
+
+-- Set authorizations for Service Administrator role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR';
+
+-- Set authorizations for Cluster Operator role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_COMPONENTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_HOSTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR';
+
+-- Set authorizations for Cluster Administrator role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ADD_DELETE_SERVICES' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_COMPONENTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_HOSTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR';
+
+-- Set authorizations for Administrator role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'VIEW.USE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ADD_DELETE_SERVICES' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_COMPONENTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_HOSTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.ADD_DELETE_CLUSTERS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.SET_SERVICE_USERS_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.RENAME_CLUSTER' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.MANAGE_USERS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.MANAGE_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.MANAGE_VIEWS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.ASSIGN_ROLES' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.MANAGE_STACK_VERSIONS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.EDIT_STACK_REPOS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR';
 
 insert into adminprivilege (privilege_id, permission_id, resource_id, principal_id)
   select 1, 1, 1, 1;

ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql

@@ -523,6 +523,16 @@ CREATE TABLE adminpermission (
   permission_label VARCHAR(255),
   PRIMARY KEY(permission_id));
 
+CREATE TABLE roleauthorization (
+  authorization_id VARCHAR(100) NOT NULL,
+  authorization_name VARCHAR(255) NOT NULL,
+  PRIMARY KEY(authorization_id));
+
+CREATE TABLE permission_roleauthorization (
+  permission_id NUMBER(19) NOT NULL,
+  authorization_id VARCHAR(100) NOT NULL,
+  PRIMARY KEY(permission_id, authorization_id));
+
 CREATE TABLE adminprivilege (
   privilege_id NUMBER(19),
   permission_id NUMBER(19) NOT NULL,
@@ -708,6 +718,8 @@ ALTER TABLE viewentity ADD CONSTRAINT FK_viewentity_view_name FOREIGN KEY (view_
 ALTER TABLE adminresource ADD CONSTRAINT FK_resource_resource_type_id FOREIGN KEY (resource_type_id) REFERENCES adminresourcetype(resource_type_id);
 ALTER TABLE adminprincipal ADD CONSTRAINT FK_principal_principal_type_id FOREIGN KEY (principal_type_id) REFERENCES adminprincipaltype(principal_type_id);
 ALTER TABLE adminpermission ADD CONSTRAINT FK_permission_resource_type_id FOREIGN KEY (resource_type_id) REFERENCES adminresourcetype(resource_type_id);
+ALTER TABLE permission_roleauthorization ADD CONSTRAINT FK_permission_roleauthorization_permission_id FOREIGN KEY (permission_id) REFERENCES adminpermission(permission_id);
+ALTER TABLE permission_roleauthorization ADD CONSTRAINT FK_permission_roleauthorization_authorization_id FOREIGN KEY (authorization_id) REFERENCES roleauthorization(authorization_id);
 ALTER TABLE adminprivilege ADD CONSTRAINT FK_privilege_permission_id FOREIGN KEY (permission_id) REFERENCES adminpermission(permission_id);
 ALTER TABLE adminprivilege ADD CONSTRAINT FK_privilege_resource_id FOREIGN KEY (resource_id) REFERENCES adminresource(resource_id);
 ALTER TABLE viewmain ADD CONSTRAINT FK_view_resource_type_id FOREIGN KEY (resource_type_id) REFERENCES adminresourcetype(resource_type_id);
@@ -990,7 +1002,227 @@ insert into adminpermission(permission_id, permission_name, resource_type_id, pe
   union all
   select 3, 'CLUSTER.ADMINISTRATOR', 2, 'Cluster Administrator' from dual
   union all
-  select 4, 'VIEW.USER', 3, 'View User' from dual;
+  select 4, 'VIEW.USER', 3, 'View User' from dual
+  union all
+  select 5, 'CLUSTER.OPERATOR', 2, 'Cluster Operator' from dual
+  union all
+  select 6, 'SERVICE.ADMINISTRATOR', 2, 'Service Administrator' from dual
+  union all
+  select 7, 'SERVICE.OPERATOR', 2, 'Service Operator' from dual;
+
+INSERT INTO roleauthorization(authorization_id, authorization_name)
+  SELECT 'VIEW.USE', 'Use View' FROM dual UNION ALL
+  SELECT 'SERVICE.VIEW_METRICS', 'View metrics' FROM dual UNION ALL
+  SELECT 'SERVICE.VIEW_STATUS_INFO', 'View status information' FROM dual UNION ALL
+  SELECT 'SERVICE.VIEW_CONFIGS', 'View configurations' FROM dual UNION ALL
+  SELECT 'SERVICE.COMPARE_CONFIGS', 'Compare configurations' FROM dual UNION ALL
+  SELECT 'SERVICE.VIEW_ALERTS', 'View service alerts' FROM dual UNION ALL
+  SELECT 'SERVICE.START_STOP', 'Start/Stop/Restart Service' FROM dual UNION ALL
+  SELECT 'SERVICE.DECOMMISSION_RECOMMISSION', 'Decommission/recommission' FROM dual UNION ALL
+  SELECT 'SERVICE.RUN_SERVICE_CHECK', 'Run service checks' FROM dual UNION ALL
+  SELECT 'SERVICE.TOGGLE_MAINTENANCE', 'Turn on/off maintenance mode' FROM dual UNION ALL
+  SELECT 'SERVICE.RUN_CUSTOM_COMMAND', 'Perform service-specific tasks' FROM dual UNION ALL
+  SELECT 'SERVICE.MODIFY_CONFIGS', 'Modify configurations' FROM dual UNION ALL
+  SELECT 'SERVICE.MANAGE_CONFIG_GROUPS', 'Manage configuration groups' FROM dual UNION ALL
+  SELECT 'SERVICE.MOVE', 'Move to another host' FROM dual UNION ALL
+  SELECT 'SERVICE.ENABLE_HA', 'Enable HA' FROM dual UNION ALL
+  SELECT 'SERVICE.TOGGLE_ALERTS', 'Enable/disable service alerts' FROM dual UNION ALL
+  SELECT 'SERVICE.ADD_DELETE_SERVICES', 'Add Service to cluster' FROM dual UNION ALL
+  SELECT 'HOST.VIEW_METRICS', 'View metrics' FROM dual UNION ALL
+  SELECT 'HOST.VIEW_STATUS_INFO', 'View status information' FROM dual UNION ALL
+  SELECT 'HOST.VIEW_CONFIGS', 'View configuration' FROM dual UNION ALL
+  SELECT 'HOST.TOGGLE_MAINTENANCE', 'Turn on/off maintenance mode' FROM dual UNION ALL
+  SELECT 'HOST.ADD_DELETE_COMPONENTS', 'Install components' FROM dual UNION ALL
+  SELECT 'HOST.ADD_DELETE_HOSTS', 'Add/Delete hosts' FROM dual UNION ALL
+  SELECT 'CLUSTER.VIEW_METRICS', 'View metrics' FROM dual UNION ALL
+  SELECT 'CLUSTER.VIEW_STATUS_INFO', 'View status information' FROM dual UNION ALL
+  SELECT 'CLUSTER.VIEW_CONFIGS', 'View configuration' FROM dual UNION ALL
+  SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' FROM dual UNION ALL
+  SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' FROM dual UNION ALL
+  SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' FROM dual UNION ALL
+  SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' FROM dual UNION ALL
+  SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' FROM dual UNION ALL
+  SELECT 'AMBARI.ADD_DELETE_CLUSTERS', 'Create new clusters' FROM dual UNION ALL
+  SELECT 'AMBARI.SET_SERVICE_USERS_GROUPS', 'Set service users and groups' FROM dual UNION ALL
+  SELECT 'AMBARI.RENAME_CLUSTER', 'Rename clusters' FROM dual UNION ALL
+  SELECT 'AMBARI.MANAGE_USERS', 'Manage users' FROM dual UNION ALL
+  SELECT 'AMBARI.MANAGE_GROUPS', 'Manage groups' FROM dual UNION ALL
+  SELECT 'AMBARI.MANAGE_VIEWS', 'Manage Ambari Views' FROM dual UNION ALL
+  SELECT 'AMBARI.ASSIGN_ROLES', 'Assign roles' FROM dual UNION ALL
+  SELECT 'AMBARI.MANAGE_STACK_VERSIONS', 'Manage stack versions' FROM dual UNION ALL
+  SELECT 'AMBARI.EDIT_STACK_REPOS', 'Edit stack repository URLs' FROM dual;
+
+-- Set authorizations for View User role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'VIEW.USE' FROM adminpermission WHERE permission_name='VIEW.USER';
+
+-- Set authorizations for Cluster User role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.USER';
+
+-- Set authorizations for Service Operator role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR';
+
+-- Set authorizations for Service Administrator role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR';
+
+-- Set authorizations for Cluster Operator role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_COMPONENTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_HOSTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR';
+
+-- Set authorizations for Cluster Administrator role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ADD_DELETE_SERVICES' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_COMPONENTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_HOSTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR';
+
+-- Set authorizations for Administrator role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'VIEW.USE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ADD_DELETE_SERVICES' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_COMPONENTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_HOSTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.ADD_DELETE_CLUSTERS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.SET_SERVICE_USERS_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.RENAME_CLUSTER' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.MANAGE_USERS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.MANAGE_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.MANAGE_VIEWS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.ASSIGN_ROLES' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.MANAGE_STACK_VERSIONS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.EDIT_STACK_REPOS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR';
 
 insert into adminprivilege (privilege_id, permission_id, resource_id, principal_id)
   select 1, 1, 1, 1 from dual;

ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql

@@ -526,6 +526,16 @@ CREATE TABLE adminpermission (
   permission_label VARCHAR(255),
   PRIMARY KEY(permission_id));
 
+CREATE TABLE roleauthorization (
+  authorization_id VARCHAR(100) NOT NULL,
+  authorization_name VARCHAR(255) NOT NULL,
+  PRIMARY KEY(authorization_id));
+
+CREATE TABLE permission_roleauthorization (
+  permission_id BIGINT NOT NULL,
+  authorization_id VARCHAR(100) NOT NULL,
+  PRIMARY KEY(permission_id, authorization_id));
+
 CREATE TABLE adminprivilege (
   privilege_id BIGINT,
   permission_id BIGINT NOT NULL,
@@ -706,6 +716,8 @@ ALTER TABLE viewentity ADD CONSTRAINT FK_viewentity_view_name FOREIGN KEY (view_
 ALTER TABLE adminresource ADD CONSTRAINT FK_resource_resource_type_id FOREIGN KEY (resource_type_id) REFERENCES adminresourcetype(resource_type_id);
 ALTER TABLE adminprincipal ADD CONSTRAINT FK_principal_principal_type_id FOREIGN KEY (principal_type_id) REFERENCES adminprincipaltype(principal_type_id);
 ALTER TABLE adminpermission ADD CONSTRAINT FK_permission_resource_type_id FOREIGN KEY (resource_type_id) REFERENCES adminresourcetype(resource_type_id);
+ALTER TABLE permission_roleauthorization ADD CONSTRAINT FK_permission_roleauthorization_permission_id FOREIGN KEY (permission_id) REFERENCES adminpermission(permission_id);
+ALTER TABLE permission_roleauthorization ADD CONSTRAINT FK_permission_roleauthorization_authorization_id FOREIGN KEY (authorization_id) REFERENCES roleauthorization(authorization_id);
 ALTER TABLE adminprivilege ADD CONSTRAINT FK_privilege_permission_id FOREIGN KEY (permission_id) REFERENCES adminpermission(permission_id);
 ALTER TABLE adminprivilege ADD CONSTRAINT FK_privilege_resource_id FOREIGN KEY (resource_id) REFERENCES adminresource(resource_id);
 ALTER TABLE viewmain ADD CONSTRAINT FK_view_resource_type_id FOREIGN KEY (resource_type_id) REFERENCES adminresourcetype(resource_type_id);
@@ -1034,7 +1046,227 @@ insert into adminpermission(permission_id, permission_name, resource_type_id, pe
   UNION ALL
   SELECT 3, 'CLUSTER.ADMINISTRATOR', 2, 'Cluster Administrator'
   UNION ALL
-  SELECT 4, 'VIEW.USER', 3, 'View User';
+  SELECT 4, 'VIEW.USER', 3, 'View User'
+  UNION ALL
+  SELECT 5, 'CLUSTER.OPERATOR', 2, 'Cluster Operator'
+  UNION ALL
+  SELECT 6, 'SERVICE.ADMINISTRATOR', 2, 'Service Administrator'
+  UNION ALL
+  SELECT 7, 'SERVICE.OPERATOR', 2, 'Service Operator';
+
+INSERT INTO roleauthorization(authorization_id, authorization_name)
+  SELECT 'VIEW.USE', 'Use View' UNION ALL
+  SELECT 'SERVICE.VIEW_METRICS', 'View metrics' UNION ALL
+  SELECT 'SERVICE.VIEW_STATUS_INFO', 'View status information' UNION ALL
+  SELECT 'SERVICE.VIEW_CONFIGS', 'View configurations' UNION ALL
+  SELECT 'SERVICE.COMPARE_CONFIGS', 'Compare configurations' UNION ALL
+  SELECT 'SERVICE.VIEW_ALERTS', 'View service alerts' UNION ALL
+  SELECT 'SERVICE.START_STOP', 'Start/Stop/Restart Service' UNION ALL
+  SELECT 'SERVICE.DECOMMISSION_RECOMMISSION', 'Decommission/recommission' UNION ALL
+  SELECT 'SERVICE.RUN_SERVICE_CHECK', 'Run service checks' UNION ALL
+  SELECT 'SERVICE.TOGGLE_MAINTENANCE', 'Turn on/off maintenance mode' UNION ALL
+  SELECT 'SERVICE.RUN_CUSTOM_COMMAND', 'Perform service-specific tasks' UNION ALL
+  SELECT 'SERVICE.MODIFY_CONFIGS', 'Modify configurations' UNION ALL
+  SELECT 'SERVICE.MANAGE_CONFIG_GROUPS', 'Manage configuration groups' UNION ALL
+  SELECT 'SERVICE.MOVE', 'Move to another host' UNION ALL
+  SELECT 'SERVICE.ENABLE_HA', 'Enable HA' UNION ALL
+  SELECT 'SERVICE.TOGGLE_ALERTS', 'Enable/disable service alerts' UNION ALL
+  SELECT 'SERVICE.ADD_DELETE_SERVICES', 'Add Service to cluster' UNION ALL
+  SELECT 'HOST.VIEW_METRICS', 'View metrics' UNION ALL
+  SELECT 'HOST.VIEW_STATUS_INFO', 'View status information' UNION ALL
+  SELECT 'HOST.VIEW_CONFIGS', 'View configuration' UNION ALL
+  SELECT 'HOST.TOGGLE_MAINTENANCE', 'Turn on/off maintenance mode' UNION ALL
+  SELECT 'HOST.ADD_DELETE_COMPONENTS', 'Install components' UNION ALL
+  SELECT 'HOST.ADD_DELETE_HOSTS', 'Add/Delete hosts' UNION ALL
+  SELECT 'CLUSTER.VIEW_METRICS', 'View metrics' UNION ALL
+  SELECT 'CLUSTER.VIEW_STATUS_INFO', 'View status information' UNION ALL
+  SELECT 'CLUSTER.VIEW_CONFIGS', 'View configuration' UNION ALL
+  SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' UNION ALL
+  SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' UNION ALL
+  SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' UNION ALL
+  SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' UNION ALL
+  SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' UNION ALL
+  SELECT 'AMBARI.ADD_DELETE_CLUSTERS', 'Create new clusters' UNION ALL
+  SELECT 'AMBARI.SET_SERVICE_USERS_GROUPS', 'Set service users and groups' UNION ALL
+  SELECT 'AMBARI.RENAME_CLUSTER', 'Rename clusters' UNION ALL
+  SELECT 'AMBARI.MANAGE_USERS', 'Manage users' UNION ALL
+  SELECT 'AMBARI.MANAGE_GROUPS', 'Manage groups' UNION ALL
+  SELECT 'AMBARI.MANAGE_VIEWS', 'Manage Ambari Views' UNION ALL
+  SELECT 'AMBARI.ASSIGN_ROLES', 'Assign roles' UNION ALL
+  SELECT 'AMBARI.MANAGE_STACK_VERSIONS', 'Manage stack versions' UNION ALL
+  SELECT 'AMBARI.EDIT_STACK_REPOS', 'Edit stack repository URLs';
+
+-- Set authorizations for View User role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'VIEW.USE' FROM adminpermission WHERE permission_name='VIEW.USER';
+
+-- Set authorizations for Cluster User role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.USER';
+
+-- Set authorizations for Service Operator role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR';
+
+-- Set authorizations for Service Administrator role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR';
+
+-- Set authorizations for Cluster Operator role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_COMPONENTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_HOSTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR';
+
+-- Set authorizations for Cluster Administrator role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ADD_DELETE_SERVICES' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_COMPONENTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_HOSTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR';
+
+-- Set authorizations for Administrator role
+INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'VIEW.USE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ADD_DELETE_SERVICES' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_COMPONENTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_HOSTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.ADD_DELETE_CLUSTERS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.SET_SERVICE_USERS_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.RENAME_CLUSTER' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.MANAGE_USERS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.MANAGE_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.MANAGE_VIEWS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.ASSIGN_ROLES' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.MANAGE_STACK_VERSIONS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.EDIT_STACK_REPOS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR';
 
 INSERT INTO adminprivilege (privilege_id, permission_id, resource_id, principal_id)
   SELECT 1, 1, 1, 1;

ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql

@@ -587,6 +587,16 @@ CREATE TABLE ambari.adminpermission (
   permission_label VARCHAR(255),
   PRIMARY KEY(permission_id));
 
+CREATE TABLE ambari.roleauthorization (
+  authorization_id VARCHAR(100) NOT NULL,
+  authorization_name VARCHAR(255) NOT NULL,
+  PRIMARY KEY(authorization_id));
+
+CREATE TABLE ambari.permission_roleauthorization (
+  permission_id BIGINT NOT NULL,
+  authorization_id VARCHAR(100) NOT NULL,
+  PRIMARY KEY(permission_id, authorization_id));
+
 CREATE TABLE ambari.adminprivilege (
   privilege_id BIGINT,
   permission_id BIGINT NOT NULL,
@@ -599,6 +609,8 @@ GRANT ALL PRIVILEGES ON TABLE ambari.adminresource TO :username;
 GRANT ALL PRIVILEGES ON TABLE ambari.adminprincipaltype TO :username;
 GRANT ALL PRIVILEGES ON TABLE ambari.adminprincipal TO :username;
 GRANT ALL PRIVILEGES ON TABLE ambari.adminpermission TO :username;
+GRANT ALL PRIVILEGES ON TABLE ambari.roleauthorization TO :username;
+GRANT ALL PRIVILEGES ON TABLE ambari.permission_roleauthorization TO :username;
 GRANT ALL PRIVILEGES ON TABLE ambari.adminprivilege TO :username;
 
 CREATE TABLE ambari.repo_version (
@@ -789,6 +801,8 @@ ALTER TABLE ambari.serviceconfighosts ADD CONSTRAINT FK_scvhosts_host_id FOREIGN
 ALTER TABLE ambari.adminresource ADD CONSTRAINT FK_resource_resource_type_id FOREIGN KEY (resource_type_id) REFERENCES ambari.adminresourcetype(resource_type_id);
 ALTER TABLE ambari.adminprincipal ADD CONSTRAINT FK_principal_principal_type_id FOREIGN KEY (principal_type_id) REFERENCES ambari.adminprincipaltype(principal_type_id);
 ALTER TABLE ambari.adminpermission ADD CONSTRAINT FK_permission_resource_type_id FOREIGN KEY (resource_type_id) REFERENCES ambari.adminresourcetype(resource_type_id);
+ALTER TABLE ambari.permission_roleauthorization ADD CONSTRAINT FK_permission_roleauthorization_permission_id FOREIGN KEY (permission_id) REFERENCES ambari.adminpermission(permission_id);
+ALTER TABLE ambari.permission_roleauthorization ADD CONSTRAINT FK_permission_roleauthorization_authorization_id FOREIGN KEY (authorization_id) REFERENCES ambari.roleauthorization(authorization_id);
 ALTER TABLE ambari.adminprivilege ADD CONSTRAINT FK_privilege_permission_id FOREIGN KEY (permission_id) REFERENCES ambari.adminpermission(permission_id);
 ALTER TABLE ambari.adminprivilege ADD CONSTRAINT FK_privilege_resource_id FOREIGN KEY (resource_id) REFERENCES ambari.adminresource(resource_id);
 ALTER TABLE ambari.viewmain ADD CONSTRAINT FK_view_resource_type_id FOREIGN KEY (resource_type_id) REFERENCES ambari.adminresourcetype(resource_type_id);
@@ -1130,7 +1144,227 @@ insert into ambari.adminpermission(permission_id, permission_name, resource_type
   UNION ALL
   SELECT 3, 'CLUSTER.ADMINISTRATOR', 2, 'Cluster Administrator'
   UNION ALL
-  SELECT 4, 'VIEW.USER', 3, 'View User';
+  SELECT 4, 'VIEW.USER', 3, 'View User'
+  UNION ALL
+  SELECT 5, 'CLUSTER.OPERATOR', 2, 'Cluster Operator'
+  UNION ALL
+  SELECT 6, 'SERVICE.ADMINISTRATOR', 2, 'Service Administrator'
+  UNION ALL
+  SELECT 7, 'SERVICE.OPERATOR', 2, 'Service Operator';
+
+INSERT INTO ambari.roleauthorization(authorization_id, authorization_name)
+  SELECT 'VIEW.USE', 'Use View' UNION ALL
+  SELECT 'SERVICE.VIEW_METRICS', 'View metrics' UNION ALL
+  SELECT 'SERVICE.VIEW_STATUS_INFO', 'View status information' UNION ALL
+  SELECT 'SERVICE.VIEW_CONFIGS', 'View configurations' UNION ALL
+  SELECT 'SERVICE.COMPARE_CONFIGS', 'Compare configurations' UNION ALL
+  SELECT 'SERVICE.VIEW_ALERTS', 'View service alerts' UNION ALL
+  SELECT 'SERVICE.START_STOP', 'Start/Stop/Restart Service' UNION ALL
+  SELECT 'SERVICE.DECOMMISSION_RECOMMISSION', 'Decommission/recommission' UNION ALL
+  SELECT 'SERVICE.RUN_SERVICE_CHECK', 'Run service checks' UNION ALL
+  SELECT 'SERVICE.TOGGLE_MAINTENANCE', 'Turn on/off maintenance mode' UNION ALL
+  SELECT 'SERVICE.RUN_CUSTOM_COMMAND', 'Perform service-specific tasks' UNION ALL
+  SELECT 'SERVICE.MODIFY_CONFIGS', 'Modify configurations' UNION ALL
+  SELECT 'SERVICE.MANAGE_CONFIG_GROUPS', 'Manage configuration groups' UNION ALL
+  SELECT 'SERVICE.MOVE', 'Move to another host' UNION ALL
+  SELECT 'SERVICE.ENABLE_HA', 'Enable HA' UNION ALL
+  SELECT 'SERVICE.TOGGLE_ALERTS', 'Enable/disable service alerts' UNION ALL
+  SELECT 'SERVICE.ADD_DELETE_SERVICES', 'Add Service to cluster' UNION ALL
+  SELECT 'HOST.VIEW_METRICS', 'View metrics' UNION ALL
+  SELECT 'HOST.VIEW_STATUS_INFO', 'View status information' UNION ALL
+  SELECT 'HOST.VIEW_CONFIGS', 'View configuration' UNION ALL
+  SELECT 'HOST.TOGGLE_MAINTENANCE', 'Turn on/off maintenance mode' UNION ALL
+  SELECT 'HOST.ADD_DELETE_COMPONENTS', 'Install components' UNION ALL
+  SELECT 'HOST.ADD_DELETE_HOSTS', 'Add/Delete hosts' UNION ALL
+  SELECT 'CLUSTER.VIEW_METRICS', 'View metrics' UNION ALL
+  SELECT 'CLUSTER.VIEW_STATUS_INFO', 'View status information' UNION ALL
+  SELECT 'CLUSTER.VIEW_CONFIGS', 'View configuration' UNION ALL
+  SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' UNION ALL
+  SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' UNION ALL
+  SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' UNION ALL
+  SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' UNION ALL
+  SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' UNION ALL
+  SELECT 'AMBARI.ADD_DELETE_CLUSTERS', 'Create new clusters' UNION ALL
+  SELECT 'AMBARI.SET_SERVICE_USERS_GROUPS', 'Set service users and groups' UNION ALL
+  SELECT 'AMBARI.RENAME_CLUSTER', 'Rename clusters' UNION ALL
+  SELECT 'AMBARI.MANAGE_USERS', 'Manage users' UNION ALL
+  SELECT 'AMBARI.MANAGE_GROUPS', 'Manage groups' UNION ALL
+  SELECT 'AMBARI.MANAGE_VIEWS', 'Manage Ambari Views' UNION ALL
+  SELECT 'AMBARI.ASSIGN_ROLES', 'Assign roles' UNION ALL
+  SELECT 'AMBARI.MANAGE_STACK_VERSIONS', 'Manage stack versions' UNION ALL
+  SELECT 'AMBARI.EDIT_STACK_REPOS', 'Edit stack repository URLs';
+
+-- Set authorizations for View User role
+INSERT INTO ambari.permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'VIEW.USE' FROM ambari.adminpermission WHERE permission_name='VIEW.USER';
+
+-- Set authorizations for Cluster User role
+INSERT INTO ambari.permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM ambari.adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM ambari.adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM ambari.adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.USER';
+
+-- Set authorizations for Service Operator role
+INSERT INTO ambari.permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM ambari.adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM ambari.adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM ambari.adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM ambari.adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM ambari.adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM ambari.adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM ambari.adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM ambari.adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM ambari.adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM ambari.adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM ambari.adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM ambari.adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM ambari.adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM ambari.adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM ambari.adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM ambari.adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM ambari.adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM ambari.adminpermission WHERE permission_name='SERVICE.OPERATOR';
+
+-- Set authorizations for Service Administrator role
+INSERT INTO ambari.permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM ambari.adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM ambari.adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM ambari.adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM ambari.adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM ambari.adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM ambari.adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM ambari.adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM ambari.adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM ambari.adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM ambari.adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM ambari.adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM ambari.adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MOVE' FROM ambari.adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ENABLE_HA' FROM ambari.adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM ambari.adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM ambari.adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM ambari.adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM ambari.adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM ambari.adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM ambari.adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM ambari.adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM ambari.adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM ambari.adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR';
+
+-- Set authorizations for Cluster Operator role
+INSERT INTO ambari.permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MOVE' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ENABLE_HA' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.TOGGLE_MAINTENANCE' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_COMPONENTS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_HOSTS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.OPERATOR';
+
+-- Set authorizations for Cluster Administrator role
+INSERT INTO ambari.permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MOVE' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ENABLE_HA' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ADD_DELETE_SERVICES' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.TOGGLE_MAINTENANCE' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_COMPONENTS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_HOSTS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM ambari.adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR';
+
+-- Set authorizations for Administrator role
+INSERT INTO ambari.permission_roleauthorization(permission_id, authorization_id)
+  SELECT permission_id, 'VIEW.USE' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.START_STOP' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.MOVE' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ENABLE_HA' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'SERVICE.ADD_DELETE_SERVICES' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_METRICS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.TOGGLE_MAINTENANCE' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_COMPONENTS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'HOST.ADD_DELETE_HOSTS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.ADD_DELETE_CLUSTERS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.SET_SERVICE_USERS_GROUPS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.RENAME_CLUSTER' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.MANAGE_USERS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.MANAGE_GROUPS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.MANAGE_VIEWS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.ASSIGN_ROLES' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.MANAGE_STACK_VERSIONS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+  SELECT permission_id, 'AMBARI.EDIT_STACK_REPOS' FROM ambari.adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR';
 
 INSERT INTO ambari.adminprivilege (privilege_id, permission_id, resource_id, principal_id)
   SELECT 1, 1, 1, 1;

ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql

@@ -523,6 +523,16 @@ CREATE TABLE adminpermission (
   permission_label VARCHAR(255),
   PRIMARY KEY(permission_id));
 
+CREATE TABLE roleauthorization (
+  authorization_id VARCHAR(100) NOT NULL,
+  authorization_name VARCHAR(255) NOT NULL,
+  PRIMARY KEY(authorization_id));
+
+CREATE TABLE permission_roleauthorization (
+  permission_id NUMERIC(19) NOT NULL,
+  authorization_id VARCHAR(100) NOT NULL,
+  PRIMARY KEY(permission_id, authorization_id));
+
 CREATE TABLE adminprivilege (
   privilege_id NUMERIC(19),
   permission_id NUMERIC(19) NOT NULL,
@@ -709,6 +719,8 @@ ALTER TABLE viewentity ADD CONSTRAINT FK_viewentity_view_name FOREIGN KEY (view_
 ALTER TABLE adminresource ADD CONSTRAINT FK_resource_resource_type_id FOREIGN KEY (resource_type_id) REFERENCES adminresourcetype(resource_type_id);
 ALTER TABLE adminprincipal ADD CONSTRAINT FK_principal_principal_type_id FOREIGN KEY (principal_type_id) REFERENCES adminprincipaltype(principal_type_id);
 ALTER TABLE adminpermission ADD CONSTRAINT FK_permission_resource_type_id FOREIGN KEY (resource_type_id) REFERENCES adminresourcetype(resource_type_id);
+ALTER TABLE permission_roleauthorization ADD CONSTRAINT FK_permission_roleauthorization_permission_id FOREIGN KEY (permission_id) REFERENCES adminpermission(permission_id);
+ALTER TABLE permission_roleauthorization ADD CONSTRAINT FK_permission_roleauthorization_authorization_id FOREIGN KEY (authorization_id) REFERENCES roleauthorization(authorization_id);
 ALTER TABLE adminprivilege ADD CONSTRAINT FK_privilege_permission_id FOREIGN KEY (permission_id) REFERENCES adminpermission(permission_id);
 ALTER TABLE adminprivilege ADD CONSTRAINT FK_privilege_resource_id FOREIGN KEY (resource_id) REFERENCES adminresource(resource_id);
 ALTER TABLE viewmain ADD CONSTRAINT FK_view_resource_type_id FOREIGN KEY (resource_type_id) REFERENCES adminresourcetype(resource_type_id);
@@ -986,8 +998,228 @@ insert into adminpermission(permission_id, permission_name, resource_type_id, pe
   union all
   select 3, 'CLUSTER.ADMINISTRATOR', 2, 'Cluster Administrator'
   union all
-  select 4, 'VIEW.USER', 3, 'View User';
-
+  select 4, 'VIEW.USER', 3, 'View User'
+  union all
+  select 5, 'CLUSTER.OPERATOR', 2, 'Cluster Operator'
+  union all
+  select 6, 'SERVICE.ADMINISTRATOR', 2, 'Service Administrator'
+  union all
+  select 7, 'SERVICE.OPERATOR', 2, 'Service Operator';
+
+  INSERT INTO roleauthorization(authorization_id, authorization_name)
+    SELECT 'VIEW.USE', 'Use View' UNION ALL
+    SELECT 'SERVICE.VIEW_METRICS', 'View metrics' UNION ALL
+    SELECT 'SERVICE.VIEW_STATUS_INFO', 'View status information' UNION ALL
+    SELECT 'SERVICE.VIEW_CONFIGS', 'View configurations' UNION ALL
+    SELECT 'SERVICE.COMPARE_CONFIGS', 'Compare configurations' UNION ALL
+    SELECT 'SERVICE.VIEW_ALERTS', 'View service alerts' UNION ALL
+    SELECT 'SERVICE.START_STOP', 'Start/Stop/Restart Service' UNION ALL
+    SELECT 'SERVICE.DECOMMISSION_RECOMMISSION', 'Decommission/recommission' UNION ALL
+    SELECT 'SERVICE.RUN_SERVICE_CHECK', 'Run service checks' UNION ALL
+    SELECT 'SERVICE.TOGGLE_MAINTENANCE', 'Turn on/off maintenance mode' UNION ALL
+    SELECT 'SERVICE.RUN_CUSTOM_COMMAND', 'Perform service-specific tasks' UNION ALL
+    SELECT 'SERVICE.MODIFY_CONFIGS', 'Modify configurations' UNION ALL
+    SELECT 'SERVICE.MANAGE_CONFIG_GROUPS', 'Manage configuration groups' UNION ALL
+    SELECT 'SERVICE.MOVE', 'Move to another host' UNION ALL
+    SELECT 'SERVICE.ENABLE_HA', 'Enable HA' UNION ALL
+    SELECT 'SERVICE.TOGGLE_ALERTS', 'Enable/disable service alerts' UNION ALL
+    SELECT 'SERVICE.ADD_DELETE_SERVICES', 'Add Service to cluster' UNION ALL
+    SELECT 'HOST.VIEW_METRICS', 'View metrics' UNION ALL
+    SELECT 'HOST.VIEW_STATUS_INFO', 'View status information' UNION ALL
+    SELECT 'HOST.VIEW_CONFIGS', 'View configuration' UNION ALL
+    SELECT 'HOST.TOGGLE_MAINTENANCE', 'Turn on/off maintenance mode' UNION ALL
+    SELECT 'HOST.ADD_DELETE_COMPONENTS', 'Install components' UNION ALL
+    SELECT 'HOST.ADD_DELETE_HOSTS', 'Add/Delete hosts' UNION ALL
+    SELECT 'CLUSTER.VIEW_METRICS', 'View metrics' UNION ALL
+    SELECT 'CLUSTER.VIEW_STATUS_INFO', 'View status information' UNION ALL
+    SELECT 'CLUSTER.VIEW_CONFIGS', 'View configuration' UNION ALL
+    SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' UNION ALL
+    SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' UNION ALL
+    SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' UNION ALL
+    SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' UNION ALL
+    SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' UNION ALL
+    SELECT 'AMBARI.ADD_DELETE_CLUSTERS', 'Create new clusters' UNION ALL
+    SELECT 'AMBARI.SET_SERVICE_USERS_GROUPS', 'Set service users and groups' UNION ALL
+    SELECT 'AMBARI.RENAME_CLUSTER', 'Rename clusters' UNION ALL
+    SELECT 'AMBARI.MANAGE_USERS', 'Manage users' UNION ALL
+    SELECT 'AMBARI.MANAGE_GROUPS', 'Manage groups' UNION ALL
+    SELECT 'AMBARI.MANAGE_VIEWS', 'Manage Ambari Views' UNION ALL
+    SELECT 'AMBARI.ASSIGN_ROLES', 'Assign roles' UNION ALL
+    SELECT 'AMBARI.MANAGE_STACK_VERSIONS', 'Manage stack versions' UNION ALL
+    SELECT 'AMBARI.EDIT_STACK_REPOS', 'Edit stack repository URLs';
+
+  -- Set authorizations for View User role
+  INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+    SELECT permission_id, 'VIEW.USE' FROM adminpermission WHERE permission_name='VIEW.USER';
+
+  -- Set authorizations for Cluster User role
+  INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+    SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.USER';
+
+  -- Set authorizations for Service Operator role
+  INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+    SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR';
+
+  -- Set authorizations for Service Administrator role
+  INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+    SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR';
+
+  -- Set authorizations for Cluster Operator role
+  INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+    SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'HOST.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'HOST.ADD_DELETE_COMPONENTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'HOST.ADD_DELETE_HOSTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR';
+
+  -- Set authorizations for Cluster Administrator role
+  INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+    SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.ADD_DELETE_SERVICES' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.ADD_DELETE_COMPONENTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.ADD_DELETE_HOSTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR';
+
+  -- Set authorizations for Administrator role
+  INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+    SELECT permission_id, 'VIEW.USE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.ADD_DELETE_SERVICES' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.ADD_DELETE_COMPONENTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.ADD_DELETE_HOSTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'AMBARI.ADD_DELETE_CLUSTERS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'AMBARI.SET_SERVICE_USERS_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'AMBARI.RENAME_CLUSTER' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'AMBARI.MANAGE_USERS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'AMBARI.MANAGE_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'AMBARI.MANAGE_VIEWS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'AMBARI.ASSIGN_ROLES' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'AMBARI.MANAGE_STACK_VERSIONS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'AMBARI.EDIT_STACK_REPOS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR';
+  
 insert into adminprivilege (privilege_id, permission_id, resource_id, principal_id)
   select 1, 1, 1, 1;
 

ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql

@@ -621,6 +621,16 @@ CREATE TABLE adminpermission (
   PRIMARY KEY CLUSTERED (permission_id)
   );
 
+CREATE TABLE roleauthorization (
+  authorization_id VARCHAR(100) NOT NULL,
+  authorization_name VARCHAR(255) NOT NULL,
+  PRIMARY KEY(authorization_id));
+
+CREATE TABLE permission_roleauthorization (
+  permission_id BIGINT NOT NULL,
+  authorization_id VARCHAR(100) NOT NULL,
+  PRIMARY KEY(permission_id, authorization_id));
+
 CREATE TABLE adminprivilege (
   privilege_id BIGINT,
   permission_id BIGINT NOT NULL,
@@ -817,6 +827,8 @@ ALTER TABLE viewentity ADD CONSTRAINT FK_viewentity_view_name FOREIGN KEY (view_
 ALTER TABLE adminresource ADD CONSTRAINT FK_resource_resource_type_id FOREIGN KEY (resource_type_id) REFERENCES adminresourcetype(resource_type_id);
 ALTER TABLE adminprincipal ADD CONSTRAINT FK_principal_principal_type_id FOREIGN KEY (principal_type_id) REFERENCES adminprincipaltype(principal_type_id);
 ALTER TABLE adminpermission ADD CONSTRAINT FK_permission_resource_type_id FOREIGN KEY (resource_type_id) REFERENCES adminresourcetype(resource_type_id);
+ALTER TABLE permission_roleauthorization ADD CONSTRAINT FK_permission_roleauthorization_permission_id FOREIGN KEY (permission_id) REFERENCES adminpermission(permission_id);
+ALTER TABLE permission_roleauthorization ADD CONSTRAINT FK_permission_roleauthorization_authorization_id FOREIGN KEY (authorization_id) REFERENCES roleauthorization(authorization_id);
 ALTER TABLE adminprivilege ADD CONSTRAINT FK_privilege_permission_id FOREIGN KEY (permission_id) REFERENCES adminpermission(permission_id);
 ALTER TABLE adminprivilege ADD CONSTRAINT FK_privilege_resource_id FOREIGN KEY (resource_id) REFERENCES adminresource(resource_id);
 ALTER TABLE viewmain ADD CONSTRAINT FK_view_resource_type_id FOREIGN KEY (resource_type_id) REFERENCES adminresourcetype(resource_type_id);
@@ -1100,7 +1112,224 @@ BEGIN TRANSACTION
     (1, 'AMBARI.ADMINISTRATOR', 1, 'Administrator'),
     (2, 'CLUSTER.USER', 2, 'Cluster User'),
     (3, 'CLUSTER.ADMINISTRATOR', 2, 'Cluster Administrator'),
-    (4, 'VIEW.USER', 3, 'View User');
+    (4, 'VIEW.USER', 3, 'View User'),
+    (5, 'CLUSTER.OPERATOR', 2, 'Cluster Operator'),
+    (6, 'SERVICE.ADMINISTRATOR', 2, 'Service Administrator'),
+    (7, 'SERVICE.OPERATOR', 2, 'Service Operator');
+
+  INSERT INTO roleauthorization(authorization_id, authorization_name)
+    SELECT 'VIEW.USE', 'Use View' UNION ALL
+    SELECT 'SERVICE.VIEW_METRICS', 'View metrics' UNION ALL
+    SELECT 'SERVICE.VIEW_STATUS_INFO', 'View status information' UNION ALL
+    SELECT 'SERVICE.VIEW_CONFIGS', 'View configurations' UNION ALL
+    SELECT 'SERVICE.COMPARE_CONFIGS', 'Compare configurations' UNION ALL
+    SELECT 'SERVICE.VIEW_ALERTS', 'View service alerts' UNION ALL
+    SELECT 'SERVICE.START_STOP', 'Start/Stop/Restart Service' UNION ALL
+    SELECT 'SERVICE.DECOMMISSION_RECOMMISSION', 'Decommission/recommission' UNION ALL
+    SELECT 'SERVICE.RUN_SERVICE_CHECK', 'Run service checks' UNION ALL
+    SELECT 'SERVICE.TOGGLE_MAINTENANCE', 'Turn on/off maintenance mode' UNION ALL
+    SELECT 'SERVICE.RUN_CUSTOM_COMMAND', 'Perform service-specific tasks' UNION ALL
+    SELECT 'SERVICE.MODIFY_CONFIGS', 'Modify configurations' UNION ALL
+    SELECT 'SERVICE.MANAGE_CONFIG_GROUPS', 'Manage configuration groups' UNION ALL
+    SELECT 'SERVICE.MOVE', 'Move service to another host' UNION ALL
+    SELECT 'SERVICE.ENABLE_HA', 'Enable HA' UNION ALL
+    SELECT 'SERVICE.TOGGLE_ALERTS', 'Enable/disable service alerts' UNION ALL
+    SELECT 'SERVICE.ADD_DELETE_SERVICES', 'Add Service to cluster' UNION ALL
+    SELECT 'HOST.VIEW_METRICS', 'View metrics' UNION ALL
+    SELECT 'HOST.VIEW_STATUS_INFO', 'View status information' UNION ALL
+    SELECT 'HOST.VIEW_CONFIGS', 'View configuration' UNION ALL
+    SELECT 'HOST.TOGGLE_MAINTENANCE', 'Turn on/off maintenance mode' UNION ALL
+    SELECT 'HOST.ADD_DELETE_COMPONENTS', 'Install components' UNION ALL
+    SELECT 'HOST.ADD_DELETE_HOSTS', 'Add/Delete hosts' UNION ALL
+    SELECT 'CLUSTER.VIEW_METRICS', 'View metrics' UNION ALL
+    SELECT 'CLUSTER.VIEW_STATUS_INFO', 'View status information' UNION ALL
+    SELECT 'CLUSTER.VIEW_CONFIGS', 'View configuration' UNION ALL
+    SELECT 'CLUSTER.VIEW_STACK_DETAILS', 'View stack version details' UNION ALL
+    SELECT 'CLUSTER.VIEW_ALERTS', 'View alerts' UNION ALL
+    SELECT 'CLUSTER.TOGGLE_ALERTS', 'Enable/disable alerts' UNION ALL
+    SELECT 'CLUSTER.TOGGLE_KERBEROS', 'Enable/disable Kerberos' UNION ALL
+    SELECT 'CLUSTER.UPGRADE_DOWNGRADE_STACK', 'Upgrade/downgrade stack' UNION ALL
+    SELECT 'AMBARI.ADD_DELETE_CLUSTERS', 'Create new clusters' UNION ALL
+    SELECT 'AMBARI.SET_SERVICE_USERS_GROUPS', 'Set service users and groups' UNION ALL
+    SELECT 'AMBARI.RENAME_CLUSTER', 'Rename clusters' UNION ALL
+    SELECT 'AMBARI.MANAGE_USERS', 'Manage users' UNION ALL
+    SELECT 'AMBARI.MANAGE_GROUPS', 'Manage groups' UNION ALL
+    SELECT 'AMBARI.MANAGE_VIEWS', 'Manage Ambari Views' UNION ALL
+    SELECT 'AMBARI.ASSIGN_ROLES', 'Assign roles' UNION ALL
+    SELECT 'AMBARI.MANAGE_STACK_VERSIONS', 'Manage stack versions' UNION ALL
+    SELECT 'AMBARI.EDIT_STACK_REPOS', 'Edit stack repository URLs';
+
+  -- Set authorizations for View User role
+  INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+    SELECT permission_id, 'VIEW.USE' FROM adminpermission WHERE permission_name='VIEW.USER';
+
+  -- Set authorizations for Cluster User role
+  INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+    SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.USER' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.USER';
+
+  -- Set authorizations for Service Operator role
+  INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+    SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.OPERATOR';
+
+  -- Set authorizations for Service Administrator role
+  INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+    SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='SERVICE.ADMINISTRATOR';
+
+  -- Set authorizations for Cluster Operator role
+  INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+    SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'HOST.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'HOST.ADD_DELETE_COMPONENTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'HOST.ADD_DELETE_HOSTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.OPERATOR';
+
+  -- Set authorizations for Cluster Administrator role
+  INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+    SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.ADD_DELETE_SERVICES' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.ADD_DELETE_COMPONENTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.ADD_DELETE_HOSTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='CLUSTER.ADMINISTRATOR';
+
+  -- Set authorizations for Administrator role
+  INSERT INTO permission_roleauthorization(permission_id, authorization_id)
+    SELECT permission_id, 'VIEW.USE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_METRICS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.COMPARE_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.VIEW_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.START_STOP' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.DECOMMISSION_RECOMMISSION' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.RUN_SERVICE_CHECK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.RUN_CUSTOM_COMMAND' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MODIFY_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MANAGE_CONFIG_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.MOVE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.ENABLE_HA' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'SERVICE.ADD_DELETE_SERVICES' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_METRICS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.TOGGLE_MAINTENANCE' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.ADD_DELETE_COMPONENTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'HOST.ADD_DELETE_HOSTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_METRICS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STATUS_INFO' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_CONFIGS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_STACK_DETAILS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.VIEW_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.TOGGLE_ALERTS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.TOGGLE_KERBEROS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'CLUSTER.UPGRADE_DOWNGRADE_STACK' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'AMBARI.ADD_DELETE_CLUSTERS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'AMBARI.SET_SERVICE_USERS_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'AMBARI.RENAME_CLUSTER' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'AMBARI.MANAGE_USERS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'AMBARI.MANAGE_GROUPS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'AMBARI.MANAGE_VIEWS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'AMBARI.ASSIGN_ROLES' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'AMBARI.MANAGE_STACK_VERSIONS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR' UNION ALL
+    SELECT permission_id, 'AMBARI.EDIT_STACK_REPOS' FROM adminpermission WHERE permission_name='AMBARI.ADMINISTRATOR';
 
   insert into adminprivilege (privilege_id, permission_id, resource_id, principal_id)
     select 1, 1, 1, 1;

ambari-server/src/main/resources/META-INF/persistence.xml

@@ -49,6 +49,7 @@
     <class>org.apache.ambari.server.orm.entities.MemberEntity</class>
     <class>org.apache.ambari.server.orm.entities.MetainfoEntity</class>
     <class>org.apache.ambari.server.orm.entities.PermissionEntity</class>
+    <class>org.apache.ambari.server.orm.entities.RoleAuthorizationEntity</class>
     <class>org.apache.ambari.server.orm.entities.PrincipalEntity</class>
     <class>org.apache.ambari.server.orm.entities.PrincipalTypeEntity</class>
     <class>org.apache.ambari.server.orm.entities.PrivilegeEntity</class>

ambari-server/src/test/java/org/apache/ambari/server/api/services/RoleAuthorizationServiceTest.java

@@ -0,0 +1,86 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.api.services;
+
+import org.apache.ambari.server.api.resources.ResourceInstance;
+import org.apache.ambari.server.api.services.parsers.RequestBodyParser;
+import org.apache.ambari.server.api.services.serializers.ResultSerializer;
+
+import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.UriInfo;
+import java.lang.reflect.Method;
+import java.util.ArrayList;
+import java.util.List;
+
+import static org.junit.Assert.assertEquals;
+
+
+/**
+ * Unit tests for RoleAuthorizationService.
+ */
+public class RoleAuthorizationServiceTest extends BaseServiceTest {
+
+  public List<ServiceTestInvocation> getTestInvocations() throws Exception {
+    List<ServiceTestInvocation> listInvocations = new ArrayList<ServiceTestInvocation>();
+
+    //getAuthorization
+    RoleAuthorizationService service = new TestRoleAuthorizationService("id");
+    Method m = service.getClass().getMethod("getAuthorization", HttpHeaders.class, UriInfo.class, String.class);
+    Object[] args = new Object[] {getHttpHeaders(), getUriInfo(), "id"};
+    listInvocations.add(new ServiceTestInvocation(Request.Type.GET, service, m, args, null));
+
+    //getAuthorizations
+    service = new TestRoleAuthorizationService(null);
+    m = service.getClass().getMethod("getAuthorizations", HttpHeaders.class, UriInfo.class);
+    args = new Object[] {getHttpHeaders(), getUriInfo()};
+    listInvocations.add(new ServiceTestInvocation(Request.Type.GET, service, m, args, null));
+
+    return listInvocations;
+  }
+
+
+  private class TestRoleAuthorizationService extends RoleAuthorizationService {
+    private String id;
+
+    private TestRoleAuthorizationService(String id) {
+      this.id = id;
+    }
+
+    @Override
+    protected ResourceInstance createAuthorizationResource(String id) {
+      assertEquals(this.id, id);
+      return getTestResource();
+    }
+
+    @Override
+    RequestFactory getRequestFactory() {
+      return getTestRequestFactory();
+    }
+
+    @Override
+    protected RequestBodyParser getBodyParser() {
+      return getTestBodyParser();
+    }
+
+    @Override
+    protected ResultSerializer getResultSerializer() {
+      return getTestResultSerializer();
+    }
+  }
+}

ambari-server/src/test/java/org/apache/ambari/server/api/services/UserAuthorizationServiceTest.java

@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.api.services;
+
+import org.apache.ambari.server.api.resources.ResourceInstance;
+import org.apache.ambari.server.api.services.parsers.RequestBodyParser;
+import org.apache.ambari.server.api.services.serializers.ResultSerializer;
+
+import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.UriInfo;
+import java.lang.reflect.Method;
+import java.util.ArrayList;
+import java.util.List;
+
+import static org.junit.Assert.assertEquals;
+
+
+/**
+ * Unit tests for UserAuthorizationService.
+ */
+public class UserAuthorizationServiceTest extends BaseServiceTest {
+
+  public List<ServiceTestInvocation> getTestInvocations() throws Exception {
+    List<ServiceTestInvocation> listInvocations = new ArrayList<ServiceTestInvocation>();
+
+    //getAuthorization
+    UserAuthorizationService service = new TestUserAuthorizationService("id");
+    Method m = service.getClass().getMethod("getAuthorization", HttpHeaders.class, UriInfo.class, String.class);
+    Object[] args = new Object[] {getHttpHeaders(), getUriInfo(), "id"};
+    listInvocations.add(new ServiceTestInvocation(Request.Type.GET, service, m, args, null));
+
+    //getAuthorizations
+    service = new TestUserAuthorizationService(null);
+    m = service.getClass().getMethod("getAuthorizations", HttpHeaders.class, UriInfo.class);
+    args = new Object[] {getHttpHeaders(), getUriInfo()};
+    listInvocations.add(new ServiceTestInvocation(Request.Type.GET, service, m, args, null));
+
+    return listInvocations;
+  }
+
+
+  private class TestUserAuthorizationService extends UserAuthorizationService {
+    private String id;
+
+    private TestUserAuthorizationService(String id) {
+      super("jdoe");
+      this.id = id;
+    }
+
+    @Override
+    protected ResourceInstance createAuthorizationResource(String id) {
+      assertEquals(this.id, id);
+      return getTestResource();
+    }
+
+    @Override
+    RequestFactory getRequestFactory() {
+      return getTestRequestFactory();
+    }
+
+    @Override
+    protected RequestBodyParser getBodyParser() {
+      return getTestBodyParser();
+    }
+
+    @Override
+    protected ResultSerializer getResultSerializer() {
+      return getTestResultSerializer();
+    }
+  }
+}

ambari-server/src/test/java/org/apache/ambari/server/controller/internal/RoleAuthorizationResourceProviderTest.java

@@ -0,0 +1,202 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.controller.internal;
+
+import com.google.inject.AbstractModule;
+import com.google.inject.Guice;
+import com.google.inject.Injector;
+import com.google.inject.util.Modules;
+import org.apache.ambari.server.controller.AmbariManagementController;
+import org.apache.ambari.server.controller.spi.Predicate;
+import org.apache.ambari.server.controller.spi.Request;
+import org.apache.ambari.server.controller.spi.Resource;
+import org.apache.ambari.server.controller.utilities.PredicateBuilder;
+import org.apache.ambari.server.controller.utilities.PropertyHelper;
+import org.apache.ambari.server.orm.DBAccessor;
+import org.apache.ambari.server.orm.InMemoryDefaultTestModule;
+import org.apache.ambari.server.orm.dao.PermissionDAO;
+import org.apache.ambari.server.orm.dao.ResourceTypeDAO;
+import org.apache.ambari.server.orm.dao.RoleAuthorizationDAO;
+import org.apache.ambari.server.orm.entities.PermissionEntity;
+import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity;
+import org.easymock.EasyMockSupport;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+import javax.persistence.EntityManager;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+
+import static org.easymock.EasyMock.*;
+
+
+/**
+ * RoleAuthorizationResourceProvider tests.
+ */
+public class RoleAuthorizationResourceProviderTest extends EasyMockSupport {
+  private static Injector injector;
+
+  @Before
+  public void setup() {
+    reset();
+
+    injector = Guice.createInjector(Modules.override(new InMemoryDefaultTestModule())
+        .with(new AbstractModule() {
+          @Override
+          protected void configure() {
+            AmbariManagementController managementController = createNiceMock(AmbariManagementController.class);
+
+            bind(AmbariManagementController.class).toInstance(managementController);
+            bind(DBAccessor.class).toInstance(createNiceMock(DBAccessor.class));
+            bind(EntityManager.class).toInstance(createNiceMock(EntityManager.class));
+            bind(PermissionDAO.class).toInstance(createStrictMock(PermissionDAO.class));
+            bind(RoleAuthorizationDAO.class).toInstance(createStrictMock(RoleAuthorizationDAO.class));
+          }
+        }));
+  }
+
+
+  @Test
+  public void testGetResources() throws Exception {
+    RoleAuthorizationEntity roleAuthorizationEntity = createNiceMock(RoleAuthorizationEntity.class);
+    expect(roleAuthorizationEntity.getAuthorizationId()).andReturn("TEST.DO_SOMETHING");
+    expect(roleAuthorizationEntity.getAuthorizationName()).andReturn("Do Something");
+
+    List<RoleAuthorizationEntity> authorizationEntities = new ArrayList<RoleAuthorizationEntity>();
+    authorizationEntities.add(roleAuthorizationEntity);
+
+    RoleAuthorizationDAO roleAuthorizationDAO = injector.getInstance(RoleAuthorizationDAO.class);
+    expect(roleAuthorizationDAO.findAll()).andReturn(authorizationEntities);
+
+    replayAll();
+
+    AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
+    RoleAuthorizationResourceProvider provider = new RoleAuthorizationResourceProvider(managementController);
+    injector.injectMembers(provider);
+
+    Set<Resource> resources = provider.getResources(PropertyHelper.getReadRequest(), null);
+
+    Assert.assertEquals(1, resources.size());
+    Resource resource = resources.iterator().next();
+
+    Assert.assertEquals("TEST.DO_SOMETHING", resource.getPropertyValue(RoleAuthorizationResourceProvider.AUTHORIZATION_ID_PROPERTY_ID));
+    Assert.assertEquals("Do Something", resource.getPropertyValue(RoleAuthorizationResourceProvider.AUTHORIZATION_NAME_PROPERTY_ID));
+    Assert.assertNull(resource.getPropertyValue(RoleAuthorizationResourceProvider.PERMISSION_ID_PROPERTY_ID));
+
+    verifyAll();
+  }
+
+  @Test
+  public void testGetResourcesForPermission() throws Exception {
+    RoleAuthorizationEntity roleAuthorizationEntity = createNiceMock(RoleAuthorizationEntity.class);
+    expect(roleAuthorizationEntity.getAuthorizationId()).andReturn("TEST.DO_SOMETHING").once();
+    expect(roleAuthorizationEntity.getAuthorizationName()).andReturn("Do Something").once();
+
+    List<RoleAuthorizationEntity> authorizationEntities = new ArrayList<RoleAuthorizationEntity>();
+    authorizationEntities.add(roleAuthorizationEntity);
+
+    PermissionEntity permissionEntry = createStrictMock(PermissionEntity.class);
+    expect(permissionEntry.getAuthorizations()).andReturn(authorizationEntities).once();
+
+    PermissionDAO permissionDAO = injector.getInstance(PermissionDAO.class);
+    expect(permissionDAO.findById(1)).andReturn(permissionEntry).once();
+
+    replayAll();
+
+    AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
+    RoleAuthorizationResourceProvider provider = new RoleAuthorizationResourceProvider(managementController);
+
+    Predicate predicate = new PredicateBuilder()
+        .property(RoleAuthorizationResourceProvider.PERMISSION_ID_PROPERTY_ID).equals("1")
+        .toPredicate();
+
+    Set<Resource> resources = provider.getResources(PropertyHelper.getReadRequest(), predicate);
+
+    Assert.assertEquals(1, resources.size());
+    Resource resource = resources.iterator().next();
+
+    Assert.assertEquals("TEST.DO_SOMETHING", resource.getPropertyValue(RoleAuthorizationResourceProvider.AUTHORIZATION_ID_PROPERTY_ID));
+    Assert.assertEquals("Do Something", resource.getPropertyValue(RoleAuthorizationResourceProvider.AUTHORIZATION_NAME_PROPERTY_ID));
+    Assert.assertEquals(1, resource.getPropertyValue(RoleAuthorizationResourceProvider.PERMISSION_ID_PROPERTY_ID));
+
+    verifyAll();
+  }
+
+  @Test
+  public void testGetResource() throws Exception {
+    RoleAuthorizationEntity roleAuthorizationEntity1 = createNiceMock(RoleAuthorizationEntity.class);
+    expect(roleAuthorizationEntity1.getAuthorizationId()).andReturn("TEST.DO_SOMETHING").anyTimes();
+    expect(roleAuthorizationEntity1.getAuthorizationName()).andReturn("Do Something").anyTimes();
+
+    RoleAuthorizationEntity roleAuthorizationEntity2 = createNiceMock(RoleAuthorizationEntity.class);
+    expect(roleAuthorizationEntity2.getAuthorizationId()).andReturn("TEST.DO_SOMETHING_ELSE").anyTimes();
+    expect(roleAuthorizationEntity2.getAuthorizationName()).andReturn("Do Something Else").anyTimes();
+
+    List<RoleAuthorizationEntity> authorizationEntities = new ArrayList<RoleAuthorizationEntity>();
+    authorizationEntities.add(roleAuthorizationEntity1);
+    authorizationEntities.add(roleAuthorizationEntity2);
+
+    PermissionEntity permissionEntry = createStrictMock(PermissionEntity.class);
+    expect(permissionEntry.getAuthorizations()).andReturn(authorizationEntities).once();
+
+    PermissionDAO permissionDAO = injector.getInstance(PermissionDAO.class);
+    expect(permissionDAO.findById(1)).andReturn(permissionEntry).once();
+
+    replayAll();
+
+    AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
+    RoleAuthorizationResourceProvider provider = new RoleAuthorizationResourceProvider(managementController);
+
+    Predicate predicate = new PredicateBuilder().begin()
+        .property(RoleAuthorizationResourceProvider.AUTHORIZATION_ID_PROPERTY_ID).equals("TEST.DO_SOMETHING")
+        .and()
+        .property(RoleAuthorizationResourceProvider.PERMISSION_ID_PROPERTY_ID).equals("1")
+        .end()
+        .toPredicate();
+
+    Set<Resource> resources = provider.getResources(PropertyHelper.getReadRequest(), predicate);
+
+    Assert.assertEquals(1, resources.size());
+    Resource resource = resources.iterator().next();
+
+    Assert.assertEquals("TEST.DO_SOMETHING", resource.getPropertyValue(RoleAuthorizationResourceProvider.AUTHORIZATION_ID_PROPERTY_ID));
+    Assert.assertEquals("Do Something", resource.getPropertyValue(RoleAuthorizationResourceProvider.AUTHORIZATION_NAME_PROPERTY_ID));
+    Assert.assertEquals(1, resource.getPropertyValue(RoleAuthorizationResourceProvider.PERMISSION_ID_PROPERTY_ID));
+
+    verifyAll();
+  }
+
+  @Test(expected = org.apache.ambari.server.controller.spi.SystemException.class)
+  public void testUpdateResources() throws Exception {
+    replayAll();
+    AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
+    RoleAuthorizationResourceProvider provider = new RoleAuthorizationResourceProvider(managementController);
+    provider.updateResources(createNiceMock(Request.class), null);
+  }
+
+  @Test(expected = org.apache.ambari.server.controller.spi.SystemException.class)
+  public void testDeleteResources() throws Exception {
+    replayAll();
+    AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
+    RoleAuthorizationResourceProvider provider = new RoleAuthorizationResourceProvider(managementController);
+    provider.deleteResources(null);
+  }
+}

ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserAuthorizationResourceProviderTest.java

@@ -0,0 +1,315 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.controller.internal;
+
+import com.google.inject.AbstractModule;
+import com.google.inject.Guice;
+import com.google.inject.Injector;
+import com.google.inject.util.Modules;
+import org.apache.ambari.server.controller.AmbariManagementController;
+import org.apache.ambari.server.controller.spi.ClusterController;
+import org.apache.ambari.server.controller.spi.Predicate;
+import org.apache.ambari.server.controller.spi.Request;
+import org.apache.ambari.server.controller.spi.Resource;
+import org.apache.ambari.server.controller.spi.ResourceProvider;
+import org.apache.ambari.server.controller.utilities.PredicateBuilder;
+import org.apache.ambari.server.controller.utilities.PropertyHelper;
+import org.apache.ambari.server.orm.DBAccessor;
+import org.apache.ambari.server.orm.InMemoryDefaultTestModule;
+import org.apache.ambari.server.orm.dao.PermissionDAO;
+import org.apache.ambari.server.orm.dao.ResourceTypeDAO;
+import org.apache.ambari.server.orm.entities.PermissionEntity;
+import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
+import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity;
+import org.easymock.EasyMockSupport;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+import javax.persistence.EntityManager;
+import java.lang.reflect.Field;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.LinkedList;
+import java.util.Set;
+
+import static org.easymock.EasyMock.*;
+
+
+/**
+ * UserAuthorizationResourceProvider tests.
+ */
+public class UserAuthorizationResourceProviderTest extends EasyMockSupport {
+  private Injector injector;
+
+  @Before
+  public void setup() {
+    reset();
+
+    injector = Guice.createInjector(Modules.override(new InMemoryDefaultTestModule())
+        .with(new AbstractModule() {
+          @Override
+          protected void configure() {
+            AmbariManagementController managementController = createNiceMock(AmbariManagementController.class);
+
+            bind(AmbariManagementController.class).toInstance(managementController);
+            bind(DBAccessor.class).toInstance(createNiceMock(DBAccessor.class));
+            bind(EntityManager.class).toInstance(createNiceMock(EntityManager.class));
+            bind(PermissionDAO.class).toInstance(createMock(PermissionDAO.class));
+            bind(ResourceTypeDAO.class).toInstance(createMock(ResourceTypeDAO.class));
+          }
+        }));
+  }
+
+
+  @Test
+  public void testGetResources() throws Exception {
+
+    Resource clusterResource = createMock(Resource.class);
+    expect(clusterResource.getPropertyValue(UserPrivilegeResourceProvider.PRIVILEGE_PERMISSION_NAME_PROPERTY_ID))
+        .andReturn("CLUSTER.DO_SOMETHING")
+        .anyTimes();
+    expect(clusterResource.getPropertyValue(UserPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID))
+        .andReturn("CLUSTER")
+        .anyTimes();
+    expect(clusterResource.getPropertyValue(UserPrivilegeResourceProvider.PRIVILEGE_CLUSTER_NAME_PROPERTY_ID))
+        .andReturn("Cluster Name")
+        .anyTimes();
+
+    Resource viewResource = createMock(Resource.class);
+    expect(viewResource.getPropertyValue(UserPrivilegeResourceProvider.PRIVILEGE_PERMISSION_NAME_PROPERTY_ID))
+        .andReturn("VIEW.DO_SOMETHING")
+        .anyTimes();
+    expect(viewResource.getPropertyValue(UserPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID))
+        .andReturn("VIEW")
+        .anyTimes();
+    expect(viewResource.getPropertyValue(UserPrivilegeResourceProvider.PRIVILEGE_VIEW_NAME_PROPERTY_ID))
+        .andReturn("View Name")
+        .anyTimes();
+    expect(viewResource.getPropertyValue(UserPrivilegeResourceProvider.PRIVILEGE_VIEW_VERSION_PROPERTY_ID))
+        .andReturn("View Version")
+        .anyTimes();
+    expect(viewResource.getPropertyValue(UserPrivilegeResourceProvider.PRIVILEGE_INSTANCE_NAME_PROPERTY_ID))
+        .andReturn("View Instance Name")
+        .anyTimes();
+
+    Resource adminResource = createMock(Resource.class);
+    expect(adminResource.getPropertyValue(UserPrivilegeResourceProvider.PRIVILEGE_PERMISSION_NAME_PROPERTY_ID))
+        .andReturn("ADMIN.DO_SOMETHING")
+        .anyTimes();
+    expect(adminResource.getPropertyValue(UserPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID))
+        .andReturn("ADMIN")
+        .anyTimes();
+    expect(adminResource.getPropertyValue(UserPrivilegeResourceProvider.PRIVILEGE_CLUSTER_NAME_PROPERTY_ID))
+        .andReturn(null)
+        .anyTimes();
+
+    Resource emptyResource = createMock(Resource.class);
+    expect(emptyResource.getPropertyValue(UserPrivilegeResourceProvider.PRIVILEGE_PERMISSION_NAME_PROPERTY_ID))
+        .andReturn("EMPTY.DO_SOMETHING")
+        .anyTimes();
+    expect(emptyResource.getPropertyValue(UserPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID))
+        .andReturn("ADMIN")
+        .anyTimes();
+    expect(emptyResource.getPropertyValue(UserPrivilegeResourceProvider.PRIVILEGE_CLUSTER_NAME_PROPERTY_ID))
+        .andReturn(null)
+        .anyTimes();
+
+    Resource nullResource = createMock(Resource.class);
+    expect(nullResource.getPropertyValue(UserPrivilegeResourceProvider.PRIVILEGE_PERMISSION_NAME_PROPERTY_ID))
+        .andReturn("NULL.DO_SOMETHING")
+        .anyTimes();
+    expect(nullResource.getPropertyValue(UserPrivilegeResourceProvider.PRIVILEGE_TYPE_PROPERTY_ID))
+        .andReturn("ADMIN")
+        .anyTimes();
+    expect(nullResource.getPropertyValue(UserPrivilegeResourceProvider.PRIVILEGE_CLUSTER_NAME_PROPERTY_ID))
+        .andReturn(null)
+        .anyTimes();
+
+    Set<Resource> userPrivilegeResources = new HashSet<Resource>();
+    userPrivilegeResources.add(clusterResource);
+    userPrivilegeResources.add(viewResource);
+    userPrivilegeResources.add(adminResource);
+    userPrivilegeResources.add(emptyResource);
+    userPrivilegeResources.add(nullResource);
+
+    ResourceProvider userPrivilegeProvider = createMock(ResourceProvider.class);
+    expect(userPrivilegeProvider.getResources(anyObject(Request.class), anyObject(Predicate.class)))
+        .andReturn(userPrivilegeResources);
+
+    ClusterController clusterController = createMock(ClusterController.class);
+    expect(clusterController.ensureResourceProvider(Resource.Type.UserPrivilege))
+        .andReturn(userPrivilegeProvider)
+        .anyTimes();
+
+    ResourceTypeEntity clusterResourceTypeEntity = createMock(ResourceTypeEntity.class);
+    expect(clusterResourceTypeEntity.getId()).andReturn(1).anyTimes();
+
+    ResourceTypeEntity viewResourceTypeEntity = createMock(ResourceTypeEntity.class);
+    expect(viewResourceTypeEntity.getId()).andReturn(2).anyTimes();
+
+    ResourceTypeEntity adminResourceTypeEntity = createMock(ResourceTypeEntity.class);
+    expect(adminResourceTypeEntity.getId()).andReturn(3).anyTimes();
+
+    ResourceTypeDAO resourceTypeDAO = injector.getInstance(ResourceTypeDAO.class);
+    expect(resourceTypeDAO.findByName("CLUSTER")).andReturn(clusterResourceTypeEntity).anyTimes();
+    expect(resourceTypeDAO.findByName("VIEW")).andReturn(viewResourceTypeEntity).anyTimes();
+    expect(resourceTypeDAO.findByName("ADMIN")).andReturn(adminResourceTypeEntity).anyTimes();
+
+    RoleAuthorizationEntity clusterRoleAuthorizationEntity = createMock(RoleAuthorizationEntity.class);
+    expect(clusterRoleAuthorizationEntity.getAuthorizationId()).andReturn("CLUSTER.DO_SOMETHING").anyTimes();
+    expect(clusterRoleAuthorizationEntity.getAuthorizationName()).andReturn("CLUSTER DO_SOMETHING").anyTimes();
+
+    RoleAuthorizationEntity viewRoleAuthorizationEntity = createMock(RoleAuthorizationEntity.class);
+    expect(viewRoleAuthorizationEntity.getAuthorizationId()).andReturn("VIEW.DO_SOMETHING").anyTimes();
+    expect(viewRoleAuthorizationEntity.getAuthorizationName()).andReturn("VIEW DO_SOMETHING").anyTimes();
+
+    RoleAuthorizationEntity adminRoleAuthorizationEntity = createMock(RoleAuthorizationEntity.class);
+    expect(adminRoleAuthorizationEntity.getAuthorizationId()).andReturn("ADMIN.DO_SOMETHING").anyTimes();
+    expect(adminRoleAuthorizationEntity.getAuthorizationName()).andReturn("ADMIN DO_SOMETHING").anyTimes();
+
+    Collection<RoleAuthorizationEntity> clusterPermissionAuthorizations = Collections.singleton(clusterRoleAuthorizationEntity);
+    Collection<RoleAuthorizationEntity> viewPermissionAuthorizations = Collections.singleton(viewRoleAuthorizationEntity);
+    Collection<RoleAuthorizationEntity> adminPermissionAuthorizations = Collections.singleton(adminRoleAuthorizationEntity);
+
+    PermissionEntity clusterPermissionEntity = createMock(PermissionEntity.class);
+    expect(clusterPermissionEntity.getAuthorizations())
+        .andReturn(clusterPermissionAuthorizations)
+        .anyTimes();
+
+    PermissionEntity viewPermissionEntity = createMock(PermissionEntity.class);
+    expect(viewPermissionEntity.getAuthorizations())
+        .andReturn(viewPermissionAuthorizations)
+        .anyTimes();
+
+    PermissionEntity adminPermissionEntity = createMock(PermissionEntity.class);
+    expect(adminPermissionEntity.getAuthorizations())
+        .andReturn(adminPermissionAuthorizations)
+        .anyTimes();
+
+    PermissionEntity emptyPermissionEntity = createMock(PermissionEntity.class);
+    expect(emptyPermissionEntity.getAuthorizations())
+        .andReturn(Collections.<RoleAuthorizationEntity>emptyList())
+        .anyTimes();
+
+    PermissionEntity nullPermissionEntity = createMock(PermissionEntity.class);
+    expect(nullPermissionEntity.getAuthorizations())
+        .andReturn(null)
+        .anyTimes();
+
+    PermissionDAO permissionDAO = injector.getInstance(PermissionDAO.class);
+    expect(permissionDAO.findPermissionByNameAndType("CLUSTER.DO_SOMETHING", clusterResourceTypeEntity))
+        .andReturn(clusterPermissionEntity)
+        .anyTimes();
+    expect(permissionDAO.findPermissionByNameAndType("VIEW.DO_SOMETHING", viewResourceTypeEntity))
+        .andReturn(viewPermissionEntity)
+        .anyTimes();
+    expect(permissionDAO.findPermissionByNameAndType("ADMIN.DO_SOMETHING", adminResourceTypeEntity))
+        .andReturn(adminPermissionEntity)
+        .anyTimes();
+    expect(permissionDAO.findPermissionByNameAndType("EMPTY.DO_SOMETHING", adminResourceTypeEntity))
+        .andReturn(emptyPermissionEntity)
+        .anyTimes();
+    expect(permissionDAO.findPermissionByNameAndType("NULL.DO_SOMETHING", adminResourceTypeEntity))
+        .andReturn(nullPermissionEntity)
+        .anyTimes();
+
+    replayAll();
+
+    AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
+    UserAuthorizationResourceProvider provider = new UserAuthorizationResourceProvider(managementController);
+    setClusterController(provider, clusterController);
+
+    Predicate predicate = new PredicateBuilder()
+        .property(UserAuthorizationResourceProvider.USERNAME_PROPERTY_ID).equals("jdoe")
+        .toPredicate();
+
+    Set<Resource> resources = provider.getResources(PropertyHelper.getReadRequest(), predicate);
+
+    Assert.assertEquals(3, resources.size());
+
+    LinkedList<String> expectedIds = new LinkedList<String>();
+    expectedIds.add("CLUSTER.DO_SOMETHING");
+    expectedIds.add("VIEW.DO_SOMETHING");
+    expectedIds.add("ADMIN.DO_SOMETHING");
+
+    for (Resource resource : resources) {
+      String authorizationId = (String) resource.getPropertyValue(UserAuthorizationResourceProvider.AUTHORIZATION_ID_PROPERTY_ID);
+
+      switch (authorizationId) {
+        case "CLUSTER.DO_SOMETHING":
+          Assert.assertEquals("CLUSTER DO_SOMETHING", resource.getPropertyValue(UserAuthorizationResourceProvider.AUTHORIZATION_NAME_PROPERTY_ID));
+          Assert.assertEquals("CLUSTER", resource.getPropertyValue(UserAuthorizationResourceProvider.AUTHORIZATION_RESOURCE_TYPE_PROPERTY_ID));
+          Assert.assertEquals("Cluster Name", resource.getPropertyValue(UserAuthorizationResourceProvider.AUTHORIZATION_CLUSTER_NAME_PROPERTY_ID));
+          Assert.assertNull(resource.getPropertyValue(UserAuthorizationResourceProvider.AUTHORIZATION_VIEW_NAME_PROPERTY_ID));
+          Assert.assertNull(resource.getPropertyValue(UserAuthorizationResourceProvider.AUTHORIZATION_VIEW_VERSION_PROPERTY_ID));
+          Assert.assertNull(resource.getPropertyValue(UserAuthorizationResourceProvider.AUTHORIZATION_VIEW_INSTANCE_NAME_PROPERTY_ID));
+          break;
+        case "VIEW.DO_SOMETHING":
+          Assert.assertEquals("VIEW DO_SOMETHING", resource.getPropertyValue(UserAuthorizationResourceProvider.AUTHORIZATION_NAME_PROPERTY_ID));
+          Assert.assertEquals("VIEW", resource.getPropertyValue(UserAuthorizationResourceProvider.AUTHORIZATION_RESOURCE_TYPE_PROPERTY_ID));
+          Assert.assertEquals("View Name", resource.getPropertyValue(UserAuthorizationResourceProvider.AUTHORIZATION_VIEW_NAME_PROPERTY_ID));
+          Assert.assertEquals("View Version", resource.getPropertyValue(UserAuthorizationResourceProvider.AUTHORIZATION_VIEW_VERSION_PROPERTY_ID));
+          Assert.assertEquals("View Instance Name", resource.getPropertyValue(UserAuthorizationResourceProvider.AUTHORIZATION_VIEW_INSTANCE_NAME_PROPERTY_ID));
+          Assert.assertNull(resource.getPropertyValue(UserAuthorizationResourceProvider.AUTHORIZATION_CLUSTER_NAME_PROPERTY_ID));
+          break;
+        case "ADMIN.DO_SOMETHING":
+          Assert.assertEquals("ADMIN DO_SOMETHING", resource.getPropertyValue(UserAuthorizationResourceProvider.AUTHORIZATION_NAME_PROPERTY_ID));
+          Assert.assertEquals("ADMIN", resource.getPropertyValue(UserAuthorizationResourceProvider.AUTHORIZATION_RESOURCE_TYPE_PROPERTY_ID));
+          Assert.assertNull(resource.getPropertyValue(UserAuthorizationResourceProvider.AUTHORIZATION_CLUSTER_NAME_PROPERTY_ID));
+          Assert.assertNull(resource.getPropertyValue(UserAuthorizationResourceProvider.AUTHORIZATION_VIEW_NAME_PROPERTY_ID));
+          Assert.assertNull(resource.getPropertyValue(UserAuthorizationResourceProvider.AUTHORIZATION_VIEW_VERSION_PROPERTY_ID));
+          Assert.assertNull(resource.getPropertyValue(UserAuthorizationResourceProvider.AUTHORIZATION_VIEW_INSTANCE_NAME_PROPERTY_ID));
+          break;
+      }
+
+      expectedIds.remove();
+    }
+
+    Assert.assertEquals(0, expectedIds.size());
+
+    verifyAll();
+  }
+
+  @Test(expected = org.apache.ambari.server.controller.spi.SystemException.class)
+  public void testUpdateResources() throws Exception {
+    replayAll();
+    AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
+    UserAuthorizationResourceProvider provider = new UserAuthorizationResourceProvider(managementController);
+    provider.updateResources(createNiceMock(Request.class), null);
+  }
+
+  @Test(expected = org.apache.ambari.server.controller.spi.SystemException.class)
+  public void testDeleteResources() throws Exception {
+    replayAll();
+    AmbariManagementController managementController = injector.getInstance(AmbariManagementController.class);
+    UserAuthorizationResourceProvider provider = new UserAuthorizationResourceProvider(managementController);
+    provider.deleteResources(null);
+  }
+
+
+  private void setClusterController(UserAuthorizationResourceProvider provider, ClusterController clusterController) throws Exception {
+    Class<?> c = provider.getClass();
+    Field f = c.getDeclaredField("clusterController");
+    f.setAccessible(true);
+    f.set(provider, clusterController);
+  }
+
+}

ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog220Test.java

@@ -17,25 +17,26 @@
  */
 package org.apache.ambari.server.upgrade;
 
-import static org.easymock.EasyMock.capture;
-import static org.easymock.EasyMock.createNiceMock;
-import static org.easymock.EasyMock.eq;
-import static org.easymock.EasyMock.expect;
-import static org.easymock.EasyMock.expectLastCall;
-import static org.easymock.EasyMock.replay;
-import static org.easymock.EasyMock.verify;
+import static org.easymock.EasyMock.*;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 
 import java.lang.reflect.Field;
+import java.util.List;
 
 import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.orm.DBAccessor;
+import org.apache.ambari.server.orm.dao.DaoUtils;
+import org.apache.ambari.server.orm.dao.PermissionDAO;
+import org.apache.ambari.server.orm.dao.ResourceTypeDAO;
 import org.apache.ambari.server.orm.entities.PermissionEntity;
+import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
 import org.apache.ambari.server.state.stack.OsFamily;
 import org.easymock.Capture;
 import org.easymock.EasyMock;
+import org.easymock.EasyMockSupport;
 import org.junit.Assert;
+import org.junit.Before;
 import org.junit.Test;
 
 import com.google.inject.Binder;
@@ -43,37 +44,76 @@ import com.google.inject.Guice;
 import com.google.inject.Injector;
 import com.google.inject.Module;
 
+import javax.persistence.EntityManager;
+
 /**
  * UpgradeCatalog220 tests.
  */
-public class UpgradeCatalog220Test {
+public class UpgradeCatalog220Test extends EasyMockSupport {
+
+  private Injector injector;
 
+  @Before
+  public void setup() {
+    resetAll();
+
+    Module module = new Module() {
+      @Override
+      public void configure(Binder binder) {
+        binder.bind(DBAccessor.class).toInstance(createNiceMock(DBAccessor.class));
+        binder.bind(OsFamily.class).toInstance(createNiceMock(OsFamily.class));
+        binder.bind(EntityManager.class).toInstance(createNiceMock(EntityManager.class));
+        binder.bind(DaoUtils.class).toInstance(createNiceMock(DaoUtils.class));
+        binder.bind(PermissionDAO.class).toInstance(createNiceMock(PermissionDAO.class));
+        binder.bind(ResourceTypeDAO.class).toInstance(createMock(ResourceTypeDAO.class));
+      }
+    };
+
+    injector = Guice.createInjector(module);
+  }
 
   @Test
   public void testExecuteDDLUpdates() throws Exception {
 
-    final DBAccessor dbAccessor = createNiceMock(DBAccessor.class);
+    final DBAccessor dbAccessor = injector.getInstance(DBAccessor.class);
 
     Configuration configuration = createNiceMock(Configuration.class);
     expect(configuration.getDatabaseUrl()).andReturn(Configuration.JDBC_IN_MEMORY_URL).anyTimes();
 
-    Capture<DBAccessor.DBColumnInfo> columnCapture = new Capture<DBAccessor.DBColumnInfo>();
+    Capture<DBAccessor.DBColumnInfo> columnCapture = EasyMock.newCapture();
     Capture<DBAccessor.DBColumnInfo> columnCapturePermissionLabel = EasyMock.newCapture();
+    Capture<List<DBAccessor.DBColumnInfo>> columnsCaptureRoleAuthorization = EasyMock.newCapture();
+    Capture<List<DBAccessor.DBColumnInfo>> columnsCapturePermissionRoleAuthorization = EasyMock.newCapture();
 
     dbAccessor.alterColumn(eq("host_role_command"), capture(columnCapture));
+    expectLastCall();
+
     dbAccessor.addColumn(eq("adminpermission"), capture(columnCapturePermissionLabel));
     expectLastCall();
 
+    dbAccessor.createTable(eq("roleauthorization"), capture(columnsCaptureRoleAuthorization), eq("authorization_id"));
+    expectLastCall();
+
+    dbAccessor.createTable(eq("permission_roleauthorization"), capture(columnsCapturePermissionRoleAuthorization), eq("permission_id"), eq("authorization_id"));
+    expectLastCall();
+
+    dbAccessor.addFKConstraint("permission_roleauthorization", "FK_permission_roleauthorization_permission_id",
+        "permission_id", "adminpermission", "permission_id", false);
+    expectLastCall();
+
+    dbAccessor.addFKConstraint("permission_roleauthorization", "FK_permission_roleauthorization_authorization_id",
+        "authorization_id", "roleauthorization", "authorization_id", false);
+    expectLastCall();
 
-    replay(dbAccessor, configuration);
-    AbstractUpgradeCatalog upgradeCatalog = getUpgradeCatalog(dbAccessor);
+    replayAll();
+    AbstractUpgradeCatalog upgradeCatalog = injector.getInstance(UpgradeCatalog220.class);
     Class<?> c = AbstractUpgradeCatalog.class;
     Field f = c.getDeclaredField("configuration");
     f.setAccessible(true);
     f.set(upgradeCatalog, configuration);
 
     upgradeCatalog.executeDDLUpdates();
-    verify(dbAccessor, configuration);
+    verifyAll();
 
     assertTrue(columnCapture.getValue().isNullable());
 
@@ -81,12 +121,101 @@ public class UpgradeCatalog220Test {
     assertEquals(columnCapturePermissionLabel.getValue().getType(), String.class);
     assertEquals(columnCapturePermissionLabel.getValue().getLength(), Integer.valueOf(255));
     assertEquals(columnCapturePermissionLabel.getValue().isNullable(), true);
+
+    List<DBAccessor.DBColumnInfo> columnInfos;
+    DBAccessor.DBColumnInfo columnInfo;
+
+    // Verify roleauthorization table
+    columnInfos = columnsCaptureRoleAuthorization.getValue();
+    assertEquals(2, columnInfos.size());
+
+    columnInfo = columnInfos.get(0);
+    assertEquals("authorization_id", columnInfo.getName());
+    assertEquals(String.class, columnInfo.getType());
+    assertEquals(Integer.valueOf(100), columnInfo.getLength());
+
+    columnInfo = columnInfos.get(1);
+    assertEquals("authorization_name", columnInfo.getName());
+    assertEquals(String.class, columnInfo.getType());
+    assertEquals(Integer.valueOf(255), columnInfo.getLength());
+
+    // Verify permission_roleauthorization table
+    columnInfos = columnsCapturePermissionRoleAuthorization.getValue();
+    assertEquals(2, columnInfos.size());
+
+    columnInfo = columnInfos.get(0);
+    assertEquals("permission_id", columnInfo.getName());
+    assertEquals(Long.class, columnInfo.getType());
+    assertEquals(null, columnInfo.getLength());
+
+    columnInfo = columnInfos.get(1);
+    assertEquals("authorization_id", columnInfo.getName());
+    assertEquals(String.class, columnInfo.getType());
+    assertEquals(Integer.valueOf(100), columnInfo.getLength());
   }
 
   @Test
   public void testExecuteDMLUpdates() throws Exception {
-    final DBAccessor dbAccessor     = createNiceMock(DBAccessor.class);
-    UpgradeCatalog220 upgradeCatalog = (UpgradeCatalog220) getUpgradeCatalog(dbAccessor);
+    final DBAccessor dbAccessor = injector.getInstance(DBAccessor.class);
+    UpgradeCatalog220 upgradeCatalog = injector.getInstance(UpgradeCatalog220.class);
+
+    final ResourceTypeEntity ambariResourceTypeEntity = createMock(ResourceTypeEntity.class);
+    expect(ambariResourceTypeEntity.getId()).andReturn(1).anyTimes();
+
+    final ResourceTypeEntity clusterResourceTypeEntity = createMock(ResourceTypeEntity.class);
+    expect(clusterResourceTypeEntity.getId()).andReturn(2).anyTimes();
+
+    final ResourceTypeEntity viewResourceTypeEntity = createMock(ResourceTypeEntity.class);
+    expect(viewResourceTypeEntity.getId()).andReturn(3).anyTimes();
+
+    final ResourceTypeDAO resourceTypeDAO = injector.getInstance(ResourceTypeDAO.class);
+    expect(resourceTypeDAO.findByName("AMBARI")).andReturn(ambariResourceTypeEntity).anyTimes();
+    expect(resourceTypeDAO.findByName("CLUSTER")).andReturn(clusterResourceTypeEntity).anyTimes();
+    expect(resourceTypeDAO.findByName("VIEW")).andReturn(viewResourceTypeEntity).anyTimes();
+
+    final PermissionEntity viewUserPermissionEntity = createMock(PermissionEntity.class);
+    expect(viewUserPermissionEntity.getId()).andReturn(1).anyTimes();
+
+    final PermissionEntity ambariAdministratorPermissionEntity = createMock(PermissionEntity.class);
+    expect(ambariAdministratorPermissionEntity.getId()).andReturn(2).anyTimes();
+
+    final PermissionEntity clusterUserPermissionEntity = createMock(PermissionEntity.class);
+    expect(clusterUserPermissionEntity.getId()).andReturn(3).anyTimes();
+
+    final PermissionEntity clusterOperatorPermissionEntity = createMock(PermissionEntity.class);
+    expect(clusterOperatorPermissionEntity.getId()).andReturn(4).anyTimes();
+
+    final PermissionEntity clusterAdministratorPermissionEntity = createMock(PermissionEntity.class);
+    expect(clusterAdministratorPermissionEntity.getId()).andReturn(5).anyTimes();
+
+    final PermissionEntity serviceAdministratorPermissionEntity = createMock(PermissionEntity.class);
+    expect(serviceAdministratorPermissionEntity.getId()).andReturn(6).anyTimes();
+
+    final PermissionEntity serviceOperatorPermissionEntity = createMock(PermissionEntity.class);
+    expect(serviceOperatorPermissionEntity.getId()).andReturn(7).anyTimes();
+
+    final PermissionDAO permissionDAO = injector.getInstance(PermissionDAO.class);
+    expect(permissionDAO.findPermissionByNameAndType("VIEW.USER", viewResourceTypeEntity))
+        .andReturn(viewUserPermissionEntity)
+        .anyTimes();
+    expect(permissionDAO.findPermissionByNameAndType("AMBARI.ADMINISTRATOR", ambariResourceTypeEntity))
+        .andReturn(ambariAdministratorPermissionEntity)
+        .anyTimes();
+    expect(permissionDAO.findPermissionByNameAndType("CLUSTER.USER", clusterResourceTypeEntity))
+        .andReturn(clusterUserPermissionEntity)
+        .anyTimes();
+    expect(permissionDAO.findPermissionByNameAndType("CLUSTER.OPERATOR", clusterResourceTypeEntity))
+        .andReturn(clusterOperatorPermissionEntity)
+        .anyTimes();
+    expect(permissionDAO.findPermissionByNameAndType("CLUSTER.ADMINISTRATOR", clusterResourceTypeEntity))
+        .andReturn(clusterAdministratorPermissionEntity)
+        .anyTimes();
+    expect(permissionDAO.findPermissionByNameAndType("SERVICE.ADMINISTRATOR", clusterResourceTypeEntity))
+        .andReturn(serviceAdministratorPermissionEntity)
+        .anyTimes();
+    expect(permissionDAO.findPermissionByNameAndType("SERVICE.OPERATOR", clusterResourceTypeEntity))
+        .andReturn(serviceOperatorPermissionEntity)
+        .anyTimes();
 
     String updateQueryPattern;
 
@@ -97,7 +226,7 @@ public class UpgradeCatalog220Test {
         .andReturn(1).once();
     expect(dbAccessor.executeUpdate(String.format(updateQueryPattern,
         "Cluster User", PermissionEntity.CLUSTER_USER_PERMISSION)))
-            .andReturn(1).once();
+        .andReturn(1).once();
     expect(dbAccessor.executeUpdate(String.format(updateQueryPattern,
         "Cluster Administrator", PermissionEntity.CLUSTER_ADMINISTRATOR_PERMISSION)))
         .andReturn(1).once();
@@ -120,37 +249,21 @@ public class UpgradeCatalog220Test {
         PermissionEntity.VIEW_USER_PERMISSION_NAME, PermissionEntity.VIEW_USER_PERMISSION)))
         .andReturn(1).once();
 
-    replay(dbAccessor);
+    replayAll();
     upgradeCatalog.executeDMLUpdates();
-    verify(dbAccessor);
+    verifyAll();
   }
 
   @Test
   public void testGetTargetVersion() throws Exception {
-    final DBAccessor dbAccessor     = createNiceMock(DBAccessor.class);
-    UpgradeCatalog   upgradeCatalog = getUpgradeCatalog(dbAccessor);
-
+    UpgradeCatalog upgradeCatalog = injector.getInstance(UpgradeCatalog220.class);
     Assert.assertEquals("2.2.0", upgradeCatalog.getTargetVersion());
   }
 
   @Test
   public void testGetSourceVersion() {
-    final DBAccessor dbAccessor     = createNiceMock(DBAccessor.class);
-    UpgradeCatalog upgradeCatalog = getUpgradeCatalog(dbAccessor);
+    UpgradeCatalog upgradeCatalog = injector.getInstance(UpgradeCatalog220.class);
     Assert.assertEquals("2.1.3", upgradeCatalog.getSourceVersion());
   }
 
-  private AbstractUpgradeCatalog getUpgradeCatalog(final DBAccessor dbAccessor) {
-    Module module = new Module() {
-      @Override
-      public void configure(Binder binder) {
-        binder.bind(DBAccessor.class).toInstance(dbAccessor);
-        binder.bind(OsFamily.class).toInstance(createNiceMock(OsFamily.class));
-      }
-    };
-    Injector injector = Guice.createInjector(module);
-    return injector.getInstance(UpgradeCatalog220.class);
-  }
-
-
 }