Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- 2.4.0
- None
Description
Authorizations given to roles should use generic role-based principals rather than hard-coded resource types.
Access to views can be assigned to all users with a given role. The implementation for this led to the creation of hard-coded principals that represent the current set of roles. This is not dynamic enough for possible future enhancements where new roles may be created by administrators.
This needs to be changed such that rather than using the hard-coded pseudo-role-principals, the dynamically generated role-principals are to be used.
The hard-coded pseudo-role-principals have the following adminprincipaltype values as opposed to "ROLE":
- ALL.CLUSTER.ADMINISTRATOR
- ALL.CLUSTER.OPERATOR
- ALL.SERVICE.ADMINISTRATOR
- ALL.SERVICE.OPERATOR
- ALL.CLUSTER.USER
These should be removed along with the associated adminprincipal records.
Also, the FE should be updated to set permissions using the dynamic role-principals.
Finally, code should be cleaned up to remove unneeded code in
- org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper
- org.apache.ambari.server.controller.internal.GroupPrivilegeResourceProvider#getResources
- org.apache.ambari.server.controller.internal.PrivilegeResourceProvider#toEntity
- org.apache.ambari.server.controller.internal.UserPrivilegeResourceProvider#getResources
- org.apache.ambari.server.security.authorization.AuthorizationHelper#isAuthorized
- org.apache.ambari.server.view.ViewRegistry#addClusterInheritedPermissions
- ...
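A post-upgrade check for the cleanup requested above, as an added example that is not part of the original issue or of Ambari's code: it lists any adminprincipal records still typed as one of the hard-coded pseudo-role types, with the number of privileges still pointing at each. The adminprivilege table, all column names and the sample rows are assumptions constructed for this example, and it runs against an in-memory SQLite database rather than a real Ambari schema.

```python
import sqlite3

# Legacy pseudo-role principal type names listed in the issue description.
LEGACY_TYPES = ("ALL.CLUSTER.ADMINISTRATOR", "ALL.CLUSTER.OPERATOR",
                "ALL.SERVICE.ADMINISTRATOR", "ALL.SERVICE.OPERATOR",
                "ALL.CLUSTER.USER")

# Simplified, constructed schema. The table names adminprincipaltype and
# adminprincipal come from the issue; adminprivilege and every column name
# are assumptions made for this example.
SCHEMA = """
CREATE TABLE adminprincipaltype (principal_type_id INTEGER PRIMARY KEY, principal_type_name TEXT);
CREATE TABLE adminprincipal (principal_id INTEGER PRIMARY KEY, principal_type_id INTEGER);
CREATE TABLE adminprivilege (privilege_id INTEGER PRIMARY KEY, principal_id INTEGER);
"""

def find_legacy_principals(conn):
    """Return (principal_id, type_name, privilege_count) for every principal
    whose type is one of the hard-coded pseudo-role types."""
    marks = ",".join("?" * len(LEGACY_TYPES))
    return conn.execute(
        f"""SELECT p.principal_id, t.principal_type_name, COUNT(v.privilege_id)
            FROM adminprincipal p
            JOIN adminprincipaltype t ON t.principal_type_id = p.principal_type_id
            LEFT JOIN adminprivilege v ON v.principal_id = p.principal_id
            WHERE t.principal_type_name IN ({marks})
            GROUP BY p.principal_id, t.principal_type_name
            ORDER BY p.principal_id""",
        LEGACY_TYPES,
    ).fetchall()

def build_sample_db():
    """Constructed sample data: one USER, one ROLE and two legacy principals."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO adminprincipaltype VALUES (?, ?)",
                     [(1, "USER"), (8, "ROLE"), (4, "ALL.CLUSTER.OPERATOR"),
                      (7, "ALL.CLUSTER.USER")])
    conn.executemany("INSERT INTO adminprincipal VALUES (?, ?)",
                     [(10, 1), (20, 8), (30, 4), (31, 7)])
    conn.executemany("INSERT INTO adminprivilege VALUES (?, ?)",
                     [(100, 10), (101, 20), (102, 30), (103, 30)])
    return conn

if __name__ == "__main__":
    for row in find_legacy_principals(build_sample_db()):
        print(row)
```

A non-empty result means the cleanup is incomplete; a row with a non-zero privilege count also marks grants that would be orphaned if the principal were deleted without first being re-pointed at a role-principal.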
Issue Links
- relates to
  - AMBARI-18676 Fix constraint violations in adminprincipal table when installing database schema (Resolved)
- links to