This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch atlas-2.5
in repository https://gitbox.apache.org/repos/asf/atlas.git
The following commit(s) were added to refs/heads/atlas-2.5 by this push:
new 97486c9e2 ATLAS-4961: checkstyle compliance updates -
atlas-authorization module (#286)
97486c9e2 is described below
commit 97486c9e2a2928fa03ba8028c6d0a18f65160b27
Author: Madhan Neethiraj <mad...@apache.org>
AuthorDate: Wed Feb 12 18:49:04 2025 -0800
ATLAS-4961: checkstyle compliance updates - atlas-authorization module
(#286)
(cherry picked from commit 7058cb9ef178197758d8178d27ceb59f37da564c)
---
authorization/pom.xml | 5 +
.../apache/atlas/authorize/AtlasAccessRequest.java | 45 ++--
.../atlas/authorize/AtlasAdminAccessRequest.java | 10 +-
.../authorize/AtlasAuthorizationException.java | 9 +-
.../atlas/authorize/AtlasAuthorizationUtils.java | 45 ++--
.../apache/atlas/authorize/AtlasAuthorizer.java | 29 +--
.../atlas/authorize/AtlasAuthorizerFactory.java | 25 +-
.../atlas/authorize/AtlasEntityAccessRequest.java | 9 +-
.../atlas/authorize/AtlasNoneAuthorizer.java | 13 +-
.../org/apache/atlas/authorize/AtlasPrivilege.java | 66 ++---
.../authorize/AtlasRelationshipAccessRequest.java | 10 +-
.../authorize/AtlasSearchResultScrubRequest.java | 13 +-
.../atlas/authorize/AtlasTypeAccessRequest.java | 7 +-
.../authorize/AtlasTypesDefFilterRequest.java | 7 +-
.../authorize/simple/AtlasSimpleAuthorizer.java | 265 +++++++++------------
.../authorize/simple/AtlasSimpleAuthzPolicy.java | 53 ++---
.../simple/AtlasSimpleAuthzUpdateTool.java | 83 +++----
.../simple/AtlasSimpleAuthorizerTest.java | 141 ++++++-----
18 files changed, 389 insertions(+), 446 deletions(-)
diff --git a/authorization/pom.xml b/authorization/pom.xml
index a067b3521..dd38b81bf 100644
--- a/authorization/pom.xml
+++ b/authorization/pom.xml
@@ -30,6 +30,11 @@
<name>Apache Atlas Authorization</name>
+ <properties>
+ <checkstyle.failOnViolation>true</checkstyle.failOnViolation>
+ <checkstyle.skip>false</checkstyle.skip>
+ </properties>
+
<dependencies>
<dependency>
diff --git
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
index c76a8715b..0f3f8d4dc 100644
---
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
+++
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -24,8 +24,6 @@ import org.apache.atlas.type.AtlasEntityType;
import org.apache.atlas.type.AtlasStructType.AtlasAttribute;
import org.apache.atlas.type.AtlasTypeRegistry;
import org.apache.commons.collections.MapUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
import java.util.Collections;
import java.util.Date;
@@ -35,19 +33,16 @@ import java.util.Map;
import java.util.Set;
public class AtlasAccessRequest {
- private static Logger LOG =
LoggerFactory.getLogger(AtlasAccessRequest.class);
-
private static final String DEFAULT_ENTITY_ID_ATTRIBUTE = "qualifiedName";
private final AtlasPrivilege action;
private final Date accessTime;
- private String user = null;
- private Set<String> userGroups = null;
- private String clientIPAddress = null;
+ private String user;
+ private Set<String> userGroups;
+ private String clientIPAddress;
private List<String> forwardedAddresses;
private String remoteIPAddress;
-
protected AtlasAccessRequest(AtlasPrivilege action) {
this(action, null, null, new Date(), null);
}
@@ -56,11 +51,11 @@ public class AtlasAccessRequest {
this(action, user, userGroups, new Date(), null, null, null);
}
- protected AtlasAccessRequest(AtlasPrivilege action, String user,
Set<String> userGroups, Date accessTime,
- String clientIPAddress, List<String>
forwardedAddresses, String remoteIPAddress) {
+ protected AtlasAccessRequest(AtlasPrivilege action, String user,
Set<String> userGroups, Date accessTime, String clientIPAddress, List<String>
forwardedAddresses, String remoteIPAddress) {
this(action, user, userGroups, accessTime, clientIPAddress);
- this.forwardedAddresses = forwardedAddresses;
- this.remoteIPAddress = remoteIPAddress;
+
+ this.forwardedAddresses = forwardedAddresses;
+ this.remoteIPAddress = remoteIPAddress;
}
protected AtlasAccessRequest(AtlasPrivilege action, String user,
Set<String> userGroups, Date accessTime, String clientIPAddress) {
@@ -96,22 +91,22 @@ public class AtlasAccessRequest {
return forwardedAddresses;
}
- public String getRemoteIPAddress() {
- return remoteIPAddress;
- }
-
- public String getClientIPAddress() {
- return clientIPAddress;
- }
-
public void setForwardedAddresses(List<String> forwardedAddresses) {
this.forwardedAddresses = forwardedAddresses;
}
+ public String getRemoteIPAddress() {
+ return remoteIPAddress;
+ }
+
public void setRemoteIPAddress(String remoteIPAddress) {
this.remoteIPAddress = remoteIPAddress;
}
+ public String getClientIPAddress() {
+ return clientIPAddress;
+ }
+
public void setClientIPAddress(String clientIPAddress) {
this.clientIPAddress = clientIPAddress;
}
@@ -169,7 +164,6 @@ public class AtlasAccessRequest {
break;
}
}
-
}
}
@@ -194,10 +188,9 @@ public class AtlasAccessRequest {
@Override
public String toString() {
- return "AtlasAccessRequest[" + "action=" + action + ", accessTime=" +
accessTime +", user='" + user + '\'' +
+ return "AtlasAccessRequest[" + "action=" + action + ", accessTime=" +
accessTime + ", user='" + user + '\'' +
", userGroups=" + userGroups + ", clientIPAddress='" +
clientIPAddress + '\'' +
", forwardedAddresses=" + forwardedAddresses + ",
remoteIPAddress='" + remoteIPAddress + '\'' +
']';
-
}
}
diff --git
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java
index 5f571fb64..e6e34dbc7 100644
---
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java
+++
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -17,11 +17,9 @@
*/
package org.apache.atlas.authorize;
-
import java.util.Set;
public class AtlasAdminAccessRequest extends AtlasAccessRequest {
-
public AtlasAdminAccessRequest(AtlasPrivilege action) {
super(action);
}
@@ -33,7 +31,7 @@ public class AtlasAdminAccessRequest extends
AtlasAccessRequest {
@Override
public String toString() {
return "AtlasAdminAccessRequest[action=" + getAction() + ",
accessTime=" + getAccessTime() + ", user=" + getUser() +
- ", userGroups=" + getUserGroups() + ",
clientIPAddress=" + getClientIPAddress() +
+ ", userGroups=" + getUserGroups() + ", clientIPAddress=" +
getClientIPAddress() +
", forwardedAddresses=" + getForwardedAddresses() + ",
remoteIPAddress=" + getRemoteIPAddress() + "]";
}
}
diff --git
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationException.java
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationException.java
index ff35e7d09..c82776748 100644
---
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationException.java
+++
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationException.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -29,8 +29,7 @@ public class AtlasAuthorizationException extends Exception {
super(message, exception);
}
- public AtlasAuthorizationException(String message, Throwable exception,
boolean enableSuppression,
- boolean writableStackTrace) {
+ public AtlasAuthorizationException(String message, Throwable exception,
boolean enableSuppression, boolean writableStackTrace) {
super(message, exception, enableSuppression, writableStackTrace);
}
diff --git
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java
index b1a3eb5fb..581c6235f 100644
---
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java
+++
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java
@@ -1,5 +1,5 @@
/**
-/**
+ * /**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -7,9 +7,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -31,18 +31,23 @@ import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import javax.servlet.http.HttpServletRequest;
+
import java.net.InetAddress;
import java.net.UnknownHostException;
+import java.util.Arrays;
import java.util.HashSet;
-import java.util.Set;
import java.util.List;
-import java.util.Arrays;
+import java.util.Set;
public class AtlasAuthorizationUtils {
private static final Logger LOG =
LoggerFactory.getLogger(AtlasAuthorizationUtils.class);
+ private AtlasAuthorizationUtils() {
+ // to block instantiation
+ }
+
public static void verifyAccess(AtlasAdminAccessRequest request, Object...
errorMsgParams) throws AtlasBaseException {
- if (! isAccessAllowed(request)) {
+ if (!isAccessAllowed(request)) {
String message = (errorMsgParams != null && errorMsgParams.length
> 0) ? StringUtils.join(errorMsgParams) : "";
throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS,
request.getUser(), message);
@@ -50,7 +55,7 @@ public class AtlasAuthorizationUtils {
}
public static void verifyAccess(AtlasTypeAccessRequest request, Object...
errorMsgParams) throws AtlasBaseException {
- if (! isAccessAllowed(request)) {
+ if (!isAccessAllowed(request)) {
String message = (errorMsgParams != null && errorMsgParams.length
> 0) ? StringUtils.join(errorMsgParams) : "";
throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS,
request.getUser(), message);
@@ -58,7 +63,7 @@ public class AtlasAuthorizationUtils {
}
public static void verifyAccess(AtlasEntityAccessRequest request,
Object... errorMsgParams) throws AtlasBaseException {
- if (! isAccessAllowed(request)) {
+ if (!isAccessAllowed(request)) {
String message = (errorMsgParams != null && errorMsgParams.length
> 0) ? StringUtils.join(errorMsgParams) : "";
throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS,
request.getUser(), message);
@@ -68,11 +73,12 @@ public class AtlasAuthorizationUtils {
public static void verifyAccess(AtlasRelationshipAccessRequest request,
Object... errorMsgParams) throws AtlasBaseException {
if (!isAccessAllowed(request)) {
String message = (errorMsgParams != null && errorMsgParams.length
> 0) ? StringUtils.join(errorMsgParams) : "";
+
throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS,
request.getUser(), message);
}
}
- public static void scrubSearchResults(AtlasSearchResultScrubRequest
request) throws AtlasBaseException {
+ public static void scrubSearchResults(AtlasSearchResultScrubRequest
request) {
String userName = getCurrentUserName();
if (StringUtils.isNotEmpty(userName)) {
@@ -105,6 +111,7 @@ public class AtlasAuthorizationUtils {
request.setClientIPAddress(RequestContext.get().getClientIPAddress());
request.setForwardedAddresses(RequestContext.get().getForwardedAddresses());
request.setRemoteIPAddress(RequestContext.get().getClientIPAddress());
+
ret = authorizer.isAccessAllowed(request);
} catch (AtlasAuthorizationException e) {
LOG.error("Unable to obtain AtlasAuthorizer", e);
@@ -132,6 +139,7 @@ public class AtlasAuthorizationUtils {
request.setClientIPAddress(RequestContext.get().getClientIPAddress());
request.setForwardedAddresses(RequestContext.get().getForwardedAddresses());
request.setRemoteIPAddress(RequestContext.get().getClientIPAddress());
+
ret = authorizer.isAccessAllowed(request);
} catch (AtlasAuthorizationException e) {
LOG.error("Unable to obtain AtlasAuthorizer", e);
@@ -159,6 +167,7 @@ public class AtlasAuthorizationUtils {
request.setClientIPAddress(RequestContext.get().getClientIPAddress());
request.setForwardedAddresses(RequestContext.get().getForwardedAddresses());
request.setRemoteIPAddress(RequestContext.get().getClientIPAddress());
+
ret = authorizer.isAccessAllowed(request);
} catch (AtlasAuthorizationException e) {
LOG.error("Unable to obtain AtlasAuthorizer", e);
@@ -186,6 +195,7 @@ public class AtlasAuthorizationUtils {
request.setClientIPAddress(RequestContext.get().getClientIPAddress());
request.setForwardedAddresses(RequestContext.get().getForwardedAddresses());
request.setRemoteIPAddress(RequestContext.get().getClientIPAddress());
+
ret = authorizer.isAccessAllowed(request);
} catch (AtlasAuthorizationException e) {
LOG.error("Unable to obtain AtlasAuthorizer", e);
@@ -200,8 +210,8 @@ public class AtlasAuthorizationUtils {
}
public static void filterTypesDef(AtlasTypesDefFilterRequest request) {
- MetricRecorder metric =
RequestContext.get().startMetricRecord("filterTypesDef");
- String userName = getCurrentUserName();
+ MetricRecorder metric =
RequestContext.get().startMetricRecord("filterTypesDef");
+ String userName = getCurrentUserName();
if (StringUtils.isNotEmpty(userName) &&
!RequestContext.get().isImportInProgress()) {
try {
@@ -221,13 +231,14 @@ public class AtlasAuthorizationUtils {
RequestContext.get().endMetricRecord(metric);
}
- public static List<String>
getForwardedAddressesFromRequest(HttpServletRequest httpServletRequest){
- String ipAddress = httpServletRequest.getHeader("X-FORWARDED-FOR");
- String[] forwardedAddresses = null ;
+ public static List<String>
getForwardedAddressesFromRequest(HttpServletRequest httpServletRequest) {
+ String ipAddress =
httpServletRequest.getHeader("X-FORWARDED-FOR");
+ String[] forwardedAddresses = null;
- if(!StringUtils.isEmpty(ipAddress)){
+ if (!StringUtils.isEmpty(ipAddress)) {
forwardedAddresses = ipAddress.split(",");
}
+
return forwardedAddresses != null ? Arrays.asList(forwardedAddresses)
: null;
}
@@ -245,8 +256,6 @@ public class AtlasAuthorizationUtils {
return ret;
}
-
-
public static String getCurrentUserName() {
Authentication auth =
SecurityContextHolder.getContext().getAuthentication();
diff --git
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java
index 21b8cf905..845b05f9a 100644
---
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java
+++
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -18,7 +18,6 @@
package org.apache.atlas.authorize;
-
import org.apache.atlas.model.instance.AtlasEntityHeader;
public interface AtlasAuthorizer {
@@ -62,8 +61,7 @@ public interface AtlasAuthorizer {
* @return
* @throws AtlasAuthorizationException
*/
- default
- boolean isAccessAllowed(AtlasRelationshipAccessRequest request) throws
AtlasAuthorizationException {
+ default boolean isAccessAllowed(AtlasRelationshipAccessRequest request)
throws AtlasAuthorizationException {
return true;
}
@@ -73,36 +71,33 @@ public interface AtlasAuthorizer {
* @return
* @throws AtlasAuthorizationException
*/
- default
- void scrubSearchResults(AtlasSearchResultScrubRequest request) throws
AtlasAuthorizationException {
+ default void scrubSearchResults(AtlasSearchResultScrubRequest request)
throws AtlasAuthorizationException {
}
- default
- void scrubEntityHeader(AtlasEntityHeader entity) {
+ default void scrubEntityHeader(AtlasEntityHeader entity) {
entity.setGuid("-1");
- if(entity.getAttributes() != null) {
+ if (entity.getAttributes() != null) {
entity.getAttributes().clear();
}
- if(entity.getClassifications() != null) {
+ if (entity.getClassifications() != null) {
entity.getClassifications().clear();
}
- if(entity.getClassificationNames() != null) {
+ if (entity.getClassificationNames() != null) {
entity.getClassificationNames().clear();
}
- if(entity.getMeanings() != null) {
+ if (entity.getMeanings() != null) {
entity.getMeanings().clear();
}
- if(entity.getMeaningNames() != null) {
+ if (entity.getMeaningNames() != null) {
entity.getMeaningNames().clear();
}
}
- default
- void filterTypesDef(AtlasTypesDefFilterRequest request) throws
AtlasAuthorizationException {
+ default void filterTypesDef(AtlasTypesDefFilterRequest request) throws
AtlasAuthorizationException {
}
}
diff --git
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java
index 72037eabb..d72fdda74 100644
---
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java
+++
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java
@@ -26,7 +26,6 @@ import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-
public class AtlasAuthorizerFactory {
private static final Logger LOG =
LoggerFactory.getLogger(AtlasAuthorizerFactory.class);
@@ -34,14 +33,20 @@ public class AtlasAuthorizerFactory {
private static final String SIMPLE_AUTHORIZER =
AtlasSimpleAuthorizer.class.getName();
private static final String RANGER_AUTHORIZER =
"org.apache.ranger.authorization.atlas.authorizer.RangerAtlasAuthorizer";
- private static volatile AtlasAuthorizer INSTANCE = null;
+ private static volatile AtlasAuthorizer instance;
+
+ private AtlasAuthorizerFactory() {
+ // to block instantiation
+ }
public static AtlasAuthorizer getAtlasAuthorizer() throws
AtlasAuthorizationException {
- AtlasAuthorizer ret = INSTANCE;
+ AtlasAuthorizer ret = AtlasAuthorizerFactory.instance;
if (ret == null) {
synchronized (AtlasAuthorizerFactory.class) {
- if (INSTANCE == null) {
+ ret = AtlasAuthorizerFactory.instance;
+
+ if (ret == null) {
Configuration configuration = null;
try {
@@ -67,21 +72,19 @@ public class AtlasAuthorizerFactory {
LOG.info("Initializing Authorizer {}", authorizerClass);
try {
- Class authorizerMetaObject =
Class.forName(authorizerClass);
+ Class<?> authorizerMetaObject =
Class.forName(authorizerClass);
- if (authorizerMetaObject != null) {
- INSTANCE = (AtlasAuthorizer)
authorizerMetaObject.newInstance();
+ ret = (AtlasAuthorizer)
authorizerMetaObject.newInstance();
- INSTANCE.init();
- }
+ ret.init();
+
+ AtlasAuthorizerFactory.instance = ret;
} catch (Exception e) {
LOG.error("Error while creating authorizer of type
{}", authorizerClass, e);
throw new AtlasAuthorizationException("Error while
creating authorizer of type '" + authorizerClass + "'", e);
}
}
-
- ret = INSTANCE;
}
}
diff --git
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java
index 6d49d54b1..10b8d4792 100644
---
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java
+++
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -34,7 +34,6 @@ public class AtlasEntityAccessRequest extends
AtlasAccessRequest {
private final AtlasTypeRegistry typeRegistry;
private final Set<String> entityClassifications;
-
public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry,
AtlasPrivilege action) {
this(typeRegistry, action, null, null, null, null, null, null, null);
}
@@ -197,5 +196,3 @@ public class AtlasEntityAccessRequest extends
AtlasAccessRequest {
}
}
}
-
-
diff --git
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasNoneAuthorizer.java
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasNoneAuthorizer.java
index a37104944..86909d924 100644
---
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasNoneAuthorizer.java
+++
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasNoneAuthorizer.java
@@ -21,7 +21,6 @@ package org.apache.atlas.authorize;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-
public class AtlasNoneAuthorizer implements AtlasAuthorizer {
private static final Logger LOG =
LoggerFactory.getLogger(AtlasNoneAuthorizer.class);
@@ -33,24 +32,24 @@ public class AtlasNoneAuthorizer implements AtlasAuthorizer
{
LOG.info("AtlasNoneAuthorizer.cleanUp()");
}
- public boolean isAccessAllowed(AtlasAdminAccessRequest request) throws
AtlasAuthorizationException {
+ public boolean isAccessAllowed(AtlasAdminAccessRequest request) {
return true;
}
- public boolean isAccessAllowed(AtlasEntityAccessRequest request) throws
AtlasAuthorizationException {
+ public boolean isAccessAllowed(AtlasEntityAccessRequest request) {
return true;
}
- public boolean isAccessAllowed(AtlasTypeAccessRequest request) throws
AtlasAuthorizationException {
+ public boolean isAccessAllowed(AtlasTypeAccessRequest request) {
return true;
}
@Override
- public boolean isAccessAllowed(AtlasRelationshipAccessRequest request)
throws AtlasAuthorizationException {
+ public boolean isAccessAllowed(AtlasRelationshipAccessRequest request) {
return true;
}
- public void scrubSearchResults(AtlasSearchResultScrubRequest request)
throws AtlasAuthorizationException {
-
+ @Override
+ public void scrubSearchResults(AtlasSearchResultScrubRequest request) {
}
}
diff --git
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java
index f270844c5..68402fd50 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -18,45 +18,45 @@
package org.apache.atlas.authorize;
public enum AtlasPrivilege {
- TYPE_CREATE("type-create"),
- TYPE_UPDATE("type-update"),
- TYPE_DELETE("type-delete"),
+ TYPE_CREATE("type-create"),
+ TYPE_UPDATE("type-update"),
+ TYPE_DELETE("type-delete"),
- ENTITY_READ("entity-read"),
- ENTITY_CREATE("entity-create"),
- ENTITY_UPDATE("entity-update"),
- ENTITY_DELETE("entity-delete"),
- ENTITY_READ_CLASSIFICATION("entity-read-classification"),
- ENTITY_ADD_CLASSIFICATION("entity-add-classification"),
- ENTITY_UPDATE_CLASSIFICATION("entity-update-classification"),
- ENTITY_REMOVE_CLASSIFICATION("entity-remove-classification"),
+ ENTITY_READ("entity-read"),
+ ENTITY_CREATE("entity-create"),
+ ENTITY_UPDATE("entity-update"),
+ ENTITY_DELETE("entity-delete"),
+ ENTITY_READ_CLASSIFICATION("entity-read-classification"),
+ ENTITY_ADD_CLASSIFICATION("entity-add-classification"),
+ ENTITY_UPDATE_CLASSIFICATION("entity-update-classification"),
+ ENTITY_REMOVE_CLASSIFICATION("entity-remove-classification"),
- ADMIN_EXPORT("admin-export"),
- ADMIN_IMPORT("admin-import"),
+ ADMIN_EXPORT("admin-export"),
+ ADMIN_IMPORT("admin-import"),
- RELATIONSHIP_ADD("add-relationship"),
- RELATIONSHIP_UPDATE("update-relationship"),
- RELATIONSHIP_REMOVE("remove-relationship"),
+ RELATIONSHIP_ADD("add-relationship"),
+ RELATIONSHIP_UPDATE("update-relationship"),
+ RELATIONSHIP_REMOVE("remove-relationship"),
- ADMIN_PURGE("admin-purge"),
+ ADMIN_PURGE("admin-purge"),
- ENTITY_ADD_LABEL("entity-add-label"),
- ENTITY_REMOVE_LABEL("entity-remove-label"),
- ENTITY_UPDATE_BUSINESS_METADATA("entity-update-business-metadata"),
+ ENTITY_ADD_LABEL("entity-add-label"),
+ ENTITY_REMOVE_LABEL("entity-remove-label"),
+ ENTITY_UPDATE_BUSINESS_METADATA("entity-update-business-metadata"),
- TYPE_READ("type-read"),
+ TYPE_READ("type-read"),
- ADMIN_AUDITS("admin-audits"),
+ ADMIN_AUDITS("admin-audits"),
- SERVICE_NOTIFICATION_POST("service-notification-post");
+ SERVICE_NOTIFICATION_POST("service-notification-post");
- private final String type;
+ private final String type;
- AtlasPrivilege(String actionType){
- this.type = actionType;
- }
+ AtlasPrivilege(String actionType) {
+ this.type = actionType;
+ }
- public String getType() {
- return type;
- }
+ public String getType() {
+ return type;
+ }
}
diff --git
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasRelationshipAccessRequest.java
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasRelationshipAccessRequest.java
index b530c01dd..de4389797 100644
---
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasRelationshipAccessRequest.java
+++
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasRelationshipAccessRequest.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -25,11 +25,10 @@ import java.util.Set;
public class AtlasRelationshipAccessRequest extends AtlasAccessRequest {
private final AtlasTypeRegistry typeRegistry;
- private final String relationshipType ;
+ private final String relationshipType;
private final AtlasEntityHeader end1Entity;
private final AtlasEntityHeader end2Entity;
-
public AtlasRelationshipAccessRequest(AtlasTypeRegistry typeRegistry,
AtlasPrivilege action, String relationshipType, AtlasEntityHeader end1Entity,
AtlasEntityHeader end2Entity) {
this(typeRegistry, action, relationshipType, end1Entity, end2Entity,
null, null);
}
@@ -55,7 +54,6 @@ public class AtlasRelationshipAccessRequest extends
AtlasAccessRequest {
return relationshipType;
}
-
public Set<String> getEnd1EntityTypeAndAllSuperTypes() {
return super.getEntityTypeAndAllSuperTypes(end1Entity == null ? null :
end1Entity.getTypeName(), typeRegistry);
}
diff --git
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasSearchResultScrubRequest.java
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasSearchResultScrubRequest.java
index 63468a7a3..52849dea4 100644
---
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasSearchResultScrubRequest.java
+++
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasSearchResultScrubRequest.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -26,7 +26,6 @@ public class AtlasSearchResultScrubRequest extends
AtlasAccessRequest {
private final AtlasTypeRegistry typeRegistry;
private final AtlasSearchResult searchResult;
-
public AtlasSearchResultScrubRequest(AtlasTypeRegistry typeRegistry,
AtlasSearchResult searchResult) {
this(typeRegistry, searchResult, null, null);
}
@@ -38,7 +37,9 @@ public class AtlasSearchResultScrubRequest extends
AtlasAccessRequest {
this.searchResult = searchResult;
}
- public AtlasTypeRegistry getTypeRegistry() { return typeRegistry; }
+ public AtlasTypeRegistry getTypeRegistry() {
+ return typeRegistry;
+ }
public AtlasSearchResult getSearchResult() {
return searchResult;
@@ -51,5 +52,3 @@ public class AtlasSearchResultScrubRequest extends
AtlasAccessRequest {
", forwardedAddresses=" + getForwardedAddresses() + ",
remoteIPAddress=" + getRemoteIPAddress() + "]";
}
}
-
-
diff --git
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java
index 510be3522..e645e3087 100644
---
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java
+++
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -24,7 +24,6 @@ import java.util.Set;
public class AtlasTypeAccessRequest extends AtlasAccessRequest {
private final AtlasBaseTypeDef typeDef;
-
public AtlasTypeAccessRequest(AtlasPrivilege action, AtlasBaseTypeDef
typeDef) {
super(action);
diff --git
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypesDefFilterRequest.java
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypesDefFilterRequest.java
index a2dc11f8f..ed40a5c68 100644
---
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypesDefFilterRequest.java
+++
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypesDefFilterRequest.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -24,7 +24,6 @@ import java.util.Set;
public class AtlasTypesDefFilterRequest extends AtlasAccessRequest {
private final AtlasTypesDef typesDef;
-
public AtlasTypesDefFilterRequest(AtlasTypesDef typesDef) {
super(AtlasPrivilege.TYPE_READ);
diff --git
a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java
b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java
index d80cab4bc..e5687249d 100755
---
a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java
+++
b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -18,18 +18,22 @@
package org.apache.atlas.authorize.simple;
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.ListIterator;
-import java.util.Set;
-
import org.apache.atlas.ApplicationProperties;
import org.apache.atlas.AtlasException;
-import org.apache.atlas.authorize.*;
-import org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.*;
+import org.apache.atlas.authorize.AtlasAccessRequest;
+import org.apache.atlas.authorize.AtlasAdminAccessRequest;
+import org.apache.atlas.authorize.AtlasAuthorizer;
+import org.apache.atlas.authorize.AtlasEntityAccessRequest;
+import org.apache.atlas.authorize.AtlasPrivilege;
+import org.apache.atlas.authorize.AtlasRelationshipAccessRequest;
+import org.apache.atlas.authorize.AtlasSearchResultScrubRequest;
+import org.apache.atlas.authorize.AtlasTypeAccessRequest;
+import org.apache.atlas.authorize.AtlasTypesDefFilterRequest;
+import
org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.AtlasAdminPermission;
+import org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.AtlasAuthzRole;
+import
org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.AtlasEntityPermission;
+import
org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.AtlasRelationshipPermission;
+import
org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.AtlasTypePermission;
import org.apache.atlas.model.discovery.AtlasSearchResult;
import org.apache.atlas.model.discovery.AtlasSearchResult.AtlasFullTextResult;
import org.apache.atlas.model.instance.AtlasEntityHeader;
@@ -42,6 +46,13 @@ import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.HashSet;
+import java.util.List;
+import java.util.ListIterator;
+import java.util.Set;
+
import static
org.apache.atlas.authorize.AtlasPrivilege.ENTITY_ADD_CLASSIFICATION;
import static
org.apache.atlas.authorize.AtlasPrivilege.ENTITY_REMOVE_CLASSIFICATION;
import static
org.apache.atlas.authorize.AtlasPrivilege.ENTITY_UPDATE_CLASSIFICATION;
@@ -50,22 +61,15 @@ import static
org.apache.atlas.authorize.AtlasPrivilege.TYPE_DELETE;
import static org.apache.atlas.authorize.AtlasPrivilege.TYPE_READ;
import static org.apache.atlas.authorize.AtlasPrivilege.TYPE_UPDATE;
-
public final class AtlasSimpleAuthorizer implements AtlasAuthorizer {
private static final Logger LOG =
LoggerFactory.getLogger(AtlasSimpleAuthorizer.class);
- private final static String WILDCARD_ASTERISK = "*";
-
- private final static Set<AtlasPrivilege> CLASSIFICATION_PRIVILEGES = new
HashSet<AtlasPrivilege>() {{
-
add(ENTITY_ADD_CLASSIFICATION);
-
add(ENTITY_REMOVE_CLASSIFICATION);
-
add(ENTITY_UPDATE_CLASSIFICATION);
- }};
+ private static final Set<AtlasPrivilege> CLASSIFICATION_PRIVILEGES = new
HashSet<>();
+ private static final String REGEX_MATCHALL = ".*";
+ private static final String WILDCARD_ASTERISK = "*";
private AtlasSimpleAuthzPolicy authzPolicy;
- private final static String REGEX_MATCHALL = ".*";
-
public AtlasSimpleAuthorizer() {
}
@@ -73,11 +77,7 @@ public final class AtlasSimpleAuthorizer implements
AtlasAuthorizer {
public void init() {
LOG.info("==> SimpleAtlasAuthorizer.init()");
- InputStream inputStream = null;
-
- try {
- inputStream =
ApplicationProperties.getFileAsInputStream(ApplicationProperties.get(),
"atlas.authorizer.simple.authz.policy.file", "atlas-simple-authz-policy.json");
-
+ try (InputStream inputStream =
ApplicationProperties.getFileAsInputStream(ApplicationProperties.get(),
"atlas.authorizer.simple.authz.policy.file", "atlas-simple-authz-policy.json"))
{
authzPolicy = AtlasJson.fromJson(inputStream,
AtlasSimpleAuthzPolicy.class);
addImpliedTypeReadPrivilege(authzPolicy);
@@ -85,14 +85,6 @@ public final class AtlasSimpleAuthorizer implements
AtlasAuthorizer {
LOG.error("SimpleAtlasAuthorizer.init(): initialization failed",
e);
throw new RuntimeException(e);
- } finally {
- if (inputStream != null) {
- try {
- inputStream.close();
- } catch (IOException excp) {
- // ignore
- }
- }
}
LOG.info("<== SimpleAtlasAuthorizer.init()");
@@ -108,13 +100,10 @@ public final class AtlasSimpleAuthorizer implements
AtlasAuthorizer {
}
@Override
- public boolean isAccessAllowed(AtlasAdminAccessRequest request) throws
AtlasAuthorizationException {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})",
request);
- }
-
- boolean ret = false;
+ public boolean isAccessAllowed(AtlasAdminAccessRequest request) {
+ LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", request);
+ boolean ret = false;
Set<String> roles = getRoles(request.getUser(),
request.getUserGroups());
for (String role : roles) {
@@ -133,19 +122,60 @@ public final class AtlasSimpleAuthorizer implements
AtlasAuthorizer {
}
}
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}",
request, ret);
- }
+ LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}",
request, ret);
return ret;
}
@Override
- public boolean isAccessAllowed(AtlasTypeAccessRequest request) throws
AtlasAuthorizationException {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})",
request);
+ public boolean isAccessAllowed(AtlasEntityAccessRequest request) {
+ LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", request);
+
+ boolean ret = false;
+ final String action = request.getAction() != null ?
request.getAction().getType() : null;
+ final Set<String> entityTypes =
request.getEntityTypeAndAllSuperTypes();
+ final String entityId = request.getEntityId();
+ final String attribute = request.getAttributeName();
+ final Set<String> entClsToAuthz = new
HashSet<>(request.getEntityClassifications());
+ final Set<String> roles = getRoles(request.getUser(),
request.getUserGroups());
+
+ for (String role : roles) {
+ List<AtlasEntityPermission> permissions =
getEntityPermissionsForRole(role);
+
+ if (permissions != null) {
+ for (AtlasEntityPermission permission : permissions) {
+ if (isMatch(action, permission.getPrivileges()) &&
isMatchAny(entityTypes, permission.getEntityTypes()) &&
+ isMatch(entityId, permission.getEntityIds()) &&
isMatch(attribute, permission.getAttributes()) &&
+ isLabelMatch(request, permission) &&
isBusinessMetadataMatch(request, permission) && isClassificationMatch(request,
permission)) {
+ // 1. entity could have multiple classifications
+ // 2. access for these classifications could be
granted by multiple AtlasEntityPermission entries
+ // 3. classifications allowed by the current
permission will be removed from entClsToAuthz
+ // 4. request will be allowed once entClsToAuthz is
empty i.e. user has permission for all classifications
+ entClsToAuthz.removeIf(entityClassification ->
isMatchAny(request.getClassificationTypeAndAllSuperTypes(entityClassification),
permission.getEntityClassifications()));
+
+ ret = CollectionUtils.isEmpty(entClsToAuthz);
+
+ if (ret) {
+ break;
+ }
+ }
+ }
+ }
}
+ if (!ret) {
+ LOG.debug("isAccessAllowed={}; classificationsWithNoAccess={}",
ret, entClsToAuthz);
+ }
+
+ LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}",
request, ret);
+
+ return ret;
+ }
+
+ @Override
+ public boolean isAccessAllowed(AtlasTypeAccessRequest request) {
+ LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", request);
+
boolean ret = false;
Set<String> roles = getRoles(request.getUser(),
request.getUserGroups());
@@ -160,8 +190,8 @@ public final class AtlasSimpleAuthorizer implements
AtlasAuthorizer {
for (AtlasTypePermission permission : permissions) {
if (isMatch(action, permission.getPrivileges()) &&
- isMatch(typeCategory, permission.getTypeCategories())
&&
- isMatch(typeName, permission.getTypeNames())) {
+ isMatch(typeCategory,
permission.getTypeCategories()) &&
+ isMatch(typeName, permission.getTypeNames())) {
ret = true;
break;
@@ -170,15 +200,13 @@ public final class AtlasSimpleAuthorizer implements
AtlasAuthorizer {
}
}
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}",
request, ret);
- }
+ LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}",
request, ret);
return ret;
}
@Override
- public boolean isAccessAllowed(AtlasRelationshipAccessRequest request)
throws AtlasAuthorizationException {
+ public boolean isAccessAllowed(AtlasRelationshipAccessRequest request) {
final Set<String> roles =
getRoles(request.getUser(), request.getUserGroups());
final String relationShipType =
request.getRelationshipType();
final Set<String> end1EntityTypeAndSuperTypes =
request.getEnd1EntityTypeAndAllSuperTypes();
@@ -203,29 +231,17 @@ public final class AtlasSimpleAuthorizer implements
AtlasAuthorizer {
if (isMatch(relationShipType,
permission.getRelationshipTypes()) && isMatch(action,
permission.getPrivileges())) {
//End1 permission check
if (!hasEnd1EntityAccess) {
- if (isMatchAny(end1EntityTypeAndSuperTypes,
permission.getEnd1EntityType()) && isMatch(end1EntityId,
permission.getEnd1EntityId())) {
- for (Iterator<String> iter =
end1Classifications.iterator(); iter.hasNext();) {
- String entityClassification = iter.next();
+ if (isMatchAny(end1EntityTypeAndSuperTypes,
permission.getEnd1EntityType()) && isMatch(end1EntityId,
permission.getEnd1EntityId())) {
+ end1Classifications.removeIf(entityClassification
->
isMatchAny(request.getClassificationTypeAndAllSuperTypes(entityClassification),
permission.getEnd1EntityClassification()));
- if
(isMatchAny(request.getClassificationTypeAndAllSuperTypes(entityClassification),
permission.getEnd1EntityClassification())) {
- iter.remove();
- }
- }
-
- hasEnd1EntityAccess =
CollectionUtils.isEmpty(end1Classifications);
+ hasEnd1EntityAccess =
CollectionUtils.isEmpty(end1Classifications);
}
}
//End2 permission chech
if (!hasEnd2EntityAccess) {
if (isMatchAny(end2EntityTypeAndSuperTypes,
permission.getEnd2EntityType()) && isMatch(end2EntityId,
permission.getEnd2EntityId())) {
- for (Iterator<String> iter =
end2Classifications.iterator(); iter.hasNext();) {
- String entityClassification = iter.next();
-
- if
(isMatchAny(request.getClassificationTypeAndAllSuperTypes(entityClassification),
permission.getEnd2EntityClassification())) {
- iter.remove();
- }
- }
+ end2Classifications.removeIf(entityClassification
->
isMatchAny(request.getClassificationTypeAndAllSuperTypes(entityClassification),
permission.getEnd2EntityClassification()));
hasEnd2EntityAccess =
CollectionUtils.isEmpty(end2Classifications);
}
@@ -238,66 +254,8 @@ public final class AtlasSimpleAuthorizer implements
AtlasAuthorizer {
}
@Override
- public boolean isAccessAllowed(AtlasEntityAccessRequest request) throws
AtlasAuthorizationException {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})",
request);
- }
-
- boolean ret = false;
- final String action = request.getAction() != null ?
request.getAction().getType() : null;
- final Set<String> entityTypes =
request.getEntityTypeAndAllSuperTypes();
- final String entityId = request.getEntityId();
- final String attribute = request.getAttributeName();
- final Set<String> entClsToAuthz = new
HashSet<>(request.getEntityClassifications());
- final Set<String> roles = getRoles(request.getUser(),
request.getUserGroups());
-
- for (String role : roles) {
- List<AtlasEntityPermission> permissions =
getEntityPermissionsForRole(role);
-
- if (permissions != null) {
- for (AtlasEntityPermission permission : permissions) {
- if (isMatch(action, permission.getPrivileges()) &&
isMatchAny(entityTypes, permission.getEntityTypes()) &&
- isMatch(entityId, permission.getEntityIds()) &&
isMatch(attribute, permission.getAttributes()) &&
- isLabelMatch(request, permission) &&
isBusinessMetadataMatch(request, permission) && isClassificationMatch(request,
permission)) {
-
- // 1. entity could have multiple classifications
- // 2. access for these classifications could be
granted by multiple AtlasEntityPermission entries
- // 3. classifications allowed by the current
permission will be removed from entClsToAuthz
- // 4. request will be allowed once entClsToAuthz is
empty i.e. user has permission for all classifications
- for (Iterator<String> iter = entClsToAuthz.iterator();
iter.hasNext(); ) {
- String entityClassification = iter.next();
-
- if
(isMatchAny(request.getClassificationTypeAndAllSuperTypes(entityClassification),
permission.getEntityClassifications())) {
- iter.remove();
- }
- }
-
- ret = CollectionUtils.isEmpty(entClsToAuthz);
-
- if (ret) {
- break;
- }
- }
- }
- }
- }
-
- if (LOG.isDebugEnabled()) {
- if (!ret) {
- LOG.debug("isAccessAllowed={};
classificationsWithNoAccess={}", ret, entClsToAuthz);
- }
-
- LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}",
request, ret);
- }
-
- return ret;
- }
-
- @Override
- public void scrubSearchResults(AtlasSearchResultScrubRequest request)
throws AtlasAuthorizationException {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> SimpleAtlasAuthorizer.scrubSearchResults({})",
request);
- }
+ public void scrubSearchResults(AtlasSearchResultScrubRequest request) {
+ LOG.debug("==> SimpleAtlasAuthorizer.scrubSearchResults({})", request);
final AtlasSearchResult result = request.getSearchResult();
@@ -321,13 +279,11 @@ public final class AtlasSimpleAuthorizer implements
AtlasAuthorizer {
}
}
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== SimpleAtlasAuthorizer.scrubSearchResults({}): {}",
request, result);
- }
+ LOG.debug("<== SimpleAtlasAuthorizer.scrubSearchResults({}): {}",
request, result);
}
@Override
- public void filterTypesDef(AtlasTypesDefFilterRequest request) throws
AtlasAuthorizationException {
+ public void filterTypesDef(AtlasTypesDefFilterRequest request) {
AtlasTypesDef typesDef = request.getTypesDef();
filterTypes(request, typesDef.getEnumDefs());
@@ -361,9 +317,7 @@ public final class AtlasSimpleAuthorizer implements
AtlasAuthorizer {
}
}
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== getRoles({}, {}): {}", userName, userGroups, ret);
- }
+ LOG.debug("<== getRoles({}, {}): {}", userName, userGroups, ret);
return ret;
}
@@ -404,7 +358,6 @@ public final class AtlasSimpleAuthorizer implements
AtlasAuthorizer {
return ret;
}
-
private List<AtlasRelationshipPermission>
getRelationshipPermissionsForRole(String roleName) {
List<AtlasRelationshipPermission> ret = null;
@@ -418,11 +371,9 @@ public final class AtlasSimpleAuthorizer implements
AtlasAuthorizer {
}
private boolean isMatch(String value, List<String> patterns) {
- boolean ret = false;
+ boolean ret = value == null;
- if (value == null) {
- ret = true;
- } if (CollectionUtils.isNotEmpty(patterns)) {
+ if (CollectionUtils.isNotEmpty(patterns)) {
for (String pattern : patterns) {
if (isMatch(value, pattern)) {
ret = true;
@@ -432,7 +383,7 @@ public final class AtlasSimpleAuthorizer implements
AtlasAuthorizer {
}
}
- if (!ret && LOG.isDebugEnabled()) {
+ if (!ret) {
LOG.debug("<== isMatch({}, {}): {}", value, patterns, ret);
}
@@ -440,11 +391,9 @@ public final class AtlasSimpleAuthorizer implements
AtlasAuthorizer {
}
private boolean isMatchAny(Set<String> values, List<String> patterns) {
- boolean ret = false;
+ boolean ret = CollectionUtils.isEmpty(values);
- if (CollectionUtils.isEmpty(values)) {
- ret = true;
- }if (CollectionUtils.isNotEmpty(patterns)) {
+ if (CollectionUtils.isNotEmpty(patterns)) {
for (String value : values) {
if (isMatch(value, patterns)) {
ret = true;
@@ -454,7 +403,7 @@ public final class AtlasSimpleAuthorizer implements
AtlasAuthorizer {
}
}
- if (!ret && LOG.isDebugEnabled()) {
+ if (!ret) {
LOG.debug("<== isMatchAny({}, {}): {}", values, patterns, ret);
}
@@ -473,7 +422,7 @@ public final class AtlasSimpleAuthorizer implements
AtlasAuthorizer {
return ret;
}
- private void checkAccessAndScrub(AtlasEntityHeader entity,
AtlasSearchResultScrubRequest request) throws AtlasAuthorizationException {
+ private void checkAccessAndScrub(AtlasEntityHeader entity,
AtlasSearchResultScrubRequest request) {
if (entity != null && request != null) {
final AtlasEntityAccessRequest entityAccessRequest = new
AtlasEntityAccessRequest(request.getTypeRegistry(), AtlasPrivilege.ENTITY_READ,
entity, request.getUser(), request.getUserGroups());
@@ -486,20 +435,20 @@ public final class AtlasSimpleAuthorizer implements
AtlasAuthorizer {
}
private boolean isLabelMatch(AtlasEntityAccessRequest request,
AtlasEntityPermission permission) {
- return (AtlasPrivilege.ENTITY_ADD_LABEL.equals(request.getAction()) ||
AtlasPrivilege.ENTITY_REMOVE_LABEL.equals(request.getAction())) ?
isMatch(request.getLabel(), permission.getLabels()) : true;
+ return !AtlasPrivilege.ENTITY_ADD_LABEL.equals(request.getAction()) &&
!AtlasPrivilege.ENTITY_REMOVE_LABEL.equals(request.getAction()) ||
isMatch(request.getLabel(), permission.getLabels());
}
private boolean isBusinessMetadataMatch(AtlasEntityAccessRequest request,
AtlasEntityPermission permission) {
- return
AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA.equals(request.getAction()) ?
isMatch(request.getBusinessMetadata(), permission.getBusinessMetadata()) : true;
+ return
!AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA.equals(request.getAction()) ||
isMatch(request.getBusinessMetadata(), permission.getBusinessMetadata());
}
private boolean isClassificationMatch(AtlasEntityAccessRequest request,
AtlasEntityPermission permission) {
- return (CLASSIFICATION_PRIVILEGES.contains(request.getAction()) &&
request.getClassification() != null) ?
isMatch(request.getClassification().getTypeName(),
permission.getClassifications()) : true;
+ return !CLASSIFICATION_PRIVILEGES.contains(request.getAction()) ||
request.getClassification() == null ||
isMatch(request.getClassification().getTypeName(),
permission.getClassifications());
}
- private void filterTypes(AtlasAccessRequest request, List<? extends
AtlasBaseTypeDef> typeDefs)throws AtlasAuthorizationException {
+ private void filterTypes(AtlasAccessRequest request, List<? extends
AtlasBaseTypeDef> typeDefs) {
if (typeDefs != null) {
- for (ListIterator<? extends AtlasBaseTypeDef> iter =
typeDefs.listIterator(); iter.hasNext();) {
+ for (ListIterator<? extends AtlasBaseTypeDef> iter =
typeDefs.listIterator(); iter.hasNext(); ) {
AtlasBaseTypeDef typeDef = iter.next();
AtlasTypeAccessRequest typeRequest = new
AtlasTypeAccessRequest(request.getAction(), typeDef, request.getUser(),
request.getUserGroups());
@@ -536,6 +485,10 @@ public final class AtlasSimpleAuthorizer implements
AtlasAuthorizer {
}
}
}
-}
-
+ static {
+ CLASSIFICATION_PRIVILEGES.add(ENTITY_ADD_CLASSIFICATION);
+ CLASSIFICATION_PRIVILEGES.add(ENTITY_REMOVE_CLASSIFICATION);
+ CLASSIFICATION_PRIVILEGES.add(ENTITY_UPDATE_CLASSIFICATION);
+ }
+}
diff --git
a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzPolicy.java
b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzPolicy.java
index ee13233ef..b4899a8bd 100644
---
a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzPolicy.java
+++
b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzPolicy.java
@@ -1,13 +1,14 @@
-/** Licensed to the Apache Software Foundation (ASF) under one
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -18,11 +19,12 @@ package org.apache.atlas.authorize.simple;
import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import com.fasterxml.jackson.annotation.JsonInclude;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlRootElement;
+
import java.io.Serializable;
import java.util.List;
import java.util.Map;
@@ -30,9 +32,9 @@ import java.util.Map;
import static com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility.NONE;
import static
com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility.PUBLIC_ONLY;
-@JsonAutoDetect(getterVisibility=PUBLIC_ONLY, setterVisibility=PUBLIC_ONLY,
fieldVisibility=NONE)
-@JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL)
-@JsonIgnoreProperties(ignoreUnknown=true)
+@JsonAutoDetect(getterVisibility = PUBLIC_ONLY, setterVisibility =
PUBLIC_ONLY, fieldVisibility = NONE)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown = true)
@XmlRootElement
@XmlAccessorType(XmlAccessType.PROPERTY)
public class AtlasSimpleAuthzPolicy implements Serializable {
@@ -42,7 +44,6 @@ public class AtlasSimpleAuthzPolicy implements Serializable {
private Map<String, List<String>> userRoles;
private Map<String, List<String>> groupRoles;
-
public Map<String, AtlasAuthzRole> getRoles() {
return roles;
}
@@ -67,10 +68,9 @@ public class AtlasSimpleAuthzPolicy implements Serializable {
this.groupRoles = groupRoles;
}
-
- @JsonAutoDetect(getterVisibility=PUBLIC_ONLY,
setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE)
- @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL)
- @JsonIgnoreProperties(ignoreUnknown=true)
+ @JsonAutoDetect(getterVisibility = PUBLIC_ONLY, setterVisibility =
PUBLIC_ONLY, fieldVisibility = NONE)
+ @JsonInclude(JsonInclude.Include.NON_NULL)
+ @JsonIgnoreProperties(ignoreUnknown = true)
@XmlRootElement
@XmlAccessorType(XmlAccessType.PROPERTY)
public static class AtlasAuthzRole implements Serializable {
@@ -122,12 +122,11 @@ public class AtlasSimpleAuthzPolicy implements
Serializable {
public void
setRelationshipPermissions(List<AtlasRelationshipPermission>
relationshipPermissions) {
this.relationshipPermissions = relationshipPermissions;
}
-
}
- @JsonAutoDetect(getterVisibility=PUBLIC_ONLY,
setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE)
- @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL)
- @JsonIgnoreProperties(ignoreUnknown=true)
+ @JsonAutoDetect(getterVisibility = PUBLIC_ONLY, setterVisibility =
PUBLIC_ONLY, fieldVisibility = NONE)
+ @JsonInclude(JsonInclude.Include.NON_NULL)
+ @JsonIgnoreProperties(ignoreUnknown = true)
@XmlRootElement
@XmlAccessorType(XmlAccessType.PROPERTY)
public static class AtlasAdminPermission implements Serializable {
@@ -151,9 +150,9 @@ public class AtlasSimpleAuthzPolicy implements Serializable
{
}
}
- @JsonAutoDetect(getterVisibility=PUBLIC_ONLY,
setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE)
- @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL)
- @JsonIgnoreProperties(ignoreUnknown=true)
+ @JsonAutoDetect(getterVisibility = PUBLIC_ONLY, setterVisibility =
PUBLIC_ONLY, fieldVisibility = NONE)
+ @JsonInclude(JsonInclude.Include.NON_NULL)
+ @JsonIgnoreProperties(ignoreUnknown = true)
@XmlRootElement
@XmlAccessorType(XmlAccessType.PROPERTY)
public static class AtlasTypePermission implements Serializable {
@@ -197,9 +196,9 @@ public class AtlasSimpleAuthzPolicy implements Serializable
{
}
}
- @JsonAutoDetect(getterVisibility=PUBLIC_ONLY,
setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE)
- @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL)
- @JsonIgnoreProperties(ignoreUnknown=true)
+ @JsonAutoDetect(getterVisibility = PUBLIC_ONLY, setterVisibility =
PUBLIC_ONLY, fieldVisibility = NONE)
+ @JsonInclude(JsonInclude.Include.NON_NULL)
+ @JsonIgnoreProperties(ignoreUnknown = true)
@XmlRootElement
@XmlAccessorType(XmlAccessType.PROPERTY)
public static class AtlasEntityPermission implements Serializable {
@@ -297,10 +296,9 @@ public class AtlasSimpleAuthzPolicy implements
Serializable {
}
}
-
- @JsonAutoDetect(getterVisibility=PUBLIC_ONLY,
setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE)
- @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL)
- @JsonIgnoreProperties(ignoreUnknown=true)
+ @JsonAutoDetect(getterVisibility = PUBLIC_ONLY, setterVisibility =
PUBLIC_ONLY, fieldVisibility = NONE)
+ @JsonInclude(JsonInclude.Include.NON_NULL)
+ @JsonIgnoreProperties(ignoreUnknown = true)
@XmlRootElement
@XmlAccessorType(XmlAccessType.PROPERTY)
public static class AtlasRelationshipPermission implements Serializable {
@@ -315,7 +313,6 @@ public class AtlasSimpleAuthzPolicy implements Serializable
{
private List<String> end2EntityId; // value of end2
entity-unique attribute, wildcards supported
private List<String> end2EntityClassification; // name of end2
classification-type, wildcards supported
-
public AtlasRelationshipPermission() {
}
diff --git
a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzUpdateTool.java
b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzUpdateTool.java
index fddde986b..83f3786a8 100644
---
a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzUpdateTool.java
+++
b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzUpdateTool.java
@@ -1,13 +1,14 @@
-/** Licensed to the Apache Software Foundation (ASF) under one
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -17,52 +18,46 @@
package org.apache.atlas.authorize.simple;
-import java.io.IOException;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializationFeature;
+import org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.AtlasAuthzRole;
+import
org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.AtlasRelationshipPermission;
import java.io.File;
+import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
-
import java.util.ArrayList;
+import java.util.Collections;
import java.util.List;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.fasterxml.jackson.databind.*;
-import com.fasterxml.jackson.databind.SerializationFeature;
-
public class AtlasSimpleAuthzUpdateTool {
-
+ private AtlasSimpleAuthzUpdateTool() {
+ // to block instantiation
+ }
public static void main(String[] args) {
-
- if (args != null & args.length > 0) {
+ if (args != null && args.length > 0) {
updateSimpleAuthzJsonWithRelationshipPermissions(args[0]);
} else {
System.out.println("Provide Atlas conf path");
}
-
}
-
public static void updateSimpleAuthzJsonWithRelationshipPermissions(String
jsonConfPath) {
-
- List<String> wildCard = new ArrayList<String>();
- wildCard.add(".*");
+ List<String> wildCard = new
ArrayList<>(Collections.singletonList(".*"));
try {
-
- ObjectMapper mapper = new ObjectMapper();
- AtlasSimpleAuthzPolicy authzPolicy = mapper.readValue(new
File(jsonConfPath + "/atlas-simple-authz-policy.json"),
AtlasSimpleAuthzPolicy.class);
-
-
- AtlasSimpleAuthzPolicy.AtlasAuthzRole dataAdmin =
authzPolicy.getRoles().get("ROLE_ADMIN");
- boolean permissionUpdated = false;
-
+ ObjectMapper mapper = new ObjectMapper();
+ AtlasSimpleAuthzPolicy authzPolicy = mapper.readValue(new
File(jsonConfPath + "/atlas-simple-authz-policy.json"),
AtlasSimpleAuthzPolicy.class);
+ AtlasAuthzRole dataAdmin =
authzPolicy.getRoles().get("ROLE_ADMIN");
+ boolean permissionUpdated = false;
if (dataAdmin != null && dataAdmin.getRelationshipPermissions() ==
null) {
- AtlasSimpleAuthzPolicy.AtlasRelationshipPermission
relationshipPermissions = new
AtlasSimpleAuthzPolicy.AtlasRelationshipPermission();
- relationshipPermissions.setPrivileges(wildCard);
+ AtlasRelationshipPermission relationshipPermissions = new
AtlasRelationshipPermission();
+ relationshipPermissions.setPrivileges(wildCard);
relationshipPermissions.setRelationshipTypes(wildCard);
relationshipPermissions.setEnd1EntityClassification(wildCard);
@@ -73,25 +68,23 @@ public class AtlasSimpleAuthzUpdateTool {
relationshipPermissions.setEnd2EntityId(wildCard);
relationshipPermissions.setEnd2EntityType(wildCard);
- List<AtlasSimpleAuthzPolicy.AtlasRelationshipPermission>
relationshipPermissionsList = new
ArrayList<AtlasSimpleAuthzPolicy.AtlasRelationshipPermission>();
-
-
- relationshipPermissionsList.add(relationshipPermissions);
+ List<AtlasRelationshipPermission> relationshipPermissionsList
= new ArrayList<>(Collections.singletonList(relationshipPermissions));
dataAdmin.setRelationshipPermissions(relationshipPermissionsList);
+
permissionUpdated = true;
}
-
- AtlasSimpleAuthzPolicy.AtlasAuthzRole dataSteward =
authzPolicy.getRoles().get("DATA_STEWARD");
- List<String> permissiondataSteward = new ArrayList<String>();
+ AtlasAuthzRole dataSteward =
authzPolicy.getRoles().get("DATA_STEWARD");
+ List<String> permissiondataSteward = new ArrayList<>();
permissiondataSteward.add("add-relationship");
permissiondataSteward.add("update-relationship");
permissiondataSteward.add("remove-relationship");
if (dataSteward != null &&
dataSteward.getRelationshipPermissions() == null) {
- AtlasSimpleAuthzPolicy.AtlasRelationshipPermission
relationshipPermissions = new
AtlasSimpleAuthzPolicy.AtlasRelationshipPermission();
+ AtlasRelationshipPermission relationshipPermissions = new
AtlasRelationshipPermission();
+
relationshipPermissions.setPrivileges(permissiondataSteward);
relationshipPermissions.setRelationshipTypes(wildCard);
@@ -103,29 +96,26 @@ public class AtlasSimpleAuthzUpdateTool {
relationshipPermissions.setEnd2EntityId(wildCard);
relationshipPermissions.setEnd2EntityType(wildCard);
+ List<AtlasRelationshipPermission> relationshipPermissionsList
= new ArrayList<>(Collections.singletonList(relationshipPermissions));
- List<AtlasSimpleAuthzPolicy.AtlasRelationshipPermission>
relationshipPermissionsList = new
ArrayList<AtlasSimpleAuthzPolicy.AtlasRelationshipPermission>();
- relationshipPermissionsList.add(relationshipPermissions);
dataSteward.setRelationshipPermissions(relationshipPermissionsList);
+
permissionUpdated = true;
}
- if(permissionUpdated) {
+ if (permissionUpdated) {
writeUsingFiles(jsonConfPath +
"/atlas-simple-authz-policy.json", toJson(authzPolicy, mapper));
}
-
-
} catch (Exception e) {
System.err.println(" Error while updating JSON " + e.getMessage());
}
-
}
-
public static String toJson(Object obj, ObjectMapper mapper) {
mapper.enable(SerializationFeature.INDENT_OUTPUT); // to beautify json
String ret;
+
try {
if (obj instanceof JsonNode && ((JsonNode) obj).isTextual()) {
ret = ((JsonNode) obj).textValue();
@@ -133,18 +123,17 @@ public class AtlasSimpleAuthzUpdateTool {
ret = mapper.writeValueAsString(obj);
}
} catch (IOException e) {
-
ret = null;
}
+
return ret;
}
-
private static void writeUsingFiles(String file, String data) {
try {
- Files.write(Paths.get( file ), data.getBytes());
+ Files.write(Paths.get(file), data.getBytes());
} catch (IOException e) {
System.err.println(" Error while writeUsingFiles JSON " +
e.getMessage());
}
}
-}
\ No newline at end of file
+}
diff --git
a/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizerTest.java
b/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizerTest.java
index 8d38ebe8c..406af0f7f 100644
---
a/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizerTest.java
+++
b/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizerTest.java
@@ -16,16 +16,22 @@
*/
package org.apache.atlas.authorize.simple;
-import org.apache.atlas.authorize.*;
+import org.apache.atlas.authorize.AtlasAccessRequest;
+import org.apache.atlas.authorize.AtlasAuthorizationException;
+import org.apache.atlas.authorize.AtlasAuthorizer;
+import org.apache.atlas.authorize.AtlasAuthorizerFactory;
+import org.apache.atlas.authorize.AtlasEntityAccessRequest;
+import org.apache.atlas.authorize.AtlasPrivilege;
import org.apache.atlas.model.instance.AtlasClassification;
import org.apache.atlas.model.instance.AtlasEntityHeader;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.testng.AssertJUnit;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;
-import org.testng.AssertJUnit;
+import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
@@ -34,7 +40,7 @@ import java.util.Map;
import java.util.Set;
public class AtlasSimpleAuthorizerTest {
- private static Logger LOG =
LoggerFactory.getLogger(AtlasSimpleAuthorizerTest.class);
+ private static final Logger LOG =
LoggerFactory.getLogger(AtlasSimpleAuthorizerTest.class);
private static final String USER_ADMIN = "admin";
private static final String USER_DATA_SCIENTIST = "dataScientist";
@@ -45,29 +51,9 @@ public class AtlasSimpleAuthorizerTest {
private static final String USER_IN_ADMIN_GROUP = "admin-group-user";
private static final String USER_IN_UNKNOWN_GROUP = "unknown-group-user";
- private static final Map<String, Set<String>> USER_GROUPS = new
HashMap<String, Set<String>>() {{
-
put(USER_ADMIN, Collections.singleton("ROLE_ADMIN"));
-
put(USER_DATA_STEWARD, Collections.emptySet());
-
put(USER_DATA_SCIENTIST, Collections.emptySet());
-
put(USER_DATA_STEWARD_EX, Collections.singleton("DATA_STEWARD_EX"));
-
put(USER_FINANCE, Collections.singleton("FINANCE"));
-
put(USER_FINANCE_PII, Collections.singleton("FINANCE_PII"));
-
put(USER_IN_ADMIN_GROUP, Collections.singleton("ROLE_ADMIN"));
-
put(USER_IN_UNKNOWN_GROUP, Collections.singleton("UNKNOWN_GROUP"));
- }};
-
- private static final List<AtlasPrivilege> ENTITY_PRIVILEGES =
Arrays.asList(AtlasPrivilege.ENTITY_CREATE,
-
AtlasPrivilege.ENTITY_UPDATE,
-
AtlasPrivilege.ENTITY_READ,
-
AtlasPrivilege.ENTITY_ADD_CLASSIFICATION,
-
AtlasPrivilege.ENTITY_UPDATE_CLASSIFICATION,
-
AtlasPrivilege.ENTITY_REMOVE_CLASSIFICATION,
-
AtlasPrivilege.ENTITY_READ_CLASSIFICATION,
-
AtlasPrivilege.ENTITY_ADD_LABEL,
-
AtlasPrivilege.ENTITY_REMOVE_LABEL,
-
AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA);
-
- private static final List<AtlasPrivilege> LABEL_PRIVILEGES =
Arrays.asList(AtlasPrivilege.ENTITY_ADD_LABEL,
AtlasPrivilege.ENTITY_REMOVE_LABEL);
+ private static final Map<String, Set<String>> USER_GROUPS = new
HashMap<>();
+ private static final List<AtlasPrivilege> ENTITY_PRIVILEGES = new
ArrayList<>();
+ private static final List<AtlasPrivilege> LABEL_PRIVILEGES = new
ArrayList<>();
private String originalConf;
private AtlasAuthorizer authorizer;
@@ -94,7 +80,7 @@ public class AtlasSimpleAuthorizerTest {
authorizer = null;
}
- @Test(enabled = true)
+ @Test
public void testAllAllowedForAdminUser() {
try {
for (AtlasPrivilege privilege : AtlasPrivilege.values()) {
@@ -104,7 +90,7 @@ public class AtlasSimpleAuthorizerTest {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals(privilege.name() + " should have been
allowed for user " + USER_DATA_SCIENTIST, true, isAccessAllowed);
+ AssertJUnit.assertTrue(privilege.name() + " should have been
allowed for user " + USER_DATA_SCIENTIST, isAccessAllowed);
}
} catch (Exception e) {
LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
@@ -113,16 +99,16 @@ public class AtlasSimpleAuthorizerTest {
}
}
- @Test(enabled = true)
+ @Test
public void testAddPIIForStewardExUser() {
try {
- AtlasEntityAccessRequest request = new
AtlasEntityAccessRequest(null , AtlasPrivilege.ENTITY_ADD_CLASSIFICATION, null,
new AtlasClassification("PII"));
+ AtlasEntityAccessRequest request = new
AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_ADD_CLASSIFICATION, null,
new AtlasClassification("PII"));
setUser(request, USER_DATA_STEWARD_EX);
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + USER_DATA_STEWARD_EX + " should
have been allowed to add PII", true, isAccessAllowed);
+ AssertJUnit.assertTrue("user " + USER_DATA_STEWARD_EX + " should
have been allowed to add PII", isAccessAllowed);
} catch (Exception e) {
LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
@@ -130,11 +116,11 @@ public class AtlasSimpleAuthorizerTest {
}
}
- @Test(enabled = true)
+ @Test
public void
testAddClassificationOnEntityWithClassificationForStewardExUser() {
try {
-
AtlasEntityHeader entityHeader = new AtlasEntityHeader();
+
entityHeader.setClassifications(Arrays.asList(new
AtlasClassification("PII_1"), new AtlasClassification("PII_2")));
AtlasEntityAccessRequest request = new
AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_ADD_CLASSIFICATION,
entityHeader, new AtlasClassification("PII"));
@@ -143,7 +129,7 @@ public class AtlasSimpleAuthorizerTest {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + USER_DATA_STEWARD_EX + " should
have been allowed to add PII", true, isAccessAllowed);
+ AssertJUnit.assertTrue("user " + USER_DATA_STEWARD_EX + " should
have been allowed to add PII", isAccessAllowed);
} catch (Exception e) {
LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
@@ -151,11 +137,11 @@ public class AtlasSimpleAuthorizerTest {
}
}
- @Test(enabled = true)
+ @Test
public void
testAddClassificationOnEntityWithClassificationForStewardExUserShouldFail() {
try {
-
AtlasEntityHeader entityHeader = new AtlasEntityHeader();
+
entityHeader.setClassifications(Arrays.asList(new
AtlasClassification("TAG1"), new AtlasClassification("TAG2")));
AtlasEntityAccessRequest request = new
AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_ADD_CLASSIFICATION,
entityHeader, new AtlasClassification("PII"));
@@ -164,7 +150,7 @@ public class AtlasSimpleAuthorizerTest {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + USER_DATA_STEWARD_EX + " should
have not been allowed to add PII on entity with TAG1,TAG2 classification ",
false, isAccessAllowed);
+ AssertJUnit.assertFalse("user " + USER_DATA_STEWARD_EX + " should
have not been allowed to add PII on entity with TAG1,TAG2 classification ",
isAccessAllowed);
} catch (Exception e) {
LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
@@ -172,16 +158,16 @@ public class AtlasSimpleAuthorizerTest {
}
}
- @Test(enabled = true)
+ @Test
public void testAddPIIForStewardUser() {
try {
- AtlasEntityAccessRequest request = new
AtlasEntityAccessRequest(null , AtlasPrivilege.ENTITY_ADD_CLASSIFICATION, null,
new AtlasClassification("PII"));
+ AtlasEntityAccessRequest request = new
AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_ADD_CLASSIFICATION, null,
new AtlasClassification("PII"));
setUser(request, USER_DATA_STEWARD);
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + USER_DATA_STEWARD + " should
not have been allowed to add PII", false, isAccessAllowed);
+ AssertJUnit.assertFalse("user " + USER_DATA_STEWARD + " should not
have been allowed to add PII", isAccessAllowed);
} catch (Exception e) {
LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
@@ -189,12 +175,12 @@ public class AtlasSimpleAuthorizerTest {
}
}
- @Test(enabled = true)
+ @Test
public void testFinancePIIEntityAccessForFinancePIIUser() {
try {
- AtlasEntityHeader entity = new AtlasEntityHeader() {{
-
setClassifications(Arrays.asList(new AtlasClassification("FINANCE"), new
AtlasClassification("PII")));
- }};
+ AtlasEntityHeader entity = new AtlasEntityHeader();
+
+ entity.setClassifications(Arrays.asList(new
AtlasClassification("FINANCE"), new AtlasClassification("PII")));
for (AtlasPrivilege privilege : ENTITY_PRIVILEGES) {
AtlasEntityAccessRequest request = new
AtlasEntityAccessRequest(null, privilege, entity, new
AtlasClassification("PII"));
@@ -203,7 +189,7 @@ public class AtlasSimpleAuthorizerTest {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + USER_FINANCE_PII + " should
have been allowed " + privilege + " on entity with FINANCE & PII", true,
isAccessAllowed);
+ AssertJUnit.assertTrue("user " + USER_FINANCE_PII + " should
have been allowed " + privilege + " on entity with FINANCE & PII",
isAccessAllowed);
}
} catch (Exception e) {
LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
@@ -212,12 +198,12 @@ public class AtlasSimpleAuthorizerTest {
}
}
- @Test(enabled = true)
+ @Test
public void testFinancePIIEntityAccessForFinanceUser() {
try {
- AtlasEntityHeader entity = new AtlasEntityHeader() {{
-
setClassifications(Arrays.asList(new AtlasClassification("FINANCE"), new
AtlasClassification("PII")));
- }};
+ AtlasEntityHeader entity = new AtlasEntityHeader();
+
+ entity.setClassifications(Arrays.asList(new
AtlasClassification("FINANCE"), new AtlasClassification("PII")));
for (AtlasPrivilege privilege : ENTITY_PRIVILEGES) {
AtlasEntityAccessRequest request = new
AtlasEntityAccessRequest(null, privilege, entity, new
AtlasClassification("PII"));
@@ -226,7 +212,7 @@ public class AtlasSimpleAuthorizerTest {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + USER_FINANCE + " should not
have been allowed " + privilege + " on entity with FINANCE & PII", false,
isAccessAllowed);
+ AssertJUnit.assertFalse("user " + USER_FINANCE + " should not
have been allowed " + privilege + " on entity with FINANCE & PII",
isAccessAllowed);
}
} catch (Exception e) {
LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
@@ -235,12 +221,12 @@ public class AtlasSimpleAuthorizerTest {
}
}
- @Test(enabled = true)
+ @Test
public void testFinanceEntityAccess() {
try {
- AtlasEntityHeader entity = new AtlasEntityHeader() {{
- setClassifications(Arrays.asList(new
AtlasClassification("FINANCE")));
- }};
+ AtlasEntityHeader entity = new AtlasEntityHeader();
+
+ entity.setClassifications(Collections.singletonList(new
AtlasClassification("FINANCE")));
for (String userName : Arrays.asList(USER_FINANCE_PII,
USER_FINANCE)) {
for (AtlasPrivilege privilege : ENTITY_PRIVILEGES) {
@@ -250,7 +236,7 @@ public class AtlasSimpleAuthorizerTest {
boolean isAccessAllowed =
authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + userName + " should
have been allowed " + privilege + " on entity with FINANCE", true,
isAccessAllowed);
+ AssertJUnit.assertTrue("user " + userName + " should have
been allowed " + privilege + " on entity with FINANCE", isAccessAllowed);
}
}
} catch (Exception e) {
@@ -260,7 +246,7 @@ public class AtlasSimpleAuthorizerTest {
}
}
- @Test(enabled = true)
+ @Test
public void testAccessForUserInAdminGroup() {
try {
AtlasEntityAccessRequest request = new
AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_UPDATE);
@@ -269,7 +255,7 @@ public class AtlasSimpleAuthorizerTest {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + USER_IN_ADMIN_GROUP + " should
have been allowed " + AtlasPrivilege.ENTITY_UPDATE, true, isAccessAllowed);
+ AssertJUnit.assertTrue("user " + USER_IN_ADMIN_GROUP + " should
have been allowed " + AtlasPrivilege.ENTITY_UPDATE, isAccessAllowed);
} catch (AtlasAuthorizationException e) {
LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
@@ -277,7 +263,7 @@ public class AtlasSimpleAuthorizerTest {
}
}
- @Test(enabled = true)
+ @Test
public void testAccessForUserInUnknownGroup() {
try {
AtlasEntityAccessRequest request = new
AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_UPDATE);
@@ -286,7 +272,7 @@ public class AtlasSimpleAuthorizerTest {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + USER_IN_UNKNOWN_GROUP + "
should not have been allowed " + AtlasPrivilege.ENTITY_UPDATE, false,
isAccessAllowed);
+ AssertJUnit.assertFalse("user " + USER_IN_UNKNOWN_GROUP + " should
not have been allowed " + AtlasPrivilege.ENTITY_UPDATE, isAccessAllowed);
} catch (AtlasAuthorizationException e) {
LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
@@ -294,7 +280,7 @@ public class AtlasSimpleAuthorizerTest {
}
}
- @Test(enabled = true)
+ @Test
public void testLabels() {
try {
for (AtlasPrivilege privilege : LABEL_PRIVILEGES) {
@@ -305,7 +291,7 @@ public class AtlasSimpleAuthorizerTest {
boolean isAccessAllowed =
authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + userName + " should not
have been allowed " + privilege, false, isAccessAllowed);
+ AssertJUnit.assertFalse("user " + userName + " should not
have been allowed " + privilege, isAccessAllowed);
}
AtlasEntityAccessRequest request = new
AtlasEntityAccessRequest(null, privilege);
@@ -314,7 +300,7 @@ public class AtlasSimpleAuthorizerTest {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + USER_DATA_STEWARD_EX + "
should have been allowed " + privilege, true, isAccessAllowed);
+ AssertJUnit.assertTrue("user " + USER_DATA_STEWARD_EX + "
should have been allowed " + privilege, isAccessAllowed);
}
} catch (AtlasAuthorizationException e) {
LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
@@ -323,7 +309,7 @@ public class AtlasSimpleAuthorizerTest {
}
}
- @Test(enabled = true)
+ @Test
public void testBusinessMetadata() {
try {
for (String userName : Arrays.asList(USER_DATA_SCIENTIST,
USER_DATA_STEWARD)) {
@@ -333,7 +319,7 @@ public class AtlasSimpleAuthorizerTest {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + userName + " should not
have been allowed " + AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA, false,
isAccessAllowed);
+ AssertJUnit.assertFalse("user " + userName + " should not have
been allowed " + AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA,
isAccessAllowed);
}
AtlasEntityAccessRequest request = new
AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA);
@@ -342,7 +328,7 @@ public class AtlasSimpleAuthorizerTest {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + USER_DATA_STEWARD_EX + " should
have been allowed " + AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA, true,
isAccessAllowed);
+ AssertJUnit.assertTrue("user " + USER_DATA_STEWARD_EX + " should
have been allowed " + AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA,
isAccessAllowed);
} catch (AtlasAuthorizationException e) {
LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
@@ -355,4 +341,29 @@ public class AtlasSimpleAuthorizerTest {
request.setUser(userName, userGroups != null ? userGroups :
Collections.emptySet());
}
+
+ static {
+ USER_GROUPS.put(USER_ADMIN, Collections.singleton("ROLE_ADMIN"));
+ USER_GROUPS.put(USER_DATA_STEWARD, Collections.emptySet());
+ USER_GROUPS.put(USER_DATA_SCIENTIST, Collections.emptySet());
+ USER_GROUPS.put(USER_DATA_STEWARD_EX,
Collections.singleton("DATA_STEWARD_EX"));
+ USER_GROUPS.put(USER_FINANCE, Collections.singleton("FINANCE"));
+ USER_GROUPS.put(USER_FINANCE_PII,
Collections.singleton("FINANCE_PII"));
+ USER_GROUPS.put(USER_IN_ADMIN_GROUP,
Collections.singleton("ROLE_ADMIN"));
+ USER_GROUPS.put(USER_IN_UNKNOWN_GROUP,
Collections.singleton("UNKNOWN_GROUP"));
+
+ ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_CREATE);
+ ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_UPDATE);
+ ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_READ);
+ ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_ADD_CLASSIFICATION);
+ ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_UPDATE_CLASSIFICATION);
+ ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_REMOVE_CLASSIFICATION);
+ ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_READ_CLASSIFICATION);
+ ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_ADD_LABEL);
+ ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_REMOVE_LABEL);
+ ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA);
+
+ LABEL_PRIVILEGES.add(AtlasPrivilege.ENTITY_ADD_LABEL);
+ LABEL_PRIVILEGES.add(AtlasPrivilege.ENTITY_REMOVE_LABEL);
+ }
}
