Posted to dev@atlas.apache.org by chaitali <ch...@freestoneinfotech.com> on 2020/09/23 16:34:48 UTC
Re: Review Request 72895: ATLAS-3950 : Read Type Auth :
Classification, Business metadata ,
Entity types are able to have attributes of type which are not permissible
to read
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72895/
-----------------------------------------------------------
(Updated Sept. 23, 2020, 4:34 p.m.)
Review request for atlas, Jayendra Parab, Madhan Neethiraj, Nixon Rodrigues, and Sarath Subramanian.
Bugs: ATLAS-3950
https://issues.apache.org/jira/browse/ATLAS-3950
Repository: atlas
Description
-------
User is able to create an attribute for businessmetadata/classification/entitydef of typename which doesn't have read access in the ranger policy. UI works fine, but through REST, User is able to add any type as attribute typename.
Steps to reproduce:
User has following rights in ranger policy :
CRUD permissions on hive_table type only
CRUD permissions on all business_metadata type.
hrt_qa creates a business metadata bm1
hrt_qa is able to create an attribute for bm1 - say attrib1 which allows Applicable types to be anything. UI displays only hive_table, but through REST, hrt_qa is able to add any type as Applicable type.
Diffs
-----
intg/src/main/java/org/apache/atlas/type/AtlasBusinessMetadataType.java f17300140
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasAbstractDefStoreV2.java 2cb2b4789
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasBusinessMetadataDefStoreV2.java 6b4fa65ae
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasClassificationDefStoreV2.java 9ffede4e3
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityDefStoreV2.java e5153de0e
Diff: https://reviews.apache.org/r/72895/diff/7/
Testing
-------
Tested with following JSON :
Entity typedef creation with an attribute of typename which admin doesn't have type-read rights for:
{
    "enumDefs": [],
    "structDefs": [],
    "classificationDefs": [],
    "entityDefs": [
        {
            "category": "ENTITY",
            "createdBy": "admin",
            "updatedBy": "admin",
            "createTime": 1537261952180,
            "updateTime": 1537262097732,
            "version": 3,
            "name": "testtab",
            "description": "sport",
            "typeVersion": "1.4",
            "attributeDefs": [
                {
                    "name": "test_name",
                    "typeName": "string",
                    "isOptional": false,
                    "cardinality": "SINGLE",
                    "valuesMinCount": 1,
                    "valuesMaxCount": 1,
                    "isUnique": false,
                    "isIndexable": false,
                    "includeInNotification": false
                },
                {
                    "name": "year",
                    "typeName": "int",
                    "isOptional": false,
                    "cardinality": "SINGLE",
                    "valuesMinCount": 1,
                    "valuesMaxCount": 1,
                    "isUnique": false,
                    "isIndexable": false,
                    "includeInNotification": false
                },
                {
                    "name": "place",
                    "typeName": "array<string>",
                    "isOptional": true,
                    "cardinality": "SINGLE",
                    "valuesMinCount": 0,
                    "valuesMaxCount": 1,
                    "isUnique": false,
                    "isIndexable": false,
                    "includeInNotification": false
                }
            ],
            "superTypes": [
                "DataSet"
            ],
            "subTypes": []
        }
    ],
    "relationshipDefs": []
}
Classification typedef creation with entitytypes for which doesn't have type-read rights for:
{
    "classificationDefs": [
        {
            "name": "testclass",
            "description": "oif",
            "superTypes": [],
            "attributeDefs": [],
            "entityTypes": [
                "hdfs_path",
                "hive_table"
            ],
            "category": "CLASSIFICATION",
            "guid": "-123456789"
        }
    ],
    "entityDefs": [],
    "enumDefs": [],
    "structDefs": []
}
Businessmetadata typedef creation with entitytypes for which admin doesn't have type-read rights for:
{
    "enumDefs": [],
    "structDefs": [],
    "classificationDefs": [],
    "entityDefs": [],
    "businessMetadataDefs": [
        {
            "category": "BUSINESS_METADATA",
            "createdBy": "admin",
            "updatedBy": "admin",
            "version": 1,
            "typeVersion": "1.1",
            "name": "testBM",
            "description": "",
            "attributeDefs": [
                {
                    "name": "attrtestBM",
                    "typeName": "string",
                    "isOptional": true,
                    "cardinality": "SINGLE",
                    "valuesMinCount": 0,
                    "valuesMaxCount": 1,
                    "isUnique": false,
                    "isIndexable": true,
                    "options": {
                        "maxStrLength": "50",
                        "applicableEntityTypes": "[\"hive_table\"]"
                    },
                    "searchWeight": "5"
                }
            ]
        }
    ]
}
Expected Output :
{
    "errorCode": "ATLAS-403-00-001",
    "errorMessage": "admin is not authorized to perform read type hive_table"
}
Thanks,
chaitali
Re: Review Request 72895: ATLAS-3950 : Read Type Auth :
Classification, Business metadata ,
Entity types are able to have attributes of type which are not permissible
to read
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72895/#review221966
-----------------------------------------------------------
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasAbstractDefStoreV2.java
Lines 63 (patched)
<https://reviews.apache.org/r/72895/#comment311033>
#63: consider adding null check for 'types'
#65: consider adding null check for 'def'
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasClassificationDefStoreV2.java
Lines 102 (patched)
<https://reviews.apache.org/r/72895/#comment311034>
Instead of creating "Collection<AtlasEntityType> entityTypes" here, consider adding method:
    class AtlasAbstractDefStoreV2 {
        // Verify that the caller has TYPE_READ on every type named in typeNames
        public void verifyTypeReadAccess(Collection<String> typeNames) throws AtlasBaseException {
            if (typeNames != null) {
                for (String typeName : typeNames) {
                    AtlasBaseTypeDef def = typeRegistry.getTypeDefByName(typeName);

                    // names with no registered type-def are skipped
                    if (def != null) {
                        AtlasAuthorizationUtils.verifyAccess(new AtlasTypeAccessRequest(AtlasPrivilege.TYPE_READ, def), "read type-def of category ", def.getCategory(), " ", def.getName());
                    }
                }
            }
        }
    }
and replace #96, #97, #102 - #110 with a call to verifyTypeReadAccess(classificationDef.getEntityTypes());
Same applies for AtlasEntityDefStoreV2.create() as well.
- Madhan Neethiraj
On Sept. 28, 2020, 8:11 a.m., chaitali wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72895/
> -----------------------------------------------------------
>
> (Updated Sept. 28, 2020, 8:11 a.m.)
>
>
> Review request for atlas, Jayendra Parab, Madhan Neethiraj, Nixon Rodrigues, and Sarath Subramanian.
>
>
> Bugs: ATLAS-3950
> https://issues.apache.org/jira/browse/ATLAS-3950
>
>
> Repository: atlas
>
>
> Description
> -------
>
> User is able to create an attribute for businessmetadata/classification/entitydef of typename which doesn't have read access in the ranger policy. UI works fine, but through REST, User is able to add any type as attribute typename.
>
> Steps to reproduce:
>
> User has following rights in ranger policy :
>
> CRUD permissions on hive_table type only
>
> CRUD permissions on all business_metadata type.
>
> hrt_qa creates a business metadata bm1
>
> hrt_qa is able to create an attribute for bm1 - say attrib1 which allows Applicable types to be anything. UI displays only hive_table, but through REST, hrt_qa is able to add any type as Applicable type.
>
>
> Diffs
> -----
>
> repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasAbstractDefStoreV2.java 2cb2b4789
> repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasBusinessMetadataDefStoreV2.java 6b4fa65ae
> repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasClassificationDefStoreV2.java 9ffede4e3
> repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityDefStoreV2.java e5153de0e
>
>
> Diff: https://reviews.apache.org/r/72895/diff/8/
>
>
> Thanks,
>
> chaitali
>
>
Re: Review Request 72895: ATLAS-3950 : Read Type Auth :
Classification, Business metadata ,
Entity types are able to have attributes of type which are not permissible
to read
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72895/#review221970
-----------------------------------------------------------
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityDefStoreV2.java
Lines 95 (patched)
<https://reviews.apache.org/r/72895/#comment311035>
- Attributes of struct-def/classification-def/relationship-def/business-metadata-def also need to be checked similarly. It will be useful to add another verifyTypeReadAccess() method, with Collection(AttributeDef attributeDefs), and call it from the relevant places.
- In addition, please review handling the same in the update() call as well.
- Madhan Neethiraj
On Sept. 28, 2020, 6:04 p.m., chaitali wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72895/
> -----------------------------------------------------------
>
> (Updated Sept. 28, 2020, 6:04 p.m.)
>
>
> Review request for atlas, Jayendra Parab, Madhan Neethiraj, Nixon Rodrigues, and Sarath Subramanian.
>
>
> Bugs: ATLAS-3950
> https://issues.apache.org/jira/browse/ATLAS-3950
>
>
> Repository: atlas
>
>
> Description
> -------
>
> User is able to create an attribute for businessmetadata/classification/entitydef of typename which doesn't have read access in the ranger policy. UI works fine, but through REST, User is able to add any type as attribute typename.
>
> Steps to reproduce:
>
> User has following rights in ranger policy :
>
> CRUD permissions on hive_table type only
>
> CRUD permissions on all business_metadata type.
>
> hrt_qa creates a business metadata bm1
>
> hrt_qa is able to create an attribute for bm1 - say attrib1 which allows Applicable types to be anything. UI displays only hive_table, but through REST, hrt_qa is able to add any type as Applicable type.
>
>
> Diffs
> -----
>
> repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasAbstractDefStoreV2.java 2cb2b4789
> repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasBusinessMetadataDefStoreV2.java 6b4fa65ae
> repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasClassificationDefStoreV2.java 9ffede4e3
> repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityDefStoreV2.java e5153de0e
>
>
> Diff: https://reviews.apache.org/r/72895/diff/10/
>
>
> Thanks,
>
> chaitali
>
>
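
Added example (not part of the thread and not Atlas code): a small Python model of the check the two review comments above ask for, collecting every type a typedef payload refers to (attribute typeName, classification entityTypes, business-metadata applicableEntityTypes) and requiring read access on each before create or update. REGISTRY, READABLE, the function names and the sample payloads are constructed for illustration; unwrapping array<...>/map<...> wrappers goes beyond what the thread states and is an assumption.

```python
import json

# Constructed stand-in for the server's type registry: type name -> category.
# Built-in types (string, int, ...) are deliberately absent.
REGISTRY = {"hive_table": "ENTITY", "hdfs_path": "ENTITY", "DataSet": "ENTITY"}

# Constructed policy for the scenario in the description: the caller may
# read hive_table only.
READABLE = {"hive_table"}


class AccessDenied(Exception):
    pass


def leaf_type_names(type_name):
    """Unwrap array<T> / map<K,V> wrappers down to the element type names."""
    name = type_name.strip()
    if name.startswith("array<") and name.endswith(">"):
        return leaf_type_names(name[len("array<"):-1])
    if name.startswith("map<") and name.endswith(">"):
        inner, depth = name[len("map<"):-1], 0
        for i, ch in enumerate(inner):
            if ch == "<":
                depth += 1
            elif ch == ">":
                depth -= 1
            elif ch == "," and depth == 0:  # the comma separating K from V
                return leaf_type_names(inner[:i]) + leaf_type_names(inner[i + 1:])
        raise ValueError("malformed map type: " + type_name)
    return [name]


def referenced_type_names(typedefs):
    """Every type name a typedef payload points at, in first-seen order."""
    names = []
    for key, defs in typedefs.items():
        if not key.endswith("Defs"):
            continue
        for type_def in defs or []:
            # classification-def: entity types it may be applied to
            names += type_def.get("entityTypes") or []
            for attr in type_def.get("attributeDefs") or []:
                names += leaf_type_names(attr["typeName"])
                # business-metadata attribute: JSON-encoded list inside options
                applicable = (attr.get("options") or {}).get("applicableEntityTypes")
                if applicable:
                    names += json.loads(applicable)
    return list(dict.fromkeys(names))


def denied_types(type_names, readable, registry):
    """Registered types in type_names that the caller may not read."""
    # Names with no registered def (built-ins) are skipped, like the
    # `def != null` branch in the review suggestion.
    return [n for n in type_names if n in registry and n not in readable]


def authorize_typedef_write(typedefs, user, readable=READABLE, registry=REGISTRY):
    """Call before both create and update; raises on the first denied type."""
    for name in denied_types(referenced_type_names(typedefs), readable, registry):
        raise AccessDenied(
            f"{user} is not authorized to perform read type-def "
            f"of category {registry[name]} {name}"
        )


# Constructed payloads, trimmed from the shapes used in the Testing section.
CLASSIFICATION = {"classificationDefs": [
    {"name": "testclass", "attributeDefs": [],
     "entityTypes": ["hdfs_path", "hive_table"]}]}
BUSINESS_METADATA = {"businessMetadataDefs": [
    {"name": "testBM", "attributeDefs": [
        {"name": "attrtestBM", "typeName": "string",
         "options": {"maxStrLength": "50",
                     "applicableEntityTypes": "[\"hive_table\"]"}}]}]}
ENTITY = {"entityDefs": [
    {"name": "testtab", "attributeDefs": [
        {"name": "place", "typeName": "array<string>"},
        {"name": "src", "typeName": "map<string,hdfs_path>"}]}]}

if __name__ == "__main__":
    for label, payload in (("classification", CLASSIFICATION),
                           ("business metadata", BUSINESS_METADATA),
                           ("entity", ENTITY)):
        try:
            authorize_typedef_write(payload, "hrt_qa")
            print(label, "-> allowed")
        except AccessDenied as exc:
            print(label, "-> denied:", exc)
```
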
Re: Review Request 72895: ATLAS-3950 : Read Type Auth :
Classification, Business metadata ,
Entity types are able to have attributes of type which are not permissible
to read
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72895/#review221973
-----------------------------------------------------------
Ship it!
Ship It!
- Madhan Neethiraj
On Sept. 29, 2020, 10:53 a.m., chaitali wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72895/
> -----------------------------------------------------------
>
> (Updated Sept. 29, 2020, 10:53 a.m.)
>
>
> Review request for atlas, Jayendra Parab, Madhan Neethiraj, Nixon Rodrigues, and Sarath Subramanian.
>
>
> Bugs: ATLAS-3950
> https://issues.apache.org/jira/browse/ATLAS-3950
>
>
> Repository: atlas
>
>
> Description
> -------
>
> User is able to create an attribute for businessmetadata/classification/entitydef of typename which doesn't have read access in the ranger policy. UI works fine, but through REST, User is able to add any type as attribute typename.
>
> Steps to reproduce:
>
> User has following rights in ranger policy :
>
> CRUD permissions on hive_table type only
>
> CRUD permissions on all business_metadata type.
>
> hrt_qa creates a business metadata bm1
>
> hrt_qa is able to create an attribute for bm1 - say attrib1 which allows Applicable types to be anything. UI displays only hive_table, but through REST, hrt_qa is able to add any type as Applicable type.
>
>
> Diffs
> -----
>
> repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasAbstractDefStoreV2.java 2cb2b4789
> repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasBusinessMetadataDefStoreV2.java 6b4fa65ae
> repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasClassificationDefStoreV2.java 93e7012c2
> repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityDefStoreV2.java e5153de0e
> repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasRelationshipDefStoreV2.java 64ef18bf7
> repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasStructDefStoreV2.java 9a45f00c7
>
>
> Diff: https://reviews.apache.org/r/72895/diff/15/
>
>
> Thanks,
>
> chaitali
>
>
Re: Review Request 72895: ATLAS-3950 : Read Type Auth :
Classification, Business metadata ,
Entity types are able to have attributes of type which are not permissible
to read
Posted by chaitali <ch...@freestoneinfotech.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72895/
-----------------------------------------------------------
(Updated Sept. 29, 2020, 10:53 a.m.)
Review request for atlas, Jayendra Parab, Madhan Neethiraj, Nixon Rodrigues, and Sarath Subramanian.
Bugs: ATLAS-3950
https://issues.apache.org/jira/browse/ATLAS-3950
Repository: atlas
Description
-------
User is able to create an attribute for businessmetadata/classification/entitydef of typename which doesn't have read access in the ranger policy. UI works fine, but through REST, User is able to add any type as attribute typename.
Steps to reproduce:
User has following rights in ranger policy :
CRUD permissions on hive_table type only
CRUD permissions on all business_metadata type.
hrt_qa creates a business metadata bm1
hrt_qa is able to create an attribute for bm1 - say attrib1 which allows Applicable types to be anything. UI displays only hive_table, but through REST, hrt_qa is able to add any type as Applicable type.
Diffs (updated)
-----
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasAbstractDefStoreV2.java 2cb2b4789
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasBusinessMetadataDefStoreV2.java 6b4fa65ae
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasClassificationDefStoreV2.java 93e7012c2
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityDefStoreV2.java e5153de0e
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasRelationshipDefStoreV2.java 64ef18bf7
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasStructDefStoreV2.java 9a45f00c7
Diff: https://reviews.apache.org/r/72895/diff/15/
Changes: https://reviews.apache.org/r/72895/diff/14-15/
Thanks,
chaitali
Re: Review Request 72895: ATLAS-3950 : Read Type Auth :
Classification, Business metadata ,
Entity types are able to have attributes of type which are not permissible
to read
Posted by chaitali <ch...@freestoneinfotech.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72895/
-----------------------------------------------------------
(Updated Sept. 29, 2020, 10:46 a.m.)
Review request for atlas, Jayendra Parab, Madhan Neethiraj, Nixon Rodrigues, and Sarath Subramanian.
Bugs: ATLAS-3950
https://issues.apache.org/jira/browse/ATLAS-3950
Repository: atlas
Description
-------
User is able to create an attribute for businessmetadata/classification/entitydef of typename which doesn't have read access in the ranger policy. UI works fine, but through REST, User is able to add any type as attribute typename.
Steps to reproduce:
User has following rights in ranger policy :
CRUD permissions on hive_table type only
CRUD permissions on all business_metadata type.
hrt_qa creates a business metadata bm1
hrt_qa is able to create an attribute for bm1 - say attrib1 which allows Applicable types to be anything. UI displays only hive_table, but through REST, hrt_qa is able to add any type as Applicable type.
Diffs (updated)
-----
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasAbstractDefStoreV2.java 2cb2b4789
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasBusinessMetadataDefStoreV2.java 6b4fa65ae
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasClassificationDefStoreV2.java 93e7012c2
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityDefStoreV2.java e5153de0e
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasRelationshipDefStoreV2.java 64ef18bf7
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasStructDefStoreV2.java 9a45f00c7
Diff: https://reviews.apache.org/r/72895/diff/14/
Changes: https://reviews.apache.org/r/72895/diff/13-14/
Thanks,
chaitali
Re: Review Request 72895: ATLAS-3950 : Read Type Auth :
Classification, Business metadata ,
Entity types are able to have attributes of type which are not permissible
to read
Posted by chaitali <ch...@freestoneinfotech.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72895/
-----------------------------------------------------------
(Updated Sept. 29, 2020, 9:48 a.m.)
Review request for atlas, Jayendra Parab, Madhan Neethiraj, Nixon Rodrigues, and Sarath Subramanian.
Bugs: ATLAS-3950
https://issues.apache.org/jira/browse/ATLAS-3950
Repository: atlas
Description
-------
User is able to create an attribute for businessmetadata/classification/entitydef of typename which doesn't have read access in the ranger policy. UI works fine, but through REST, User is able to add any type as attribute typename.
Steps to reproduce:
User has following rights in ranger policy :
CRUD permissions on hive_table type only
CRUD permissions on all business_metadata type.
hrt_qa creates a business metadata bm1
hrt_qa is able to create an attribute for bm1 - say attrib1 which allows Applicable types to be anything. UI displays only hive_table, but through REST, hrt_qa is able to add any type as Applicable type.
Diffs (updated)
-----
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasAbstractDefStoreV2.java 2cb2b4789
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasBusinessMetadataDefStoreV2.java 6b4fa65ae
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasClassificationDefStoreV2.java 9ffede4e3
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityDefStoreV2.java e5153de0e
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasRelationshipDefStoreV2.java 64ef18bf7
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasStructDefStoreV2.java 9a45f00c7
Diff: https://reviews.apache.org/r/72895/diff/13/
Changes: https://reviews.apache.org/r/72895/diff/12-13/
Thanks,
chaitali
Re: Review Request 72895: ATLAS-3950 : Read Type Auth :
Classification, Business metadata ,
Entity types are able to have attributes of type which are not permissible
to read
Posted by chaitali <ch...@freestoneinfotech.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72895/
-----------------------------------------------------------
(Updated Sept. 29, 2020, 9:46 a.m.)
Review request for atlas, Jayendra Parab, Madhan Neethiraj, Nixon Rodrigues, and Sarath Subramanian.
Bugs: ATLAS-3950
https://issues.apache.org/jira/browse/ATLAS-3950
Repository: atlas
Description
-------
User is able to create an attribute for businessmetadata/classification/entitydef of typename which doesn't have read access in the ranger policy. UI works fine but through REST, User is able to add any type as attribute typename.
Steps to reproduce:
User has following rights in ranger policy :
CRUD permissions on hive_table type only
CRUD permissions on all business_metadata type.
hrt_qa creates a business metadata bm1
hrt_qa is able to create an attribute for bm1 - say attrib1 which allows Applicable types to be anything. UI displays only hive_table but through REST, hrt_qa is able to add any type as Applicable type.
Diffs (updated)
-----
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasAbstractDefStoreV2.java 2cb2b4789
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasBusinessMetadataDefStoreV2.java 6b4fa65ae
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasClassificationDefStoreV2.java 9ffede4e3
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityDefStoreV2.java e5153de0e
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasRelationshipDefStoreV2.java 64ef18bf7
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasStructDefStoreV2.java 9a45f00c7
Diff: https://reviews.apache.org/r/72895/diff/12/
Changes: https://reviews.apache.org/r/72895/diff/11-12/
Testing
-------
Tested with following JSON :
Entity typedef creation with an attribute of typename which admin doesn't have type-read rights for:
{
"enumDefs": [],
"structDefs": [],
"classificationDefs": [],
"entityDefs": [
{
"category": "ENTITY",
"createdBy": "admin",
"updatedBy": "admin",
"createTime": 1537261952180,
"updateTime": 1537262097732,
"version": 3,
"name": "testtab",
"description": "sport",
"typeVersion": "1.4",
"attributeDefs": [
{
"name": "test_name",
"typeName": "string",
"isOptional": false,
"cardinality": "SINGLE",
"valuesMinCount": 1,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": false,
"includeInNotification": false
},
{
"name": "year",
"typeName": "int",
"isOptional": false,
"cardinality": "SINGLE",
"valuesMinCount": 1,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": false,
"includeInNotification": false
},
{
"name": "place",
"typeName": "array<string>",
"isOptional": true,
"cardinality": "SINGLE",
"valuesMinCount": 0,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": false,
"includeInNotification": false
}
],
"superTypes": [
"DataSet"
],
"subTypes": []
}
],
"relationshipDefs": []
}
Classification typedef creation with entitytypes for which doesn't have type-read rights for:
{
"classificationDefs": [
{
"name": "testclass",
"description": "oif",
"superTypes": [],
"attributeDefs": [],
"entityTypes": [
"hdfs_path",
"hive_table"
],
"category": "CLASSIFICATION",
"guid": "-123456789"
}
],
"entityDefs": [],
"enumDefs": [],
"structDefs": []
}
Businessmetadata typedef creation with entitytypes for which admin doesn't have type-read rights for:
{
"enumDefs": [],
"structDefs": [],
"classificationDefs": [],
"entityDefs": [],
"businessMetadataDefs": [
{
"category": "BUSINESS_METADATA",
"createdBy": "admin",
"updatedBy": "admin",
"version": 1,
"typeVersion": "1.1",
"name": "testBM",
"description": "",
"attributeDefs": [
{
"name": "attrtestBM",
"typeName": "string",
"isOptional": true,
"cardinality": "SINGLE",
"valuesMinCount": 0,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": true,
"options": {
"maxStrLength": "50",
"applicableEntityTypes": "[\"hive_table\"]"
},
"searchWeight": "5"
}
]
}
]
}
Expected Output :
{
"errorCode": "ATLAS-403-00-001",
"errorMessage": "admin is not authorized to perform read type hive_table"
}
Thanks,
chaitali
Re: Review Request 72895: ATLAS-3950 : Read Type Auth :
Classification, Business metadata ,
Entity types are able to have attributes of type which are not permissible
to read
Posted by chaitali <ch...@freestoneinfotech.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72895/
-----------------------------------------------------------
(Updated Sept. 29, 2020, 9:31 a.m.)
Review request for atlas, Jayendra Parab, Madhan Neethiraj, Nixon Rodrigues, and Sarath Subramanian.
Bugs: ATLAS-3950
https://issues.apache.org/jira/browse/ATLAS-3950
Repository: atlas
Description
-------
User is able to create an attribute for businessmetadata/classification/entitydef of typename which doesn't have read access in the ranger policy. UI works fine but through REST, User is able to add any type as attribute typename.
Steps to reproduce:
User has following rights in ranger policy :
CRUD permissions on hive_table type only
CRUD permissions on all business_metadata type.
hrt_qa creates a business metadata bm1
hrt_qa is able to create an attribute for bm1 - say attrib1 which allows Applicable types to be anything. UI displays only hive_table but through REST, hrt_qa is able to add any type as Applicable type.
Diffs (updated)
-----
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasAbstractDefStoreV2.java 2cb2b4789
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasBusinessMetadataDefStoreV2.java 6b4fa65ae
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasClassificationDefStoreV2.java 9ffede4e3
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityDefStoreV2.java e5153de0e
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasRelationshipDefStoreV2.java 64ef18bf7
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasStructDefStoreV2.java 9a45f00c7
Diff: https://reviews.apache.org/r/72895/diff/11/
Changes: https://reviews.apache.org/r/72895/diff/10-11/
Testing
-------
Tested with following JSON :
Entity typedef creation with an attribute of typename which admin doesn't have type-read rights for:
{
"enumDefs": [],
"structDefs": [],
"classificationDefs": [],
"entityDefs": [
{
"category": "ENTITY",
"createdBy": "admin",
"updatedBy": "admin",
"createTime": 1537261952180,
"updateTime": 1537262097732,
"version": 3,
"name": "testtab",
"description": "sport",
"typeVersion": "1.4",
"attributeDefs": [
{
"name": "test_name",
"typeName": "string",
"isOptional": false,
"cardinality": "SINGLE",
"valuesMinCount": 1,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": false,
"includeInNotification": false
},
{
"name": "year",
"typeName": "int",
"isOptional": false,
"cardinality": "SINGLE",
"valuesMinCount": 1,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": false,
"includeInNotification": false
},
{
"name": "place",
"typeName": "array<string>",
"isOptional": true,
"cardinality": "SINGLE",
"valuesMinCount": 0,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": false,
"includeInNotification": false
}
],
"superTypes": [
"DataSet"
],
"subTypes": []
}
],
"relationshipDefs": []
}
Classification typedef creation with entitytypes for which doesn't have type-read rights for:
{
"classificationDefs": [
{
"name": "testclass",
"description": "oif",
"superTypes": [],
"attributeDefs": [],
"entityTypes": [
"hdfs_path",
"hive_table"
],
"category": "CLASSIFICATION",
"guid": "-123456789"
}
],
"entityDefs": [],
"enumDefs": [],
"structDefs": []
}
Businessmetadata typedef creation with entitytypes for which admin doesn't have type-read rights for:
{
"enumDefs": [],
"structDefs": [],
"classificationDefs": [],
"entityDefs": [],
"businessMetadataDefs": [
{
"category": "BUSINESS_METADATA",
"createdBy": "admin",
"updatedBy": "admin",
"version": 1,
"typeVersion": "1.1",
"name": "testBM",
"description": "",
"attributeDefs": [
{
"name": "attrtestBM",
"typeName": "string",
"isOptional": true,
"cardinality": "SINGLE",
"valuesMinCount": 0,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": true,
"options": {
"maxStrLength": "50",
"applicableEntityTypes": "[\"hive_table\"]"
},
"searchWeight": "5"
}
]
}
]
}
Expected Output :
{
"errorCode": "ATLAS-403-00-001",
"errorMessage": "admin is not authorized to perform read type hive_table"
}
Thanks,
chaitali
Re: Review Request 72895: ATLAS-3950 : Read Type Auth :
Classification, Business metadata ,
Entity types are able to have attributes of type which are not permissible
to read
Posted by chaitali <ch...@freestoneinfotech.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72895/
-----------------------------------------------------------
(Updated Sept. 28, 2020, 6:04 p.m.)
Review request for atlas, Jayendra Parab, Madhan Neethiraj, Nixon Rodrigues, and Sarath Subramanian.
Bugs: ATLAS-3950
https://issues.apache.org/jira/browse/ATLAS-3950
Repository: atlas
Description
-------
User is able to create an attribute for businessmetadata/classification/entitydef of typename which doesn't have read access in the ranger policy. UI works fine but through REST, User is able to add any type as attribute typename.
Steps to reproduce:
User has following rights in ranger policy :
CRUD permissions on hive_table type only
CRUD permissions on all business_metadata type.
hrt_qa creates a business metadata bm1
hrt_qa is able to create an attribute for bm1 - say attrib1 which allows Applicable types to be anything. UI displays only hive_table but through REST, hrt_qa is able to add any type as Applicable type.
Diffs (updated)
-----
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasAbstractDefStoreV2.java 2cb2b4789
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasBusinessMetadataDefStoreV2.java 6b4fa65ae
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasClassificationDefStoreV2.java 9ffede4e3
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityDefStoreV2.java e5153de0e
Diff: https://reviews.apache.org/r/72895/diff/10/
Changes: https://reviews.apache.org/r/72895/diff/9-10/
Testing
-------
Tested with following JSON :
Entity typedef creation with an attribute of typename which admin doesn't have type-read rights for:
{
"enumDefs": [],
"structDefs": [],
"classificationDefs": [],
"entityDefs": [
{
"category": "ENTITY",
"createdBy": "admin",
"updatedBy": "admin",
"createTime": 1537261952180,
"updateTime": 1537262097732,
"version": 3,
"name": "testtab",
"description": "sport",
"typeVersion": "1.4",
"attributeDefs": [
{
"name": "test_name",
"typeName": "string",
"isOptional": false,
"cardinality": "SINGLE",
"valuesMinCount": 1,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": false,
"includeInNotification": false
},
{
"name": "year",
"typeName": "int",
"isOptional": false,
"cardinality": "SINGLE",
"valuesMinCount": 1,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": false,
"includeInNotification": false
},
{
"name": "place",
"typeName": "array<string>",
"isOptional": true,
"cardinality": "SINGLE",
"valuesMinCount": 0,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": false,
"includeInNotification": false
}
],
"superTypes": [
"DataSet"
],
"subTypes": []
}
],
"relationshipDefs": []
}
Classification typedef creation with entitytypes for which doesn't have type-read rights for:
{
"classificationDefs": [
{
"name": "testclass",
"description": "oif",
"superTypes": [],
"attributeDefs": [],
"entityTypes": [
"hdfs_path",
"hive_table"
],
"category": "CLASSIFICATION",
"guid": "-123456789"
}
],
"entityDefs": [],
"enumDefs": [],
"structDefs": []
}
Businessmetadata typedef creation with entitytypes for which admin doesn't have type-read rights for:
{
"enumDefs": [],
"structDefs": [],
"classificationDefs": [],
"entityDefs": [],
"businessMetadataDefs": [
{
"category": "BUSINESS_METADATA",
"createdBy": "admin",
"updatedBy": "admin",
"version": 1,
"typeVersion": "1.1",
"name": "testBM",
"description": "",
"attributeDefs": [
{
"name": "attrtestBM",
"typeName": "string",
"isOptional": true,
"cardinality": "SINGLE",
"valuesMinCount": 0,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": true,
"options": {
"maxStrLength": "50",
"applicableEntityTypes": "[\"hive_table\"]"
},
"searchWeight": "5"
}
]
}
]
}
Expected Output :
{
"errorCode": "ATLAS-403-00-001",
"errorMessage": "admin is not authorized to perform read type hive_table"
}
Thanks,
chaitali
Re: Review Request 72895: ATLAS-3950 : Read Type Auth :
Classification, Business metadata ,
Entity types are able to have attributes of type which are not permissible
to read
Posted by chaitali <ch...@freestoneinfotech.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72895/
-----------------------------------------------------------
(Updated Sept. 28, 2020, 5:28 p.m.)
Review request for atlas, Jayendra Parab, Madhan Neethiraj, Nixon Rodrigues, and Sarath Subramanian.
Bugs: ATLAS-3950
https://issues.apache.org/jira/browse/ATLAS-3950
Repository: atlas
Description
-------
User is able to create an attribute for businessmetadata/classification/entitydef of typename which doesn't have read access in the ranger policy. UI works fine but through REST, User is able to add any type as attribute typename.
Steps to reproduce:
User has following rights in ranger policy :
CRUD permissions on hive_table type only
CRUD permissions on all business_metadata type.
hrt_qa creates a business metadata bm1
hrt_qa is able to create an attribute for bm1 - say attrib1 which allows Applicable types to be anything. UI displays only hive_table but through REST, hrt_qa is able to add any type as Applicable type.
Diffs (updated)
-----
intg/src/main/java/org/apache/atlas/type/AtlasBusinessMetadataType.java f17300140
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasAbstractDefStoreV2.java 2cb2b4789
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasBusinessMetadataDefStoreV2.java 6b4fa65ae
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasClassificationDefStoreV2.java 9ffede4e3
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityDefStoreV2.java e5153de0e
Diff: https://reviews.apache.org/r/72895/diff/9/
Changes: https://reviews.apache.org/r/72895/diff/8-9/
Testing
-------
Tested with following JSON :
Entity typedef creation with an attribute of typename which admin doesn't have type-read rights for:
{
"enumDefs": [],
"structDefs": [],
"classificationDefs": [],
"entityDefs": [
{
"category": "ENTITY",
"createdBy": "admin",
"updatedBy": "admin",
"createTime": 1537261952180,
"updateTime": 1537262097732,
"version": 3,
"name": "testtab",
"description": "sport",
"typeVersion": "1.4",
"attributeDefs": [
{
"name": "test_name",
"typeName": "string",
"isOptional": false,
"cardinality": "SINGLE",
"valuesMinCount": 1,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": false,
"includeInNotification": false
},
{
"name": "year",
"typeName": "int",
"isOptional": false,
"cardinality": "SINGLE",
"valuesMinCount": 1,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": false,
"includeInNotification": false
},
{
"name": "place",
"typeName": "array<string>",
"isOptional": true,
"cardinality": "SINGLE",
"valuesMinCount": 0,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": false,
"includeInNotification": false
}
],
"superTypes": [
"DataSet"
],
"subTypes": []
}
],
"relationshipDefs": []
}
Classification typedef creation with entitytypes for which doesn't have type-read rights for:
{
"classificationDefs": [
{
"name": "testclass",
"description": "oif",
"superTypes": [],
"attributeDefs": [],
"entityTypes": [
"hdfs_path",
"hive_table"
],
"category": "CLASSIFICATION",
"guid": "-123456789"
}
],
"entityDefs": [],
"enumDefs": [],
"structDefs": []
}
Businessmetadata typedef creation with entitytypes for which admin doesn't have type-read rights for:
{
"enumDefs": [],
"structDefs": [],
"classificationDefs": [],
"entityDefs": [],
"businessMetadataDefs": [
{
"category": "BUSINESS_METADATA",
"createdBy": "admin",
"updatedBy": "admin",
"version": 1,
"typeVersion": "1.1",
"name": "testBM",
"description": "",
"attributeDefs": [
{
"name": "attrtestBM",
"typeName": "string",
"isOptional": true,
"cardinality": "SINGLE",
"valuesMinCount": 0,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": true,
"options": {
"maxStrLength": "50",
"applicableEntityTypes": "[\"hive_table\"]"
},
"searchWeight": "5"
}
]
}
]
}
Expected Output :
{
"errorCode": "ATLAS-403-00-001",
"errorMessage": "admin is not authorized to perform read type hive_table"
}
Thanks,
chaitali
Re: Review Request 72895: ATLAS-3950 : Read Type Auth :
Classification, Business metadata ,
Entity types are able to have attributes of type which are not permissible
to read
Posted by chaitali <ch...@freestoneinfotech.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72895/
-----------------------------------------------------------
(Updated Sept. 28, 2020, 8:11 a.m.)
Review request for atlas, Jayendra Parab, Madhan Neethiraj, Nixon Rodrigues, and Sarath Subramanian.
Bugs: ATLAS-3950
https://issues.apache.org/jira/browse/ATLAS-3950
Repository: atlas
Description
-------
User is able to create an attribute for businessmetadata/classification/entitydef of typename which doesn't have read access in the ranger policy. UI works fine but through REST, User is able to add any type as attribute typename.
Steps to reproduce:
User has following rights in ranger policy :
CRUD permissions on hive_table type only
CRUD permissions on all business_metadata type.
hrt_qa creates a business metadata bm1
hrt_qa is able to create an attribute for bm1 - say attrib1 which allows Applicable types to be anything. UI displays only hive_table but through REST, hrt_qa is able to add any type as Applicable type.
Diffs (updated)
-----
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasAbstractDefStoreV2.java 2cb2b4789
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasBusinessMetadataDefStoreV2.java 6b4fa65ae
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasClassificationDefStoreV2.java 9ffede4e3
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityDefStoreV2.java e5153de0e
Diff: https://reviews.apache.org/r/72895/diff/8/
Changes: https://reviews.apache.org/r/72895/diff/7-8/
Testing
-------
Tested with following JSON :
Entity typedef creation with an attribute of typename which admin doesn't have type-read rights for:
{
"enumDefs": [],
"structDefs": [],
"classificationDefs": [],
"entityDefs": [
{
"category": "ENTITY",
"createdBy": "admin",
"updatedBy": "admin",
"createTime": 1537261952180,
"updateTime": 1537262097732,
"version": 3,
"name": "testtab",
"description": "sport",
"typeVersion": "1.4",
"attributeDefs": [
{
"name": "test_name",
"typeName": "string",
"isOptional": false,
"cardinality": "SINGLE",
"valuesMinCount": 1,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": false,
"includeInNotification": false
},
{
"name": "year",
"typeName": "int",
"isOptional": false,
"cardinality": "SINGLE",
"valuesMinCount": 1,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": false,
"includeInNotification": false
},
{
"name": "place",
"typeName": "array<string>",
"isOptional": true,
"cardinality": "SINGLE",
"valuesMinCount": 0,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": false,
"includeInNotification": false
}
],
"superTypes": [
"DataSet"
],
"subTypes": []
}
],
"relationshipDefs": []
}
Classification typedef creation with entitytypes for which doesn't have type-read rights for:
{
"classificationDefs": [
{
"name": "testclass",
"description": "oif",
"superTypes": [],
"attributeDefs": [],
"entityTypes": [
"hdfs_path",
"hive_table"
],
"category": "CLASSIFICATION",
"guid": "-123456789"
}
],
"entityDefs": [],
"enumDefs": [],
"structDefs": []
}
Businessmetadata typedef creation with entitytypes for which admin doesn't have type-read rights for:
{
"enumDefs": [],
"structDefs": [],
"classificationDefs": [],
"entityDefs": [],
"businessMetadataDefs": [
{
"category": "BUSINESS_METADATA",
"createdBy": "admin",
"updatedBy": "admin",
"version": 1,
"typeVersion": "1.1",
"name": "testBM",
"description": "",
"attributeDefs": [
{
"name": "attrtestBM",
"typeName": "string",
"isOptional": true,
"cardinality": "SINGLE",
"valuesMinCount": 0,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": true,
"options": {
"maxStrLength": "50",
"applicableEntityTypes": "[\"hive_table\"]"
},
"searchWeight": "5"
}
]
}
]
}
Expected Output :
{
"errorCode": "ATLAS-403-00-001",
"errorMessage": "admin is not authorized to perform read type hive_table"
}
Thanks,
chaitali
Re: Review Request 72895: ATLAS-3950 : Read Type Auth :
Classification, Business metadata ,
Entity types are able to have attributes of type which are not permissible
to read
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72895/#review221960
-----------------------------------------------------------
intg/src/main/java/org/apache/atlas/type/AtlasBusinessMetadataType.java
Lines 168 (patched)
<https://reviews.apache.org/r/72895/#comment311026>
I suggest to avoid this method; instead add following version of verifyTypeReadAccess() in AtlasAbstractDefStoreV2; and call this new method from AtlasBusinessMetadataDefStoreV2, AtlasClassificationDefStoreV2 and AtlasEntityDefStoreV2:
class AtlasAbstractDefStoreV2 {
    public void verifyTypeReadAccess(Collection<? extends AtlasType> types) throws AtlasBaseException {
        for (AtlasType type : types) {
            AtlasBaseTypeDef def = typeRegistry.getTypeDefByName(type.getTypeName());

            // require TYPE_READ on each referenced type
            AtlasAuthorizationUtils.verifyAccess(new AtlasTypeAccessRequest(AtlasPrivilege.TYPE_READ, def), "read type-def of category ", def.getCategory(), " ", def.getName());
        }
    }
}
- Madhan Neethiraj
On Sept. 23, 2020, 4:34 p.m., chaitali wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72895/
> -----------------------------------------------------------
>
> (Updated Sept. 23, 2020, 4:34 p.m.)
>
>
> Review request for atlas, Jayendra Parab, Madhan Neethiraj, Nixon Rodrigues, and Sarath Subramanian.
>
>
> Bugs: ATLAS-3950
> https://issues.apache.org/jira/browse/ATLAS-3950
>
>
> Repository: atlas
>
>
> Description
> -------
>
> User is able to create an attribute for businessmetadata/classification/entitydef of typename which doesn't have read access in the ranger policy. UI works fine but through REST, User is able to add any type as attribute typename.
>
> Steps to reproduce:
>
> User has following rights in ranger policy :
>
> CRUD permissions on hive_table type only
>
> CRUD permissions on all business_metadata type.
>
> hrt_qa creates a business metadata bm1
>
> hrt_qa is able to create an attribute for bm1 - say attrib1 which allows Applicable types to be anything. UI displays only hive_table but through REST, hrt_qa is able to add any type as Applicable type.
>
>
> Diffs
> -----
>
> intg/src/main/java/org/apache/atlas/type/AtlasBusinessMetadataType.java f17300140
> repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasAbstractDefStoreV2.java 2cb2b4789
> repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasBusinessMetadataDefStoreV2.java 6b4fa65ae
> repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasClassificationDefStoreV2.java 9ffede4e3
> repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityDefStoreV2.java e5153de0e
>
>
> Diff: https://reviews.apache.org/r/72895/diff/7/
>
>
> Testing
> -------
>
> Tested with following JSON :
>
> Entity typedef creation with an attribute of typename which admin doesn't have type-read rights for:
> {
> "enumDefs": [],
> "structDefs": [],
> "classificationDefs": [],
> "entityDefs": [
> {
> "category": "ENTITY",
> "createdBy": "admin",
> "updatedBy": "admin",
> "createTime": 1537261952180,
> "updateTime": 1537262097732,
> "version": 3,
> "name": "testtab",
> "description": "sport",
> "typeVersion": "1.4",
> "attributeDefs": [
> {
> "name": "test_name",
> "typeName": "string",
> "isOptional": false,
> "cardinality": "SINGLE",
> "valuesMinCount": 1,
> "valuesMaxCount": 1,
> "isUnique": false,
> "isIndexable": false,
> "includeInNotification": false
> },
> {
> "name": "year",
> "typeName": "int",
> "isOptional": false,
> "cardinality": "SINGLE",
> "valuesMinCount": 1,
> "valuesMaxCount": 1,
> "isUnique": false,
> "isIndexable": false,
> "includeInNotification": false
> },
> {
> "name": "place",
> "typeName": "array<string>",
> "isOptional": true,
> "cardinality": "SINGLE",
> "valuesMinCount": 0,
> "valuesMaxCount": 1,
> "isUnique": false,
> "isIndexable": false,
> "includeInNotification": false
> }
> ],
> "superTypes": [
> "DataSet"
> ],
> "subTypes": []
> }
> ],
> "relationshipDefs": []
> }
>
> Classification typedef creation with entitytypes for which doesn't have type-read rights for:
>
> {
> "classificationDefs": [
> {
> "name": "testclass",
> "description": "oif",
> "superTypes": [],
> "attributeDefs": [],
> "entityTypes": [
> "hdfs_path",
> "hive_table"
> ],
> "category": "CLASSIFICATION",
> "guid": "-123456789"
> }
> ],
> "entityDefs": [],
> "enumDefs": [],
> "structDefs": []
> }
>
> Businessmetadata typedef creation with entitytypes for which admin doesn't have type-read rights for:
>
> {
> "enumDefs": [],
> "structDefs": [],
> "classificationDefs": [],
> "entityDefs": [],
> "businessMetadataDefs": [
> {
> "category": "BUSINESS_METADATA",
> "createdBy": "admin",
> "updatedBy": "admin",
> "version": 1,
> "typeVersion": "1.1",
> "name": "testBM",
> "description": "",
> "attributeDefs": [
> {
> "name": "attrtestBM",
> "typeName": "string",
> "isOptional": true,
> "cardinality": "SINGLE",
> "valuesMinCount": 0,
> "valuesMaxCount": 1,
> "isUnique": false,
> "isIndexable": true,
> "options": {
> "maxStrLength": "50",
> "applicableEntityTypes": "[\"hive_table\"]"
> },
> "searchWeight": "5"
> }
> ]
> }
> ]
> }
>
> Expected Output :
>
> {
> "errorCode": "ATLAS-403-00-001",
> "errorMessage": "admin is not authorized to perform read type hive_table"
> }
>
>
> Thanks,
>
> chaitali
>
>
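The server-side check discussed in this thread, modelled as an added Python example (not Atlas code and not part of the review request): it collects every type a typedef payload references through attribute typeName, entityTypes and options.applicableEntityTypes, then denies the request if the caller lacks read access on any of them. The flat set of readable type names standing in for the Ranger policy, the function names and the sample payloads are assumptions made for the example.

```python
import json

# Atlas primitive type names; this model does not require type-read on them.
PRIMITIVES = {"boolean", "byte", "short", "int", "long", "float", "double",
              "biginteger", "bigdecimal", "string", "date"}

# Typedef lists scanned in a request body (modelling choice for this example).
DEF_LISTS = ("entityDefs", "classificationDefs", "businessMetadataDefs",
             "structDefs", "relationshipDefs")


def element_types(type_name):
    """Unwrap array<...> / map<k,v> and return the non-primitive type names."""
    t = (type_name or "").strip()
    if not t:
        raise ValueError("attribute without a typeName")
    if t.startswith("array<") and t.endswith(">"):
        return element_types(t[len("array<"):-1])
    if t.startswith("map<") and t.endswith(">"):
        inner, depth = t[len("map<"):-1], 0
        for i, ch in enumerate(inner):
            depth += (ch == "<") - (ch == ">")
            if ch == "," and depth == 0:  # key/value separator at top level
                return element_types(inner[:i]) | element_types(inner[i + 1:])
        raise ValueError(f"malformed map type: {t}")
    return set() if t in PRIMITIVES else {t}


def collect_referenced_types(typesdef):
    """Every type name the payload refers to, wherever it is spelled."""
    refs = set()
    for key in DEF_LISTS:
        for type_def in typesdef.get(key) or []:
            refs.update(type_def.get("entityTypes") or [])
            for attr in type_def.get("attributeDefs") or []:
                refs |= element_types(attr.get("typeName"))
                options = attr.get("options") or {}
                applicable = options.get("applicableEntityTypes")
                if applicable is None:
                    continue
                # The option is a JSON array encoded as a string; anything
                # else is rejected rather than silently skipped.
                names = json.loads(applicable)
                if not (isinstance(names, list)
                        and all(isinstance(n, str) for n in names)):
                    raise ValueError("applicableEntityTypes must be a JSON list")
                refs.update(names)
    return refs


def verify_type_read_access(user, typesdef, readable_types):
    """Return None when allowed, else an error body shaped like the one quoted
    under 'Expected Output' in this thread."""
    denied = sorted(collect_referenced_types(typesdef) - set(readable_types))
    if not denied:
        return None
    return {"errorCode": "ATLAS-403-00-001",
            "errorMessage": f"{user} is not authorized to perform read type {denied[0]}"}


# Constructed sample requests, cut down from the payloads in the thread.
CLASSIFICATION_REQUEST = {"classificationDefs": [{
    "name": "testclass", "category": "CLASSIFICATION", "attributeDefs": [],
    "entityTypes": ["hdfs_path", "hive_table"]}]}


def business_metadata_request(applicable):
    return {"businessMetadataDefs": [{
        "name": "bm1", "category": "BUSINESS_METADATA",
        "attributeDefs": [{"name": "attrib1", "typeName": "string",
                           "options": {"maxStrLength": "50",
                                       "applicableEntityTypes": applicable}}]}]}


if __name__ == "__main__":
    readable = {"hive_table"}  # hrt_qa may read hive_table only
    print(verify_type_read_access("hrt_qa", CLASSIFICATION_REQUEST, readable))
    print(verify_type_read_access(
        "hrt_qa", business_metadata_request('["hive_table"]'), readable))
```

Because the check runs on the parsed request body rather than on what the UI offers, the same result is returned whichever client submits the payload.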