You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@atlas.apache.org by "Adam Rempter (JIRA)" <ji...@apache.org> on 2019/06/04 12:18:00 UTC
[jira] [Created] (ATLAS-3261) Ranger Authorizer for Atlas is not
checked for kafka messages
Adam Rempter created ATLAS-3261:
-----------------------------------
Summary: Ranger Authorizer for Atlas is not checked for kafka messages
Key: ATLAS-3261
URL: https://issues.apache.org/jira/browse/ATLAS-3261
Project: Atlas
Issue Type: Bug
Components: atlas-intg
Affects Versions: 2.0.0, 1.1.0
Reporter: Adam Rempter
Atlas can be configured to authorize user actions with Ranger ([https://atlas.apache.org/1.1.0/Atlas-Authorization-Ranger-Authorizer.html]).
When I use user via REST it works:
curl -X GET -u testuser:testuser http://localhost:21000/api/atlas/v2/entity/guid/f52151a0-fa08-4eab-b885-ece847a106e0
{"errorCode":"ATLAS-403-00-001","errorMessage":"testuser is not authorized to perform read entity: guid=f52151a0-fa08-4eab-b885-ece847a106e0"}
When I send lineage to ATLAS_HOOK, I can create lineage successfully:
2019-06-04 14:01:38,974 2019-06-04T12:01:23.867Z|testuser|NotificationHookConsumer|POST|api/atlas/v2/entity/|200|15119
In above, I think user is taken from lineage message field user in json.
Of course above is valid if another policy in ranger (kafka plugin) allows puting messages to ATLAS_HOOK topic.
But if I have one user (technical account) to produce to kafka and I want to deny access in Atlas based on user from message, atlas ranger authorizer doens't work.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)