You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@atlas.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2019/12/01 16:40:00 UTC
[jira] [Commented] (ATLAS-3261) Ranger Authorizer for Atlas is not
checked for kafka messages
[ https://issues.apache.org/jira/browse/ATLAS-3261?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16985604#comment-16985604 ]
ASF subversion and git services commented on ATLAS-3261:
--------------------------------------------------------
Commit 48df6544f92df81dc49820b8cd2900666cb14e0a in atlas's branch refs/heads/master from arempter
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=48df654 ]
ATLAS-3261: added option to authorize notifications using username given in the message
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
> Ranger Authorizer for Atlas is not checked for kafka messages
> -------------------------------------------------------------
>
> Key: ATLAS-3261
> URL: https://issues.apache.org/jira/browse/ATLAS-3261
> Project: Atlas
> Issue Type: Bug
> Components: atlas-intg
> Affects Versions: 1.1.0, 2.0.0
> Reporter: Adam Rempter
> Priority: Major
> Labels: security
> Fix For: 2.1.0, 3.0.0
>
> Time Spent: 1.5h
> Remaining Estimate: 0h
>
> Atlas can be configured to authorize user actions with Ranger ([https://atlas.apache.org/1.1.0/Atlas-Authorization-Ranger-Authorizer.html]).
>
> When I use user via REST it works:
> curl -X GET -u testuser:testuser http://localhost:21000/api/atlas/v2/entity/guid/f52151a0-fa08-4eab-b885-ece847a106e0
> {"errorCode":"ATLAS-403-00-001","errorMessage":"testuser is not authorized to perform read entity: guid=f52151a0-fa08-4eab-b885-ece847a106e0"}
>
> When I send lineage to ATLAS_HOOK, I can create lineage successfully:
> 2019-06-04 14:01:38,974 2019-06-04T12:01:23.867Z|testuser|NotificationHookConsumer|POST|api/atlas/v2/entity/|200|15119
> In above, I think user is taken from lineage message field user in json.
>
> Of course above is valid if another policy in ranger (kafka plugin) allows puting messages to ATLAS_HOOK topic.
>
> But if I have one user (technical account) to produce to kafka and I want to deny access in Atlas based on user from message, atlas ranger authorizer doens't work.
>
>
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)