You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@atlas.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2019/12/01 16:40:00 UTC

[jira] [Commented] (ATLAS-3261) Ranger Authorizer for Atlas is not checked for kafka messages

    [ https://issues.apache.org/jira/browse/ATLAS-3261?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16985604#comment-16985604 ] 

ASF subversion and git services commented on ATLAS-3261:
--------------------------------------------------------

Commit 48df6544f92df81dc49820b8cd2900666cb14e0a in atlas's branch refs/heads/master from arempter
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=48df654 ]

ATLAS-3261: added option to authorize notifications using username given in the message

Signed-off-by: Madhan Neethiraj <ma...@apache.org>


> Ranger Authorizer for Atlas is not checked for kafka messages
> -------------------------------------------------------------
>
>                 Key: ATLAS-3261
>                 URL: https://issues.apache.org/jira/browse/ATLAS-3261
>             Project: Atlas
>          Issue Type: Bug
>          Components: atlas-intg
>    Affects Versions: 1.1.0, 2.0.0
>            Reporter: Adam Rempter
>            Priority: Major
>              Labels: security
>             Fix For: 2.1.0, 3.0.0
>
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> Atlas can be configured to authorize user actions with Ranger ([https://atlas.apache.org/1.1.0/Atlas-Authorization-Ranger-Authorizer.html]).
>  
> When I use user via REST it works:
> curl -X GET -u testuser:testuser http://localhost:21000/api/atlas/v2/entity/guid/f52151a0-fa08-4eab-b885-ece847a106e0
> {"errorCode":"ATLAS-403-00-001","errorMessage":"testuser is not authorized to perform read entity: guid=f52151a0-fa08-4eab-b885-ece847a106e0"}
>  
> When I send lineage to ATLAS_HOOK, I can create lineage successfully:
> 2019-06-04 14:01:38,974 2019-06-04T12:01:23.867Z|testuser|NotificationHookConsumer|POST|api/atlas/v2/entity/|200|15119
> In above, I think user is taken from lineage message field user in json.
>  
> Of course above is valid if another policy in ranger  (kafka plugin) allows puting messages to ATLAS_HOOK topic. 
>  
> But if I have one user (technical account) to produce to kafka and I want to deny access in Atlas based on user from message, atlas ranger authorizer doens't work.
>  
>  
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)