Posted to commits@atlas.apache.org by ma...@apache.org on 2018/05/15 15:06:57 UTC

atlas git commit: ATLAS-2463: documentation of Atlas authorization model

Repository: atlas
Updated Branches:
  refs/heads/master fccfe919d -> f756e9b36


ATLAS-2463: documentation of Atlas authorization model

Signed-off-by: Madhan Neethiraj <ma...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/atlas/repo
Commit: http://git-wip-us.apache.org/repos/asf/atlas/commit/f756e9b3
Tree: http://git-wip-us.apache.org/repos/asf/atlas/tree/f756e9b3
Diff: http://git-wip-us.apache.org/repos/asf/atlas/diff/f756e9b3

Branch: refs/heads/master
Commit: f756e9b36fa27ce6a01e081636884106990e936a
Parents: fccfe91
Author: nixonrodrigues <ni...@apache.org>
Authored: Tue May 15 06:52:00 2018 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Tue May 15 08:05:08 2018 -0700

----------------------------------------------------------------------
 docs/src/site/twiki/Atlas-Authentication.twiki  | 113 +++++++++++++
 .../site/twiki/Atlas-Authorization-Model.twiki  | 110 ++++++++++++
 .../Atlas-Authorization-Simple-Authorizer.twiki | 141 ++++++++++++++++
 .../twiki/Authentication-Authorization.twiki    | 166 -------------------
 docs/src/site/twiki/index.twiki                 |   4 +-
 5 files changed, 367 insertions(+), 167 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/atlas/blob/f756e9b3/docs/src/site/twiki/Atlas-Authentication.twiki
----------------------------------------------------------------------
diff --git a/docs/src/site/twiki/Atlas-Authentication.twiki b/docs/src/site/twiki/Atlas-Authentication.twiki
new file mode 100644
index 0000000..ddaa7fe
--- /dev/null
+++ b/docs/src/site/twiki/Atlas-Authentication.twiki
@@ -0,0 +1,113 @@
+---++ Authentication in Apache Atlas.
+
+---+++ Authentication
+
+Atlas supports following authentication methods
+
+   * *File*
+   * *Kerberos*
+   * *LDAP*
+
+
+Following properties should be set true to enable the authentication of that type in =atlas-application.properties= file.
+
+
+<verbatim>
+atlas.authentication.method.kerberos=true|false
+atlas.authentication.method.ldap=true|false
+atlas.authentication.method.file=true|false
+</verbatim>
+
+If two or more authentication methods are set to true, then the authentication falls back to the latter method if the earlier one fails.
+For example if Kerberos authentication is set to true and ldap authentication is also set to true then, if for a request without kerberos principal and keytab LDAP authentication will be used as a fallback scenario.
+
+---++++FILE method.
+
+File authentication requires users' login details in users credentials file in the format specified below and
+the file path should set to property =atlas.authentication.method.file.filename= in =atlas-application.properties=.
+
+<verbatim>
+atlas.authentication.method.file=true
+atlas.authentication.method.file.filename=${sys:atlas.home}/conf/users-credentials.properties
+</verbatim>
+
+The users credentials file should have below format
+<verbatim>
+username=group::sha256-password
+</verbatim>
+
+For e.g.
+<verbatim>
+admin=ADMIN::e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a
+</verbatim>
+
+Users group can be either *ADMIN*, *DATA_STEWARD* OR *DATA_SCIENTIST*
+
+*Note*:-password is encoded with sha256 encoding method and can be generated using unix tool.
+
+For e.g.
+<verbatim>
+echo -n "Password" | sha256sum
+e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a  -
+</verbatim>
+
+---++++ Kerberos Method.
+
+To enable the authentication in Kerberos mode in Atlas, set the property =atlas.authentication.method.kerberos= to true in =atlas-application.properties=
+
+<verbatim>
+atlas.authentication.method.kerberos = true
+</verbatim>
+
+Also following properties should be set.
+
+<verbatim>
+atlas.authentication.method.kerberos.principal=<principal>/<fqdn>@EXAMPLE.COM
+atlas.authentication.method.kerberos.keytab = /<key tab filepath>.keytab
+atlas.authentication.method.kerberos.name.rules = RULE:[2:$1@$0](atlas@EXAMPLE.COM)s/.*/atlas/
+atlas.authentication.method.kerberos.token.validity = 3600 [ in Seconds (optional)]
+</verbatim>
+
+
+---++++ LDAP Method.
+
+To enable the authentication in LDAP mode in Atlas, set the property =atlas.authentication.method.ldap= to true and also set Ldap type to property =atlas.authentication.method.ldap.type= to LDAP or AD in =atlas-application.properties=.
+Use AD if connecting to Active Directory.
+
+<verbatim>
+atlas.authentication.method.ldap=true
+atlas.authentication.method.ldap.type=ldap|ad
+</verbatim>
+
+
+For LDAP or AD the following configuration needs to be set in atlas application properties.
+
+*Active Directory*
+
+<verbatim>
+atlas.authentication.method.ldap.ad.domain= example.com
+atlas.authentication.method.ldap.ad.url=ldap://<AD server ip>:389
+atlas.authentication.method.ldap.ad.base.dn=DC=example,DC=com
+atlas.authentication.method.ldap.ad.bind.dn=CN=Administrator,CN=Users,DC=example,DC=com
+atlas.authentication.method.ldap.ad.bind.password=<password>
+atlas.authentication.method.ldap.ad.referral=ignore
+atlas.authentication.method.ldap.ad.user.searchfilter=(sAMAccountName={0})
+atlas.authentication.method.ldap.ad.default.role=ROLE_USER
+</verbatim>
+
+*LDAP Directroy*
+
+<verbatim>
+atlas.authentication.method.ldap.url=ldap://<Ldap server ip>:389
+atlas.authentication.method.ldap.userDNpattern=uid={0],ou=users,dc=example,dc=com
+atlas.authentication.method.ldap.groupSearchBase=dc=example,dc=com
+atlas.authentication.method.ldap.groupSearchFilter=(member=cn={0},ou=users,dc=example,dc=com
+atlas.authentication.method.ldap.groupRoleAttribute=cn
+atlas.authentication.method.ldap.base.dn=dc=example,dc=com
+atlas.authentication.method.ldap.bind.dn=cn=Manager,dc=example,dc=com
+atlas.authentication.method.ldap.bind.password=<password>
+atlas.authentication.method.ldap.referral=ignore
+atlas.authentication.method.ldap.user.searchfilter=(uid={0})
+atlas.authentication.method.ldap.default.role=ROLE_USER
+</verbatim>
+
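Review bot: two of the property values in the *LDAP Directroy* block will not work as written: `atlas.authentication.method.ldap.userDNpattern=uid={0],ou=users,dc=example,dc=com` mixes `{` with `]` (it should be `{0}`), and `atlas.authentication.method.ldap.groupSearchFilter=(member=cn={0},ou=users,dc=example,dc=com` is missing its closing `)`; the heading itself should read *LDAP Directory*. In the FILE section, "password is encoded with sha256 encoding method" should say hashed with SHA-256, and since the `echo -n "Password" | sha256sum` example shows the value is an unsalted hash of the bare password, the page should state that the credentials file must be readable only by the Atlas service user.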

http://git-wip-us.apache.org/repos/asf/atlas/blob/f756e9b3/docs/src/site/twiki/Atlas-Authorization-Model.twiki
----------------------------------------------------------------------
diff --git a/docs/src/site/twiki/Atlas-Authorization-Model.twiki b/docs/src/site/twiki/Atlas-Authorization-Model.twiki
new file mode 100644
index 0000000..4a6a729
--- /dev/null
+++ b/docs/src/site/twiki/Atlas-Authorization-Model.twiki
@@ -0,0 +1,110 @@
+
+
+---++ Atlas Authorization Model
+
+
+
+---+++  Introduction
+
+Atlas is a scalable and extensible set of core foundational governance services – enabling enterprises to effectively and
+efficiently meet their compliance requirements within Hadoop and allows integration with the whole enterprise data ecosystem.
+Apache Atlas provides open metadata management and governance capabilities for organizations to build a catalog of their
+data assets, classify and govern these assets and provide collaboration capabilities around these data assets for data
+scientists, analysts and the data governance team.
+
+This document covers details of the authorization model supported by Apache Atlas to control access to metadata managed by Atlas.
+
+---+++ Authorization of access to Types
+Apache Atlas provides a type system that allows users to model the metadata objects they would like to manage. The model
+is composed of definitions called ‘types’. Apache Atlas type system supports following categories of types:
+   * Entity
+   * Classification
+   * Relationship
+   * Struct
+   * Enum
+
+The authorization model enables control of which users, groups can perform the following operations on types, based on
+type names and type categories:
+   * create
+   * update
+   * delete
+
+Here are few examples of access controls supported by the model:
+   * Admin users can create/update/delete types of all categories
+   * Data stewards can create/update/delete classification types
+   * Healthcare data stewards can create/update/delete types having names start with “hc”
+
+
+---+++ Authorization of access to Entities
+An entity is an instance of an entity-type and such instances represent objects in the real world – for example a table
+in Hive, a HDFS file, a Kafka topic. The authorization model enables control of which users, groups can perform the
+following operations on entities – based on entity-types, entity-classifications, entity-id:
+
+   * read
+   * create
+   * update
+   * delete
+   * read classification
+   * add classification
+   * update classification
+   * remove classification
+
+Here are few examples of access controls supported by the model:
+   * Admin users can perform all entity operations on entities of all types
+   * Data stewards can perform all entity operations, except delete, on entities of all types
+   * Data quality admins can add/update/remove DATA_QUALITY classification
+   * Users in specific groups can read/update entities with PII classification or its sub-classification
+   * Finance users can read/update entities whose ID start with ‘finance’
+
+---+++  Authorization of Admin operations
+The authorization model enables control of which users, groups can perform the following administrative operations:
+   * import entities
+   * export entities
+
+Users with above accesses can import/export entities without requiring them to be granted with fine-grained entity level accesses.
+
+---+++ Pluggable Authorization
+Apache Atlas supports a pluggable authorization interface, as shown below, that enable alternate implementations to handle authorizations.
+
+The name of the class implementing the authorization interface can be registered with Apache Atlas using configuration =atlas.authorizer.impl=. When this property is not set, Apache Atlas will use its default implementation in =org.apache.atlas.authorize.simple.AtlasSimpleAuthorizer=.
+
+<verbatim>
+
+package org.apache.atlas.authorize;
+
+public interface AtlasAuthorizer {
+    void init();
+
+    void cleanUp();
+
+    boolean isAccessAllowed(AtlasAdminAccessRequest request) throws AtlasAuthorizationException;
+
+    boolean isAccessAllowed(AtlasEntityAccessRequest request) throws AtlasAuthorizationException;
+
+    boolean isAccessAllowed(AtlasTypeAccessRequest request) throws AtlasAuthorizationException;
+}
+</verbatim>
+
+---+++ Simple Authorizer
+
+Simple authorizer is the default authorizer implementation included in Apache Atlas. For details of setting up Apache Atlas
+to use simple authorizer, please see [[Atlas-Authorization-Simple-Authorizer][Setting up Atlas to use Simple Authorizer]]
+
+---+++ Ranger Authorizer
+
+To configure Apache Atlas to use authorization implementation provided by Apache Ranger, include the following property
+in application.properties config file:
+
+<verbatim>
+atlas.authorizer.impl=ranger
+</verbatim>
+
+Apache Ranger Authorizer requires configuration files to be setup, for example to specify Apache Ranger admin server URL,
+name of the service containing authorization policies, etc. For more details on this, please refer to Apache Ranger documentation.
+
+
+---+++  None authorizer
+In addition to the default authorizer, Apache Atlas includes an authorizer that permits all accesses to all users. This authorizer can be useful in test environments and unit tests. To use this authorizer, set the following configuration:
+<verbatim>
+atlas.authorizer.impl=NONE
+</verbatim>
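Review bot: the configuration file is called `application.properties` in the Ranger Authorizer section, while the Authentication page uses `=atlas-application.properties=`; use one name throughout. In Pluggable Authorization, "that enable alternate implementations" should be "that enables alternate implementations". The None authorizer section only hints at the consequence with "useful in test environments"; it should say plainly that `atlas.authorizer.impl=NONE` disables authorization for every user and must not be used on a server holding real metadata.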

http://git-wip-us.apache.org/repos/asf/atlas/blob/f756e9b3/docs/src/site/twiki/Atlas-Authorization-Simple-Authorizer.twiki
----------------------------------------------------------------------
diff --git a/docs/src/site/twiki/Atlas-Authorization-Simple-Authorizer.twiki b/docs/src/site/twiki/Atlas-Authorization-Simple-Authorizer.twiki
new file mode 100644
index 0000000..07753de
--- /dev/null
+++ b/docs/src/site/twiki/Atlas-Authorization-Simple-Authorizer.twiki
@@ -0,0 +1,141 @@
+---+++ Setting up Atlas to use Simple Authorizer
+
+As detailed in [[Atlas-Authorization-Model][Atlas Authorization Model]], Apache Atlas supports a pluggable authorization
+model. Simple authorizer is the default authorizer implementation included in Apache Atlas. Simple authorizer uses
+policies defined in a JSON file. This document provides details of steps to configure Apache Atlas to use the simple
+authorizer and details of the JSON file format containing authorization policies.
+
+
+---++++  Configure Apache Atlas
+
+To configure Apache Atlas to use simple authorizer, include the following properties in application.properties config file:
+
+<verbatim>
+atlas.authorizer.impl=simple
+atlas.authorizer.simple.authz.policy.file=/etc/atlas/conf/atlas-simple-authz-policy.json
+</verbatim>
+
+Please note that if the policy file location specified is not an absolute path, the file will be looked up in following paths:
+   * Apache Atlas configuration directory (specified by system property =atlas.conf=)
+   * Apache Atlas server's current directory
+   * CLASSPATH
+
+---++++  Policy file format
+
+Simple authorizer uses =roles= to group permissions, which can then be assigned to users and user-groups. Following examples
+would help to understand the details of the policy file format:
+
+---+++++  Roles
+Following policy file defines 3 roles:
+   * ROLE_ADMIN: has all permissions
+   * PROD_READ_ONLY: has access to read entities having qualifiedName ending with "@prod"
+   * TEST_ALL_ACCESS: has all access to entities having qualifiedName ending with "@test"
+
+Simple authorizer supports Java reg-ex to specify values for privilege/entity-type/entity-id/classification/typeName/typeCategory.
+
+<verbatim>
+{
+  "roles": {
+    "ROLE_ADMIN": {
+      "adminPermissions": [
+        {
+          "privileges": [ ".*" ]
+        }
+      ],
+
+      "entityPermissions": [
+        {
+          "privileges":      [ ".*" ],
+          "entityTypes":     [ ".*" ],
+          "entityIds":       [ ".*" ],
+          "classifications": [ ".*" ]
+        }
+      ],
+
+      "typePermissions": [
+        {
+          "privileges":     [ ".*" ],
+          "typeCategories": [ ".*" ],
+          "typeNames":      [ ".*" ]
+        }
+      ]
+    },
+
+    "PROD_READ_ONLY" : {
+      "entityPermissions": [
+        {
+          "privileges":      [ "entity-read", "entity-read-classification" ],
+          "entityTypes":     [ ".*" ],
+          "entityIds":       [ ".*@prod" ],
+          "classifications": [ ".*" ]
+        }
+    }
+
+    "TEST_ALL_ACCESS" : {
+      "entityPermissions": [
+        {
+          "privileges":      [ ".*" ],
+          "entityTypes":     [ ".*" ],
+          "entityIds":       [ ".*@test" ],
+          "classifications": [ ".*" ]
+        }
+    }
+  },
+
+  "userRoles": {
+   ...
+  },
+
+  "groupRoles": {
+   ...
+  }
+}
+
+</verbatim>
+
+---+++++  Assign Roles to Users and User Grips
+
+Roles defined above can be assigned (granted) to users as shown below:
+
+<verbatim>
+{
+  "roles": {
+   ...
+  },
+
+  "userRoles": {
+    "admin":   [ "ROLE_ADMIN" ],
+    "steward": [ "DATA_STEWARD" ],
+    "user1":   [ "PROD_READ_ONLY" ],
+    "user2":   [ "TEST_ALL_ACCESS" ],
+    "user3":   [ "PROD_READ_ONLY", "TEST_ALL_ACCESS" ],
+  },
+
+  "groupRoles": {
+   ...
+  }
+}
+</verbatim>
+
+Roles can be assigned (granted) to user-groups as shown below. An user can belong to multiple groups; roles assigned to
+all groups the user belongs to will be used to authorize the access.
+
+<verbatim>
+{
+  "roles": {
+   ...
+  },
+
+  "userRoles": {
+   ...
+  },
+
+  "groupRoles": {
+    "admins":        [ "ROLE_ADMIN" ],
+    "dataStewards":  [ "DATA_STEWARD" ],
+    "testUsers":     [ "TEST_ALL_ACCESS" ],
+    "prodReadUsers": [ "PROD_READ_ONLY" ]
+  }
+}
+</verbatim>
+
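Review bot: the Roles example is not valid JSON: the `entityPermissions` arrays of `PROD_READ_ONLY` and `TEST_ALL_ACCESS` are opened with `[` but never closed with `]`, there is no comma between the `PROD_READ_ONLY` and `TEST_ALL_ACCESS` objects, and in the user example `"user3":   [ "PROD_READ_ONLY", "TEST_ALL_ACCESS" ],` leaves a trailing comma before `}`. Both the user and group examples grant `DATA_STEWARD`, which is not one of the three roles defined above; either define it or drop it. The heading "Assign Roles to Users and User Grips" should read "User Groups", and "An user" should be "A user". Given that a non-absolute policy file path is also resolved from the server's current directory and the CLASSPATH, the page should recommend an absolute path so that an unexpected file on the classpath cannot silently supply the policies.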

http://git-wip-us.apache.org/repos/asf/atlas/blob/f756e9b3/docs/src/site/twiki/Authentication-Authorization.twiki
----------------------------------------------------------------------
diff --git a/docs/src/site/twiki/Authentication-Authorization.twiki b/docs/src/site/twiki/Authentication-Authorization.twiki
deleted file mode 100644
index 9832a92..0000000
--- a/docs/src/site/twiki/Authentication-Authorization.twiki
+++ /dev/null
@@ -1,166 +0,0 @@
----++ Authentication & Authorization in Apache Atlas.
-
----+++ Authentication
-
-Atlas supports following authentication methods
-
-   * *File*
-   * *Kerberos*
-   * *LDAP*
-
-
-Following properties should be set true to enable the authentication of that type in =atlas-application.properties= file.
-
-
-<verbatim>
-atlas.authentication.method.kerberos=true|false
-atlas.authentication.method.ldap=true|false
-atlas.authentication.method.file=true|false
-</verbatim>
-
-If two or more authentication methods are set to true, then the authentication falls back to the latter method if the earlier one fails.
-For example if Kerberos authentication is set to true and ldap authentication is also set to true then, if for a request without kerberos principal and keytab LDAP authentication will be used as a fallback scenario.
-
----++++FILE method.
-
-File authentication requires users' login details in users credentials file in the format specified below and
-the file path should set to property =atlas.authentication.method.file.filename= in =atlas-application.properties=.
-
-<verbatim>
-atlas.authentication.method.file=true
-atlas.authentication.method.file.filename=${sys:atlas.home}/conf/users-credentials.properties
-</verbatim>
-
-The users credentials file should have below format
-<verbatim>
-username=group::sha256-password
-</verbatim>
-
-For e.g.
-<verbatim>
-admin=ADMIN::e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a
-</verbatim>
-
-Users group can be either *ADMIN*, *DATA_STEWARD* OR *DATA_SCIENTIST*
-
-*Note*:-password is encoded with sha256 encoding method and can be generated using unix tool.
-
-For e.g.
-<verbatim>
-echo -n "Password" | sha256sum
-e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a  -
-</verbatim>
-
----++++ Kerberos Method.
-
-To enable the authentication in Kerberos mode in Atlas, set the property =atlas.authentication.method.kerberos= to true in =atlas-application.properties=
-
-<verbatim>
-atlas.authentication.method.kerberos = true
-</verbatim>
-
-Also following properties should be set.
-
-<verbatim>
-atlas.authentication.method.kerberos.principal=<principal>/<fqdn>@EXAMPLE.COM
-atlas.authentication.method.kerberos.keytab = /<key tab filepath>.keytab
-atlas.authentication.method.kerberos.name.rules = RULE:[2:$1@$0](atlas@EXAMPLE.COM)s/.*/atlas/
-atlas.authentication.method.kerberos.token.validity = 3600 [ in Seconds (optional)]
-</verbatim>
-
-
----++++ LDAP Method.
-
-To enable the authentication in LDAP mode in Atlas, set the property =atlas.authentication.method.ldap= to true and also set Ldap type to property =atlas.authentication.method.ldap.type= to LDAP or AD in =atlas-application.properties=.
-Use AD if connecting to Active Directory.
-
-<verbatim>
-atlas.authentication.method.ldap=true
-atlas.authentication.method.ldap.type=ldap|ad
-</verbatim>
-
-
-For LDAP or AD the following configuration needs to be set in atlas application properties.
-
-*Active Directory*
-
-<verbatim>
-atlas.authentication.method.ldap.ad.domain= example.com
-atlas.authentication.method.ldap.ad.url=ldap://<AD server ip>:389
-atlas.authentication.method.ldap.ad.base.dn=DC=example,DC=com
-atlas.authentication.method.ldap.ad.bind.dn=CN=Administrator,CN=Users,DC=example,DC=com
-atlas.authentication.method.ldap.ad.bind.password=<password>
-atlas.authentication.method.ldap.ad.referral=ignore
-atlas.authentication.method.ldap.ad.user.searchfilter=(sAMAccountName={0})
-atlas.authentication.method.ldap.ad.default.role=ROLE_USER
-</verbatim>
-
-*LDAP Directroy*
-
-<verbatim>
-atlas.authentication.method.ldap.url=ldap://<Ldap server ip>:389
-atlas.authentication.method.ldap.userDNpattern=uid={0],ou=users,dc=example,dc=com
-atlas.authentication.method.ldap.groupSearchBase=dc=example,dc=com
-atlas.authentication.method.ldap.groupSearchFilter=(member=cn={0},ou=users,dc=example,dc=com
-atlas.authentication.method.ldap.groupRoleAttribute=cn
-atlas.authentication.method.ldap.base.dn=dc=example,dc=com
-atlas.authentication.method.ldap.bind.dn=cn=Manager,dc=example,dc=com
-atlas.authentication.method.ldap.bind.password=<password>
-atlas.authentication.method.ldap.referral=ignore
-atlas.authentication.method.ldap.user.searchfilter=(uid={0})
-atlas.authentication.method.ldap.default.role=ROLE_USER
-</verbatim>
-
----+++ Authorization
-
-
----++++ Atlas Authorization Methods [Simple/Ranger]
-To set authorization in atlas, update the =atlas.authorizer.impl= properties in =atlas-application.properties=
-   * *Simple*
-   * *Ranger*
-
-
-
-<verbatim>
-atlas.authorizer.impl=simple | ranger | <Qualified Authorizer Class Name>
-</verbatim>
-
----++++ Simple Authorizer.
-
-In Simple Authorizer the policy store file is configured locally. The path of policy store file is set in
-=atlas.auth.policy.file= property of =atlas-application.properties=
-
-<verbatim>
-atlas.auth.policy.file={{conf_dir}}/policy-store.txt
-</verbatim>
-
-The policy store file format is as follows:
-
-<verbatim>
-Policy_Name;;User_Name:Operations_Allowed;;Group_Name:Operations_Allowed;;Resource_Type:Resource_Name
-</verbatim>
-
-eg. of admin policy:
-<verbatim>
-adminPolicy;;admin:rwud;;ROLE_ADMIN:rwud;;type:*,entity:*,operation:*,taxonomy:*,term:*
-</verbatim>
-
-Note : The User_Name, Group_Name and Operations_Allowed are comma(,) separated lists.
-
-Authorizer Resource Types:
-   * Operation
-   * Type
-   * Entity
-   * Taxonomy
-   * Term
-   * Unknown
-
-
-Operations_Allowed are  r = read, w = write, u = update, d = delete
-
-
----++++ Ranger Authorizer.
-
-Ranger Authorizer is enabled by activating Atlas-Ranger plugin from Ambari.
-
-For more details visit the [[http://ranger.apache.org/][Apache-Ranger documentation]].
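Review bot: this removes the only description of the previous policy-store format (`atlas.auth.policy.file={{conf_dir}}/policy-store.txt` with `Policy_Name;;User_Name:Operations_Allowed;;...` lines), but none of the new pages says whether `atlas.auth.policy.file` is still honoured or how existing policies map onto the JSON `roles`/`userRoles`/`groupRoles` format read from `atlas.authorizer.simple.authz.policy.file`; a short migration note in the Simple Authorizer page would keep operators from relying on a policy-store.txt that may no longer be read.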

http://git-wip-us.apache.org/repos/asf/atlas/blob/f756e9b3/docs/src/site/twiki/index.twiki
----------------------------------------------------------------------
diff --git a/docs/src/site/twiki/index.twiki b/docs/src/site/twiki/index.twiki
index 258dfbb..4f74702 100755
--- a/docs/src/site/twiki/index.twiki
+++ b/docs/src/site/twiki/index.twiki
@@ -55,7 +55,9 @@ capabilities around these data assets for data scientists, analysts and the data
    * [[Search - Basic][Search: Basic]]
    * [[Search - Advanced][Search: Advanced]]
    * [[security][Security]]
-   * [[Authentication-Authorization][Authentication and Authorization]]
+   * [[Atlas-Authentication][Authentication]]
+   * [[Atlas-Authorization-Model][Atlas Authorization Model]]
+      * [[Configure-simple-authorizer][Steps to configure Atlas Simple Authorizer]]
    * [[Configuration][Configuration]]
    * [[Notifications][Notifications]]
    * Hooks & Bridges
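Review bot: the new sub-item links to `[[Configure-simple-authorizer][Steps to configure Atlas Simple Authorizer]]`, but the page added in this commit is `Atlas-Authorization-Simple-Authorizer.twiki`, and the Authorization Model page links to it as `[[Atlas-Authorization-Simple-Authorizer][Setting up Atlas to use Simple Authorizer]]`; as written this index entry is a broken link, so change the target to `Atlas-Authorization-Simple-Authorizer`.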