Posted to dev@ranger.apache.org by Colm O hEigeartaigh <co...@apache.org> on 2018/03/12 18:16:30 UTC
Atlas policies to filter access
Hi all,
I'm using the Ranger plugin to secure access to Atlas. How can I create a
policy in Ranger to allow a user access to a subset of the entities? So for
example, I want to allow "alice" to "read" all entities that have a given
type. I created an authorization policy of "type" "Table", but I get the
following error:
curl -u alice:password "http://localhost:21000/api/atlas/entities?type=Table"
<title>Error 403 {"AuthorizationError":"You are not authorized for READ on [ENTITY] : *"}</title>
How can I allow authorization for a subset of the entities? I guess I need
an authorization policy for "Entity" but it's not clear what values apart
from "*" are supported here?
Colm.
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: Atlas policies to filter access
Posted by Madhan Neethiraj <ma...@apache.org>.
Colm,
Authorizations are in place for the following operations on entities:
- create/update/delete/get
- add/update/remove of classifications
Requirements on filtering of search results based on authorizations need to be discussed further. If you have use cases, can you please file an Atlas JIRA?
Madhan
On 3/15/18, 6:19 AM, "Colm O hEigeartaigh" <co...@apache.org> wrote:
I was able to get past the problems in the previous mail. I'm trying to use
the v2 API but authorization doesn't seem to kick in:
curl -v -u username:password http://localhost:21000/api/atlas/v2/search/basic?typeName=hdfs_path
This call succeeds without the Ranger plugin being called. In
'conf/application.properties' I have "atlas.authorizer.impl = RANGER" and
there are no obvious errors in the logs. Is the Atlas authorization
framework integrated with the newer REST API yet?
Colm.
Re: Atlas policies to filter access
Posted by Colm O hEigeartaigh <co...@apache.org>.
I was able to get past the problems in the previous mail. I'm trying to use
the v2 API but authorization doesn't seem to kick in:
curl -v -u username:password http://localhost:21000/api/atlas/v2/search/basic?typeName=hdfs_path
This call succeeds without the Ranger plugin being called. In
'conf/application.properties' I have "atlas.authorizer.impl = RANGER" and
there are no obvious errors in the logs. Is the Atlas authorization
framework integrated with the newer REST API yet?
Colm.
On Tue, Mar 13, 2018 at 5:49 PM, Colm O hEigeartaigh <co...@apache.org>
wrote:
> Thanks Madhan. Just to clarify - ATLAS-2459 is not yet applied, so do I
> have to apply this manually to get this to work?
>
> When trying to install the current Ranger 1.1.0-SNAPSHOT plugin with the
> latest Atlas SNAPSHOT distribution I see an error in application.log:
>
> java.lang.NoClassDefFoundError: org/codehaus/jackson/jaxrs/JacksonJsonProvider
>     at org.apache.ranger.plugin.util.RangerRESTClient.buildClient(RangerRESTClient.java:209)
>
> I'm wondering if there is a conflict between the jackson-jaxrs-1.9.13.jar
> in the Atlas plugin lib and the version of Jackson used in Atlas?
>
> Colm.
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: Atlas policies to filter access
Posted by Colm O hEigeartaigh <co...@apache.org>.
Thanks Madhan. Just to clarify - ATLAS-2459 is not yet applied, so do I
have to apply this manually to get this to work?
When trying to install the current Ranger 1.1.0-SNAPSHOT plugin with the
latest Atlas SNAPSHOT distribution I see an error in application.log:
java.lang.NoClassDefFoundError: org/codehaus/jackson/jaxrs/JacksonJsonProvider
    at org.apache.ranger.plugin.util.RangerRESTClient.buildClient(RangerRESTClient.java:209)
I'm wondering if there is a conflict between the jackson-jaxrs-1.9.13.jar
in the Atlas plugin lib and the version of Jackson used in Atlas?
Colm.
On Mon, Mar 12, 2018 at 9:14 PM, Madhan Neethiraj <ma...@apache.org> wrote:
> Colm,
>
> Perhaps you are using the Atlas service-def from Ranger master, against
> Atlas from branch-0.8 (or from master before ATLAS-2459)? Earlier Atlas
> versions use a different authorization model, which doesn't allow access
> controls at instance/type levels. Please try with Atlas from the master branch.
>
> Hope this helps.
>
> Madhan
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: Atlas policies to filter access
Posted by Madhan Neethiraj <ma...@apache.org>.
Colm,
Perhaps you are using the Atlas service-def from Ranger master, against Atlas from branch-0.8 (or from master before ATLAS-2459)? Earlier Atlas versions use a different authorization model, which doesn't allow access controls at instance/type levels. Please try with Atlas from the master branch.
Hope this helps.
Madhan
On 3/12/18, 11:16 AM, "Colm O hEigeartaigh" <co...@apache.org> wrote:
Hi all,
I'm using the Ranger plugin to secure access to Atlas. How can I create a
policy in Ranger to allow a user access to a subset of the entities? So for
example, I want to allow "alice" to "read" all entities that have a given
type. I created an authorization policy of "type" "Table", but I get the
following error:
curl -u alice:password "http://localhost:21000/api/atlas/entities?type=Table"
<title>Error 403 {"AuthorizationError":"You are not authorized for READ on [ENTITY] : *"}</title>
How can I allow authorization for a subset of the entities? I guess I need
an authorization policy for "Entity" but it's not clear what values apart
from "*" are supported here?
Colm.
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com