You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@atlas.apache.org by sh...@apache.org on 2016/05/20 17:57:21 UTC
[3/3] incubator-atlas git commit: ATLAS-495 Atlas Ranger
Authorization Plugin (nixonrodrigues via shwethags)
ATLAS-495 Atlas Ranger Authorization Plugin (nixonrodrigues via shwethags)
Project: http://git-wip-us.apache.org/repos/asf/incubator-atlas/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-atlas/commit/353ea964
Tree: http://git-wip-us.apache.org/repos/asf/incubator-atlas/tree/353ea964
Diff: http://git-wip-us.apache.org/repos/asf/incubator-atlas/diff/353ea964
Branch: refs/heads/master
Commit: 353ea964e594cb33096263791fae95720203d2cc
Parents: 19751c6
Author: Shwetha GS <ss...@hortonworks.com>
Authored: Fri May 20 23:25:31 2016 +0530
Committer: Shwetha GS <ss...@hortonworks.com>
Committed: Fri May 20 23:25:31 2016 +0530
----------------------------------------------------------------------
authorization/pom.xml | 57 +++
.../atlas/authorize/AtlasAccessRequest.java | 125 ++++++
.../atlas/authorize/AtlasActionTypes.java | 22 ++
.../authorize/AtlasAuthorizationException.java | 40 ++
.../apache/atlas/authorize/AtlasAuthorizer.java | 42 ++
.../atlas/authorize/AtlasAuthorizerFactory.java | 84 ++++
.../atlas/authorize/AtlasResourceTypes.java | 23 ++
.../simple/AtlasAuthorizationUtils.java | 131 +++++++
.../atlas/authorize/simple/FileReaderUtil.java | 56 +++
.../atlas/authorize/simple/PolicyDef.java | 70 ++++
.../atlas/authorize/simple/PolicyParser.java | 265 +++++++++++++
.../atlas/authorize/simple/PolicyUtil.java | 103 +++++
.../authorize/simple/SimpleAtlasAuthorizer.java | 387 +++++++++++++++++++
.../simple/AtlasAuthorizationUtilsTest.java | 118 ++++++
.../authorize/simple/PolicyParserTest.java | 172 +++++++++
.../atlas/authorize/simple/PolicyUtilTest.java | 100 +++++
.../simple/SimpleAtlasAuthorizerTest.java | 208 ++++++++++
common/pom.xml | 6 +
.../org/apache/atlas/utils/PropertiesUtil.java | 137 +++++++
.../apache/atlas/utils/XMLPropertiesUtil.java | 85 ++++
distro/src/conf/atlas-application.properties | 3 +
distro/src/conf/policy-store.txt | 2 -
distro/src/conf/users-credentials.properties | 2 -
pom.xml | 3 +
release-log.txt | 1 +
webapp/pom.xml | 6 +
.../atlas/authorize/AtlasAccessRequest.java | 117 ------
.../atlas/authorize/AtlasAccessorTypes.java | 22 --
.../atlas/authorize/AtlasActionTypes.java | 22 --
.../authorize/AtlasAuthorizationException.java | 40 --
.../authorize/AtlasAuthorizationUtils.java | 149 -------
.../apache/atlas/authorize/AtlasAuthorizer.java | 43 ---
.../atlas/authorize/AtlasResourceTypes.java | 23 --
.../org/apache/atlas/authorize/PolicyDef.java | 67 ----
.../apache/atlas/authorize/PolicyParser.java | 238 ------------
.../org/apache/atlas/authorize/PolicyUtil.java | 164 --------
.../atlas/authorize/SimpleAtlasAuthorizer.java | 380 ------------------
.../org/apache/atlas/util/FileReaderUtil.java | 56 ---
.../org/apache/atlas/util/PropertiesUtil.java | 135 -------
.../apache/atlas/util/XMLPropertiesUtil.java | 85 ----
.../web/filters/AtlasAuthorizationFilter.java | 96 +++--
.../security/AtlasADAuthenticationProvider.java | 2 +-
.../AtlasLdapAuthenticationProvider.java | 2 +-
.../main/webapp/WEB-INF/applicationContext.xml | 4 +-
.../authorize/AtlasAuthorizationUtilsTest.java | 121 ------
.../atlas/authorize/PolicyParserTest.java | 167 --------
.../apache/atlas/authorize/PolicyUtilTest.java | 95 -----
.../authorize/SimpleAtlasAuthorizerTest.java | 185 ---------
48 files changed, 2303 insertions(+), 2158 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/353ea964/authorization/pom.xml
----------------------------------------------------------------------
diff --git a/authorization/pom.xml b/authorization/pom.xml
new file mode 100644
index 0000000..74c433b
--- /dev/null
+++ b/authorization/pom.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0"?>
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"
+ xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.atlas</groupId>
+ <artifactId>apache-atlas</artifactId>
+ <version>0.7-incubating-SNAPSHOT</version>
+ </parent>
+ <artifactId>atlas-authorization</artifactId>
+ <name>Apache Atlas Authorization</name>
+ <packaging>jar</packaging>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.atlas</groupId>
+ <artifactId>atlas-common</artifactId>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.atlas</groupId>
+ <artifactId>atlas-client</artifactId>
+ </dependency>
+
+ <dependency>
+ <groupId>javax.servlet</groupId>
+ <artifactId>javax.servlet-api</artifactId>
+ <version>${javax.servlet.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.testng</groupId>
+ <artifactId>testng</artifactId>
+ </dependency>
+
+ </dependencies>
+</project>
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/353ea964/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
new file mode 100644
index 0000000..377aca7
--- /dev/null
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
@@ -0,0 +1,125 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.atlas.authorize;
+
+import java.util.Date;
+import java.util.Set;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.atlas.authorize.simple.AtlasAuthorizationUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class AtlasAccessRequest {
+
+ private static Logger LOG = LoggerFactory.getLogger(AtlasAccessRequest.class);
+ private static boolean isDebugEnabled = LOG.isDebugEnabled();
+ private Set<AtlasResourceTypes> resourceType = null;
+ private String resource = null;
+ private AtlasActionTypes action = null;
+ private String user = null;
+ private Set<String> userGroups = null;
+ private Date accessTime = null;
+ private String clientIPAddress = null;
+
+ public AtlasAccessRequest(HttpServletRequest request, String user, Set<String> userGroups) {
+ this(AtlasAuthorizationUtils.getAtlasResourceType(request.getServletPath()), "*", AtlasAuthorizationUtils
+ .getAtlasAction(request.getMethod()), user, userGroups);
+ }
+
+ public AtlasAccessRequest(Set<AtlasResourceTypes> resourceType, String resource, AtlasActionTypes action,
+ String user, Set<String> userGroups) {
+ if (isDebugEnabled) {
+ LOG.debug("==> AtlasAccessRequestImpl-- Initializing AtlasAccessRequest");
+ }
+ setResource(resource);
+ setAction(action);
+ setUser(user);
+ setUserGroups(userGroups);
+ setResourceType(resourceType);
+
+ // set remaining fields to default value
+ setAccessTime(null);
+ setClientIPAddress(null);
+ }
+
+ public Set<AtlasResourceTypes> getResourceTypes() {
+ return resourceType;
+ }
+
+ public void setResourceType(Set<AtlasResourceTypes> resourceType) {
+ this.resourceType = resourceType;
+ }
+
+ public String getResource() {
+ return resource;
+ }
+
+ public void setResource(String resource) {
+ this.resource = resource;
+ }
+
+ public AtlasActionTypes getAction() {
+ return action;
+ }
+
+ public void setAction(AtlasActionTypes action) {
+ this.action = action;
+ }
+
+ public String getUser() {
+ return user;
+ }
+
+ public void setUser(String user) {
+ this.user = user;
+ }
+
+ public void setUserGroups(Set<String> userGroups) {
+ this.userGroups = userGroups;
+ }
+
+ public Set<String> getUserGroups() {
+ return userGroups;
+ }
+
+ public Date getAccessTime() {
+ return accessTime;
+ }
+
+ public void setAccessTime(Date accessTime) {
+ this.accessTime = accessTime;
+ }
+
+ public String getClientIPAddress() {
+ return clientIPAddress;
+ }
+
+ public void setClientIPAddress(String clientIPAddress) {
+ this.clientIPAddress = clientIPAddress;
+ }
+
+ @Override
+ public String toString() {
+ return "AtlasAccessRequest [resourceType=" + resourceType + ", resource=" + resource + ", action=" + action
+ + ", user=" + user + ", userGroups=" + userGroups + ", accessTime=" + accessTime + ", clientIPAddress="
+ + clientIPAddress + "]";
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/353ea964/authorization/src/main/java/org/apache/atlas/authorize/AtlasActionTypes.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasActionTypes.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasActionTypes.java
new file mode 100644
index 0000000..b42162f
--- /dev/null
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasActionTypes.java
@@ -0,0 +1,22 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.atlas.authorize;
+
+public enum AtlasActionTypes {
+ READ, CREATE, UPDATE, DELETE;
+}
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/353ea964/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationException.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationException.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationException.java
new file mode 100644
index 0000000..ff35e7d
--- /dev/null
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationException.java
@@ -0,0 +1,40 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.atlas.authorize;
+
+public class AtlasAuthorizationException extends Exception {
+ private static final long serialVersionUID = 1L;
+
+ public AtlasAuthorizationException(String message) {
+ super(message);
+ }
+
+ public AtlasAuthorizationException(String message, Throwable exception) {
+ super(message, exception);
+ }
+
+ public AtlasAuthorizationException(String message, Throwable exception, boolean enableSuppression,
+ boolean writableStackTrace) {
+ super(message, exception, enableSuppression, writableStackTrace);
+ }
+
+ public AtlasAuthorizationException(AtlasAccessRequest request) {
+ super("Unauthorized Request : " + request);
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/353ea964/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java
new file mode 100644
index 0000000..9c50a04
--- /dev/null
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java
@@ -0,0 +1,42 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.atlas.authorize;
+
+
+public interface AtlasAuthorizer {
+
+
+ /**
+ * This method will load the policy file and would initialize the required data-structures.
+ */
+ public void init();
+
+ /**
+ * This method is responsible to perform the actual authorization for every REST API call. It will check if
+ * user can perform action on resource.
+ */
+ public boolean isAccessAllowed(AtlasAccessRequest request) throws AtlasAuthorizationException;
+
+ /**
+ * This method is responsible to perform the cleanup and release activities. It must be called when you are done
+ * with the Authorization activity and once it's called a restart would be required. Try to invoke this while
+ * destroying the context.
+ */
+ public void cleanUp();
+}
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/353ea964/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java
new file mode 100644
index 0000000..5aad72d
--- /dev/null
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java
@@ -0,0 +1,84 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.atlas.authorize;
+
+import org.apache.atlas.ApplicationProperties;
+import org.apache.atlas.AtlasException;
+import org.apache.commons.configuration.Configuration;
+import org.apache.commons.lang.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class AtlasAuthorizerFactory {
+
+ private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthorizerFactory.class);
+ private static final String SIMPLE_AUTHORIZER = "org.apache.atlas.authorize.simple.SimpleAtlasAuthorizer";
+ private static final String RANGER_AUTHORIZER =
+ "org.apache.ranger.authorization.atlas.authorizer.RangerAtlasAuthorizer";
+ private static volatile AtlasAuthorizer INSTANCE = null;
+ private static boolean isDebugEnabled = LOG.isDebugEnabled();
+
+ public static AtlasAuthorizer getAtlasAuthorizer() throws AtlasAuthorizationException {
+ Configuration configuration = null;
+ try {
+ configuration = ApplicationProperties.get();
+ } catch (AtlasException e) {
+ if (LOG.isErrorEnabled()) {
+ LOG.error("Exception while fetching configuration. ", e);
+ }
+ }
+ AtlasAuthorizer ret = INSTANCE;
+
+ if (ret == null) {
+ synchronized (AtlasAuthorizerFactory.class) {
+ if (INSTANCE == null) {
+ String authorizerClass =
+ configuration != null ? configuration.getString("atlas.authorizer.impl") : "SIMPLE";
+
+ if (StringUtils.isNotEmpty(authorizerClass)) {
+ if (StringUtils.equalsIgnoreCase(authorizerClass, "SIMPLE")) {
+ authorizerClass = SIMPLE_AUTHORIZER;
+ } else if (StringUtils.equalsIgnoreCase(authorizerClass, "RANGER")) {
+ authorizerClass = RANGER_AUTHORIZER;
+ }
+ } else {
+ authorizerClass = SIMPLE_AUTHORIZER;
+ }
+
+ if (isDebugEnabled) {
+ LOG.debug("Initializing Authorizer :: " + authorizerClass);
+ }
+ try {
+ Class authorizerMetaObject = Class.forName(authorizerClass);
+ if (authorizerMetaObject != null) {
+ INSTANCE = (AtlasAuthorizer) authorizerMetaObject.newInstance();
+ }
+ } catch (Exception e) {
+ LOG.error("Error while creating authorizer of type '" + authorizerClass + "'", e);
+ throw new AtlasAuthorizationException("Error while creating authorizer of type '"
+ + authorizerClass + "'", e);
+ }
+ ret = INSTANCE;
+ }
+ }
+ }
+ return ret;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/353ea964/authorization/src/main/java/org/apache/atlas/authorize/AtlasResourceTypes.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasResourceTypes.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasResourceTypes.java
new file mode 100644
index 0000000..e34c740
--- /dev/null
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasResourceTypes.java
@@ -0,0 +1,23 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.atlas.authorize;
+
+public enum AtlasResourceTypes {
+ UNKNOWN, ENTITY, TYPE, OPERATION, TAXONOMY, TERM;
+}
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/353ea964/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java
new file mode 100644
index 0000000..48b536f
--- /dev/null
+++ b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java
@@ -0,0 +1,131 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.atlas.authorize.simple;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import org.apache.atlas.AtlasClient;
+import org.apache.atlas.authorize.AtlasActionTypes;
+import org.apache.atlas.authorize.AtlasResourceTypes;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class AtlasAuthorizationUtils {
+ private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthorizationUtils.class);
+ private static boolean isDebugEnabled = LOG.isDebugEnabled();
+ private static final String BASE_URL = "/" + AtlasClient.BASE_URI;
+
+ public static String getApi(String contextPath) {
+ if (isDebugEnabled) {
+ LOG.debug("==> getApi from " + contextPath);
+ }
+ if (contextPath.startsWith(BASE_URL)) {
+ contextPath = contextPath.substring(BASE_URL.length());
+ } else {
+ // strip of leading '/'
+ if (contextPath.startsWith("/")) {
+ contextPath = contextPath.substring(1);
+ }
+ }
+ String[] split = contextPath.split("/", 3);
+ String api = split[0];
+ if (split.length > 1) {
+ return (!api.equals("v1")) ? api : String.format("v1/%s", split[1]);
+ } else {
+ return api;
+ }
+ }
+
+ public static AtlasActionTypes getAtlasAction(String method) {
+ AtlasActionTypes action = null;
+
+ switch (method.toUpperCase()) {
+ case "POST":
+ action = AtlasActionTypes.CREATE;
+ break;
+ case "GET":
+ action = AtlasActionTypes.READ;
+ break;
+ case "PUT":
+ action = AtlasActionTypes.UPDATE;
+ break;
+ case "DELETE":
+ action = AtlasActionTypes.DELETE;
+ break;
+ default:
+ if (isDebugEnabled) {
+ LOG.debug("getAtlasAction(): Invalid HTTP method '" + method + "'");
+ }
+ break;
+ }
+
+ if (isDebugEnabled) {
+ LOG.debug("<== AtlasAuthorizationFilter getAtlasAction HTTP Method " + method + " mapped to AtlasAction : "
+ + action);
+ }
+ return action;
+ }
+
+ /**
+ * @param contextPath
+ * @return set of AtlasResourceTypes types api mapped with AtlasResourceTypes.TYPE eg :- /api/atlas/types/*
+ *
+ * gremlin discovery,admin,graph apis are mapped with AtlasResourceTypes.OPERATION eg :-/api/atlas/admin/*
+ * /api/atlas/discovery/search/gremlin /api/atlas/graph/*
+ *
+ * entities,lineage and discovery apis are mapped with AtlasResourceTypes.ENTITY eg :- /api/atlas/lineage/hive/table/*
+ * /api/atlas/entities/{guid}* /api/atlas/discovery/*
+ *
+ * unprotected types are mapped with AtlasResourceTypes.UNKNOWN, access to these are allowed.
+ */
+ public static Set<AtlasResourceTypes> getAtlasResourceType(String contextPath) {
+ Set<AtlasResourceTypes> resourceTypes = new HashSet<AtlasResourceTypes>();
+ if (isDebugEnabled) {
+ LOG.debug("==> getAtlasResourceType for " + contextPath);
+ }
+ String api = getApi(contextPath);
+ if (api.startsWith("types")) {
+ resourceTypes.add(AtlasResourceTypes.TYPE);
+ } else if ((api.startsWith("discovery") && contextPath.contains("/gremlin")) || api.startsWith("admin")
+ || api.startsWith("graph")) {
+ resourceTypes.add(AtlasResourceTypes.OPERATION);
+ } else if (api.startsWith("entities") || api.startsWith("lineage") || api.startsWith("discovery")) {
+ resourceTypes.add(AtlasResourceTypes.ENTITY);
+ } else if (api.startsWith("v1/taxonomies")) {
+ resourceTypes.add(AtlasResourceTypes.TAXONOMY);
+ // taxonomies are modeled as entities
+ resourceTypes.add(AtlasResourceTypes.ENTITY);
+ if (contextPath.contains("/terms")) {
+ resourceTypes.add(AtlasResourceTypes.TERM);
+ }
+ } else if (api.startsWith("v1/entities")) {
+ resourceTypes.add(AtlasResourceTypes.ENTITY);
+ } else {
+ LOG.error("Unable to find Atlas Resource corresponding to : " + api + "\nSetting "
+ + AtlasResourceTypes.UNKNOWN.name());
+ resourceTypes.add(AtlasResourceTypes.UNKNOWN);
+ }
+
+ if (isDebugEnabled) {
+ LOG.debug("<== Returning AtlasResources " + resourceTypes + " for api " + api);
+ }
+ return resourceTypes;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/353ea964/authorization/src/main/java/org/apache/atlas/authorize/simple/FileReaderUtil.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/FileReaderUtil.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/FileReaderUtil.java
new file mode 100644
index 0000000..cda0b1c
--- /dev/null
+++ b/authorization/src/main/java/org/apache/atlas/authorize/simple/FileReaderUtil.java
@@ -0,0 +1,56 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.atlas.authorize.simple;
+
+import java.io.IOException;
+import java.nio.charset.Charset;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.regex.Pattern;
+
+import org.apache.log4j.Logger;
+
+public class FileReaderUtil {
+ private static Logger LOG = Logger.getLogger(FileReaderUtil.class);
+ private static boolean isDebugEnabled = LOG.isDebugEnabled();
+
+ public static List<String> readFile(String path) throws IOException {
+ if (isDebugEnabled) {
+ LOG.debug("==> FileReaderUtil readFile");
+ }
+ List<String> list = new ArrayList<String>();
+ LOG.info("reading the file" + path);
+ List<String> fileLines = Files.readAllLines(Paths.get(path), Charset.forName("UTF-8"));
+ if (fileLines != null) {
+ for (String line : fileLines) {
+ if ((!line.startsWith("##")) && Pattern.matches(".+;;.*;;.*;;.+", line))
+ list.add(line);
+ }
+ }
+
+ if (isDebugEnabled) {
+ LOG.debug("<== FileReaderUtil readFile");
+ LOG.debug("Policies read :: " + list);
+ }
+
+ return list;
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/353ea964/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyDef.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyDef.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyDef.java
new file mode 100644
index 0000000..6b2b8b3
--- /dev/null
+++ b/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyDef.java
@@ -0,0 +1,70 @@
+/** Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.atlas.authorize.simple;
+
+import java.util.List;
+import java.util.Map;
+
+import org.apache.atlas.authorize.AtlasActionTypes;
+import org.apache.atlas.authorize.AtlasResourceTypes;
+
+public class PolicyDef {
+
+ private String policyName;
+ private Map<String, List<AtlasActionTypes>> users;
+ private Map<String, List<AtlasActionTypes>> groups;
+ private Map<AtlasResourceTypes, List<String>> resources;
+
+ public String getPolicyName() {
+ return policyName;
+ }
+
+ public void setPolicyName(String policyName) {
+ this.policyName = policyName;
+ }
+
+ public Map<String, List<AtlasActionTypes>> getUsers() {
+ return users;
+ }
+
+ public void setUsers(Map<String, List<AtlasActionTypes>> users) {
+ this.users = users;
+ }
+
+ public Map<String, List<AtlasActionTypes>> getGroups() {
+ return groups;
+ }
+
+ public void setGroups(Map<String, List<AtlasActionTypes>> groups) {
+ this.groups = groups;
+ }
+
+ public Map<AtlasResourceTypes, List<String>> getResources() {
+ return resources;
+ }
+
+ public void setResources(Map<AtlasResourceTypes, List<String>> resources) {
+ this.resources = resources;
+ }
+
+ @Override
+ public String toString() {
+ return "PolicyDef [policyName=" + policyName + ", users=" + users + ", groups=" + groups + ", resources="
+ + resources + "]";
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/353ea964/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyParser.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyParser.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyParser.java
new file mode 100644
index 0000000..25692e1
--- /dev/null
+++ b/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyParser.java
@@ -0,0 +1,265 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.atlas.authorize.simple;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.regex.Pattern;
+
+import org.apache.atlas.authorize.AtlasActionTypes;
+import org.apache.atlas.authorize.AtlasResourceTypes;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import scala.tools.jline.internal.Log;
+
+public class PolicyParser {
+
+ private static Logger LOG = LoggerFactory.getLogger(PolicyParser.class);
+ private static boolean isDebugEnabled = LOG.isDebugEnabled();
+ public static final int POLICYNAME = 0;
+
+ public static final int USER_INDEX = 1;
+ public static final int USERNAME = 0;
+ public static final int USER_AUTHORITIES = 1;
+
+ public static final int GROUP_INDEX = 2;
+ public static final int GROUPNAME = 0;
+ public static final int GROUP_AUTHORITIES = 1;
+
+ public static final int RESOURCE_INDEX = 3;
+ public static final int RESOURCE_TYPE = 0;
+ public static final int RESOURCE_NAME = 1;
+
+ private List<AtlasActionTypes> getListOfAutorities(String auth) {
+ if (isDebugEnabled) {
+ LOG.debug("==> PolicyParser getListOfAutorities");
+ }
+ List<AtlasActionTypes> authorities = new ArrayList<AtlasActionTypes>();
+
+ for (int i = 0; i < auth.length(); i++) {
+ char access = auth.toLowerCase().charAt(i);
+ switch (access) {
+ case 'r':
+ authorities.add(AtlasActionTypes.READ);
+ break;
+ case 'w':
+ authorities.add(AtlasActionTypes.CREATE);
+ break;
+ case 'u':
+ authorities.add(AtlasActionTypes.UPDATE);
+ break;
+ case 'd':
+ authorities.add(AtlasActionTypes.DELETE);
+ break;
+
+ default:
+ if (LOG.isErrorEnabled()) {
+ LOG.error("Invalid action: '" + access + "'");
+ }
+ break;
+ }
+ }
+ if (isDebugEnabled) {
+ LOG.debug("<== PolicyParser getListOfAutorities");
+ }
+ return authorities;
+ }
+
+ public List<PolicyDef> parsePolicies(List<String> policies) {
+ if (isDebugEnabled) {
+ LOG.debug("==> PolicyParser parsePolicies");
+ }
+ List<PolicyDef> policyDefs = new ArrayList<PolicyDef>();
+ for (String policy : policies) {
+ PolicyDef policyDef = parsePolicy(policy);
+ if (policyDef != null) {
+ policyDefs.add(policyDef);
+ }
+ }
+ if (isDebugEnabled) {
+ LOG.debug("<== PolicyParser parsePolicies");
+ LOG.debug(policyDefs.toString());
+ }
+ return policyDefs;
+ }
+
+ private PolicyDef parsePolicy(String data) {
+ if (isDebugEnabled) {
+ LOG.debug("==> PolicyParser parsePolicy");
+ }
+ PolicyDef def = null;
+ String[] props = data.split(";;");
+
+ if (props.length < RESOURCE_INDEX) {
+ LOG.warn("skipping invalid policy line: " + data);
+ } else {
+ def = new PolicyDef();
+ def.setPolicyName(props[POLICYNAME]);
+ parseUsers(props[USER_INDEX], def);
+ parseGroups(props[GROUP_INDEX], def);
+ parseResources(props[RESOURCE_INDEX], def);
+ if (isDebugEnabled) {
+ LOG.debug("policy successfully parsed!!!");
+ LOG.debug("<== PolicyParser parsePolicy");
+ }
+ }
+ return def;
+ }
+
+ private boolean validateEntity(String entity) {
+ if (isDebugEnabled) {
+ LOG.debug("==> PolicyParser validateEntity");
+ }
+ boolean isValidEntity = Pattern.matches("(.+:.+)+", entity);
+ boolean isEmpty = entity.isEmpty();
+ if (isValidEntity == false || isEmpty == true) {
+ if (isDebugEnabled) {
+ LOG.debug("group/user/resource not properly define in Policy");
+ LOG.debug("<== PolicyParser validateEntity");
+ }
+ return false;
+ } else {
+ if (isDebugEnabled) {
+ LOG.debug("<== PolicyParser validateEntity");
+ }
+ return true;
+ }
+
+ }
+
+ private void parseUsers(String usersDef, PolicyDef def) {
+ if (isDebugEnabled) {
+ LOG.debug("==> PolicyParser parseUsers");
+ }
+ String[] users = usersDef.split(",");
+ String[] userAndRole = null;
+ Map<String, List<AtlasActionTypes>> usersMap = new HashMap<String, List<AtlasActionTypes>>();
+ if (validateEntity(usersDef)) {
+ for (String user : users) {
+ if (!Pattern.matches("(.+:.+)+", user)) {
+ continue;
+ }
+ userAndRole = user.split(":");
+ if (def.getUsers() != null) {
+ usersMap = def.getUsers();
+ }
+ List<AtlasActionTypes> userAutorities = usersMap.get(userAndRole[USERNAME]);
+ if (userAutorities == null) {
+
+ userAutorities = new ArrayList<AtlasActionTypes>();
+ }
+ userAutorities = getListOfAutorities(userAndRole[USER_AUTHORITIES]);
+ usersMap.put(userAndRole[USERNAME], userAutorities);
+ def.setUsers(usersMap);
+ }
+
+ } else {
+ def.setUsers(usersMap);
+ }
+ if (isDebugEnabled) {
+ LOG.debug("<== PolicyParser parseUsers");
+ }
+ }
+
+ private void parseGroups(String groupsDef, PolicyDef def) {
+ if (isDebugEnabled) {
+ LOG.debug("==> PolicyParser parseGroups");
+ }
+ String[] groups = groupsDef.split("\\,");
+ String[] groupAndRole = null;
+ Map<String, List<AtlasActionTypes>> groupsMap = new HashMap<String, List<AtlasActionTypes>>();
+ if (validateEntity(groupsDef.trim())) {
+ for (String group : groups) {
+ if (!Pattern.matches("(.+:.+)+", group)) {
+ continue;
+ }
+ groupAndRole = group.split("[:]");
+ if (def.getGroups() != null) {
+ groupsMap = def.getGroups();
+ }
+ List<AtlasActionTypes> groupAutorities = groupsMap.get(groupAndRole[GROUPNAME]);
+ if (groupAutorities == null) {
+ groupAutorities = new ArrayList<AtlasActionTypes>();
+ }
+ groupAutorities = getListOfAutorities(groupAndRole[GROUP_AUTHORITIES]);
+ groupsMap.put(groupAndRole[GROUPNAME], groupAutorities);
+ def.setGroups(groupsMap);
+ }
+
+ } else {
+ def.setGroups(groupsMap);
+ }
+ if (isDebugEnabled) {
+ LOG.debug("<== PolicyParser parseGroups");
+ }
+
+ }
+
+ private void parseResources(String resourceDef, PolicyDef def) {
+ if (isDebugEnabled) {
+ LOG.debug("==> PolicyParser parseResources");
+ }
+ String[] resources = resourceDef.split(",");
+ String[] resourceTypeAndName = null;
+ Map<AtlasResourceTypes, List<String>> resourcesMap = new HashMap<AtlasResourceTypes, List<String>>();
+ if (validateEntity(resourceDef)) {
+ for (String resource : resources) {
+ if (!Pattern.matches("(.+:.+)+", resource)) {
+ continue;
+ }
+ resourceTypeAndName = resource.split("[:]");
+ if (def.getResources() != null) {
+ resourcesMap = def.getResources();
+ }
+ AtlasResourceTypes resourceType = null;
+ String type = resourceTypeAndName[RESOURCE_TYPE].toUpperCase();
+ if (type.equalsIgnoreCase("ENTITY")) {
+ resourceType = AtlasResourceTypes.ENTITY;
+ } else if (type.equalsIgnoreCase("OPERATION")) {
+ resourceType = AtlasResourceTypes.OPERATION;
+ } else if (type.equalsIgnoreCase("TYPE")) {
+ resourceType = AtlasResourceTypes.TYPE;
+ } else if (type.equalsIgnoreCase("TAXONOMY")) {
+ resourceType = AtlasResourceTypes.TAXONOMY;
+ } else if (type.equalsIgnoreCase("TERM")) {
+ resourceType = AtlasResourceTypes.TERM;
+ } else {
+ Log.warn(type + " is invalid resource please check PolicyStore file");
+ continue;
+ }
+
+ List<String> resourceList = resourcesMap.get(resourceType);
+ if (resourceList == null) {
+ resourceList = new ArrayList<String>();
+ }
+ resourceList.add(resourceTypeAndName[RESOURCE_NAME]);
+ resourcesMap.put(resourceType, resourceList);
+ def.setResources(resourcesMap);
+ }
+ } else {
+ def.setResources(resourcesMap);
+ }
+ if (isDebugEnabled) {
+ LOG.debug("<== PolicyParser parseResources");
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/353ea964/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyUtil.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyUtil.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyUtil.java
new file mode 100644
index 0000000..9508eb3
--- /dev/null
+++ b/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyUtil.java
@@ -0,0 +1,103 @@
+/** Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.atlas.authorize.simple;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import org.apache.atlas.authorize.AtlasActionTypes;
+import org.apache.atlas.authorize.AtlasResourceTypes;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class PolicyUtil {
+
+ private static Logger LOG = LoggerFactory.getLogger(PolicyUtil.class);
+ private static boolean isDebugEnabled = LOG.isDebugEnabled();
+
+
+ public Map<String, Map<AtlasResourceTypes, List<String>>> createPermissionMap(List<PolicyDef> policyDefList,
+ AtlasActionTypes permissionType, SimpleAtlasAuthorizer.AtlasAccessorTypes principalType) {
+ if (isDebugEnabled) {
+ LOG.debug("==> PolicyUtil createPermissionMap" + "\nCreating Permission Map for :: " + permissionType
+ + " & " + principalType);
+ }
+ Map<String, Map<AtlasResourceTypes, List<String>>> userReadMap =
+ new HashMap<String, Map<AtlasResourceTypes, List<String>>>();
+
+ // Iterate over the list of policies to create map
+ for (PolicyDef policyDef : policyDefList) {
+ LOG.info("Processing policy def : " + policyDef);
+ Map<String, List<AtlasActionTypes>> principalMap =
+ principalType.equals(SimpleAtlasAuthorizer.AtlasAccessorTypes.USER) ? policyDef.getUsers() : policyDef
+ .getGroups();
+ // For every policy extract the resource list and populate the user map
+ for (Entry<String, List<AtlasActionTypes>> e : principalMap.entrySet()) {
+ // Check if the user has passed permission type like READ
+ if (!e.getValue().contains(permissionType)) {
+ continue;
+ }
+ // See if the current user is already added to map
+ String username = e.getKey();
+ Map<AtlasResourceTypes, List<String>> userResourceList = userReadMap.get(username);
+
+ // If its not added then create a new resource list
+ if (userResourceList == null) {
+ if (isDebugEnabled) {
+ LOG.debug("Resource list not found for " + username + ", creating it");
+ }
+ userResourceList = new HashMap<AtlasResourceTypes, List<String>>();
+ }
+ /*
+ * Iterate over resources from the current policy def and update the resource list for the current user
+ */
+ for (Entry<AtlasResourceTypes, List<String>> resourceTypeMap : policyDef.getResources().entrySet()) {
+ // For the current resourceType in the policyDef, get the
+ // current list of resources already added
+ AtlasResourceTypes type = resourceTypeMap.getKey();
+ List<String> resourceList = userResourceList.get(type);
+
+ if (resourceList == null) {
+ // if the resource list was not added for this type then
+ // create and add all the resources in this policy
+ resourceList = new ArrayList<String>();
+ resourceList.addAll(resourceTypeMap.getValue());
+ } else {
+ // if the resource list is present then merge both the
+ // list
+ resourceList.removeAll(resourceTypeMap.getValue());
+ resourceList.addAll(resourceTypeMap.getValue());
+ }
+
+ userResourceList.put(type, resourceList);
+ }
+ userReadMap.put(username, userResourceList);
+ LOG.info("userReadMap " + userReadMap);
+ }
+ }
+ if (isDebugEnabled) {
+ LOG.debug("Returning Map for " + principalType + " :: " + userReadMap);
+ LOG.debug("<== PolicyUtil createPermissionMap");
+ }
+ return userReadMap;
+
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/353ea964/authorization/src/main/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizer.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizer.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizer.java
new file mode 100644
index 0000000..23fc924
--- /dev/null
+++ b/authorization/src/main/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizer.java
@@ -0,0 +1,387 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.atlas.authorize.simple;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import java.util.Map;
+
+import org.apache.atlas.ApplicationProperties;
+import org.apache.atlas.AtlasException;
+import org.apache.atlas.authorize.AtlasAccessRequest;
+import org.apache.atlas.authorize.AtlasActionTypes;
+import org.apache.atlas.authorize.AtlasAuthorizationException;
+import org.apache.atlas.authorize.AtlasAuthorizer;
+import org.apache.atlas.authorize.AtlasResourceTypes;
+import org.apache.atlas.utils.PropertiesUtil;
+import org.apache.commons.configuration.Configuration;
+import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.io.IOCase;
+import org.apache.commons.lang.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.annotations.VisibleForTesting;
+
+public final class SimpleAtlasAuthorizer implements AtlasAuthorizer {
+
+ public enum AtlasAccessorTypes {
+ USER, GROUP;
+ }
+
+ private static final Logger LOG = LoggerFactory.getLogger(SimpleAtlasAuthorizer.class);
+ private boolean isDebugEnabled = LOG.isDebugEnabled();
+ private final static String WILDCARD_ASTERISK = "*";
+ private final static String WILDCARDS = "*?";
+ private boolean optIgnoreCase = false;
+
+ private Map<String, Map<AtlasResourceTypes, List<String>>> userReadMap = null;
+ private Map<String, Map<AtlasResourceTypes, List<String>>> userWriteMap = null;
+ private Map<String, Map<AtlasResourceTypes, List<String>>> userUpdateMap = null;
+ private Map<String, Map<AtlasResourceTypes, List<String>>> userDeleteMap = null;
+ private Map<String, Map<AtlasResourceTypes, List<String>>> groupReadMap = null;
+ private Map<String, Map<AtlasResourceTypes, List<String>>> groupWriteMap = null;
+ private Map<String, Map<AtlasResourceTypes, List<String>>> groupUpdateMap = null;
+ private Map<String, Map<AtlasResourceTypes, List<String>>> groupDeleteMap = null;
+
+ public SimpleAtlasAuthorizer() {
+ }
+
+
+ @Override
+ public void init() {
+ if (isDebugEnabled) {
+ LOG.debug("==> SimpleAtlasAuthorizer init");
+ }
+ try {
+
+ PolicyUtil util = new PolicyUtil();
+ PolicyParser parser = new PolicyParser();
+ optIgnoreCase = Boolean.valueOf(PropertiesUtil.getProperty("optIgnoreCase", "false"));
+
+ if (isDebugEnabled) {
+ LOG.debug("Read from PropertiesUtil --> optIgnoreCase :: " + optIgnoreCase);
+ }
+
+ Configuration configuration = ApplicationProperties.get();
+ String policyStorePath = configuration.getString("atlas.auth.policy.file", System.getProperty("atlas.conf")+"/policy-store.txt");
+
+ if (isDebugEnabled) {
+ LOG.debug("Loading Apache Atlas policies from : " + policyStorePath);
+ }
+
+ List<String> policies = FileReaderUtil.readFile(policyStorePath);
+ List<PolicyDef> policyDef = parser.parsePolicies(policies);
+
+ userReadMap = util.createPermissionMap(policyDef, AtlasActionTypes.READ, AtlasAccessorTypes.USER);
+ userWriteMap = util.createPermissionMap(policyDef, AtlasActionTypes.CREATE, AtlasAccessorTypes.USER);
+ userUpdateMap = util.createPermissionMap(policyDef, AtlasActionTypes.UPDATE, AtlasAccessorTypes.USER);
+ userDeleteMap = util.createPermissionMap(policyDef, AtlasActionTypes.DELETE, AtlasAccessorTypes.USER);
+
+ groupReadMap = util.createPermissionMap(policyDef, AtlasActionTypes.READ, AtlasAccessorTypes.GROUP);
+ groupWriteMap = util.createPermissionMap(policyDef, AtlasActionTypes.CREATE, AtlasAccessorTypes.GROUP);
+ groupUpdateMap = util.createPermissionMap(policyDef, AtlasActionTypes.UPDATE, AtlasAccessorTypes.GROUP);
+ groupDeleteMap = util.createPermissionMap(policyDef, AtlasActionTypes.DELETE, AtlasAccessorTypes.GROUP);
+
+ if (isDebugEnabled) {
+ LOG.debug("\n\nUserReadMap :: " + userReadMap + "\nGroupReadMap :: " + groupReadMap);
+ LOG.debug("\n\nUserWriteMap :: " + userWriteMap + "\nGroupWriteMap :: " + groupWriteMap);
+ LOG.debug("\n\nUserUpdateMap :: " + userUpdateMap + "\nGroupUpdateMap :: " + groupUpdateMap);
+ LOG.debug("\n\nUserDeleteMap :: " + userDeleteMap + "\nGroupDeleteMap :: " + groupDeleteMap);
+ }
+
+ } catch (IOException | AtlasException e) {
+ if (LOG.isErrorEnabled()) {
+ LOG.error("SimpleAtlasAuthorizer could not be initialized properly due to : ", e);
+ }
+ }
+ }
+
+ @Override
+ public boolean isAccessAllowed(AtlasAccessRequest request) throws AtlasAuthorizationException {
+ if (isDebugEnabled) {
+ LOG.debug("==> SimpleAtlasAuthorizer isAccessAllowed");
+ LOG.debug("isAccessAllowd(" + request + ")");
+ }
+ String user = request.getUser();
+ Set<String> groups = request.getUserGroups();
+ AtlasActionTypes action = request.getAction();
+ String resource = request.getResource();
+ Set<AtlasResourceTypes> resourceTypes = request.getResourceTypes();
+ if (isDebugEnabled)
+ LOG.debug("Checking for :: \nUser :: " + user + "\nGroups :: " + groups + "\nAction :: " + action
+ + "\nResource :: " + resource);
+
+ boolean isAccessAllowed = false;
+ boolean isUser = user == null ? false : true;
+ boolean isGroup = groups == null ? false : true;
+
+ if ((!isUser && !isGroup) || action == null || resource == null) {
+ if (isDebugEnabled) {
+ LOG.debug("Please check the formation AtlasAccessRequest.");
+ }
+ return isAccessAllowed;
+ } else {
+ if (isDebugEnabled) {
+ LOG.debug("checkAccess for Operation :: " + action + " on Resource " + resourceTypes + ":" + resource);
+ }
+ switch (action) {
+ case READ:
+ isAccessAllowed = checkAccess(user, resourceTypes, resource, userReadMap);
+ isAccessAllowed =
+ isAccessAllowed == false ? checkAccessForGroups(groups, resourceTypes, resource, groupReadMap)
+ : isAccessAllowed;
+ break;
+ case CREATE:
+ isAccessAllowed = checkAccess(user, resourceTypes, resource, userWriteMap);
+ isAccessAllowed =
+ isAccessAllowed == false ? checkAccessForGroups(groups, resourceTypes, resource, groupWriteMap)
+ : isAccessAllowed;
+ break;
+ case UPDATE:
+ isAccessAllowed = checkAccess(user, resourceTypes, resource, userUpdateMap);
+ isAccessAllowed =
+ isAccessAllowed == false
+ ? checkAccessForGroups(groups, resourceTypes, resource, groupUpdateMap) : isAccessAllowed;
+ break;
+ case DELETE:
+ isAccessAllowed = checkAccess(user, resourceTypes, resource, userDeleteMap);
+ isAccessAllowed =
+ isAccessAllowed == false
+ ? checkAccessForGroups(groups, resourceTypes, resource, groupDeleteMap) : isAccessAllowed;
+ break;
+ default:
+ if (isDebugEnabled) {
+ LOG.debug("Invalid Action " + action+"\nRaising AtlasAuthorizationException!!!");
+ }
+ throw new AtlasAuthorizationException("Invalid Action :: " + action);
+ }
+ }
+
+ if (isDebugEnabled) {
+ LOG.debug("<== SimpleAtlasAuthorizer isAccessAllowed = " + isAccessAllowed);
+ }
+
+ return isAccessAllowed;
+ }
+
+ private boolean checkAccess(String accessor, Set<AtlasResourceTypes> resourceTypes, String resource,
+ Map<String, Map<AtlasResourceTypes, List<String>>> map) {
+ if (isDebugEnabled) {
+ LOG.debug("==> SimpleAtlasAuthorizer checkAccess");
+ LOG.debug("Now checking access for accessor : " + accessor + "\nResource Types : " + resourceTypes
+ + "\nResource : " + resource + "\nMap : " + map);
+ }
+ boolean result = true;
+ Map<AtlasResourceTypes, List<String>> rescMap = map.get(accessor);
+ if (rescMap != null) {
+ for (AtlasResourceTypes resourceType : resourceTypes) {
+ List<String> accessList = rescMap.get(resourceType);
+ if (isDebugEnabled) {
+ LOG.debug("\nChecking for resource : " + resource + " in list : " + accessList + "\n");
+ }
+ if (accessList != null) {
+ result = result && isMatch(resource, accessList);
+ } else {
+ result = false;
+ }
+ }
+ } else {
+ result = false;
+ if (isDebugEnabled)
+ LOG.debug("Key " + accessor + " missing. Returning with result : " + result);
+ }
+
+ if (isDebugEnabled) {
+ LOG.debug("Check for " + accessor + " :: " + result);
+ LOG.debug("<== SimpleAtlasAuthorizer checkAccess");
+ }
+ return result;
+ }
+
+ private boolean checkAccessForGroups(Set<String> groups, Set<AtlasResourceTypes> resourceType, String resource,
+ Map<String, Map<AtlasResourceTypes, List<String>>> map) {
+ boolean isAccessAllowed = false;
+ if (isDebugEnabled) {
+ LOG.debug("==> SimpleAtlasAuthorizer checkAccessForGroups");
+ }
+
+ for (String group : groups) {
+ isAccessAllowed = checkAccess(group, resourceType, resource, map);
+ if (isAccessAllowed) {
+ break;
+ }
+ }
+
+ if (isDebugEnabled) {
+ LOG.debug("<== SimpleAtlasAuthorizer checkAccessForGroups");
+ }
+ return isAccessAllowed;
+ }
+
+ private boolean resourceMatchHelper(List<String> policyResource) {
+ boolean isMatchAny = false;
+ if (isDebugEnabled) {
+ LOG.debug("==> SimpleAtlasAuthorizer resourceMatchHelper");
+ }
+
+ boolean optWildCard = true;
+
+ List<String> policyValues = new ArrayList<String>();
+
+ if (policyResource != null) {
+ boolean isWildCardPresent = !optWildCard;
+ for (String policyValue : policyResource) {
+ if (StringUtils.isEmpty(policyValue)) {
+ continue;
+ }
+ if (StringUtils.containsOnly(policyValue, WILDCARD_ASTERISK)) {
+ isMatchAny = true;
+ } else if (!isWildCardPresent && StringUtils.containsAny(policyValue, WILDCARDS)) {
+ isWildCardPresent = true;
+ }
+ policyValues.add(policyValue);
+ }
+ optWildCard = optWildCard && isWildCardPresent;
+ } else {
+ isMatchAny = false;
+ }
+
+ if (isDebugEnabled) {
+ LOG.debug("<== SimpleAtlasAuthorizer resourceMatchHelper");
+ }
+ return isMatchAny;
+ }
+
+ private boolean isMatch(String resource, List<String> policyValues) {
+ if (isDebugEnabled) {
+ LOG.debug("==> SimpleAtlasAuthorizer isMatch");
+ }
+ boolean isMatchAny = resourceMatchHelper(policyValues);
+ boolean isMatch = false;
+ boolean allValuesRequested = isAllValuesRequested(resource);
+
+ if (allValuesRequested || isMatchAny) {
+ isMatch = isMatchAny;
+ } else {
+ for (String policyValue : policyValues) {
+ if (policyValue.contains("*")) {
+ isMatch =
+ optIgnoreCase ? FilenameUtils.wildcardMatch(resource, policyValue, IOCase.INSENSITIVE)
+ : FilenameUtils.wildcardMatch(resource, policyValue, IOCase.SENSITIVE);
+ } else {
+ isMatch =
+ optIgnoreCase ? StringUtils.equalsIgnoreCase(resource, policyValue) : StringUtils.equals(
+ resource, policyValue);
+ }
+ if (isMatch) {
+ break;
+ }
+ }
+ }
+
+ if (isMatch == false) {
+
+ if (isDebugEnabled) {
+ StringBuilder sb = new StringBuilder();
+ sb.append("[");
+ for (String policyValue : policyValues) {
+ sb.append(policyValue);
+ sb.append(" ");
+ }
+ sb.append("]");
+
+ LOG.debug("AtlasDefaultResourceMatcher.isMatch returns FALSE, (resource=" + resource
+ + ", policyValues=" + sb.toString() + ")");
+ }
+
+ }
+
+ if (isDebugEnabled) {
+ LOG.debug("<== SimpleAtlasAuthorizer isMatch(" + resource + "): " + isMatch);
+ }
+
+ return isMatch;
+ }
+
+ private boolean isAllValuesRequested(String resource) {
+ boolean result = StringUtils.isEmpty(resource) || WILDCARD_ASTERISK.equals(resource);
+ return result;
+ }
+
+ @Override
+ public void cleanUp() {
+ if (isDebugEnabled) {
+ LOG.debug("==> +SimpleAtlasAuthorizer cleanUp");
+ }
+ userReadMap = null;
+ userWriteMap = null;
+ userUpdateMap = null;
+ userDeleteMap = null;
+ groupReadMap = null;
+ groupWriteMap = null;
+ groupUpdateMap = null;
+ groupDeleteMap = null;
+ if (isDebugEnabled) {
+ LOG.debug("<== +SimpleAtlasAuthorizer cleanUp");
+ }
+ }
+
+ /*
+ * NOTE :: This method is added for setting the maps for testing purpose.
+ */
+ @VisibleForTesting
+ public void setResourcesForTesting(Map<String, Map<AtlasResourceTypes, List<String>>> userMap,
+ Map<String, Map<AtlasResourceTypes, List<String>>> groupMap, AtlasActionTypes actionTypes) {
+
+ switch (actionTypes) {
+ case READ:
+ this.userReadMap = userMap;
+ this.groupReadMap = groupMap;
+ break;
+
+ case CREATE:
+
+ this.userWriteMap = userMap;
+ this.groupWriteMap = groupMap;
+ break;
+ case UPDATE:
+
+ this.userUpdateMap = userMap;
+ this.groupUpdateMap = groupMap;
+ break;
+ case DELETE:
+
+ this.userDeleteMap = userMap;
+ this.groupDeleteMap = groupMap;
+ break;
+
+ default:
+ if (isDebugEnabled) {
+ LOG.debug("No such action available");
+ }
+ break;
+ }
+ }
+
+}
+
+
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/353ea964/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtilsTest.java
----------------------------------------------------------------------
diff --git a/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtilsTest.java b/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtilsTest.java
new file mode 100644
index 0000000..326cb3c
--- /dev/null
+++ b/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtilsTest.java
@@ -0,0 +1,118 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.atlas.authorize.simple;
+
+import org.apache.atlas.authorize.AtlasResourceTypes;
+import org.testng.annotations.Test;
+
+import java.util.Set;
+
+import static org.testng.Assert.assertEquals;
+import static org.testng.Assert.assertTrue;
+
+/**
+ * Unit tests for AtlasAuthorizationUtils.
+ */
+public class AtlasAuthorizationUtilsTest {
+ @Test
+ public void testGetApi() {
+ String contextPath = "/api/atlas/entities";
+ assertEquals(AtlasAuthorizationUtils.getApi(contextPath), "entities");
+
+ contextPath = "/api/atlas/entities/111/traits";
+ assertEquals(AtlasAuthorizationUtils.getApi(contextPath), "entities");
+
+ contextPath = "/api/atlas/v1/entities";
+ assertEquals(AtlasAuthorizationUtils.getApi(contextPath), "v1/entities");
+
+ contextPath = "/api/atlas/v1/entities/111/tags";
+ assertEquals(AtlasAuthorizationUtils.getApi(contextPath), "v1/entities");
+
+ // not sure of this use case but the code appears to support url's that don't
+ // begin with base url.
+ contextPath = "/foo/bar";
+ assertEquals(AtlasAuthorizationUtils.getApi(contextPath), "foo");
+ }
+
+ @Test
+ public void testGetAtlasResourceType() throws Exception {
+ String contextPath = "/api/atlas/types";
+ Set<AtlasResourceTypes> resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
+ assertEquals(resourceTypes.size(), 1);
+ assertTrue(resourceTypes.contains(AtlasResourceTypes.TYPE));
+
+ contextPath = "/api/atlas/admin/foo";
+ resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
+ assertEquals(resourceTypes.size(), 1);
+ assertTrue(resourceTypes.contains(AtlasResourceTypes.OPERATION));
+
+ contextPath = "/api/atlas/graph/foo";
+ resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
+ assertEquals(resourceTypes.size(), 1);
+ assertTrue(resourceTypes.contains(AtlasResourceTypes.OPERATION));
+
+ contextPath = "/api/atlas/discovery/search/gremlin";
+ resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
+ assertEquals(resourceTypes.size(), 1);
+ assertTrue(resourceTypes.contains(AtlasResourceTypes.OPERATION));
+
+ contextPath = "/api/atlas/entities/111/traits";
+ resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
+ assertEquals(resourceTypes.size(), 1);
+ assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
+
+ contextPath = "/api/atlas/discovery/search";
+ resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
+ assertEquals(resourceTypes.size(), 1);
+ assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
+
+ contextPath = "/api/atlas/entities?type=Column";
+ resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
+ assertEquals(resourceTypes.size(), 1);
+ assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
+
+ contextPath = "/api/atlas/lineage";
+ resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
+ assertEquals(resourceTypes.size(), 1);
+ assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
+
+ contextPath = "/api/atlas/v1/taxonomies";
+ resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
+ assertEquals(resourceTypes.size(), 2);
+ assertTrue(resourceTypes.contains(AtlasResourceTypes.TAXONOMY));
+ assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
+
+ contextPath = "/api/atlas/v1/taxonomies/taxonomy1/terms";
+ resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
+ assertEquals(resourceTypes.size(), 3);
+ assertTrue(resourceTypes.contains(AtlasResourceTypes.TAXONOMY));
+ assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
+ assertTrue(resourceTypes.contains(AtlasResourceTypes.TERM));
+
+ contextPath = "/api/atlas/v1/entities/111";
+ resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
+ assertEquals(resourceTypes.size(), 1);
+ assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
+
+ contextPath = "/api/atlas/v1/entities/111/tags/foo";
+ resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
+ assertEquals(resourceTypes.size(), 1);
+ assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/353ea964/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyParserTest.java
----------------------------------------------------------------------
diff --git a/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyParserTest.java b/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyParserTest.java
new file mode 100644
index 0000000..453364d
--- /dev/null
+++ b/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyParserTest.java
@@ -0,0 +1,172 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.atlas.authorize.simple;
+
+import static org.testng.AssertJUnit.assertEquals;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.atlas.authorize.AtlasActionTypes;
+import org.apache.atlas.authorize.AtlasResourceTypes;
+import org.apache.atlas.authorize.simple.PolicyDef;
+import org.apache.atlas.authorize.simple.PolicyParser;
+import org.testng.annotations.Test;
+
+public class PolicyParserTest {
+
+ @Test
+ public void testParsePoliciesWithAllProperties() {
+ List<String> policies = new ArrayList<String>();
+ policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;entity:*abc,operation:*xyz,type:PII");
+ /* Creating group data */
+ Map<String, List<AtlasActionTypes>> groupMap = new HashMap<String, List<AtlasActionTypes>>();
+ List<AtlasActionTypes> accessList1 = new ArrayList<AtlasActionTypes>();
+ accessList1.add(AtlasActionTypes.READ);
+ accessList1.add(AtlasActionTypes.CREATE);
+ accessList1.add(AtlasActionTypes.UPDATE);
+
+ groupMap.put("grp1", accessList1);
+ List<AtlasActionTypes> accessList2 = new ArrayList<AtlasActionTypes>();
+ accessList2.add(AtlasActionTypes.UPDATE);
+ groupMap.put("grp2", accessList2);
+
+ /* Creating user data */
+ Map<String, List<AtlasActionTypes>> usersMap = new HashMap<String, List<AtlasActionTypes>>();
+ List<AtlasActionTypes> usr1AccessList = new ArrayList<AtlasActionTypes>();
+ usr1AccessList.add(AtlasActionTypes.READ);
+ usersMap.put("usr1", usr1AccessList);
+
+ List<AtlasActionTypes> usr2AccessList = new ArrayList<AtlasActionTypes>();
+ usr2AccessList.add(AtlasActionTypes.READ);
+ usr2AccessList.add(AtlasActionTypes.CREATE);
+ usersMap.put("usr2", usr2AccessList);
+
+ /* Creating resources data */
+ Map<AtlasResourceTypes, List<String>> resourceMap = new HashMap<AtlasResourceTypes, List<String>>();
+ List<String> resource1List = new ArrayList<String>();
+ resource1List.add("*abc");
+ resourceMap.put(AtlasResourceTypes.ENTITY, resource1List);
+
+ List<String> resource2List = new ArrayList<String>();
+ resource2List.add("*xyz");
+ resourceMap.put(AtlasResourceTypes.OPERATION, resource2List);
+
+ List<String> resource3List = new ArrayList<String>();
+ resource3List.add("PII");
+ resourceMap.put(AtlasResourceTypes.TYPE, resource3List);
+
+ List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies);
+ for (PolicyDef def : policyDefs) {
+
+ assertEquals(def.getPolicyName(), "hivePolicy");
+ assertEquals(def.getGroups(), groupMap);
+ assertEquals(def.getUsers(), usersMap);
+ assertEquals(def.getResources(), resourceMap);
+
+ }
+
+ }
+
+ @Test
+ public void testParsePoliciesWithOutUserProperties() {
+ List<String> policies = new ArrayList<String>();
+ policies.add("hivePolicy;;;;grp1:rwu,grp2:u;;entity:*abc,operation:*xyz,type:PII");
+ // Creating group data
+ Map<String, List<AtlasActionTypes>> groupMap = new HashMap<String, List<AtlasActionTypes>>();
+ List<AtlasActionTypes> accessList1 = new ArrayList<AtlasActionTypes>();
+ accessList1.add(AtlasActionTypes.READ);
+ accessList1.add(AtlasActionTypes.CREATE);
+ accessList1.add(AtlasActionTypes.UPDATE);
+
+ groupMap.put("grp1", accessList1);
+ List<AtlasActionTypes> accessList2 = new ArrayList<AtlasActionTypes>();
+ accessList2.add(AtlasActionTypes.UPDATE);
+ groupMap.put("grp2", accessList2);
+
+ // Creating user data
+ Map<String, List<AtlasActionTypes>> usersMap = new HashMap<String, List<AtlasActionTypes>>();
+
+ // Creating resources data
+ Map<AtlasResourceTypes, List<String>> resourceMap = new HashMap<AtlasResourceTypes, List<String>>();
+ List<String> resource1List = new ArrayList<String>();
+ resource1List.add("*abc");
+ resourceMap.put(AtlasResourceTypes.ENTITY, resource1List);
+
+ List<String> resource2List = new ArrayList<String>();
+ resource2List.add("*xyz");
+ resourceMap.put(AtlasResourceTypes.OPERATION, resource2List);
+
+ List<String> resource3List = new ArrayList<String>();
+ resource3List.add("PII");
+ resourceMap.put(AtlasResourceTypes.TYPE, resource3List);
+
+ List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies);
+ for (PolicyDef def : policyDefs) {
+
+ assertEquals(def.getPolicyName(), "hivePolicy");
+ assertEquals(def.getGroups(), groupMap);
+ assertEquals(def.getUsers(), usersMap);
+ assertEquals(def.getResources(), resourceMap);
+
+ }
+
+ }
+
+ @Test
+ public void testParsePoliciesWithOutGroupProperties() {
+ List<String> policies = new ArrayList<String>();
+ policies.add("hivePolicy;;usr1:r,usr2:rw;;;;entity:*abc,operation:*xyz,type:PII");
+ // Creating group data
+ Map<String, List<AtlasActionTypes>> groupMap = new HashMap<String, List<AtlasActionTypes>>();
+
+ // Creating user data
+ Map<String, List<AtlasActionTypes>> usersMap = new HashMap<String, List<AtlasActionTypes>>();
+ List<AtlasActionTypes> usr1AccessList = new ArrayList<AtlasActionTypes>();
+ usr1AccessList.add(AtlasActionTypes.READ);
+ usersMap.put("usr1", usr1AccessList);
+
+ List<AtlasActionTypes> usr2AccessList = new ArrayList<AtlasActionTypes>();
+ usr2AccessList.add(AtlasActionTypes.READ);
+ usr2AccessList.add(AtlasActionTypes.CREATE);
+ usersMap.put("usr2", usr2AccessList);
+
+ // Creating resources data
+ Map<AtlasResourceTypes, List<String>> resourceMap = new HashMap<AtlasResourceTypes, List<String>>();
+ List<String> resource1List = new ArrayList<String>();
+ resource1List.add("*abc");
+ resourceMap.put(AtlasResourceTypes.ENTITY, resource1List);
+
+ List<String> resource2List = new ArrayList<String>();
+ resource2List.add("*xyz");
+ resourceMap.put(AtlasResourceTypes.OPERATION, resource2List);
+
+ List<String> resource3List = new ArrayList<String>();
+ resource3List.add("PII");
+ resourceMap.put(AtlasResourceTypes.TYPE, resource3List);
+
+ List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies);
+ for (PolicyDef def : policyDefs) {
+ assertEquals(def.getPolicyName(), "hivePolicy");
+ assertEquals(def.getGroups(), groupMap);
+ assertEquals(def.getUsers(), usersMap);
+ assertEquals(def.getResources(), resourceMap);
+ }
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/353ea964/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyUtilTest.java
----------------------------------------------------------------------
diff --git a/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyUtilTest.java b/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyUtilTest.java
new file mode 100644
index 0000000..3453bf0
--- /dev/null
+++ b/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyUtilTest.java
@@ -0,0 +1,100 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.atlas.authorize.simple;
+
+import static org.testng.AssertJUnit.assertEquals;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import org.apache.atlas.authorize.simple.SimpleAtlasAuthorizer;
+import org.apache.atlas.authorize.AtlasActionTypes;
+import org.apache.atlas.authorize.AtlasResourceTypes;
+import org.apache.atlas.authorize.simple.PolicyDef;
+import org.apache.atlas.authorize.simple.PolicyParser;
+import org.apache.atlas.authorize.simple.PolicyUtil;
+import org.testng.annotations.Test;
+
+public class PolicyUtilTest {
+
+ @Test
+ public void testCreatePermissionMap() {
+
+ HashMap<AtlasResourceTypes, List<String>> resourceMap = new HashMap<AtlasResourceTypes, List<String>>();
+ List<String> resource1List = new ArrayList<String>();
+ resource1List.add("*abc");
+ resourceMap.put(AtlasResourceTypes.ENTITY, resource1List);
+
+ List<String> resource2List = new ArrayList<String>();
+ resource2List.add("*xyz");
+ resourceMap.put(AtlasResourceTypes.OPERATION, resource2List);
+
+ List<String> resource3List = new ArrayList<String>();
+ resource3List.add("PII");
+ resourceMap.put(AtlasResourceTypes.TYPE, resource3List);
+
+ Map<String, HashMap<AtlasResourceTypes, List<String>>> permissionMap =
+ new HashMap<String, HashMap<AtlasResourceTypes, List<String>>>();
+ permissionMap.put("grp1", resourceMap);
+
+ List<String> policies = new ArrayList<String>();
+ policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;entity:*abc,operation:*xyz,type:PII");
+ List<PolicyDef> policyDefList = new PolicyParser().parsePolicies(policies);
+
+ Map<String, Map<AtlasResourceTypes, List<String>>> createdPermissionMap =
+ new PolicyUtil().createPermissionMap(policyDefList, AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.GROUP);
+
+ assertEquals(permissionMap, createdPermissionMap);
+
+ }
+
+ @Test
+ public void testMergeCreatePermissionMap() {
+
+ HashMap<AtlasResourceTypes, List<String>> resourceMap = new HashMap<AtlasResourceTypes, List<String>>();
+ List<String> resource1List = new ArrayList<String>();
+ resource1List.add("*abc");
+ resourceMap.put(AtlasResourceTypes.ENTITY, resource1List);
+
+ List<String> resource2List = new ArrayList<String>();
+ resource2List.add("*x");
+ resource2List.add("*xyz");
+ resourceMap.put(AtlasResourceTypes.OPERATION, resource2List);
+
+ List<String> resource3List = new ArrayList<String>();
+ resource3List.add("PII");
+ resourceMap.put(AtlasResourceTypes.TYPE, resource3List);
+
+ Map<String, HashMap<AtlasResourceTypes, List<String>>> permissionMap =
+ new HashMap<String, HashMap<AtlasResourceTypes, List<String>>>();
+ permissionMap.put("grp1", resourceMap);
+
+ List<String> policies = new ArrayList<String>();
+ policies.add("hivePolicys;;;;grp1:rwu;;entity:*abc,operation:*xyz,operation:*x");
+ policies.add("hivePolicy;;;;grp1:rwu;;entity:*abc,operation:*xyz");
+ policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu;;entity:*abc,operation:*xyz");
+ policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;entity:*abc,operation:*xyz,type:PII");
+ List<PolicyDef> policyDefList = new PolicyParser().parsePolicies(policies);
+
+ Map<String, Map<AtlasResourceTypes, List<String>>> createdPermissionMap =
+ new PolicyUtil().createPermissionMap(policyDefList, AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.GROUP);
+
+ assertEquals(permissionMap, createdPermissionMap);
+
+ }
+}