Posted to commits@atlas.apache.org by ma...@apache.org on 2018/02/26 19:27:56 UTC
[3/4] atlas git commit: ATLAS-2459: Authorization enhancements to
support instance level access controls
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyParser.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyParser.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyParser.java
deleted file mode 100644
index f61bbf7..0000000
--- a/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyParser.java
+++ /dev/null
@@ -1,252 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.atlas.authorize.simple;
-
-import org.apache.atlas.authorize.AtlasActionTypes;
-import org.apache.atlas.authorize.AtlasResourceTypes;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.regex.Pattern;
-
-public class PolicyParser {
-
- private static Logger LOG = LoggerFactory.getLogger(PolicyParser.class);
- private static boolean isDebugEnabled = LOG.isDebugEnabled();
- public static final int POLICYNAME = 0;
-
- public static final int USER_INDEX = 1;
- public static final int USERNAME = 0;
- public static final int USER_AUTHORITIES = 1;
-
- public static final int GROUP_INDEX = 2;
- public static final int GROUPNAME = 0;
- public static final int GROUP_AUTHORITIES = 1;
-
- public static final int RESOURCE_INDEX = 3;
- public static final int RESOURCE_TYPE = 0;
- public static final int RESOURCE_NAME = 1;
-
- private List<AtlasActionTypes> getListOfAutorities(String auth) {
- if (isDebugEnabled) {
- LOG.debug("==> PolicyParser getListOfAutorities");
- }
- List<AtlasActionTypes> authorities = new ArrayList<>();
-
- for (int i = 0; i < auth.length(); i++) {
- char access = auth.toLowerCase().charAt(i);
- switch (access) {
- case 'r':
- authorities.add(AtlasActionTypes.READ);
- break;
- case 'w':
- authorities.add(AtlasActionTypes.CREATE);
- break;
- case 'u':
- authorities.add(AtlasActionTypes.UPDATE);
- break;
- case 'd':
- authorities.add(AtlasActionTypes.DELETE);
- break;
-
- default:
- if (LOG.isErrorEnabled()) {
- LOG.error("Invalid action: '{}'", access);
- }
- break;
- }
- }
- if (isDebugEnabled) {
- LOG.debug("<== PolicyParser getListOfAutorities");
- }
- return authorities;
- }
-
- public List<PolicyDef> parsePolicies(List<String> policies) {
- if (isDebugEnabled) {
- LOG.debug("==> PolicyParser parsePolicies");
- }
- List<PolicyDef> policyDefs = new ArrayList<>();
- for (String policy : policies) {
- PolicyDef policyDef = parsePolicy(policy);
- if (policyDef != null) {
- policyDefs.add(policyDef);
- }
- }
- if (isDebugEnabled) {
- LOG.debug("<== PolicyParser parsePolicies");
- LOG.debug(policyDefs.toString());
- }
- return policyDefs;
- }
-
- private PolicyDef parsePolicy(String data) {
- if (isDebugEnabled) {
- LOG.debug("==> PolicyParser parsePolicy");
- }
- PolicyDef def = null;
- String[] props = data.split(";;");
-
- if (props.length < RESOURCE_INDEX) {
- LOG.warn("skipping invalid policy line: {}", data);
- } else {
- def = new PolicyDef();
- def.setPolicyName(props[POLICYNAME]);
- parseUsers(props[USER_INDEX], def);
- parseGroups(props[GROUP_INDEX], def);
- parseResources(props[RESOURCE_INDEX], def);
- if (isDebugEnabled) {
- LOG.debug("policy successfully parsed!!!");
- LOG.debug("<== PolicyParser parsePolicy");
- }
- }
- return def;
- }
-
- private boolean validateEntity(String entity) {
- if (isDebugEnabled) {
- LOG.debug("==> PolicyParser validateEntity");
- }
- boolean isValidEntity = Pattern.matches("(.+:.+)+", entity);
- boolean isEmpty = entity.isEmpty();
- if (!isValidEntity || isEmpty) {
- if (isDebugEnabled) {
- LOG.debug("group/user/resource not properly define in Policy");
- LOG.debug("<== PolicyParser validateEntity");
- }
- return false;
- } else {
- if (isDebugEnabled) {
- LOG.debug("<== PolicyParser validateEntity");
- }
- return true;
- }
-
- }
-
- private void parseUsers(String usersDef, PolicyDef def) {
- if (isDebugEnabled) {
- LOG.debug("==> PolicyParser parseUsers");
- }
- String[] users = usersDef.split(",");
- String[] userAndRole = null;
- Map<String, List<AtlasActionTypes>> usersMap = new HashMap<>();
- if (validateEntity(usersDef)) {
- for (String user : users) {
- if (!Pattern.matches("(.+:.+)+", user)) {
- continue;
- }
- userAndRole = user.split(":");
- if (def.getUsers() != null) {
- usersMap = def.getUsers();
- }
- List<AtlasActionTypes> userAutorities = getListOfAutorities(userAndRole[USER_AUTHORITIES]);
- usersMap.put(userAndRole[USERNAME], userAutorities);
- def.setUsers(usersMap);
- }
-
- } else {
- def.setUsers(usersMap);
- }
- if (isDebugEnabled) {
- LOG.debug("<== PolicyParser parseUsers");
- }
- }
-
- private void parseGroups(String groupsDef, PolicyDef def) {
- if (isDebugEnabled) {
- LOG.debug("==> PolicyParser parseGroups");
- }
- String[] groups = groupsDef.split("\\,");
- String[] groupAndRole = null;
- Map<String, List<AtlasActionTypes>> groupsMap = new HashMap<>();
- if (validateEntity(groupsDef.trim())) {
- for (String group : groups) {
- if (!Pattern.matches("(.+:.+)+", group)) {
- continue;
- }
- groupAndRole = group.split("[:]");
- if (def.getGroups() != null) {
- groupsMap = def.getGroups();
- }
- List<AtlasActionTypes> groupAutorities = getListOfAutorities(groupAndRole[GROUP_AUTHORITIES]);
- groupsMap.put(groupAndRole[GROUPNAME], groupAutorities);
- def.setGroups(groupsMap);
- }
-
- } else {
- def.setGroups(groupsMap);
- }
- if (isDebugEnabled) {
- LOG.debug("<== PolicyParser parseGroups");
- }
-
- }
-
- private void parseResources(String resourceDef, PolicyDef def) {
- if (isDebugEnabled) {
- LOG.debug("==> PolicyParser parseResources");
- }
- String[] resources = resourceDef.split(",");
- String[] resourceTypeAndName = null;
- Map<AtlasResourceTypes, List<String>> resourcesMap = new HashMap<>();
- if (validateEntity(resourceDef)) {
- for (String resource : resources) {
- if (!Pattern.matches("(.+:.+)+", resource)) {
- continue;
- }
- resourceTypeAndName = resource.split("[:]");
- if (def.getResources() != null) {
- resourcesMap = def.getResources();
- }
- AtlasResourceTypes resourceType = null;
- String type = resourceTypeAndName[RESOURCE_TYPE].toUpperCase();
- if (type.equalsIgnoreCase("ENTITY")) {
- resourceType = AtlasResourceTypes.ENTITY;
- } else if (type.equalsIgnoreCase("OPERATION")) {
- resourceType = AtlasResourceTypes.OPERATION;
- } else if (type.equalsIgnoreCase("TYPE")) {
- resourceType = AtlasResourceTypes.TYPE;
- } else if (type.equalsIgnoreCase("RELATIONSHIP")) {
- resourceType = AtlasResourceTypes.RELATIONSHIP;
- } else {
- LOG.warn(type + " is invalid resource please check PolicyStore file");
- continue;
- }
-
- List<String> resourceList = resourcesMap.get(resourceType);
- if (resourceList == null) {
- resourceList = new ArrayList<>();
- }
- resourceList.add(resourceTypeAndName[RESOURCE_NAME]);
- resourcesMap.put(resourceType, resourceList);
- def.setResources(resourcesMap);
- }
- } else {
- def.setResources(resourcesMap);
- }
- if (isDebugEnabled) {
- LOG.debug("<== PolicyParser parseResources");
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyUtil.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyUtil.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyUtil.java
deleted file mode 100644
index 9c08e40..0000000
--- a/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyUtil.java
+++ /dev/null
@@ -1,107 +0,0 @@
-/** Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.atlas.authorize.simple;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-
-import org.apache.atlas.authorize.AtlasActionTypes;
-import org.apache.atlas.authorize.AtlasResourceTypes;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class PolicyUtil {
-
- private static Logger LOG = LoggerFactory.getLogger(PolicyUtil.class);
- private static boolean isDebugEnabled = LOG.isDebugEnabled();
-
-
- public static Map<String, Map<AtlasResourceTypes, List<String>>> createPermissionMap(List<PolicyDef> policyDefList,
- AtlasActionTypes permissionType, SimpleAtlasAuthorizer.AtlasAccessorTypes principalType) {
- if (isDebugEnabled) {
- LOG.debug("==> PolicyUtil createPermissionMap\nCreating Permission Map for :: {} & {}", permissionType, principalType);
- }
- Map<String, Map<AtlasResourceTypes, List<String>>> userReadMap =
- new HashMap<>();
-
- // Iterate over the list of policies to create map
- for (PolicyDef policyDef : policyDefList) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Processing policy def : {}", policyDef);
- }
-
- Map<String, List<AtlasActionTypes>> principalMap =
- principalType.equals(SimpleAtlasAuthorizer.AtlasAccessorTypes.USER) ? policyDef.getUsers() : policyDef
- .getGroups();
- // For every policy extract the resource list and populate the user map
- for (Entry<String, List<AtlasActionTypes>> e : principalMap.entrySet()) {
- // Check if the user has passed permission type like READ
- if (!e.getValue().contains(permissionType)) {
- continue;
- }
- // See if the current user is already added to map
- String username = e.getKey();
- Map<AtlasResourceTypes, List<String>> userResourceList = userReadMap.get(username);
-
- // If its not added then create a new resource list
- if (userResourceList == null) {
- if (isDebugEnabled) {
- LOG.debug("Resource list not found for {}, creating it", username);
- }
- userResourceList = new HashMap<>();
- }
- /*
- * Iterate over resources from the current policy def and update the resource list for the current user
- */
- for (Entry<AtlasResourceTypes, List<String>> resourceTypeMap : policyDef.getResources().entrySet()) {
- // For the current resourceType in the policyDef, get the
- // current list of resources already added
- AtlasResourceTypes type = resourceTypeMap.getKey();
- List<String> resourceList = userResourceList.get(type);
-
- if (resourceList == null) {
- // if the resource list was not added for this type then
- // create and add all the resources in this policy
- resourceList = new ArrayList<>();
- resourceList.addAll(resourceTypeMap.getValue());
- } else {
- // if the resource list is present then merge both the
- // list
- resourceList.removeAll(resourceTypeMap.getValue());
- resourceList.addAll(resourceTypeMap.getValue());
- }
-
- userResourceList.put(type, resourceList);
- }
- userReadMap.put(username, userResourceList);
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("userReadMap {}", userReadMap);
- }
- }
- }
- if (isDebugEnabled) {
- LOG.debug("Returning Map for {} :: {}", principalType, userReadMap);
- LOG.debug("<== PolicyUtil createPermissionMap");
- }
- return userReadMap;
-
- }
-}
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizer.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizer.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizer.java
deleted file mode 100644
index 2eb0cd5..0000000
--- a/authorization/src/main/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizer.java
+++ /dev/null
@@ -1,381 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.atlas.authorize.simple;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import java.util.Map;
-
-import org.apache.atlas.ApplicationProperties;
-import org.apache.atlas.AtlasException;
-import org.apache.atlas.authorize.AtlasAccessRequest;
-import org.apache.atlas.authorize.AtlasActionTypes;
-import org.apache.atlas.authorize.AtlasAuthorizationException;
-import org.apache.atlas.authorize.AtlasAuthorizer;
-import org.apache.atlas.authorize.AtlasResourceTypes;
-import org.apache.atlas.utils.PropertiesUtil;
-import org.apache.commons.collections.CollectionUtils;
-import org.apache.commons.io.FilenameUtils;
-import org.apache.commons.io.IOCase;
-import org.apache.commons.lang.StringUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.annotations.VisibleForTesting;
-
-public final class SimpleAtlasAuthorizer implements AtlasAuthorizer {
-
- public enum AtlasAccessorTypes {
- USER, GROUP
- }
-
- private static final Logger LOG = LoggerFactory.getLogger(SimpleAtlasAuthorizer.class);
- private boolean isDebugEnabled = LOG.isDebugEnabled();
- private final static String WILDCARD_ASTERISK = "*";
- private final static String WILDCARDS = "*?";
- private boolean optIgnoreCase = false;
-
- private Map<String, Map<AtlasResourceTypes, List<String>>> userReadMap = null;
- private Map<String, Map<AtlasResourceTypes, List<String>>> userWriteMap = null;
- private Map<String, Map<AtlasResourceTypes, List<String>>> userUpdateMap = null;
- private Map<String, Map<AtlasResourceTypes, List<String>>> userDeleteMap = null;
- private Map<String, Map<AtlasResourceTypes, List<String>>> groupReadMap = null;
- private Map<String, Map<AtlasResourceTypes, List<String>>> groupWriteMap = null;
- private Map<String, Map<AtlasResourceTypes, List<String>>> groupUpdateMap = null;
- private Map<String, Map<AtlasResourceTypes, List<String>>> groupDeleteMap = null;
-
- public SimpleAtlasAuthorizer() {
- }
-
-
- @Override
- public void init() {
- if (isDebugEnabled) {
- LOG.debug("==> SimpleAtlasAuthorizer init");
- }
- try {
-
- PolicyParser parser = new PolicyParser();
- optIgnoreCase = Boolean.valueOf(PropertiesUtil.getProperty("optIgnoreCase", "false"));
-
- if (isDebugEnabled) {
- LOG.debug("Read from PropertiesUtil --> optIgnoreCase :: {}", optIgnoreCase);
- }
-
- InputStream policyStoreStream = ApplicationProperties.getFileAsInputStream(ApplicationProperties.get(), "atlas.auth.policy.file", "policy-store.txt");
- List<String> policies = null;
- try {
- policies = FileReaderUtil.readFile(policyStoreStream);
- }
- finally {
- policyStoreStream.close();
- }
- List<PolicyDef> policyDef = parser.parsePolicies(policies);
-
- userReadMap = PolicyUtil.createPermissionMap(policyDef, AtlasActionTypes.READ, AtlasAccessorTypes.USER);
- userWriteMap = PolicyUtil.createPermissionMap(policyDef, AtlasActionTypes.CREATE, AtlasAccessorTypes.USER);
- userUpdateMap = PolicyUtil.createPermissionMap(policyDef, AtlasActionTypes.UPDATE, AtlasAccessorTypes.USER);
- userDeleteMap = PolicyUtil.createPermissionMap(policyDef, AtlasActionTypes.DELETE, AtlasAccessorTypes.USER);
-
- groupReadMap = PolicyUtil.createPermissionMap(policyDef, AtlasActionTypes.READ, AtlasAccessorTypes.GROUP);
- groupWriteMap = PolicyUtil.createPermissionMap(policyDef, AtlasActionTypes.CREATE, AtlasAccessorTypes.GROUP);
- groupUpdateMap = PolicyUtil.createPermissionMap(policyDef, AtlasActionTypes.UPDATE, AtlasAccessorTypes.GROUP);
- groupDeleteMap = PolicyUtil.createPermissionMap(policyDef, AtlasActionTypes.DELETE, AtlasAccessorTypes.GROUP);
-
- if (isDebugEnabled) {
- LOG.debug("\n\nUserReadMap :: {}\nGroupReadMap :: {}", userReadMap, groupReadMap);
- LOG.debug("\n\nUserWriteMap :: {}\nGroupWriteMap :: {}", userWriteMap, groupWriteMap);
- LOG.debug("\n\nUserUpdateMap :: {}\nGroupUpdateMap :: {}", userUpdateMap, groupUpdateMap);
- LOG.debug("\n\nUserDeleteMap :: {}\nGroupDeleteMap :: {}", userDeleteMap, groupDeleteMap);
- }
-
- } catch (IOException | AtlasException e) {
- if (LOG.isErrorEnabled()) {
- LOG.error("SimpleAtlasAuthorizer could not be initialized properly due to : ", e);
- }
- throw new RuntimeException(e);
- }
- }
-
- @Override
- public boolean isAccessAllowed(AtlasAccessRequest request) throws AtlasAuthorizationException {
- if (isDebugEnabled) {
- LOG.debug("==> SimpleAtlasAuthorizer isAccessAllowed");
- LOG.debug("isAccessAllowd({})", request);
- }
- String user = request.getUser();
- Set<String> groups = request.getUserGroups();
- AtlasActionTypes action = request.getAction();
- String resource = request.getResource();
- Set<AtlasResourceTypes> resourceTypes = request.getResourceTypes();
- if (isDebugEnabled)
- LOG.debug("Checking for :: \nUser :: {}\nGroups :: {}\nAction :: {}\nResource :: {}", user, groups, action, resource);
-
- boolean isAccessAllowed = false;
- boolean isUser = user != null;
- boolean isGroup = groups != null;
-
- if ((!isUser && !isGroup) || action == null || resource == null) {
- if (isDebugEnabled) {
- LOG.debug("Please check the formation AtlasAccessRequest.");
- }
- return isAccessAllowed;
- } else {
- if (isDebugEnabled) {
- LOG.debug("checkAccess for Operation :: {} on Resource {}:{}", action, resourceTypes, resource);
- }
- switch (action) {
- case READ:
- isAccessAllowed = checkAccess(user, resourceTypes, resource, userReadMap);
- isAccessAllowed =
- isAccessAllowed || checkAccessForGroups(groups, resourceTypes, resource, groupReadMap);
- break;
- case CREATE:
- isAccessAllowed = checkAccess(user, resourceTypes, resource, userWriteMap);
- isAccessAllowed =
- isAccessAllowed || checkAccessForGroups(groups, resourceTypes, resource, groupWriteMap);
- break;
- case UPDATE:
- isAccessAllowed = checkAccess(user, resourceTypes, resource, userUpdateMap);
- isAccessAllowed =
- isAccessAllowed || checkAccessForGroups(groups, resourceTypes, resource, groupUpdateMap);
- break;
- case DELETE:
- isAccessAllowed = checkAccess(user, resourceTypes, resource, userDeleteMap);
- isAccessAllowed =
- isAccessAllowed || checkAccessForGroups(groups, resourceTypes, resource, groupDeleteMap);
- break;
- default:
- if (isDebugEnabled) {
- LOG.debug("Invalid Action {}\nRaising AtlasAuthorizationException!!!", action);
- }
- throw new AtlasAuthorizationException("Invalid Action :: " + action);
- }
- }
-
- if (isDebugEnabled) {
- LOG.debug("<== SimpleAtlasAuthorizer isAccessAllowed = {}", isAccessAllowed);
- }
-
- return isAccessAllowed;
- }
-
- private boolean checkAccess(String accessor, Set<AtlasResourceTypes> resourceTypes, String resource,
- Map<String, Map<AtlasResourceTypes, List<String>>> map) {
- if (isDebugEnabled) {
- LOG.debug("==> SimpleAtlasAuthorizer checkAccess");
- LOG.debug("Now checking access for accessor : {}\nResource Types : {}\nResource : {}\nMap : {}", accessor, resourceTypes, resource, map);
- }
- boolean result = true;
- Map<AtlasResourceTypes, List<String>> rescMap = map.get(accessor);
- if (rescMap != null) {
- for (AtlasResourceTypes resourceType : resourceTypes) {
- List<String> accessList = rescMap.get(resourceType);
- if (isDebugEnabled) {
- LOG.debug("\nChecking for resource : {} in list : {}\n", resource, accessList);
- }
- if (accessList != null) {
- result = result && isMatch(resource, accessList);
- } else {
- result = false;
- }
- }
- } else {
- result = false;
- if (isDebugEnabled)
- LOG.debug("Key {} missing. Returning with result : {}", accessor, result);
- }
-
- if (isDebugEnabled) {
- LOG.debug("Check for {} :: {}", accessor, result);
- LOG.debug("<== SimpleAtlasAuthorizer checkAccess");
- }
- return result;
- }
-
- private boolean checkAccessForGroups(Set<String> groups, Set<AtlasResourceTypes> resourceType, String resource,
- Map<String, Map<AtlasResourceTypes, List<String>>> map) {
- boolean isAccessAllowed = false;
- if (isDebugEnabled) {
- LOG.debug("==> SimpleAtlasAuthorizer checkAccessForGroups");
- }
-
- if(CollectionUtils.isNotEmpty(groups)) {
- for (String group : groups) {
- isAccessAllowed = checkAccess(group, resourceType, resource, map);
- if (isAccessAllowed) {
- break;
- }
- }
- }
-
- if (isDebugEnabled) {
- LOG.debug("<== SimpleAtlasAuthorizer checkAccessForGroups");
- }
- return isAccessAllowed;
- }
-
- private boolean resourceMatchHelper(List<String> policyResource) {
- boolean isMatchAny = false;
- if (isDebugEnabled) {
- LOG.debug("==> SimpleAtlasAuthorizer resourceMatchHelper");
- }
-
- boolean optWildCard = true;
-
- List<String> policyValues = new ArrayList<>();
-
- if (policyResource != null) {
- boolean isWildCardPresent = !optWildCard;
- for (String policyValue : policyResource) {
- if (StringUtils.isEmpty(policyValue)) {
- continue;
- }
- if (StringUtils.containsOnly(policyValue, WILDCARD_ASTERISK)) {
- isMatchAny = true;
- } else if (!isWildCardPresent && StringUtils.containsAny(policyValue, WILDCARDS)) {
- isWildCardPresent = true;
- }
- policyValues.add(policyValue);
- }
- optWildCard = optWildCard && isWildCardPresent;
- } else {
- isMatchAny = false;
- }
-
- if (isDebugEnabled) {
- LOG.debug("<== SimpleAtlasAuthorizer resourceMatchHelper");
- }
- return isMatchAny;
- }
-
- private boolean isMatch(String resource, List<String> policyValues) {
- if (isDebugEnabled) {
- LOG.debug("==> SimpleAtlasAuthorizer isMatch");
- }
- boolean isMatchAny = resourceMatchHelper(policyValues);
- boolean isMatch = false;
- boolean allValuesRequested = isAllValuesRequested(resource);
-
- if (allValuesRequested || isMatchAny) {
- isMatch = isMatchAny;
- } else {
- for (String policyValue : policyValues) {
- if (policyValue.contains("*")) {
- isMatch =
- optIgnoreCase ? FilenameUtils.wildcardMatch(resource, policyValue, IOCase.INSENSITIVE)
- : FilenameUtils.wildcardMatch(resource, policyValue, IOCase.SENSITIVE);
- } else {
- isMatch =
- optIgnoreCase ? StringUtils.equalsIgnoreCase(resource, policyValue) : StringUtils.equals(
- resource, policyValue);
- }
- if (isMatch) {
- break;
- }
- }
- }
-
- if (!isMatch) {
- if (isDebugEnabled) {
- StringBuilder sb = new StringBuilder();
- sb.append("[");
- for (String policyValue : policyValues) {
- sb.append(policyValue);
- sb.append(" ");
- }
- sb.append("]");
-
- LOG.debug("AtlasDefaultResourceMatcher.isMatch returns FALSE, (resource={}, policyValues={})", resource, sb.toString());
- }
-
- }
-
- if (isDebugEnabled) {
- LOG.debug("<== SimpleAtlasAuthorizer isMatch({}): {}", resource, isMatch);
- }
-
- return isMatch;
- }
-
- private boolean isAllValuesRequested(String resource) {
- return StringUtils.isEmpty(resource) || WILDCARD_ASTERISK.equals(resource);
- }
-
- @Override
- public void cleanUp() {
- if (isDebugEnabled) {
- LOG.debug("==> +SimpleAtlasAuthorizer cleanUp");
- }
- userReadMap = null;
- userWriteMap = null;
- userUpdateMap = null;
- userDeleteMap = null;
- groupReadMap = null;
- groupWriteMap = null;
- groupUpdateMap = null;
- groupDeleteMap = null;
- if (isDebugEnabled) {
- LOG.debug("<== +SimpleAtlasAuthorizer cleanUp");
- }
- }
-
- /*
- * NOTE :: This method is added for setting the maps for testing purpose.
- */
- @VisibleForTesting
- public void setResourcesForTesting(Map<String, Map<AtlasResourceTypes, List<String>>> userMap,
- Map<String, Map<AtlasResourceTypes, List<String>>> groupMap, AtlasActionTypes actionTypes) {
-
- switch (actionTypes) {
- case READ:
- this.userReadMap = userMap;
- this.groupReadMap = groupMap;
- break;
-
- case CREATE:
-
- this.userWriteMap = userMap;
- this.groupWriteMap = groupMap;
- break;
- case UPDATE:
-
- this.userUpdateMap = userMap;
- this.groupUpdateMap = groupMap;
- break;
- case DELETE:
-
- this.userDeleteMap = userMap;
- this.groupDeleteMap = groupMap;
- break;
-
- default:
- if (isDebugEnabled) {
- LOG.debug("No such action available");
- }
- break;
- }
- }
-
-}
-
-
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/resources/atlas-simple-authz-policy.json
----------------------------------------------------------------------
diff --git a/authorization/src/main/resources/atlas-simple-authz-policy.json b/authorization/src/main/resources/atlas-simple-authz-policy.json
new file mode 100644
index 0000000..01104a8
--- /dev/null
+++ b/authorization/src/main/resources/atlas-simple-authz-policy.json
@@ -0,0 +1,61 @@
+{
+ "roles": {
+ "ROLE_ADMIN": {
+ "adminPermissions": [
+ {
+ "privileges": [ ".*" ]
+ }
+ ],
+
+ "entityPermissions": [
+ {
+ "privileges": [ ".*" ],
+ "entityTypes": [ ".*" ],
+ "entityIds": [ ".*" ],
+ "classifications": [ ".*" ]
+ }
+ ],
+
+ "typePermissions": [
+ {
+ "privileges": [ ".*" ],
+ "typeCategories": [ ".*" ],
+ "typeNames": [ ".*" ]
+ }
+ ]
+ },
+
+ "DATA_SCIENTIST": {
+ "entityPermissions": [
+ {
+ "privileges": [ "entity-read", "entity-read-classification" ],
+ "entityTypes": [ ".*" ],
+ "entityIds": [ ".*" ],
+ "classifications": [ ".*" ]
+ }
+ ]
+ },
+
+ "DATA_STEWARD": {
+ "entityPermissions": [
+ {
+ "privileges": [ "entity-read", "entity-create", "entity-update", "entity-read-classification", "entity-add-classification", "entity-update-classification", "entity-remove-classification" ],
+ "entityTypes": [ ".*" ],
+ "entityIds": [ ".*" ],
+ "classifications": [ ".*" ]
+ }
+ ]
+ }
+ },
+
+ "userRoles": {
+ "admin": [ "ROLE_ADMIN" ]
+ },
+
+ "groupRoles": {
+ "ROLE_ADMIN": [ "ROLE_ADMIN" ],
+ "hadoop": [ "DATA_STEWARD" ],
+ "DATA_STEWARD": [ "DATA_STEWARD" ],
+ "RANGER_TAG_SYNC": [ "DATA_SCIENTIST" ]
+ }
+}
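Review bot: The shipped default maps the common `hadoop` group to DATA_STEWARD (entity create/update plus classification add/update/remove on every entity type, per `"hadoop": [ "DATA_STEWARD" ]` and the DATA_STEWARD `privileges` list) and maps a group literally named `ROLE_ADMIN` to the all-privilege admin role, so a deployment whose directory already contains those group names grants write or admin access out of the box. JSON cannot carry a comment, so the caveat belongs in whatever documents `atlas-simple-authz-policy.json` rather than in this hunk: `userRoles`/`groupRoles` are sample mappings to be replaced per deployment, and a `".*"` entry in `privileges`, `entityTypes`, `entityIds`, `classifications`, `typeCategories` or `typeNames` matches everything. A narrower shipped default would be `"hadoop": [ "DATA_SCIENTIST" ]`, leaving write privileges to an explicit opt-in. How the `".*"` patterns are evaluated (anchored match versus substring find) is decided by code outside this hunk, so the reach of partial patterns should be stated in the same documentation.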
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtilsTest.java
----------------------------------------------------------------------
diff --git a/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtilsTest.java b/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtilsTest.java
deleted file mode 100644
index adebb62..0000000
--- a/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtilsTest.java
+++ /dev/null
@@ -1,105 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.atlas.authorize.simple;
-
-import org.apache.atlas.authorize.AtlasResourceTypes;
-import org.testng.annotations.Test;
-
-import java.util.Set;
-
-import static org.testng.Assert.assertEquals;
-import static org.testng.Assert.assertTrue;
-
-/**
- * Unit tests for AtlasAuthorizationUtils.
- */
-public class AtlasAuthorizationUtilsTest {
- @Test
- public void testGetApi() {
- String contextPath = "/api/atlas/entities";
- assertEquals(AtlasAuthorizationUtils.getApi(contextPath), "entities");
-
- contextPath = "/api/atlas/entities/111/traits";
- assertEquals(AtlasAuthorizationUtils.getApi(contextPath), "entities");
-
- contextPath = "/api/atlas/v1/entities";
- assertEquals(AtlasAuthorizationUtils.getApi(contextPath), "entities");
-
- contextPath = "/api/atlas/v1/entities/111/tags";
- assertEquals(AtlasAuthorizationUtils.getApi(contextPath), "entities");
-
- // not sure of this use case but the code appears to support url's that don't
- // begin with base url.
- contextPath = "/foo/bar";
- assertEquals(AtlasAuthorizationUtils.getApi(contextPath), "foo");
- }
-
- @Test
- public void testGetAtlasResourceType() throws Exception {
- String contextPath = "/api/atlas/types";
- Set<AtlasResourceTypes> resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
- assertEquals(resourceTypes.size(), 1);
- assertTrue(resourceTypes.contains(AtlasResourceTypes.TYPE));
-
- contextPath = "/api/atlas/admin/foo";
- resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
- assertEquals(resourceTypes.size(), 1);
- assertTrue(resourceTypes.contains(AtlasResourceTypes.OPERATION));
-
- contextPath = "/api/atlas/graph/foo";
- resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
- assertEquals(resourceTypes.size(), 1);
- assertTrue(resourceTypes.contains(AtlasResourceTypes.OPERATION));
-
- contextPath = "/api/atlas/discovery/search/gremlin";
- resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
- assertEquals(resourceTypes.size(), 1);
- assertTrue(resourceTypes.contains(AtlasResourceTypes.OPERATION));
-
- contextPath = "/api/atlas/entities/111/traits";
- resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
- assertEquals(resourceTypes.size(), 1);
- assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
-
- contextPath = "/api/atlas/discovery/search";
- resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
- assertEquals(resourceTypes.size(), 1);
- assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
-
- contextPath = "/api/atlas/entities?type=Column";
- resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
- assertEquals(resourceTypes.size(), 1);
- assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
-
- contextPath = "/api/atlas/lineage";
- resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
- assertEquals(resourceTypes.size(), 1);
- assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
-
- contextPath = "/api/atlas/v1/entities/111";
- resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
- assertEquals(resourceTypes.size(), 1);
- assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
-
- contextPath = "/api/atlas/v1/entities/111/tags/foo";
- resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
- assertEquals(resourceTypes.size(), 1);
- assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
- }
-}
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizerTest.java
----------------------------------------------------------------------
diff --git a/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizerTest.java b/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizerTest.java
new file mode 100644
index 0000000..16c8c8c
--- /dev/null
+++ b/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizerTest.java
@@ -0,0 +1,107 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.atlas.authorize.simple;
+
+import org.apache.atlas.authorize.*;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.testng.annotations.AfterClass;
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+import org.testng.AssertJUnit;
+
+import java.util.Collections;
+
+public class AtlasSimpleAuthorizerTest {
+ private static Logger LOG = LoggerFactory.getLogger(AtlasSimpleAuthorizerTest.class);
+
+ private String originalConf;
+ private AtlasAuthorizer authorizer;
+
+ @BeforeMethod
+ public void setup1() {
+ originalConf = System.getProperty("atlas.conf");
+
+ System.setProperty("atlas.conf", "src/test/resources");
+
+ try {
+ authorizer = AtlasAuthorizerFactory.getAtlasAuthorizer();
+ } catch (Exception e) {
+ LOG.error("Exception in AtlasSimpleAuthorizerTest setup failed", e);
+ }
+ }
+
+ @AfterClass
+ public void tearDown() throws Exception {
+ if (originalConf != null) {
+ System.setProperty("atlas.conf", originalConf);
+ }
+
+ authorizer = null;
+ }
+
+ @Test(enabled = true)
+ public void testAccessAllowedForUserAndGroup() {
+ try {
+ AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_UPDATE);
+
+ request.setUser("admin", Collections.singleton("ROLE_ADMIN"));
+
+ boolean isAccessAllowed = authorizer.isAccessAllowed(request);
+
+ AssertJUnit.assertEquals(true, isAccessAllowed);
+ } catch (Exception e) {
+ LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
+
+ AssertJUnit.fail();
+ }
+ }
+
+ @Test(enabled = true)
+ public void testAccessAllowedForGroup() {
+ try {
+ AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_UPDATE);
+
+ request.setUser("nonmappeduser", Collections.singleton("ROLE_ADMIN"));
+
+ boolean isAccessAllowed = authorizer.isAccessAllowed(request);
+
+ AssertJUnit.assertEquals(true, isAccessAllowed);
+ } catch (AtlasAuthorizationException e) {
+ LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
+
+ AssertJUnit.fail();
+ }
+ }
+
+ @Test(enabled = true)
+ public void testAccessNotAllowedForUserAndGroup() {
+ try {
+ AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_UPDATE);
+
+ request.setUser("nonmappeduser", Collections.singleton("GROUP-NOT-IN-POLICYFILE"));
+
+ boolean isAccessAllowed = authorizer.isAccessAllowed(request);
+
+ AssertJUnit.assertEquals(false, isAccessAllowed);
+ } catch (AtlasAuthorizationException e) {
+ LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
+
+ AssertJUnit.fail();
+ }
+ }
+}
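Review bot: `setup1` is `@BeforeMethod` while `tearDown` is `@AfterClass`, so from the second test on `originalConf` is re-read after the first `setup1` has already set `atlas.conf` to `src/test/resources`, and the caller's original value is never restored; when it was unset, the property also leaks into later test classes because `tearDown` only restores a non-null value. Make the pair symmetric (`@BeforeClass`/`@AfterClass`, or capture `originalConf` only while it is still null) and add `else { System.clearProperty("atlas.conf"); }` to `tearDown`. Separately, a failure in `AtlasAuthorizerFactory.getAtlasAuthorizer()` is only logged, leaving `authorizer` null so every test then fails with an NPE instead of the real cause; declaring `public void setup1() throws Exception` and letting it propagate is clearer. All three requests pass `null` for the entity, so none of them exercise the entity-id or classification matching this commit introduces; a deny case for a user whose role only grants a narrow `entityTypes`/`entityIds` pattern would pin that behaviour.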
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyParserTest.java
----------------------------------------------------------------------
diff --git a/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyParserTest.java b/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyParserTest.java
deleted file mode 100644
index 3b7869a..0000000
--- a/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyParserTest.java
+++ /dev/null
@@ -1,172 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.atlas.authorize.simple;
-
-import static org.testng.AssertJUnit.assertEquals;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import org.apache.atlas.authorize.AtlasActionTypes;
-import org.apache.atlas.authorize.AtlasResourceTypes;
-import org.apache.atlas.authorize.simple.PolicyDef;
-import org.apache.atlas.authorize.simple.PolicyParser;
-import org.testng.annotations.Test;
-
-public class PolicyParserTest {
-
- @Test
- public void testParsePoliciesWithAllProperties() {
- List<String> policies = new ArrayList<>();
- policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;entity:*abc,operation:*xyz,type:PII");
- /* Creating group data */
- Map<String, List<AtlasActionTypes>> groupMap = new HashMap<>();
- List<AtlasActionTypes> accessList1 = new ArrayList<>();
- accessList1.add(AtlasActionTypes.READ);
- accessList1.add(AtlasActionTypes.CREATE);
- accessList1.add(AtlasActionTypes.UPDATE);
-
- groupMap.put("grp1", accessList1);
- List<AtlasActionTypes> accessList2 = new ArrayList<>();
- accessList2.add(AtlasActionTypes.UPDATE);
- groupMap.put("grp2", accessList2);
-
- /* Creating user data */
- Map<String, List<AtlasActionTypes>> usersMap = new HashMap<>();
- List<AtlasActionTypes> usr1AccessList = new ArrayList<>();
- usr1AccessList.add(AtlasActionTypes.READ);
- usersMap.put("usr1", usr1AccessList);
-
- List<AtlasActionTypes> usr2AccessList = new ArrayList<>();
- usr2AccessList.add(AtlasActionTypes.READ);
- usr2AccessList.add(AtlasActionTypes.CREATE);
- usersMap.put("usr2", usr2AccessList);
-
- /* Creating resources data */
- Map<AtlasResourceTypes, List<String>> resourceMap = new HashMap<>();
- List<String> resource1List = new ArrayList<>();
- resource1List.add("*abc");
- resourceMap.put(AtlasResourceTypes.ENTITY, resource1List);
-
- List<String> resource2List = new ArrayList<>();
- resource2List.add("*xyz");
- resourceMap.put(AtlasResourceTypes.OPERATION, resource2List);
-
- List<String> resource3List = new ArrayList<>();
- resource3List.add("PII");
- resourceMap.put(AtlasResourceTypes.TYPE, resource3List);
-
- List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies);
- for (PolicyDef def : policyDefs) {
-
- assertEquals(def.getPolicyName(), "hivePolicy");
- assertEquals(def.getGroups(), groupMap);
- assertEquals(def.getUsers(), usersMap);
- assertEquals(def.getResources(), resourceMap);
-
- }
-
- }
-
- @Test
- public void testParsePoliciesWithOutUserProperties() {
- List<String> policies = new ArrayList<>();
- policies.add("hivePolicy;;;;grp1:rwu,grp2:u;;entity:*abc,operation:*xyz,type:PII");
- // Creating group data
- Map<String, List<AtlasActionTypes>> groupMap = new HashMap<>();
- List<AtlasActionTypes> accessList1 = new ArrayList<>();
- accessList1.add(AtlasActionTypes.READ);
- accessList1.add(AtlasActionTypes.CREATE);
- accessList1.add(AtlasActionTypes.UPDATE);
-
- groupMap.put("grp1", accessList1);
- List<AtlasActionTypes> accessList2 = new ArrayList<>();
- accessList2.add(AtlasActionTypes.UPDATE);
- groupMap.put("grp2", accessList2);
-
- // Creating user data
- Map<String, List<AtlasActionTypes>> usersMap = new HashMap<>();
-
- // Creating resources data
- Map<AtlasResourceTypes, List<String>> resourceMap = new HashMap<>();
- List<String> resource1List = new ArrayList<>();
- resource1List.add("*abc");
- resourceMap.put(AtlasResourceTypes.ENTITY, resource1List);
-
- List<String> resource2List = new ArrayList<>();
- resource2List.add("*xyz");
- resourceMap.put(AtlasResourceTypes.OPERATION, resource2List);
-
- List<String> resource3List = new ArrayList<>();
- resource3List.add("PII");
- resourceMap.put(AtlasResourceTypes.TYPE, resource3List);
-
- List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies);
- for (PolicyDef def : policyDefs) {
-
- assertEquals(def.getPolicyName(), "hivePolicy");
- assertEquals(def.getGroups(), groupMap);
- assertEquals(def.getUsers(), usersMap);
- assertEquals(def.getResources(), resourceMap);
-
- }
-
- }
-
- @Test
- public void testParsePoliciesWithOutGroupProperties() {
- List<String> policies = new ArrayList<>();
- policies.add("hivePolicy;;usr1:r,usr2:rw;;;;entity:*abc,operation:*xyz,type:PII");
- // Creating group data
- Map<String, List<AtlasActionTypes>> groupMap = new HashMap<>();
-
- // Creating user data
- Map<String, List<AtlasActionTypes>> usersMap = new HashMap<>();
- List<AtlasActionTypes> usr1AccessList = new ArrayList<>();
- usr1AccessList.add(AtlasActionTypes.READ);
- usersMap.put("usr1", usr1AccessList);
-
- List<AtlasActionTypes> usr2AccessList = new ArrayList<>();
- usr2AccessList.add(AtlasActionTypes.READ);
- usr2AccessList.add(AtlasActionTypes.CREATE);
- usersMap.put("usr2", usr2AccessList);
-
- // Creating resources data
- Map<AtlasResourceTypes, List<String>> resourceMap = new HashMap<>();
- List<String> resource1List = new ArrayList<>();
- resource1List.add("*abc");
- resourceMap.put(AtlasResourceTypes.ENTITY, resource1List);
-
- List<String> resource2List = new ArrayList<>();
- resource2List.add("*xyz");
- resourceMap.put(AtlasResourceTypes.OPERATION, resource2List);
-
- List<String> resource3List = new ArrayList<>();
- resource3List.add("PII");
- resourceMap.put(AtlasResourceTypes.TYPE, resource3List);
-
- List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies);
- for (PolicyDef def : policyDefs) {
- assertEquals(def.getPolicyName(), "hivePolicy");
- assertEquals(def.getGroups(), groupMap);
- assertEquals(def.getUsers(), usersMap);
- assertEquals(def.getResources(), resourceMap);
- }
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyUtilTest.java
----------------------------------------------------------------------
diff --git a/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyUtilTest.java b/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyUtilTest.java
deleted file mode 100644
index 1cefbcd..0000000
--- a/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyUtilTest.java
+++ /dev/null
@@ -1,100 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.atlas.authorize.simple;
-
-import static org.testng.AssertJUnit.assertEquals;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import org.apache.atlas.authorize.simple.SimpleAtlasAuthorizer;
-import org.apache.atlas.authorize.AtlasActionTypes;
-import org.apache.atlas.authorize.AtlasResourceTypes;
-import org.apache.atlas.authorize.simple.PolicyDef;
-import org.apache.atlas.authorize.simple.PolicyParser;
-import org.apache.atlas.authorize.simple.PolicyUtil;
-import org.testng.annotations.Test;
-
-public class PolicyUtilTest {
-
- @Test
- public void testCreatePermissionMap() {
-
- HashMap<AtlasResourceTypes, List<String>> resourceMap = new HashMap<>();
- List<String> resource1List = new ArrayList<>();
- resource1List.add("*abc");
- resourceMap.put(AtlasResourceTypes.ENTITY, resource1List);
-
- List<String> resource2List = new ArrayList<>();
- resource2List.add("*xyz");
- resourceMap.put(AtlasResourceTypes.OPERATION, resource2List);
-
- List<String> resource3List = new ArrayList<>();
- resource3List.add("PII");
- resourceMap.put(AtlasResourceTypes.TYPE, resource3List);
-
- Map<String, HashMap<AtlasResourceTypes, List<String>>> permissionMap =
- new HashMap<>();
- permissionMap.put("grp1", resourceMap);
-
- List<String> policies = new ArrayList<>();
- policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;entity:*abc,operation:*xyz,type:PII");
- List<PolicyDef> policyDefList = new PolicyParser().parsePolicies(policies);
-
- Map<String, Map<AtlasResourceTypes, List<String>>> createdPermissionMap =
- new PolicyUtil().createPermissionMap(policyDefList, AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.GROUP);
-
- assertEquals(permissionMap, createdPermissionMap);
-
- }
-
- @Test
- public void testMergeCreatePermissionMap() {
-
- HashMap<AtlasResourceTypes, List<String>> resourceMap = new HashMap<>();
- List<String> resource1List = new ArrayList<>();
- resource1List.add("*abc");
- resourceMap.put(AtlasResourceTypes.ENTITY, resource1List);
-
- List<String> resource2List = new ArrayList<>();
- resource2List.add("*x");
- resource2List.add("*xyz");
- resourceMap.put(AtlasResourceTypes.OPERATION, resource2List);
-
- List<String> resource3List = new ArrayList<>();
- resource3List.add("PII");
- resourceMap.put(AtlasResourceTypes.TYPE, resource3List);
-
- Map<String, HashMap<AtlasResourceTypes, List<String>>> permissionMap =
- new HashMap<>();
- permissionMap.put("grp1", resourceMap);
-
- List<String> policies = new ArrayList<>();
- policies.add("hivePolicys;;;;grp1:rwu;;entity:*abc,operation:*xyz,operation:*x");
- policies.add("hivePolicy;;;;grp1:rwu;;entity:*abc,operation:*xyz");
- policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu;;entity:*abc,operation:*xyz");
- policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;entity:*abc,operation:*xyz,type:PII");
- List<PolicyDef> policyDefList = new PolicyParser().parsePolicies(policies);
-
- Map<String, Map<AtlasResourceTypes, List<String>>> createdPermissionMap =
- new PolicyUtil().createPermissionMap(policyDefList, AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.GROUP);
-
- assertEquals(permissionMap, createdPermissionMap);
-
- }
-}
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/test/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizerTest.java
----------------------------------------------------------------------
diff --git a/authorization/src/test/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizerTest.java b/authorization/src/test/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizerTest.java
deleted file mode 100644
index b36c9c7..0000000
--- a/authorization/src/test/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizerTest.java
+++ /dev/null
@@ -1,208 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.atlas.authorize.simple;
-
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-import java.util.Map;
-
-import org.apache.atlas.authorize.*;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.testng.AssertJUnit;
-import org.testng.annotations.Test;
-
-public class SimpleAtlasAuthorizerTest {
-
- private static Logger LOG = LoggerFactory
- .getLogger(SimpleAtlasAuthorizerTest.class);
-
- @Test
- public void testAccessAllowedForUserAndGroup() {
-
- Map<String, Map<AtlasResourceTypes, List<String>>> userReadMap = null;
- Map<String, Map<AtlasResourceTypes, List<String>>> groupReadMap = null;
- List<String> policies = new ArrayList<>();
- policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;type:*abc,type:PII");
-
- List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies);
- PolicyUtil policyUtil = new PolicyUtil();
- // group read map
- groupReadMap = policyUtil.createPermissionMap(policyDefs,
- AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.GROUP);
- // creating user readMap
- userReadMap = policyUtil.createPermissionMap(policyDefs,
- AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.USER);
-
- Set<AtlasResourceTypes> resourceType = new HashSet<>();
- resourceType.add(AtlasResourceTypes.TYPE);
- String resource = "xsdfhjabc";
- AtlasActionTypes action = AtlasActionTypes.READ;
- String user = "usr1";
-
- Set<String> userGroups = new HashSet<>();
- userGroups.add("grp3");
- try {
- AtlasAccessRequest request = new AtlasAccessRequest(resourceType,
- resource, action, user, userGroups,"127.0.0.1");
- SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory
- .getAtlasAuthorizer();
-
- authorizer
- .setResourcesForTesting(userReadMap, groupReadMap, action);
-
- boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- // getUserReadMap
- AssertJUnit.assertEquals(true, isAccessAllowed);
- } catch (AtlasAuthorizationException e) {
- if (LOG.isErrorEnabled()) {
- LOG.error("AtlasAuthorizationException in Unit Test", e);
- }
- }
-
- }
-
- @Test
- public void testAccessAllowedForGroup() {
-
- Map<String, Map<AtlasResourceTypes, List<String>>> userReadMap = null;
- Map<String, Map<AtlasResourceTypes, List<String>>> groupReadMap = null;
- List<String> policies = new ArrayList<>();
- policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;type:PII");
-
- List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies);
- PolicyUtil policyUtil = new PolicyUtil();
- // creating group read map
- groupReadMap = policyUtil.createPermissionMap(policyDefs,
- AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.GROUP);
- // creating user readMap
- userReadMap = policyUtil.createPermissionMap(policyDefs,
- AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.USER);
-
- Set<AtlasResourceTypes> resourceType = new HashSet<>();
- resourceType.add(AtlasResourceTypes.TYPE);
- String resource = "PII";
- AtlasActionTypes action = AtlasActionTypes.READ;
- String user = "usr3";
- Set<String> userGroups = new HashSet<>();
- userGroups.add("grp1");
- AtlasAccessRequest request = new AtlasAccessRequest(resourceType,
- resource, action, user, userGroups,"127.0.0.1");
- try {
- SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory
- .getAtlasAuthorizer();
- authorizer
- .setResourcesForTesting(userReadMap, groupReadMap, action);
-
- boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals(true, isAccessAllowed);
- } catch (AtlasAuthorizationException e) {
- if (LOG.isErrorEnabled()) {
- LOG.error("AtlasAuthorizationException in Unit Test", e);
- }
-
- }
-
- }
-
- @Test
- public void testResourceNotAvailableInPolicy() {
-
- Map<String, Map<AtlasResourceTypes, List<String>>> userReadMap = null;
- Map<String, Map<AtlasResourceTypes, List<String>>> groupReadMap = null;
- List<String> policies = new ArrayList<>();
- policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;type:PII");
-
- List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies);
- PolicyUtil policyUtil = new PolicyUtil();
- // group read map
- groupReadMap = policyUtil.createPermissionMap(policyDefs,
- AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.GROUP);
- // creating user readMap
- userReadMap = policyUtil.createPermissionMap(policyDefs,
- AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.USER);
-
- Set<AtlasResourceTypes> resourceType = new HashSet<>();
- resourceType.add(AtlasResourceTypes.TYPE);
- String resource = "abc";
- AtlasActionTypes action = AtlasActionTypes.READ;
- String user = "usr1";
- Set<String> userGroups = new HashSet<>();
- userGroups.add("grp1");
- AtlasAccessRequest request = new AtlasAccessRequest(resourceType,
- resource, action, user, userGroups,"127.0.0.1");
- try {
- SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory
- .getAtlasAuthorizer();
- authorizer
- .setResourcesForTesting(userReadMap, groupReadMap, action);
-
- boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals(false, isAccessAllowed);
- } catch (AtlasAuthorizationException e) {
- if (LOG.isErrorEnabled()) {
- LOG.error("AtlasAuthorizationException in Unit Test", e);
- }
- }
-
- }
-
- @Test
- public void testAccessNotAllowedForUserAndGroup() {
-
- Map<String, Map<AtlasResourceTypes, List<String>>> userReadMap = null;
- Map<String, Map<AtlasResourceTypes, List<String>>> groupReadMap = null;
- List<String> policies = new ArrayList<>();
- policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;type:PII");
-
- List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies);
- PolicyUtil policyUtil = new PolicyUtil();
- // group read map
- groupReadMap = policyUtil.createPermissionMap(policyDefs,
- AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.GROUP);
- // creating user readMap
- userReadMap = policyUtil.createPermissionMap(policyDefs,
- AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.USER);
-
- Set<AtlasResourceTypes> resourceType = new HashSet<>();
- resourceType.add(AtlasResourceTypes.TYPE);
- String resource = "PII";
- AtlasActionTypes action = AtlasActionTypes.READ;
- String user = "usr3";
- Set<String> userGroups = new HashSet<>();
- userGroups.add("grp3");
- AtlasAccessRequest request = new AtlasAccessRequest(resourceType,
- resource, action, user, userGroups,"127.0.0.1");
- try {
- SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory
- .getAtlasAuthorizer();
- authorizer
- .setResourcesForTesting(userReadMap, groupReadMap, action);
-
- boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals(false, isAccessAllowed);
- } catch (AtlasAuthorizationException e) {
- if (LOG.isErrorEnabled()) {
- LOG.error("AtlasAuthorizationException in Unit Test", e);
- }
- }
-
- }
-
-}
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/test/resources/atlas-application.properties
----------------------------------------------------------------------
diff --git a/authorization/src/test/resources/atlas-application.properties b/authorization/src/test/resources/atlas-application.properties
new file mode 100644
index 0000000..e1357b1
--- /dev/null
+++ b/authorization/src/test/resources/atlas-application.properties
@@ -0,0 +1,149 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+#system property
+atlas.data=${sys:user.dir}/target/data
+
+
+
+#re-use existing property
+atlas.graph.data=${atlas.data}/graph
+
+#plain property
+atlas.service=atlas
+
+#invalid system property
+atlas.db=${atlasdb}
+
+atlas.TypeSystem.impl=org.apache.atlas.typesystem.types.TypeSystem
+
+
+
+######### Atlas Server Configs #########
+atlas.rest.address=http://localhost:31000
+
+######### Graph Database Configs #########
+
+
+# Graph database implementation. Value inserted by maven.
+atlas.graphdb.backend=${graphdb.backend.impl}
+
+# Graph Storage
+atlas.graph.storage.backend=${graph.storage.backend}
+
+# Entity repository implementation
+atlas.EntityAuditRepository.impl=${entity.repository.impl}
+
+# Graph Search Index Backend
+atlas.graph.index.search.backend=${graph.index.backend}
+
+#Berkeley storage directory
+atlas.graph.storage.directory=${sys:atlas.data}/berkley
+
+#hbase
+#For standalone mode , specify localhost
+#for distributed mode, specify zookeeper quorum here - For more information refer http://s3.thinkaurelius.com/docs/titan/current/hbase.html#_remote_server_mode_2
+
+atlas.graph.storage.hostname=${graph.storage.hostname}
+atlas.graph.storage.hbase.regions-per-server=1
+atlas.graph.storage.lock.wait-time=10000
+
+#ElasticSearch
+atlas.graph.index.search.directory=${sys:atlas.data}/es
+atlas.graph.index.search.elasticsearch.client-only=false
+atlas.graph.index.search.elasticsearch.local-mode=true
+atlas.graph.index.search.elasticsearch.create.sleep=2000
+
+# Solr cloud mode properties
+atlas.graph.index.search.solr.mode=cloud
+atlas.graph.index.search.solr.zookeeper-url=${solr.zk.address}
+atlas.graph.index.search.solr.embedded=${tests.solr.embedded}
+atlas.graph.index.search.max-result-set-size=150
+
+######### Hive Lineage Configs #########
+## Schema
+atlas.lineage.schema.query.hive_table=hive_table where __guid='%s'\, columns
+atlas.lineage.schema.query.hive_table_v1=hive_table_v1 where __guid='%s'\, columns
+
+######### Notification Configs #########
+atlas.notification.embedded=true
+
+atlas.kafka.zookeeper.connect=localhost:19026
+atlas.kafka.bootstrap.servers=localhost:19027
+atlas.kafka.data=${sys:atlas.data}/kafka
+atlas.kafka.zookeeper.session.timeout.ms=4000
+atlas.kafka.zookeeper.sync.time.ms=20
+atlas.kafka.consumer.timeout.ms=4000
+atlas.kafka.auto.commit.interval.ms=100
+atlas.kafka.hook.group.id=atlas
+atlas.kafka.entities.group.id=atlas_entities
+#atlas.kafka.auto.commit.enable=false
+
+atlas.kafka.enable.auto.commit=false
+atlas.kafka.auto.offset.reset=earliest
+atlas.kafka.session.timeout.ms=30000
+
+
+
+######### Entity Audit Configs #########
+atlas.audit.hbase.tablename=ATLAS_ENTITY_AUDIT_EVENTS
+atlas.audit.zookeeper.session.timeout.ms=1000
+atlas.audit.hbase.zookeeper.quorum=localhost
+atlas.audit.hbase.zookeeper.property.clientPort=19026
+
+######### Security Properties #########
+
+# SSL config
+atlas.enableTLS=false
+atlas.server.https.port=31443
+
+######### Security Properties #########
+
+hbase.security.authentication=simple
+
+atlas.hook.falcon.synchronous=true
+
+######### JAAS Configuration ########
+
+atlas.jaas.KafkaClient.loginModuleName = com.sun.security.auth.module.Krb5LoginModule
+atlas.jaas.KafkaClient.loginModuleControlFlag = required
+atlas.jaas.KafkaClient.option.useKeyTab = true
+atlas.jaas.KafkaClient.option.storeKey = true
+atlas.jaas.KafkaClient.option.serviceName = kafka
+atlas.jaas.KafkaClient.option.keyTab = /etc/security/keytabs/atlas.service.keytab
+atlas.jaas.KafkaClient.option.principal = atlas/_HOST@EXAMPLE.COM
+
+######### High Availability Configuration ########
+atlas.server.ha.enabled=false
+#atlas.server.ids=id1
+#atlas.server.address.id1=localhost:21000
+
+######### Atlas Authorization #########
+#atlas.authorizer.impl=none
+atlas.authorizer.impl=simple
+# atlas.authorizer.simple.authz.policy.file=atlas-simple-authz-policy.json
+
+######### Atlas Authentication #########
+atlas.authentication.method.file=true
+atlas.authentication.method.ldap.type=none
+atlas.authentication.method.kerberos=false
+# atlas.authentication.method.file.filename=users-credentials.properties
+
+######### Gremlin Search Configuration #########
+# Set to false to disable gremlin search.
+atlas.search.gremlin.enable=true
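Review bot: This fixture is a near-copy of the server test configuration, but `AtlasSimpleAuthorizerTest` only needs the `atlas.authorizer.*` keys; the HBase, Kafka and `atlas.jaas.KafkaClient.*` keytab/principal entries add nothing for the authorization module and could be trimmed to the `######### Atlas Authorization #########` block so the test setup is self-describing. The policy-file property is left commented out (`# atlas.authorizer.simple.authz.policy.file=atlas-simple-authz-policy.json`), so the test silently depends on a default filename defined elsewhere; setting it explicitly here makes the dependency on the sibling JSON fixture visible.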
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/test/resources/atlas-simple-authz-policy.json
----------------------------------------------------------------------
diff --git a/authorization/src/test/resources/atlas-simple-authz-policy.json b/authorization/src/test/resources/atlas-simple-authz-policy.json
new file mode 100644
index 0000000..01104a8
--- /dev/null
+++ b/authorization/src/test/resources/atlas-simple-authz-policy.json
@@ -0,0 +1,61 @@
+{
+ "roles": {
+ "ROLE_ADMIN": {
+ "adminPermissions": [
+ {
+ "privileges": [ ".*" ]
+ }
+ ],
+
+ "entityPermissions": [
+ {
+ "privileges": [ ".*" ],
+ "entityTypes": [ ".*" ],
+ "entityIds": [ ".*" ],
+ "classifications": [ ".*" ]
+ }
+ ],
+
+ "typePermissions": [
+ {
+ "privileges": [ ".*" ],
+ "typeCategories": [ ".*" ],
+ "typeNames": [ ".*" ]
+ }
+ ]
+ },
+
+ "DATA_SCIENTIST": {
+ "entityPermissions": [
+ {
+ "privileges": [ "entity-read", "entity-read-classification" ],
+ "entityTypes": [ ".*" ],
+ "entityIds": [ ".*" ],
+ "classifications": [ ".*" ]
+ }
+ ]
+ },
+
+ "DATA_STEWARD": {
+ "entityPermissions": [
+ {
+ "privileges": [ "entity-read", "entity-create", "entity-update", "entity-read-classification", "entity-add-classification", "entity-update-classification", "entity-remove-classification" ],
+ "entityTypes": [ ".*" ],
+ "entityIds": [ ".*" ],
+ "classifications": [ ".*" ]
+ }
+ ]
+ }
+ },
+
+ "userRoles": {
+ "admin": [ "ROLE_ADMIN" ]
+ },
+
+ "groupRoles": {
+ "ROLE_ADMIN": [ "ROLE_ADMIN" ],
+ "hadoop": [ "DATA_STEWARD" ],
+ "DATA_STEWARD": [ "DATA_STEWARD" ],
+ "RANGER_TAG_SYNC": [ "DATA_SCIENTIST" ]
+ }
+}
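Review bot: Every role in this fixture grants `".*"` on `entityTypes`, `entityIds` and `classifications`, so no role can produce a restricted instance-level match and the tests driven by this file can only observe allow/deny at the role level. Adding one role with a narrow pattern (for example an `entityIds` entry that matches a single constructed guid) would let a test exercise the per-instance check this commit adds. The list entries are evidently regular expressions (`.*`) rather than globs; since this file is also the name of the shipped default, that convention deserves a mention in the distro documentation, as a `*` entry would match differently.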
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/distro/src/conf/atlas-application.properties
----------------------------------------------------------------------
diff --git a/distro/src/conf/atlas-application.properties b/distro/src/conf/atlas-application.properties
index 1f38705..355abf4 100755
--- a/distro/src/conf/atlas-application.properties
+++ b/distro/src/conf/atlas-application.properties
@@ -184,8 +184,9 @@ atlas.server.ha.enabled=false
-#########POLICY FILE PATH #########
-atlas.auth.policy.file=${sys:atlas.home}/conf/policy-store.txt
+######### Atlas Authorization #########
+atlas.authorizer.impl=simple
+atlas.authorizer.simple.authz.policy.file=atlas-simple-authz-policy.json
######### Type Cache Implementation ########
# A type cache class which implements
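Review bot: `atlas.authorizer.simple.authz.policy.file=atlas-simple-authz-policy.json` is a bare filename, whereas the line it replaces anchored the policy file at `${sys:atlas.home}/conf/`. As far as the `ApplicationProperties.getFileAsInputStream` hunk further down shows, an explicitly configured name is opened as `new File(fileName)` relative to the working directory, and the Atlas conf-directory lookup applies only when the property is unset, so a packaged install may miss the file in `conf/` and fall through to the class-loader resource. Either leave the property commented out (as the test resource does) so the conf-dir default applies, or write `atlas.authorizer.simple.authz.policy.file=${sys:atlas.home}/conf/atlas-simple-authz-policy.json`. The value of `atlas.authorizer.impl` also changes from `SIMPLE` to `simple`; worth confirming the lookup is case-insensitive so existing deployments carrying the old spelling keep working.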
@@ -193,9 +194,6 @@ atlas.auth.policy.file=${sys:atlas.home}/conf/policy-store.txt
# The default implementation is org.apache.atlas.typesystem.types.cache.DefaultTypeCache which is a local in-memory type cache.
#atlas.TypeCache.impl=
-#########authorizer impl class #########
-atlas.authorizer.impl=SIMPLE
-
######### Performance Configs #########
#atlas.graph.storage.lock.retries=10
#atlas.graph.storage.cache.db-cache-time=120000
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/intg/src/main/java/org/apache/atlas/ApplicationProperties.java
----------------------------------------------------------------------
diff --git a/intg/src/main/java/org/apache/atlas/ApplicationProperties.java b/intg/src/main/java/org/apache/atlas/ApplicationProperties.java
index 320563e..c79c549 100644
--- a/intg/src/main/java/org/apache/atlas/ApplicationProperties.java
+++ b/intg/src/main/java/org/apache/atlas/ApplicationProperties.java
@@ -174,57 +174,57 @@ public final class ApplicationProperties extends PropertiesConfiguration {
* @throws AtlasException if no file was found or if there was an error loading the file
*/
public static InputStream getFileAsInputStream(Configuration configuration, String propertyName, String defaultFileName) throws AtlasException {
- File fileToLoad = null;
- String fileName = configuration.getString(propertyName);
+ File fileToLoad = null;
+ String fileName = configuration.getString(propertyName);
+
if (fileName == null) {
if (defaultFileName == null) {
throw new AtlasException(propertyName + " property not set and no default value specified");
}
+
+ LOG.info("{} property not set; defaulting to {}", propertyName, defaultFileName);
+
fileName = defaultFileName;
+
String atlasConfDir = System.getProperty(ATLAS_CONFIGURATION_DIRECTORY_PROPERTY);
+
if (atlasConfDir != null) {
// Look for default filename in Atlas config directory
fileToLoad = new File(atlasConfDir, fileName);
- }
- else {
+ } else {
// Look for default filename under the working directory
fileToLoad = new File(fileName);
}
- if (LOG.isDebugEnabled()) {
- LOG.debug("{} property not set - defaulting to {}", propertyName, fileToLoad.getPath());
- }
- }
- else {
+ } else {
// Look for configured filename
fileToLoad = new File(fileName);
- if (LOG.isDebugEnabled()) {
- LOG.debug("Using {} property setting: {}", propertyName, fileToLoad.getPath());
- }
}
InputStream inStr = null;
+
if (fileToLoad.exists()) {
try {
+ LOG.info("Loading file {} from {}", fileName, fileToLoad.getPath());
+
inStr = new FileInputStream(fileToLoad);
} catch (FileNotFoundException e) {
throw new AtlasException("Error loading file " + fileName, e);
}
- if (LOG.isDebugEnabled()) {
- LOG.debug("Loaded file from : {}", fileToLoad.getPath());
- }
- }
- else {
+ } else {
// Look for file as class loader resource
inStr = Thread.currentThread().getContextClassLoader().getResourceAsStream(fileName);
+
if (inStr == null) {
String msg = fileName + " not found in file system or as class loader resource";
+
LOG.error(msg);
+
throw new AtlasException(msg);
}
- if (LOG.isDebugEnabled()) {
- LOG.debug("Loaded {} as resource from : {}", fileName, Thread.currentThread().getContextClassLoader().getResource(fileName).toString());
- }
+
+ LOG.info("Loaded {} as resource from {}", fileName, Thread.currentThread().getContextClassLoader().getResource(fileName).toString());
}
+
return inStr;
}
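Review bot: When a file name is explicitly configured but does not exist on disk, the `else` branch falls through to the class loader with only an INFO "Loaded ... as resource" line, so a mistyped or missing path for a security-sensitive file such as the authorization policy is indistinguishable from a deliberate classpath resource. Before the `getResourceAsStream` call, warn in the configured case: `if (configuration.getString(propertyName) != null) { LOG.warn("{} is set to {} but no such file exists; falling back to class loader resource", propertyName, fileToLoad.getPath()); }`. The configured-name branch also resolves a relative name against the working directory (`new File(fileName)`) while the default-name branch resolves against the Atlas conf directory, which the method's Javadoc (it starts before the hunk) should state explicitly. The final `getResource(fileName).toString()` can NPE if the resource is not found on the second lookup; the removed debug line had the same issue, but a null-guarded log argument is cheap.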
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/intg/src/main/java/org/apache/atlas/AtlasErrorCode.java
----------------------------------------------------------------------
diff --git a/intg/src/main/java/org/apache/atlas/AtlasErrorCode.java b/intg/src/main/java/org/apache/atlas/AtlasErrorCode.java
index f1d4536..6ac7786 100644
--- a/intg/src/main/java/org/apache/atlas/AtlasErrorCode.java
+++ b/intg/src/main/java/org/apache/atlas/AtlasErrorCode.java
@@ -126,6 +126,8 @@ public enum AtlasErrorCode {
CLASSIFICATION_DELETE_FROM_PROPAGATED_ENTITY(400, "ATLAS-400-00-06C", "Delete of classification {0} is not allowed from propagated entity"),
CLASSIFICATION_NOT_ASSOCIATED_WITH_ENTITY(400, "ATLAS-400-00-06D", "Classification {0} is not associated with entity"),
+ UNAUTHORIZED_ACCESS(403, "ATLAS-403-00-001", "{0} is not authorized to perform {1}"),
+
// All Not found enums go here
TYPE_NAME_NOT_FOUND(404, "ATLAS-404-00-001", "Given typename {0} was invalid"),
TYPE_GUID_NOT_FOUND(404, "ATLAS-404-00-002", "Given type guid {0} was invalid"),
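Review bot: `UNAUTHORIZED_ACCESS` is the first 403 code in the enum but is placed at the tail of the 400 group with no grouping marker, unlike the `// All Not found enums go here` and `// All data conflict errors go here` comments around it; add `// All authorization errors go here` above it so later 403 codes land in one place. Also worth checking at the call sites (not visible here) that the `{1}` argument does not embed entity GUIDs or other resource details the rejected caller should not learn, since this message is what that caller receives.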
@@ -142,6 +144,7 @@ public enum AtlasErrorCode {
RELATIONSHIPDEF_END_TYPE_NAME_NOT_FOUND(404, "ATLAS-404-00-00E", "RelationshipDef {0} endDef typename {0} cannot be found"),
RELATIONSHIP_ALREADY_DELETED(404, "ATLAS-404-00-00F", "Attempting to delete a relationship which is already deleted : {0}"),
INVALID_ENTITY_GUID_FOR_CLASSIFICATION_UPDATE(404, "ATLAS-404-00-010", "Updating entityGuid of classification is not allowed."),
+ INSTANCE_GUID_NOT_DATASET(404, "ATLAS-404-00-011", "Given instance guid {0} is not a dataset"),
// All data conflict errors go here
TYPE_ALREADY_EXISTS(409, "ATLAS-409-00-001", "Given type {0} already exists"),
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/intg/src/main/java/org/apache/atlas/model/instance/AtlasEntityHeader.java
----------------------------------------------------------------------
diff --git a/intg/src/main/java/org/apache/atlas/model/instance/AtlasEntityHeader.java b/intg/src/main/java/org/apache/atlas/model/instance/AtlasEntityHeader.java
index 340cd05..9db9200 100644
--- a/intg/src/main/java/org/apache/atlas/model/instance/AtlasEntityHeader.java
+++ b/intg/src/main/java/org/apache/atlas/model/instance/AtlasEntityHeader.java
@@ -23,6 +23,7 @@ import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.annotation.JsonSerialize;
import java.io.Serializable;
+import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
@@ -36,6 +37,7 @@ import org.apache.atlas.model.PList;
import org.apache.atlas.model.SearchFilter.SortType;
import org.apache.atlas.model.typedef.AtlasBaseTypeDef;
import org.apache.atlas.model.typedef.AtlasEntityDef;
+import org.apache.commons.collections.CollectionUtils;
import static com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility.NONE;
import static com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility.PUBLIC_ONLY;
@@ -98,6 +100,20 @@ public class AtlasEntityHeader extends AtlasStruct implements Serializable {
}
}
+ public AtlasEntityHeader(AtlasEntity entity){
+ super(entity.getTypeName(), entity.getAttributes());
+ setGuid(entity.getGuid());
+ setClassifications(entity.getClassifications());
+
+ if (CollectionUtils.isNotEmpty(entity.getClassifications())) {
+ this.classificationNames = new ArrayList<>(entity.getClassifications().size());
+
+ for (AtlasClassification classification : entity.getClassifications()) {
+ this.classificationNames.add(classification.getTypeName());
+ }
+ }
+ }
+
public String getGuid() {
return guid;
}
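Review bot: The new `AtlasEntityHeader(AtlasEntity entity)` constructor dereferences `entity` inside the `super(...)` call and so fails with a bare NullPointerException for a null argument; `java.util.Objects` is already imported, so `super(Objects.requireNonNull(entity, "entity").getTypeName(), entity.getAttributes());` gives a named failure. When the entity has no classifications, `classificationNames` is not assigned by this constructor, so code that uses the header's classification names for instance-level access checks (the commit title suggests this use) must tolerate a null list; either initialize it to an empty list in that case or add a Javadoc line stating that `classificationNames` is left unset when the entity carries no classifications. The brace spacing in `entity){` also differs from the rest of the file.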
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/intg/src/main/java/org/apache/atlas/type/AtlasClassificationType.java
----------------------------------------------------------------------
diff --git a/intg/src/main/java/org/apache/atlas/type/AtlasClassificationType.java b/intg/src/main/java/org/apache/atlas/type/AtlasClassificationType.java
index ae0c206..abacd78 100644
--- a/intg/src/main/java/org/apache/atlas/type/AtlasClassificationType.java
+++ b/intg/src/main/java/org/apache/atlas/type/AtlasClassificationType.java
@@ -45,6 +45,7 @@ public class AtlasClassificationType extends AtlasStructType {
private Set<String> subTypes = Collections.emptySet();
private Set<String> allSubTypes = Collections.emptySet();
private Set<String> typeAndAllSubTypes = Collections.emptySet();
+ private Set<String> typeAndAllSuperTypes = Collections.emptySet();
private String typeAndAllSubTypesQryStr = "";
// we need to store the entityTypes specified in our supertypes. i.e. our parent classificationDefs may specify more entityTypes
@@ -113,6 +114,10 @@ public class AtlasClassificationType extends AtlasStructType {
this.entityTypes = new HashSet<>(); // this will be populated in resolveReferencesPhase3()
this.typeAndAllSubTypes.add(this.getTypeName());
+
+ this.typeAndAllSuperTypes = new HashSet<>(this.allSuperTypes);
+ this.typeAndAllSuperTypes.add(this.getTypeName());
+ this.typeAndAllSuperTypes = Collections.unmodifiableSet(this.typeAndAllSuperTypes);
}
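Review bot: `typeAndAllSuperTypes` is copied from `allSuperTypes` at this point and then frozen with `Collections.unmodifiableSet`; the neighbouring comment says `entityTypes` is only populated in `resolveReferencesPhase3()`, so if `allSuperTypes` is likewise completed in a later resolve phase, this frozen snapshot will miss super types — confirm against where `allSuperTypes` is filled. The sibling `typeAndAllSubTypes` is mutated with `add` on the line above and left modifiable, so the two accessors give callers different guarantees. A comment such as `// snapshot of this type plus all super types; relies on allSuperTypes being fully resolved here` would make the ordering assumption explicit. The enclosing method starts before the hunk.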
@Override
@@ -241,6 +246,8 @@ public class AtlasClassificationType extends AtlasStructType {
public Set<String> getTypeAndAllSubTypes() { return typeAndAllSubTypes; }
+ public Set<String> getTypeAndAllSuperTypes() { return typeAndAllSuperTypes; }
+
public String getTypeQryStr() { return typeQryStr; }
public String getTypeAndAllSubTypesQryStr() {
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/intg/src/main/java/org/apache/atlas/utils/AtlasJson.java
----------------------------------------------------------------------
diff --git a/intg/src/main/java/org/apache/atlas/utils/AtlasJson.java b/intg/src/main/java/org/apache/atlas/utils/AtlasJson.java
index 9aacb2d..7d65bb6 100644
--- a/intg/src/main/java/org/apache/atlas/utils/AtlasJson.java
+++ b/intg/src/main/java/org/apache/atlas/utils/AtlasJson.java
@@ -46,6 +46,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.IOException;
+import java.io.InputStream;
import java.text.DateFormat;
import java.text.ParseException;
import java.text.SimpleDateFormat;
@@ -156,6 +157,20 @@ public class AtlasJson {
return ret;
}
+ public static <T> T fromJson(InputStream inputStream, Class<T> type) throws IOException {
+ T ret = null;
+
+ if (inputStream != null) {
+ ret = mapper.readValue(inputStream, type);
+
+ if (ret instanceof Struct) {
+ ((Struct) ret).normalize();
+ }
+ }
+
+ return ret;
+ }
+
public static String toV1Json(Object obj) {
return toJson(obj);
}
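Review bot: The new `fromJson(InputStream, Class)` has no Javadoc, and its contract differs from what the signature alone conveys: a null stream yields null rather than an error, parse failures surface as `IOException` (Jackson's parsing exceptions extend it), and `Struct` results are normalized in place. Whether `mapper` is configured to auto-close the source is not visible here, so the doc should also say who closes the stream. Proposed header: `/** Reads a JSON document from {@code inputStream} into {@code type}; returns null when the stream is null, normalizes {@link Struct} results, and propagates read/parse failures as IOException. Closing the stream is the caller's responsibility unless the mapper auto-closes it. */`.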
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/intg/src/test/resources/atlas-application.properties
----------------------------------------------------------------------
diff --git a/intg/src/test/resources/atlas-application.properties b/intg/src/test/resources/atlas-application.properties
index 373bf68..9015f89 100644
--- a/intg/src/test/resources/atlas-application.properties
+++ b/intg/src/test/resources/atlas-application.properties
@@ -133,14 +133,17 @@ atlas.server.ha.enabled=false
#atlas.server.ids=id1
#atlas.server.address.id1=localhost:21000
-#########POLICY FILE PATH #########
-# atlas.auth.policy.file=policy-store.txt
+######### Atlas Authorization #########
+atlas.authorizer.impl=none
+# atlas.authorizer.impl=simple
+# atlas.authorizer.simple.authz.policy.file=atlas-simple-authz-policy.json
+######### Atlas Authentication #########
atlas.authentication.method.file=true
atlas.authentication.method.ldap.type=none
-# atlas.authentication.method.file.filename=users-credentials.properties
atlas.authentication.method.kerberos=false
+# atlas.authentication.method.file.filename=users-credentials.properties
######### Gremlin Search Configuration #########
# Set to false to disable gremlin search.
-atlas.search.gremlin.enable=true
\ No newline at end of file
+atlas.search.gremlin.enable=true
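Review bot: `atlas.authorizer.impl=none` in this test resource presumably turns authorization off entirely (the `none` implementation is not visible here) while the corresponding distro config switches to `simple`, yet nothing marks it as test-only. A one-line comment such as `# none: authorization is not enforced -- test configuration only, never use in a deployment` would keep the value from being copied into a real `atlas-application.properties`.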
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/repository/pom.xml
----------------------------------------------------------------------
diff --git a/repository/pom.xml b/repository/pom.xml
index 87fe7fd..b1d6b1f 100755
--- a/repository/pom.xml
+++ b/repository/pom.xml
@@ -112,6 +112,12 @@
<type>pom</type>
<scope>test</scope>
</dependency>
+
+ <dependency>
+ <groupId>org.apache.atlas</groupId>
+ <artifactId>atlas-authorization</artifactId>
+ <version>${project.version}</version>
+ </dependency>
<dependency>
<groupId>org.apache.atlas</groupId>