You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@atlas.apache.org by ma...@apache.org on 2018/02/26 19:27:57 UTC
[4/4] atlas git commit: ATLAS-2459: Authorization enhancements to
support instance level access controls
ATLAS-2459: Authorization enhancements to support instance level access controls
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/atlas/repo
Commit: http://git-wip-us.apache.org/repos/asf/atlas/commit/afbc6975
Tree: http://git-wip-us.apache.org/repos/asf/atlas/tree/afbc6975
Diff: http://git-wip-us.apache.org/repos/asf/atlas/diff/afbc6975
Branch: refs/heads/master
Commit: afbc6975b3eb0ece492f26f508792cf363ad2211
Parents: be9b39b
Author: nixonrodrigues <ni...@apache.org>
Authored: Fri Feb 23 15:45:31 2018 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Mon Feb 26 10:37:47 2018 -0800
----------------------------------------------------------------------
.../test/resources/atlas-application.properties | 9 +-
.../test/resources/atlas-application.properties | 9 +-
.../test/resources/atlas-application.properties | 9 +-
.../test/resources/atlas-application.properties | 9 +-
.../test/resources/atlas-application.properties | 9 +-
authorization/pom.xml | 10 +
.../atlas/authorize/AtlasAccessRequest.java | 85 ++---
.../atlas/authorize/AtlasActionTypes.java | 22 --
.../authorize/AtlasAdminAccessRequest.java | 38 ++
.../authorize/AtlasAuthorizationUtils.java | 161 ++++++++
.../apache/atlas/authorize/AtlasAuthorizer.java | 34 +-
.../atlas/authorize/AtlasAuthorizerFactory.java | 52 +--
.../authorize/AtlasEntityAccessRequest.java | 146 +++++++
.../atlas/authorize/AtlasNoneAuthorizer.java | 47 +++
.../apache/atlas/authorize/AtlasPrivilege.java | 46 +++
.../atlas/authorize/AtlasResourceTypes.java | 23 --
.../atlas/authorize/AtlasTypeAccessRequest.java | 49 +++
.../simple/AtlasAuthorizationUtils.java | 182 ---------
.../authorize/simple/AtlasSimpleAuthorizer.java | 346 +++++++++++++++++
.../simple/AtlasSimpleAuthzPolicy.java | 255 +++++++++++++
.../atlas/authorize/simple/FileReaderUtil.java | 56 ---
.../atlas/authorize/simple/PolicyDef.java | 70 ----
.../atlas/authorize/simple/PolicyParser.java | 252 ------------
.../atlas/authorize/simple/PolicyUtil.java | 107 ------
.../authorize/simple/SimpleAtlasAuthorizer.java | 381 -------------------
.../resources/atlas-simple-authz-policy.json | 61 +++
.../simple/AtlasAuthorizationUtilsTest.java | 105 -----
.../simple/AtlasSimpleAuthorizerTest.java | 107 ++++++
.../authorize/simple/PolicyParserTest.java | 172 ---------
.../atlas/authorize/simple/PolicyUtilTest.java | 100 -----
.../simple/SimpleAtlasAuthorizerTest.java | 208 ----------
.../test/resources/atlas-application.properties | 149 ++++++++
.../resources/atlas-simple-authz-policy.json | 61 +++
distro/src/conf/atlas-application.properties | 8 +-
.../org/apache/atlas/ApplicationProperties.java | 40 +-
.../java/org/apache/atlas/AtlasErrorCode.java | 3 +
.../atlas/model/instance/AtlasEntityHeader.java | 16 +
.../atlas/type/AtlasClassificationType.java | 7 +
.../java/org/apache/atlas/utils/AtlasJson.java | 15 +
.../test/resources/atlas-application.properties | 11 +-
repository/pom.xml | 6 +
.../atlas/discovery/EntityLineageService.java | 45 +--
.../graph/v1/AtlasClassificationDefStoreV1.java | 24 +-
.../store/graph/v1/AtlasEntityDefStoreV1.java | 23 ++
.../store/graph/v1/AtlasEntityStoreV1.java | 297 +++++++++------
.../store/graph/v1/AtlasStructDefStoreV1.java | 23 +-
.../store/graph/v1/EntityGraphRetriever.java | 31 +-
.../util/AtlasRepositoryConfiguration.java | 42 +-
.../repository/impexp/ExportServiceTest.java | 2 +-
.../repository/impexp/ImportServiceTest.java | 2 +-
.../impexp/ZipFileResourceTestUtils.java | 2 +-
.../store/graph/AtlasTypeDefGraphStoreTest.java | 2 +-
.../store/graph/v1/AtlasEntityStoreV1Test.java | 4 +-
.../graph/v1/AtlasRelationshipStoreV1Test.java | 2 +-
.../graph/v1/InverseReferenceUpdateV1Test.java | 4 +-
.../java/org/apache/atlas/RequestContextV1.java | 18 +-
.../java/org/apache/atlas/aspect/Loggable.java | 29 --
.../java/org/apache/atlas/aspect/Monitored.java | 29 --
.../atlas/discovery/DiscoveryException.java | 74 ----
.../exception/SchemaNotFoundException.java | 40 --
.../atlas/exception/TraitNotFoundException.java | 45 ---
.../java/org/apache/atlas/metrics/Metrics.java | 68 ----
.../notification/NotificationHookConsumer.java | 91 +++--
.../web/filters/AtlasAuthenticationFilter.java | 5 +-
.../web/filters/AtlasAuthorizationFilter.java | 180 ---------
.../apache/atlas/web/filters/AuditFilter.java | 115 ++++--
.../atlas/web/resources/AdminResource.java | 26 +-
.../org/apache/atlas/web/rest/TypesREST.java | 2 +
.../atlas/web/security/AtlasSecurityConfig.java | 8 +-
.../apache/atlas/web/util/DateTimeHelper.java | 84 +---
webapp/src/main/resources/spring-security.xml | 5 +-
.../AtlasAuthenticationSimpleFilterIT.java | 18 -
.../atlas/web/resources/AdminResourceTest.java | 4 +-
.../test/resources/atlas-application.properties | 11 +-
.../src/test/resources/test-spring-security.xml | 3 -
75 files changed, 2168 insertions(+), 2666 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/addons/falcon-bridge/src/test/resources/atlas-application.properties
----------------------------------------------------------------------
diff --git a/addons/falcon-bridge/src/test/resources/atlas-application.properties b/addons/falcon-bridge/src/test/resources/atlas-application.properties
index 282127c..d1c3f71 100644
--- a/addons/falcon-bridge/src/test/resources/atlas-application.properties
+++ b/addons/falcon-bridge/src/test/resources/atlas-application.properties
@@ -115,10 +115,13 @@ atlas.server.ha.enabled=false
#atlas.server.ids=id1
#atlas.server.address.id1=localhost:21000
-#########POLICY FILE PATH #########
-# atlas.auth.policy.file=policy-store.txt
+######### Atlas Authorization #########
+atlas.authorizer.impl=none
+# atlas.authorizer.impl=simple
+# atlas.authorizer.simple.authz.policy.file=atlas-simple-authz-policy.json
+######### Atlas Authentication #########
atlas.authentication.method.file=true
atlas.authentication.method.ldap.type=none
+atlas.authentication.method.kerberos=false
# atlas.authentication.method.file.filename=users-credentials.properties
-atlas.authentication.method.kerberos=false
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/addons/hbase-bridge/src/test/resources/atlas-application.properties
----------------------------------------------------------------------
diff --git a/addons/hbase-bridge/src/test/resources/atlas-application.properties b/addons/hbase-bridge/src/test/resources/atlas-application.properties
index 282127c..d1c3f71 100644
--- a/addons/hbase-bridge/src/test/resources/atlas-application.properties
+++ b/addons/hbase-bridge/src/test/resources/atlas-application.properties
@@ -115,10 +115,13 @@ atlas.server.ha.enabled=false
#atlas.server.ids=id1
#atlas.server.address.id1=localhost:21000
-#########POLICY FILE PATH #########
-# atlas.auth.policy.file=policy-store.txt
+######### Atlas Authorization #########
+atlas.authorizer.impl=none
+# atlas.authorizer.impl=simple
+# atlas.authorizer.simple.authz.policy.file=atlas-simple-authz-policy.json
+######### Atlas Authentication #########
atlas.authentication.method.file=true
atlas.authentication.method.ldap.type=none
+atlas.authentication.method.kerberos=false
# atlas.authentication.method.file.filename=users-credentials.properties
-atlas.authentication.method.kerberos=false
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/addons/hive-bridge/src/test/resources/atlas-application.properties
----------------------------------------------------------------------
diff --git a/addons/hive-bridge/src/test/resources/atlas-application.properties b/addons/hive-bridge/src/test/resources/atlas-application.properties
index 282127c..d1c3f71 100644
--- a/addons/hive-bridge/src/test/resources/atlas-application.properties
+++ b/addons/hive-bridge/src/test/resources/atlas-application.properties
@@ -115,10 +115,13 @@ atlas.server.ha.enabled=false
#atlas.server.ids=id1
#atlas.server.address.id1=localhost:21000
-#########POLICY FILE PATH #########
-# atlas.auth.policy.file=policy-store.txt
+######### Atlas Authorization #########
+atlas.authorizer.impl=none
+# atlas.authorizer.impl=simple
+# atlas.authorizer.simple.authz.policy.file=atlas-simple-authz-policy.json
+######### Atlas Authentication #########
atlas.authentication.method.file=true
atlas.authentication.method.ldap.type=none
+atlas.authentication.method.kerberos=false
# atlas.authentication.method.file.filename=users-credentials.properties
-atlas.authentication.method.kerberos=false
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/addons/sqoop-bridge/src/test/resources/atlas-application.properties
----------------------------------------------------------------------
diff --git a/addons/sqoop-bridge/src/test/resources/atlas-application.properties b/addons/sqoop-bridge/src/test/resources/atlas-application.properties
index 282127c..d1c3f71 100644
--- a/addons/sqoop-bridge/src/test/resources/atlas-application.properties
+++ b/addons/sqoop-bridge/src/test/resources/atlas-application.properties
@@ -115,10 +115,13 @@ atlas.server.ha.enabled=false
#atlas.server.ids=id1
#atlas.server.address.id1=localhost:21000
-#########POLICY FILE PATH #########
-# atlas.auth.policy.file=policy-store.txt
+######### Atlas Authorization #########
+atlas.authorizer.impl=none
+# atlas.authorizer.impl=simple
+# atlas.authorizer.simple.authz.policy.file=atlas-simple-authz-policy.json
+######### Atlas Authentication #########
atlas.authentication.method.file=true
atlas.authentication.method.ldap.type=none
+atlas.authentication.method.kerberos=false
# atlas.authentication.method.file.filename=users-credentials.properties
-atlas.authentication.method.kerberos=false
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/addons/storm-bridge/src/test/resources/atlas-application.properties
----------------------------------------------------------------------
diff --git a/addons/storm-bridge/src/test/resources/atlas-application.properties b/addons/storm-bridge/src/test/resources/atlas-application.properties
index f46477a..6e9042a 100644
--- a/addons/storm-bridge/src/test/resources/atlas-application.properties
+++ b/addons/storm-bridge/src/test/resources/atlas-application.properties
@@ -117,10 +117,13 @@ atlas.server.ha.enabled=false
#atlas.server.ids=id1
#atlas.server.address.id1=localhost:21000
-#########POLICY FILE PATH #########
-# atlas.auth.policy.file=policy-store.txt
+######### Atlas Authorization #########
+atlas.authorizer.impl=none
+# atlas.authorizer.impl=simple
+# atlas.authorizer.simple.authz.policy.file=atlas-simple-authz-policy.json
+######### Atlas Authentication #########
atlas.authentication.method.file=true
atlas.authentication.method.ldap.type=none
+atlas.authentication.method.kerberos=false
# atlas.authentication.method.file.filename=users-credentials.properties
-atlas.authentication.method.kerberos=false
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/pom.xml
----------------------------------------------------------------------
diff --git a/authorization/pom.xml b/authorization/pom.xml
index f210a2f..92be82e 100644
--- a/authorization/pom.xml
+++ b/authorization/pom.xml
@@ -36,10 +36,20 @@
</dependency>
<dependency>
+ <groupId>org.apache.atlas</groupId>
+ <artifactId>atlas-intg</artifactId>
+ </dependency>
+
+ <dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>${javax.servlet.version}</version>
</dependency>
+
+ <dependency>
+ <groupId>org.springframework.security</groupId>
+ <artifactId>spring-security-core</artifactId>
+ </dependency>
<dependency>
<groupId>com.google.guava</groupId>
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
index 07cb2b0..4ae9510 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
@@ -17,94 +17,57 @@
*/
package org.apache.atlas.authorize;
-import org.apache.atlas.authorize.simple.AtlasAuthorizationUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.servlet.http.HttpServletRequest;
import java.util.Date;
import java.util.Set;
public class AtlasAccessRequest {
-
private static Logger LOG = LoggerFactory.getLogger(AtlasAccessRequest.class);
- private static boolean isDebugEnabled = LOG.isDebugEnabled();
- private Set<AtlasResourceTypes> resourceType = null;
- private String resource = null;
- private AtlasActionTypes action = null;
- private String user = null;
- private Set<String> userGroups = null;
- private Date accessTime = null;
- private String clientIPAddress = null;
-
- public AtlasAccessRequest(HttpServletRequest request, String user, Set<String> userGroups) {
- // Spring Security 4 Change => request.getServletPath() -> request.getPathInfo()
- this(AtlasAuthorizationUtils.getAtlasResourceType(request.getPathInfo()), "*", AtlasAuthorizationUtils
- .getAtlasAction(request.getMethod(),request.getPathInfo()), user, userGroups,AtlasAuthorizationUtils.getRequestIpAddress(request));
- }
- public AtlasAccessRequest(Set<AtlasResourceTypes> resourceType, String resource, AtlasActionTypes action,
- String user, Set<String> userGroups, String clientIPAddress) {
- if (isDebugEnabled) {
- LOG.debug("==> AtlasAccessRequestImpl-- Initializing AtlasAccessRequest");
- }
- setResource(resource);
- setAction(action);
- setUser(user);
- setUserGroups(userGroups);
- setResourceType(resourceType);
-
- // set remaining fields to default value
- setAccessTime(null);
- setClientIPAddress(clientIPAddress);
- }
+ private final AtlasPrivilege action;
+ private final Date accessTime;
+ private String user = null;
+ private Set<String> userGroups = null;
+ private String clientIPAddress = null;
- public Set<AtlasResourceTypes> getResourceTypes() {
- return resourceType;
- }
- public void setResourceType(Set<AtlasResourceTypes> resourceType) {
- this.resourceType = resourceType;
+ protected AtlasAccessRequest(AtlasPrivilege action) {
+ this(action, null, null, new Date(), null);
}
- public String getResource() {
- return resource;
+ protected AtlasAccessRequest(AtlasPrivilege action, String user, Set<String> userGroups) {
+ this(action, user, userGroups, new Date(), null);
}
- public void setResource(String resource) {
- this.resource = resource;
+ protected AtlasAccessRequest(AtlasPrivilege action, String user, Set<String> userGroups, Date accessTime, String clientIPAddress) {
+ this.action = action;
+ this.user = user;
+ this.userGroups = userGroups;
+ this.accessTime = accessTime;
+ this.clientIPAddress = clientIPAddress;
}
- public AtlasActionTypes getAction() {
+ public AtlasPrivilege getAction() {
return action;
}
- public void setAction(AtlasActionTypes action) {
- this.action = action;
+ public Date getAccessTime() {
+ return accessTime;
}
public String getUser() {
return user;
}
- public void setUser(String user) {
- this.user = user;
- }
-
- public void setUserGroups(Set<String> userGroups) {
- this.userGroups = userGroups;
- }
-
public Set<String> getUserGroups() {
return userGroups;
}
- public Date getAccessTime() {
- return accessTime;
- }
-
- public void setAccessTime(Date accessTime) {
- this.accessTime = accessTime;
+ public void setUser(String user, Set<String> userGroups) {
+ this.user = user;
+ this.userGroups = userGroups;
}
public String getClientIPAddress() {
@@ -117,9 +80,7 @@ public class AtlasAccessRequest {
@Override
public String toString() {
- return "AtlasAccessRequest [resourceType=" + resourceType + ", resource=" + resource + ", action=" + action
- + ", user=" + user + ", userGroups=" + userGroups + ", accessTime=" + accessTime + ", clientIPAddress="
- + clientIPAddress + "]";
+ return "AtlasAccessRequest[action=" + action + ", accessTime=" + accessTime + ", user=" + user +
+ ", userGroups=" + userGroups + ", clientIPAddress=" + clientIPAddress + "]";
}
-
}
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/AtlasActionTypes.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasActionTypes.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasActionTypes.java
deleted file mode 100644
index c5969db..0000000
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasActionTypes.java
+++ /dev/null
@@ -1,22 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.atlas.authorize;
-
-public enum AtlasActionTypes {
- READ, CREATE, UPDATE, DELETE
-}
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java
new file mode 100644
index 0000000..1782b32
--- /dev/null
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java
@@ -0,0 +1,38 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.atlas.authorize;
+
+
+import java.util.Set;
+
+public class AtlasAdminAccessRequest extends AtlasAccessRequest {
+
+ public AtlasAdminAccessRequest(AtlasPrivilege action) {
+ super(action);
+ }
+
+ public AtlasAdminAccessRequest(AtlasPrivilege action, String userName, Set<String> usergroups) {
+ super(action, userName, usergroups);
+ }
+
+ @Override
+ public String toString() {
+ return "AtlasAdminAccessRequest[action=" + getAction() + ", accessTime=" + getAccessTime() + ", user=" + getUser() +
+ ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() + "]";
+ }
+}
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java
new file mode 100644
index 0000000..8c57946
--- /dev/null
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java
@@ -0,0 +1,161 @@
+/**
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.atlas.authorize;
+
+import org.apache.atlas.AtlasErrorCode;
+import org.apache.atlas.exception.AtlasBaseException;
+import org.apache.commons.lang.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+import javax.servlet.http.HttpServletRequest;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.util.HashSet;
+import java.util.Set;
+
+
+public class AtlasAuthorizationUtils {
+ private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthorizationUtils.class);
+
+ public static void verifyAccess(AtlasAdminAccessRequest request, Object... errorMsgParams) throws AtlasBaseException {
+ if (! isAccessAllowed(request)) {
+ String message = (errorMsgParams != null && errorMsgParams.length > 0) ? StringUtils.join(errorMsgParams) : "";
+
+ throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, request.getUser(), message);
+ }
+ }
+
+ public static void verifyAccess(AtlasTypeAccessRequest request, Object... errorMsgParams) throws AtlasBaseException {
+ if (! isAccessAllowed(request)) {
+ String message = (errorMsgParams != null && errorMsgParams.length > 0) ? StringUtils.join(errorMsgParams) : "";
+
+ throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, request.getUser(), message);
+ }
+ }
+
+ public static void verifyAccess(AtlasEntityAccessRequest request, Object... errorMsgParams) throws AtlasBaseException {
+ if (! isAccessAllowed(request)) {
+ String message = (errorMsgParams != null && errorMsgParams.length > 0) ? StringUtils.join(errorMsgParams) : "";
+
+ throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, request.getUser(), message);
+ }
+ }
+
+ public static boolean isAccessAllowed(AtlasAdminAccessRequest request) {
+ boolean ret = false;
+ String userName = getCurrentUserName();
+
+ if (StringUtils.isNotEmpty(userName)) {
+ try {
+ AtlasAuthorizer authorizer = AtlasAuthorizerFactory.getAtlasAuthorizer();
+
+ request.setUser(userName, getCurrentUserGroups());
+
+ ret = authorizer.isAccessAllowed(request);
+ } catch (AtlasAuthorizationException e) {
+ LOG.error("Unable to obtain AtlasAuthorizer", e);
+ }
+ } else {
+ ret = true;
+ }
+
+ return ret;
+ }
+
+ public static boolean isAccessAllowed(AtlasEntityAccessRequest request) {
+ boolean ret = false;
+ String userName = getCurrentUserName();
+
+ if (StringUtils.isNotEmpty(userName)) {
+ try {
+ AtlasAuthorizer authorizer = AtlasAuthorizerFactory.getAtlasAuthorizer();
+
+ request.setUser(getCurrentUserName(), getCurrentUserGroups());
+
+ ret = authorizer.isAccessAllowed(request);
+ } catch (AtlasAuthorizationException e) {
+ LOG.error("Unable to obtain AtlasAuthorizer", e);
+ }
+ } else {
+ ret = true;
+ }
+
+ return ret;
+ }
+
+ public static boolean isAccessAllowed(AtlasTypeAccessRequest request) {
+ boolean ret = false;
+ String userName = getCurrentUserName();
+
+ if (StringUtils.isNotEmpty(userName)) {
+ try {
+ AtlasAuthorizer authorizer = AtlasAuthorizerFactory.getAtlasAuthorizer();
+
+ request.setUser(getCurrentUserName(), getCurrentUserGroups());
+
+ ret = authorizer.isAccessAllowed(request);
+ } catch (AtlasAuthorizationException e) {
+ LOG.error("Unable to obtain AtlasAuthorizer", e);
+ }
+ } else {
+ ret = true;
+ }
+
+ return ret;
+ }
+
+ public static String getRequestIpAddress(HttpServletRequest httpServletRequest) {
+ String ret = "";
+
+ try {
+ InetAddress inetAddr = InetAddress.getByName(httpServletRequest.getRemoteAddr());
+
+ ret = inetAddr.getHostAddress();
+ } catch (UnknownHostException ex) {
+ LOG.error("Failed to retrieve client IP address", ex);
+ }
+
+ return ret;
+ }
+
+ public static String getCurrentUserName() {
+ Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+
+ return auth != null ? auth.getName() : "";
+ }
+
+ public static Set<String> getCurrentUserGroups() {
+ Set<String> ret = new HashSet<>();
+
+ Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+
+ if (auth != null) {
+ for (GrantedAuthority c : auth.getAuthorities()) {
+ ret.add(c.getAuthority());
+ }
+ }
+
+ return ret;
+ }
+}
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java
index d64c692..285e0f6 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java
@@ -20,23 +20,39 @@ package org.apache.atlas.authorize;
public interface AtlasAuthorizer {
+ /**
+ * initialization of authorizer implementation
+ */
+ void init();
+ /**
+ * cleanup of authorizer implementation
+ */
+ void cleanUp();
/**
- * This method will load the policy file and would initialize the required data-structures.
+ * authorize admin operations
+ * @param request
+ * @return
+ * @throws AtlasAuthorizationException
*/
- void init();
+ boolean isAccessAllowed(AtlasAdminAccessRequest request) throws AtlasAuthorizationException;
/**
- * This method is responsible to perform the actual authorization for every REST API call. It will check if
- * user can perform action on resource.
+ * authorize operations on an entity
+ * @param request
+ * @return
+ * @throws AtlasAuthorizationException
*/
- boolean isAccessAllowed(AtlasAccessRequest request) throws AtlasAuthorizationException;
+ boolean isAccessAllowed(AtlasEntityAccessRequest request) throws AtlasAuthorizationException;
+
+
/**
- * This method is responsible to perform the cleanup and release activities. It must be called when you are done
- * with the Authorization activity and once it's called a restart would be required. Try to invoke this while
- * destroying the context.
+ * authorize operations on a type
+ * @param request
+ * @return
+ * @throws AtlasAuthorizationException
*/
- void cleanUp();
+ boolean isAccessAllowed(AtlasTypeAccessRequest request) throws AtlasAuthorizationException;
}
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java
index 9b7933e..72037ea 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java
@@ -20,65 +20,71 @@ package org.apache.atlas.authorize;
import org.apache.atlas.ApplicationProperties;
import org.apache.atlas.AtlasException;
+import org.apache.atlas.authorize.simple.AtlasSimpleAuthorizer;
import org.apache.commons.configuration.Configuration;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-public class AtlasAuthorizerFactory {
+public class AtlasAuthorizerFactory {
private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthorizerFactory.class);
- private static final String SIMPLE_AUTHORIZER = "org.apache.atlas.authorize.simple.SimpleAtlasAuthorizer";
- private static final String RANGER_AUTHORIZER =
- "org.apache.ranger.authorization.atlas.authorizer.RangerAtlasAuthorizer";
+
+ private static final String NONE_AUTHORIZER = AtlasNoneAuthorizer.class.getName();
+ private static final String SIMPLE_AUTHORIZER = AtlasSimpleAuthorizer.class.getName();
+ private static final String RANGER_AUTHORIZER = "org.apache.ranger.authorization.atlas.authorizer.RangerAtlasAuthorizer";
+
private static volatile AtlasAuthorizer INSTANCE = null;
- private static boolean isDebugEnabled = LOG.isDebugEnabled();
public static AtlasAuthorizer getAtlasAuthorizer() throws AtlasAuthorizationException {
- Configuration configuration = null;
- try {
- configuration = ApplicationProperties.get();
- } catch (AtlasException e) {
- if (LOG.isErrorEnabled()) {
- LOG.error("Exception while fetching configuration. ", e);
- }
- }
AtlasAuthorizer ret = INSTANCE;
if (ret == null) {
synchronized (AtlasAuthorizerFactory.class) {
if (INSTANCE == null) {
- String authorizerClass =
- configuration != null ? configuration.getString("atlas.authorizer.impl") : "SIMPLE";
+ Configuration configuration = null;
+
+ try {
+ configuration = ApplicationProperties.get();
+ } catch (AtlasException e) {
+ LOG.error("Exception while fetching configuration", e);
+ }
+
+ String authorizerClass = configuration != null ? configuration.getString("atlas.authorizer.impl") : "SIMPLE";
if (StringUtils.isNotEmpty(authorizerClass)) {
if (StringUtils.equalsIgnoreCase(authorizerClass, "SIMPLE")) {
authorizerClass = SIMPLE_AUTHORIZER;
} else if (StringUtils.equalsIgnoreCase(authorizerClass, "RANGER")) {
authorizerClass = RANGER_AUTHORIZER;
+ } else if (StringUtils.equalsIgnoreCase(authorizerClass, "NONE")) {
+ authorizerClass = NONE_AUTHORIZER;
}
} else {
authorizerClass = SIMPLE_AUTHORIZER;
}
- if (isDebugEnabled) {
- LOG.debug("Initializing Authorizer :: {}", authorizerClass);
- }
+ LOG.info("Initializing Authorizer {}", authorizerClass);
+
try {
Class authorizerMetaObject = Class.forName(authorizerClass);
+
if (authorizerMetaObject != null) {
INSTANCE = (AtlasAuthorizer) authorizerMetaObject.newInstance();
+
+ INSTANCE.init();
}
} catch (Exception e) {
- LOG.error("Error while creating authorizer of type '{}", authorizerClass, e);
- throw new AtlasAuthorizationException("Error while creating authorizer of type '"
- + authorizerClass + "'", e);
+ LOG.error("Error while creating authorizer of type {}", authorizerClass, e);
+
+ throw new AtlasAuthorizationException("Error while creating authorizer of type '" + authorizerClass + "'", e);
}
- ret = INSTANCE;
}
+
+ ret = INSTANCE;
}
}
+
return ret;
}
-
}
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java
new file mode 100644
index 0000000..e79b97c
--- /dev/null
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java
@@ -0,0 +1,146 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.atlas.authorize;
+
+import org.apache.atlas.model.instance.AtlasClassification;
+import org.apache.atlas.model.instance.AtlasEntityHeader;
+import org.apache.atlas.type.AtlasClassificationType;
+import org.apache.atlas.type.AtlasEntityType;
+import org.apache.atlas.type.AtlasTypeRegistry;
+import org.apache.commons.lang.StringUtils;
+
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+public class AtlasEntityAccessRequest extends AtlasAccessRequest {
+ private final AtlasEntityHeader entity;
+ private final String entityId;
+ private final AtlasClassification classification;
+ private final String attributeName;
+ private final AtlasTypeRegistry typeRegistry;
+ private final Set<String> entityClassifications;
+
+
+ public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action) {
+ this(typeRegistry, action, null, null, null, null, null);
+ }
+
+ public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, AtlasEntityHeader entity) {
+ this(typeRegistry, action, entity, null, null, null, null);
+ }
+
+ public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, AtlasEntityHeader entity, AtlasClassification classification) {
+ this(typeRegistry, action, entity, classification, null, null, null);
+ }
+
+ public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, AtlasEntityHeader entity, String attributeName) {
+ this(typeRegistry, action, entity, null, attributeName, null, null);
+ }
+
+ public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, AtlasEntityHeader entity, String userName, Set<String> userGroups) {
+ this(typeRegistry, action, entity, null, null, userName, userGroups);
+ }
+
+ public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, AtlasEntityHeader entity, AtlasClassification classification, String userName, Set<String> userGroups) {
+ this(typeRegistry, action, entity, classification, null, userName, userGroups);
+ }
+
+ public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, AtlasEntityHeader entity, String attributeName, String userName, Set<String> userGroups) {
+ this(typeRegistry, action, entity, null, attributeName, userName, userGroups);
+ }
+
+ public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, AtlasEntityHeader entity, AtlasClassification classification, String attributeName, String userName, Set<String> userGroups) {
+ super(action, userName, userGroups);
+
+ this.entity = entity;
+ this.entityId = entity != null ? (String) entity.getAttribute("qualifiedName") : null;
+ this.classification = classification;
+ this.attributeName = attributeName;
+ this.typeRegistry = typeRegistry;
+
+ if (entity == null || entity.getClassifications() == null) {
+ this.entityClassifications = Collections.emptySet();
+ } else {
+ this.entityClassifications = new HashSet<>();
+
+ for (AtlasClassification classify : entity.getClassifications()) {
+ this.entityClassifications.add(classify.getTypeName());
+ }
+ }
+ }
+
+ public AtlasEntityHeader getEntity() {
+ return entity;
+ }
+
+ public String getEntityId() {
+ return entityId;
+ }
+
+ public AtlasClassification getClassification() {
+ return classification;
+ }
+
+ public String getAttributeName() {
+ return attributeName;
+ }
+
+ public String getEntityType() {
+ return entity == null ? StringUtils.EMPTY : entity.getTypeName();
+ }
+
+ public Set<String> getEntityClassifications() {
+ return entityClassifications;
+ }
+
+ public Set<String> getEntityTypeAndAllSuperTypes() {
+ final Set<String> ret;
+
+ if (entity == null) {
+ ret = Collections.emptySet();
+ } else if (typeRegistry == null) {
+ ret = Collections.singleton(entity.getTypeName());
+ } else {
+ AtlasEntityType entityType = typeRegistry.getEntityTypeByName(entity.getTypeName());
+
+ ret = entityType != null ? entityType.getTypeAndAllSuperTypes() : Collections.singleton(entity.getTypeName());
+ }
+
+ return ret;
+ }
+
+ public Set<String> getClassificationTypeAndAllSuperTypes(String classificationName) {
+ if (typeRegistry != null && classificationName != null) {
+ AtlasClassificationType classificationType = typeRegistry.getClassificationTypeByName(classificationName);
+
+ return classificationType == null ? Collections.emptySet() : classificationType.getTypeAndAllSuperTypes();
+ }
+
+ return Collections.emptySet();
+ }
+
+ @Override
+ public String toString() {
+ return "AtlasEntityAccessRequest[entity=" + entity + ", classification=" + classification + ", attributeName" + attributeName +
+ ", action=" + getAction() + ", accessTime=" + getAccessTime() + ", user=" + getUser() +
+ ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() + "]";
+ }
+}
+
+
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/AtlasNoneAuthorizer.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasNoneAuthorizer.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasNoneAuthorizer.java
new file mode 100644
index 0000000..06ae600
--- /dev/null
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasNoneAuthorizer.java
@@ -0,0 +1,47 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.atlas.authorize;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+
+public class AtlasNoneAuthorizer implements AtlasAuthorizer {
+ private static final Logger LOG = LoggerFactory.getLogger(AtlasNoneAuthorizer.class);
+
+ public void init() {
+ LOG.info("AtlasNoneAuthorizer.init()");
+ }
+
+ public void cleanUp() {
+ LOG.info("AtlasNoneAuthorizer.cleanUp()");
+ }
+
+ public boolean isAccessAllowed(AtlasAdminAccessRequest request) throws AtlasAuthorizationException {
+ return true;
+ }
+
+ public boolean isAccessAllowed(AtlasEntityAccessRequest request) throws AtlasAuthorizationException {
+ return true;
+ }
+
+ public boolean isAccessAllowed(AtlasTypeAccessRequest request) throws AtlasAuthorizationException {
+ return true;
+ }
+}
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java
new file mode 100644
index 0000000..3cb7f65
--- /dev/null
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.atlas.authorize;
+
+public enum AtlasPrivilege {
+ TYPE_CREATE("type-create"),
+ TYPE_UPDATE("type-update"),
+ TYPE_DELETE("type-delete"),
+
+ ENTITY_READ("entity-read"),
+ ENTITY_CREATE("entity-create"),
+ ENTITY_UPDATE("entity-update"),
+ ENTITY_DELETE("entity-delete"),
+ ENTITY_READ_CLASSIFICATION("entity-read-classification"),
+ ENTITY_ADD_CLASSIFICATION("entity-add-classification"),
+ ENTITY_UPDATE_CLASSIFICATION("entity-update-classification"),
+ ENTITY_REMOVE_CLASSIFICATION("entity-remove-classification"),
+
+ ADMIN_EXPORT("admin-export"),
+ ADMIN_IMPORT("admin-import");
+
+ private final String type;
+
+ AtlasPrivilege(String actionType){
+ this.type = actionType;
+ }
+
+ public String getType() {
+ return type;
+ }
+}
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/AtlasResourceTypes.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasResourceTypes.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasResourceTypes.java
deleted file mode 100644
index 7e2808c..0000000
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasResourceTypes.java
+++ /dev/null
@@ -1,23 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.atlas.authorize;
-
-public enum AtlasResourceTypes {
- UNKNOWN, ENTITY, TYPE, OPERATION, RELATIONSHIP
-}
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java
new file mode 100644
index 0000000..af38425
--- /dev/null
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java
@@ -0,0 +1,49 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.atlas.authorize;
+
+import org.apache.atlas.model.typedef.AtlasBaseTypeDef;
+
+import java.util.Set;
+
+public class AtlasTypeAccessRequest extends AtlasAccessRequest {
+ private final AtlasBaseTypeDef typeDef;
+
+
+ public AtlasTypeAccessRequest(AtlasPrivilege action, AtlasBaseTypeDef typeDef) {
+ super(action);
+
+ this.typeDef = typeDef;
+ }
+
+ public AtlasTypeAccessRequest(AtlasPrivilege action, AtlasBaseTypeDef typeDef, String userName, Set<String> usergroups) {
+ super(action, userName, usergroups);
+
+ this.typeDef = typeDef;
+ }
+
+ public AtlasBaseTypeDef getTypeDef() {
+ return typeDef;
+ }
+
+ @Override
+ public String toString() {
+ return "AtlasEntityAccessRequest[typeDef=" + typeDef + ", action=" + getAction() + ", accessTime=" + getAccessTime() +
+ ", user=" + getUser() + ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() + "]";
+ }
+}
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java
deleted file mode 100644
index 5bc1941..0000000
--- a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java
+++ /dev/null
@@ -1,182 +0,0 @@
-/**
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.atlas.authorize.simple;
-
-import org.apache.atlas.authorize.AtlasAccessRequest;
-import org.apache.atlas.authorize.AtlasActionTypes;
-import org.apache.atlas.authorize.AtlasAuthorizationException;
-import org.apache.atlas.authorize.AtlasAuthorizer;
-import org.apache.atlas.authorize.AtlasAuthorizerFactory;
-import org.apache.atlas.authorize.AtlasResourceTypes;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.servlet.http.HttpServletRequest;
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-import java.util.HashSet;
-import java.util.Set;
-import java.util.regex.Pattern;
-
-public class AtlasAuthorizationUtils {
- private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthorizationUtils.class);
- private static boolean isDebugEnabled = LOG.isDebugEnabled();
- private static final String BASE_URL = "/api/atlas/";
-
- public static String getApi(String contextPath) {
- if (isDebugEnabled) {
- LOG.debug("==> getApi({})", contextPath);
- }
-
- if(contextPath == null){
- contextPath = "";
- }
-
- if (contextPath.startsWith(BASE_URL)) {
- contextPath = contextPath.substring(BASE_URL.length());
- } else {
- // strip of leading '/'
- if (contextPath.startsWith("/")) {
- contextPath = contextPath.substring(1);
- }
- }
- String[] split = contextPath.split("/", 3);
-
- String api = split[0];
- if (Pattern.matches("v\\d", api)) {
- api = split[1];
- }
-
- if (isDebugEnabled) {
- LOG.debug("<== getApi({}): {}", contextPath, api);
- }
-
- return api;
- }
-
- public static AtlasActionTypes getAtlasAction(String method, String contextPath) {
- AtlasActionTypes action = null;
-
- switch (method.toUpperCase()) {
- case "POST":
- String api = getApi(contextPath);
- if (api != null && api.startsWith("search")) { // exceptional case for basic search api with POST method
- action = AtlasActionTypes.READ;
- } else {
- action = AtlasActionTypes.CREATE;
- }
- break;
- case "GET":
- action = AtlasActionTypes.READ;
- break;
- case "PUT":
- action = AtlasActionTypes.UPDATE;
- break;
- case "DELETE":
- action = AtlasActionTypes.DELETE;
- break;
- default:
- if (isDebugEnabled) {
- LOG.debug("getAtlasAction(): Invalid HTTP method '{}", method);
- }
- break;
- }
-
- if (isDebugEnabled) {
- LOG.debug("<== AtlasAuthorizationFilter getAtlasAction HTTP Method {} mapped to AtlasAction : {}",
- method, action);
- }
- return action;
- }
-
- /**
- * @param contextPath
- * @return set of AtlasResourceTypes types api mapped with AtlasResourceTypes.TYPE eg :- /api/atlas/types/*
- *
- * gremlin discovery,admin,graph apis are mapped with AtlasResourceTypes.OPERATION eg :-/api/atlas/admin/*
- * /api/atlas/discovery/search/gremlin /api/atlas/graph/*
- *
- * entities,lineage and discovery apis are mapped with AtlasResourceTypes.ENTITY eg :- /api/atlas/lineage/hive/table/*
- * /api/atlas/entities/{guid}* /api/atlas/discovery/*
- *
- * unprotected types are mapped with AtlasResourceTypes.UNKNOWN, access to these are allowed.
- */
- public static Set<AtlasResourceTypes> getAtlasResourceType(String contextPath) {
- Set<AtlasResourceTypes> resourceTypes = new HashSet<>();
- if (isDebugEnabled) {
- LOG.debug("==> getAtlasResourceType for {}", contextPath);
- }
- String api = getApi(contextPath);
- if (api.startsWith("types")) {
- resourceTypes.add(AtlasResourceTypes.TYPE);
- } else if (api.startsWith("admin") && (contextPath.contains("/session") || contextPath.contains("/version"))) {
- resourceTypes.add(AtlasResourceTypes.UNKNOWN);
- } else if ((api.startsWith("discovery") && contextPath.contains("/gremlin")) || api.startsWith("admin")
- || api.startsWith("graph")) {
- resourceTypes.add(AtlasResourceTypes.OPERATION);
- } else if (api.startsWith("entities") || api.startsWith("lineage") ||
- api.startsWith("discovery") || api.startsWith("entity") || api.startsWith("search")) {
- resourceTypes.add(AtlasResourceTypes.ENTITY);
- } else if (api.startsWith("relationship")) {
- resourceTypes.add(AtlasResourceTypes.RELATIONSHIP);
- } else {
- LOG.error("Unable to find Atlas Resource corresponding to : {}\nSetting {}"
- , api, AtlasResourceTypes.UNKNOWN.name());
- resourceTypes.add(AtlasResourceTypes.UNKNOWN);
- }
-
- if (isDebugEnabled) {
- LOG.debug("<== Returning AtlasResources {} for api {}", resourceTypes, api);
- }
- return resourceTypes;
- }
-
- public static boolean isAccessAllowed(AtlasResourceTypes resourcetype, AtlasActionTypes actionType, String userName, Set<String> groups, HttpServletRequest request) {
- AtlasAuthorizer authorizer = null;
- boolean isaccessAllowed = false;
-
- Set<AtlasResourceTypes> resourceTypes = new HashSet<>();
- resourceTypes.add(resourcetype);
- AtlasAccessRequest atlasRequest = new AtlasAccessRequest(resourceTypes, "*", actionType, userName, groups, AtlasAuthorizationUtils.getRequestIpAddress(request));
- try {
- authorizer = AtlasAuthorizerFactory.getAtlasAuthorizer();
- if (authorizer != null) {
- isaccessAllowed = authorizer.isAccessAllowed(atlasRequest);
- }
- } catch (AtlasAuthorizationException e) {
- LOG.error("Unable to obtain AtlasAuthorizer. ", e);
- }
-
- return isaccessAllowed;
- }
-
- public static String getRequestIpAddress(HttpServletRequest httpServletRequest) {
- try {
- InetAddress inetAddr = InetAddress.getByName(httpServletRequest.getRemoteAddr());
-
- String ip = inetAddr.getHostAddress();
-
- return ip;
- } catch (UnknownHostException ex) {
- LOG.error("Error occured when retrieving IP address", ex);
- return "";
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java
new file mode 100644
index 0000000..fd58858
--- /dev/null
+++ b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java
@@ -0,0 +1,346 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.atlas.authorize.simple;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.atlas.ApplicationProperties;
+import org.apache.atlas.AtlasException;
+import org.apache.atlas.authorize.AtlasAdminAccessRequest;
+import org.apache.atlas.authorize.AtlasAuthorizer;
+import org.apache.atlas.authorize.AtlasAuthorizationException;
+import org.apache.atlas.authorize.AtlasEntityAccessRequest;
+import org.apache.atlas.authorize.AtlasTypeAccessRequest;
+import org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.*;
+import org.apache.atlas.utils.AtlasJson;
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+
+public final class AtlasSimpleAuthorizer implements AtlasAuthorizer {
+ private static final Logger LOG = LoggerFactory.getLogger(AtlasSimpleAuthorizer.class);
+
+ private final static String WILDCARD_ASTERISK = "*";
+
+ private AtlasSimpleAuthzPolicy authzPolicy;
+
+
+ public AtlasSimpleAuthorizer() {
+ }
+
+ @Override
+ public void init() {
+ LOG.info("==> SimpleAtlasAuthorizer.init()");
+
+ InputStream inputStream = null;
+
+ try {
+ inputStream = ApplicationProperties.getFileAsInputStream(ApplicationProperties.get(), "atlas.authorizer.simple.authz.policy.file", "atlas-simple-authz-policy.json");
+
+ authzPolicy = AtlasJson.fromJson(inputStream, AtlasSimpleAuthzPolicy.class);
+ } catch (IOException | AtlasException e) {
+ LOG.error("SimpleAtlasAuthorizer.init(): initialization failed", e);
+
+ throw new RuntimeException(e);
+ } finally {
+ if (inputStream != null) {
+ try {
+ inputStream.close();
+ } catch (IOException excp) {
+ // ignore
+ }
+ }
+ }
+
+ LOG.info("<== SimpleAtlasAuthorizer.init()");
+ }
+
+ @Override
+ public void cleanUp() {
+ LOG.info("==> SimpleAtlasAuthorizer.cleanUp()");
+
+ authzPolicy = null;
+
+ LOG.info("<== SimpleAtlasAuthorizer.cleanUp()");
+ }
+
+ @Override
+ public boolean isAccessAllowed(AtlasAdminAccessRequest request) throws AtlasAuthorizationException {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", request);
+ }
+
+ boolean ret = false;
+
+ Set<String> roles = getRoles(request.getUser(), request.getUserGroups());
+
+ for (String role : roles) {
+ List<AtlasAdminPermission> permissions = getAdminPermissionsForRole(role);
+
+ if (permissions != null) {
+ final String action = request.getAction() != null ? request.getAction().getType() : null;
+
+ for (AtlasAdminPermission permission : permissions) {
+ if (isMatch(action, permission.getPrivileges())) {
+ ret = true;
+
+ break;
+ }
+ }
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}", request, ret);
+ }
+
+ return ret;
+ }
+
+ @Override
+ public boolean isAccessAllowed(AtlasTypeAccessRequest request) throws AtlasAuthorizationException {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", request);
+ }
+
+ boolean ret = false;
+
+ Set<String> roles = getRoles(request.getUser(), request.getUserGroups());
+
+ for (String role : roles) {
+ List<AtlasTypePermission> permissions = getTypePermissionsForRole(role);
+
+ if (permissions != null) {
+ final String action = request.getAction() != null ? request.getAction().getType() : null;
+ final String typeCategory = request.getTypeDef() != null ? request.getTypeDef().getCategory().name() : null;
+ final String typeName = request.getTypeDef() != null ? request.getTypeDef().getName() : null;
+
+ for (AtlasTypePermission permission : permissions) {
+ if (isMatch(action, permission.getPrivileges()) &&
+ isMatch(typeCategory, permission.getTypeCategories()) &&
+ isMatch(typeName, permission.getTypeNames())) {
+ ret = true;
+
+ break;
+ }
+ }
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}", request, ret);
+ }
+
+ return ret;
+ }
+
+ @Override
+ public boolean isAccessAllowed(AtlasEntityAccessRequest request) throws AtlasAuthorizationException {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", request);
+ }
+
+ final String action = request.getAction() != null ? request.getAction().getType() : null;
+ final Set<String> entityTypes = request.getEntityTypeAndAllSuperTypes();
+ final String entityId = request.getEntityId();
+ final String classification = request.getClassification() != null ? request.getClassification().getTypeName() : null;
+ final String attribute = request.getAttributeName();
+ final Set<String> entClsToAuthz = new HashSet<>(request.getEntityClassifications());
+ final Set<String> roles = getRoles(request.getUser(), request.getUserGroups());
+ boolean hasEntityAccess = false;
+ boolean hasClassificationsAccess = false;
+
+ for (String role : roles) {
+ List<AtlasEntityPermission> permissions = getEntityPermissionsForRole(role);
+
+ if (permissions != null) {
+ for (AtlasEntityPermission permission : permissions) {
+ // match entity-type/entity-id/attribute
+ if (isMatchAny(entityTypes, permission.getEntityTypes()) && isMatch(entityId, permission.getEntityIds()) && isMatch(attribute, permission.getAttributes())) {
+ // match permission/classification
+ if (!hasEntityAccess) {
+ if (isMatch(action, permission.getPrivileges()) && isMatch(classification, permission.getClassifications())) {
+ hasEntityAccess = true;
+ }
+ }
+
+ // match entity-classifications
+ for (Iterator<String> iter = entClsToAuthz.iterator(); iter.hasNext();) {
+ String entityClassification = iter.next();
+
+ if (isMatchAny(request.getClassificationTypeAndAllSuperTypes(entityClassification), permission.getClassifications())) {
+ iter.remove();
+ }
+ }
+
+ hasClassificationsAccess = CollectionUtils.isEmpty(entClsToAuthz);
+
+ if (hasEntityAccess && hasClassificationsAccess) {
+ break;
+ }
+ }
+ }
+ }
+ }
+
+ boolean ret = hasEntityAccess && hasClassificationsAccess;
+
+ if (LOG.isDebugEnabled()) {
+ if (!ret) {
+ LOG.debug("hasEntityAccess={}; hasClassificationsAccess={}, classificationsWithNoAccess={}", hasEntityAccess, hasClassificationsAccess, entClsToAuthz);
+ }
+
+ LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}", request, ret);
+ }
+
+ return ret;
+ }
+
+
+ private Set<String> getRoles(String userName, Set<String> userGroups) {
+ Set<String> ret = new HashSet<>();
+
+ if (authzPolicy != null) {
+ if (userName != null && authzPolicy.getUserRoles() != null) {
+ List<String> userRoles = authzPolicy.getUserRoles().get(userName);
+
+ if (userRoles != null) {
+ ret.addAll(userRoles);
+ }
+ }
+
+ if (userGroups != null && authzPolicy.getGroupRoles() != null) {
+ for (String groupName : userGroups) {
+ List<String> groupRoles = authzPolicy.getGroupRoles().get(groupName);
+
+ if (groupRoles != null) {
+ ret.addAll(groupRoles);
+ }
+ }
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== getRoles({}, {}): {}", userName, userGroups, ret);
+ }
+
+ return ret;
+ }
+
+ private List<AtlasAdminPermission> getAdminPermissionsForRole(String roleName) {
+ List<AtlasAdminPermission> ret = null;
+
+ if (authzPolicy != null && roleName != null) {
+ AtlasAuthzRole role = authzPolicy.getRoles().get(roleName);
+
+ ret = role != null ? role.getAdminPermissions() : null;
+ }
+
+ return ret;
+ }
+
+ private List<AtlasTypePermission> getTypePermissionsForRole(String roleName) {
+ List<AtlasTypePermission> ret = null;
+
+ if (authzPolicy != null && roleName != null) {
+ AtlasAuthzRole role = authzPolicy.getRoles().get(roleName);
+
+ ret = role != null ? role.getTypePermissions() : null;
+ }
+
+ return ret;
+ }
+
+ private List<AtlasEntityPermission> getEntityPermissionsForRole(String roleName) {
+ List<AtlasEntityPermission> ret = null;
+
+ if (authzPolicy != null && roleName != null) {
+ AtlasAuthzRole role = authzPolicy.getRoles().get(roleName);
+
+ ret = role != null ? role.getEntityPermissions() : null;
+ }
+
+ return ret;
+ }
+
+ private boolean isMatch(String value, List<String> patterns) {
+ boolean ret = false;
+
+ if (value == null) {
+ ret = true;
+ } if (CollectionUtils.isNotEmpty(patterns)) {
+ for (String pattern : patterns) {
+ if (isMatch(value, pattern)) {
+ ret = true;
+
+ break;
+ }
+ }
+ }
+
+ if (!ret && LOG.isDebugEnabled()) {
+ LOG.debug("<== isMatch({}, {}): {}", value, patterns, ret);
+ }
+
+ return ret;
+ }
+
+ private boolean isMatchAny(Set<String> values, List<String> patterns) {
+ boolean ret = false;
+
+ if (CollectionUtils.isEmpty(values)) {
+ ret = true;
+ }if (CollectionUtils.isNotEmpty(patterns)) {
+ for (String value : values) {
+ if (isMatch(value, patterns)) {
+ ret = true;
+
+ break;
+ }
+ }
+ }
+
+ if (!ret && LOG.isDebugEnabled()) {
+ LOG.debug("<== isMatchAny({}, {}): {}", values, patterns, ret);
+ }
+
+ return ret;
+ }
+
+ private boolean isMatch(String value, String pattern) {
+ boolean ret;
+
+ if (value == null) {
+ ret = true;
+ } else {
+ ret = StringUtils.equalsIgnoreCase(value, pattern) || value.matches(pattern);
+ }
+
+ return ret;
+ }
+}
+
+
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzPolicy.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzPolicy.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzPolicy.java
new file mode 100644
index 0000000..e2a8b7f
--- /dev/null
+++ b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzPolicy.java
@@ -0,0 +1,255 @@
+/** Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.atlas.authorize.simple;
+
+import com.fasterxml.jackson.annotation.JsonAutoDetect;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlRootElement;
+import java.io.Serializable;
+import java.util.List;
+import java.util.Map;
+
+import static com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility.NONE;
+import static com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility.PUBLIC_ONLY;
+
+@JsonAutoDetect(getterVisibility=PUBLIC_ONLY, setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE)
+@JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown=true)
+@XmlRootElement
+@XmlAccessorType(XmlAccessType.PROPERTY)
+public class AtlasSimpleAuthzPolicy implements Serializable {
+ private static final long serialVersionUID = 1L;
+
+ private Map<String, AtlasAuthzRole> roles;
+ private Map<String, List<String>> userRoles;
+ private Map<String, List<String>> groupRoles;
+
+
+ public Map<String, AtlasAuthzRole> getRoles() {
+ return roles;
+ }
+
+ public void setRoles(Map<String, AtlasAuthzRole> roles) {
+ this.roles = roles;
+ }
+
+ public Map<String, List<String>> getUserRoles() {
+ return userRoles;
+ }
+
+ public void setUserRoles(Map<String, List<String>> userRoles) {
+ this.userRoles = userRoles;
+ }
+
+ public Map<String, List<String>> getGroupRoles() {
+ return groupRoles;
+ }
+
+ public void setGroupRoles(Map<String, List<String>> groupRoles) {
+ this.groupRoles = groupRoles;
+ }
+
+
+ @JsonAutoDetect(getterVisibility=PUBLIC_ONLY, setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE)
+ @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL)
+ @JsonIgnoreProperties(ignoreUnknown=true)
+ @XmlRootElement
+ @XmlAccessorType(XmlAccessType.PROPERTY)
+ public static class AtlasAuthzRole implements Serializable {
+ private static final long serialVersionUID = 1L;
+
+ private List<AtlasAdminPermission> adminPermissions;
+ private List<AtlasEntityPermission> entityPermissions;
+ private List<AtlasTypePermission> typePermissions;
+
+ public AtlasAuthzRole() {
+ }
+
+ public AtlasAuthzRole(List<AtlasAdminPermission> adminPermissions, List<AtlasEntityPermission> entityPermissions, List<AtlasTypePermission> typePermissions) {
+ this.adminPermissions = adminPermissions;
+ this.entityPermissions = entityPermissions;
+ this.typePermissions = typePermissions;
+ }
+
+ public List<AtlasAdminPermission> getAdminPermissions() {
+ return adminPermissions;
+ }
+
+ public void setAdminPermissions(List<AtlasAdminPermission> adminPermissions) {
+ this.adminPermissions = adminPermissions;
+ }
+
+ public List<AtlasEntityPermission> getEntityPermissions() {
+ return entityPermissions;
+ }
+
+ public void setEntityPermissions(List<AtlasEntityPermission> entityPermissions) {
+ this.entityPermissions = entityPermissions;
+ }
+
+ public List<AtlasTypePermission> getTypePermissions() {
+ return typePermissions;
+ }
+
+ public void setTypePermissions(List<AtlasTypePermission> typePermissions) {
+ this.typePermissions = typePermissions;
+ }
+ }
+
+ @JsonAutoDetect(getterVisibility=PUBLIC_ONLY, setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE)
+ @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL)
+ @JsonIgnoreProperties(ignoreUnknown=true)
+ @XmlRootElement
+ @XmlAccessorType(XmlAccessType.PROPERTY)
+ public static class AtlasAdminPermission implements Serializable {
+ private static final long serialVersionUID = 1L;
+
+ private List<String> privileges; // name of AtlasPrivilege enum, wildcards supported
+
+ public AtlasAdminPermission() {
+ }
+
+ public AtlasAdminPermission(List<String> privileges) {
+ this.privileges = privileges;
+ }
+
+ public List<String> getPrivileges() {
+ return privileges;
+ }
+
+ public void setPrivileges(List<String> privileges) {
+ this.privileges = privileges;
+ }
+ }
+
+ @JsonAutoDetect(getterVisibility=PUBLIC_ONLY, setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE)
+ @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL)
+ @JsonIgnoreProperties(ignoreUnknown=true)
+ @XmlRootElement
+ @XmlAccessorType(XmlAccessType.PROPERTY)
+ public static class AtlasTypePermission implements Serializable {
+ private static final long serialVersionUID = 1L;
+
+ private List<String> privileges; // name of AtlasPrivilege enum, wildcards supported
+ private List<String> typeCategories; // category of the type (entity, classification, struct, enum, relationship), wildcards supported
+ private List<String> typeNames; // name of type, wildcards supported
+
+ public AtlasTypePermission() {
+ }
+
+ public AtlasTypePermission(List<String> privileges, List<String> typeCategories, List<String> typeNames) {
+ this.privileges = privileges;
+ this.typeCategories = typeCategories;
+ this.typeNames = typeNames;
+ }
+
+ public List<String> getPrivileges() {
+ return privileges;
+ }
+
+ public void setPrivileges(List<String> privileges) {
+ this.privileges = privileges;
+ }
+
+ public List<String> getTypeCategories() {
+ return typeCategories;
+ }
+
+ public void setTypeCategories(List<String> typeCategories) {
+ this.typeCategories = typeCategories;
+ }
+
+ public List<String> getTypeNames() {
+ return typeNames;
+ }
+
+ public void setTypeNames(List<String> typeNames) {
+ this.typeNames = typeNames;
+ }
+ }
+
+ @JsonAutoDetect(getterVisibility=PUBLIC_ONLY, setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE)
+ @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL)
+ @JsonIgnoreProperties(ignoreUnknown=true)
+ @XmlRootElement
+ @XmlAccessorType(XmlAccessType.PROPERTY)
+ public static class AtlasEntityPermission implements Serializable {
+ private static final long serialVersionUID = 1L;
+
+ private List<String> privileges; // name of AtlasPrivilege enum, wildcards supported
+ private List<String> entityTypes; // name of entity-type, wildcards supported
+ private List<String> entityIds; // value of entity-unique attribute, wildcards supported
+ private List<String> classifications; // name of classification-type, wildcards supported
+ private List<String> attributes; // name of entity-attribute, wildcards supported
+
+ public AtlasEntityPermission() {
+ }
+
+ public AtlasEntityPermission(List<String> privileges, List<String> entityTypes, List<String> entityIds, List<String> classifications, List<String> attributes) {
+ this.privileges = privileges;
+ this.entityTypes = entityTypes;
+ this.entityIds = entityIds;
+ this.classifications = classifications;
+ this.attributes = attributes;
+ }
+
+ public List<String> getPrivileges() {
+ return privileges;
+ }
+
+ public void setPrivileges(List<String> privileges) {
+ this.privileges = privileges;
+ }
+
+ public List<String> getEntityTypes() {
+ return entityTypes;
+ }
+
+ public void setEntityTypes(List<String> entityTypes) {
+ this.entityTypes = entityTypes;
+ }
+
+ public List<String> getEntityIds() {
+ return entityIds;
+ }
+
+ public void setEntityIds(List<String> entityIds) {
+ this.entityIds = entityIds;
+ }
+
+ public List<String> getClassifications() {
+ return classifications;
+ }
+
+ public void setClassifications(List<String> classifications) {
+ this.classifications = classifications;
+ }
+
+ public List<String> getAttributes() {
+ return attributes;
+ }
+
+ public void setAttributes(List<String> attributes) {
+ this.attributes = attributes;
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/simple/FileReaderUtil.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/FileReaderUtil.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/FileReaderUtil.java
deleted file mode 100644
index 88bf56b..0000000
--- a/authorization/src/main/java/org/apache/atlas/authorize/simple/FileReaderUtil.java
+++ /dev/null
@@ -1,56 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.atlas.authorize.simple;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.nio.charset.StandardCharsets;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.regex.Pattern;
-
-import org.apache.commons.io.IOUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class FileReaderUtil {
- private static Logger LOG = LoggerFactory.getLogger(FileReaderUtil.class);
- private static boolean isDebugEnabled = LOG.isDebugEnabled();
-
- public static List<String> readFile(InputStream policyStoreStream) throws IOException {
- if (isDebugEnabled) {
- LOG.debug("==> FileReaderUtil readFile()");
- }
- List<String> list = new ArrayList<>();
- List<String> fileLines = IOUtils.readLines(policyStoreStream, StandardCharsets.UTF_8);
- if (fileLines != null) {
- for (String line : fileLines) {
- if ((!line.startsWith("#")) && Pattern.matches(".+;;.*;;.*;;.+", line))
- list.add(line);
- }
- }
-
- if (isDebugEnabled) {
- LOG.debug("<== FileReaderUtil readFile()");
- LOG.debug("Policies read :: " + list);
- }
-
- return list;
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyDef.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyDef.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyDef.java
deleted file mode 100644
index 6b2b8b3..0000000
--- a/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyDef.java
+++ /dev/null
@@ -1,70 +0,0 @@
-/** Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.atlas.authorize.simple;
-
-import java.util.List;
-import java.util.Map;
-
-import org.apache.atlas.authorize.AtlasActionTypes;
-import org.apache.atlas.authorize.AtlasResourceTypes;
-
-public class PolicyDef {
-
- private String policyName;
- private Map<String, List<AtlasActionTypes>> users;
- private Map<String, List<AtlasActionTypes>> groups;
- private Map<AtlasResourceTypes, List<String>> resources;
-
- public String getPolicyName() {
- return policyName;
- }
-
- public void setPolicyName(String policyName) {
- this.policyName = policyName;
- }
-
- public Map<String, List<AtlasActionTypes>> getUsers() {
- return users;
- }
-
- public void setUsers(Map<String, List<AtlasActionTypes>> users) {
- this.users = users;
- }
-
- public Map<String, List<AtlasActionTypes>> getGroups() {
- return groups;
- }
-
- public void setGroups(Map<String, List<AtlasActionTypes>> groups) {
- this.groups = groups;
- }
-
- public Map<AtlasResourceTypes, List<String>> getResources() {
- return resources;
- }
-
- public void setResources(Map<AtlasResourceTypes, List<String>> resources) {
- this.resources = resources;
- }
-
- @Override
- public String toString() {
- return "PolicyDef [policyName=" + policyName + ", users=" + users + ", groups=" + groups + ", resources="
- + resources + "]";
- }
-
-}