Atlas-Authorization-Simple-Authorizer.twiki 3.62 KB
---+++ Setting up Atlas to use Simple Authorizer

As detailed in [[Atlas-Authorization-Model][Atlas Authorization Model]], Apache Atlas supports a pluggable authorization
model. Simple authorizer is the default authorizer implementation included in Apache Atlas. Simple authorizer uses
policies defined in a JSON file. This document describes how to configure Apache Atlas to use the simple
authorizer and the format of the JSON file that holds the authorization policies.


---++++  Configure Apache Atlas

To configure Apache Atlas to use the simple authorizer, include the following properties in the application.properties config file:

<verbatim>
atlas.authorizer.impl=simple
atlas.authorizer.simple.authz.policy.file=/etc/atlas/conf/atlas-simple-authz-policy.json
</verbatim>

Please note that if the policy file location specified is not an absolute path, the file will be looked up in the following locations, in order:
   * Apache Atlas configuration directory (specified by system property =atlas.conf=)
   * Apache Atlas server's current directory
   * CLASSPATH

The policy file is fully trusted by the authorizer: anyone who can modify it can grant themselves =ROLE_ADMIN=. Restrict write access to the file to the account Apache Atlas runs as, and prefer an absolute path so that a stray copy of the file earlier in the lookup order cannot be picked up instead of the intended one.

---++++  Policy file format

Simple authorizer uses =roles= to group permissions, which can then be assigned to users and user-groups. The following
examples illustrate the details of the policy file format:

---+++++  Roles
The following policy file defines three roles:
   * ROLE_ADMIN: has all permissions
   * PROD_READ_ONLY: has read access to entities having qualifiedName ending with "@prod"
   * TEST_ALL_ACCESS: has all access to entities having qualifiedName ending with "@test"

Simple authorizer supports Java regular expressions as values for privilege/entity-type/entity-id/classification/typeName/typeCategory. Note that a pattern such as =.*@prod= is only as tight as the regular expression itself: a typo or an over-broad pattern silently widens the grant, so keep patterns as specific as possible and review them as you would any other access-control rule.

<verbatim>
{
  "roles": {
    "ROLE_ADMIN": {
      "adminPermissions": [
        {
          "privileges": [ ".*" ]
        }
      ],

      "entityPermissions": [
        {
          "privileges":      [ ".*" ],
          "entityTypes":     [ ".*" ],
          "entityIds":       [ ".*" ],
          "classifications": [ ".*" ]
        }
      ],

      "typePermissions": [
        {
          "privileges":     [ ".*" ],
          "typeCategories": [ ".*" ],
          "typeNames":      [ ".*" ]
        }
      ]
    },

    "PROD_READ_ONLY" : {
      "entityPermissions": [
        {
          "privileges":      [ "entity-read", "entity-read-classification" ],
          "entityTypes":     [ ".*" ],
          "entityIds":       [ ".*@prod" ],
          "classifications": [ ".*" ]
        }
      ]
    },

    "TEST_ALL_ACCESS" : {
      "entityPermissions": [
        {
          "privileges":      [ ".*" ],
          "entityTypes":     [ ".*" ],
          "entityIds":       [ ".*@test" ],
          "classifications": [ ".*" ]
        }
      ]
    }
  },

  "userRoles": {
   ...
  },

  "groupRoles": {
   ...
  }
}

</verbatim>

---+++++  Assign Roles to Users and User Groups

Roles defined in the =roles= section can be assigned (granted) to users as shown below. Every role name used here must be defined in =roles=; the example assumes a DATA_STEWARD role defined there in addition to the three roles shown earlier.

<verbatim>
{
  "roles": {
   ...
  },

  "userRoles": {
    "admin":   [ "ROLE_ADMIN" ],
    "steward": [ "DATA_STEWARD" ],
    "user1":   [ "PROD_READ_ONLY" ],
    "user2":   [ "TEST_ALL_ACCESS" ],
    "user3":   [ "PROD_READ_ONLY", "TEST_ALL_ACCESS" ]
  },

  "groupRoles": {
   ...
  }
}
</verbatim>

Roles can be assigned (granted) to user-groups as shown below. A user can belong to multiple groups; the roles assigned to
all groups the user belongs to, together with any roles assigned directly to the user, are combined when authorizing the access.

<verbatim>
{
  "roles": {
   ...
  },

  "userRoles": {
   ...
  },

  "groupRoles": {
    "admins":        [ "ROLE_ADMIN" ],
    "dataStewards":  [ "DATA_STEWARD" ],
    "testUsers":     [ "TEST_ALL_ACCESS" ],
    "prodReadUsers": [ "PROD_READ_ONLY" ]
  }
}
</verbatim>
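As an added example (not code from the Apache Atlas project), the following Python script parses a policy file in the format described on this page, flags roles that are granted in =userRoles= or =groupRoles= but never defined under =roles=, and evaluates an entity access request with the semantics described above: roles from =userRoles= and from every group in =groupRoles= are combined, and each pattern is a regular expression that must match the whole value, which is what makes =.*@prod= mean "ending with @prod". That whole-value matching, and the rule that an entity is allowed only if every one of its classifications matches the permission, are assumptions of this example; the real authorizer's matching code is not reproduced here. The policy text, user names and entity qualifiedNames are constructed for the example, and DATA_STEWARD is deliberately left undefined so the linter has something to report.

```python
import json
import re

# Constructed policy file for this example, modeled on the role definitions
# and role assignments shown on this page. "DATA_STEWARD" is deliberately
# granted but never defined so that lint_policy() reports it.
POLICY_JSON = r'''
{
  "roles": {
    "ROLE_ADMIN": {
      "adminPermissions":  [ { "privileges": [ ".*" ] } ],
      "entityPermissions": [ { "privileges": [ ".*" ], "entityTypes": [ ".*" ],
                               "entityIds": [ ".*" ], "classifications": [ ".*" ] } ],
      "typePermissions":   [ { "privileges": [ ".*" ], "typeCategories": [ ".*" ],
                               "typeNames": [ ".*" ] } ]
    },
    "PROD_READ_ONLY": {
      "entityPermissions": [ { "privileges": [ "entity-read", "entity-read-classification" ],
                               "entityTypes": [ ".*" ], "entityIds": [ ".*@prod" ],
                               "classifications": [ ".*" ] } ]
    },
    "TEST_ALL_ACCESS": {
      "entityPermissions": [ { "privileges": [ ".*" ], "entityTypes": [ ".*" ],
                               "entityIds": [ ".*@test" ], "classifications": [ ".*" ] } ]
    }
  },
  "userRoles":  { "admin": [ "ROLE_ADMIN" ], "user1": [ "PROD_READ_ONLY" ],
                  "user3": [ "PROD_READ_ONLY", "TEST_ALL_ACCESS" ] },
  "groupRoles": { "testUsers": [ "TEST_ALL_ACCESS" ], "dataStewards": [ "DATA_STEWARD" ] }
}
'''


def load_policy(text):
    """Parse the policy file; a trailing comma or a missing bracket fails here."""
    return json.loads(text)


def lint_policy(policy):
    """Return human-readable problems: principals granted a role that is not
    defined under "roles", and patterns that do not compile as regexes
    (checked with Python's re; the simple patterns used here are valid in both
    Python and Java)."""
    problems = []
    roles = policy.get("roles", {})
    for section in ("userRoles", "groupRoles"):
        for principal, granted in policy.get(section, {}).items():
            for role_name in granted:
                if role_name not in roles:
                    problems.append(f"{section}: {principal!r} is granted undefined role {role_name!r}")
    for role_name, role in roles.items():
        for perm_kind, perms in role.items():
            for perm in perms:
                for field, patterns in perm.items():
                    for pattern in patterns:
                        try:
                            re.compile(pattern)
                        except re.error as exc:
                            problems.append(f"role {role_name!r}: {perm_kind}.{field} pattern {pattern!r}: {exc}")
    return problems


def _matches(value, patterns):
    # Assumption of this example: a pattern must match the whole value
    # (fullmatch), so ".*@prod" matches "db.t@prod" but not "db.t@production".
    return any(re.fullmatch(p, value) for p in patterns)


def effective_roles(policy, user, groups):
    """Union of roles granted to the user directly and via each of its groups."""
    roles = set(policy.get("userRoles", {}).get(user, []))
    for group in groups:
        roles.update(policy.get("groupRoles", {}).get(group, []))
    return roles


def is_entity_access_allowed(policy, user, groups, privilege, entity_type,
                             entity_id, classifications=()):
    """Allow if any entityPermissions entry of any effective role matches the
    privilege, entity type, entity id and every classification on the entity.
    Roles that are granted but not defined contribute nothing."""
    for role_name in effective_roles(policy, user, groups):
        for perm in policy["roles"].get(role_name, {}).get("entityPermissions", []):
            if (_matches(privilege, perm["privileges"])
                    and _matches(entity_type, perm["entityTypes"])
                    and _matches(entity_id, perm["entityIds"])
                    and all(_matches(c, perm["classifications"]) for c in classifications)):
                return True
    return False


if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    for problem in lint_policy(policy):
        print("LINT:", problem)
    print(is_entity_access_allowed(policy, "user1", [], "entity-read", "hive_table", "db.t@prod"))
    print(is_entity_access_allowed(policy, "user1", [], "entity-read", "hive_table", "db.t@production"))
```

Running the linter against a candidate policy file before deploying it catches the two most common mistakes: a JSON syntax slip, which =json.loads= rejects outright, and a role name granted in =userRoles= or =groupRoles= that was never defined under =roles=, which otherwise turns into a silent denial for the affected principals. The access checks show the group union in action: =user1= holds only PROD_READ_ONLY directly, but as a member of =testUsers= gains full access to =@test= entities.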