name: Atlas Simple Authorizer
route: /AtlasSimpleAuthorizer
menu: Documentation
submenu: Security
Atlas Simple Authorizer
Setting up Atlas to use Simple Authorizer
As detailed in Atlas Authorization Model, Apache Atlas supports a pluggable authorization model. The simple authorizer is the default authorizer implementation included in Apache Atlas; it reads its policies from a JSON file. This document describes the steps to configure Apache Atlas to use the simple authorizer and the format of the JSON file that contains the authorization policies.
Configure Apache Atlas
To configure Apache Atlas to use the simple authorizer, include the following properties in the application.properties config file:

```properties
atlas.authorizer.impl=simple
atlas.authorizer.simple.authz.policy.file=/etc/atlas/conf/atlas-simple-authz-policy.json
```
Note that if the policy file location specified is not an absolute path, the file is looked up in the following locations:
- Apache Atlas configuration directory (specified by the system property `atlas.conf`)
- Apache Atlas server's current directory
- CLASSPATH
Policy file format
The simple authorizer uses `roles` to group permissions; roles are then assigned to users and user-groups. The following examples illustrate the policy file format:
Roles
The following policy file defines 3 roles:
- ROLE_ADMIN: has all permissions
- PROD_READ_ONLY: can read entities whose qualifiedName ends with "@prod"
- TEST_ALL_ACCESS: has all access to entities whose qualifiedName ends with "@test"
The simple authorizer accepts Java regular expressions as values for privilege/entity-type/entity-id/classification/typeName/typeCategory.
```json
{
  "roles": {
    "ROLE_ADMIN": {
      "adminPermissions": [
        { "privileges": [ ".*" ] }
      ],
      "entityPermissions": [
        {
          "privileges": [ ".*" ],
          "entityTypes": [ ".*" ],
          "entityIds": [ ".*" ],
          "classifications": [ ".*" ]
        }
      ],
      "typePermissions": [
        {
          "privileges": [ ".*" ],
          "typeCategories": [ ".*" ],
          "typeNames": [ ".*" ]
        }
      ]
    },
    "PROD_READ_ONLY": {
      "entityPermissions": [
        {
          "privileges": [ "entity-read", "entity-read-classification" ],
          "entityTypes": [ ".*" ],
          "entityIds": [ ".*@prod" ],
          "classifications": [ ".*" ]
        }
      ]
    },
    "TEST_ALL_ACCESS": {
      "entityPermissions": [
        {
          "privileges": [ ".*" ],
          "entityTypes": [ ".*" ],
          "entityIds": [ ".*@test" ],
          "classifications": [ ".*" ]
        }
      ]
    }
  },
  "userRoles": { ... },
  "groupRoles": { ... }
}
```
Assign Roles to Users and User Groups
The roles defined above can be assigned (granted) to users as shown below:

```json
{
  "roles": {
    ...
  },
  "userRoles": {
    "admin": [ "ROLE_ADMIN" ],
    "steward": [ "DATA_STEWARD" ],
    "user1": [ "PROD_READ_ONLY" ],
    "user2": [ "TEST_ALL_ACCESS" ],
    "user3": [ "PROD_READ_ONLY", "TEST_ALL_ACCESS" ]
  },
  "groupRoles": {
    ...
  }
}
```
Roles can also be assigned (granted) to user-groups as shown below. A user can belong to multiple groups; the roles assigned to every group the user belongs to are used to authorize the access.

```json
{
  "roles": {
    ...
  },
  "userRoles": {
    ...
  },
  "groupRoles": {
    "admins": [ "ROLE_ADMIN" ],
    "dataStewards": [ "DATA_STEWARD" ],
    "testUsers": [ "TEST_ALL_ACCESS" ],
    "prodReadUsers": [ "PROD_READ_ONLY" ]
  }
}
```