---+++ Setting up Atlas to use Simple Authorizer
As detailed in [[Atlas-Authorization-Model][Atlas Authorization Model]], Apache Atlas supports a pluggable authorization
model. Simple authorizer is the default authorizer implementation included in Apache Atlas. It uses
policies defined in a JSON file. This document describes the steps to configure Apache Atlas to use the simple
authorizer and the format of the JSON file that holds the authorization policies.
---++++ Configure Apache Atlas
To configure Apache Atlas to use the simple authorizer, include the following properties in the application.properties config file:
<verbatim>
atlas.authorizer.impl=simple
atlas.authorizer.simple.authz.policy.file=/etc/atlas/conf/atlas-simple-authz-policy.json
</verbatim>
Please note that if the policy file location specified is not an absolute path, the file is looked up in the following locations:
* Apache Atlas configuration directory (specified by system property =atlas.conf=)
* Apache Atlas server's current directory
* CLASSPATH
---++++ Policy file format
Simple authorizer uses =roles= to group permissions; roles are then assigned to users and user-groups. The following examples
illustrate the details of the policy file format.
---+++++ Roles
The following policy file defines three roles:
* ROLE_ADMIN: has all permissions
* PROD_READ_ONLY: has access to read entities having qualifiedName ending with "@prod"
* TEST_ALL_ACCESS: has all access to entities having qualifiedName ending with "@test"
Simple authorizer accepts Java regular expressions as values for privileges, entity types, entity ids, classifications, type names and type categories.
<verbatim>
{
  "roles": {
    "ROLE_ADMIN": {
      "adminPermissions": [
        {
          "privileges": [ ".*" ]
        }
      ],
      "entityPermissions": [
        {
          "privileges": [ ".*" ],
          "entityTypes": [ ".*" ],
          "entityIds": [ ".*" ],
          "classifications": [ ".*" ]
        }
      ],
      "typePermissions": [
        {
          "privileges": [ ".*" ],
          "typeCategories": [ ".*" ],
          "typeNames": [ ".*" ]
        }
      ]
    },
    "PROD_READ_ONLY": {
      "entityPermissions": [
        {
          "privileges": [ "entity-read", "entity-read-classification" ],
          "entityTypes": [ ".*" ],
          "entityIds": [ ".*@prod" ],
          "classifications": [ ".*" ]
        }
      ]
    },
    "TEST_ALL_ACCESS": {
      "entityPermissions": [
        {
          "privileges": [ ".*" ],
          "entityTypes": [ ".*" ],
          "entityIds": [ ".*@test" ],
          "classifications": [ ".*" ]
        }
      ]
    }
  },
  "userRoles": {
    ...
  },
  "groupRoles": {
    ...
  }
}
</verbatim>
---+++++ Assign Roles to Users and User Groups
Roles defined above can be assigned (granted) to users as shown below:
<verbatim>
{
  "roles": {
    ...
  },
  "userRoles": {
    "admin": [ "ROLE_ADMIN" ],
    "steward": [ "DATA_STEWARD" ],
    "user1": [ "PROD_READ_ONLY" ],
    "user2": [ "TEST_ALL_ACCESS" ],
    "user3": [ "PROD_READ_ONLY", "TEST_ALL_ACCESS" ]
  },
  "groupRoles": {
    ...
  }
}
</verbatim>
Roles can be assigned (granted) to user-groups as shown below. A user can belong to multiple groups; the roles assigned to
all groups the user belongs to are used to authorize the access.
<verbatim>
{
  "roles": {
    ...
  },
  "userRoles": {
    ...
  },
  "groupRoles": {
    "admins": [ "ROLE_ADMIN" ],
    "dataStewards": [ "DATA_STEWARD" ],
    "testUsers": [ "TEST_ALL_ACCESS" ],
    "prodReadUsers": [ "PROD_READ_ONLY" ]
  }
}
</verbatim>
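As an added illustration of how the pieces above fit together (this is example code, not Apache Atlas's own authorizer), the following Python snippet loads a policy laid out like the examples on this page and answers an entity-access question: the user's effective roles are the union of its own roles and those of all its groups, and each list value is treated as a regular expression that must match the whole value. The policy content is constructed, and Python's `re.fullmatch` is assumed as a stand-in for Java's whole-input regex matching.

```python
import json
import re

# Constructed policy laid out like the examples above (not a file shipped with Atlas).
POLICY = json.loads("""{
  "roles": {
    "PROD_READ_ONLY": { "entityPermissions": [ {
      "privileges": [ "entity-read", "entity-read-classification" ],
      "entityTypes": [ ".*" ], "entityIds": [ ".*@prod" ], "classifications": [ ".*" ] } ] },
    "TEST_ALL_ACCESS": { "entityPermissions": [ {
      "privileges": [ ".*" ], "entityTypes": [ ".*" ],
      "entityIds": [ ".*@test" ], "classifications": [ ".*" ] } ] }
  },
  "userRoles": { "user1": [ "PROD_READ_ONLY" ] },
  "groupRoles": { "testUsers": [ "TEST_ALL_ACCESS" ] }
}""")


def _matches(patterns, value):
    # Each list entry is a regular expression that must match the whole value;
    # re.fullmatch stands in for Java's whole-input matching here (assumption).
    return any(re.fullmatch(p, value) for p in patterns)


def roles_for(policy, user, groups):
    # Roles granted directly to the user, plus those granted to every group
    # the user belongs to.
    roles = set(policy.get("userRoles", {}).get(user, []))
    for group in groups:
        roles.update(policy.get("groupRoles", {}).get(group, []))
    return roles


def is_entity_access_allowed(policy, user, groups, privilege, entity_type,
                             entity_id, classifications=()):
    # Allow if any entityPermissions rule of any held role matches the privilege,
    # the entity type, the entity id and every classification on the entity.
    # With no matching rule the answer is deny.
    for role in roles_for(policy, user, groups):
        for rule in policy.get("roles", {}).get(role, {}).get("entityPermissions", []):
            if (_matches(rule["privileges"], privilege)
                    and _matches(rule["entityTypes"], entity_type)
                    and _matches(rule["entityIds"], entity_id)
                    and all(_matches(rule["classifications"], c) for c in classifications)):
                return True
    return False
```

Note that a user absent from both userRoles and every groupRoles entry holds no roles and is denied everything, which is the safe default to verify when a policy file is edited.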