Commit 353ea964 by Shwetha GS

ATLAS-495 Atlas Ranger Authorization Plugin (nixonrodrigues via shwethags)

parent 19751c60
<?xml version="1.0"?>
<!--
~ Licensed to the Apache Software Foundation (ASF) under one
~ or more contributor license agreements. See the NOTICE file
~ distributed with this work for additional information
~ regarding copyright ownership. The ASF licenses this file
~ to you under the Apache License, Version 2.0 (the
~ "License"); you may not use this file except in compliance
~ with the License. You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"
xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.apache.atlas</groupId>
<artifactId>apache-atlas</artifactId>
<version>0.7-incubating-SNAPSHOT</version>
</parent>
<artifactId>atlas-authorization</artifactId>
<name>Apache Atlas Authorization</name>
<packaging>jar</packaging>
<dependencies>
<dependency>
<groupId>org.apache.atlas</groupId>
<artifactId>atlas-common</artifactId>
</dependency>
<dependency>
<groupId>org.apache.atlas</groupId>
<artifactId>atlas-client</artifactId>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>${javax.servlet.version}</version>
</dependency>
<dependency>
<groupId>org.testng</groupId>
<artifactId>testng</artifactId>
</dependency>
</dependencies>
</project>
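Review bot: The testng dependency at the end of the dependencies block carries no `<scope>test</scope>`, so unless the parent POM manages the scope it is compiled into atlas-authorization and exported as a runtime dependency to every module that depends on this jar. Adding `<scope>test</scope>` keeps the test framework off the runtime classpath. For the same reason javax.servlet-api is normally declared `<scope>provided</scope>`, since the servlet container supplies it at runtime.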
......@@ -18,8 +18,11 @@
package org.apache.atlas.authorize;
import java.util.Date;
import java.util.List;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.atlas.authorize.simple.AtlasAuthorizationUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
......@@ -27,18 +30,23 @@ public class AtlasAccessRequest {
private static Logger LOG = LoggerFactory.getLogger(AtlasAccessRequest.class);
private static boolean isDebugEnabled = LOG.isDebugEnabled();
private List<AtlasResourceTypes> resourceType = null;
private Set<AtlasResourceTypes> resourceType = null;
private String resource = null;
private AtlasActionTypes action = null;
private String user = null;
private List<String> userGroups = null;
private Set<String> userGroups = null;
private Date accessTime = null;
private String clientIPAddress = null;
public AtlasAccessRequest(List<AtlasResourceTypes> resourceType, String resource, AtlasActionTypes action,
String user, List<String> userGroups) {
public AtlasAccessRequest(HttpServletRequest request, String user, Set<String> userGroups) {
this(AtlasAuthorizationUtils.getAtlasResourceType(request.getServletPath()), "*", AtlasAuthorizationUtils
.getAtlasAction(request.getMethod()), user, userGroups);
}
public AtlasAccessRequest(Set<AtlasResourceTypes> resourceType, String resource, AtlasActionTypes action,
String user, Set<String> userGroups) {
if (isDebugEnabled) {
LOG.debug("<== AtlasAccessRequestImpl-- Initializing AtlasAccessRequest");
LOG.debug("==> AtlasAccessRequestImpl-- Initializing AtlasAccessRequest");
}
setResource(resource);
setAction(action);
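Review bot: The new `AtlasAccessRequest(HttpServletRequest, String, Set<String>)` constructor derives the resource type from `request.getServletPath()`; if the REST servlet is mapped on a prefix such as `/api/atlas/*`, the servlet path excludes the path-info part that `getAtlasResourceType` inspects, which would likely push every call into the UNKNOWN bucket that the new Javadoc describes as allowed — please confirm against the filter and servlet mappings, and consider building the path from `getRequestURI()` minus `getContextPath()` if so. The resource is fixed to `"*"` with no explanation; a comment such as `// resource-level authorization is not implemented yet; every request is matched against "*"` would stop readers from treating this as a bug. The class continues outside this hunk.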
......@@ -51,11 +59,11 @@ public class AtlasAccessRequest {
setClientIPAddress(null);
}
public List<AtlasResourceTypes> getResourceTypes() {
public Set<AtlasResourceTypes> getResourceTypes() {
return resourceType;
}
public void setResourceType(List<AtlasResourceTypes> resourceType) {
public void setResourceType(Set<AtlasResourceTypes> resourceType) {
this.resourceType = resourceType;
}
......@@ -83,11 +91,11 @@ public class AtlasAccessRequest {
this.user = user;
}
public void setUserGroups(List<String> userGroups) {
public void setUserGroups(Set<String> userGroups) {
this.userGroups = userGroups;
}
public List<String> getUserGroups() {
public Set<String> getUserGroups() {
return userGroups;
}
......@@ -18,5 +18,5 @@
package org.apache.atlas.authorize;
public enum AtlasActionTypes {
READ, WRITE, UPDATE, DELETE;
READ, CREATE, UPDATE, DELETE;
}
......@@ -21,10 +21,6 @@ package org.apache.atlas.authorize;
public class AtlasAuthorizationException extends Exception {
private static final long serialVersionUID = 1L;
public AtlasAuthorizationException() {
}
public AtlasAuthorizationException(String message) {
super(message);
}
......@@ -37,4 +33,8 @@ public class AtlasAuthorizationException extends Exception {
boolean writableStackTrace) {
super(message, exception, enableSuppression, writableStackTrace);
}
public AtlasAuthorizationException(AtlasAccessRequest request) {
super("Unauthorized Request : " + request);
}
}
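Review bot: The new `AtlasAuthorizationException(AtlasAccessRequest)` constructor builds its message by concatenating `request`, so the message is only informative if `AtlasAccessRequest` overrides `toString()`; none of the `AtlasAccessRequest` hunks in this commit show such an override, so please confirm it exists, otherwise the message is just a class name and identity hash. Whatever `toString()` does emit (user, groups, client IP) becomes part of this exception message, which is worth remembering if the message is ever written to an HTTP response rather than only to the log.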
......@@ -20,17 +20,16 @@ package org.apache.atlas.authorize;
public interface AtlasAuthorizer {
/**
* This method will load the policy file and would initialize the required data-structures.
*/
public void init();
/**
* This method is responsible to perform the actual authorization for every REST API call. It will check the if the
* user:u can perform action:a on resource:r.
*
* @param request
* @return
* This method is responsible to perform the actual authorization for every REST API call. It will check if
* user can perform action on resource.
*/
public boolean isAccessAllowed(AtlasAccessRequest request) throws AtlasAuthorizationException;
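Review bot: The reworked Javadoc on `isAccessAllowed` still does not say when an implementation should return `false` versus throw `AtlasAuthorizationException`, which is the one contract the filter and every authorizer must agree on. Restore the tags with real content: `@param request the access being checked (user, groups, action, resource types)`, `@return true if the user may perform the action on the resource, false otherwise`, and `@throws AtlasAuthorizationException if the request cannot be evaluated`, adjusted to whatever the intended contract is. The interface continues outside this hunk.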
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.authorize;
import org.apache.atlas.ApplicationProperties;
import org.apache.atlas.AtlasException;
import org.apache.commons.configuration.Configuration;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class AtlasAuthorizerFactory {
private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthorizerFactory.class);
private static final String SIMPLE_AUTHORIZER = "org.apache.atlas.authorize.simple.SimpleAtlasAuthorizer";
private static final String RANGER_AUTHORIZER =
"org.apache.ranger.authorization.atlas.authorizer.RangerAtlasAuthorizer";
private static volatile AtlasAuthorizer INSTANCE = null;
private static boolean isDebugEnabled = LOG.isDebugEnabled();
public static AtlasAuthorizer getAtlasAuthorizer() throws AtlasAuthorizationException {
Configuration configuration = null;
try {
configuration = ApplicationProperties.get();
} catch (AtlasException e) {
if (LOG.isErrorEnabled()) {
LOG.error("Exception while fetching configuration. ", e);
}
}
AtlasAuthorizer ret = INSTANCE;
if (ret == null) {
synchronized (AtlasAuthorizerFactory.class) {
if (INSTANCE == null) {
String authorizerClass =
configuration != null ? configuration.getString("atlas.authorizer.impl") : "SIMPLE";
if (StringUtils.isNotEmpty(authorizerClass)) {
if (StringUtils.equalsIgnoreCase(authorizerClass, "SIMPLE")) {
authorizerClass = SIMPLE_AUTHORIZER;
} else if (StringUtils.equalsIgnoreCase(authorizerClass, "RANGER")) {
authorizerClass = RANGER_AUTHORIZER;
}
} else {
authorizerClass = SIMPLE_AUTHORIZER;
}
if (isDebugEnabled) {
LOG.debug("Initializing Authorizer :: " + authorizerClass);
}
try {
Class authorizerMetaObject = Class.forName(authorizerClass);
if (authorizerMetaObject != null) {
INSTANCE = (AtlasAuthorizer) authorizerMetaObject.newInstance();
}
} catch (Exception e) {
LOG.error("Error while creating authorizer of type '" + authorizerClass + "'", e);
throw new AtlasAuthorizationException("Error while creating authorizer of type '"
+ authorizerClass + "'", e);
}
ret = INSTANCE;
}
}
}
return ret;
}
}
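Review bot: In `getAtlasAuthorizer`, a failure of `ApplicationProperties.get()` is only logged and `authorizerClass` then silently defaults to `"SIMPLE"`, so a deployment configured for `RANGER` whose configuration cannot be read would come up with the simple authorizer instead of refusing to start; for an authorization entry point, failing closed by throwing `AtlasAuthorizationException` with the cause is the safer choice. The configuration is also fetched on every call, before the fast-path `INSTANCE` check, although it is only needed for the one-time initialization, and `Class.forName` never returns null, so the `authorizerMetaObject != null` test is dead. The rewrite below moves the configuration lookup inside the synchronized block, turns the configuration failure into an exception, and uses `Class<?>` instead of the raw `Class`.
```java
public static AtlasAuthorizer getAtlasAuthorizer() throws AtlasAuthorizationException {
    AtlasAuthorizer ret = INSTANCE;
    if (ret == null) {
        synchronized (AtlasAuthorizerFactory.class) {
            if (INSTANCE == null) {
                Configuration configuration;
                try {
                    configuration = ApplicationProperties.get();
                } catch (AtlasException e) {
                    LOG.error("Exception while fetching configuration. ", e);
                    // fail closed: a broken configuration must not select a weaker authorizer
                    throw new AtlasAuthorizationException("Unable to load configuration for authorizer", e);
                }
                String authorizerClass = configuration.getString("atlas.authorizer.impl");
                // … unchanged: SIMPLE/RANGER alias resolution and debug log …
                try {
                    Class<?> authorizerMetaObject = Class.forName(authorizerClass);
                    INSTANCE = (AtlasAuthorizer) authorizerMetaObject.newInstance();
                } catch (Exception e) {
                    // … unchanged: error log and rethrow as AtlasAuthorizationException …
                }
                ret = INSTANCE;
            }
        }
    }
    return ret;
}
```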
......@@ -19,5 +19,5 @@
package org.apache.atlas.authorize;
public enum AtlasResourceTypes {
ENTITY, TYPE, OPERATION, TAXONOMY, TERM;
UNKNOWN, ENTITY, TYPE, OPERATION, TAXONOMY, TERM;
}
......@@ -16,50 +16,41 @@
* limitations under the License.
*/
package org.apache.atlas.authorize;
package org.apache.atlas.authorize.simple;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import java.util.HashSet;
import java.util.Set;
import org.apache.atlas.AtlasClient;
import org.apache.atlas.authorize.AtlasActionTypes;
import org.apache.atlas.authorize.AtlasResourceTypes;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.google.common.base.Strings;
public class AtlasAuthorizationUtils {
private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthorizationUtils.class);
private static boolean isDebugEnabled = LOG.isDebugEnabled();
private static final String BASE_URL = "/" + AtlasClient.BASE_URI;
public static String parse(String fullPath, String subPath) {
String api = null;
if (!Strings.isNullOrEmpty(fullPath)) {
api = fullPath.substring(subPath.length(), fullPath.length());
}
public static String getApi(String contextPath) {
if (isDebugEnabled) {
LOG.debug("Extracted " + api + " from path : " + fullPath);
LOG.debug("==> getApi from " + contextPath);
}
return api;
}
public static String getApi(String u) {
if (isDebugEnabled) {
LOG.debug("getApi <=== from " + u);
}
if (u.startsWith(BASE_URL)) {
u = parse(u, BASE_URL);
if (contextPath.startsWith(BASE_URL)) {
contextPath = contextPath.substring(BASE_URL.length());
} else {
// strip of leading '/'
u = u.substring(1);
if (contextPath.startsWith("/")) {
contextPath = contextPath.substring(1);
}
}
String[] split = u.split("/");
String[] split = contextPath.split("/", 3);
String api = split[0];
return (! api.equals("v1")) ? api : String.format("v1/%s", split[1]);
if (split.length > 1) {
return (!api.equals("v1")) ? api : String.format("v1/%s", split[1]);
} else {
return api;
}
}
public static AtlasActionTypes getAtlasAction(String method) {
......@@ -67,7 +58,7 @@ public class AtlasAuthorizationUtils {
switch (method.toUpperCase()) {
case "POST":
action = AtlasActionTypes.WRITE;
action = AtlasActionTypes.CREATE;
break;
case "GET":
action = AtlasActionTypes.READ;
......@@ -80,70 +71,61 @@ public class AtlasAuthorizationUtils {
break;
default:
if (isDebugEnabled) {
LOG.debug("Invalid HTTP method in request : " + method + " this is serious!!!");
LOG.debug("getAtlasAction(): Invalid HTTP method '" + method + "'");
}
break;
}
if (isDebugEnabled) {
LOG.debug("==> AtlasAuthorizationFilter getAtlasAction HTTP Method " + method + " mapped to AtlasAction : "
LOG.debug("<== AtlasAuthorizationFilter getAtlasAction HTTP Method " + method + " mapped to AtlasAction : "
+ action);
}
return action;
}
public static List<AtlasResourceTypes> getAtlasResourceType(String contextPath) throws ServletException {
List<AtlasResourceTypes> resourceTypes = new ArrayList<AtlasResourceTypes>();
/**
* @param contextPath
* @return set of AtlasResourceTypes types api mapped with AtlasResourceTypes.TYPE eg :- /api/atlas/types/*
*
* gremlin discovery,admin,graph apis are mapped with AtlasResourceTypes.OPERATION eg :-/api/atlas/admin/*
* /api/atlas/discovery/search/gremlin /api/atlas/graph/*
*
* entities,lineage and discovery apis are mapped with AtlasResourceTypes.ENTITY eg :- /api/atlas/lineage/hive/table/*
* /api/atlas/entities/{guid}* /api/atlas/discovery/*
*
* unprotected types are mapped with AtlasResourceTypes.UNKNOWN, access to these are allowed.
*/
public static Set<AtlasResourceTypes> getAtlasResourceType(String contextPath) {
Set<AtlasResourceTypes> resourceTypes = new HashSet<AtlasResourceTypes>();
if (isDebugEnabled) {
LOG.debug("getAtlasResourceType <=== for " + contextPath);
LOG.debug("==> getAtlasResourceType for " + contextPath);
}
String api = getApi(contextPath);
if (api.startsWith("types")) {
resourceTypes.add(AtlasResourceTypes.TYPE);
} else if ((api.startsWith("discovery") && contextPath.contains("gremlin")) || api.startsWith("admin")
} else if ((api.startsWith("discovery") && contextPath.contains("/gremlin")) || api.startsWith("admin")
|| api.startsWith("graph")) {
resourceTypes.add(AtlasResourceTypes.OPERATION);
} else if ((api.startsWith("entities") && contextPath.contains("traits")) || api.startsWith("discovery")) {
resourceTypes.add(AtlasResourceTypes.ENTITY);
resourceTypes.add(AtlasResourceTypes.TYPE);
} else if (api.startsWith("entities") || api.startsWith("lineage")) {
} else if (api.startsWith("entities") || api.startsWith("lineage") || api.startsWith("discovery")) {
resourceTypes.add(AtlasResourceTypes.ENTITY);
} else if (api.startsWith("v1/taxonomies")) {
resourceTypes.add(AtlasResourceTypes.TAXONOMY);
// taxonomies are modeled as entities
resourceTypes.add(AtlasResourceTypes.ENTITY);
if (contextPath.contains("terms")) {
if (contextPath.contains("/terms")) {
resourceTypes.add(AtlasResourceTypes.TERM);
// terms are modeled as traits
resourceTypes.add(AtlasResourceTypes.TYPE);
}
} else if (api.startsWith("v1/entities")) {
resourceTypes.add(AtlasResourceTypes.ENTITY);
if (contextPath.contains("tags")) {
// tags are modeled as traits
resourceTypes.add(AtlasResourceTypes.TYPE);
}
} else {
LOG.error("Unable to find Atlas Resource corresponding to : " + api);
throw new ServletException("Unable to find Atlas Resource corresponding to : " + api);
LOG.error("Unable to find Atlas Resource corresponding to : " + api + "\nSetting "
+ AtlasResourceTypes.UNKNOWN.name());
resourceTypes.add(AtlasResourceTypes.UNKNOWN);
}
if (isDebugEnabled) {
LOG.debug("Returning AtlasResources " + resourceTypes + " for api " + api);
LOG.debug("<== Returning AtlasResources " + resourceTypes + " for api " + api);
}
return resourceTypes;
}
/*
* This implementation will be changed for Resource level Authorization.
*/
public static String getAtlasResource(HttpServletRequest requeset, AtlasActionTypes action) {
if (isDebugEnabled) {
LOG.debug("getAtlasResource <=== "
+ "This implementation will be changed for Resource level Authorization.");
}
return "*";
}
}
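Review bot: The `else` branch of `getAtlasResourceType` replaces the former `ServletException` with `AtlasResourceTypes.UNKNOWN`, and the new Javadoc states that access to UNKNOWN resources is allowed, so any endpoint added later without an entry in this mapping is unprotected by default instead of being rejected. If the intent is to exempt only specific unprotected paths, list those explicitly and keep the unmatched case denied; at minimum log the full `contextPath` rather than `api`, which is a truncated prefix, so the gap is visible. The `LOG.error` in that branch also embeds a literal newline, splitting one event across two log lines; `LOG.error("Unable to find Atlas Resource corresponding to : " + api + "; setting " + AtlasResourceTypes.UNKNOWN.name());` keeps it on one line. With `parse` removed in the earlier hunk, the guava `Strings` import at the top of the file looks unused unless it is referenced further down the class, and the module pom declares no guava dependency of its own. The class continues outside this hunk.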
......@@ -16,11 +16,12 @@
* limitations under the License.
*/
package org.apache.atlas.util;
package org.apache.atlas.authorize.simple;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.nio.charset.Charset;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
......@@ -33,24 +34,23 @@ public class FileReaderUtil {
public static List<String> readFile(String path) throws IOException {
if (isDebugEnabled) {
LOG.debug("<== FileReaderUtil readFile");
LOG.debug("==> FileReaderUtil readFile");
}
LOG.info("reading the file" + path);
BufferedReader br = new BufferedReader(new FileReader(path));
List<String> list = new ArrayList<String>();
String line = null;
while ((line = br.readLine()) != null) {
if ((!line.startsWith("##")) && Pattern.matches(".+;;.*;;.*;;.+", line))
list.add(line);
LOG.info("reading the file" + path);
List<String> fileLines = Files.readAllLines(Paths.get(path), Charset.forName("UTF-8"));
if (fileLines != null) {
for (String line : fileLines) {
if ((!line.startsWith("##")) && Pattern.matches(".+;;.*;;.*;;.+", line))
list.add(line);
}
}
if (isDebugEnabled) {
LOG.debug("==> FileReaderUtil readFile");
LOG.debug("<== FileReaderUtil readFile");
LOG.debug("Policies read :: " + list);
}
if (br != null) {
br.close();
}
return list;
}
}
\ No newline at end of file
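Review bot: `Files.readAllLines` never returns null, so the `fileLines != null` check in `readFile` is dead code that suggests a case which cannot happen. The regex `.+;;.*;;.*;;.+` is recompiled by `Pattern.matches` for every line and belongs in a `private static final Pattern`, and `Charset.forName("UTF-8")` can be `StandardCharsets.UTF_8`. The info message is missing a separator: `LOG.info("reading the file " + path);`. The enclosing class starts outside this hunk.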
......@@ -14,11 +14,14 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.authorize;
package org.apache.atlas.authorize.simple;
import java.util.List;
import java.util.Map;
import org.apache.atlas.authorize.AtlasActionTypes;
import org.apache.atlas.authorize.AtlasResourceTypes;
public class PolicyDef {
private String policyName;
......@@ -15,7 +15,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.authorize;
package org.apache.atlas.authorize.simple;
import java.util.ArrayList;
import java.util.HashMap;
......@@ -23,9 +23,13 @@ import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import org.apache.atlas.authorize.AtlasActionTypes;
import org.apache.atlas.authorize.AtlasResourceTypes;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import scala.tools.jline.internal.Log;
public class PolicyParser {
private static Logger LOG = LoggerFactory.getLogger(PolicyParser.class);
......@@ -46,7 +50,7 @@ public class PolicyParser {
private List<AtlasActionTypes> getListOfAutorities(String auth) {
if (isDebugEnabled) {
LOG.debug("<== PolicyParser getListOfAutorities");
LOG.debug("==> PolicyParser getListOfAutorities");
}
List<AtlasActionTypes> authorities = new ArrayList<AtlasActionTypes>();
......@@ -57,7 +61,7 @@ public class PolicyParser {
authorities.add(AtlasActionTypes.READ);
break;
case 'w':
authorities.add(AtlasActionTypes.WRITE);
authorities.add(AtlasActionTypes.CREATE);
break;
case 'u':
authorities.add(AtlasActionTypes.UPDATE);
......@@ -68,28 +72,30 @@ public class PolicyParser {
default:
if (LOG.isErrorEnabled()) {
LOG.error("Invalid Action");
LOG.error("Invalid action: '" + access + "'");
}
break;
}
}
if (isDebugEnabled) {
LOG.debug("==> PolicyParser getListOfAutorities");
LOG.debug("<== PolicyParser getListOfAutorities");
}
return authorities;
}
public List<PolicyDef> parsePolicies(List<String> policies) {
if (isDebugEnabled) {
LOG.debug("<== PolicyParser parsePolicies");
LOG.debug("==> PolicyParser parsePolicies");
}
List<PolicyDef> policyDefs = new ArrayList<PolicyDef>();
for (String policy : policies) {
PolicyDef policyDef = parsePolicy(policy);
policyDefs.add(policyDef);
if (policyDef != null) {
policyDefs.add(policyDef);
}
}
if (isDebugEnabled) {
LOG.debug("==> PolicyParser parsePolicies");
LOG.debug("<== PolicyParser parsePolicies");
LOG.debug(policyDefs.toString());
}
return policyDefs;
......@@ -97,36 +103,42 @@ public class PolicyParser {
private PolicyDef parsePolicy(String data) {
if (isDebugEnabled) {
LOG.debug("<== PolicyParser parsePolicy");
LOG.debug("==> PolicyParser parsePolicy");
}
PolicyDef def = new PolicyDef();
PolicyDef def = null;
String[] props = data.split(";;");
def.setPolicyName(props[POLICYNAME]);
parseUsers(props[USER_INDEX], def);
parseGroups(props[GROUP_INDEX], def);
parseResources(props[RESOURCE_INDEX], def);
if (isDebugEnabled) {
LOG.debug("policy successfully parsed!!!");
LOG.debug("==> PolicyParser parsePolicy");
if (props.length < RESOURCE_INDEX) {
LOG.warn("skipping invalid policy line: " + data);
} else {
def = new PolicyDef();
def.setPolicyName(props[POLICYNAME]);
parseUsers(props[USER_INDEX], def);
parseGroups(props[GROUP_INDEX], def);
parseResources(props[RESOURCE_INDEX], def);
if (isDebugEnabled) {
LOG.debug("policy successfully parsed!!!");
LOG.debug("<== PolicyParser parsePolicy");
}
}
return def;
}
private boolean validateEntity(String entity) {
if (isDebugEnabled) {
LOG.debug("<== PolicyParser validateEntity");
LOG.debug("==> PolicyParser validateEntity");
}
boolean isValidEntity = Pattern.matches("(.+:.+)+", entity);
boolean isEmpty = entity.isEmpty();
if (isValidEntity == false || isEmpty == true) {
if (isDebugEnabled) {
LOG.debug("group/user/resource not properly define in Policy");
LOG.debug("==> PolicyParser validateEntity");
LOG.debug("<== PolicyParser validateEntity");
}
return false;
} else {
if (isDebugEnabled) {
LOG.debug("==> PolicyParser validateEntity");
LOG.debug("<== PolicyParser validateEntity");
}
return true;
}
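Review bot: The new guard in `parsePolicy` tests `props.length < RESOURCE_INDEX`, but the method then reads `props[RESOURCE_INDEX]`, so a line that splits into exactly `RESOURCE_INDEX` fields passes the guard and throws `ArrayIndexOutOfBoundsException`; the check should be `if (props.length <= RESOURCE_INDEX) {`. Lines arriving through `FileReaderUtil.readFile` are pre-filtered by its four-field regex, which masks the bug on that path but not for other callers of the public `parsePolicies`. Separately, the imports hunk adds `import scala.tools.jline.internal.Log;`, which the `parseResources` hunk below uses as `Log.warn(...)` even though the class already has an slf4j `LOG`; the module pom declares no such dependency, so this compiles only through a transitive jar and should become `LOG.warn(type + " is invalid resource please check PolicyStore file");`. In `validateEntity`, `isValidEntity == false || isEmpty == true` reads more naturally as `!isValidEntity || isEmpty`.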
......@@ -135,7 +147,7 @@ public class PolicyParser {
private void parseUsers(String usersDef, PolicyDef def) {
if (isDebugEnabled) {
LOG.debug("<== PolicyParser parseUsers");
LOG.debug("==> PolicyParser parseUsers");
}
String[] users = usersDef.split(",");
String[] userAndRole = null;
......@@ -163,13 +175,13 @@ public class PolicyParser {
def.setUsers(usersMap);
}
if (isDebugEnabled) {
LOG.debug("==> PolicyParser parseUsers");
LOG.debug("<== PolicyParser parseUsers");
}
}
private void parseGroups(String groupsDef, PolicyDef def) {
if (isDebugEnabled) {
LOG.debug("<== PolicyParser parseGroups");
LOG.debug("==> PolicyParser parseGroups");
}
String[] groups = groupsDef.split("\\,");
String[] groupAndRole = null;
......@@ -196,14 +208,14 @@ public class PolicyParser {
def.setGroups(groupsMap);
}
if (isDebugEnabled) {
LOG.debug("==> PolicyParser parseGroups");
LOG.debug("<== PolicyParser parseGroups");
}
}
private void parseResources(String resourceDef, PolicyDef def) {
if (isDebugEnabled) {
LOG.debug("<== PolicyParser parseResources");
LOG.debug("==> PolicyParser parseResources");
}
String[] resources = resourceDef.split(",");
String[] resourceTypeAndName = null;
......@@ -217,8 +229,23 @@ public class PolicyParser {
if (def.getResources() != null) {
resourcesMap = def.getResources();
}
AtlasResourceTypes resourceType =
AtlasResourceTypes.valueOf(resourceTypeAndName[RESOURCE_TYPE].toUpperCase());
AtlasResourceTypes resourceType = null;
String type = resourceTypeAndName[RESOURCE_TYPE].toUpperCase();
if (type.equalsIgnoreCase("ENTITY")) {
resourceType = AtlasResourceTypes.ENTITY;
} else if (type.equalsIgnoreCase("OPERATION")) {
resourceType = AtlasResourceTypes.OPERATION;
} else if (type.equalsIgnoreCase("TYPE")) {
resourceType = AtlasResourceTypes.TYPE;
} else if (type.equalsIgnoreCase("TAXONOMY")) {
resourceType = AtlasResourceTypes.TAXONOMY;
} else if (type.equalsIgnoreCase("TERM")) {
resourceType = AtlasResourceTypes.TERM;
} else {
Log.warn(type + " is invalid resource please check PolicyStore file");
continue;
}
List<String> resourceList = resourcesMap.get(resourceType);
if (resourceList == null) {
resourceList = new ArrayList<String>();
......@@ -231,7 +258,7 @@ public class PolicyParser {
def.setResources(resourcesMap);
}
if (isDebugEnabled) {
LOG.debug("==> PolicyParser parseResources");
LOG.debug("<== PolicyParser parseResources");
}
}
......@@ -14,7 +14,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.authorize;
package org.apache.atlas.authorize.simple;
import java.util.ArrayList;
import java.util.HashMap;
......@@ -22,6 +22,8 @@ import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import org.apache.atlas.authorize.AtlasActionTypes;
import org.apache.atlas.authorize.AtlasResourceTypes;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
......@@ -29,77 +31,13 @@ public class PolicyUtil {
private static Logger LOG = LoggerFactory.getLogger(PolicyUtil.class);
private static boolean isDebugEnabled = LOG.isDebugEnabled();
private Map<String, Map<AtlasResourceTypes, List<String>>> userReadMap;
private Map<String, Map<AtlasResourceTypes, List<String>>> userWriteMap;
private Map<String, Map<AtlasResourceTypes, List<String>>> userUpdateMap;
private Map<String, Map<AtlasResourceTypes, List<String>>> userDeleteMap;
private Map<String, Map<AtlasResourceTypes, List<String>>> groupReadMap;
private Map<String, Map<AtlasResourceTypes, List<String>>> groupWriteMap;
private Map<String, Map<AtlasResourceTypes, List<String>>> groupUpdateMap;
private Map<String, Map<AtlasResourceTypes, List<String>>> groupDeleteMap;
/**
* @return the userReadMap
*/
public Map<String, Map<AtlasResourceTypes, List<String>>> getUserReadMap() {
return userReadMap;
}
/**
* @return the userWriteMap
*/
public Map<String, Map<AtlasResourceTypes, List<String>>> getUserWriteMap() {
return userWriteMap;
}
/**
* @return the userUpdateMap
*/
public Map<String, Map<AtlasResourceTypes, List<String>>> getUserUpdateMap() {
return userUpdateMap;
}
/**
* @return the userDeleteMap
*/
public Map<String, Map<AtlasResourceTypes, List<String>>> getUserDeleteMap() {
return userDeleteMap;
}
/**
* @return the groupReadMap
*/
public Map<String, Map<AtlasResourceTypes, List<String>>> getGroupReadMap() {
return groupReadMap;
}
/**
* @return the groupWriteMap
*/
public Map<String, Map<AtlasResourceTypes, List<String>>> getGroupWriteMap() {
return groupWriteMap;
}
/**
* @return the groupUpdateMap
*/
public Map<String, Map<AtlasResourceTypes, List<String>>> getGroupUpdateMap() {
return groupUpdateMap;
}
/**
* @return the groupDeleteMap
*/
public Map<String, Map<AtlasResourceTypes, List<String>>> getGroupDeleteMap() {
return groupDeleteMap;
}
public Map<String, Map<AtlasResourceTypes, List<String>>> createPermissionMap(List<PolicyDef> policyDefList,
AtlasActionTypes permissionType, AtlasAccessorTypes principalType) {
AtlasActionTypes permissionType, SimpleAtlasAuthorizer.AtlasAccessorTypes principalType) {
if (isDebugEnabled) {
LOG.debug("<== PolicyUtil createPermissionMap");
LOG.debug("Creating Permission Map for :: " + permissionType + " & " + principalType);
LOG.debug("==> PolicyUtil createPermissionMap" + "\nCreating Permission Map for :: " + permissionType
+ " & " + principalType);
}
Map<String, Map<AtlasResourceTypes, List<String>>> userReadMap =
new HashMap<String, Map<AtlasResourceTypes, List<String>>>();
......@@ -108,7 +46,8 @@ public class PolicyUtil {
for (PolicyDef policyDef : policyDefList) {
LOG.info("Processing policy def : " + policyDef);
Map<String, List<AtlasActionTypes>> principalMap =
principalType.equals(AtlasAccessorTypes.USER) ? policyDef.getUsers() : policyDef.getGroups();
principalType.equals(SimpleAtlasAuthorizer.AtlasAccessorTypes.USER) ? policyDef.getUsers() : policyDef
.getGroups();
// For every policy extract the resource list and populate the user map
for (Entry<String, List<AtlasActionTypes>> e : principalMap.entrySet()) {
// Check if the user has passed permission type like READ
......@@ -150,12 +89,12 @@ public class PolicyUtil {
userResourceList.put(type, resourceList);
}
userReadMap.put(username, userResourceList);
LOG.info("userReadMap=====>>>>>> " + userReadMap);
LOG.info("userReadMap " + userReadMap);
}
}
if (isDebugEnabled) {
LOG.debug("Returning Map for " + principalType + " :: " + userReadMap);
LOG.debug("==> PolicyUtil createPermissionMap");
LOG.debug("<== PolicyUtil createPermissionMap");
}
return userReadMap;
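Review bot: The changed `LOG.info("userReadMap " + userReadMap);` sits inside the per-principal loop and prints the entire accumulated map on every iteration, so for N principals the log output grows quadratically, and at INFO level it places the full permission table into routine logs on every start-up. Drop it or move it into the debug block after the loop, which already logs the final map once. Since `createPermissionMap` now serves every `permissionType` and principal type, the local `userReadMap` is also a misleading name when the map holds, say, group DELETE grants; `permissionMap` would match the method. The method starts outside this hunk.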
......@@ -16,11 +16,12 @@
* limitations under the License.
*/
package org.apache.atlas.authorize;
package org.apache.atlas.authorize.simple;
import org.apache.atlas.authorize.AtlasResourceTypes;
import org.testng.annotations.Test;
import java.util.List;
import java.util.Set;
import static org.testng.Assert.assertEquals;
import static org.testng.Assert.assertTrue;
......@@ -52,7 +53,7 @@ public class AtlasAuthorizationUtilsTest {
@Test
public void testGetAtlasResourceType() throws Exception {
String contextPath = "/api/atlas/types";
List<AtlasResourceTypes> resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
Set<AtlasResourceTypes> resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
assertEquals(resourceTypes.size(), 1);
assertTrue(resourceTypes.contains(AtlasResourceTypes.TYPE));
......@@ -73,15 +74,13 @@ public class AtlasAuthorizationUtilsTest {
contextPath = "/api/atlas/entities/111/traits";
resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
assertEquals(resourceTypes.size(), 2);
assertEquals(resourceTypes.size(), 1);
assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
assertTrue(resourceTypes.contains(AtlasResourceTypes.TYPE));
contextPath = "/api/atlas/discovery/search";
resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
assertEquals(resourceTypes.size(), 2);
assertEquals(resourceTypes.size(), 1);
assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
assertTrue(resourceTypes.contains(AtlasResourceTypes.TYPE));
contextPath = "/api/atlas/entities?type=Column";
resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
......@@ -101,11 +100,10 @@ public class AtlasAuthorizationUtilsTest {
contextPath = "/api/atlas/v1/taxonomies/taxonomy1/terms";
resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
assertEquals(resourceTypes.size(), 4);
assertEquals(resourceTypes.size(), 3);
assertTrue(resourceTypes.contains(AtlasResourceTypes.TAXONOMY));
assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
assertTrue(resourceTypes.contains(AtlasResourceTypes.TERM));
assertTrue(resourceTypes.contains(AtlasResourceTypes.TYPE));
contextPath = "/api/atlas/v1/entities/111";
resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
......@@ -114,8 +112,7 @@ public class AtlasAuthorizationUtilsTest {
contextPath = "/api/atlas/v1/entities/111/tags/foo";
resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
assertEquals(resourceTypes.size(), 2);
assertEquals(resourceTypes.size(), 1);
assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
assertTrue(resourceTypes.contains(AtlasResourceTypes.TYPE));
}
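Review bot: The updated assertions follow the new resource mapping, but nothing in `testGetAtlasResourceType` exercises the new `else` branch of `getAtlasResourceType`, which now returns `AtlasResourceTypes.UNKNOWN` for an unmapped path instead of throwing. A case using a made-up path, `resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType("/api/atlas/doesnotexist"); assertTrue(resourceTypes.contains(AtlasResourceTypes.UNKNOWN));`, would pin that behaviour so a later change to the fallback is noticed by the build. The test method starts outside this hunk.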
}
......@@ -14,14 +14,19 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.authorize;
package org.apache.atlas.authorize.simple;
import static org.junit.Assert.assertEquals;
import static org.testng.AssertJUnit.assertEquals;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.atlas.authorize.AtlasActionTypes;
import org.apache.atlas.authorize.AtlasResourceTypes;
import org.apache.atlas.authorize.simple.PolicyDef;
import org.apache.atlas.authorize.simple.PolicyParser;
import org.testng.annotations.Test;
public class PolicyParserTest {
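Review bot: The imports of `org.apache.atlas.authorize.simple.PolicyDef` and `org.apache.atlas.authorize.simple.PolicyParser` are redundant now that the test itself is declared in `org.apache.atlas.authorize.simple`; the `SimpleAtlasAuthorizer`, `PolicyDef`, `PolicyParser` and `PolicyUtil` imports in the PolicyUtilTest hunk have the same issue. Removing them keeps the import block to names that actually come from other packages.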
......@@ -34,7 +39,7 @@ public class PolicyParserTest {
Map<String, List<AtlasActionTypes>> groupMap = new HashMap<String, List<AtlasActionTypes>>();
List<AtlasActionTypes> accessList1 = new ArrayList<AtlasActionTypes>();
accessList1.add(AtlasActionTypes.READ);
accessList1.add(AtlasActionTypes.WRITE);
accessList1.add(AtlasActionTypes.CREATE);
accessList1.add(AtlasActionTypes.UPDATE);
groupMap.put("grp1", accessList1);
......@@ -50,7 +55,7 @@ public class PolicyParserTest {
List<AtlasActionTypes> usr2AccessList = new ArrayList<AtlasActionTypes>();
usr2AccessList.add(AtlasActionTypes.READ);
usr2AccessList.add(AtlasActionTypes.WRITE);
usr2AccessList.add(AtlasActionTypes.CREATE);
usersMap.put("usr2", usr2AccessList);
/* Creating resources data */
......@@ -87,7 +92,7 @@ public class PolicyParserTest {
Map<String, List<AtlasActionTypes>> groupMap = new HashMap<String, List<AtlasActionTypes>>();
List<AtlasActionTypes> accessList1 = new ArrayList<AtlasActionTypes>();
accessList1.add(AtlasActionTypes.READ);
accessList1.add(AtlasActionTypes.WRITE);
accessList1.add(AtlasActionTypes.CREATE);
accessList1.add(AtlasActionTypes.UPDATE);
groupMap.put("grp1", accessList1);
......@@ -139,7 +144,7 @@ public class PolicyParserTest {
List<AtlasActionTypes> usr2AccessList = new ArrayList<AtlasActionTypes>();
usr2AccessList.add(AtlasActionTypes.READ);
usr2AccessList.add(AtlasActionTypes.WRITE);
usr2AccessList.add(AtlasActionTypes.CREATE);
usersMap.put("usr2", usr2AccessList);
// Creating resources data
......@@ -14,15 +14,20 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.authorize;
package org.apache.atlas.authorize.simple;
import static org.junit.Assert.assertEquals;
import static org.testng.AssertJUnit.assertEquals;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.atlas.authorize.simple.SimpleAtlasAuthorizer;
import org.apache.atlas.authorize.AtlasActionTypes;
import org.apache.atlas.authorize.AtlasResourceTypes;
import org.apache.atlas.authorize.simple.PolicyDef;
import org.apache.atlas.authorize.simple.PolicyParser;
import org.apache.atlas.authorize.simple.PolicyUtil;
import org.testng.annotations.Test;
public class PolicyUtilTest {
......@@ -52,7 +57,7 @@ public class PolicyUtilTest {
List<PolicyDef> policyDefList = new PolicyParser().parsePolicies(policies);
Map<String, Map<AtlasResourceTypes, List<String>>> createdPermissionMap =
new PolicyUtil().createPermissionMap(policyDefList, AtlasActionTypes.READ, AtlasAccessorTypes.GROUP);
new PolicyUtil().createPermissionMap(policyDefList, AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.GROUP);
assertEquals(permissionMap, createdPermissionMap);
......@@ -87,7 +92,7 @@ public class PolicyUtilTest {
List<PolicyDef> policyDefList = new PolicyParser().parsePolicies(policies);
Map<String, Map<AtlasResourceTypes, List<String>>> createdPermissionMap =
new PolicyUtil().createPermissionMap(policyDefList, AtlasActionTypes.READ, AtlasAccessorTypes.GROUP);
new PolicyUtil().createPermissionMap(policyDefList, AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.GROUP);
assertEquals(permissionMap, createdPermissionMap);
......
......@@ -14,22 +14,25 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.authorize;
package org.apache.atlas.authorize.simple;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.Map;
import org.apache.atlas.authorize.*;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.testng.AssertJUnit;
import org.testng.annotations.Test;
public class SimpleAtlasAuthorizerTest {
private static Logger LOG = LoggerFactory.getLogger(SimpleAtlasAuthorizerTest.class);
private static Logger LOG = LoggerFactory
.getLogger(SimpleAtlasAuthorizerTest.class);
@Test
public void testAccessAllowedForUserAndGroup() {
......@@ -41,24 +44,29 @@ public class SimpleAtlasAuthorizerTest {
List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies);
PolicyUtil policyUtil = new PolicyUtil();
// group read map
groupReadMap = policyUtil.createPermissionMap(policyDefs, AtlasActionTypes.READ, AtlasAccessorTypes.GROUP);
groupReadMap = policyUtil.createPermissionMap(policyDefs,
AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.GROUP);
// creating user readMap
userReadMap = policyUtil.createPermissionMap(policyDefs, AtlasActionTypes.READ, AtlasAccessorTypes.USER);
userReadMap = policyUtil.createPermissionMap(policyDefs,
AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.USER);
List<AtlasResourceTypes> resourceType = new ArrayList<AtlasResourceTypes>();
Set<AtlasResourceTypes> resourceType = new HashSet<AtlasResourceTypes>();
resourceType.add(AtlasResourceTypes.TYPE);
String resource = "xsdfhjabc";
AtlasActionTypes action = AtlasActionTypes.READ;
String user = "usr1";
List<String> userGroups = new ArrayList<String>();
Set<String> userGroups = new HashSet<String>();
userGroups.add("grp3");
AtlasAccessRequest request = new AtlasAccessRequest(resourceType, resource, action, user, userGroups);
SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) SimpleAtlasAuthorizer.getInstance();
try {
AtlasAccessRequest request = new AtlasAccessRequest(resourceType,
resource, action, user, userGroups);
SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory
.getAtlasAuthorizer();
authorizer.setResourcesForTesting(userReadMap, groupReadMap, action);
authorizer
.setResourcesForTesting(userReadMap, groupReadMap, action);
try {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
// getUserReadMap
AssertJUnit.assertEquals(true, isAccessAllowed);
......@@ -81,29 +89,34 @@ public class SimpleAtlasAuthorizerTest {
List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies);
PolicyUtil policyUtil = new PolicyUtil();
// creating group read map
groupReadMap = policyUtil.createPermissionMap(policyDefs, AtlasActionTypes.READ, AtlasAccessorTypes.GROUP);
groupReadMap = policyUtil.createPermissionMap(policyDefs,
AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.GROUP);
// creating user readMap
userReadMap = policyUtil.createPermissionMap(policyDefs, AtlasActionTypes.READ, AtlasAccessorTypes.USER);
userReadMap = policyUtil.createPermissionMap(policyDefs,
AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.USER);
List<AtlasResourceTypes> resourceType = new ArrayList<AtlasResourceTypes>();
Set<AtlasResourceTypes> resourceType = new HashSet<AtlasResourceTypes>();
resourceType.add(AtlasResourceTypes.TYPE);
String resource = "PII";
AtlasActionTypes action = AtlasActionTypes.READ;
String user = "usr3";
List<String> userGroups = new ArrayList<String>();
Set<String> userGroups = new HashSet<String>();
userGroups.add("grp1");
AtlasAccessRequest request = new AtlasAccessRequest(resourceType, resource, action, user, userGroups);
SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) SimpleAtlasAuthorizer.getInstance();
authorizer.setResourcesForTesting(userReadMap, groupReadMap, action);
AtlasAccessRequest request = new AtlasAccessRequest(resourceType,
resource, action, user, userGroups);
try {
SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory
.getAtlasAuthorizer();
authorizer
.setResourcesForTesting(userReadMap, groupReadMap, action);
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
AssertJUnit.assertEquals(true, isAccessAllowed);
} catch (AtlasAuthorizationException e) {
if (LOG.isErrorEnabled()) {
LOG.error("AtlasAuthorizationException in Unit Test", e);
}
}
}
......@@ -119,22 +132,27 @@ public class SimpleAtlasAuthorizerTest {
List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies);
PolicyUtil policyUtil = new PolicyUtil();
// group read map
groupReadMap = policyUtil.createPermissionMap(policyDefs, AtlasActionTypes.READ, AtlasAccessorTypes.GROUP);
groupReadMap = policyUtil.createPermissionMap(policyDefs,
AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.GROUP);
// creating user readMap
userReadMap = policyUtil.createPermissionMap(policyDefs, AtlasActionTypes.READ, AtlasAccessorTypes.USER);
userReadMap = policyUtil.createPermissionMap(policyDefs,
AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.USER);
List<AtlasResourceTypes> resourceType = new ArrayList<AtlasResourceTypes>();
Set<AtlasResourceTypes> resourceType = new HashSet<AtlasResourceTypes>();
resourceType.add(AtlasResourceTypes.TYPE);
String resource = "abc";
AtlasActionTypes action = AtlasActionTypes.READ;
String user = "usr1";
List<String> userGroups = new ArrayList<String>();
Set<String> userGroups = new HashSet<String>();
userGroups.add("grp1");
AtlasAccessRequest request = new AtlasAccessRequest(resourceType, resource, action, user, userGroups);
SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) SimpleAtlasAuthorizer.getInstance();
authorizer.setResourcesForTesting(userReadMap, groupReadMap, action);
AtlasAccessRequest request = new AtlasAccessRequest(resourceType,
resource, action, user, userGroups);
try {
SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory
.getAtlasAuthorizer();
authorizer
.setResourcesForTesting(userReadMap, groupReadMap, action);
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
AssertJUnit.assertEquals(false, isAccessAllowed);
} catch (AtlasAuthorizationException e) {
......@@ -156,22 +174,27 @@ public class SimpleAtlasAuthorizerTest {
List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies);
PolicyUtil policyUtil = new PolicyUtil();
// group read map
groupReadMap = policyUtil.createPermissionMap(policyDefs, AtlasActionTypes.READ, AtlasAccessorTypes.GROUP);
groupReadMap = policyUtil.createPermissionMap(policyDefs,
AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.GROUP);
// creating user readMap
userReadMap = policyUtil.createPermissionMap(policyDefs, AtlasActionTypes.READ, AtlasAccessorTypes.USER);
userReadMap = policyUtil.createPermissionMap(policyDefs,
AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.USER);
List<AtlasResourceTypes> resourceType = new ArrayList<AtlasResourceTypes>();
Set<AtlasResourceTypes> resourceType = new HashSet<AtlasResourceTypes>();
resourceType.add(AtlasResourceTypes.TYPE);
String resource = "PII";
AtlasActionTypes action = AtlasActionTypes.READ;
String user = "usr3";
List<String> userGroups = new ArrayList<String>();
Set<String> userGroups = new HashSet<String>();
userGroups.add("grp3");
AtlasAccessRequest request = new AtlasAccessRequest(resourceType, resource, action, user, userGroups);
SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) SimpleAtlasAuthorizer.getInstance();
authorizer.setResourcesForTesting(userReadMap, groupReadMap, action);
AtlasAccessRequest request = new AtlasAccessRequest(resourceType,
resource, action, user, userGroups);
try {
SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory
.getAtlasAuthorizer();
authorizer
.setResourcesForTesting(userReadMap, groupReadMap, action);
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
AssertJUnit.assertEquals(false, isAccessAllowed);
} catch (AtlasAuthorizationException e) {
......
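Review bot: The catch block closing the second hunk (`catch (AtlasAuthorizationException e) { ... LOG.error(...) }`) only logs the exception, so a test that never reaches `AssertJUnit.assertEquals` still passes; an authorizer that throws on every request would leave all four tests green. Replace the log with a failure that keeps the cause, e.g. `throw new AssertionError("AtlasAuthorizationException in Unit Test", e);`, or declare `throws AtlasAuthorizationException` on the test methods and drop the try/catch. The same pattern appears in the hunks at -41, -119 and -156 of this file, whose catch bodies are cut off at the hunk edge. The enclosing test methods start outside the hunks.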
......@@ -56,5 +56,11 @@
<artifactId>mockito-all</artifactId>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
<version>${spring.version}</version>
</dependency>
</dependencies>
</project>
/*
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
......@@ -6,33 +6,32 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.util;
package org.apache.atlas.utils;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import org.apache.log4j.Logger;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.beans.factory.config.PropertyPlaceholderConfigurer;
public class PropertiesUtil extends PropertyPlaceholderConfigurer {
/**
* Util class for Properties.
*/
public final class PropertiesUtil extends PropertyPlaceholderConfigurer {
private static Map<String, String> propertiesMap = new HashMap<String, String>();
private static Logger logger = Logger.getLogger(PropertiesUtil.class);
protected List<String> xmlPropertyConfigurer = new ArrayList<String>();
......@@ -42,8 +41,7 @@ public class PropertiesUtil extends PropertyPlaceholderConfigurer {
}
@Override
protected void processProperties(ConfigurableListableBeanFactory beanFactory, Properties props)
throws BeansException {
protected void processProperties(ConfigurableListableBeanFactory beanFactory, Properties props) {
Properties sysProps = System.getProperties();
if (sysProps != null) {
......@@ -56,10 +54,14 @@ public class PropertiesUtil extends PropertyPlaceholderConfigurer {
}
}
Set<Object> keySet = props.keySet();
for (Object key : keySet) {
String keyStr = key.toString();
propertiesMap.put(keyStr, props.getProperty(keyStr).trim());
if (props != null) {
for (String key : props.stringPropertyNames()) {
String value = props.getProperty(key);
if (value != null) {
value = value.trim();
}
propertiesMap.put(key, value);
}
}
super.processProperties(beanFactory, props);
......@@ -132,4 +134,4 @@ public class PropertiesUtil extends PropertyPlaceholderConfigurer {
}
return Boolean.parseBoolean(value);
}
}
\ No newline at end of file
}
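Review bot: `protected List<String> xmlPropertyConfigurer` is left exposed to subclasses while the same section makes the class `public final`, so no subclass can ever exist; it should become `private` (with `logger` and `propertiesMap` also worth `private static final`). In the new loop, `if (value != null)` guards a value obtained from `props.getProperty(key)` for a key returned by `stringPropertyNames()`, which only yields keys whose values are strings, so that branch looks unreachable; the `props != null` guard is the one that matters. `propertiesMap` is a static mutable `HashMap` written here and presumably read by static getters outside the hunk; document that it is expected to be populated once during context startup rather than concurrently, e.g. `// Populated once by processProperties() at context startup; not synchronized.` The rest of `processProperties` continues outside the hunk.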
/*
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
......@@ -7,17 +7,16 @@
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.util;
package org.apache.atlas.utils;
import java.io.IOException;
import java.io.InputStream;
......@@ -32,7 +31,9 @@ import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
/**
* Util class for XMLProperties.
*/
public class XMLPropertiesUtil extends DefaultPropertiesPersister {
private static Logger logger = Logger.getLogger(XMLPropertiesUtil.class);
......@@ -40,8 +41,7 @@ public class XMLPropertiesUtil extends DefaultPropertiesPersister {
}
@Override
public void loadFromXml(Properties properties, InputStream inputStream)
throws IOException {
public void loadFromXml(Properties properties, InputStream inputStream) throws IOException {
try {
DocumentBuilderFactory xmlDocumentBuilderFactory = DocumentBuilderFactory
.newInstance();
......@@ -82,4 +82,4 @@ public class XMLPropertiesUtil extends DefaultPropertiesPersister {
}
}
}
\ No newline at end of file
}
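Review bot: `DocumentBuilderFactory.newInstance()` in the reformatted `loadFromXml` is used with default settings, so DOCTYPE processing and external entity resolution stay enabled for the XML it parses; the input is a classpath configuration file, so the exposure is limited, but the hardening is one line: `xmlDocumentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`. The body of the method and its catch clauses continue outside the hunk, so whether the resulting `ParserConfigurationException` is already handled there cannot be confirmed from this view.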
......@@ -127,3 +127,6 @@ atlas.auth.policy.file=${sys:atlas.home}/conf/policy-store.txt
# org.apache.atlas.typesystem.types.cache.ITypeCacheProvider.
# The default is DefaultTypeCacheProvider which is a local in-memory type cache.
#atlas.typesystem.cache.provider=
#########authorizer impl class #########
atlas.authorizer.impl=SIMPLE
......@@ -3,7 +3,5 @@
##Policy_Name;;User_Name1:Operations_Allowed,User_Name2:Operations_Allowed;;Group_Name1:Operations_Allowed,Group_Name2:Operations_Allowed;;Resource_Type1:Resource_Name,Resource_Type2:Resource_Name
##
adminPolicy;;admin:rwud;;ROLE_ADMIN:rwud;;type:*,entity:*,operation:*,taxonomy:*,term:*
typeReadPolicy;;nixon:rw;;;;type:*,entity:*,taxonomy:*,term:*
classReadPolicy;;saqeeb:r;;;;type:*,entity:*,taxonomy:*,term:*
dataScientistPolicy;;;;DATA_SCIENTIST:r;;type:*,entity:*,taxonomy:*,term:*
dataStewardPolicy;;;;DATA_STEWARD:rwu;;type:*,entity:*,taxonomy:*,term:*
#username=group::sha256-password
admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
michael=DATA_SCIENTIST::95bfb24de17d285d734b9eaa9109bfe922adc85f20d2e5e66a78bddb4a4ebddb
paul=DATA_STEWARD::e7c0dcf5f8a93e93791e9bac1ae454a691c1d2a902fc4256d489e96c1b9ac68c
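Review bot: The header `#username=group::sha256-password` documents that credentials are stored as a bare, unsalted SHA-256 digest, which is a fast hash and offers little protection if the file is disclosed; a password KDF with a per-user salt (PBKDF2, bcrypt or scrypt) is the expected format for a credential store. The three accounts ship with the distribution as defaults, so the header should state that they are sample accounts to be replaced before deployment, e.g. `# Sample accounts for a development install; replace these entries before deploying.` How the digest is compared on login is not visible in this diff.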
......@@ -463,16 +463,19 @@
<module>graphdb</module>
<module>titan</module>
<module>repository</module>
<module>authorization</module>
<module>catalog</module>
<!-- <module>dashboard</module> -->
<module>dashboardv2</module>
<module>webapp</module>
<module>docs</module>
<module>addons/hdfs-model</module>
<module>addons/hive-bridge</module>
<module>addons/falcon-bridge</module>
<module>addons/sqoop-bridge</module>
<module>addons/storm-bridge</module>
<module>distro</module>
</modules>
......
......@@ -21,6 +21,7 @@ ATLAS-409 Atlas will not import avro tables with schema read from a file (dosset
ATLAS-379 Create sqoop and falcon metadata addons (venkatnrangan,bvellanki,sowmyaramesh via shwethags)
ALL CHANGES:
ATLAS-495 Atlas Ranger Authorization Plugin (nixonrodrigues via shwethags)
ATLAS-805 Quickstart is failing if run after queries to the business taxonomy API (jspeidel via shwethags)
ATLAS-774 Better error handling from login.jsp (nixonrodrigues via shwethags)
ATLAS-683 Refactor local type-system cache with cache provider interface (vmadugun via shwethags)
......
......@@ -89,6 +89,12 @@
<artifactId>atlas-client</artifactId>
</dependency>
<dependency>
<groupId>org.apache.atlas</groupId>
<artifactId>atlas-authorization</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>org.apache.atlas</groupId>
<artifactId>atlas-notification</artifactId>
......
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.authorize;
public enum AtlasAccessorTypes {
USER, GROUP;
}
......@@ -19,9 +19,9 @@
package org.apache.atlas.web.filters;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
......@@ -31,13 +31,11 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.atlas.AtlasClient;
import org.apache.atlas.AtlasException;
import org.apache.atlas.authorize.AtlasAccessRequest;
import org.apache.atlas.authorize.AtlasActionTypes;
import org.apache.atlas.authorize.AtlasAuthorizationException;
import org.apache.atlas.authorize.AtlasAuthorizer;
import org.apache.atlas.authorize.AtlasAuthorizerFactory;
import org.apache.atlas.authorize.AtlasResourceTypes;
import org.apache.atlas.authorize.SimpleAtlasAuthorizer;
import org.json.simple.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
......@@ -45,7 +43,6 @@ import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;
import static org.apache.atlas.authorize.AtlasAuthorizationUtils.*;
import com.google.common.base.Strings;
......@@ -53,23 +50,36 @@ public class AtlasAuthorizationFilter extends GenericFilterBean {
private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthorizationFilter.class);
private static boolean isDebugEnabled = LOG.isDebugEnabled();
private AtlasAuthorizer authorizer = SimpleAtlasAuthorizer.getInstance();
private AtlasAuthorizer authorizer = null;
private final String BASE_URL = "/" + AtlasClient.BASE_URI;
public AtlasAuthorizationFilter() {
if (isDebugEnabled) {
LOG.debug("<== AtlasAuthorizationFilter() -- " + "Now initializing the Apache Atlas Authorizer!!!");
LOG.debug("==> AtlasAuthorizationFilter() -- " + "Now initializing the Apache Atlas Authorizer!!!");
}
authorizer.init();
try {
authorizer = AtlasAuthorizerFactory.getAtlasAuthorizer();
if (authorizer != null) {
authorizer.init();
} else {
LOG.warn("AtlasAuthorizer not initialized properly, please check the application logs and add proper configurations.");
}
} catch (AtlasAuthorizationException e) {
LOG.error("Unable to obtain AtlasAuthorizer. ", e);
}
}
@Override
public void destroy() {
if (isDebugEnabled) {
LOG.debug("<== AtlasAuthorizationFilter destroy");
LOG.debug("==> AtlasAuthorizationFilter destroy");
}
if (authorizer != null) {
authorizer.cleanUp();
}
authorizer.cleanUp();
super.destroy();
}
......@@ -83,15 +93,13 @@ public class AtlasAuthorizationFilter extends GenericFilterBean {
HttpServletRequest request = (HttpServletRequest) req;
String pathInfo = request.getServletPath();
if (pathInfo.startsWith(BASE_URL)) {
if (!Strings.isNullOrEmpty(pathInfo) && pathInfo.startsWith(BASE_URL)) {
if (isDebugEnabled) {
LOG.debug(pathInfo + " is a valid REST API request!!!");
}
AtlasActionTypes action = getAtlasAction(request.getMethod());
String userName = null;
List<String> groups = new ArrayList<String>();
StringBuilder sb = new StringBuilder();
Set<String> groups = new HashSet<String>();
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
......@@ -101,37 +109,43 @@ public class AtlasAuthorizationFilter extends GenericFilterBean {
for (GrantedAuthority c : authorities) {
groups.add(c.getAuthority());
}
sb.append("============================\n");
sb.append("UserName ==>> " + userName + "\nGroups ==>> " + groups);
} else {
if (LOG.isErrorEnabled()) {
LOG.error("Cannot obtain Security Context : " + auth);
}
throw new ServletException("Cannot obtain Security Context : " + auth);
}
sb.append("\n" + "URL :: " + request.getRequestURL() + " Action :: " + action);
sb.append("\nrequest.getServletPath() :: " + pathInfo);
sb.append("\n============================\n");
AtlasAccessRequest atlasRequest = new AtlasAccessRequest(request, userName, groups);
if (isDebugEnabled) {
LOG.debug(sb.toString());
LOG.debug("============================\n" + "UserName :: " + atlasRequest.getUser() + "\nGroups :: "
+ atlasRequest.getUserGroups() + "\nURL :: " + request.getRequestURL() + "\nAction :: "
+ atlasRequest.getAction() + "\nrequest.getServletPath() :: " + pathInfo
+ "\n============================\n");
}
sb = null;
List<AtlasResourceTypes> atlasResourceType = getAtlasResourceType(pathInfo);
String resource = getAtlasResource(request, action);
AtlasAccessRequest atlasRequest =
new AtlasAccessRequest(atlasResourceType, resource, action, userName, groups);
boolean accessAllowed = false;
try {
accessAllowed = authorizer.isAccessAllowed(atlasRequest);
} catch (AtlasAuthorizationException e) {
if (LOG.isErrorEnabled()) {
LOG.error("Access Restricted. Could not process the request due to : " + e);
Set<AtlasResourceTypes> atlasResourceTypes = atlasRequest.getResourceTypes();
if (atlasResourceTypes.size() == 1 && atlasResourceTypes.contains(AtlasResourceTypes.UNKNOWN)) {
// Allowing access to unprotected resource types
if (LOG.isDebugEnabled()) {
LOG.debug("Allowing access to unprotected resource types " + atlasResourceTypes);
}
accessAllowed = true;
} else {
try {
if (authorizer != null) {
accessAllowed = authorizer.isAccessAllowed(atlasRequest);
}
} catch (AtlasAuthorizationException e) {
if (LOG.isErrorEnabled()) {
LOG.error("Access Restricted. Could not process the request :: " + e);
}
}
if (isDebugEnabled) {
LOG.debug("Authorizer result :: " + accessAllowed);
}
}
if (isDebugEnabled) {
LOG.debug("Authorizer result :: " + accessAllowed);
}
if (accessAllowed) {
if (isDebugEnabled) {
......@@ -140,17 +154,17 @@ public class AtlasAuthorizationFilter extends GenericFilterBean {
chain.doFilter(req, res);
} else {
JSONObject json = new JSONObject();
json.put("AuthorizationError", "Sorry you are not authorized for " + action.name() + " on "
+ atlasResourceType + " : " + resource);
json.put("AuthorizationError", "You are not authorized for " + atlasRequest.getAction().name() + " on "
+ atlasResourceTypes + " : " + atlasRequest.getResource());
HttpServletResponse response = (HttpServletResponse) res;
response.setContentType("application/json");
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
response.sendError(HttpServletResponse.SC_FORBIDDEN, json.toString());
if (isDebugEnabled) {
LOG.debug("Sorry you are not authorized for " + action.name() + " on " + atlasResourceType + " : "
+ resource);
LOG.debug("Returning 403 since the access is blocked update!!!!");
LOG.debug("You are not authorized for " + atlasRequest.getAction().name() + " on "
+ atlasResourceTypes + " : " + atlasRequest.getResource()
+ "\nReturning 403 since the access is blocked update!!!!");
}
return;
}
......
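Review bot: The new `UNKNOWN` branch in `doFilter` lets any request under `BASE_URL` whose path maps to no known resource type through without consulting the authorizer, so a new REST endpoint is unprotected until the path-to-resource mapping inside `AtlasAccessRequest` (not in this diff) is extended; this allow-by-default deserves an explicit comment, e.g. `// Paths that map to no known resource type bypass authorization; new endpoints must be added to the resource-type mapping to be protected.` The catch block logs the exception by string concatenation (`LOG.error("... :: " + e)`), which drops the stack trace; pass it as the throwable argument: `LOG.error("Access Restricted. Could not process the request :: ", e);`. When the constructor failed to obtain an authorizer and left it `null`, every protected request is denied with the generic 403 message, which is fail-closed but hides the misconfiguration from operators; an error-level log in that branch would make it visible. `doFilter` starts and ends outside the hunk.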
......@@ -22,7 +22,7 @@ import java.util.List;
import javax.annotation.PostConstruct;
import org.apache.atlas.util.PropertiesUtil;
import org.apache.atlas.utils.PropertiesUtil;
import org.apache.atlas.web.model.User;
import org.apache.log4j.Logger;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
......
......@@ -20,7 +20,7 @@ package org.apache.atlas.web.security;
import java.util.List;
import javax.annotation.PostConstruct;
import org.apache.atlas.util.PropertiesUtil;
import org.apache.atlas.utils.PropertiesUtil;
import org.apache.atlas.web.model.User;
import org.apache.log4j.Logger;
import org.springframework.ldap.core.support.LdapContextSource;
......
......@@ -24,9 +24,9 @@
<import resource="classpath:/spring-security.xml" />
<bean id="xmlPropertyConfigurer" class="org.apache.atlas.util.XMLPropertiesUtil" />
<bean id="xmlPropertyConfigurer" class="org.apache.atlas.utils.XMLPropertiesUtil" />
<bean id="propertyConfigurer" class="org.apache.atlas.util.PropertiesUtil">
<bean id="propertyConfigurer" class="org.apache.atlas.utils.PropertiesUtil">
<property name="locations">
<list>
<value>classpath:atlas-admin-site.xml
......