ATLAS-3622: added authorization for add/remove of labels, update of namespace attributes

authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java

@@ -28,45 +28,53 @@ public class AtlasEntityAccessRequest extends AtlasAccessRequest {
     private final AtlasEntityHeader   entity;
     private final String              entityId;
     private final AtlasClassification classification;
+    private final String              label;
+    private final String              namespaceName;
     private final String              attributeName;
     private final AtlasTypeRegistry   typeRegistry;
     private final Set<String>         entityClassifications;
 
 
     public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action) {
-        this(typeRegistry, action, null, null, null, null, null);
+        this(typeRegistry, action, null, null, null, null, null, null, null);
     }
 
     public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, AtlasEntityHeader entity) {
-        this(typeRegistry, action, entity, null, null, null, null);
+        this(typeRegistry, action, entity, null, null, null, null, null, null);
     }
 
     public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, AtlasEntityHeader entity, AtlasClassification classification) {
-        this(typeRegistry, action, entity, classification, null, null, null);
+        this(typeRegistry, action, entity, classification, null, null, null, null, null);
     }
 
     public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, AtlasEntityHeader entity, String attributeName) {
-        this(typeRegistry, action, entity, null, attributeName, null, null);
+        this(typeRegistry, action, entity, null, attributeName, null, null, null, null);
     }
 
     public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, AtlasEntityHeader entity, String userName, Set<String> userGroups) {
-        this(typeRegistry, action, entity, null, null, userName, userGroups);
+        this(typeRegistry, action, entity, null, null, null, null, userName, userGroups);
     }
 
     public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, AtlasEntityHeader entity, AtlasClassification classification, String userName, Set<String> userGroups) {
-        this(typeRegistry, action, entity, classification, null, userName, userGroups);
+        this(typeRegistry, action, entity, classification, null, null, null, userName, userGroups);
     }
 
     public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, AtlasEntityHeader entity, String attributeName, String userName, Set<String> userGroups) {
-        this(typeRegistry, action, entity, null, attributeName, userName, userGroups);
+        this(typeRegistry, action, entity, null, attributeName, null, null, userName, userGroups);
     }
 
     public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, AtlasEntityHeader entity, AtlasClassification classification, String attributeName, String userName, Set<String> userGroups) {
+        this(typeRegistry, action, entity, classification, attributeName, null, null, userName, userGroups);
+    }
+
+    public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, AtlasEntityHeader entity, AtlasClassification classification, String attributeName, String label, String namespaceName, String userName, Set<String> userGroups) {
         super(action, userName, userGroups);
 
         this.entity                = entity;
         this.entityId              = super.getEntityId(entity, typeRegistry);
         this.classification        = classification;
+        this.label                 = label;
+        this.namespaceName         = namespaceName;
         this.attributeName         = attributeName;
         this.typeRegistry          = typeRegistry;
         this.entityClassifications = super.getClassificationNames(entity);
@@ -84,6 +92,14 @@ public class AtlasEntityAccessRequest extends AtlasAccessRequest {
         return classification;
     }
 
+    public String getLabel() {
+        return label;
+    }
+
+    public String getNamespaceName() {
+        return namespaceName;
+    }
+
     public String getAttributeName() {
         return attributeName;
     }
@@ -106,11 +122,80 @@ public class AtlasEntityAccessRequest extends AtlasAccessRequest {
 
     @Override
     public String toString() {
-        return "AtlasEntityAccessRequest[entity=" + entity + ", classification=" + classification + ", attributeName=" + attributeName +
+        return "AtlasEntityAccessRequest[entity=" + entity + ", classification=" + classification + ", label=" + label + ", namespaceName=" + namespaceName + ", attributeName=" + attributeName +
                 ", action=" + getAction() + ", accessTime=" + getAccessTime() + ", user=" + getUser() +
                 ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() +
                 ", forwardedAddresses=" + getForwardedAddresses() + ", remoteIPAddress=" + getRemoteIPAddress() + "]";
     }
+
+    public static class AtlasEntityAccessRequestBuilder {
+        private final AtlasTypeRegistry   typeRegistry;
+        private final AtlasPrivilege      action;
+        private       String              userName;
+        private       Set<String>         userGroups;
+        private       AtlasEntityHeader   entity;
+        private       AtlasClassification classification;
+        private       String              label;
+        private       String              namespaceName;
+        private       String              attributeName;
+
+        public AtlasEntityAccessRequestBuilder(AtlasTypeRegistry typeRegistry, AtlasPrivilege action) {
+            this.typeRegistry = typeRegistry;
+            this.action       = action;
+        }
+
+        public AtlasEntityAccessRequestBuilder(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, AtlasEntityHeader entity) {
+            this.typeRegistry = typeRegistry;
+            this.action       = action;
+            this.entity       = entity;
+        }
+
+        public AtlasEntityAccessRequestBuilder setUserName(String userName) {
+            this.userName = userName;
+
+            return this;
+        }
+
+        public AtlasEntityAccessRequestBuilder setUserGroups(Set<String> userGroups) {
+            this.userGroups = userGroups;
+
+            return this;
+        }
+
+        public AtlasEntityAccessRequestBuilder setEntity(AtlasEntityHeader entity) {
+            this.entity = entity;
+
+            return this;
+        }
+
+        public AtlasEntityAccessRequestBuilder setClassification(AtlasClassification classification) {
+            this.classification = classification;
+
+            return this;
+        }
+
+        public AtlasEntityAccessRequestBuilder setLabel(String label) {
+            this.label = label;
+
+            return this;
+        }
+
+        public AtlasEntityAccessRequestBuilder setNamespaceName(String namespaceName) {
+            this.namespaceName = namespaceName;
+
+            return this;
+        }
+
+        public AtlasEntityAccessRequestBuilder setAttributeName(String attributeName) {
+            this.attributeName = attributeName;
+
+            return this;
+        }
+
+        public AtlasEntityAccessRequest build() {
+            return new AtlasEntityAccessRequest(typeRegistry, action, entity, classification, attributeName, label, namespaceName, userName, userGroups);
+        }
+    }
 }
 
 

authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java

@@ -37,7 +37,12 @@ public enum AtlasPrivilege {
      RELATIONSHIP_ADD("add-relationship"),
      RELATIONSHIP_UPDATE("update-relationship"),
      RELATIONSHIP_REMOVE("remove-relationship"),
-     ADMIN_PURGE("admin-purge");
+
+     ADMIN_PURGE("admin-purge"),
+
+     ENTITY_ADD_LABEL("entity-add-label"),
+     ENTITY_REMOVE_LABEL("entity-remove-label"),
+     ENTITY_UPDATE_NAMESPACE("entity-update-namespace");
 
      private final String type;
 

authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java

@@ -238,8 +238,9 @@ public final class AtlasSimpleAuthorizer implements AtlasAuthorizer {
 
             if (permissions != null) {
                 for (AtlasEntityPermission permission : permissions) {
-                    // match entity-type/entity-id/attribute
-                    if (isMatchAny(entityTypes, permission.getEntityTypes()) && isMatch(entityId, permission.getEntityIds()) && isMatch(attribute, permission.getAttributes())) {
+                    // match entity-type/entity-id/lable/namespace/attribute
+                    if (isMatchAny(entityTypes, permission.getEntityTypes()) && isMatch(entityId, permission.getEntityIds()) && isMatch(attribute, permission.getAttributes())
+                         && isLabelMatch(request, permission) && isNamespaceMatch(request, permission)) {
                         // match permission/classification
                         if (!hasEntityAccess) {
                             if (isMatch(action, permission.getPrivileges()) && isMatch(classification, permission.getClassifications())) {
@@ -458,6 +459,14 @@ public final class AtlasSimpleAuthorizer implements AtlasAuthorizer {
             }
         }
     }
+
+    private boolean isLabelMatch(AtlasEntityAccessRequest request, AtlasEntityPermission permission) {
+        return (AtlasPrivilege.ENTITY_ADD_LABEL.equals(request.getAction()) || AtlasPrivilege.ENTITY_REMOVE_LABEL.equals(request.getAction())) ? isMatch(request.getLabel(), permission.getLabels()) : true;
+    }
+
+    private boolean isNamespaceMatch(AtlasEntityAccessRequest request, AtlasEntityPermission permission) {
+        return AtlasPrivilege.ENTITY_UPDATE_NAMESPACE.equals(request.getAction()) ? isMatch(request.getNamespaceName(), permission.getNamespaces()) : true;
+    }
 }
 
 

authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzPolicy.java

@@ -209,16 +209,24 @@ public class AtlasSimpleAuthzPolicy implements Serializable {
         private List<String> entityTypes;     // name of entity-type, wildcards supported
         private List<String> entityIds;       // value of entity-unique attribute, wildcards supported
         private List<String> classifications; // name of classification-type, wildcards supported
+        private List<String> labels;          // labels, wildcards supported
+        private List<String> namespaces;      // name of namespace-type, wildcards supported
         private List<String> attributes;      // name of entity-attribute, wildcards supported
 
         public AtlasEntityPermission() {
         }
 
         public AtlasEntityPermission(List<String> privileges, List<String> entityTypes, List<String> entityIds, List<String> classifications, List<String> attributes) {
+            this(privileges, entityTypes, entityIds, classifications, attributes, null, null);
+        }
+
+        public AtlasEntityPermission(List<String> privileges, List<String> entityTypes, List<String> entityIds, List<String> classifications, List<String> labels, List<String> namespaces, List<String> attributes) {
             this.privileges      = privileges;
             this.entityTypes     = entityTypes;
             this.entityIds       = entityIds;
             this.classifications = classifications;
+            this.labels          = labels;
+            this.namespaces      = namespaces;
             this.attributes      = attributes;
         }
 
@@ -254,6 +262,22 @@ public class AtlasSimpleAuthzPolicy implements Serializable {
             this.classifications = classifications;
         }
 
+        public List<String> getLabels() {
+            return labels;
+        }
+
+        public void setLabels(List<String> labels) {
+            this.namespaces = labels;
+        }
+
+        public List<String> getNamespaces() {
+            return namespaces;
+        }
+
+        public void setNamespaces(List<String> namespaces) {
+            this.namespaces = namespaces;
+        }
+
         public List<String> getAttributes() {
             return attributes;
         }

authorization/src/main/resources/atlas-simple-authz-policy.json

@@ -18,7 +18,9 @@
           "privileges":      [ ".*" ],
           "entityTypes":     [ ".*" ],
           "entityIds":       [ ".*" ],
-          "classifications": [ ".*" ]
+          "classifications": [ ".*" ],
+          "labels":          [ ".*" ],
+          "namespaces":      [ ".*" ]
         }
       ],
       "relationshipPermissions": [
@@ -41,7 +43,9 @@
           "privileges":      [ "entity-read", "entity-read-classification" ],
           "entityTypes":     [ ".*" ],
           "entityIds":       [ ".*" ],
-          "classifications": [ ".*" ]
+          "classifications": [ ".*" ],
+          "labels":          [ ".*" ],
+          "namespaces":      [ ".*" ]
         }
       ]
     },
@@ -49,10 +53,12 @@
     "DATA_STEWARD": {
       "entityPermissions": [
         {
-          "privileges":      [ "entity-read", "entity-create", "entity-update", "entity-read-classification", "entity-add-classification", "entity-update-classification", "entity-remove-classification" ],
+          "privileges":      [ "entity-read", "entity-create", "entity-update", "entity-read-classification", "entity-add-classification", "entity-update-classification", "entity-remove-classification", "entity-add-label", "entity-remove-label", "entity-update-namespace" ],
           "entityTypes":     [ ".*" ],
           "entityIds":       [ ".*" ],
-          "classifications": [ ".*" ]
+          "classifications": [ ".*" ],
+          "labels":          [ ".*" ],
+          "namespaces":      [ ".*" ]
         }
       ],
       "relationshipPermissions": [

authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizerTest.java

@@ -29,6 +29,10 @@ import java.util.Collections;
 public class AtlasSimpleAuthorizerTest {
     private static Logger LOG = LoggerFactory.getLogger(AtlasSimpleAuthorizerTest.class);
 
+    private static final String USER_DATA_SCIENTIST = "dataScientist1";
+    private static final String USER_DATA_STEWARD   = "dataSteward1";
+
+
     private String          originalConf;
     private AtlasAuthorizer authorizer;
 
@@ -104,4 +108,67 @@ public class AtlasSimpleAuthorizerTest {
             AssertJUnit.fail();
         }
     }
+
+    @Test(enabled = true)
+    public void testLabels() {
+        try {
+            AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_ADD_LABEL);
+
+            request.setUser(USER_DATA_SCIENTIST, Collections.emptySet());
+
+            boolean isAccessAllowed = authorizer.isAccessAllowed(request);
+
+            AssertJUnit.assertEquals("user " + USER_DATA_SCIENTIST + " shouldn't be allowed to add label", false, isAccessAllowed);
+
+
+            request.setUser(USER_DATA_STEWARD, Collections.emptySet());
+
+            isAccessAllowed = authorizer.isAccessAllowed(request);
+
+            AssertJUnit.assertEquals("user " + USER_DATA_STEWARD + " should be allowed to add label", true, isAccessAllowed);
+
+
+            request = new AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_REMOVE_LABEL);
+
+            request.setUser(USER_DATA_SCIENTIST, Collections.emptySet());
+
+            isAccessAllowed = authorizer.isAccessAllowed(request);
+
+            AssertJUnit.assertEquals("user " + USER_DATA_SCIENTIST + " shouldn't be allowed to remove label", false, isAccessAllowed);
+
+
+            request.setUser(USER_DATA_STEWARD, Collections.emptySet());
+
+            isAccessAllowed = authorizer.isAccessAllowed(request);
+
+            AssertJUnit.assertEquals("user " + USER_DATA_STEWARD + " should be allowed to remove label", true, isAccessAllowed);
+        } catch (AtlasAuthorizationException e) {
+            LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
+
+            AssertJUnit.fail();
+        }
+    }
+
+    @Test(enabled = true)
+    public void testNamespaces() {
+        try {
+            AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_UPDATE_NAMESPACE);
+
+            request.setUser(USER_DATA_SCIENTIST, Collections.emptySet());
+
+            boolean isAccessAllowed = authorizer.isAccessAllowed(request);
+
+            AssertJUnit.assertEquals("user " + USER_DATA_SCIENTIST + " shouldn't be allowed to update namespace", false, isAccessAllowed);
+
+            request.setUser(USER_DATA_STEWARD, Collections.emptySet());
+
+            isAccessAllowed = authorizer.isAccessAllowed(request);
+
+            AssertJUnit.assertEquals("user " + USER_DATA_STEWARD + " should be allowed to update namespace", true, isAccessAllowed);
+        } catch (AtlasAuthorizationException e) {
+            LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
+
+            AssertJUnit.fail();
+        }
+    }
 }

authorization/src/test/resources/atlas-simple-authz-policy.json

@@ -43,7 +43,9 @@
           "privileges":      [ "entity-read", "entity-read-classification" ],
           "entityTypes":     [ ".*" ],
           "entityIds":       [ ".*" ],
-          "classifications": [ ".*" ]
+          "classifications": [ ".*" ],
+          "labels":          [ ".*" ],
+          "namespaces":      [ ".*" ]
         }
       ]
     },
@@ -51,10 +53,12 @@
     "DATA_STEWARD": {
       "entityPermissions": [
         {
-          "privileges":      [ "entity-read", "entity-create", "entity-update", "entity-read-classification", "entity-add-classification", "entity-update-classification", "entity-remove-classification" ],
+          "privileges":      [ "entity-read", "entity-create", "entity-update", "entity-read-classification", "entity-add-classification", "entity-update-classification", "entity-remove-classification", "entity-add-label", "entity-remove-label", "entity-update-namespace" ],
           "entityTypes":     [ ".*" ],
           "entityIds":       [ ".*" ],
-          "classifications": [ ".*" ]
+          "classifications": [ ".*" ],
+          "labels":          [ ".*" ],
+          "namespaces":      [ ".*" ]
         }
       ]
     }
@@ -62,7 +66,9 @@
 
   "userRoles": {
     "admin": [ "ROLE_ADMIN" ],
-    "rangertagsync": [ "DATA_SCIENTIST" ]
+    "rangertagsync": [ "DATA_SCIENTIST" ],
+    "dataScientist1": [ "DATA_SCIENTIST"],
+    "dataSteward1": [ "DATA_STEWARD"]
   },
 
   "groupRoles": {

repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityStoreV2.java

@@ -25,6 +25,7 @@ import org.apache.atlas.annotation.GraphTransaction;
 import org.apache.atlas.authorize.AtlasAdminAccessRequest;
 import org.apache.atlas.authorize.AtlasAuthorizationUtils;
 import org.apache.atlas.authorize.AtlasEntityAccessRequest;
+import org.apache.atlas.authorize.AtlasEntityAccessRequest.AtlasEntityAccessRequestBuilder;
 import org.apache.atlas.authorize.AtlasPrivilege;
 import org.apache.atlas.exception.AtlasBaseException;
 import org.apache.atlas.model.TypeCategory;
@@ -66,6 +67,7 @@ import javax.inject.Inject;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
@@ -834,14 +836,44 @@ public class AtlasEntityStoreV2 implements AtlasEntityStore {
             throw new AtlasBaseException(AtlasErrorCode.INVALID_PARAMETERS, "guid is null/empty");
         }
 
+        if (MapUtils.isEmpty(entityNamespaces)) {
+            throw new AtlasBaseException(AtlasErrorCode.INVALID_PARAMETERS, "entityNamespaces is null/empty");
+        }
+
         AtlasVertex entityVertex = AtlasGraphUtilsV2.findByGuid(guid);
 
         if (entityVertex == null) {
             throw new AtlasBaseException(AtlasErrorCode.INSTANCE_GUID_NOT_FOUND, guid);
         }
 
-        String          typeName   = getTypeName(entityVertex);
-        AtlasEntityType entityType = typeRegistry.getEntityTypeByName(typeName);
+        String                           typeName       = getTypeName(entityVertex);
+        AtlasEntityType                  entityType     = typeRegistry.getEntityTypeByName(typeName);
+        AtlasEntityHeader                entityHeader   = entityRetriever.toAtlasEntityHeaderWithClassifications(entityVertex);
+        Map<String, Map<String, Object>> currNamespaces = entityRetriever.getEntityNamespaces(entityVertex);
+        Set<String>                      updatedNsNames = new HashSet<>();
+
+        for (String nsName : entityType.getNamespaceAttributes().keySet()) {
+            Map<String, Object> nsAttrs     = entityNamespaces.get(nsName);
+            Map<String, Object> currNsAttrs = currNamespaces != null ? currNamespaces.get(nsName) : null;
+
+            if (nsAttrs == null && !isOverwrite) {
+                continue;
+            } else if (MapUtils.isEmpty(nsAttrs) && MapUtils.isEmpty(currNsAttrs)) { // no change
+                continue;
+            } else if (Objects.equals(nsAttrs, currNsAttrs)) { // no change
+                continue;
+            }
+
+            updatedNsNames.add(nsName);
+        }
+
+        AtlasEntityAccessRequestBuilder  requestBuilder = new AtlasEntityAccessRequestBuilder(typeRegistry, AtlasPrivilege.ENTITY_UPDATE_NAMESPACE, entityHeader);
+
+        for (String nsName : updatedNsNames) {
+            requestBuilder.setNamespaceName(nsName);
+
+            AtlasAuthorizationUtils.verifyAccess(requestBuilder.build(), "add/update namespace: guid=", guid, ", namespace=", nsName);
+        }
 
         validateNamespaceAttributes(entityVertex, entityType, entityNamespaces, isOverwrite);
 
@@ -867,14 +899,27 @@ public class AtlasEntityStoreV2 implements AtlasEntityStore {
             throw new AtlasBaseException(AtlasErrorCode.INVALID_PARAMETERS, "guid is null/empty");
         }
 
+        if (MapUtils.isEmpty(entityNamespaces)) {
+            throw new AtlasBaseException(AtlasErrorCode.INVALID_PARAMETERS, "entityNamespaces is null/empty");
+        }
+
         AtlasVertex entityVertex = AtlasGraphUtilsV2.findByGuid(guid);
 
         if (entityVertex == null) {
             throw new AtlasBaseException(AtlasErrorCode.INSTANCE_GUID_NOT_FOUND, guid);
         }
 
-        String          typeName   = getTypeName(entityVertex);
-        AtlasEntityType entityType = typeRegistry.getEntityTypeByName(typeName);
+        String                          typeName       = getTypeName(entityVertex);
+        AtlasEntityType                 entityType     = typeRegistry.getEntityTypeByName(typeName);
+        AtlasEntityHeader               entityHeader   = entityRetriever.toAtlasEntityHeaderWithClassifications(entityVertex);
+
+        AtlasEntityAccessRequestBuilder requestBuilder = new AtlasEntityAccessRequestBuilder(typeRegistry, AtlasPrivilege.ENTITY_UPDATE_NAMESPACE, entityHeader);
+
+        for (String nsName : entityNamespaces.keySet()) {
+            requestBuilder.setNamespaceName(nsName);
+
+            AtlasAuthorizationUtils.verifyAccess(requestBuilder.build(), "remove namespace: guid=", guid, ", namespace=", nsName);
+        }
 
         entityGraphMapper.removeNamespaceAttributes(entityVertex, entityType, entityNamespaces);
 
@@ -902,6 +947,39 @@ public class AtlasEntityStoreV2 implements AtlasEntityStore {
 
         validateLabels(labels);
 
+        AtlasEntityHeader entityHeader  = entityRetriever.toAtlasEntityHeaderWithClassifications(entityVertex);
+        Set<String>       addedLabels   = Collections.emptySet();
+        Set<String>       removedLabels = Collections.emptySet();
+
+        if (CollectionUtils.isEmpty(entityHeader.getLabels())) {
+            addedLabels = labels;
+        } else if (CollectionUtils.isEmpty(labels)) {
+            removedLabels = entityHeader.getLabels();
+        } else {
+            addedLabels   = new HashSet<String>(CollectionUtils.subtract(labels, entityHeader.getLabels()));
+            removedLabels = new HashSet<String>(CollectionUtils.subtract(entityHeader.getLabels(), labels));
+        }
+
+        if (addedLabels != null) {
+            AtlasEntityAccessRequestBuilder requestBuilder = new AtlasEntityAccessRequestBuilder(typeRegistry, AtlasPrivilege.ENTITY_ADD_LABEL, entityHeader);
+
+            for (String label : addedLabels) {
+                requestBuilder.setLabel(label);
+
+                AtlasAuthorizationUtils.verifyAccess(requestBuilder.build(), "add label: guid=", guid, ", label=", label);
+            }
+        }
+
+        if (removedLabels != null) {
+            AtlasEntityAccessRequestBuilder requestBuilder = new AtlasEntityAccessRequestBuilder(typeRegistry, AtlasPrivilege.ENTITY_REMOVE_LABEL, entityHeader);
+
+            for (String label : removedLabels) {
+                requestBuilder.setLabel(label);
+
+                AtlasAuthorizationUtils.verifyAccess(requestBuilder.build(), "remove label: guid=", guid, ", label=", label);
+            }
+        }
+
         entityGraphMapper.setLabels(entityVertex, labels);
 
         if (LOG.isDebugEnabled()) {
@@ -920,12 +998,25 @@ public class AtlasEntityStoreV2 implements AtlasEntityStore {
             throw new AtlasBaseException(AtlasErrorCode.INVALID_PARAMETERS, "guid is null/empty");
         }
 
+        if (CollectionUtils.isEmpty(labels)) {
+            throw new AtlasBaseException(AtlasErrorCode.INVALID_PARAMETERS, "labels is null/empty");
+        }
+
         AtlasVertex entityVertex = AtlasGraphUtilsV2.findByGuid(guid);
 
         if (entityVertex == null) {
             throw new AtlasBaseException(AtlasErrorCode.INSTANCE_GUID_NOT_FOUND, guid);
         }
 
+        AtlasEntityHeader               entityHeader   = entityRetriever.toAtlasEntityHeaderWithClassifications(entityVertex);
+        AtlasEntityAccessRequestBuilder requestBuilder = new AtlasEntityAccessRequestBuilder(typeRegistry, AtlasPrivilege.ENTITY_REMOVE_LABEL, entityHeader);
+
+        for (String label : labels) {
+            requestBuilder.setLabel(label);
+
+            AtlasAuthorizationUtils.verifyAccess(requestBuilder.build(), "remove label: guid=", guid, ", label=", label);
+        }
+
         validateLabels(labels);
 
         entityGraphMapper.removeLabels(entityVertex, labels);
@@ -946,12 +1037,25 @@ public class AtlasEntityStoreV2 implements AtlasEntityStore {
             throw new AtlasBaseException(AtlasErrorCode.INVALID_PARAMETERS, "guid is null/empty");
         }
 
+        if (CollectionUtils.isEmpty(labels)) {
+            throw new AtlasBaseException(AtlasErrorCode.INVALID_PARAMETERS, "labels is null/empty");
+        }
+
         AtlasVertex entityVertex = AtlasGraphUtilsV2.findByGuid(guid);
 
         if (entityVertex == null) {
             throw new AtlasBaseException(AtlasErrorCode.INSTANCE_GUID_NOT_FOUND, guid);
         }
 
+        AtlasEntityHeader               entityHeader   = entityRetriever.toAtlasEntityHeaderWithClassifications(entityVertex);
+        AtlasEntityAccessRequestBuilder requestBuilder = new AtlasEntityAccessRequestBuilder(typeRegistry, AtlasPrivilege.ENTITY_ADD_LABEL, entityHeader);
+
+        for (String label : labels) {
+            requestBuilder.setLabel(label);
+
+            AtlasAuthorizationUtils.verifyAccess(requestBuilder.build(), "add/update label: guid=", guid, ", label=", label);
+        }
+
         validateLabels(labels);
 
         entityGraphMapper.addLabels(entityVertex, labels);

repository/src/main/java/org/apache/atlas/repository/store/graph/v2/EntityGraphMapper.java

@@ -353,7 +353,7 @@ public class EntityGraphMapper {
             removedLabels = null;
         } else if (CollectionUtils.isEmpty(labels)) {
             addedLabels   = null;
-            removedLabels = labels;
+            removedLabels = currentLabels;
         } else {
             addedLabels   = new HashSet<String>(CollectionUtils.subtract(labels, currentLabels));
             removedLabels = new HashSet<String>(CollectionUtils.subtract(currentLabels, labels));

repository/src/main/java/org/apache/atlas/repository/store/graph/v2/EntityGraphRetriever.java

@@ -221,6 +221,41 @@ public class EntityGraphRetriever {
         return ret;
     }
 
+    public Map<String, Map<String, Object>> getEntityNamespaces(AtlasVertex entityVertex) throws AtlasBaseException {
+        Map<String, Map<String, Object>>                  ret                  = null;
+        String                                            entityTypeName       = getTypeName(entityVertex);
+        AtlasEntityType                                   entityType           = typeRegistry.getEntityTypeByName(entityTypeName);
+        Map<String, Map<String, AtlasNamespaceAttribute>> entityTypeNamespaces = entityType != null ? entityType.getNamespaceAttributes() : null;
+
+        if (MapUtils.isNotEmpty(entityTypeNamespaces)) {
+            for (Map.Entry<String, Map<String, AtlasNamespaceAttribute>> entry : entityTypeNamespaces.entrySet()) {
+                String                               nsName        = entry.getKey();
+                Map<String, AtlasNamespaceAttribute> nsAttributes  = entry.getValue();
+                Map<String, Object>                  entityNsAttrs = null;
+
+                for (AtlasNamespaceAttribute nsAttribute : nsAttributes.values()) {
+                    Object nsAttrValue = mapVertexToAttribute(entityVertex, nsAttribute, null, false, false);
+
+                    if (nsAttrValue != null) {
+                        if (ret == null) {
+                            ret = new HashMap<>();
+                        }
+
+                        if (entityNsAttrs == null) {
+                            entityNsAttrs = new HashMap<>();
+
+                            ret.put(nsName, entityNsAttrs);
+                        }
+
+                        entityNsAttrs.put(nsAttribute.getName(), nsAttrValue);
+                    }
+                }
+            }
+        }
+
+        return ret;
+    }
+
     public Object getEntityAttribute(AtlasVertex entityVertex, AtlasAttribute attribute) {
         Object ret = null;
 
@@ -770,23 +805,7 @@ public class EntityGraphRetriever {
     }
 
     private void mapNamespaceAttributes(AtlasVertex entityVertex, AtlasEntity entity) throws AtlasBaseException {
-        AtlasEntityType                                   entityType           = typeRegistry.getEntityTypeByName(entity.getTypeName());
-        Map<String, Map<String, AtlasNamespaceAttribute>> entityTypeNamespaces = entityType != null ? entityType.getNamespaceAttributes() : null;
-
-        if (MapUtils.isNotEmpty(entityTypeNamespaces)) {
-            for (Map.Entry<String, Map<String, AtlasNamespaceAttribute>> entry : entityTypeNamespaces.entrySet()) {
-                String                               nsName       = entry.getKey();
-                Map<String, AtlasNamespaceAttribute> nsAttributes = entry.getValue();
-
-                for (AtlasNamespaceAttribute nsAttribute : nsAttributes.values()) {
-                    Object nsAttrValue = mapVertexToAttribute(entityVertex, nsAttribute, null, false, false);
-
-                    if (nsAttrValue != null) {
-                        entity.setNamespaceAttribute(nsName, nsAttribute.getName(), nsAttrValue);
-                    }
-                }
-            }
-        }
+        entity.setNamespaceAttributes(getEntityNamespaces(entityVertex));
     }
 
     public List<AtlasClassification> getAllClassifications(AtlasVertex entityVertex) throws AtlasBaseException {