Skip to content

A
atlas
Commit a963e980 by Hemanth Yamijala
Options

ATLAS-497 Simple Authorization (saqeeb.s via yhemanth)

parent 34f51a2a
Showing with 1570 additions and 4 deletions
distro/src/conf/atlas-application.properties
......@@ -124,3 +124,6 @@ atlas.login.method=FILE
### File path of users-credentials
atlas.login.credentials.file=${sys:atlas.home}/conf/users-credentials.properties
#########POLICY FILE PATH #########
atlas.auth.policy.file=${sys:atlas.home}/conf/policy-store.txt
distro/src/conf/policy-store.txt 0 → 100644
##Policy Format
##r-READ, w-WRITE, u-UPDATE, d-DELETE
##Policy_Name;;User_Name1:Operations_Allowed,User_Name2:Operations_Allowed;;Group_Name1:Operations_Allowed,Group_Name2:Operations_Allowed;;Resource_Type1:Resource_Name,Resource_Type2:Resource_Name
##
adminPolicy;;admin:rwud;;ROLE_ADMIN:rwud;;type:*,entity:*,operation:*
typeReadPolicy;;nixon:rw;;;;type:*,entity:*
classReadPolicy;;saqeeb:r;;;;type:*,entity:*
dataScientistPolicy;;;;DATA_SCIENTIST:r;;type:*,entity:*
dataStewardPolicy;;;;DATA_STEWARD:rwu;;type:*,entity:*
pom.xml
......@@ -1668,6 +1668,7 @@
<!-- atlas data directory creates when tests are run from IDE -->
<exclude>**/atlas.data/**</exclude>
<exclude>**/${sys:atlas.data}/**</exclude>
<exclude>**/policy-store.txt</exclude>
</excludes>
</configuration>
<executions>
......
release-log.txt
......@@ -3,6 +3,7 @@ Apache Atlas Release Notes
--trunk - unreleased
INCOMPATIBLE CHANGES:
ATLAS-497 Simple Authorization (saqeeb.s via yhemanth)
ATLAS-661 REST API Authentication (nixonrodrigues via yhemanth)
ATLAS-672 UI: Make dashboard v2 the default UI implementation (bergenholtz via yhemanth)
ATLAS-532 Change Data types of all timestamps in Hive model(currently long)(sumasai via yhemanth)
......
webapp/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java 0 → 100644
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.authorize;
import java.util.Date;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class AtlasAccessRequest {
private static Logger LOG = LoggerFactory.getLogger(AtlasAccessRequest.class);
private static boolean isDebugEnabled = LOG.isDebugEnabled();
private List<AtlasResourceTypes> resourceType = null;
private String resource = null;
private AtlasActionTypes action = null;
private String user = null;
private List<String> userGroups = null;
private Date accessTime = null;
private String clientIPAddress = null;
public AtlasAccessRequest(List<AtlasResourceTypes> resourceType, String resource, AtlasActionTypes action,
String user, List<String> userGroups) {
if (isDebugEnabled) {
LOG.debug("<== AtlasAccessRequestImpl-- Initializing AtlasAccessRequest");
}
setResource(resource);
setAction(action);
setUser(user);
setUserGroups(userGroups);
setResourceType(resourceType);
// set remaining fields to default value
setAccessTime(null);
setClientIPAddress(null);
}
public List<AtlasResourceTypes> getResourceTypes() {
return resourceType;
}
public void setResourceType(List<AtlasResourceTypes> resourceType) {
this.resourceType = resourceType;
}
public String getResource() {
return resource;
}
public void setResource(String resource) {
this.resource = resource;
}
public AtlasActionTypes getAction() {
return action;
}
public void setAction(AtlasActionTypes action) {
this.action = action;
}
public String getUser() {
return user;
}
public void setUser(String user) {
this.user = user;
}
public void setUserGroups(List<String> userGroups) {
this.userGroups = userGroups;
}
public List<String> getUserGroups() {
return userGroups;
}
public Date getAccessTime() {
return accessTime;
}
public void setAccessTime(Date accessTime) {
this.accessTime = accessTime;
}
public String getClientIPAddress() {
return clientIPAddress;
}
public void setClientIPAddress(String clientIPAddress) {
this.clientIPAddress = clientIPAddress;
}
@Override
public String toString() {
return "AtlasAccessRequest [resourceType=" + resourceType + ", resource=" + resource + ", action=" + action
+ ", user=" + user + ", userGroups=" + userGroups + ", accessTime=" + accessTime + ", clientIPAddress="
+ clientIPAddress + "]";
}
}
webapp/src/main/java/org/apache/atlas/authorize/AtlasAccessorTypes.java 0 → 100644
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.authorize;
public enum AtlasAccessorTypes {
USER, GROUP;
}
webapp/src/main/java/org/apache/atlas/authorize/AtlasActionTypes.java 0 → 100644
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.authorize;
public enum AtlasActionTypes {
READ, WRITE, UPDATE, DELETE;
}
webapp/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationException.java 0 → 100644
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.authorize;
public class AtlasAuthorizationException extends Exception {
private static final long serialVersionUID = 1L;
public AtlasAuthorizationException() {
}
public AtlasAuthorizationException(String message) {
super(message);
}
public AtlasAuthorizationException(String message, Throwable exception) {
super(message, exception);
}
public AtlasAuthorizationException(String message, Throwable exception, boolean enableSuppression,
boolean writableStackTrace) {
super(message, exception, enableSuppression, writableStackTrace);
}
}
webapp/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java 0 → 100644
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.authorize;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import org.apache.atlas.AtlasClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.google.common.base.Strings;
public class AtlasAuthorizationUtils {
private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthorizationUtils.class);
private static boolean isDebugEnabled = LOG.isDebugEnabled();
private static final String BASE_URL = "/" + AtlasClient.BASE_URI;
public static String parse(String fullPath, String subPath) {
String api = null;
if (!Strings.isNullOrEmpty(fullPath)) {
api = fullPath.substring(subPath.length(), fullPath.length());
}
if (isDebugEnabled) {
LOG.debug("Extracted " + api + " from path : " + fullPath);
}
return api;
}
public static String getApi(String u) {
if (isDebugEnabled) {
LOG.debug("getApi <=== from " + u);
}
if (u.startsWith(BASE_URL)) {
u = parse(u, BASE_URL);
}
String[] split = u.split("/");
return split[0];
}
public static AtlasActionTypes getAtlasAction(String method) {
AtlasActionTypes action = null;
switch (method.toUpperCase()) {
case "POST":
action = AtlasActionTypes.WRITE;
break;
case "GET":
action = AtlasActionTypes.READ;
break;
case "PUT":
action = AtlasActionTypes.UPDATE;
break;
case "DELETE":
action = AtlasActionTypes.DELETE;
break;
default:
if (isDebugEnabled) {
LOG.debug("Invalid HTTP method in request : " + method + " this is serious!!!");
}
break;
}
if (isDebugEnabled) {
LOG.debug("==> AtlasAuthorizationFilter getAtlasAction HTTP Method " + method + " mapped to AtlasAction : "
+ action);
}
return action;
}
public static List<AtlasResourceTypes> getAtlasResourceType(String contextPath) throws ServletException {
List<AtlasResourceTypes> resourceTypes = new ArrayList<AtlasResourceTypes>();
if (isDebugEnabled) {
LOG.debug("getAtlasResourceType <=== for " + contextPath);
}
String api = getApi(contextPath);
if (api.startsWith("types")) {
resourceTypes.add(AtlasResourceTypes.TYPE);
} else if ((api.startsWith("discovery") && api.contains("gremlin")) || api.startsWith("admin")
|| api.startsWith("graph")) {
resourceTypes.add(AtlasResourceTypes.OPERATION);
} else if ((api.startsWith("entities") && contextPath.contains("traits")) || api.startsWith("discovery")) {
resourceTypes.add(AtlasResourceTypes.ENTITY);
resourceTypes.add(AtlasResourceTypes.TYPE);
} else if (api.startsWith("entities") || api.startsWith("lineage")) {
resourceTypes.add(AtlasResourceTypes.ENTITY);
} else {
LOG.error("Unable to find Atlas Resource corresponding to : " + api);
throw new ServletException("Unable to find Atlas Resource corresponding to : " + api);
}
if (isDebugEnabled) {
LOG.debug("Returning AtlasResources " + resourceTypes + " for api " + api);
}
return resourceTypes;
}
/*
* This implementation will be changed for Resource level Authorization.
*/
public static String getAtlasResource(HttpServletRequest requeset, AtlasActionTypes action) {
if (isDebugEnabled) {
LOG.debug("getAtlasResource <=== "
+ "This implementation will be changed for Resource level Authorization.");
}
return "*";
}
}
webapp/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java 0 → 100644
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.authorize;
public interface AtlasAuthorizer {
/**
* This method will load the policy file and would initialize the required data-structures.
*/
public void init();
/**
* This method is responsible to perform the actual authorization for every REST API call. It will check the if the
* user:u can perform action:a on resource:r.
*
* @param request
* @return
*/
public boolean isAccessAllowed(AtlasAccessRequest request) throws AtlasAuthorizationException;
/**
* This method is responsible to perform the cleanup and release activities. It must be called when you are done
* with the Authorization activity and once it's called a restart would be required. Try to invoke this while
* destroying the context.
*/
public void cleanUp();
}
webapp/src/main/java/org/apache/atlas/authorize/AtlasResourceTypes.java 0 → 100644
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.authorize;
public enum AtlasResourceTypes {
ENTITY, TYPE, OPERATION;
}
webapp/src/main/java/org/apache/atlas/authorize/PolicyDef.java 0 → 100644
/** Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.authorize;
import java.util.List;
import java.util.Map;
public class PolicyDef {
private String policyName;
private Map<String, List<AtlasActionTypes>> users;
private Map<String, List<AtlasActionTypes>> groups;
private Map<AtlasResourceTypes, List<String>> resources;
public String getPolicyName() {
return policyName;
}
public void setPolicyName(String policyName) {
this.policyName = policyName;
}
public Map<String, List<AtlasActionTypes>> getUsers() {
return users;
}
public void setUsers(Map<String, List<AtlasActionTypes>> users) {
this.users = users;
}
public Map<String, List<AtlasActionTypes>> getGroups() {
return groups;
}
public void setGroups(Map<String, List<AtlasActionTypes>> groups) {
this.groups = groups;
}
public Map<AtlasResourceTypes, List<String>> getResources() {
return resources;
}
public void setResources(Map<AtlasResourceTypes, List<String>> resources) {
this.resources = resources;
}
@Override
public String toString() {
return "PolicyDef [policyName=" + policyName + ", users=" + users + ", groups=" + groups + ", resources="
+ resources + "]";
}
}
webapp/src/main/java/org/apache/atlas/authorize/PolicyParser.java 0 → 100644
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.authorize;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class PolicyParser {
private static Logger LOG = LoggerFactory.getLogger(PolicyParser.class);
private static boolean isDebugEnabled = LOG.isDebugEnabled();
public static final int POLICYNAME = 0;
public static final int USER_INDEX = 1;
public static final int USERNAME = 0;
public static final int USER_AUTHORITIES = 1;
public static final int GROUP_INDEX = 2;
public static final int GROUPNAME = 0;
public static final int GROUP_AUTHORITIES = 1;
public static final int RESOURCE_INDEX = 3;
public static final int RESOURCE_TYPE = 0;
public static final int RESOURCE_NAME = 1;
private List<AtlasActionTypes> getListOfAutorities(String auth) {
if (isDebugEnabled) {
LOG.debug("<== PolicyParser getListOfAutorities");
}
List<AtlasActionTypes> authorities = new ArrayList<AtlasActionTypes>();
for (int i = 0; i < auth.length(); i++) {
char access = auth.toLowerCase().charAt(i);
switch (access) {
case 'r':
authorities.add(AtlasActionTypes.READ);
break;
case 'w':
authorities.add(AtlasActionTypes.WRITE);
break;
case 'u':
authorities.add(AtlasActionTypes.UPDATE);
break;
case 'd':
authorities.add(AtlasActionTypes.DELETE);
break;
default:
if (LOG.isErrorEnabled()) {
LOG.error("Invalid Action");
}
break;
}
}
if (isDebugEnabled) {
LOG.debug("==> PolicyParser getListOfAutorities");
}
return authorities;
}
public List<PolicyDef> parsePolicies(List<String> policies) {
if (isDebugEnabled) {
LOG.debug("<== PolicyParser parsePolicies");
}
List<PolicyDef> policyDefs = new ArrayList<PolicyDef>();
for (String policy : policies) {
PolicyDef policyDef = parsePolicy(policy);
policyDefs.add(policyDef);
}
if (isDebugEnabled) {
LOG.debug("==> PolicyParser parsePolicies");
LOG.debug(policyDefs.toString());
}
return policyDefs;
}
private PolicyDef parsePolicy(String data) {
if (isDebugEnabled) {
LOG.debug("<== PolicyParser parsePolicy");
}
PolicyDef def = new PolicyDef();
String[] props = data.split(";;");
def.setPolicyName(props[POLICYNAME]);
parseUsers(props[USER_INDEX], def);
parseGroups(props[GROUP_INDEX], def);
parseResources(props[RESOURCE_INDEX], def);
if (isDebugEnabled) {
LOG.debug("policy successfully parsed!!!");
LOG.debug("==> PolicyParser parsePolicy");
}
return def;
}
private boolean validateEntity(String entity) {
if (isDebugEnabled) {
LOG.debug("<== PolicyParser validateEntity");
}
boolean isValidEntity = Pattern.matches("(.+:.+)+", entity);
boolean isEmpty = entity.isEmpty();
if (isValidEntity == false || isEmpty == true) {
if (isDebugEnabled) {
LOG.debug("group/user/resource not properly define in Policy");
LOG.debug("==> PolicyParser validateEntity");
}
return false;
} else {
if (isDebugEnabled) {
LOG.debug("==> PolicyParser validateEntity");
}
return true;
}
}
private void parseUsers(String usersDef, PolicyDef def) {
if (isDebugEnabled) {
LOG.debug("<== PolicyParser parseUsers");
}
String[] users = usersDef.split(",");
String[] userAndRole = null;
Map<String, List<AtlasActionTypes>> usersMap = new HashMap<String, List<AtlasActionTypes>>();
if (validateEntity(usersDef)) {
for (String user : users) {
if (!Pattern.matches("(.+:.+)+", user)) {
continue;
}
userAndRole = user.split(":");
if (def.getUsers() != null) {
usersMap = def.getUsers();
}
List<AtlasActionTypes> userAutorities = usersMap.get(userAndRole[USERNAME]);
if (userAutorities == null) {
userAutorities = new ArrayList<AtlasActionTypes>();
}
userAutorities = getListOfAutorities(userAndRole[USER_AUTHORITIES]);
usersMap.put(userAndRole[USERNAME], userAutorities);
def.setUsers(usersMap);
}
} else {
def.setUsers(usersMap);
}
if (isDebugEnabled) {
LOG.debug("==> PolicyParser parseUsers");
}
}
private void parseGroups(String groupsDef, PolicyDef def) {
if (isDebugEnabled) {
LOG.debug("<== PolicyParser parseGroups");
}
String[] groups = groupsDef.split("\\,");
String[] groupAndRole = null;
Map<String, List<AtlasActionTypes>> groupsMap = new HashMap<String, List<AtlasActionTypes>>();
if (validateEntity(groupsDef.trim())) {
for (String group : groups) {
if (!Pattern.matches("(.+:.+)+", group)) {
continue;
}
groupAndRole = group.split("[:]");
if (def.getGroups() != null) {
groupsMap = def.getGroups();
}
List<AtlasActionTypes> groupAutorities = groupsMap.get(groupAndRole[GROUPNAME]);
if (groupAutorities == null) {
groupAutorities = new ArrayList<AtlasActionTypes>();
}
groupAutorities = getListOfAutorities(groupAndRole[GROUP_AUTHORITIES]);
groupsMap.put(groupAndRole[GROUPNAME], groupAutorities);
def.setGroups(groupsMap);
}
} else {
def.setGroups(groupsMap);
}
if (isDebugEnabled) {
LOG.debug("==> PolicyParser parseGroups");
}
}
private void parseResources(String resourceDef, PolicyDef def) {
if (isDebugEnabled) {
LOG.debug("<== PolicyParser parseResources");
}
String[] resources = resourceDef.split(",");
String[] resourceTypeAndName = null;
Map<AtlasResourceTypes, List<String>> resourcesMap = new HashMap<AtlasResourceTypes, List<String>>();
if (validateEntity(resourceDef)) {
for (String resource : resources) {
if (!Pattern.matches("(.+:.+)+", resource)) {
continue;
}
resourceTypeAndName = resource.split("[:]");
if (def.getResources() != null) {
resourcesMap = def.getResources();
}
AtlasResourceTypes resourceType =
AtlasResourceTypes.valueOf(resourceTypeAndName[RESOURCE_TYPE].toUpperCase());
List<String> resourceList = resourcesMap.get(resourceType);
if (resourceList == null) {
resourceList = new ArrayList<String>();
}
resourceList.add(resourceTypeAndName[RESOURCE_NAME]);
resourcesMap.put(resourceType, resourceList);
def.setResources(resourcesMap);
}
} else {
def.setResources(resourcesMap);
}
if (isDebugEnabled) {
LOG.debug("==> PolicyParser parseResources");
}
}
}
webapp/src/main/java/org/apache/atlas/authorize/PolicyUtil.java 0 → 100644
/** Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.authorize;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class PolicyUtil {
private static Logger LOG = LoggerFactory.getLogger(PolicyUtil.class);
private static boolean isDebugEnabled = LOG.isDebugEnabled();
private Map<String, Map<AtlasResourceTypes, List<String>>> userReadMap;
private Map<String, Map<AtlasResourceTypes, List<String>>> userWriteMap;
private Map<String, Map<AtlasResourceTypes, List<String>>> userUpdateMap;
private Map<String, Map<AtlasResourceTypes, List<String>>> userDeleteMap;
private Map<String, Map<AtlasResourceTypes, List<String>>> groupReadMap;
private Map<String, Map<AtlasResourceTypes, List<String>>> groupWriteMap;
private Map<String, Map<AtlasResourceTypes, List<String>>> groupUpdateMap;
private Map<String, Map<AtlasResourceTypes, List<String>>> groupDeleteMap;
/**
* @return the userReadMap
*/
public Map<String, Map<AtlasResourceTypes, List<String>>> getUserReadMap() {
return userReadMap;
}
/**
* @return the userWriteMap
*/
public Map<String, Map<AtlasResourceTypes, List<String>>> getUserWriteMap() {
return userWriteMap;
}
/**
* @return the userUpdateMap
*/
public Map<String, Map<AtlasResourceTypes, List<String>>> getUserUpdateMap() {
return userUpdateMap;
}
/**
* @return the userDeleteMap
*/
public Map<String, Map<AtlasResourceTypes, List<String>>> getUserDeleteMap() {
return userDeleteMap;
}
/**
* @return the groupReadMap
*/
public Map<String, Map<AtlasResourceTypes, List<String>>> getGroupReadMap() {
return groupReadMap;
}
/**
* @return the groupWriteMap
*/
public Map<String, Map<AtlasResourceTypes, List<String>>> getGroupWriteMap() {
return groupWriteMap;
}
/**
* @return the groupUpdateMap
*/
public Map<String, Map<AtlasResourceTypes, List<String>>> getGroupUpdateMap() {
return groupUpdateMap;
}
/**
* @return the groupDeleteMap
*/
public Map<String, Map<AtlasResourceTypes, List<String>>> getGroupDeleteMap() {
return groupDeleteMap;
}
public Map<String, Map<AtlasResourceTypes, List<String>>> createPermissionMap(List<PolicyDef> policyDefList,
AtlasActionTypes permissionType, AtlasAccessorTypes principalType) {
if (isDebugEnabled) {
LOG.debug("<== PolicyUtil createPermissionMap");
LOG.debug("Creating Permission Map for :: " + permissionType + " & " + principalType);
}
Map<String, Map<AtlasResourceTypes, List<String>>> userReadMap =
new HashMap<String, Map<AtlasResourceTypes, List<String>>>();
// Iterate over the list of policies to create map
for (PolicyDef policyDef : policyDefList) {
LOG.info("Processing policy def : " + policyDef);
Map<String, List<AtlasActionTypes>> principalMap =
principalType.equals(AtlasAccessorTypes.USER) ? policyDef.getUsers() : policyDef.getGroups();
// For every policy extract the resource list and populate the user map
for (Entry<String, List<AtlasActionTypes>> e : principalMap.entrySet()) {
// Check if the user has passed permission type like READ
if (!e.getValue().contains(permissionType)) {
continue;
}
// See if the current user is already added to map
String username = e.getKey();
Map<AtlasResourceTypes, List<String>> userResourceList = userReadMap.get(username);
// If its not added then create a new resource list
if (userResourceList == null) {
if (isDebugEnabled) {
LOG.debug("Resource list not found for " + username + ", creating it");
}
userResourceList = new HashMap<AtlasResourceTypes, List<String>>();
}
/*
* Iterate over resources from the current policy def and update the resource list for the current user
*/
for (Entry<AtlasResourceTypes, List<String>> resourceTypeMap : policyDef.getResources().entrySet()) {
// For the current resourceType in the policyDef, get the
// current list of resources already added
AtlasResourceTypes type = resourceTypeMap.getKey();
List<String> resourceList = userResourceList.get(type);
if (resourceList == null) {
// if the resource list was not added for this type then
// create and add all the resources in this policy
resourceList = new ArrayList<String>();
resourceList.addAll(resourceTypeMap.getValue());
} else {
// if the resource list is present then merge both the
// list
resourceList.removeAll(resourceTypeMap.getValue());
resourceList.addAll(resourceTypeMap.getValue());
}
userResourceList.put(type, resourceList);
}
userReadMap.put(username, userResourceList);
LOG.info("userReadMap=====>>>>>> " + userReadMap);
}
}
if (isDebugEnabled) {
LOG.debug("Returning Map for " + principalType + " :: " + userReadMap);
LOG.debug("==> PolicyUtil createPermissionMap");
}
return userReadMap;
}
}
webapp/src/main/java/org/apache/atlas/util/FileReaderUtil.java 0 → 100644
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.util;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import org.apache.log4j.Logger;
public class FileReaderUtil {
private static Logger LOG = Logger.getLogger(FileReaderUtil.class);
private static boolean isDebugEnabled = LOG.isDebugEnabled();
public static List<String> readFile(String path) throws IOException {
if (isDebugEnabled) {
LOG.debug("<== FileReaderUtil readFile");
}
LOG.info("reading the file" + path);
BufferedReader br = new BufferedReader(new FileReader(path));
List<String> list = new ArrayList<String>();
String line = null;
while ((line = br.readLine()) != null) {
if ((!line.startsWith("##")) && Pattern.matches(".+;;.*;;.*;;.+", line))
list.add(line);
}
if (isDebugEnabled) {
LOG.debug("==> FileReaderUtil readFile");
LOG.debug("Policies read :: " + list);
}
if (br != null) {
br.close();
}
return list;
}
}
\ No newline at end of file
webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthorizationFilter.java 0 → 100644
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.web.filters;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.atlas.AtlasClient;
import org.apache.atlas.AtlasException;
import org.apache.atlas.authorize.AtlasAccessRequest;
import org.apache.atlas.authorize.AtlasActionTypes;
import org.apache.atlas.authorize.AtlasAuthorizationException;
import org.apache.atlas.authorize.AtlasAuthorizer;
import org.apache.atlas.authorize.AtlasResourceTypes;
import org.apache.atlas.authorize.SimpleAtlasAuthorizer;
import org.json.simple.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;
import static org.apache.atlas.authorize.AtlasAuthorizationUtils.*;
import com.google.common.base.Strings;
public class AtlasAuthorizationFilter extends GenericFilterBean {
private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthorizationFilter.class);
private static boolean isDebugEnabled = LOG.isDebugEnabled();
private AtlasAuthorizer authorizer = SimpleAtlasAuthorizer.getInstance();
private final String BASE_URL = "/" + AtlasClient.BASE_URI;
public AtlasAuthorizationFilter() {
if (isDebugEnabled) {
LOG.debug("<== AtlasAuthorizationFilter() -- " + "Now initializing the Apache Atlas Authorizer!!!");
}
authorizer.init();
}
@Override
public void destroy() {
if (isDebugEnabled) {
LOG.debug("<== AtlasAuthorizationFilter destroy");
}
authorizer.cleanUp();
super.destroy();
}
@SuppressWarnings("unchecked")
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException,
ServletException {
if (isDebugEnabled) {
LOG.debug("==> AuthorizationFilter.doFilter");
}
HttpServletRequest request = (HttpServletRequest) req;
String pathInfo = request.getServletPath();
if (pathInfo.startsWith(BASE_URL)) {
if (isDebugEnabled) {
LOG.debug(pathInfo + " is a valid REST API request!!!");
}
AtlasActionTypes action = getAtlasAction(request.getMethod());
String userName = null;
List<String> groups = new ArrayList<String>();
StringBuilder sb = new StringBuilder();
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth != null) {
userName = String.valueOf(auth.getPrincipal());
Collection<? extends GrantedAuthority> authorities = auth.getAuthorities();
for (GrantedAuthority c : authorities) {
groups.add(c.getAuthority());
}
sb.append("============================\n");
sb.append("UserName ==>> " + userName + "\nGroups ==>> " + groups);
} else {
if (LOG.isErrorEnabled()) {
LOG.error("Cannot obtain Security Context : " + auth);
}
throw new ServletException("Cannot obtain Security Context : " + auth);
}
sb.append("\n" + "URL :: " + request.getRequestURL() + " Action :: " + action);
sb.append("\nrequest.getServletPath() :: " + pathInfo);
sb.append("\n============================\n");
if (isDebugEnabled) {
LOG.debug(sb.toString());
}
sb = null;
List<AtlasResourceTypes> atlasResourceType = getAtlasResourceType(pathInfo);
String resource = getAtlasResource(request, action);
AtlasAccessRequest atlasRequest =
new AtlasAccessRequest(atlasResourceType, resource, action, userName, groups);
boolean accessAllowed = false;
try {
accessAllowed = authorizer.isAccessAllowed(atlasRequest);
} catch (AtlasAuthorizationException e) {
if (LOG.isErrorEnabled()) {
LOG.error("Access Restricted. Could not process the request due to : " + e);
}
}
if (isDebugEnabled) {
LOG.debug("Authorizer result :: " + accessAllowed);
}
if (accessAllowed) {
if (isDebugEnabled) {
LOG.debug("Access is allowed so forwarding the request!!!");
}
chain.doFilter(req, res);
} else {
JSONObject json = new JSONObject();
json.put("AuthorizationError", "Sorry you are not authorized for " + action.name() + " on "
+ atlasResourceType + " : " + resource);
HttpServletResponse response = (HttpServletResponse) res;
response.setContentType("application/json");
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
response.sendError(HttpServletResponse.SC_FORBIDDEN, json.toString());
if (isDebugEnabled) {
LOG.debug("Sorry you are not authorized for " + action.name() + " on " + atlasResourceType + " : "
+ resource);
LOG.debug("Returning 403 since the access is blocked update!!!!");
}
return;
}
} else {
if (isDebugEnabled) {
LOG.debug("Ignoring request " + pathInfo);
}
chain.doFilter(req, res);
}
}
}
\ No newline at end of file
webapp/src/main/resources/spring-security.xml
......@@ -49,6 +49,7 @@
<security:logout logout-success-url="/login.jsp" delete-cookies="JSESSIONID"
logout-url="/logout.html" />
<http-basic />
<security:custom-filter position="LAST" ref="atlasAuthorizationFilter"/>
</security:http>
<beans:bean id="formAuthenticationEntryPoint"
......@@ -86,4 +87,6 @@
pre-post-annotations="enabled" />
<context:component-scan base-package="org.apache.atlas.web" />
<beans:bean id = "atlasAuthorizationFilter" class="org.apache.atlas.web.filters.AtlasAuthorizationFilter"/>
</beans:beans>
webapp/src/test/java/org/apache/atlas/authorize/PolicyParserTest.java 0 → 100644
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.authorize;
import static org.junit.Assert.assertEquals;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.testng.annotations.Test;
public class PolicyParserTest {
@Test
public void testParsePoliciesWithAllProperties() {
List<String> policies = new ArrayList<String>();
policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;entity:*abc,operation:*xyz,type:PII");
/* Creating group data */
Map<String, List<AtlasActionTypes>> groupMap = new HashMap<String, List<AtlasActionTypes>>();
List<AtlasActionTypes> accessList1 = new ArrayList<AtlasActionTypes>();
accessList1.add(AtlasActionTypes.READ);
accessList1.add(AtlasActionTypes.WRITE);
accessList1.add(AtlasActionTypes.UPDATE);
groupMap.put("grp1", accessList1);
List<AtlasActionTypes> accessList2 = new ArrayList<AtlasActionTypes>();
accessList2.add(AtlasActionTypes.UPDATE);
groupMap.put("grp2", accessList2);
/* Creating user data */
Map<String, List<AtlasActionTypes>> usersMap = new HashMap<String, List<AtlasActionTypes>>();
List<AtlasActionTypes> usr1AccessList = new ArrayList<AtlasActionTypes>();
usr1AccessList.add(AtlasActionTypes.READ);
usersMap.put("usr1", usr1AccessList);
List<AtlasActionTypes> usr2AccessList = new ArrayList<AtlasActionTypes>();
usr2AccessList.add(AtlasActionTypes.READ);
usr2AccessList.add(AtlasActionTypes.WRITE);
usersMap.put("usr2", usr2AccessList);
/* Creating resources data */
Map<AtlasResourceTypes, List<String>> resourceMap = new HashMap<AtlasResourceTypes, List<String>>();
List<String> resource1List = new ArrayList<String>();
resource1List.add("*abc");
resourceMap.put(AtlasResourceTypes.ENTITY, resource1List);
List<String> resource2List = new ArrayList<String>();
resource2List.add("*xyz");
resourceMap.put(AtlasResourceTypes.OPERATION, resource2List);
List<String> resource3List = new ArrayList<String>();
resource3List.add("PII");
resourceMap.put(AtlasResourceTypes.TYPE, resource3List);
List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies);
for (PolicyDef def : policyDefs) {
assertEquals(def.getPolicyName(), "hivePolicy");
assertEquals(def.getGroups(), groupMap);
assertEquals(def.getUsers(), usersMap);
assertEquals(def.getResources(), resourceMap);
}
}
@Test
public void testParsePoliciesWithOutUserProperties() {
List<String> policies = new ArrayList<String>();
policies.add("hivePolicy;;;;grp1:rwu,grp2:u;;entity:*abc,operation:*xyz,type:PII");
// Creating group data
Map<String, List<AtlasActionTypes>> groupMap = new HashMap<String, List<AtlasActionTypes>>();
List<AtlasActionTypes> accessList1 = new ArrayList<AtlasActionTypes>();
accessList1.add(AtlasActionTypes.READ);
accessList1.add(AtlasActionTypes.WRITE);
accessList1.add(AtlasActionTypes.UPDATE);
groupMap.put("grp1", accessList1);
List<AtlasActionTypes> accessList2 = new ArrayList<AtlasActionTypes>();
accessList2.add(AtlasActionTypes.UPDATE);
groupMap.put("grp2", accessList2);
// Creating user data
Map<String, List<AtlasActionTypes>> usersMap = new HashMap<String, List<AtlasActionTypes>>();
// Creating resources data
Map<AtlasResourceTypes, List<String>> resourceMap = new HashMap<AtlasResourceTypes, List<String>>();
List<String> resource1List = new ArrayList<String>();
resource1List.add("*abc");
resourceMap.put(AtlasResourceTypes.ENTITY, resource1List);
List<String> resource2List = new ArrayList<String>();
resource2List.add("*xyz");
resourceMap.put(AtlasResourceTypes.OPERATION, resource2List);
List<String> resource3List = new ArrayList<String>();
resource3List.add("PII");
resourceMap.put(AtlasResourceTypes.TYPE, resource3List);
List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies);
for (PolicyDef def : policyDefs) {
assertEquals(def.getPolicyName(), "hivePolicy");
assertEquals(def.getGroups(), groupMap);
assertEquals(def.getUsers(), usersMap);
assertEquals(def.getResources(), resourceMap);
}
}
@Test
public void testParsePoliciesWithOutGroupProperties() {
List<String> policies = new ArrayList<String>();
policies.add("hivePolicy;;usr1:r,usr2:rw;;;;entity:*abc,operation:*xyz,type:PII");
// Creating group data
Map<String, List<AtlasActionTypes>> groupMap = new HashMap<String, List<AtlasActionTypes>>();
// Creating user data
Map<String, List<AtlasActionTypes>> usersMap = new HashMap<String, List<AtlasActionTypes>>();
List<AtlasActionTypes> usr1AccessList = new ArrayList<AtlasActionTypes>();
usr1AccessList.add(AtlasActionTypes.READ);
usersMap.put("usr1", usr1AccessList);
List<AtlasActionTypes> usr2AccessList = new ArrayList<AtlasActionTypes>();
usr2AccessList.add(AtlasActionTypes.READ);
usr2AccessList.add(AtlasActionTypes.WRITE);
usersMap.put("usr2", usr2AccessList);
// Creating resources data
Map<AtlasResourceTypes, List<String>> resourceMap = new HashMap<AtlasResourceTypes, List<String>>();
List<String> resource1List = new ArrayList<String>();
resource1List.add("*abc");
resourceMap.put(AtlasResourceTypes.ENTITY, resource1List);
List<String> resource2List = new ArrayList<String>();
resource2List.add("*xyz");
resourceMap.put(AtlasResourceTypes.OPERATION, resource2List);
List<String> resource3List = new ArrayList<String>();
resource3List.add("PII");
resourceMap.put(AtlasResourceTypes.TYPE, resource3List);
List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies);
for (PolicyDef def : policyDefs) {
assertEquals(def.getPolicyName(), "hivePolicy");
assertEquals(def.getGroups(), groupMap);
assertEquals(def.getUsers(), usersMap);
assertEquals(def.getResources(), resourceMap);
}
}
}
\ No newline at end of file
webapp/src/test/java/org/apache/atlas/authorize/PolicyUtilTest.java 0 → 100644
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.authorize;
import static org.junit.Assert.assertEquals;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.testng.annotations.Test;
public class PolicyUtilTest {
@Test
public void testCreatePermissionMap() {
HashMap<AtlasResourceTypes, List<String>> resourceMap = new HashMap<AtlasResourceTypes, List<String>>();
List<String> resource1List = new ArrayList<String>();
resource1List.add("*abc");
resourceMap.put(AtlasResourceTypes.ENTITY, resource1List);
List<String> resource2List = new ArrayList<String>();
resource2List.add("*xyz");
resourceMap.put(AtlasResourceTypes.OPERATION, resource2List);
List<String> resource3List = new ArrayList<String>();
resource3List.add("PII");
resourceMap.put(AtlasResourceTypes.TYPE, resource3List);
Map<String, HashMap<AtlasResourceTypes, List<String>>> permissionMap =
new HashMap<String, HashMap<AtlasResourceTypes, List<String>>>();
permissionMap.put("grp1", resourceMap);
List<String> policies = new ArrayList<String>();
policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;entity:*abc,operation:*xyz,type:PII");
List<PolicyDef> policyDefList = new PolicyParser().parsePolicies(policies);
Map<String, Map<AtlasResourceTypes, List<String>>> createdPermissionMap =
new PolicyUtil().createPermissionMap(policyDefList, AtlasActionTypes.READ, AtlasAccessorTypes.GROUP);
assertEquals(permissionMap, createdPermissionMap);
}
@Test
public void testMergeCreatePermissionMap() {
HashMap<AtlasResourceTypes, List<String>> resourceMap = new HashMap<AtlasResourceTypes, List<String>>();
List<String> resource1List = new ArrayList<String>();
resource1List.add("*abc");
resourceMap.put(AtlasResourceTypes.ENTITY, resource1List);
List<String> resource2List = new ArrayList<String>();
resource2List.add("*x");
resource2List.add("*xyz");
resourceMap.put(AtlasResourceTypes.OPERATION, resource2List);
List<String> resource3List = new ArrayList<String>();
resource3List.add("PII");
resourceMap.put(AtlasResourceTypes.TYPE, resource3List);
Map<String, HashMap<AtlasResourceTypes, List<String>>> permissionMap =
new HashMap<String, HashMap<AtlasResourceTypes, List<String>>>();
permissionMap.put("grp1", resourceMap);
List<String> policies = new ArrayList<String>();
policies.add("hivePolicys;;;;grp1:rwu;;entity:*abc,operation:*xyz,operation:*x");
policies.add("hivePolicy;;;;grp1:rwu;;entity:*abc,operation:*xyz");
policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu;;entity:*abc,operation:*xyz");
policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;entity:*abc,operation:*xyz,type:PII");
List<PolicyDef> policyDefList = new PolicyParser().parsePolicies(policies);
Map<String, Map<AtlasResourceTypes, List<String>>> createdPermissionMap =
new PolicyUtil().createPermissionMap(policyDefList, AtlasActionTypes.READ, AtlasAccessorTypes.GROUP);
assertEquals(permissionMap, createdPermissionMap);
}
}
webapp/src/test/java/org/apache/atlas/authorize/SimpleAtlasAuthorizerTest.java 0 → 100644
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.authorize;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.testng.AssertJUnit;
import org.testng.annotations.Test;
public class SimpleAtlasAuthorizerTest {
private static Logger LOG = LoggerFactory.getLogger(SimpleAtlasAuthorizerTest.class);
@Test
public void testAccessAllowedForUserAndGroup() {
Map<String, Map<AtlasResourceTypes, List<String>>> userReadMap = null;
Map<String, Map<AtlasResourceTypes, List<String>>> groupReadMap = null;
List<String> policies = new ArrayList<String>();
policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;type:*abc,type:PII");
List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies);
PolicyUtil policyUtil = new PolicyUtil();
// group read map
groupReadMap = policyUtil.createPermissionMap(policyDefs, AtlasActionTypes.READ, AtlasAccessorTypes.GROUP);
// creating user readMap
userReadMap = policyUtil.createPermissionMap(policyDefs, AtlasActionTypes.READ, AtlasAccessorTypes.USER);
List<AtlasResourceTypes> resourceType = new ArrayList<AtlasResourceTypes>();
resourceType.add(AtlasResourceTypes.TYPE);
String resource = "xsdfhjabc";
AtlasActionTypes action = AtlasActionTypes.READ;
String user = "usr1";
List<String> userGroups = new ArrayList<String>();
userGroups.add("grp3");
AtlasAccessRequest request = new AtlasAccessRequest(resourceType, resource, action, user, userGroups);
SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) SimpleAtlasAuthorizer.getInstance();
authorizer.setResourcesForTesting(userReadMap, groupReadMap, action);
try {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
// getUserReadMap
AssertJUnit.assertEquals(true, isAccessAllowed);
} catch (AtlasAuthorizationException e) {
if (LOG.isErrorEnabled()) {
LOG.error("AtlasAuthorizationException in Unit Test", e);
}
}
}
@Test
public void testAccessAllowedForGroup() {
Map<String, Map<AtlasResourceTypes, List<String>>> userReadMap = null;
Map<String, Map<AtlasResourceTypes, List<String>>> groupReadMap = null;
List<String> policies = new ArrayList<String>();
policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;type:PII");
List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies);
PolicyUtil policyUtil = new PolicyUtil();
// creating group read map
groupReadMap = policyUtil.createPermissionMap(policyDefs, AtlasActionTypes.READ, AtlasAccessorTypes.GROUP);
// creating user readMap
userReadMap = policyUtil.createPermissionMap(policyDefs, AtlasActionTypes.READ, AtlasAccessorTypes.USER);
List<AtlasResourceTypes> resourceType = new ArrayList<AtlasResourceTypes>();
resourceType.add(AtlasResourceTypes.TYPE);
String resource = "PII";
AtlasActionTypes action = AtlasActionTypes.READ;
String user = "usr3";
List<String> userGroups = new ArrayList<String>();
userGroups.add("grp1");
AtlasAccessRequest request = new AtlasAccessRequest(resourceType, resource, action, user, userGroups);
SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) SimpleAtlasAuthorizer.getInstance();
authorizer.setResourcesForTesting(userReadMap, groupReadMap, action);
try {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
AssertJUnit.assertEquals(true, isAccessAllowed);
} catch (AtlasAuthorizationException e) {
if (LOG.isErrorEnabled()) {
LOG.error("AtlasAuthorizationException in Unit Test", e);
}
}
}
@Test
public void testResourceNotAvailableInPolicy() {
Map<String, Map<AtlasResourceTypes, List<String>>> userReadMap = null;
Map<String, Map<AtlasResourceTypes, List<String>>> groupReadMap = null;
List<String> policies = new ArrayList<String>();
policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;type:PII");
List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies);
PolicyUtil policyUtil = new PolicyUtil();
// group read map
groupReadMap = policyUtil.createPermissionMap(policyDefs, AtlasActionTypes.READ, AtlasAccessorTypes.GROUP);
// creating user readMap
userReadMap = policyUtil.createPermissionMap(policyDefs, AtlasActionTypes.READ, AtlasAccessorTypes.USER);
List<AtlasResourceTypes> resourceType = new ArrayList<AtlasResourceTypes>();
resourceType.add(AtlasResourceTypes.TYPE);
String resource = "abc";
AtlasActionTypes action = AtlasActionTypes.READ;
String user = "usr1";
List<String> userGroups = new ArrayList<String>();
userGroups.add("grp1");
AtlasAccessRequest request = new AtlasAccessRequest(resourceType, resource, action, user, userGroups);
SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) SimpleAtlasAuthorizer.getInstance();
authorizer.setResourcesForTesting(userReadMap, groupReadMap, action);
try {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
AssertJUnit.assertEquals(false, isAccessAllowed);
} catch (AtlasAuthorizationException e) {
if (LOG.isErrorEnabled()) {
LOG.error("AtlasAuthorizationException in Unit Test", e);
}
}
}
@Test
public void testAccessNotAllowedForUserAndGroup() {
Map<String, Map<AtlasResourceTypes, List<String>>> userReadMap = null;
Map<String, Map<AtlasResourceTypes, List<String>>> groupReadMap = null;
List<String> policies = new ArrayList<String>();
policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;type:PII");
List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies);
PolicyUtil policyUtil = new PolicyUtil();
// group read map
groupReadMap = policyUtil.createPermissionMap(policyDefs, AtlasActionTypes.READ, AtlasAccessorTypes.GROUP);
// creating user readMap
userReadMap = policyUtil.createPermissionMap(policyDefs, AtlasActionTypes.READ, AtlasAccessorTypes.USER);
List<AtlasResourceTypes> resourceType = new ArrayList<AtlasResourceTypes>();
resourceType.add(AtlasResourceTypes.TYPE);
String resource = "PII";
AtlasActionTypes action = AtlasActionTypes.READ;
String user = "usr3";
List<String> userGroups = new ArrayList<String>();
userGroups.add("grp3");
AtlasAccessRequest request = new AtlasAccessRequest(resourceType, resource, action, user, userGroups);
SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) SimpleAtlasAuthorizer.getInstance();
authorizer.setResourcesForTesting(userReadMap, groupReadMap, action);
try {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
AssertJUnit.assertEquals(false, isAccessAllowed);
} catch (AtlasAuthorizationException e) {
if (LOG.isErrorEnabled()) {
LOG.error("AtlasAuthorizationException in Unit Test", e);
}
}
}
}
webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java
......@@ -60,7 +60,7 @@ public class FileAuthenticationTest {
public void setup() throws Exception {
String persistDir = TestUtils.getTempDirectory();
setUpPolicyStore(persistDir);
setupUserCredential(persistDir);
setUpAltasApplicationProperties(persistDir);
......@@ -75,15 +75,15 @@ public class FileAuthenticationTest {
}
private void setUpAltasApplicationProperties(String persistDir) throws Exception{
private void setUpAltasApplicationProperties(String persistDir) throws Exception {
final PropertiesConfiguration configuration = new PropertiesConfiguration();
configuration.setProperty("atlas.login.method", "FILE");
configuration.setProperty("atlas.login.credentials.file", persistDir
+ "/users-credentials");
configuration.setProperty("atlas.auth.policy.file",persistDir
+ "/policy-store.txt" );
TestUtils.writeConfiguration(configuration, persistDir + File.separator
+ ApplicationProperties.APPLICATION_PROPERTIES);
}
private void setupUserCredential(String tmpDir) throws Exception {
......@@ -98,6 +98,15 @@ public class FileAuthenticationTest {
FileUtils.write(credentialFile, credentialFileStr.toString());
}
private void setUpPolicyStore(String tmpDir) throws Exception {
StringBuilder policyStr = new StringBuilder(1024);
policyStr.append("adminPolicy;;admin:rwud;;ROLE_ADMIN:rwud;;type:*,entity:*,operation:*");
File policyFile = new File(tmpDir, "policy-store.txt");
FileUtils.write(policyFile, policyStr.toString());
}
@Test
public void testValidUserLogin() {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment