ATLAS-765 Need documentation for Authentication and Authorization features of…

ATLAS-765 Need documentation for Authentication and Authorization features of Atlas (nixonrodrigues via yhemanth)

ATLAS-765 Need documentation for Authentication and Authorization features of…
b25d198c · Hemanth Yamijala · dfd9c96b · b25d198c · b25d198c · b25d198c
Commit b25d198c authored Jun 21, 2016 by Hemanth Yamijala
Showing with 167 additions and 0 deletions

Authentication-Authorization.twiki docs/src/site/twiki/Authentication-Authorization.twiki +165 -0

index.twiki docs/src/site/twiki/index.twiki +1 -0

release-log.txt release-log.txt +1 -0

No files found.
--- a/docs/src/site/twiki/Authentication-Authorization.twiki
+++ b/docs/src/site/twiki/Authentication-Authorization.twiki
+---++ Authentication & Authorization in Apache Atlas.
+
+---+++ Authentication
+
+Atlas supports following authentication methods
+
+   * *File*
+   * *Kerberos*
+   * *LDAP*
+
+
+Following properties should be set true to enable the authentication of that type in =atlas-application.properties= file.
+
+
+<verbatim>
+atlas.authentication.method.kerberos=true|false
+atlas.authentication.method.ldap=true|false
+atlas.authentication.method.file=true|false
+</verbatim>
+
+If two or more authentication methods are set to true, then the authentication falls back to the latter method if the earlier one fails.
+For example if Kerberos authentication is set to true and ldap authentication is also set to true then, if for a request without kerberos principal and keytab LDAP authentication will be used as a fallback scenario.
+
+---++++FILE method.
+
+File authentication requires users' login details in users credentials file in the format specified below and
+the file path should set to property =atlas.authentication.method.file.filename= in =atlas-application.properties=.
+
+<verbatim>
+atlas.authentication.method.file=true
+atlas.authentication.method.file.filename=${sys:atlas.home}/conf/users-credentials.properties
+</verbatim>
+
+The users credentials file should have below format
+<verbatim>
+username=group::sha256-password
+</verbatim>
+
+For e.g.
+<verbatim>
+admin=ADMIN::e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a
+</verbatim>
+
+Users group can be either *ADMIN*, *DATA_STEWARD* OR *DATA_SCIENTIST*
+
+*Note*:-password is encoded with sha256 encoding method and can be generated using unix tool.
+
+For e.g.
+<verbatim>
+echo -n "Password" | sha256sum
+e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a  -
+</verbatim>
+
+---++++ Kerberos Method.
+
+To enable the authentication in Kerberos mode in Atlas, set the property =atlas.authentication.method.kerberos= to true in =atlas-application.properties=
+
+<verbatim>
+atlas.authentication.method.kerberos = true
+</verbatim>
+
+Also following properties should be set.
+
+<verbatim>
+atlas.authentication.method.kerberos.principal=<principal>/<fqdn>@EXAMPLE.COM
+atlas.authentication.method.kerberos.keytab = /<key tab filepath>.keytab
+atlas.authentication.method.kerberos.name.rules = RULE:[2:$1@$0](atlas@EXAMPLE.COM)s/.*/atlas/
+</verbatim>
+
+
+---++++ LDAP Method.
+
+To enable the authentication in LDAP mode in Atlas, set the property =atlas.authentication.method.ldap= to true and also set Ldap type to property =atlas.authentication.method.ldap.type= to LDAP or AD in =atlas-application.properties=.
+Use AD if connecting to Active Directory.
+
+<verbatim>
+atlas.authentication.method.ldap=true
+atlas.authentication.method.ldap.type=ldap|ad
+</verbatim>
+
+
+For LDAP or AD the following configuration needs to be set in atlas application properties.
+
+*Active Directory*
+
+<verbatim>
+atlas.authentication.method.ldap.ad.domain= example.com
+atlas.authentication.method.ldap.ad.url=ldap://<AD server ip>:389
+atlas.authentication.method.ldap.ad.base.dn=DC=example,DC=com
+atlas.authentication.method.ldap.ad.bind.dn=CN=Administrator,CN=Users,DC=example,DC=com
+atlas.authentication.method.ldap.ad.bind.password=<password>
+atlas.authentication.method.ldap.ad.referral=ignore
+atlas.authentication.method.ldap.ad.user.searchfilter=(sAMAccountName={0})
+atlas.authentication.method.ldap.ad.default.role=ROLE_USER
+</verbatim>
+
+*LDAP Directroy*
+
+<verbatim>
+atlas.authentication.method.ldap.url=ldap://<Ldap server ip>:389
+atlas.authentication.method.ldap.userDNpattern=uid={0],ou=users,dc=example,dc=com
+atlas.authentication.method.ldap.groupSearchBase=dc=example,dc=com
+atlas.authentication.method.ldap.groupSearchFilter=(member=cn={0},ou=users,dc=example,dc=com
+atlas.authentication.method.ldap.groupRoleAttribute=cn
+atlas.authentication.method.ldap.base.dn=dc=example,dc=com
+atlas.authentication.method.ldap.bind.dn=cn=Manager,dc=example,dc=com
+atlas.authentication.method.ldap.bind.password=<password>
+atlas.authentication.method.ldap.referral=ignore
+atlas.authentication.method.ldap.user.searchfilter=(uid={0})
+atlas.authentication.method.ldap.default.role=ROLE_USER
+</verbatim>
+
+---+++ Authorization
+
+
+---++++ Atlas Authorization Methods [Simple/Ranger]
+To set authorization in atlas, update the =atlas.authorizer.impl= properties in =atlas-application.properties=
+   * *Simple*
+   * *Ranger*
+
+
+
+<verbatim>
+atlas.authorizer.impl=simple | ranger | <Qualified Authorizer Class Name>
+</verbatim>
+
+---++++ Simple Authorizer.
+
+In Simple Authorizer the policy store file is configured locally. The path of policy store file is set in
+=atlas.auth.policy.file= property of =atlas-application.properties=
+
+<verbatim>
+atlas.auth.policy.file={{conf_dir}}/policy-store.txt
+</verbatim>
+
+The policy store file format is as follows:
+
+<verbatim>
+Policy_Name;;User_Name:Operations_Allowed;;Group_Name:Operations_Allowed;;Resource_Type:Resource_Name
+</verbatim>
+
+eg. of admin policy:
+<verbatim>
+adminPolicy;;admin:rwud;;ROLE_ADMIN:rwud;;type:*,entity:*,operation:*,taxonomy:*,term:*
+</verbatim>
+
+Note : The User_Name, Group_Name and Operations_Allowed are comma(,) separated lists.
+
+Authorizer Resource Types:
+   * Operation
+   * Type
+   * Entity
+   * Taxonomy
+   * Term
+   * Unknown
+
+
+Operations_Allowed are  r = read, w = write, u = update, d = delete
+
+
+---++++ Ranger Authorizer.
+
+Ranger Authorizer is enabled by activating Atlas-Ranger plugin from Ambari.
+
+For more details visit the [[http://ranger.apache.org/][Apache-Ranger documentation]].
--- a/docs/src/site/twiki/index.twiki
+++ b/docs/src/site/twiki/index.twiki
@@ -42,6 +42,7 @@ allows integration with the whole enterprise data ecosystem.
   * [[Repository][Metadata Repository]]
   * [[Search][Search]]
   * [[security][Security]]
+   * [[Authentication-Authorization][Authentication and Authorization]]
   * [[Configuration][Configuration]]
   * Notification
      * [[Notification-Entity][Entity Notification]]

--- a/release-log.txt
+++ b/release-log.txt
@@ -39,6 +39,7 @@ ATLAS-409 Atlas will not import avro tables with schema read from a file (dosset
 ATLAS-379 Create sqoop and falcon metadata addons (venkatnrangan,bvellanki,sowmyaramesh via shwethags)

 ALL CHANGES:
+ATLAS-765 Need documentation for Authentication and Authorization features of Atlas (nixonrodrigues via yhemanth)
 ATLAS-930 QuickStart is failing when run after a specific sequence of operations (yhemanth via shwethags)
 ATLAS-904 Hive hook fails due to session state not being set (sumasai via yhemanth)
 ATLAS-929 Add test for trait preservation on column rename for non-default database (svimal2106 via shwethags)