Repository: incubator-atlas Updated Branches: refs/heads/0.7-incubating 6e96c91ac -> 9b15d1eb4
ATLAS-765 Need documentation for Authentication and Authorization features of Atlas (nixonrodrigues via yhemanth) Project: http://git-wip-us.apache.org/repos/asf/incubator-atlas/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-atlas/commit/9b15d1eb Tree: http://git-wip-us.apache.org/repos/asf/incubator-atlas/tree/9b15d1eb Diff: http://git-wip-us.apache.org/repos/asf/incubator-atlas/diff/9b15d1eb Branch: refs/heads/0.7-incubating Commit: 9b15d1eb4c5670f94d7cb86d48083c885cdcc6ce Parents: 6e96c91 Author: Hemanth Yamijala <[email protected]> Authored: Tue Jun 21 22:48:09 2016 +0530 Committer: Hemanth Yamijala <[email protected]> Committed: Tue Jun 21 22:48:09 2016 +0530 ---------------------------------------------------------------------- .../twiki/Authentication-Authorization.twiki | 165 +++++++++++++++++++ docs/src/site/twiki/index.twiki | 1 + release-log.txt | 1 + 3 files changed, 167 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/9b15d1eb/docs/src/site/twiki/Authentication-Authorization.twiki ---------------------------------------------------------------------- diff --git a/docs/src/site/twiki/Authentication-Authorization.twiki b/docs/src/site/twiki/Authentication-Authorization.twiki new file mode 100644 index 0000000..1e35ceb --- /dev/null +++ b/docs/src/site/twiki/Authentication-Authorization.twiki 
@@ -0,0 +1,165 @@ +---++ Authentication & Authorization in Apache Atlas. + +---+++ Authentication + +Atlas supports following authentication methods + + * *File* + * *Kerberos* + * *LDAP* + + +Following properties should be set true to enable the authentication of that type in =atlas-application.properties= file. + + +<verbatim> +atlas.authentication.method.kerberos=true|false +atlas.authentication.method.ldap=true|false +atlas.authentication.method.file=true|false +</verbatim> + +If two or more authentication methods are set to true, then the authentication falls back to the latter method if the earlier one fails. +For example if Kerberos authentication is set to true and ldap authentication is also set to true then, if for a request without kerberos principal and keytab LDAP authentication will be used as a fallback scenario. + +---++++FILE method. + +File authentication requires users' login details in users credentials file in the format specified below and +the file path should set to property =atlas.authentication.method.file.filename= in =atlas-application.properties=. + +<verbatim> +atlas.authentication.method.file=true +atlas.authentication.method.file.filename=${sys:atlas.home}/conf/users-credentials.properties +</verbatim> + +The users credentials file should have below format +<verbatim> +username=group::sha256-password +</verbatim> + +For e.g. +<verbatim> +admin=ADMIN::e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a +</verbatim> + +Users group can be either *ADMIN*, *DATA_STEWARD* OR *DATA_SCIENTIST* + +*Note*:-password is encoded with sha256 encoding method and can be generated using unix tool. + +For e.g. +<verbatim> +echo -n "Password" | sha256sum +e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a - +</verbatim> + +---++++ Kerberos Method. 
+ +To enable the authentication in Kerberos mode in Atlas, set the property =atlas.authentication.method.kerberos= to true in =atlas-application.properties= + +<verbatim> +atlas.authentication.method.kerberos = true +</verbatim> + +Also following properties should be set. + +<verbatim> +atlas.authentication.method.kerberos.principal=<principal>/<fqdn>@EXAMPLE.COM +atlas.authentication.method.kerberos.keytab = /<key tab filepath>.keytab +atlas.authentication.method.kerberos.name.rules = RULE:[2:$1@$0]([email protected])s/.*/atlas/ +</verbatim> + + +---++++ LDAP Method. + +To enable the authentication in LDAP mode in Atlas, set the property =atlas.authentication.method.ldap= to true and also set Ldap type to property =atlas.authentication.method.ldap.type= to LDAP or AD in =atlas-application.properties=. +Use AD if connecting to Active Directory. + +<verbatim> +atlas.authentication.method.ldap=true +atlas.authentication.method.ldap.type=ldap|ad +</verbatim> + + +For LDAP or AD the following configuration needs to be set in atlas application properties. 
+ +*Active Directory* + +<verbatim> +atlas.authentication.method.ldap.ad.domain= example.com +atlas.authentication.method.ldap.ad.url=ldap://<AD server ip>:389 +atlas.authentication.method.ldap.ad.base.dn=DC=example,DC=com +atlas.authentication.method.ldap.ad.bind.dn=CN=Administrator,CN=Users,DC=example,DC=com +atlas.authentication.method.ldap.ad.bind.password=<password> +atlas.authentication.method.ldap.ad.referral=ignore +atlas.authentication.method.ldap.ad.user.searchfilter=(sAMAccountName={0}) +atlas.authentication.method.ldap.ad.default.role=ROLE_USER +</verbatim> + +*LDAP Directroy* + +<verbatim> +atlas.authentication.method.ldap.url=ldap://<Ldap server ip>:389 +atlas.authentication.method.ldap.userDNpattern=uid={0],ou=users,dc=example,dc=com +atlas.authentication.method.ldap.groupSearchBase=dc=example,dc=com +atlas.authentication.method.ldap.groupSearchFilter=(member=cn={0},ou=users,dc=example,dc=com +atlas.authentication.method.ldap.groupRoleAttribute=cn +atlas.authentication.method.ldap.base.dn=dc=example,dc=com +atlas.authentication.method.ldap.bind.dn=cn=Manager,dc=example,dc=com +atlas.authentication.method.ldap.bind.password=<password> +atlas.authentication.method.ldap.referral=ignore +atlas.authentication.method.ldap.user.searchfilter=(uid={0}) +atlas.authentication.method.ldap.default.role=ROLE_USER +</verbatim> + +---+++ Authorization + + +---++++ Atlas Authorization Methods [Simple/Ranger] +To set authorization in atlas, update the =atlas.authorizer.impl= properties in =atlas-application.properties= + * *Simple* + * *Ranger* + + + +<verbatim> +atlas.authorizer.impl=simple | ranger | <Qualified Authorizer Class Name> +</verbatim> + +---++++ Simple Authorizer. + +In Simple Authorizer the policy store file is configured locally. 
The path of policy store file is set in +=atlas.auth.policy.file= property of =atlas-application.properties= + +<verbatim> +atlas.auth.policy.file={{conf_dir}}/policy-store.txt +</verbatim> + +The policy store file format is as follows: + +<verbatim> +Policy_Name;;User_Name:Operations_Allowed;;Group_Name:Operations_Allowed;;Resource_Type:Resource_Name +</verbatim> + +eg. of admin policy: +<verbatim> +adminPolicy;;admin:rwud;;ROLE_ADMIN:rwud;;type:*,entity:*,operation:*,taxonomy:*,term:* +</verbatim> + +Note : The User_Name, Group_Name and Operations_Allowed are comma(,) separated lists. + +Authorizer Resource Types: + * Operation + * Type + * Entity + * Taxonomy + * Term + * Unknown + + +Operations_Allowed are r = read, w = write, u = update, d = delete + + +---++++ Ranger Authorizer. + +Ranger Authorizer is enabled by activating Atlas-Ranger plugin from Ambari. + +For more details visit the [[http://ranger.apache.org/][Apache-Ranger documentation]]. http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/9b15d1eb/docs/src/site/twiki/index.twiki ---------------------------------------------------------------------- diff --git a/docs/src/site/twiki/index.twiki b/docs/src/site/twiki/index.twiki index 8c57d06..8dda474 100755 --- a/docs/src/site/twiki/index.twiki +++ b/docs/src/site/twiki/index.twiki @@ -42,6 +42,7 @@ allows integration with the whole enterprise data ecosystem. * [[Repository][Metadata Repository]] * [[Search][Search]] * [[security][Security]] + * [[Authentication-Authorization][Authentication and Authorization]] * [[Configuration][Configuration]] * Notification * [[Notification-Entity][Entity Notification]] http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/9b15d1eb/release-log.txt ---------------------------------------------------------------------- diff --git a/release-log.txt b/release-log.txt index 661c149..89fdd91 100644 --- a/release-log.txt +++ b/release-log.txt 
@@ -30,6 +30,7 @@ ATLAS-409 Atlas will not import avro tables with schema read from a file (dosset ATLAS-379 Create sqoop and falcon metadata addons (venkatnrangan,bvellanki,sowmyaramesh via shwethags) ALL CHANGES: +ATLAS-765 Need documentation for Authentication and Authorization features of Atlas (nixonrodrigues via yhemanth) ATLAS-930 QuickStart is failing when run after a specific sequence of operations (yhemanth via shwethags) ATLAS-904 Hive hook fails due to session state not being set (sumasai via yhemanth) ATLAS-929 Add test for trait preservation on column rename for non-default database (svimal2106 via shwethags)
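Review bot: two of the sample LDAP properties in the Authentication-Authorization.twiki hunk would fail if copied as-is: `atlas.authentication.method.ldap.userDNpattern=uid={0],ou=users,dc=example,dc=com` closes the `{0}` placeholder with `]` instead of `}`, and `atlas.authentication.method.ldap.groupSearchFilter=(member=cn={0},ou=users,dc=example,dc=com` is missing its closing parenthesis; the heading above that block also reads "LDAP Directroy". In the FILE method section, "password is encoded with sha256 encoding method" should say hashed, and since `echo -n "Password" | sha256sum` produces an unsalted digest and the credentials file, the Kerberos keytab and the LDAP/AD `bind.password` are all plain files referenced from atlas-application.properties, the page should state that these files need restrictive filesystem permissions. The fallback sentence ("if for a request without kerberos principal and keytab LDAP authentication will be used") needs rewording, e.g. "a request that carries no Kerberos credentials is authenticated against LDAP instead". Finally, `{{conf_dir}}` in `atlas.auth.policy.file` differs from the `${sys:atlas.home}/conf` form used for `atlas.authentication.method.file.filename`; use one path convention.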
