[ https://issues.apache.org/jira/browse/ATLAS-3261?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16856722#comment-16856722 ]
Adam Rempter commented on ATLAS-3261: ------------------------------------- I did some checking on this issue, and what happens, when new message is received, security check is done by AtlasAuthorizationUtils before entity is created. public static boolean isAccessAllowed(AtlasAdminAccessRequest request) { boolean ret = false; *String userName = getCurrentUserName(); <-- returns ""* *if (StringUtils.isNotEmpty(userName)) { <-- false* try { AtlasAuthorizer authorizer = AtlasAuthorizerFactory.getAtlasAuthorizer(); request.setUser(userName, getCurrentUserGroups()); request.setClientIPAddress(RequestContext.get().getClientIPAddress()); ret = authorizer.isAccessAllowed(request); } catch (AtlasAuthorizationException e) { LOG.error("Unable to obtain AtlasAuthorizer", e); } *} else { <-- if no user return true* ret = true; } Now I added user from kafka as current security principal (see patch) and then it properly calls authorizer: rg.apache.atlas.exception.AtlasBaseException: *testuser is not authorized to perform create entity: type=server* at org.apache.atlas.authorize.AtlasAuthorizationUtils.verifyAccess(AtlasAuthorizationUtils.java:61) at org.apache.atlas.repository.store.graph.v2.AtlasEntityStoreV2.createOrUpdate(AtlasEntityStoreV2.java:664) But I am not sure it this is best way to handle this case... > Ranger Authorizer for Atlas is not checked for kafka messages > ------------------------------------------------------------- > > Key: ATLAS-3261 > URL: https://issues.apache.org/jira/browse/ATLAS-3261 > Project: Atlas > Issue Type: Bug > Components: atlas-intg > Affects Versions: 1.1.0, 2.0.0 > Reporter: Adam Rempter > Priority: Major > Labels: security > Attachments: 0001-set-message-user-as-principal.patch > > > Atlas can be configured to authorize user actions with Ranger > ([https://atlas.apache.org/1.1.0/Atlas-Authorization-Ranger-Authorizer.html]). > > When I use user via REST it works: > curl -X GET -u testuser:testuser > http://localhost:21000/api/atlas/v2/entity/guid/f52151a0-fa08-4eab-b885-ece847a106e0 > {"errorCode":"ATLAS-403-00-001","errorMessage":"testuser is not authorized to > perform read entity: guid=f52151a0-fa08-4eab-b885-ece847a106e0"} > > When I send lineage to ATLAS_HOOK, I can create lineage successfully: > 2019-06-04 14:01:38,974 > 2019-06-04T12:01:23.867Z|testuser|NotificationHookConsumer|POST|api/atlas/v2/entity/|200|15119 > In above, I think user is taken from lineage message field user in json. > > Of course above is valid if another policy in ranger (kafka plugin) allows > puting messages to ATLAS_HOOK topic. > > But if I have one user (technical account) to produce to kafka and I want to > deny access in Atlas based on user from message, atlas ranger authorizer > doens't work. > > > > -- This message was sent by Atlassian JIRA (v7.6.3#76005)