[ https://issues.apache.org/jira/browse/ATLAS-3755?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17095559#comment-17095559 ]

Madhan Neethiraj commented on ATLAS-3755:
-----------------------------------------

[~bolke] - I suggest introducing an API to update system attributes like 
homeId, isProxy, provenanceType - just like the APIs to change entity 
classifications, labels and business-metadata. This is to prevent inadvertent 
update of system attributes by entity-update calls, i.e. current API users don't 
explicitly provide system attribute values, but the Atlas server will receive 
default values FALSE (for boolean), and 0 (for numbers). Also, updates to such 
system attributes should be infrequent, compared to entity-updates; hence it 
will help to not take the additional cost of updating these attributes during 
entity-updates.

Is it necessary to have separate permissions for create and update, i.e. 
{{entity-create-system-attribute and entity-create-system-attribute}}? I 
suggest having only one - {{entity-update-system-attribute}}.

Also, the patch introduces authorization for each attribute update. What is the 
use case for this? This can be very expensive - both in terms of CPU cycles and 
amount of audit logs generated (in Ranger). Hence I suggest sticking to 
{{entity-update}} permission to cover update to any attribute of the entity.

> Allow system attributes to be updated when policy allows
> --------------------------------------------------------
>
>                 Key: ATLAS-3755
>                 URL: https://issues.apache.org/jira/browse/ATLAS-3755
>             Project: Atlas
>          Issue Type: Improvement
>          Components:  atlas-core
>    Affects Versions: 2.0.0, 2.1.0
>            Reporter: Bolke de Bruin
>            Assignee: Bolke de Bruin
>            Priority: Critical
>         Attachments: 
> 0001-ATLAS-3755-Allow-system-attributes-to-be-updated-by-.patch, 
> 0001-ATLAS-3755-Allow-system-attributes-to-be-updated-by-.patch, 
> 0001-ATLAS-3755-Allow-system-attributes-to-be-updated-by-.patch
>
>
> Atlas does not operate in an isolated environment, this is one of the reasons 
> the "homeId" system attribute was introduced. Unfortunately system attributes 
> can only be updated when importing. This means any integration with other 
> services is significantly limited (Kafka, Rest API will not work). (See also 
> ATLAS-3754)
> To resolve this I propose to make it possible to update the system attributes 
> when policy allows it. This introduces new 
> AtlasPrivilege.ENTITY_UPDATE_SYSTEM_ATTRIBUTE and 
> AtlasPrivilege.ENTITY_CREATE_SYSTEM_ATTRIBUTE next to 
> AtlasPrivilege.ENTITY_UPDATE_ATTRIBUTE and 
> AtlasPrivilege.ENTITY_CREATE_ATTRIBUTE rather than just checking on the 
> entity level. In certain places we will then drop the requirement for an 
> import to be active as this can now happen through other channels as well.
> This allows operators to specify policies that allow granular controls over 
> attributes and system attributes.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
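
The inadvertent overwrite described in the comment above, as an added example that is not part of the original message or of Atlas's code. The `Entity` class, the method names and the sample values are hypothetical; only the attribute names and the `entity-update-system-attribute` permission name come from the thread.

```java
import java.util.Set;

public class SystemAttributeUpdateDemo {
    // Hypothetical entity model, not an Atlas class.
    static class Entity {
        String name;
        String homeId;
        boolean isProxy;     // an omitted value is indistinguishable from false
        int provenanceType;  // an omitted value is indistinguishable from 0
    }

    // Entity-update that copies every field: omitted system attributes arrive as defaults.
    static void naiveUpdate(Entity stored, Entity incoming) {
        stored.name = incoming.name;
        stored.homeId = incoming.homeId;
        stored.isProxy = incoming.isProxy;
        stored.provenanceType = incoming.provenanceType;
    }

    // Entity-update that never touches system attributes.
    static void entityUpdate(Entity stored, Entity incoming) {
        stored.name = incoming.name;
    }

    // Dedicated call for system attributes, with one permission check per request.
    static void updateSystemAttributes(Entity stored, Set<String> privileges,
                                       String homeId, boolean isProxy, int provenanceType) {
        if (!privileges.contains("entity-update-system-attribute")) {
            throw new SecurityException("entity-update-system-attribute required");
        }
        stored.homeId = homeId;
        stored.isProxy = isProxy;
        stored.provenanceType = provenanceType;
    }

    static Entity sample() {  // constructed sample data
        Entity e = new Entity();
        e.name = "orders"; e.homeId = "cluster-a"; e.isProxy = true; e.provenanceType = 2;
        return e;
    }

    public static void main(String[] args) {
        Entity incoming = new Entity();  // client sets only the name
        incoming.name = "orders_v2";
        Entity a = sample(); naiveUpdate(a, incoming);
        System.out.println("naive:   " + a.homeId + " " + a.isProxy + " " + a.provenanceType);
        Entity b = sample(); entityUpdate(b, incoming);
        System.out.println("guarded: " + b.homeId + " " + b.isProxy + " " + b.provenanceType);
        updateSystemAttributes(b, Set.of("entity-update-system-attribute"), "cluster-b", false, 0);
        System.out.println("system:  " + b.homeId + " " + b.isProxy + " " + b.provenanceType);
    }
}
```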
