[ https://issues.apache.org/jira/browse/ATLAS-3755?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17095559#comment-17095559 ]
Madhan Neethiraj commented on ATLAS-3755: ----------------------------------------- [~bolke] - I suggest to introduce an API to update system attributes like homeId, isProxy, provenanceType - just as APIs to change entity classifications, labels and business-metadata. This is to prevent inadvertent update of system attributes by entity-update calls i.e. current API users don't explicitly provide system attribute values, but Atlas server will receive default values FALSE (for boolean), and 0 (for numbers). Also, updates to such system attributes should be infrequent, compared to entity-updates; hence it will help to not take the additional cost of updating these attributes during entity-updates. Is it necessary to have separate permissions for create and update i.e. {{entity-create-system-attribute and entity-create-system-attribute}}? I suggest to have only one - {{entity-update-system-attribute}}. Also, the patch introduces authorization for each attribute update. What is the use case for this? This can be very expensive - both in terms of CPU cycles and amount of audit logs generated (in Ranger). Hence I suggest sticking to {{entity-update}} permission to cover update to any attribute of the entity. > Allow system attributes to be updated when policy allows > -------------------------------------------------------- > > Key: ATLAS-3755 > URL: https://issues.apache.org/jira/browse/ATLAS-3755 > Project: Atlas > Issue Type: Improvement > Components: atlas-core > Affects Versions: 2.0.0, 2.1.0 > Reporter: Bolke de Bruin > Assignee: Bolke de Bruin > Priority: Critical > Attachments: > 0001-ATLAS-3755-Allow-system-attributes-to-be-updated-by-.patch, > 0001-ATLAS-3755-Allow-system-attributes-to-be-updated-by-.patch, > 0001-ATLAS-3755-Allow-system-attributes-to-be-updated-by-.patch > > > Atlas does not operate in a isolated environment, this is one of the reasons > the "homeId" system attribute was introduced. Unfortunately system attributes > can only be updated when importing. This means any integration with other > services is significantly limited (Kafka, Rest API will not work). (See also > ATLAS-3754) > To resolve this I propose to make it possible to update the system attributes > when policy allows it. This introduces new > AtlasPrivilege.ENTITY_UPDATE_SYSTEM_ATTRIBUTE and > AtlasPrivilege.ENTITY_CREATE_SYSTEM_ATTRIBUTE next to > AtlasPrivilege.ENTITY_UPDATE_ATTRIBUTE and > AtlasPrivilege.ENTITY_CREATE_ATTRIBUTE rather than just checking on the > entity level. In certain places we will then drop the requirement for an > import to be active as this can now happen through other channels as well. > This allows operators to specify policies that allow granular controls over > attributes and system attributes. -- This message was sent by Atlassian Jira (v8.3.4#803005)