[ https://issues.apache.org/jira/browse/ATLAS-3755?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17096435#comment-17096435 ]
Bolke de Bruin commented on ATLAS-3755:
---------------------------------------
[~madhan] I have updated the patch to only use `entity-update` and
`entity-create` and do the access request in one go. This makes the access
request backwards incompatible and it would require an update to the Ranger
plugin. I suggest putting the check against the attributes behind a feature
flag so it remains backwards compatible and it would not affect anyone who
isn't using access controls on attributes or system attributes.
Let me know what you think.
> Allow system attributes to be updated when policy allows
> --------------------------------------------------------
>
> Key: ATLAS-3755
> URL: https://issues.apache.org/jira/browse/ATLAS-3755
> Project: Atlas
> Issue Type: Improvement
> Components: atlas-core
> Affects Versions: 2.0.0, 2.1.0
> Reporter: Bolke de Bruin
> Assignee: Bolke de Bruin
> Priority: Critical
> Attachments:
> 0001-ATLAS-3755-Allow-system-attributes-to-be-updated-by-.patch,
> 0001-ATLAS-3755-Allow-system-attributes-to-be-updated-by-.patch,
> 0001-ATLAS-3755-Allow-system-attributes-to-be-updated-by-.patch, feature.patch
>
>
> Atlas does not operate in an isolated environment; this is one of the reasons
> the "homeId" system attribute was introduced. Unfortunately system attributes
> can only be updated when importing. This means any integration with other
> services is significantly limited (Kafka, REST API will not work). (See also
> ATLAS-3754)
> To resolve this I propose to make it possible to update the system attributes
> when policy allows it. This introduces new
> AtlasPrivilege.ENTITY_UPDATE_SYSTEM_ATTRIBUTE and
> AtlasPrivilege.ENTITY_CREATE_SYSTEM_ATTRIBUTE next to
> AtlasPrivilege.ENTITY_UPDATE_ATTRIBUTE and
> AtlasPrivilege.ENTITY_CREATE_ATTRIBUTE rather than just checking on the
> entity level. In certain places we will then drop the requirement for an
> import to be active as this can now happen through other channels as well.
> This allows operators to specify policies that allow granular controls over
> attributes and system attributes.