-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72615/#review221135
-----------------------------------------------------------



Consider updating all methods that deal with multiple entities to ignore
unauthorized entities. Below is the list of such methods from a quick look:

  - GET    /bulk                                 - EntityREST.getByGuids()
  - DELETE /bulk                                 - EntityREST.deleteByGuids()
  - POST   /bulk/classification                  - EntityREST.addClassification()
  - POST   /bulk/setClassifications              - EntityREST.setClassifications()
  - GET    /bulk/headers                         - EntityREST.getEntityHeaders()
  - GET    /bulk/uniqueAttribute/type/{typeName} - EntityREST.getEntitiesByUniqueAttributes()

Instead of changing the signature of all these methods, I suggest adding a flag
RequestContext.ignoreUnauthorizedEntities and populating it from
AuditFilter.doFilter().

- Madhan Neethiraj


On July 6, 2020, 3:02 p.m., chaitali wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72615/
> -----------------------------------------------------------
> 
> (Updated July 6, 2020, 3:02 p.m.)
> 
> 
> Review request for atlas, Jayendra Parab, Nikhil Bonte, Nixon Rodrigues, and 
> Sarath Subramanian.
> 
> 
> Bugs: ATLAS-3855
>     https://issues.apache.org/jira/browse/ATLAS-3855
> 
> 
> Repository: atlas
> 
> 
> Description
> -------
> 
> API : /api/atlas/v2/entity/bulk/classification & v2/entity/bulk : if some
> guids belong to entities on which the user is unauthorized and other guids belong to
> entities on which the user is authorized, these APIs fail with a 403 error without
> returning the authorized entities.
> 
> 1. Unauthorized guids are filtered with this patch for both the APIs.
> 2. Added ignoreUnauthorisedGuids flag for /bulk/classification API as it
> doesn't return any object.
> 3. Also added unauthorized guids in the return object of /bulk in the response for
> the user's reference.
> 
> 
> Diffs
> -----
> 
>   repository/src/main/java/org/apache/atlas/repository/store/graph/AtlasEntityStore.java 7b9455ef3 
>   repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityStoreV2.java bf1629cb3 
>   repository/src/test/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityStoreV2Test.java b9cbef1b0 
>   webapp/src/main/java/org/apache/atlas/web/resources/EntityResource.java 00b29e6c8 
>   webapp/src/main/java/org/apache/atlas/web/rest/EntityREST.java 88de8b679 
>   webapp/src/test/java/org/apache/atlas/web/adapters/TestEntitiesREST.java 615bc0f1b 
> 
> 
> Diff: https://reviews.apache.org/r/72615/diff/7/
> 
> 
> Testing
> -------
> 
> Tested with Ranger policies:
> For the /bulk API the following policy was applied:
> 1. Added hive_column entity as entity type.
> 2. Included admin as user and prohibited access for read entity, all this under a
> deny policy.
> 
> For /bulk/classification the following policy was applied:
> 1. Added hive_column entity as entity type.
> 2. Gave all the access to admin but kept hive_column entity type in excluded
> state.
> 
> 
> Thanks,
> 
> chaitali
> 
>
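The behaviour under review, as an added illustration that is not Atlas code: a bulk lookup that fails the whole call with 403 on the first unauthorized guid (the behaviour ATLAS-3855 reports), versus the proposed request-scoped flag that skips those guids and returns them beside the authorized results. The Authorizer interface, the ThreadLocal standing in for RequestContext.ignoreUnauthorizedEntities, and the sample guids are assumptions made for this example.

```java
import java.util.*;

// Added illustration, not Atlas code: bulk authorization with fail-fast vs. filter mode.
public class BulkAuthFilterExample {
    // Stand-in for the real authorizer (e.g. a Ranger plugin); assumption for this example.
    interface Authorizer { boolean canRead(String user, String guid); }

    static final class Forbidden extends RuntimeException {
        Forbidden(String guid) { super("403: not authorized to read entity " + guid); }
    }

    // Response carries both halves so the caller can see what was filtered out.
    static final class BulkResult {
        final List<String> entities = new ArrayList<>();
        final List<String> unauthorizedGuids = new ArrayList<>();
    }

    // Models RequestContext.ignoreUnauthorizedEntities: a per-request flag that the
    // servlet filter (AuditFilter.doFilter in the review) would set before the REST call.
    static final ThreadLocal<Boolean> IGNORE_UNAUTHORIZED = ThreadLocal.withInitial(() -> false);

    static BulkResult getByGuids(Authorizer auth, String user, List<String> guids) {
        BulkResult result = new BulkResult();
        for (String guid : guids) {
            if (auth.canRead(user, guid)) {
                result.entities.add(guid);          // in Atlas this would be the loaded entity
            } else if (IGNORE_UNAUTHORIZED.get()) {
                result.unauthorizedGuids.add(guid); // filtered and reported back to the caller
            } else {
                throw new Forbidden(guid);          // old behaviour: one denied guid fails the call
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample: guid "c2" is denied for "admin", like the deny policy in the test notes.
        Authorizer auth = (user, guid) -> !guid.equals("c2");
        List<String> guids = Arrays.asList("c1", "c2", "c3");
        try {
            IGNORE_UNAUTHORIZED.set(true);
            BulkResult r = getByGuids(auth, "admin", guids);
            System.out.println("entities=" + r.entities + " unauthorized=" + r.unauthorizedGuids);
            IGNORE_UNAUTHORIZED.set(false);
            getByGuids(auth, "admin", guids);
        } catch (Forbidden e) {
            System.out.println(e.getMessage());
        } finally {
            IGNORE_UNAUTHORIZED.remove();           // always clear request-scoped state
        }
    }
}
```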
