-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72615/#review221135
-----------------------------------------------------------

Consider updating all methods that deal with multiple entities to ignore unauthorized entities. Below is the list of such methods from a quick look:

- GET /bulk - EntityREST.getByGuids()
- DELETE /bulk - EntityREST.deleteByGuids()
- POST /bulk/classification - EntityREST.addClassification()
- POST /bulk/setClassifications - EntityREST.setClassifications()
- GET /bulk/headers - EntityREST.getEntityHeaders()
- GET /bulk/uniqueAttribute/type/{typeName} - EntityREST.getEntitiesByUniqueAttributes()

Instead of changing the signature of all these methods, I suggest adding a flag RequestContext.ignoreUnauthorizedEntities and populating it from AuditFilter.doFilter().

- Madhan Neethiraj


On July 6, 2020, 3:02 p.m., chaitali wrote:

>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72615/
> -----------------------------------------------------------
>
> (Updated July 6, 2020, 3:02 p.m.)
>
>
> Review request for atlas, Jayendra Parab, Nikhil Bonte, Nixon Rodrigues, and Sarath Subramanian.
>
>
> Bugs: ATLAS-3855
>     https://issues.apache.org/jira/browse/ATLAS-3855
>
>
> Repository: atlas
>
>
> Description
> -------
>
> API : /api/atlas/v2/entity/bulk/classification & v2/entity/bulk : if some guids belong to entities on which the user is unauthorized and other guids belong to entities on which the user is authorized, these APIs fail with a 403 error without returning the authorized entities.
>
> 1. Unauthorized guids are filtered with this patch for both the APIs.
> 2. Added ignoreUnauthorisedGuids flag for /bulk/classification API as it doesn't return any object.
> 3. Also added unauthorized guids in the return object of /bulk in the response for the user's reference.
>
>
> Diffs
> -----
>
>   repository/src/main/java/org/apache/atlas/repository/store/graph/AtlasEntityStore.java 7b9455ef3
>   repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityStoreV2.java bf1629cb3
>   repository/src/test/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityStoreV2Test.java b9cbef1b0
>   webapp/src/main/java/org/apache/atlas/web/resources/EntityResource.java 00b29e6c8
>   webapp/src/main/java/org/apache/atlas/web/rest/EntityREST.java 88de8b679
>   webapp/src/test/java/org/apache/atlas/web/adapters/TestEntitiesREST.java 615bc0f1b
>
>
> Diff: https://reviews.apache.org/r/72615/diff/7/
>
>
> Testing
> -------
>
> Tested with ranger policies:
> For /bulk api the following policies were applied:
> 1. Added hive_column entity as entity type.
> 2. Included admin as user and prohibited access for read entity, all this under a deny policy.
>
> For /bulk/classification the following policies were applied:
> 1. Added hive_column entity as entity type.
> 2. Gave all the access to admin but kept hive_column entity type in excluded state.
>
>
> Thanks,
>
> chaitali
>
>
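The pattern under discussion in this thread, a bulk read that skips entities the caller is not authorized for and reports their guids instead of failing the whole request with 403, controlled by a request-scoped flag set at request entry, as an added illustration that is not Atlas code and not part of the review. `RequestContext.ignoreUnauthorizedEntities` and `AuditFilter.doFilter()` are the names suggested in the review comment; their bodies, the `Entity`, `BulkResult` and `Authorizer` types, the sample store, and the deny rule for `admin` on `hive_column` (modelled on the Ranger deny policy in the testing notes) are all constructed assumptions.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Constructed example; stand-in types, not Apache Atlas classes. */
public class BulkAuthorizationExample {

    /** Request-scoped context, one per thread (assumed shape of RequestContext). */
    static final class RequestContext {
        private static final ThreadLocal<RequestContext> CURRENT =
                ThreadLocal.withInitial(RequestContext::new);
        /** Flag from the review: when true, bulk calls drop denied entities instead of failing. */
        boolean ignoreUnauthorizedEntities = false;
        static RequestContext get() { return CURRENT.get(); }
        static void clear() { CURRENT.remove(); }
    }

    /** Stand-in for the entry filter that would populate the flag (assumed behaviour). */
    static final class AuditFilter {
        static void doFilter(boolean allowPartialBulkResults) {
            RequestContext.get().ignoreUnauthorizedEntities = allowPartialBulkResults;
        }
    }

    static final class Entity {
        final String guid, typeName;
        Entity(String guid, String typeName) { this.guid = guid; this.typeName = typeName; }
        @Override public String toString() { return typeName + ":" + guid; }
    }

    /** Bulk read result: entities the caller may see plus the guids that were withheld. */
    static final class BulkResult {
        final List<Entity> entities;
        final List<String> unauthorizedGuids;
        BulkResult(List<Entity> entities, List<String> unauthorizedGuids) {
            this.entities = Collections.unmodifiableList(entities);
            this.unauthorizedGuids = Collections.unmodifiableList(unauthorizedGuids);
        }
    }

    static final class AtlasAuthorizationException extends RuntimeException {
        AtlasAuthorizationException(String msg) { super(msg); }
    }

    /** Per-entity read check; a real deployment would delegate to Ranger or the simple authorizer. */
    interface Authorizer { boolean isReadAllowed(String user, Entity entity); }

    /** Constructed rule mirroring the test policy: admin is denied read on every hive_column. */
    static final Authorizer DENY_HIVE_COLUMN_FOR_ADMIN =
            (user, e) -> !("admin".equals(user) && "hive_column".equals(e.typeName));

    /** Flag off: one denied guid fails the request. Flag on: denied guids are dropped and reported. */
    static BulkResult getByGuids(String user, List<String> guids,
                                 Map<String, Entity> store, Authorizer authz) {
        List<Entity> allowed = new ArrayList<>();
        List<String> denied = new ArrayList<>();
        boolean ignoreDenied = RequestContext.get().ignoreUnauthorizedEntities;
        for (String guid : guids) {
            Entity entity = store.get(guid);
            if (entity == null) continue;                 // unknown guid: assumed to be skipped
            if (authz.isReadAllowed(user, entity)) {
                allowed.add(entity);
            } else if (ignoreDenied) {
                denied.add(guid);                         // withhold the entity, record the guid
            } else {
                throw new AtlasAuthorizationException(user + " is not authorized to read " + guid);
            }
        }
        return new BulkResult(allowed, denied);
    }

    public static void main(String[] args) {
        Map<String, Entity> store = new LinkedHashMap<>();   // constructed sample data
        store.put("guid-1", new Entity("guid-1", "hive_table"));
        store.put("guid-2", new Entity("guid-2", "hive_column"));
        store.put("guid-3", new Entity("guid-3", "hive_table"));
        List<String> request = List.of("guid-1", "guid-2", "guid-3");
        try {
            AuditFilter.doFilter(false);                  // current behaviour: whole call fails
            try {
                getByGuids("admin", request, store, DENY_HIVE_COLUMN_FOR_ADMIN);
            } catch (AtlasAuthorizationException ex) {
                System.out.println("flag off -> 403: " + ex.getMessage());
            }
            AuditFilter.doFilter(true);                   // proposed behaviour: partial result
            BulkResult r = getByGuids("admin", request, store, DENY_HIVE_COLUMN_FOR_ADMIN);
            System.out.println("flag on  -> " + r.entities + " unauthorizedGuids=" + r.unauthorizedGuids);
        } finally {
            RequestContext.clear();   // a per-request flag must not leak to the next request on this thread
        }
    }
}
```

Two points of the design are worth noting. The flag lives in the request context and is set once by the entry filter, so every bulk handler reads the same decision without a signature change, which is the reason the review prefers it over a new parameter on each method. And because the context is thread-bound, it must be cleared when the request ends; on a pooled servlet thread a stale `ignoreUnauthorizedEntities = true` would otherwise relax the failure mode for whichever request runs next.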