[
https://issues.apache.org/jira/browse/ATLAS-3916?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17176262#comment-17176262
]
Yue Dong commented on ATLAS-3916:
---------------------------------
[~sarath] I get your point. I've tried to add the new functionality. The biggest
problem I had was checking permissions of field EntityId (value of
entity-unique attribute). It's what you commented: individual entities need to be
checked according to user permissions. So I had to add one more method to the
authorization interface, which
* checks the permissions of AtlasPrivilege, entityTypes and classifications
* and, if everything goes well, it will return a subquery that allows scrubbing
the entities to which the user doesn't have access.
With the new method,
* when it is a user with EntityId restriction, the count query will be:
_$v$"__typeName" : (hive_db) AND $v$"__state" : (ACTIVE)
AND $v$"Referenceable.qualifiedName" : (public_data* OR module_a*)_
* and when it is admin, the query will be: (Maybe it'd be better without _AND
$v$"Referenceable.qualifiedName" : (*)_)
_$v$"__typeName" : (hive_db) AND $v$"__state" : (ACTIVE)
AND $v$"Referenceable.qualifiedName" : (*)_
And the new behavior of the method getMetrics is:
* if the user doesn't have entities read or types permissions, the count query
will not be executed.
* if the user has a restriction, like EntityId, the count query will be executed
with the authorization subquery.
At the moment it seems to work fine for my requirement. Maybe I'm missing something;
I can show you the code with a WIP pull request if you want. I would like to
help with this requirement.
> Get metrics according to the user permissions
> ---------------------------------------------
>
> Key: ATLAS-3916
> URL: https://issues.apache.org/jira/browse/ATLAS-3916
> Project: Atlas
> Issue Type: New Feature
> Components: atlas-core
> Affects Versions: 2.0.0, 2.1.0
> Reporter: Yue Dong
> Priority: Major
> Attachments: Captura-de-pantalla-de-2020-08-11-10-20-06.png
>
>
> I have two user groups: admin, who has access to all tables, and reader, who can
> only see public data and module A tables. So I have configured Atlas to use a
> simple authorizer with a little variation, which is to hide entities that are
> not accessible to the user.
> The searches and the display of results work properly.
> The only problem I find is the metrics. In the elements of search by
> type, it indicates the number of all the entities of each type in the system.
> And this is not consistent with the search result of a reader user.
> !Captura-de-pantalla-de-2020-08-11-10-20-06.png!
>
> I have verified that these numbers come from the getMetrics method, which is
> not secured so it does not obtain the numbers according to the users'
> configuration. Am I missing something? Is there any way to change these
> numbers?
> Maybe it'd be nice to have something that allows modifying the queries of the
> metrics based on security and authorization, like
> AtlasAuthorizer.scrubSearchResults in search methods.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
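
Added example, not code from the Atlas project or from the comment's author: a stand-alone sketch of the getMetrics behaviour described in the comment, where the count query is skipped without read permission and otherwise extended with an authorization subquery. The class, method and parameter names and the allow-list for pattern characters are assumptions; unlike the admin query shown in the comment, it omits the `(*)` clause for unrestricted users.

```java
import java.util.List;
import java.util.Optional;
import java.util.regex.Pattern;

// Added illustration; class, method and parameter names are hypothetical, not Atlas APIs.
public class MetricsCountQuery {
    // Assumption: type names and permitted entity-id patterns are plain names,
    // optionally ending in '*', so they cannot change the structure of the query.
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9_.@-]+\\*?|\\*");

    private static void requireSafe(String value) {
        if (!SAFE.matcher(value).matches()) {
            throw new IllegalArgumentException("unsafe query term: " + value);
        }
    }

    /**
     * Returns the count query for one entity type, or empty when it must not run.
     * canReadType: outcome of the privilege / entity type / classification checks.
     * idPatterns:  qualifiedName patterns the user may read ("*" = unrestricted).
     */
    static Optional<String> build(String typeName, boolean canReadType, List<String> idPatterns) {
        if (!canReadType || idPatterns.isEmpty()) {
            return Optional.empty();              // deny by default: no count is computed
        }
        requireSafe(typeName);
        idPatterns.forEach(MetricsCountQuery::requireSafe);

        StringBuilder q = new StringBuilder()
            .append("$v$\"__typeName\" : (").append(typeName).append(")")
            .append(" AND $v$\"__state\" : (ACTIVE)");
        if (!idPatterns.contains("*")) {          // restricted user: add the authorization subquery
            q.append(" AND $v$\"Referenceable.qualifiedName\" : (")
             .append(String.join(" OR ", idPatterns)).append(")");
        }
        return Optional.of(q.toString());
    }

    public static void main(String[] args) {
        // Constructed sample permissions modelled on the reader and admin groups in the issue.
        List<String> reader = List.of("public_data*", "module_a*");
        System.out.println(build("hive_db", true, reader).orElse("<count query skipped>"));
        System.out.println(build("hive_db", true, List.of("*")).orElse("<count query skipped>"));
        System.out.println(build("hive_db", false, reader).orElse("<count query skipped>"));
    }
}
```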