-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72895/
-----------------------------------------------------------

(Updated Sept. 29, 2020, 9:46 a.m.)

Review request for atlas, Jayendra Parab, Madhan Neethiraj, Nixon Rodrigues, and Sarath Subramanian.

Bugs: ATLAS-3950
    https://issues.apache.org/jira/browse/ATLAS-3950

Repository: atlas

Description
-------

User is able to create an attribute for businessmetadata/classification/entitydef of a typename which doesn't have read access in the ranger policy. UI works fine, but through REST, user is able to add any type as attribute typename.

Steps to reproduce:

User has the following rights in the ranger policy:
  - CRUD permissions on hive_table type only
  - CRUD permissions on all business_metadata types

1. hrt_qa creates a business metadata bm1
2. hrt_qa is able to create an attribute for bm1 - say attrib1 - which allows Applicable types to be anything.
3. UI displays only hive_table, but through REST, hrt_qa is able to add any type as Applicable type.

Diffs (updated)
-----

  repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasAbstractDefStoreV2.java 2cb2b4789
  repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasBusinessMetadataDefStoreV2.java 6b4fa65ae
  repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasClassificationDefStoreV2.java 9ffede4e3
  repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityDefStoreV2.java e5153de0e
  repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasRelationshipDefStoreV2.java 64ef18bf7
  repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasStructDefStoreV2.java 9a45f00c7

Diff: https://reviews.apache.org/r/72895/diff/12/

Changes: https://reviews.apache.org/r/72895/diff/11-12/

Testing
-------

Tested with the following JSON:

Entity typedef creation with an attribute of a typename which admin doesn't have type-read rights for:

{
  "enumDefs": [],
  "structDefs": [],
  "classificationDefs": [],
  "entityDefs": [
    {
      "category": "ENTITY",
      "createdBy": "admin",
      "updatedBy": "admin",
      "createTime": 1537261952180,
      "updateTime": 1537262097732,
      "version": 3,
      "name": "testtab",
      "description": "sport",
      "typeVersion": "1.4",
      "attributeDefs": [
        { "name": "test_name", "typeName": "string", "isOptional": false, "cardinality": "SINGLE", "valuesMinCount": 1, "valuesMaxCount": 1, "isUnique": false, "isIndexable": false, "includeInNotification": false },
        { "name": "year", "typeName": "int", "isOptional": false, "cardinality": "SINGLE", "valuesMinCount": 1, "valuesMaxCount": 1, "isUnique": false, "isIndexable": false, "includeInNotification": false },
        { "name": "place", "typeName": "array<string>", "isOptional": true, "cardinality": "SINGLE", "valuesMinCount": 0, "valuesMaxCount": 1, "isUnique": false, "isIndexable": false, "includeInNotification": false }
      ],
      "superTypes": [ "DataSet" ],
      "subTypes": []
    }
  ],
  "relationshipDefs": []
}

Classification typedef creation with entitytypes for which admin doesn't have type-read rights:

{
  "classificationDefs": [
    {
      "name": "testclass",
      "description": "oif",
      "superTypes": [],
      "attributeDefs": [],
      "entityTypes": [ "hdfs_path", "hive_table" ],
      "category": "CLASSIFICATION",
      "guid": "-123456789"
    }
  ],
  "entityDefs": [],
  "enumDefs": [],
  "structDefs": []
}

Businessmetadata typedef creation with entitytypes for which admin doesn't have type-read rights:

{
  "enumDefs": [],
  "structDefs": [],
  "classificationDefs": [],
  "entityDefs": [],
  "businessMetadataDefs": [
    {
      "category": "BUSINESS_METADATA",
      "createdBy": "admin",
      "updatedBy": "admin",
      "version": 1,
      "typeVersion": "1.1",
      "name": "testBM",
      "description": "",
      "attributeDefs": [
        {
          "name": "attrtestBM",
          "typeName": "string",
          "isOptional": true,
          "cardinality": "SINGLE",
          "valuesMinCount": 0,
          "valuesMaxCount": 1,
          "isUnique": false,
          "isIndexable": true,
          "options": { "maxStrLength": "50", "applicableEntityTypes": "[\"hive_table\"]" },
          "searchWeight": "5"
        }
      ]
    }
  ]
}

Expected Output:

{
  "errorCode": "ATLAS-403-00-001",
  "errorMessage": "admin is not authorized to perform read type hive_table"
}

Thanks,

chaitali
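As an added illustration, not code from the Atlas patch under review, the missing check modelled in Python: collect every type a typedef references (attribute types with array/map wrappers stripped, superTypes, a classification's entityTypes, and the applicableEntityTypes option, which Atlas stores as a JSON-encoded string) and refuse the request with the ATLAS-403-00-001 body unless the caller can read each one. The readable-type set standing in for the Ranger policy lookup and the function names are assumptions; the inputs are abridged from the test JSON above.

```python
import json
import re

# Atlas built-in primitive types: no type-read authorization applies to them.
PRIMITIVES = {"boolean", "byte", "short", "int", "long", "float", "double",
              "biginteger", "bigdecimal", "string", "date"}

def unwrap(type_name):
    """Element type names inside array<...>/map<k,v> wrappers (nested too)."""
    name = type_name.strip()
    match = re.match(r"^(?:array|map)<(.+)>$", name)
    if not match:
        return [name]
    inner, parts, depth, start = match.group(1), [], 0, 0
    for i, ch in enumerate(inner):  # split on top-level commas only
        depth += (ch == "<") - (ch == ">")
        if ch == "," and depth == 0:
            parts.append(inner[start:i])
            start = i + 1
    parts.append(inner[start:])
    return [n for part in parts for n in unwrap(part)]

def referenced_types(typedef):
    """Non-primitive types a def points at: attribute types, superTypes,
    a classification's entityTypes and the applicableEntityTypes option."""
    refs = set(typedef.get("superTypes", [])) | set(typedef.get("entityTypes", []))
    for attr in typedef.get("attributeDefs", []):
        refs.update(n for n in unwrap(attr["typeName"]) if n not in PRIMITIVES)
        # Atlas stores this option as a JSON-encoded string, not a JSON list.
        applicable = attr.get("options", {}).get("applicableEntityTypes")
        if applicable:
            refs.update(json.loads(applicable))
    return refs

def check_type_read(user, typedef, readable_types):
    """None if the user may read every referenced type, else the
    ATLAS-403-00-001 body for the first (alphabetically) denied type."""
    for name in sorted(referenced_types(typedef)):
        if name not in readable_types:
            return {"errorCode": "ATLAS-403-00-001",
                    "errorMessage": f"{user} is not authorized to perform read type {name}"}
    return None

# Constructed inputs (abridged from the review's test JSON); hrt_qa's assumed
# policy, read on hive_table only, follows the reproduction steps.
READABLE_BY_HRT_QA = {"hive_table"}
CLASSIFICATION_DEF = {"name": "testclass", "category": "CLASSIFICATION",
                      "attributeDefs": [], "entityTypes": ["hdfs_path", "hive_table"]}
BM_DEF = {"name": "testBM", "category": "BUSINESS_METADATA", "attributeDefs": [
    {"name": "attrtestBM", "typeName": "string",
     "options": {"applicableEntityTypes": "[\"hive_table\"]"}}]}
```

check_type_read("hrt_qa", CLASSIFICATION_DEF, READABLE_BY_HRT_QA) is refused on hdfs_path, while BM_DEF passes because its only applicable type is hive_table.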