-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72895/
-----------------------------------------------------------

(Updated Sept. 29, 2020, 10:53 a.m.)


Review request for atlas, Jayendra Parab, Madhan Neethiraj, Nixon Rodrigues, 
and Sarath Subramanian.


Bugs: ATLAS-3950
    https://issues.apache.org/jira/browse/ATLAS-3950


Repository: atlas


Description
-------

User is able to create an attribute for 
businessmetadata/classification/entitydef of typename which doesn't have read 
access in the ranger policy. UI works fine, but through REST, User is able 
to add any type as attribute typename.

Steps to reproduce:

User has following rights in ranger policy :

CRUD permissions on hive_table type only

CRUD permissions on all business_metadata type.

hrt_qa creates a business metadata bm1

hrt_qa is able to create an attribute for bm1 - say attrib1 which allows 
Applicable types to be anything. UI displays only hive_table, but through REST, 
hrt_qa is able to add any type as Applicable type.


Diffs (updated)
-----

  
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasAbstractDefStoreV2.java
 2cb2b4789 
  
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasBusinessMetadataDefStoreV2.java
 6b4fa65ae 
  
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasClassificationDefStoreV2.java
 93e7012c2 
  
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityDefStoreV2.java
 e5153de0e 
  
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasRelationshipDefStoreV2.java
 64ef18bf7 
  
repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasStructDefStoreV2.java
 9a45f00c7 


Diff: https://reviews.apache.org/r/72895/diff/15/

Changes: https://reviews.apache.org/r/72895/diff/14-15/


Testing
-------

Tested with the following JSON:

Entity typedef creation with an attribute of typename which admin doesn't have 
type-read rights for:

{
  "enumDefs": [],
  "structDefs": [],
  "classificationDefs": [],
  "entityDefs": [
    {
      "category": "ENTITY",
      "createdBy": "admin",
      "updatedBy": "admin",
      "createTime": 1537261952180,
      "updateTime": 1537262097732,
      "version": 3,
      "name": "testtab",
      "description": "sport",
      "typeVersion": "1.4",
      "attributeDefs": [
        {
          "name": "test_name",
          "typeName": "string",
          "isOptional": false,
          "cardinality": "SINGLE",
          "valuesMinCount": 1,
          "valuesMaxCount": 1,
          "isUnique": false,
          "isIndexable": false,
          "includeInNotification": false
        },
        {
          "name": "year",
          "typeName": "int",
          "isOptional": false,
          "cardinality": "SINGLE",
          "valuesMinCount": 1,
          "valuesMaxCount": 1,
          "isUnique": false,
          "isIndexable": false,
          "includeInNotification": false
        },
        {
          "name": "place",
          "typeName": "array<string>",
          "isOptional": true,
          "cardinality": "SINGLE",
          "valuesMinCount": 0,
          "valuesMaxCount": 1,
          "isUnique": false,
          "isIndexable": false,
          "includeInNotification": false
        }
      ],
      "superTypes": [
        "DataSet"
      ],
      "subTypes": []
    }
  ],
  "relationshipDefs": []
}

Classification typedef creation with entitytypes for which admin doesn't have 
type-read rights:

{
  "classificationDefs": [
    {
      "name": "testclass",
      "description": "oif",
      "superTypes": [],
      "attributeDefs": [],
      "entityTypes": [
        "hdfs_path",
        "hive_table"
      ],
      "category": "CLASSIFICATION",
      "guid": "-123456789"
    }
  ],
  "entityDefs": [],
  "enumDefs": [],
  "structDefs": []
}

Businessmetadata typedef creation with entitytypes for which admin doesn't have 
type-read rights:

{
  "enumDefs": [],
  "structDefs": [],
  "classificationDefs": [],
  "entityDefs": [],
  "businessMetadataDefs": [
    {
      "category": "BUSINESS_METADATA",
      "createdBy": "admin",
      "updatedBy": "admin",
      "version": 1,
      "typeVersion": "1.1",
      "name": "testBM",
      "description": "",
      "attributeDefs": [
        {
          "name": "attrtestBM",
          "typeName": "string",
          "isOptional": true,
          "cardinality": "SINGLE",
          "valuesMinCount": 0,
          "valuesMaxCount": 1,
          "isUnique": false,
          "isIndexable": true,
          "options": {
            "maxStrLength": "50",
            "applicableEntityTypes": "[\"hive_table\"]"
          },
          "searchWeight": "5"
        }
      ]
    }
  ]
}

Expected output:

{
  "errorCode": "ATLAS-403-00-001",
  "errorMessage": "admin is not authorized to perform read type hive_table"
}


Thanks,

chaitali
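
The check this review request describes, sketched as an added example (not code from the patch or from Atlas): collect every type a typedef payload references by name and reject the request if the caller cannot read one of them. The function names, the `readable` set standing in for the Ranger policy lookup, and the choice to skip primitive types are assumptions.

```python
import json

# Assumption: primitive type names need no type-read check.
PRIMITIVES = {"boolean", "byte", "short", "int", "long", "float", "double",
              "biginteger", "bigdecimal", "string", "date"}

def leaf_types(type_name):
    """Unwrap array<T> and map<K,V> to the type names they contain."""
    name = type_name.strip()
    for prefix in ("array<", "map<"):
        if name.startswith(prefix) and name.endswith(">"):
            inner, depth, parts, start = name[len(prefix):-1], 0, [], 0
            for i, ch in enumerate(inner):
                depth += (ch == "<") - (ch == ">")
                if ch == "," and depth == 0:  # split only on top-level commas
                    parts.append(inner[start:i])
                    start = i + 1
            parts.append(inner[start:])
            return set().union(*(leaf_types(p) for p in parts))
    return {name}

def referenced_types(typesdef):
    """Collect every non-primitive type a typedef payload points at by name."""
    refs = set()
    for key in ("entityDefs", "classificationDefs", "structDefs",
                "relationshipDefs", "businessMetadataDefs"):
        for tdef in typesdef.get(key) or []:
            refs.update(tdef.get("entityTypes") or [])
            for attr in tdef.get("attributeDefs") or []:
                refs |= leaf_types(attr["typeName"])
                applicable = (attr.get("options") or {}).get("applicableEntityTypes")
                if applicable:  # a JSON array carried as a string
                    refs.update(json.loads(applicable))
    return refs - PRIMITIVES

def check_read_access(user, typesdef, readable):
    """Return an error body for the first unreadable type, else None."""
    for name in sorted(referenced_types(typesdef)):
        if name not in readable:
            return {"errorCode": "ATLAS-403-00-001",
                    "errorMessage": f"{user} is not authorized to perform read type {name}"}
    return None

# Constructed payloads, trimmed from the test JSON in the message above.
BM_DEF = {"businessMetadataDefs": [{"name": "testBM", "attributeDefs": [{
    "name": "attrtestBM", "typeName": "string",
    "options": {"applicableEntityTypes": "[\"hive_table\"]"}}]}]}
CLS_DEF = {"classificationDefs": [{"name": "testclass", "attributeDefs": [],
                                   "entityTypes": ["hdfs_path", "hive_table"]}]}
```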
