Sidharth Kumar Mishra created ATLAS-4170:
--------------------------------------------
Summary: v2/entity/bulk Entity GET API is able to read
unauthorised entities too when skipFailedEntities is passed as True
Key: ATLAS-4170
URL: https://issues.apache.org/jira/browse/ATLAS-4170
Project: Atlas
Issue Type: Bug
Reporter: Sidharth Kumar Mishra
Assignee: Sidharth Kumar Mishra
As part of https://issues.apache.org/jira/browse/ATLAS-3855, skipFailedEntities
was introduced to ignore the entities that it fails to read.
When skipFailedEntities is not passed or is passed as skipFailedEntities=False,
we get a 403 with the below error, as expected:
{code:java}
{
  "errorCode": "ATLAS-403-00-001",
  "errorMessage": "hrt is not authorized to perform read entity: guid=ad0f349c-1fe6-46f0-be6d-98ca2e754e1c"
}
{code}
But when we pass skipFailedEntities=True, the API is able to retrieve the data
even for those entities on which the user has explicit deny conditions.
Ideally, we should be ignoring these unauthorised entities and returning data only
for authorised ones.
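A minimal model of the behaviour the report asks for, in which the skip flag only changes how a failed read is handled and every entity still goes through the authorization check. This is an added example, not Apache Atlas code; the class, method names, and sample GUIDs are hypothetical and the data is constructed.

```java
import java.util.*;

// Hypothetical model of a bulk read with a skip-failed flag; not Apache Atlas code.
public class BulkReadAuthz {
    static class AccessDenied extends RuntimeException {
        AccessDenied(String msg) { super(msg); }
    }

    // Constructed sample data: guid -> entity name, plus GUIDs the caller is denied on.
    static final Map<String, String> STORE = new LinkedHashMap<>();
    static final Set<String> DENIED = Set.of("guid-2");
    static {
        STORE.put("guid-1", "sales_table");
        STORE.put("guid-2", "payroll_table");
    }

    // Every entity passes through this check before it can be returned.
    static String readAuthorized(String user, String guid) {
        String entity = STORE.get(guid);
        if (entity == null) throw new NoSuchElementException("no entity: guid=" + guid);
        if (DENIED.contains(guid))
            throw new AccessDenied(user + " is not authorized to perform read entity: guid=" + guid);
        return entity;
    }

    // skipFailed only decides what happens after a failure: drop the entity or abort.
    // It never selects a code path that bypasses the authorization check.
    static List<String> bulkGet(String user, List<String> guids, boolean skipFailed) {
        List<String> out = new ArrayList<>();
        for (String guid : guids) {
            try {
                out.add(readAuthorized(user, guid));
            } catch (AccessDenied | NoSuchElementException e) {
                if (!skipFailed) throw e;   // strict mode: the whole request fails (the 403 case)
            }
        }
        return out;
    }

    public static void main(String[] args) {
        List<String> guids = List.of("guid-1", "guid-2", "guid-missing");
        System.out.println(bulkGet("hrt", guids, true));   // only the authorized entity
        try {
            bulkGet("hrt", guids, false);
        } catch (AccessDenied e) {
            System.out.println("403: " + e.getMessage());
        }
    }
}
```

A regression test for this class of bug asserts that the result for a user with an explicit deny never contains the denied GUID, whichever value the flag takes.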