[jira] [Commented] (ATLAS-497) Simple Authorization
[
https://issues.apache.org/jira/browse/ATLAS-497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15276628#comment-15276628
]
Hemanth Yamijala commented on ATLAS-497:
Tested ATLAS-497.9.patch in the following scenarios:
* With default policy settings in {{policy-store.txt}}, admin user is able to
do all operations.
* Changed resource type rule for admin user to remove some resource types and
verified that those resources cannot be accessed.
* Changed allowed operations rule for admin user to removed some operations,
and verified those operations cannot be performed.
* Verified hive hook is working fine (no dependency on user for this).
Will commit this patch now.
> Simple Authorization
>
>
> Key: ATLAS-497
> URL: https://issues.apache.org/jira/browse/ATLAS-497
> Project: Atlas
> Issue Type: New Feature
>Affects Versions: 0.7-incubating
>Reporter: Erik Bergenholtz
>Assignee: Saqeeb Shaikh
> Fix For: 0.7-incubating
>
> Attachments: ATLAS-497.1.patch, ATLAS-497.2.patch, ATLAS-497.6.patch,
> ATLAS-497.7.patch, ATLAS-497.8.patch, ATLAS-497.9.patch, ATLAS-497.patch
>
>
> Atlas needs to support a simple (out of box) authorization mechanism.
> Defined Roles:
> - Data Scientist: provides a read only view (GET)
> - Data Steward: provides a read/edit view (PUT, POST, DELETE)
> - Admin (can do anything)
> All can comment on entity
> Requirements
> - Atlas will implement a simple file based store for providing user to role
> mapping
> - The out of box experience will be this file based mechanism for
> authorization
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ATLAS-497) Simple Authorization
[
https://issues.apache.org/jira/browse/ATLAS-497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15276542#comment-15276542
]
ATLAS QA commented on ATLAS-497:
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12803002/ATLAS-497.9.patch
against master revision 34f51a2.
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:green}+1 tests included{color}. The patch appears to include 4 new
or modified test files.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 javadoc{color}. There were no new javadoc warning messages.
+1 checkstyle. The patch generated 0 code style errors.
{color:red}-1 findbugs{color}. The patch appears to introduce 369 new
Findbugs (version 2.0.3) warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:red}-1 core tests{color}. The patch failed these unit tests in :
org.apache.atlas.repository.audit.HBaseBasedAuditRepositoryTest
./repository/target/surefire-reports/junitreports/TEST-org.apache.atlas.repository.audit.HBaseBasedAuditRepositoryTest
./repository/target/surefire-reports/junitreports/TEST-org.apache.atlas.service.DefaultMetadataServiceTest
org.apache.atlas.service.DefaultMetadataServiceTest
Test results:
https://builds.apache.org/job/PreCommit-ATLAS-Build/222//testReport/
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/222//artifact/patchprocess/newPatchFindbugsWarningsrepository.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/222//artifact/patchprocess/newPatchFindbugsWarningstitan.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/222//artifact/patchprocess/newPatchFindbugsWarningswebapp.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/222//artifact/patchprocess/newPatchFindbugsWarningstypesystem.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/222//artifact/patchprocess/newPatchFindbugsWarningsclient.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/222//artifact/patchprocess/newPatchFindbugsWarningsnotification.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/222//artifact/patchprocess/newPatchFindbugsWarningscommon.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/222//artifact/patchprocess/newPatchFindbugsWarningshive-bridge.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/222//artifact/patchprocess/newPatchFindbugsWarningshdfs-model.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/222//artifact/patchprocess/newPatchFindbugsWarningsstorm-bridge.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/222//artifact/patchprocess/newPatchFindbugsWarningssqoop-bridge.html
Console output: https://builds.apache.org/job/PreCommit-ATLAS-Build/222//console
This message is automatically generated.
> Simple Authorization
>
>
> Key: ATLAS-497
> URL: https://issues.apache.org/jira/browse/ATLAS-497
> Project: Atlas
> Issue Type: New Feature
>Affects Versions: 0.7-incubating
>Reporter: Erik Bergenholtz
>Assignee: Saqeeb Shaikh
> Fix For: 0.7-incubating
>
> Attachments: ATLAS-497.1.patch, ATLAS-497.2.patch, ATLAS-497.6.patch,
> ATLAS-497.7.patch, ATLAS-497.8.patch, ATLAS-497.9.patch, ATLAS-497.patch
>
>
> Atlas needs to support a simple (out of box) authorization mechanism.
> Defined Roles:
> - Data Scientist: provides a read only view (GET)
> - Data Steward: provides a read/edit view (PUT, POST, DELETE)
> - Admin (can do anything)
> All can comment on entity
> Requirements
> - Atlas will implement a simple file based store for providing user to role
> mapping
> - The out of box experience will be this file based mechanism for
> authorization
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ATLAS-497) Simple Authorization
[ https://issues.apache.org/jira/browse/ATLAS-497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15276406#comment-15276406 ] Saqeeb Shaikh commented on ATLAS-497: - [~yhemanth] seems this was caused after adding the filter in the spring-security.xml file. I have fixed the test case and attached the latest patch here. > Simple Authorization > > > Key: ATLAS-497 > URL: https://issues.apache.org/jira/browse/ATLAS-497 > Project: Atlas > Issue Type: New Feature >Affects Versions: 0.7-incubating >Reporter: Erik Bergenholtz >Assignee: Saqeeb Shaikh > Fix For: 0.7-incubating > > Attachments: ATLAS-497.1.patch, ATLAS-497.2.patch, ATLAS-497.6.patch, > ATLAS-497.7.patch, ATLAS-497.8.patch, ATLAS-497.patch > > > Atlas needs to support a simple (out of box) authorization mechanism. > Defined Roles: > - Data Scientist: provides a read only view (GET) > - Data Steward: provides a read/edit view (PUT, POST, DELETE) > - Admin (can do anything) > All can comment on entity > Requirements > - Atlas will implement a simple file based store for providing user to role > mapping > - The out of box experience will be this file based mechanism for > authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ATLAS-497) Simple Authorization
[
https://issues.apache.org/jira/browse/ATLAS-497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15276379#comment-15276379
]
ATLAS QA commented on ATLAS-497:
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12802983/ATLAS-497.8.patch
against master revision 34f51a2.
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:green}+1 tests included{color}. The patch appears to include 3 new
or modified test files.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 javadoc{color}. There were no new javadoc warning messages.
+1 checkstyle. The patch generated 0 code style errors.
{color:red}-1 findbugs{color}. The patch appears to introduce 369 new
Findbugs (version 2.0.3) warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:red}-1 core tests{color}. The patch failed these unit tests in :
./webapp/test-output/junitreports/TEST-org.apache.atlas.web.resources.EntityJerseyResourceIT
./webapp/test-output/junitreports/TEST-org.apache.atlas.web.resources.TypesJerseyResourceIT
./webapp/test-output/junitreports/TEST-org.apache.atlas.web.resources.RexsterGraphJerseyResourceIT
./webapp/test-output/junitreports/TEST-org.apache.atlas.web.resources.AdminJerseyResourceIT
./webapp/test-output/junitreports/TEST-org.apache.atlas.web.resources.MetadataDiscoveryJerseyResourceIT
./webapp/target/surefire-reports/junitreports/TEST-org.apache.atlas.web.security.FileAuthenticationTest
org.apache.atlas.web.security.FileAuthenticationTest
Test results:
https://builds.apache.org/job/PreCommit-ATLAS-Build/221//testReport/
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/221//artifact/patchprocess/newPatchFindbugsWarningswebapp.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/221//artifact/patchprocess/newPatchFindbugsWarningsnotification.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/221//artifact/patchprocess/newPatchFindbugsWarningssqoop-bridge.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/221//artifact/patchprocess/newPatchFindbugsWarningshive-bridge.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/221//artifact/patchprocess/newPatchFindbugsWarningsstorm-bridge.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/221//artifact/patchprocess/newPatchFindbugsWarningshdfs-model.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/221//artifact/patchprocess/newPatchFindbugsWarningstypesystem.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/221//artifact/patchprocess/newPatchFindbugsWarningsrepository.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/221//artifact/patchprocess/newPatchFindbugsWarningstitan.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/221//artifact/patchprocess/newPatchFindbugsWarningsclient.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/221//artifact/patchprocess/newPatchFindbugsWarningscommon.html
Console output: https://builds.apache.org/job/PreCommit-ATLAS-Build/221//console
This message is automatically generated.
> Simple Authorization
>
>
> Key: ATLAS-497
> URL: https://issues.apache.org/jira/browse/ATLAS-497
> Project: Atlas
> Issue Type: New Feature
>Affects Versions: 0.7-incubating
>Reporter: Erik Bergenholtz
>Assignee: Saqeeb Shaikh
> Fix For: 0.7-incubating
>
> Attachments: ATLAS-497.1.patch, ATLAS-497.2.patch, ATLAS-497.6.patch,
> ATLAS-497.7.patch, ATLAS-497.8.patch, ATLAS-497.patch
>
>
> Atlas needs to support a simple (out of box) authorization mechanism.
> Defined Roles:
> - Data Scientist: provides a read only view (GET)
> - Data Steward: provides a read/edit view (PUT, POST, DELETE)
> - Admin (can do anything)
> All can comment on entity
> Requirements
> - Atlas will implement a simple file based store for providing user to role
> mapping
> - The out of box experience will be this file based mechanism for
> authorization
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ATLAS-497) Simple Authorization
[ https://issues.apache.org/jira/browse/ATLAS-497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15276307#comment-15276307 ] Saqeeb Shaikh commented on ATLAS-497: - [~yhemanth] have updated the review request with your patch + spring security changes. Would appreciate if you please review it : https://reviews.apache.org/r/46700/ > Simple Authorization > > > Key: ATLAS-497 > URL: https://issues.apache.org/jira/browse/ATLAS-497 > Project: Atlas > Issue Type: New Feature >Affects Versions: 0.7-incubating >Reporter: Erik Bergenholtz >Assignee: Saqeeb Shaikh > Fix For: 0.7-incubating > > Attachments: ATLAS-497.1.patch, ATLAS-497.2.patch, ATLAS-497.6.patch, > ATLAS-497.7.patch, ATLAS-497.8.patch, ATLAS-497.patch > > > Atlas needs to support a simple (out of box) authorization mechanism. > Defined Roles: > - Data Scientist: provides a read only view (GET) > - Data Steward: provides a read/edit view (PUT, POST, DELETE) > - Admin (can do anything) > All can comment on entity > Requirements > - Atlas will implement a simple file based store for providing user to role > mapping > - The out of box experience will be this file based mechanism for > authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ATLAS-497) Simple Authorization
[
https://issues.apache.org/jira/browse/ATLAS-497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15276276#comment-15276276
]
ATLAS QA commented on ATLAS-497:
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12802965/ATLAS-497.7.patch
against master revision 34f51a2.
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:green}+1 tests included{color}. The patch appears to include 3 new
or modified test files.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 javadoc{color}. There were no new javadoc warning messages.
+1 checkstyle. The patch generated 0 code style errors.
{color:red}-1 findbugs{color}. The patch appears to introduce 369 new
Findbugs (version 2.0.3) warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:red}-1 core tests{color}. The patch failed these unit tests in :
org.apache.atlas.repository.audit.HBaseBasedAuditRepositoryTest
./repository/target/surefire-reports/junitreports/TEST-org.apache.atlas.repository.audit.HBaseBasedAuditRepositoryTest
./repository/target/surefire-reports/junitreports/TEST-org.apache.atlas.service.DefaultMetadataServiceTest
org.apache.atlas.service.DefaultMetadataServiceTest
Test results:
https://builds.apache.org/job/PreCommit-ATLAS-Build/220//testReport/
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/220//artifact/patchprocess/newPatchFindbugsWarningswebapp.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/220//artifact/patchprocess/newPatchFindbugsWarningsclient.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/220//artifact/patchprocess/newPatchFindbugsWarningshive-bridge.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/220//artifact/patchprocess/newPatchFindbugsWarningshdfs-model.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/220//artifact/patchprocess/newPatchFindbugsWarningssqoop-bridge.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/220//artifact/patchprocess/newPatchFindbugsWarningsstorm-bridge.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/220//artifact/patchprocess/newPatchFindbugsWarningscommon.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/220//artifact/patchprocess/newPatchFindbugsWarningstypesystem.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/220//artifact/patchprocess/newPatchFindbugsWarningsnotification.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/220//artifact/patchprocess/newPatchFindbugsWarningstitan.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-ATLAS-Build/220//artifact/patchprocess/newPatchFindbugsWarningsrepository.html
Console output: https://builds.apache.org/job/PreCommit-ATLAS-Build/220//console
This message is automatically generated.
> Simple Authorization
>
>
> Key: ATLAS-497
> URL: https://issues.apache.org/jira/browse/ATLAS-497
> Project: Atlas
> Issue Type: New Feature
>Affects Versions: 0.7-incubating
>Reporter: Erik Bergenholtz
>Assignee: Saqeeb Shaikh
> Fix For: 0.7-incubating
>
> Attachments: ATLAS-497.1.patch, ATLAS-497.2.patch, ATLAS-497.6.patch,
> ATLAS-497.7.patch, ATLAS-497.patch
>
>
> Atlas needs to support a simple (out of box) authorization mechanism.
> Defined Roles:
> - Data Scientist: provides a read only view (GET)
> - Data Steward: provides a read/edit view (PUT, POST, DELETE)
> - Admin (can do anything)
> All can comment on entity
> Requirements
> - Atlas will implement a simple file based store for providing user to role
> mapping
> - The out of box experience will be this file based mechanism for
> authorization
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ATLAS-497) Simple Authorization
[
https://issues.apache.org/jira/browse/ATLAS-497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15276171#comment-15276171
]
Hemanth Yamijala commented on ATLAS-497:
Tests fail when running {{mvn clean install}}. Fixing them:
{code}
Running org.apache.atlas.authorize.SimpleAtlasAuthorizerTest
Tests run: 4, Failures: 4, Errors: 0, Skipped: 0, Time elapsed: 0.846 sec <<<
FAILURE! - in org.apache.atlas.authorize.SimpleAtlasAuthorizerTest
testAccessAllowedForGroup(org.apache.atlas.authorize.SimpleAtlasAuthorizerTest)
Time elapsed: 0.043 sec <<< FAILURE!
java.lang.IllegalArgumentException: No enum constant
org.apache.atlas.authorize.AtlasResourceTypes.TERM
at java.lang.Enum.valueOf(Enum.java:236)
at
org.apache.atlas.authorize.AtlasResourceTypes.valueOf(AtlasResourceTypes.java:21)
at
org.apache.atlas.authorize.PolicyParser.parseResources(PolicyParser.java:220)
at
org.apache.atlas.authorize.PolicyParser.parsePolicy(PolicyParser.java:107)
at
org.apache.atlas.authorize.PolicyParser.parsePolicies(PolicyParser.java:88)
at
org.apache.atlas.authorize.SimpleAtlasAuthorizerTest.testAccessAllowedForGroup(SimpleAtlasAuthorizerTest.java:81)
testAccessAllowedForUserAndGroup(org.apache.atlas.authorize.SimpleAtlasAuthorizerTest)
Time elapsed: 0.005 sec <<< FAILURE!
java.lang.IllegalArgumentException: No enum constant
org.apache.atlas.authorize.AtlasResourceTypes.TERM
at java.lang.Enum.valueOf(Enum.java:236)
at
org.apache.atlas.authorize.AtlasResourceTypes.valueOf(AtlasResourceTypes.java:21)
at
org.apache.atlas.authorize.PolicyParser.parseResources(PolicyParser.java:220)
at
org.apache.atlas.authorize.PolicyParser.parsePolicy(PolicyParser.java:107)
at
org.apache.atlas.authorize.PolicyParser.parsePolicies(PolicyParser.java:88)
at
org.apache.atlas.authorize.SimpleAtlasAuthorizerTest.testAccessAllowedForUserAndGroup(SimpleAtlasAuthorizerTest.java:41)
testAccessNotAllowedForUserAndGroup(org.apache.atlas.authorize.SimpleAtlasAuthorizerTest)
Time elapsed: 0.007 sec <<< FAILURE!
java.lang.IllegalArgumentException: No enum constant
org.apache.atlas.authorize.AtlasResourceTypes.TERM
at java.lang.Enum.valueOf(Enum.java:236)
at
org.apache.atlas.authorize.AtlasResourceTypes.valueOf(AtlasResourceTypes.java:21)
at
org.apache.atlas.authorize.PolicyParser.parseResources(PolicyParser.java:220)
at
org.apache.atlas.authorize.PolicyParser.parsePolicy(PolicyParser.java:107)
at
org.apache.atlas.authorize.PolicyParser.parsePolicies(PolicyParser.java:88)
at
org.apache.atlas.authorize.SimpleAtlasAuthorizerTest.testAccessNotAllowedForUserAndGroup(SimpleAtlasAuthorizerTest.java:156)
testResourceNotAvailableInPolicy(org.apache.atlas.authorize.SimpleAtlasAuthorizerTest)
Time elapsed: 0.003 sec <<< FAILURE!
java.lang.IllegalArgumentException: No enum constant
org.apache.atlas.authorize.AtlasResourceTypes.TERM
at java.lang.Enum.valueOf(Enum.java:236)
at
org.apache.atlas.authorize.AtlasResourceTypes.valueOf(AtlasResourceTypes.java:21)
at
org.apache.atlas.authorize.PolicyParser.parseResources(PolicyParser.java:220)
at
org.apache.atlas.authorize.PolicyParser.parsePolicy(PolicyParser.java:107)
at
org.apache.atlas.authorize.PolicyParser.parsePolicies(PolicyParser.java:88)
at
org.apache.atlas.authorize.SimpleAtlasAuthorizerTest.testResourceNotAvailableInPolicy(SimpleAtlasAuthorizerTest.java:119)
{code}
> Simple Authorization
>
>
> Key: ATLAS-497
> URL: https://issues.apache.org/jira/browse/ATLAS-497
> Project: Atlas
> Issue Type: New Feature
>Affects Versions: 0.7-incubating
>Reporter: Erik Bergenholtz
>Assignee: Saqeeb Shaikh
> Fix For: 0.7-incubating
>
> Attachments: ATLAS-497.1.patch, ATLAS-497.2.patch, ATLAS-497.6.patch,
> ATLAS-497.patch
>
>
> Atlas needs to support a simple (out of box) authorization mechanism.
> Defined Roles:
> - Data Scientist: provides a read only view (GET)
> - Data Steward: provides a read/edit view (PUT, POST, DELETE)
> - Admin (can do anything)
> All can comment on entity
> Requirements
> - Atlas will implement a simple file based store for providing user to role
> mapping
> - The out of box experience will be this file based mechanism for
> authorization
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ATLAS-497) Simple Authorization
[ https://issues.apache.org/jira/browse/ATLAS-497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15273641#comment-15273641 ] Hemanth Yamijala commented on ATLAS-497: Only did a cursory glance at the patch, assuming Selvamohan Neethiraj has looked at it closely. My review comments seem to be incorporated. We need ATLAS-661 committed for this to proceed. > Simple Authorization > > > Key: ATLAS-497 > URL: https://issues.apache.org/jira/browse/ATLAS-497 > Project: Atlas > Issue Type: New Feature >Affects Versions: 0.7-incubating >Reporter: Erik Bergenholtz >Assignee: Saqeeb Shaikh > Fix For: 0.7-incubating > > Attachments: ATLAS-497.1.patch, ATLAS-497.2.patch, ATLAS-497.6.patch, > ATLAS-497.patch > > > Atlas needs to support a simple (out of box) authorization mechanism. > Defined Roles: > - Data Scientist: provides a read only view (GET) > - Data Steward: provides a read/edit view (PUT, POST, DELETE) > - Admin (can do anything) > All can comment on entity > Requirements > - Atlas will implement a simple file based store for providing user to role > mapping > - The out of box experience will be this file based mechanism for > authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ATLAS-497) Simple Authorization
[ https://issues.apache.org/jira/browse/ATLAS-497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15273633#comment-15273633 ] Hemanth Yamijala commented on ATLAS-497: Only did a cursory glance at the patch, assuming [~sneethiraj] has looked at it closely. My review comments seem to be incorporated. We need ATLAS-611 committed for this to proceed. > Simple Authorization > > > Key: ATLAS-497 > URL: https://issues.apache.org/jira/browse/ATLAS-497 > Project: Atlas > Issue Type: New Feature >Affects Versions: 0.7-incubating >Reporter: Erik Bergenholtz >Assignee: Saqeeb Shaikh > Fix For: 0.7-incubating > > Attachments: ATLAS-497.1.patch, ATLAS-497.2.patch, ATLAS-497.6.patch, > ATLAS-497.patch > > > Atlas needs to support a simple (out of box) authorization mechanism. > Defined Roles: > - Data Scientist: provides a read only view (GET) > - Data Steward: provides a read/edit view (PUT, POST, DELETE) > - Admin (can do anything) > All can comment on entity > Requirements > - Atlas will implement a simple file based store for providing user to role > mapping > - The out of box experience will be this file based mechanism for > authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ATLAS-497) Simple Authorization
[ https://issues.apache.org/jira/browse/ATLAS-497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15272467#comment-15272467 ] Saqeeb Shaikh commented on ATLAS-497: - Thanks for the review comment, [~yhemanth]. Please find the updated patch on the review board : https://reviews.apache.org/r/46700/ > Simple Authorization > > > Key: ATLAS-497 > URL: https://issues.apache.org/jira/browse/ATLAS-497 > Project: Atlas > Issue Type: New Feature >Affects Versions: 0.7-incubating >Reporter: Erik Bergenholtz >Assignee: Saqeeb Shaikh > Fix For: 0.7-incubating > > Attachments: ATLAS-497.1.patch, ATLAS-497.2.patch, ATLAS-497.patch > > > Atlas needs to support a simple (out of box) authorization mechanism. > Defined Roles: > - Data Scientist: provides a read only view (GET) > - Data Steward: provides a read/edit view (PUT, POST, DELETE) > - Admin (can do anything) > All can comment on entity > Requirements > - Atlas will implement a simple file based store for providing user to role > mapping > - The out of box experience will be this file based mechanism for > authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ATLAS-497) Simple Authorization
[
https://issues.apache.org/jira/browse/ATLAS-497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15266146#comment-15266146
]
Hemanth Yamijala commented on ATLAS-497:
Thanks for your response [~saqeeb.s]
Regarding merging updates / creates - will try to help provide a response on
this after discussion with other as well. OK with taking this as another JIRA.
Regarding the issue of multiple resource types, in
SimpleAtlasAuthorizer.checkAccess, I am assuming it is this code checking for
access of multiple resource types:
{code}
boolean result = true;
Map rescMap = map.get(accessor);
if (rescMap != null) {
for (AtlasResourceTypes resourceType : resourceTypes) {
List accessList = rescMap.get(resourceType);
if (isDebugEnabled) {
LOG.debug("\nChecking for resource : " + resource + " in
list : " + accessList + "\n");
}
if (accessList != null) {
result = result && isMatch(resource, accessList);
}
if (result == true) {
return result;
}
}
}
{code}
If yes, say of the two resource types, the first allows access, but the second
doesn't. Doesn't the code then return true just based on the first one's
response (because result is initialized to true). That's the reason why I
thought we aren't checking for all resource types - can you pl. clarify?
Other responses are fine.
> Simple Authorization
>
>
> Key: ATLAS-497
> URL: https://issues.apache.org/jira/browse/ATLAS-497
> Project: Atlas
> Issue Type: New Feature
>Affects Versions: 0.7-incubating
>Reporter: Erik Bergenholtz
>Assignee: Saqeeb Shaikh
> Fix For: 0.7-incubating
>
> Attachments: ATLAS-497.1.patch, ATLAS-497.2.patch, ATLAS-497.patch
>
>
> Atlas needs to support a simple (out of box) authorization mechanism.
> Defined Roles:
> - Data Scientist: provides a read only view (GET)
> - Data Steward: provides a read/edit view (PUT, POST, DELETE)
> - Admin (can do anything)
> All can comment on entity
> Requirements
> - Atlas will implement a simple file based store for providing user to role
> mapping
> - The out of box experience will be this file based mechanism for
> authorization
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ATLAS-497) Simple Authorization
[ https://issues.apache.org/jira/browse/ATLAS-497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15264200#comment-15264200 ] Saqeeb Shaikh commented on ATLAS-497: - Thanks [~yhemanth] for reviewing the patch. Please find my comments inline. * Do we have a requirement for separating creates and updates? Can we merge them into one write operation? In fact many operations in Atlas backend are a create or update kind of operation. Merging into one may be better, IMHO. ** *Can we please finalize the requirement for this and track it as part of another JIRA?* * In AtlasAccessRequest and PolicyUtil there are many unused methods. Please remove them. ** *Some of the unused methods from AtlasAccessRequest, will be used when I add support for RangerPlugin. I will remove the setter methods from the PolicyUtils.* * In the authorization code path where AtlasException is thrown due to authorization problems, maybe it is better to throw a custom AtlasAuthorizationException. This could have information about what was attempted to be accessed etc. ** *Will make this change* * For requests that require access to multiple resource types (e.g. paths like entities/traits - which requires access to both entities & traits), access should be granted only if all of them are allowed, no? Currently, even if one matches we are allowing access, as far as I can tell. ** *Yes, you are right, the access to such resources is granted only if the user or group have access to both the resource types. In SimpleAtlasAuthorizer.checkAccess() method, I am iterating through each of the resourceTypes that the user has access to and if he has access to all of them only then he is granted access.* * Currently, since we don't have resource specific match, in SimpleAtlasAuthorizer, can we simplify the resource check logic and just check for access to resourcetypes for now? ** *Yes, I can change it for now, however I had added this keeping in mind that down the line we will support resource filtering as well.* * Without the above, there are some important issues: for e.g. since SimpleAtlasAuthorizer is a singleton object, the value isMatchAny is being accessed in a non-thread safe manner. ** *Yes, I will fix this* * In a later JIRA, we'll need to figure how principal information like user name / groups will be got in Kerberos authentication case. This is because currently we are picking these up from Spring security context. ** *Yes, I will raise another JIRA for this.* * Can we please add a merge test in PolicyUtilTest - one that has > 1 policies with different (possibly conflicting) rules and see how the end result works out? * Please add some tests for AtlasAuthorizationFilter. ** *Yes, I am adding more test cases for this feature.* > Simple Authorization > > > Key: ATLAS-497 > URL: https://issues.apache.org/jira/browse/ATLAS-497 > Project: Atlas > Issue Type: New Feature >Affects Versions: 0.7-incubating >Reporter: Erik Bergenholtz >Assignee: Saqeeb Shaikh > Fix For: 0.7-incubating > > Attachments: ATLAS-497.1.patch, ATLAS-497.2.patch, ATLAS-497.patch > > > Atlas needs to support a simple (out of box) authorization mechanism. > Defined Roles: > - Data Scientist: provides a read only view (GET) > - Data Steward: provides a read/edit view (PUT, POST, DELETE) > - Admin (can do anything) > All can comment on entity > Requirements > - Atlas will implement a simple file based store for providing user to role > mapping > - The out of box experience will be this file based mechanism for > authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ATLAS-497) Simple Authorization
[ https://issues.apache.org/jira/browse/ATLAS-497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15263662#comment-15263662 ] Hemanth Yamijala commented on ATLAS-497: Also, I have several other code improvement / simplification comments that I think will greatly improve the quality of this patch. However, to break work up into smaller units, maybe these can be done in a follow-up patch. I will create a separate JIRA for those (in case there are no objections from the community for this). > Simple Authorization > > > Key: ATLAS-497 > URL: https://issues.apache.org/jira/browse/ATLAS-497 > Project: Atlas > Issue Type: New Feature >Affects Versions: 0.7-incubating >Reporter: Erik Bergenholtz >Assignee: Saqeeb Shaikh > Fix For: 0.7-incubating > > Attachments: ATLAS-497.1.patch, ATLAS-497.2.patch, ATLAS-497.patch > > > Atlas needs to support a simple (out of box) authorization mechanism. > Defined Roles: > - Data Scientist: provides a read only view (GET) > - Data Steward: provides a read/edit view (PUT, POST, DELETE) > - Admin (can do anything) > All can comment on entity > Requirements > - Atlas will implement a simple file based store for providing user to role > mapping > - The out of box experience will be this file based mechanism for > authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ATLAS-497) Simple Authorization
[ https://issues.apache.org/jira/browse/ATLAS-497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15263656#comment-15263656 ] Hemanth Yamijala commented on ATLAS-497: Few comments: * Do we have a requirement for separating creates and updates? Can we merge them into one write operation? In fact many operations in Atlas backend are a create or update kind of operation. Merging into one may be better, IMHO. * In AtlasAccessRequest and PolicyUtil there are many unused methods. Please remove them. * In the authorization code path where AtlasException is thrown due to authorization problems, maybe it is better to throw a custom AtlasAuthorizationException. This could have information about what was attempted to be accessed etc. * For requests that require access to multiple resource types (e.g. paths like entities/traits - which requires access to both entities & traits), access should be granted only if all of them are allowed, no? Currently, even if one matches we are allowing access, as far as I can tell. * Currently, since we don't have resource specific match, in SimpleAtlasAuthorizer, can we simplify the resource check logic and just check for access to resourcetypes for now? * Without the above, there are some important issues: for e.g. since SimpleAtlasAuthorizer is a singleton object, the value isMatchAny is being accessed in a non-thread safe manner. * In a later JIRA, we'll need to figure how principal information like user name / groups will be got in Kerberos authentication case. This is because currently we are picking these up from Spring security context. * Can we please add a merge test in PolicyUtilTest - one that has > 1 policies with different (possibly conflicting) rules and see how the end result works out? * Please add some tests for AtlasAuthorizationFilter. > Simple Authorization > > > Key: ATLAS-497 > URL: https://issues.apache.org/jira/browse/ATLAS-497 > Project: Atlas > Issue Type: New Feature >Affects Versions: 0.7-incubating >Reporter: Erik Bergenholtz >Assignee: Saqeeb Shaikh > Fix For: 0.7-incubating > > Attachments: ATLAS-497.1.patch, ATLAS-497.2.patch, ATLAS-497.patch > > > Atlas needs to support a simple (out of box) authorization mechanism. > Defined Roles: > - Data Scientist: provides a read only view (GET) > - Data Steward: provides a read/edit view (PUT, POST, DELETE) > - Admin (can do anything) > All can comment on entity > Requirements > - Atlas will implement a simple file based store for providing user to role > mapping > - The out of box experience will be this file based mechanism for > authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ATLAS-497) Simple Authorization
[ https://issues.apache.org/jira/browse/ATLAS-497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15259643#comment-15259643 ] Hemanth Yamijala commented on ATLAS-497: Tried applying ATLAS-491.1.patch on top of ATLAS-661.patch. There are some conflicts in spring-security.xml file. Can you pl. check. I'll try to look through once ignoring these changes. > Simple Authorization > > > Key: ATLAS-497 > URL: https://issues.apache.org/jira/browse/ATLAS-497 > Project: Atlas > Issue Type: New Feature >Affects Versions: 0.7-incubating >Reporter: Erik Bergenholtz >Assignee: Saqeeb Shaikh > Fix For: 0.7-incubating > > Attachments: ATLAS-497.1.patch, ATLAS-497.patch > > > Atlas needs to support a simple (out of box) authorization mechanism. > Defined Roles: > - Data Scientist: provides a read only view (GET) > - Data Steward: provides a read/edit view (PUT, POST, DELETE) > - Admin (can do anything) > All can comment on entity > Requirements > - Atlas will implement a simple file based store for providing user to role > mapping > - The out of box experience will be this file based mechanism for > authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ATLAS-497) Simple Authorization
[
https://issues.apache.org/jira/browse/ATLAS-497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15258310#comment-15258310
]
ATLAS QA commented on ATLAS-497:
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12800808/ATLAS-497.1.patch
against master revision 5357472.
{color:red}-1 patch{color}. master compilation may be broken.
Console output: https://builds.apache.org/job/PreCommit-ATLAS-Build/180//console
This message is automatically generated.
> Simple Authorization
>
>
> Key: ATLAS-497
> URL: https://issues.apache.org/jira/browse/ATLAS-497
> Project: Atlas
> Issue Type: New Feature
>Affects Versions: 0.7-incubating
>Reporter: Erik Bergenholtz
>Assignee: Saqeeb Shaikh
> Fix For: 0.7-incubating
>
> Attachments: ATLAS-497.1.patch, ATLAS-497.patch
>
>
> Atlas needs to support a simple (out of box) authorization mechanism.
> Defined Roles:
> - Data Scientist: provides a read only view (GET)
> - Data Steward: provides a read/edit view (PUT, POST, DELETE)
> - Admin (can do anything)
> All can comment on entity
> Requirements
> - Atlas will implement a simple file based store for providing user to role
> mapping
> - The out of box experience will be this file based mechanism for
> authorization
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ATLAS-497) Simple Authorization
[ https://issues.apache.org/jira/browse/ATLAS-497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15206433#comment-15206433 ] Erik Bergenholtz commented on ATLAS-497: Determining if the store for persisting user/role mappings can be HBase - TBD. > Simple Authorization > > > Key: ATLAS-497 > URL: https://issues.apache.org/jira/browse/ATLAS-497 > Project: Atlas > Issue Type: New Feature >Affects Versions: 0.7-incubating >Reporter: Erik Bergenholtz > Fix For: 0.7-incubating > > > Atlas needs to support a simple (out of box) authorization mechanism. > Defined Roles: > - Data Scientist: provides a read only view (GET) > - Data Steward: provides a read/edit view (PUT, POST, DELETE) > - Admin (can do anything) > All can comment on entity > Requirements > - Atlas will implement a simple file based store for providing user to role > mapping > - The out of box experience will be this file based mechanism for > authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
