http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyParser.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyParser.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyParser.java
deleted file mode 100644
index f61bbf7..0000000
--- a/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyParser.java
+++ /dev/null
@@ -1,252 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.atlas.authorize.simple;
-
-import org.apache.atlas.authorize.AtlasActionTypes;
-import org.apache.atlas.authorize.AtlasResourceTypes;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.regex.Pattern;
-
-public class PolicyParser {
-
- private static Logger LOG = LoggerFactory.getLogger(PolicyParser.class);
- private static boolean isDebugEnabled = LOG.isDebugEnabled();
- public static final int POLICYNAME = 0;
-
- public static final int USER_INDEX = 1;
- public static final int USERNAME = 0;
- public static final int USER_AUTHORITIES = 1;
-
- public static final int GROUP_INDEX = 2;
- public static final int GROUPNAME = 0;
- public static final int GROUP_AUTHORITIES = 1;
-
- public static final int RESOURCE_INDEX = 3;
- public static final int RESOURCE_TYPE = 0;
- public static final int RESOURCE_NAME = 1;
-
- private List<AtlasActionTypes> getListOfAutorities(String auth) {
- if (isDebugEnabled) {
- LOG.debug("==> PolicyParser getListOfAutorities");
- }
- List<AtlasActionTypes> authorities = new ArrayList<>();
-
- for (int i = 0; i < auth.length(); i++) {
- char access = auth.toLowerCase().charAt(i);
- switch (access) {
- case 'r':
- authorities.add(AtlasActionTypes.READ);
- break;
- case 'w':
- authorities.add(AtlasActionTypes.CREATE);
- break;
- case 'u':
- authorities.add(AtlasActionTypes.UPDATE);
- break;
- case 'd':
- authorities.add(AtlasActionTypes.DELETE);
- break;
-
- default:
- if (LOG.isErrorEnabled()) {
- LOG.error("Invalid action: '{}'", access);
- }
- break;
- }
- }
- if (isDebugEnabled) {
- LOG.debug("<== PolicyParser getListOfAutorities");
- }
- return authorities;
- }
-
- public List<PolicyDef> parsePolicies(List<String> policies) {
- if (isDebugEnabled) {
- LOG.debug("==> PolicyParser parsePolicies");
- }
- List<PolicyDef> policyDefs = new ArrayList<>();
- for (String policy : policies) {
- PolicyDef policyDef = parsePolicy(policy);
- if (policyDef != null) {
- policyDefs.add(policyDef);
- }
- }
- if (isDebugEnabled) {
- LOG.debug("<== PolicyParser parsePolicies");
- LOG.debug(policyDefs.toString());
- }
- return policyDefs;
- }
-
- private PolicyDef parsePolicy(String data) {
- if (isDebugEnabled) {
- LOG.debug("==> PolicyParser parsePolicy");
- }
- PolicyDef def = null;
- String[] props = data.split(";;");
-
- if (props.length < RESOURCE_INDEX) {
- LOG.warn("skipping invalid policy line: {}", data);
- } else {
- def = new PolicyDef();
- def.setPolicyName(props[POLICYNAME]);
- parseUsers(props[USER_INDEX], def);
- parseGroups(props[GROUP_INDEX], def);
- parseResources(props[RESOURCE_INDEX], def);
- if (isDebugEnabled) {
- LOG.debug("policy successfully parsed!!!");
- LOG.debug("<== PolicyParser parsePolicy");
- }
- }
- return def;
- }
-
- private boolean validateEntity(String entity) {
- if (isDebugEnabled) {
- LOG.debug("==> PolicyParser validateEntity");
- }
- boolean isValidEntity = Pattern.matches("(.+:.+)+", entity);
- boolean isEmpty = entity.isEmpty();
- if (!isValidEntity || isEmpty) {
- if (isDebugEnabled) {
- LOG.debug("group/user/resource not properly define in Policy");
- LOG.debug("<== PolicyParser validateEntity");
- }
- return false;
- } else {
- if (isDebugEnabled) {
- LOG.debug("<== PolicyParser validateEntity");
- }
- return true;
- }
-
- }
-
- private void parseUsers(String usersDef, PolicyDef def) {
- if (isDebugEnabled) {
- LOG.debug("==> PolicyParser parseUsers");
- }
- String[] users = usersDef.split(",");
- String[] userAndRole = null;
- Map<String, List<AtlasActionTypes>> usersMap = new HashMap<>();
- if (validateEntity(usersDef)) {
- for (String user : users) {
- if (!Pattern.matches("(.+:.+)+", user)) {
- continue;
- }
- userAndRole = user.split(":");
- if (def.getUsers() != null) {
- usersMap = def.getUsers();
- }
- List<AtlasActionTypes> userAutorities = getListOfAutorities(userAndRole[USER_AUTHORITIES]);
- usersMap.put(userAndRole[USERNAME], userAutorities);
- def.setUsers(usersMap);
- }
-
- } else {
- def.setUsers(usersMap);
- }
- if (isDebugEnabled) {
- LOG.debug("<== PolicyParser parseUsers");
- }
- }
-
- private void parseGroups(String groupsDef, PolicyDef def) {
- if (isDebugEnabled) {
- LOG.debug("==> PolicyParser parseGroups");
- }
- String[] groups = groupsDef.split("\\,");
- String[] groupAndRole = null;
- Map<String, List<AtlasActionTypes>> groupsMap = new HashMap<>();
- if (validateEntity(groupsDef.trim())) {
- for (String group : groups) {
- if (!Pattern.matches("(.+:.+)+", group)) {
- continue;
- }
- groupAndRole = group.split("[:]");
- if (def.getGroups() != null) {
- groupsMap = def.getGroups();
- }
- List<AtlasActionTypes> groupAutorities = getListOfAutorities(groupAndRole[GROUP_AUTHORITIES]);
- groupsMap.put(groupAndRole[GROUPNAME], groupAutorities);
- def.setGroups(groupsMap);
- }
-
- } else {
- def.setGroups(groupsMap);
- }
- if (isDebugEnabled) {
- LOG.debug("<== PolicyParser parseGroups");
- }
-
- }
-
- private void parseResources(String resourceDef, PolicyDef def) {
- if (isDebugEnabled) {
- LOG.debug("==> PolicyParser parseResources");
- }
- String[] resources = resourceDef.split(",");
- String[] resourceTypeAndName = null;
- Map<AtlasResourceTypes, List<String>> resourcesMap = new HashMap<>();
- if (validateEntity(resourceDef)) {
- for (String resource : resources) {
- if (!Pattern.matches("(.+:.+)+", resource)) {
- continue;
- }
- resourceTypeAndName = resource.split("[:]");
- if (def.getResources() != null) {
- resourcesMap = def.getResources();
- }
- AtlasResourceTypes resourceType = null;
- String type = resourceTypeAndName[RESOURCE_TYPE].toUpperCase();
- if (type.equalsIgnoreCase("ENTITY")) {
- resourceType = AtlasResourceTypes.ENTITY;
- } else if (type.equalsIgnoreCase("OPERATION")) {
- resourceType = AtlasResourceTypes.OPERATION;
- } else if (type.equalsIgnoreCase("TYPE")) {
- resourceType = AtlasResourceTypes.TYPE;
- } else if (type.equalsIgnoreCase("RELATIONSHIP")) {
- resourceType = AtlasResourceTypes.RELATIONSHIP;
- } else {
- LOG.warn(type + " is invalid resource please check PolicyStore file");
- continue;
- }
-
- List<String> resourceList = resourcesMap.get(resourceType);
- if (resourceList == null) {
- resourceList = new ArrayList<>();
- }
- resourceList.add(resourceTypeAndName[RESOURCE_NAME]);
- resourcesMap.put(resourceType, resourceList);
- def.setResources(resourcesMap);
- }
- } else {
- def.setResources(resourcesMap);
- }
- if (isDebugEnabled) {
- LOG.debug("<== PolicyParser parseResources");
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyUtil.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyUtil.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyUtil.java
deleted file mode 100644
index 9c08e40..0000000
--- a/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyUtil.java
+++ /dev/null
@@ -1,107 +0,0 @@
-/** Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.atlas.authorize.simple;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-
-import org.apache.atlas.authorize.AtlasActionTypes;
-import org.apache.atlas.authorize.AtlasResourceTypes;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class PolicyUtil {
-
- private static Logger LOG = LoggerFactory.getLogger(PolicyUtil.class);
- private static boolean isDebugEnabled = LOG.isDebugEnabled();
-
-
- public static Map<String, Map<AtlasResourceTypes, List<String>>> createPermissionMap(List<PolicyDef> policyDefList,
- AtlasActionTypes permissionType, SimpleAtlasAuthorizer.AtlasAccessorTypes principalType) {
- if (isDebugEnabled) {
- LOG.debug("==> PolicyUtil createPermissionMap\nCreating Permission Map for :: {} & {}", permissionType, principalType);
- }
- Map<String, Map<AtlasResourceTypes, List<String>>> userReadMap =
- new HashMap<>();
-
- // Iterate over the list of policies to create map
- for (PolicyDef policyDef : policyDefList) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Processing policy def : {}", policyDef);
- }
-
- Map<String, List<AtlasActionTypes>> principalMap =
- principalType.equals(SimpleAtlasAuthorizer.AtlasAccessorTypes.USER) ? policyDef.getUsers() : policyDef
- .getGroups();
- // For every policy extract the resource list and populate the user map
- for (Entry<String, List<AtlasActionTypes>> e : principalMap.entrySet()) {
- // Check if the user has passed permission type like READ
- if (!e.getValue().contains(permissionType)) {
- continue;
- }
- // See if the current user is already added to map
- String username = e.getKey();
- Map<AtlasResourceTypes, List<String>> userResourceList = userReadMap.get(username);
-
- // If its not added then create a new resource list
- if (userResourceList == null) {
- if (isDebugEnabled) {
- LOG.debug("Resource list not found for {}, creating it", username);
- }
- userResourceList = new HashMap<>();
- }
- /*
- * Iterate over resources from the current policy def and update the resource list for the current user
- */
- for (Entry<AtlasResourceTypes, List<String>> resourceTypeMap : policyDef.getResources().entrySet()) {
- // For the current resourceType in the policyDef, get the
- // current list of resources already added
- AtlasResourceTypes type = resourceTypeMap.getKey();
- List<String> resourceList = userResourceList.get(type);
-
- if (resourceList == null) {
- // if the resource list was not added for this type then
- // create and add all the resources in this policy
- resourceList = new ArrayList<>();
- resourceList.addAll(resourceTypeMap.getValue());
- } else {
- // if the resource list is present then merge both the
- // list
- resourceList.removeAll(resourceTypeMap.getValue());
- resourceList.addAll(resourceTypeMap.getValue());
- }
-
- userResourceList.put(type, resourceList);
- }
- userReadMap.put(username, userResourceList);
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("userReadMap {}", userReadMap);
- }
- }
- }
- if (isDebugEnabled) {
- LOG.debug("Returning Map for {} :: {}", principalType, userReadMap);
- LOG.debug("<== PolicyUtil createPermissionMap");
- }
- return userReadMap;
-
- }
-}
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizer.java
----------------------------------------------------------------------
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizer.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizer.java
deleted file mode 100644
index 2eb0cd5..0000000
--- a/authorization/src/main/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizer.java
+++ /dev/null
@@ -1,381 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.atlas.authorize.simple;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import java.util.Map;
-
-import org.apache.atlas.ApplicationProperties;
-import org.apache.atlas.AtlasException;
-import org.apache.atlas.authorize.AtlasAccessRequest;
-import org.apache.atlas.authorize.AtlasActionTypes;
-import org.apache.atlas.authorize.AtlasAuthorizationException;
-import org.apache.atlas.authorize.AtlasAuthorizer;
-import org.apache.atlas.authorize.AtlasResourceTypes;
-import org.apache.atlas.utils.PropertiesUtil;
-import org.apache.commons.collections.CollectionUtils;
-import org.apache.commons.io.FilenameUtils;
-import org.apache.commons.io.IOCase;
-import org.apache.commons.lang.StringUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.annotations.VisibleForTesting;
-
-public final class SimpleAtlasAuthorizer implements AtlasAuthorizer {
-
- public enum AtlasAccessorTypes {
- USER, GROUP
- }
-
- private static final Logger LOG = LoggerFactory.getLogger(SimpleAtlasAuthorizer.class);
- private boolean isDebugEnabled = LOG.isDebugEnabled();
- private final static String WILDCARD_ASTERISK = "*";
- private final static String WILDCARDS = "*?";
- private boolean optIgnoreCase = false;
-
- private Map<String, Map<AtlasResourceTypes, List<String>>> userReadMap = null;
- private Map<String, Map<AtlasResourceTypes, List<String>>> userWriteMap = null;
- private Map<String, Map<AtlasResourceTypes, List<String>>> userUpdateMap = null;
- private Map<String, Map<AtlasResourceTypes, List<String>>> userDeleteMap = null;
- private Map<String, Map<AtlasResourceTypes, List<String>>> groupReadMap = null;
- private Map<String, Map<AtlasResourceTypes, List<String>>> groupWriteMap = null;
- private Map<String, Map<AtlasResourceTypes, List<String>>> groupUpdateMap = null;
- private Map<String, Map<AtlasResourceTypes, List<String>>> groupDeleteMap = null;
-
- public SimpleAtlasAuthorizer() {
- }
-
-
- @Override
- public void init() {
- if (isDebugEnabled) {
- LOG.debug("==> SimpleAtlasAuthorizer init");
- }
- try {
-
- PolicyParser parser = new PolicyParser();
- optIgnoreCase = Boolean.valueOf(PropertiesUtil.getProperty("optIgnoreCase", "false"));
-
- if (isDebugEnabled) {
- LOG.debug("Read from PropertiesUtil --> optIgnoreCase :: {}", optIgnoreCase);
- }
-
- InputStream policyStoreStream = ApplicationProperties.getFileAsInputStream(ApplicationProperties.get(), "atlas.auth.policy.file", "policy-store.txt");
- List<String> policies = null;
- try {
- policies = FileReaderUtil.readFile(policyStoreStream);
- }
- finally {
- policyStoreStream.close();
- }
- List<PolicyDef> policyDef = parser.parsePolicies(policies);
-
- userReadMap = PolicyUtil.createPermissionMap(policyDef, AtlasActionTypes.READ, AtlasAccessorTypes.USER);
- userWriteMap = PolicyUtil.createPermissionMap(policyDef, AtlasActionTypes.CREATE, AtlasAccessorTypes.USER);
- userUpdateMap = PolicyUtil.createPermissionMap(policyDef, AtlasActionTypes.UPDATE, AtlasAccessorTypes.USER);
- userDeleteMap = PolicyUtil.createPermissionMap(policyDef, AtlasActionTypes.DELETE, AtlasAccessorTypes.USER);
-
- groupReadMap = PolicyUtil.createPermissionMap(policyDef, AtlasActionTypes.READ, AtlasAccessorTypes.GROUP);
- groupWriteMap = PolicyUtil.createPermissionMap(policyDef, AtlasActionTypes.CREATE, AtlasAccessorTypes.GROUP);
- groupUpdateMap = PolicyUtil.createPermissionMap(policyDef, AtlasActionTypes.UPDATE, AtlasAccessorTypes.GROUP);
- groupDeleteMap = PolicyUtil.createPermissionMap(policyDef, AtlasActionTypes.DELETE, AtlasAccessorTypes.GROUP);
-
- if (isDebugEnabled) {
- LOG.debug("\n\nUserReadMap :: {}\nGroupReadMap :: {}", userReadMap, groupReadMap);
- LOG.debug("\n\nUserWriteMap :: {}\nGroupWriteMap :: {}", userWriteMap, groupWriteMap);
- LOG.debug("\n\nUserUpdateMap :: {}\nGroupUpdateMap :: {}", userUpdateMap, groupUpdateMap);
- LOG.debug("\n\nUserDeleteMap :: {}\nGroupDeleteMap :: {}", userDeleteMap, groupDeleteMap);
- }
-
- } catch (IOException | AtlasException e) {
- if (LOG.isErrorEnabled()) {
- LOG.error("SimpleAtlasAuthorizer could not be initialized properly due to : ", e);
- }
- throw new RuntimeException(e);
- }
- }
-
- @Override
- public boolean isAccessAllowed(AtlasAccessRequest request) throws AtlasAuthorizationException {
- if (isDebugEnabled) {
- LOG.debug("==> SimpleAtlasAuthorizer isAccessAllowed");
- LOG.debug("isAccessAllowd({})", request);
- }
- String user = request.getUser();
- Set<String> groups = request.getUserGroups();
- AtlasActionTypes action = request.getAction();
- String resource = request.getResource();
- Set<AtlasResourceTypes> resourceTypes = request.getResourceTypes();
- if (isDebugEnabled)
- LOG.debug("Checking for :: \nUser :: {}\nGroups :: {}\nAction :: {}\nResource :: {}", user, groups, action, resource);
-
- boolean isAccessAllowed = false;
- boolean isUser = user != null;
- boolean isGroup = groups != null;
-
- if ((!isUser && !isGroup) || action == null || resource == null) {
- if (isDebugEnabled) {
- LOG.debug("Please check the formation AtlasAccessRequest.");
- }
- return isAccessAllowed;
- } else {
- if (isDebugEnabled) {
- LOG.debug("checkAccess for Operation :: {} on Resource {}:{}", action, resourceTypes, resource);
- }
- switch (action) {
- case READ:
- isAccessAllowed = checkAccess(user, resourceTypes, resource, userReadMap);
- isAccessAllowed =
- isAccessAllowed || checkAccessForGroups(groups, resourceTypes, resource, groupReadMap);
- break;
- case CREATE:
- isAccessAllowed = checkAccess(user, resourceTypes, resource, userWriteMap);
- isAccessAllowed =
- isAccessAllowed || checkAccessForGroups(groups, resourceTypes, resource, groupWriteMap);
- break;
- case UPDATE:
- isAccessAllowed = checkAccess(user, resourceTypes, resource, userUpdateMap);
- isAccessAllowed =
- isAccessAllowed || checkAccessForGroups(groups, resourceTypes, resource, groupUpdateMap);
- break;
- case DELETE:
- isAccessAllowed = checkAccess(user, resourceTypes, resource, userDeleteMap);
- isAccessAllowed =
- isAccessAllowed || checkAccessForGroups(groups, resourceTypes, resource, groupDeleteMap);
- break;
- default:
- if (isDebugEnabled) {
- LOG.debug("Invalid Action {}\nRaising AtlasAuthorizationException!!!", action);
- }
- throw new AtlasAuthorizationException("Invalid Action :: " + action);
- }
- }
-
- if (isDebugEnabled) {
- LOG.debug("<== SimpleAtlasAuthorizer isAccessAllowed = {}", isAccessAllowed);
- }
-
- return isAccessAllowed;
- }
-
- private boolean checkAccess(String accessor, Set<AtlasResourceTypes> resourceTypes, String resource,
- Map<String, Map<AtlasResourceTypes, List<String>>> map) {
- if (isDebugEnabled) {
- LOG.debug("==> SimpleAtlasAuthorizer checkAccess");
- LOG.debug("Now checking access for accessor : {}\nResource Types : {}\nResource : {}\nMap : {}", accessor, resourceTypes, resource, map);
- }
- boolean result = true;
- Map<AtlasResourceTypes, List<String>> rescMap = map.get(accessor);
- if (rescMap != null) {
- for (AtlasResourceTypes resourceType : resourceTypes) {
- List<String> accessList = rescMap.get(resourceType);
- if (isDebugEnabled) {
- LOG.debug("\nChecking for resource : {} in list : {}\n", resource, accessList);
- }
- if (accessList != null) {
- result = result && isMatch(resource, accessList);
- } else {
- result = false;
- }
- }
- } else {
- result = false;
- if (isDebugEnabled)
- LOG.debug("Key {} missing. Returning with result : {}", accessor, result);
- }
-
- if (isDebugEnabled) {
- LOG.debug("Check for {} :: {}", accessor, result);
- LOG.debug("<== SimpleAtlasAuthorizer checkAccess");
- }
- return result;
- }
-
- private boolean checkAccessForGroups(Set<String> groups, Set<AtlasResourceTypes> resourceType, String resource,
- Map<String, Map<AtlasResourceTypes, List<String>>> map) {
- boolean isAccessAllowed = false;
- if (isDebugEnabled) {
- LOG.debug("==> SimpleAtlasAuthorizer checkAccessForGroups");
- }
-
- if(CollectionUtils.isNotEmpty(groups)) {
- for (String group : groups) {
- isAccessAllowed = checkAccess(group, resourceType, resource, map);
- if (isAccessAllowed) {
- break;
- }
- }
- }
-
- if (isDebugEnabled) {
- LOG.debug("<== SimpleAtlasAuthorizer checkAccessForGroups");
- }
- return isAccessAllowed;
- }
-
- private boolean resourceMatchHelper(List<String> policyResource) {
- boolean isMatchAny = false;
- if (isDebugEnabled) {
- LOG.debug("==> SimpleAtlasAuthorizer resourceMatchHelper");
- }
-
- boolean optWildCard = true;
-
- List<String> policyValues = new ArrayList<>();
-
- if (policyResource != null) {
- boolean isWildCardPresent = !optWildCard;
- for (String policyValue : policyResource) {
- if (StringUtils.isEmpty(policyValue)) {
- continue;
- }
- if (StringUtils.containsOnly(policyValue, WILDCARD_ASTERISK)) {
- isMatchAny = true;
- } else if (!isWildCardPresent && StringUtils.containsAny(policyValue, WILDCARDS)) {
- isWildCardPresent = true;
- }
- policyValues.add(policyValue);
- }
- optWildCard = optWildCard && isWildCardPresent;
- } else {
- isMatchAny = false;
- }
-
- if (isDebugEnabled) {
- LOG.debug("<== SimpleAtlasAuthorizer resourceMatchHelper");
- }
- return isMatchAny;
- }
-
- private boolean isMatch(String resource, List<String> policyValues) {
- if (isDebugEnabled) {
- LOG.debug("==> SimpleAtlasAuthorizer isMatch");
- }
- boolean isMatchAny = resourceMatchHelper(policyValues);
- boolean isMatch = false;
- boolean allValuesRequested = isAllValuesRequested(resource);
-
- if (allValuesRequested || isMatchAny) {
- isMatch = isMatchAny;
- } else {
- for (String policyValue : policyValues) {
- if (policyValue.contains("*")) {
- isMatch =
- optIgnoreCase ? FilenameUtils.wildcardMatch(resource, policyValue, IOCase.INSENSITIVE)
- : FilenameUtils.wildcardMatch(resource, policyValue, IOCase.SENSITIVE);
- } else {
- isMatch =
- optIgnoreCase ? StringUtils.equalsIgnoreCase(resource, policyValue) : StringUtils.equals(
- resource, policyValue);
- }
- if (isMatch) {
- break;
- }
- }
- }
-
- if (!isMatch) {
- if (isDebugEnabled) {
- StringBuilder sb = new StringBuilder();
- sb.append("[");
- for (String policyValue : policyValues) {
- sb.append(policyValue);
- sb.append(" ");
- }
- sb.append("]");
-
- LOG.debug("AtlasDefaultResourceMatcher.isMatch returns FALSE, (resource={}, policyValues={})", resource, sb.toString());
- }
-
- }
-
- if (isDebugEnabled) {
- LOG.debug("<== SimpleAtlasAuthorizer isMatch({}): {}", resource, isMatch);
- }
-
- return isMatch;
- }
-
- private boolean isAllValuesRequested(String resource) {
- return StringUtils.isEmpty(resource) || WILDCARD_ASTERISK.equals(resource);
- }
-
- @Override
- public void cleanUp() {
- if (isDebugEnabled) {
- LOG.debug("==> +SimpleAtlasAuthorizer cleanUp");
- }
- userReadMap = null;
- userWriteMap = null;
- userUpdateMap = null;
- userDeleteMap = null;
- groupReadMap = null;
- groupWriteMap = null;
- groupUpdateMap = null;
- groupDeleteMap = null;
- if (isDebugEnabled) {
- LOG.debug("<== +SimpleAtlasAuthorizer cleanUp");
- }
- }
-
- /*
- * NOTE :: This method is added for setting the maps for testing purpose.
- */
- @VisibleForTesting
- public void setResourcesForTesting(Map<String, Map<AtlasResourceTypes, List<String>>> userMap,
- Map<String, Map<AtlasResourceTypes, List<String>>> groupMap, AtlasActionTypes actionTypes) {
-
- switch (actionTypes) {
- case READ:
- this.userReadMap = userMap;
- this.groupReadMap = groupMap;
- break;
-
- case CREATE:
-
- this.userWriteMap = userMap;
- this.groupWriteMap = groupMap;
- break;
- case UPDATE:
-
- this.userUpdateMap = userMap;
- this.groupUpdateMap = groupMap;
- break;
- case DELETE:
-
- this.userDeleteMap = userMap;
- this.groupDeleteMap = groupMap;
- break;
-
- default:
- if (isDebugEnabled) {
- LOG.debug("No such action available");
- }
- break;
- }
- }
-
-}
-
-
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/resources/atlas-simple-authz-policy.json
----------------------------------------------------------------------
diff --git a/authorization/src/main/resources/atlas-simple-authz-policy.json b/authorization/src/main/resources/atlas-simple-authz-policy.json
new file mode 100644
index 0000000..01104a8
--- /dev/null
+++ b/authorization/src/main/resources/atlas-simple-authz-policy.json
@@ -0,0 +1,61 @@
+{
+ "roles": {
+ "ROLE_ADMIN": {
+ "adminPermissions": [
+ {
+ "privileges": [ ".*" ]
+ }
+ ],
+
+ "entityPermissions": [
+ {
+ "privileges": [ ".*" ],
+ "entityTypes": [ ".*" ],
+ "entityIds": [ ".*" ],
+ "classifications": [ ".*" ]
+ }
+ ],
+
+ "typePermissions": [
+ {
+ "privileges": [ ".*" ],
+ "typeCategories": [ ".*" ],
+ "typeNames": [ ".*" ]
+ }
+ ]
+ },
+
+ "DATA_SCIENTIST": {
+ "entityPermissions": [
+ {
+ "privileges": [ "entity-read", "entity-read-classification" ],
+ "entityTypes": [ ".*" ],
+ "entityIds": [ ".*" ],
+ "classifications": [ ".*" ]
+ }
+ ]
+ },
+
+ "DATA_STEWARD": {
+ "entityPermissions": [
+ {
+ "privileges": [ "entity-read", "entity-create", "entity-update", "entity-read-classification", "entity-add-classification", "entity-update-classification", "entity-remove-classification" ],
+ "entityTypes": [ ".*" ],
+ "entityIds": [ ".*" ],
+ "classifications": [ ".*" ]
+ }
+ ]
+ }
+ },
+
+ "userRoles": {
+ "admin": [ "ROLE_ADMIN" ]
+ },
+
+ "groupRoles": {
+ "ROLE_ADMIN": [ "ROLE_ADMIN" ],
+ "hadoop": [ "DATA_STEWARD" ],
+ "DATA_STEWARD": [ "DATA_STEWARD" ],
+ "RANGER_TAG_SYNC": [ "DATA_SCIENTIST" ]
+ }
+}
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtilsTest.java
----------------------------------------------------------------------
diff --git a/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtilsTest.java b/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtilsTest.java
deleted file mode 100644
index adebb62..0000000
--- a/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtilsTest.java
+++ /dev/null
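Review bot: The packaged defaults in `groupRoles` hand full `ROLE_ADMIN` to any principal whose group happens to be named `ROLE_ADMIN` and `DATA_STEWARD` (entity create/update plus add/update/remove of classifications) to the `hadoop` group, and `AtlasSimpleAuthorizerTest.testAccessAllowedForGroup` in this same commit confirms that an otherwise unmapped user in group `ROLE_ADMIN` is authorized; because the file ships under `src/main/resources`, a deployment that switches to the simple authorizer without editing it inherits these grants from whatever group source it trusts. I would keep only `"admin": [ "ROLE_ADMIN" ]` in the packaged file and move the `hadoop`, `DATA_STEWARD` and `RANGER_TAG_SYNC` group entries to a documented sample, or at minimum state in the authorizer configuration docs that `groupRoles` must be reviewed before enabling this authorizer. The `.*` values suggest `privileges`, `entityTypes`, `entityIds`, `classifications`, `typeCategories` and `typeNames` are matched as regular expressions, but nothing in this commit says so, nor whether a value such as `hive_table` is anchored or matched as a substring; since JSON has no comment syntax, that contract belongs in the same docs.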
@@ -1,105 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.atlas.authorize.simple;
-
-import org.apache.atlas.authorize.AtlasResourceTypes;
-import org.testng.annotations.Test;
-
-import java.util.Set;
-
-import static org.testng.Assert.assertEquals;
-import static org.testng.Assert.assertTrue;
-
-/**
- * Unit tests for AtlasAuthorizationUtils.
- */
-public class AtlasAuthorizationUtilsTest {
- @Test
- public void testGetApi() {
- String contextPath = "/api/atlas/entities";
- assertEquals(AtlasAuthorizationUtils.getApi(contextPath), "entities");
-
- contextPath = "/api/atlas/entities/111/traits";
- assertEquals(AtlasAuthorizationUtils.getApi(contextPath), "entities");
-
- contextPath = "/api/atlas/v1/entities";
- assertEquals(AtlasAuthorizationUtils.getApi(contextPath), "entities");
-
- contextPath = "/api/atlas/v1/entities/111/tags";
- assertEquals(AtlasAuthorizationUtils.getApi(contextPath), "entities");
-
- // not sure of this use case but the code appears to support url's that don't
- // begin with base url.
- contextPath = "/foo/bar";
- assertEquals(AtlasAuthorizationUtils.getApi(contextPath), "foo");
- }
-
- @Test
- public void testGetAtlasResourceType() throws Exception {
- String contextPath = "/api/atlas/types";
- Set<AtlasResourceTypes> resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
- assertEquals(resourceTypes.size(), 1);
- assertTrue(resourceTypes.contains(AtlasResourceTypes.TYPE));
-
- contextPath = "/api/atlas/admin/foo";
- resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
- assertEquals(resourceTypes.size(), 1);
- assertTrue(resourceTypes.contains(AtlasResourceTypes.OPERATION));
-
- contextPath = "/api/atlas/graph/foo";
- resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
- assertEquals(resourceTypes.size(), 1);
- assertTrue(resourceTypes.contains(AtlasResourceTypes.OPERATION));
-
- contextPath = "/api/atlas/discovery/search/gremlin";
- resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
- assertEquals(resourceTypes.size(), 1);
- assertTrue(resourceTypes.contains(AtlasResourceTypes.OPERATION));
-
- contextPath = "/api/atlas/entities/111/traits";
- resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
- assertEquals(resourceTypes.size(), 1);
- assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
-
- contextPath = "/api/atlas/discovery/search";
- resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
- assertEquals(resourceTypes.size(), 1);
- assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
-
- contextPath = "/api/atlas/entities?type=Column";
- resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
- assertEquals(resourceTypes.size(), 1);
- assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
-
- contextPath = "/api/atlas/lineage";
- resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
- assertEquals(resourceTypes.size(), 1);
- assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
-
- contextPath = "/api/atlas/v1/entities/111";
- resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
- assertEquals(resourceTypes.size(), 1);
- assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
-
- contextPath = "/api/atlas/v1/entities/111/tags/foo";
- resourceTypes = AtlasAuthorizationUtils.getAtlasResourceType(contextPath);
- assertEquals(resourceTypes.size(), 1);
- assertTrue(resourceTypes.contains(AtlasResourceTypes.ENTITY));
- }
-}
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizerTest.java
----------------------------------------------------------------------
diff --git a/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizerTest.java b/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizerTest.java
new file mode 100644
index 0000000..16c8c8c
--- /dev/null
+++ b/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizerTest.java
@@ -0,0 +1,107 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.atlas.authorize.simple; + +import org.apache.atlas.authorize.*; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.testng.annotations.AfterClass; +import org.testng.annotations.BeforeMethod; +import org.testng.annotations.Test; +import org.testng.AssertJUnit; + +import java.util.Collections; + +public class AtlasSimpleAuthorizerTest { + private static Logger LOG = LoggerFactory.getLogger(AtlasSimpleAuthorizerTest.class); + + private String originalConf; + private AtlasAuthorizer authorizer; + + @BeforeMethod + public void setup1() { + originalConf = System.getProperty("atlas.conf"); + + System.setProperty("atlas.conf", "src/test/resources"); + + try { + authorizer = AtlasAuthorizerFactory.getAtlasAuthorizer(); + } catch (Exception e) { + LOG.error("Exception in AtlasSimpleAuthorizerTest setup failed", e); + } + } + + @AfterClass + public void tearDown() throws Exception { + if (originalConf != null) { + System.setProperty("atlas.conf", originalConf); + } + + authorizer = null; + } + + @Test(enabled = true) + public void testAccessAllowedForUserAndGroup() { + try { + AtlasEntityAccessRequest request = new 
AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_UPDATE); + + request.setUser("admin", Collections.singleton("ROLE_ADMIN")); + + boolean isAccessAllowed = authorizer.isAccessAllowed(request); + + AssertJUnit.assertEquals(true, isAccessAllowed); + } catch (Exception e) { + LOG.error("Exception in AtlasSimpleAuthorizerTest", e); + + AssertJUnit.fail(); + } + } + + @Test(enabled = true) + public void testAccessAllowedForGroup() { + try { + AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_UPDATE); + + request.setUser("nonmappeduser", Collections.singleton("ROLE_ADMIN")); + + boolean isAccessAllowed = authorizer.isAccessAllowed(request); + + AssertJUnit.assertEquals(true, isAccessAllowed); + } catch (AtlasAuthorizationException e) { + LOG.error("Exception in AtlasSimpleAuthorizerTest", e); + + AssertJUnit.fail(); + } + } + + @Test(enabled = true) + public void testAccessNotAllowedForUserAndGroup() { + try { + AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_UPDATE); + + request.setUser("nonmappeduser", Collections.singleton("GROUP-NOT-IN-POLICYFILE")); + + boolean isAccessAllowed = authorizer.isAccessAllowed(request); + + AssertJUnit.assertEquals(false, isAccessAllowed); + } catch (AtlasAuthorizationException e) { + LOG.error("Exception in AtlasSimpleAuthorizerTest", e); + + AssertJUnit.fail(); + } + } +} http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyParserTest.java ---------------------------------------------------------------------- diff --git a/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyParserTest.java b/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyParserTest.java deleted file mode 100644 index 3b7869a..0000000 --- a/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyParserTest.java +++ /dev/null 
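Review bot: `tearDown` is `@AfterClass` while `setup1` is `@BeforeMethod`, so from the second test onward `originalConf` holds the value the previous setup wrote (`src/test/resources`) rather than the JVM's original `atlas.conf`, and an originally unset property is never cleared because the null branch does nothing; change the annotation to `@AfterMethod` and restore with `if (originalConf != null) { System.setProperty("atlas.conf", originalConf); } else { System.clearProperty("atlas.conf"); }`. `setup1` also catches `Exception` and only logs, leaving `authorizer` null, so a broken fixture surfaces as a `NullPointerException` from `isAccessAllowed` (uncaught in the two methods that catch only `AtlasAuthorizationException`) instead of as a setup failure; letting the exception propagate from setup, or asserting `authorizer` is non-null there, reports the real cause. The first test method catches `Exception` where the other two catch `AtlasAuthorizationException`; aligning the three would make them read consistently. The `admin`/`ROLE_ADMIN` expectations depend on the `atlas-simple-authz-policy.json` fixture added under `src/test/resources` in this commit, which the class does not mention; a class-level comment naming that fixture would help the next maintainer.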
@@ -1,172 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.atlas.authorize.simple; - -import static org.testng.AssertJUnit.assertEquals; - -import java.util.ArrayList; -import java.util.HashMap; -import java.util.List; -import java.util.Map; - -import org.apache.atlas.authorize.AtlasActionTypes; -import org.apache.atlas.authorize.AtlasResourceTypes; -import org.apache.atlas.authorize.simple.PolicyDef; -import org.apache.atlas.authorize.simple.PolicyParser; -import org.testng.annotations.Test; - -public class PolicyParserTest { - - @Test - public void testParsePoliciesWithAllProperties() { - List<String> policies = new ArrayList<>(); - policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;entity:*abc,operation:*xyz,type:PII"); - /* Creating group data */ - Map<String, List<AtlasActionTypes>> groupMap = new HashMap<>(); - List<AtlasActionTypes> accessList1 = new ArrayList<>(); - accessList1.add(AtlasActionTypes.READ); - accessList1.add(AtlasActionTypes.CREATE); - accessList1.add(AtlasActionTypes.UPDATE); - - groupMap.put("grp1", accessList1); - List<AtlasActionTypes> accessList2 = new ArrayList<>(); - accessList2.add(AtlasActionTypes.UPDATE); - groupMap.put("grp2", accessList2); - - /* 
Creating user data */ - Map<String, List<AtlasActionTypes>> usersMap = new HashMap<>(); - List<AtlasActionTypes> usr1AccessList = new ArrayList<>(); - usr1AccessList.add(AtlasActionTypes.READ); - usersMap.put("usr1", usr1AccessList); - - List<AtlasActionTypes> usr2AccessList = new ArrayList<>(); - usr2AccessList.add(AtlasActionTypes.READ); - usr2AccessList.add(AtlasActionTypes.CREATE); - usersMap.put("usr2", usr2AccessList); - - /* Creating resources data */ - Map<AtlasResourceTypes, List<String>> resourceMap = new HashMap<>(); - List<String> resource1List = new ArrayList<>(); - resource1List.add("*abc"); - resourceMap.put(AtlasResourceTypes.ENTITY, resource1List); - - List<String> resource2List = new ArrayList<>(); - resource2List.add("*xyz"); - resourceMap.put(AtlasResourceTypes.OPERATION, resource2List); - - List<String> resource3List = new ArrayList<>(); - resource3List.add("PII"); - resourceMap.put(AtlasResourceTypes.TYPE, resource3List); - - List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies); - for (PolicyDef def : policyDefs) { - - assertEquals(def.getPolicyName(), "hivePolicy"); - assertEquals(def.getGroups(), groupMap); - assertEquals(def.getUsers(), usersMap); - assertEquals(def.getResources(), resourceMap); - - } - - } - - @Test - public void testParsePoliciesWithOutUserProperties() { - List<String> policies = new ArrayList<>(); - policies.add("hivePolicy;;;;grp1:rwu,grp2:u;;entity:*abc,operation:*xyz,type:PII"); - // Creating group data - Map<String, List<AtlasActionTypes>> groupMap = new HashMap<>(); - List<AtlasActionTypes> accessList1 = new ArrayList<>(); - accessList1.add(AtlasActionTypes.READ); - accessList1.add(AtlasActionTypes.CREATE); - accessList1.add(AtlasActionTypes.UPDATE); - - groupMap.put("grp1", accessList1); - List<AtlasActionTypes> accessList2 = new ArrayList<>(); - accessList2.add(AtlasActionTypes.UPDATE); - groupMap.put("grp2", accessList2); - - // Creating user data - Map<String, List<AtlasActionTypes>> usersMap 
= new HashMap<>(); - - // Creating resources data - Map<AtlasResourceTypes, List<String>> resourceMap = new HashMap<>(); - List<String> resource1List = new ArrayList<>(); - resource1List.add("*abc"); - resourceMap.put(AtlasResourceTypes.ENTITY, resource1List); - - List<String> resource2List = new ArrayList<>(); - resource2List.add("*xyz"); - resourceMap.put(AtlasResourceTypes.OPERATION, resource2List); - - List<String> resource3List = new ArrayList<>(); - resource3List.add("PII"); - resourceMap.put(AtlasResourceTypes.TYPE, resource3List); - - List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies); - for (PolicyDef def : policyDefs) { - - assertEquals(def.getPolicyName(), "hivePolicy"); - assertEquals(def.getGroups(), groupMap); - assertEquals(def.getUsers(), usersMap); - assertEquals(def.getResources(), resourceMap); - - } - - } - - @Test - public void testParsePoliciesWithOutGroupProperties() { - List<String> policies = new ArrayList<>(); - policies.add("hivePolicy;;usr1:r,usr2:rw;;;;entity:*abc,operation:*xyz,type:PII"); - // Creating group data - Map<String, List<AtlasActionTypes>> groupMap = new HashMap<>(); - - // Creating user data - Map<String, List<AtlasActionTypes>> usersMap = new HashMap<>(); - List<AtlasActionTypes> usr1AccessList = new ArrayList<>(); - usr1AccessList.add(AtlasActionTypes.READ); - usersMap.put("usr1", usr1AccessList); - - List<AtlasActionTypes> usr2AccessList = new ArrayList<>(); - usr2AccessList.add(AtlasActionTypes.READ); - usr2AccessList.add(AtlasActionTypes.CREATE); - usersMap.put("usr2", usr2AccessList); - - // Creating resources data - Map<AtlasResourceTypes, List<String>> resourceMap = new HashMap<>(); - List<String> resource1List = new ArrayList<>(); - resource1List.add("*abc"); - resourceMap.put(AtlasResourceTypes.ENTITY, resource1List); - - List<String> resource2List = new ArrayList<>(); - resource2List.add("*xyz"); - resourceMap.put(AtlasResourceTypes.OPERATION, resource2List); - - List<String> resource3List = 
new ArrayList<>(); - resource3List.add("PII"); - resourceMap.put(AtlasResourceTypes.TYPE, resource3List); - - List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies); - for (PolicyDef def : policyDefs) { - assertEquals(def.getPolicyName(), "hivePolicy"); - assertEquals(def.getGroups(), groupMap); - assertEquals(def.getUsers(), usersMap); - assertEquals(def.getResources(), resourceMap); - } - } -} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyUtilTest.java ---------------------------------------------------------------------- diff --git a/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyUtilTest.java b/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyUtilTest.java deleted file mode 100644 index 1cefbcd..0000000 --- a/authorization/src/test/java/org/apache/atlas/authorize/simple/PolicyUtilTest.java +++ /dev/null 
@@ -1,100 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.atlas.authorize.simple; - -import static org.testng.AssertJUnit.assertEquals; - -import java.util.ArrayList; -import java.util.HashMap; -import java.util.List; -import java.util.Map; -import org.apache.atlas.authorize.simple.SimpleAtlasAuthorizer; -import org.apache.atlas.authorize.AtlasActionTypes; -import org.apache.atlas.authorize.AtlasResourceTypes; -import org.apache.atlas.authorize.simple.PolicyDef; -import org.apache.atlas.authorize.simple.PolicyParser; -import org.apache.atlas.authorize.simple.PolicyUtil; -import org.testng.annotations.Test; - -public class PolicyUtilTest { - - @Test - public void testCreatePermissionMap() { - - HashMap<AtlasResourceTypes, List<String>> resourceMap = new HashMap<>(); - List<String> resource1List = new ArrayList<>(); - resource1List.add("*abc"); - resourceMap.put(AtlasResourceTypes.ENTITY, resource1List); - - List<String> resource2List = new ArrayList<>(); - resource2List.add("*xyz"); - resourceMap.put(AtlasResourceTypes.OPERATION, resource2List); - - List<String> resource3List = new ArrayList<>(); - resource3List.add("PII"); - resourceMap.put(AtlasResourceTypes.TYPE, resource3List); - - 
Map<String, HashMap<AtlasResourceTypes, List<String>>> permissionMap = - new HashMap<>(); - permissionMap.put("grp1", resourceMap); - - List<String> policies = new ArrayList<>(); - policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;entity:*abc,operation:*xyz,type:PII"); - List<PolicyDef> policyDefList = new PolicyParser().parsePolicies(policies); - - Map<String, Map<AtlasResourceTypes, List<String>>> createdPermissionMap = - new PolicyUtil().createPermissionMap(policyDefList, AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.GROUP); - - assertEquals(permissionMap, createdPermissionMap); - - } - - @Test - public void testMergeCreatePermissionMap() { - - HashMap<AtlasResourceTypes, List<String>> resourceMap = new HashMap<>(); - List<String> resource1List = new ArrayList<>(); - resource1List.add("*abc"); - resourceMap.put(AtlasResourceTypes.ENTITY, resource1List); - - List<String> resource2List = new ArrayList<>(); - resource2List.add("*x"); - resource2List.add("*xyz"); - resourceMap.put(AtlasResourceTypes.OPERATION, resource2List); - - List<String> resource3List = new ArrayList<>(); - resource3List.add("PII"); - resourceMap.put(AtlasResourceTypes.TYPE, resource3List); - - Map<String, HashMap<AtlasResourceTypes, List<String>>> permissionMap = - new HashMap<>(); - permissionMap.put("grp1", resourceMap); - - List<String> policies = new ArrayList<>(); - policies.add("hivePolicys;;;;grp1:rwu;;entity:*abc,operation:*xyz,operation:*x"); - policies.add("hivePolicy;;;;grp1:rwu;;entity:*abc,operation:*xyz"); - policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu;;entity:*abc,operation:*xyz"); - policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;entity:*abc,operation:*xyz,type:PII"); - List<PolicyDef> policyDefList = new PolicyParser().parsePolicies(policies); - - Map<String, Map<AtlasResourceTypes, List<String>>> createdPermissionMap = - new PolicyUtil().createPermissionMap(policyDefList, AtlasActionTypes.READ, 
SimpleAtlasAuthorizer.AtlasAccessorTypes.GROUP); - - assertEquals(permissionMap, createdPermissionMap); - - } -} http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/test/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizerTest.java ---------------------------------------------------------------------- diff --git a/authorization/src/test/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizerTest.java b/authorization/src/test/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizerTest.java deleted file mode 100644 index b36c9c7..0000000 --- a/authorization/src/test/java/org/apache/atlas/authorize/simple/SimpleAtlasAuthorizerTest.java +++ /dev/null 
@@ -1,208 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.atlas.authorize.simple; - -import java.util.ArrayList; -import java.util.HashSet; -import java.util.List; -import java.util.Set; -import java.util.Map; - -import org.apache.atlas.authorize.*; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.testng.AssertJUnit; -import org.testng.annotations.Test; - -public class SimpleAtlasAuthorizerTest { - - private static Logger LOG = LoggerFactory - .getLogger(SimpleAtlasAuthorizerTest.class); - - @Test - public void testAccessAllowedForUserAndGroup() { - - Map<String, Map<AtlasResourceTypes, List<String>>> userReadMap = null; - Map<String, Map<AtlasResourceTypes, List<String>>> groupReadMap = null; - List<String> policies = new ArrayList<>(); - policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;type:*abc,type:PII"); - - List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies); - PolicyUtil policyUtil = new PolicyUtil(); - // group read map - groupReadMap = policyUtil.createPermissionMap(policyDefs, - AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.GROUP); - // creating user readMap - userReadMap = 
policyUtil.createPermissionMap(policyDefs, - AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.USER); - - Set<AtlasResourceTypes> resourceType = new HashSet<>(); - resourceType.add(AtlasResourceTypes.TYPE); - String resource = "xsdfhjabc"; - AtlasActionTypes action = AtlasActionTypes.READ; - String user = "usr1"; - - Set<String> userGroups = new HashSet<>(); - userGroups.add("grp3"); - try { - AtlasAccessRequest request = new AtlasAccessRequest(resourceType, - resource, action, user, userGroups,"127.0.0.1"); - SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory - .getAtlasAuthorizer(); - - authorizer - .setResourcesForTesting(userReadMap, groupReadMap, action); - - boolean isAccessAllowed = authorizer.isAccessAllowed(request); - // getUserReadMap - AssertJUnit.assertEquals(true, isAccessAllowed); - } catch (AtlasAuthorizationException e) { - if (LOG.isErrorEnabled()) { - LOG.error("AtlasAuthorizationException in Unit Test", e); - } - } - - } - - @Test - public void testAccessAllowedForGroup() { - - Map<String, Map<AtlasResourceTypes, List<String>>> userReadMap = null; - Map<String, Map<AtlasResourceTypes, List<String>>> groupReadMap = null; - List<String> policies = new ArrayList<>(); - policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;type:PII"); - - List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies); - PolicyUtil policyUtil = new PolicyUtil(); - // creating group read map - groupReadMap = policyUtil.createPermissionMap(policyDefs, - AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.GROUP); - // creating user readMap - userReadMap = policyUtil.createPermissionMap(policyDefs, - AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.USER); - - Set<AtlasResourceTypes> resourceType = new HashSet<>(); - resourceType.add(AtlasResourceTypes.TYPE); - String resource = "PII"; - AtlasActionTypes action = AtlasActionTypes.READ; - String user = "usr3"; - Set<String> userGroups = 
new HashSet<>(); - userGroups.add("grp1"); - AtlasAccessRequest request = new AtlasAccessRequest(resourceType, - resource, action, user, userGroups,"127.0.0.1"); - try { - SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory - .getAtlasAuthorizer(); - authorizer - .setResourcesForTesting(userReadMap, groupReadMap, action); - - boolean isAccessAllowed = authorizer.isAccessAllowed(request); - AssertJUnit.assertEquals(true, isAccessAllowed); - } catch (AtlasAuthorizationException e) { - if (LOG.isErrorEnabled()) { - LOG.error("AtlasAuthorizationException in Unit Test", e); - } - - } - - } - - @Test - public void testResourceNotAvailableInPolicy() { - - Map<String, Map<AtlasResourceTypes, List<String>>> userReadMap = null; - Map<String, Map<AtlasResourceTypes, List<String>>> groupReadMap = null; - List<String> policies = new ArrayList<>(); - policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;type:PII"); - - List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies); - PolicyUtil policyUtil = new PolicyUtil(); - // group read map - groupReadMap = policyUtil.createPermissionMap(policyDefs, - AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.GROUP); - // creating user readMap - userReadMap = policyUtil.createPermissionMap(policyDefs, - AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.USER); - - Set<AtlasResourceTypes> resourceType = new HashSet<>(); - resourceType.add(AtlasResourceTypes.TYPE); - String resource = "abc"; - AtlasActionTypes action = AtlasActionTypes.READ; - String user = "usr1"; - Set<String> userGroups = new HashSet<>(); - userGroups.add("grp1"); - AtlasAccessRequest request = new AtlasAccessRequest(resourceType, - resource, action, user, userGroups,"127.0.0.1"); - try { - SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory - .getAtlasAuthorizer(); - authorizer - .setResourcesForTesting(userReadMap, groupReadMap, action); - - boolean isAccessAllowed 
= authorizer.isAccessAllowed(request); - AssertJUnit.assertEquals(false, isAccessAllowed); - } catch (AtlasAuthorizationException e) { - if (LOG.isErrorEnabled()) { - LOG.error("AtlasAuthorizationException in Unit Test", e); - } - } - - } - - @Test - public void testAccessNotAllowedForUserAndGroup() { - - Map<String, Map<AtlasResourceTypes, List<String>>> userReadMap = null; - Map<String, Map<AtlasResourceTypes, List<String>>> groupReadMap = null; - List<String> policies = new ArrayList<>(); - policies.add("hivePolicy;;usr1:r,usr2:rw;;grp1:rwu,grp2:u;;type:PII"); - - List<PolicyDef> policyDefs = new PolicyParser().parsePolicies(policies); - PolicyUtil policyUtil = new PolicyUtil(); - // group read map - groupReadMap = policyUtil.createPermissionMap(policyDefs, - AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.GROUP); - // creating user readMap - userReadMap = policyUtil.createPermissionMap(policyDefs, - AtlasActionTypes.READ, SimpleAtlasAuthorizer.AtlasAccessorTypes.USER); - - Set<AtlasResourceTypes> resourceType = new HashSet<>(); - resourceType.add(AtlasResourceTypes.TYPE); - String resource = "PII"; - AtlasActionTypes action = AtlasActionTypes.READ; - String user = "usr3"; - Set<String> userGroups = new HashSet<>(); - userGroups.add("grp3"); - AtlasAccessRequest request = new AtlasAccessRequest(resourceType, - resource, action, user, userGroups,"127.0.0.1"); - try { - SimpleAtlasAuthorizer authorizer = (SimpleAtlasAuthorizer) AtlasAuthorizerFactory - .getAtlasAuthorizer(); - authorizer - .setResourcesForTesting(userReadMap, groupReadMap, action); - - boolean isAccessAllowed = authorizer.isAccessAllowed(request); - AssertJUnit.assertEquals(false, isAccessAllowed); - } catch (AtlasAuthorizationException e) { - if (LOG.isErrorEnabled()) { - LOG.error("AtlasAuthorizationException in Unit Test", e); - } - } - - } - -} http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/test/resources/atlas-application.properties 
---------------------------------------------------------------------- diff --git a/authorization/src/test/resources/atlas-application.properties b/authorization/src/test/resources/atlas-application.properties new file mode 100644 index 0000000..e1357b1 --- /dev/null +++ b/authorization/src/test/resources/atlas-application.properties 
@@ -0,0 +1,149 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +#system property +atlas.data=${sys:user.dir}/target/data + + + +#re-use existing property +atlas.graph.data=${atlas.data}/graph + +#plain property +atlas.service=atlas + +#invalid system property +atlas.db=${atlasdb} + +atlas.TypeSystem.impl=org.apache.atlas.typesystem.types.TypeSystem + + + +######### Atlas Server Configs ######### +atlas.rest.address=http://localhost:31000 + +######### Graph Database Configs ######### + + +# Graph database implementation. Value inserted by maven. 
+atlas.graphdb.backend=${graphdb.backend.impl} + +# Graph Storage +atlas.graph.storage.backend=${graph.storage.backend} + +# Entity repository implementation +atlas.EntityAuditRepository.impl=${entity.repository.impl} + +# Graph Search Index Backend +atlas.graph.index.search.backend=${graph.index.backend} + +#Berkeley storage directory +atlas.graph.storage.directory=${sys:atlas.data}/berkley + +#hbase +#For standalone mode , specify localhost +#for distributed mode, specify zookeeper quorum here - For more information refer http://s3.thinkaurelius.com/docs/titan/current/hbase.html#_remote_server_mode_2 + +atlas.graph.storage.hostname=${graph.storage.hostname} +atlas.graph.storage.hbase.regions-per-server=1 +atlas.graph.storage.lock.wait-time=10000 + +#ElasticSearch +atlas.graph.index.search.directory=${sys:atlas.data}/es +atlas.graph.index.search.elasticsearch.client-only=false +atlas.graph.index.search.elasticsearch.local-mode=true +atlas.graph.index.search.elasticsearch.create.sleep=2000 + +# Solr cloud mode properties +atlas.graph.index.search.solr.mode=cloud +atlas.graph.index.search.solr.zookeeper-url=${solr.zk.address} +atlas.graph.index.search.solr.embedded=${tests.solr.embedded} +atlas.graph.index.search.max-result-set-size=150 + +######### Hive Lineage Configs ######### +## Schema +atlas.lineage.schema.query.hive_table=hive_table where __guid='%s'\, columns +atlas.lineage.schema.query.hive_table_v1=hive_table_v1 where __guid='%s'\, columns + +######### Notification Configs ######### +atlas.notification.embedded=true + +atlas.kafka.zookeeper.connect=localhost:19026 +atlas.kafka.bootstrap.servers=localhost:19027 +atlas.kafka.data=${sys:atlas.data}/kafka +atlas.kafka.zookeeper.session.timeout.ms=4000 +atlas.kafka.zookeeper.sync.time.ms=20 +atlas.kafka.consumer.timeout.ms=4000 +atlas.kafka.auto.commit.interval.ms=100 +atlas.kafka.hook.group.id=atlas +atlas.kafka.entities.group.id=atlas_entities +#atlas.kafka.auto.commit.enable=false + 
+atlas.kafka.enable.auto.commit=false +atlas.kafka.auto.offset.reset=earliest +atlas.kafka.session.timeout.ms=30000 + + + +######### Entity Audit Configs ######### +atlas.audit.hbase.tablename=ATLAS_ENTITY_AUDIT_EVENTS +atlas.audit.zookeeper.session.timeout.ms=1000 +atlas.audit.hbase.zookeeper.quorum=localhost +atlas.audit.hbase.zookeeper.property.clientPort=19026 + +######### Security Properties ######### + +# SSL config +atlas.enableTLS=false +atlas.server.https.port=31443 + +######### Security Properties ######### + +hbase.security.authentication=simple + +atlas.hook.falcon.synchronous=true + +######### JAAS Configuration ######## + +atlas.jaas.KafkaClient.loginModuleName = com.sun.security.auth.module.Krb5LoginModule +atlas.jaas.KafkaClient.loginModuleControlFlag = required +atlas.jaas.KafkaClient.option.useKeyTab = true +atlas.jaas.KafkaClient.option.storeKey = true +atlas.jaas.KafkaClient.option.serviceName = kafka +atlas.jaas.KafkaClient.option.keyTab = /etc/security/keytabs/atlas.service.keytab +atlas.jaas.KafkaClient.option.principal = atlas/_h...@example.com + +######### High Availability Configuration ######## +atlas.server.ha.enabled=false +#atlas.server.ids=id1 +#atlas.server.address.id1=localhost:21000 + +######### Atlas Authorization ######### +#atlas.authorizer.impl=none +atlas.authorizer.impl=simple +# atlas.authorizer.simple.authz.policy.file=atlas-simple-authz-policy.json + +######### Atlas Authentication ######### +atlas.authentication.method.file=true +atlas.authentication.method.ldap.type=none +atlas.authentication.method.kerberos=false +# atlas.authentication.method.file.filename=users-credentials.properties + +######### Gremlin Search Configuration ######### +# Set to false to disable gremlin search. +atlas.search.gremlin.enable=true http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/test/resources/atlas-simple-authz-policy.json ---------------------------------------------------------------------- 
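Review bot: `atlas.authorizer.simple.authz.policy.file` is left commented out in the new Atlas Authorization block, so the test depends on the authorizer's built-in default name to find the `atlas-simple-authz-policy.json` fixture added next to this file; setting `atlas.authorizer.simple.authz.policy.file=atlas-simple-authz-policy.json` explicitly (as the distro config in this commit does) records that dependency where the next maintainer will look. Most other entries here (graph backend, Kafka, HBase audit, Solr, the KafkaClient JAAS keytab and principal, `atlas.enableTLS=false`) do not concern the authorization module and look copied from another module's test config; trimming them, or adding a header comment such as `# Only the "Atlas Authorization" section below is used by the tests in this module`, would keep the fixture from being read as a reference configuration. The JAAS principal value `atlas/_h...@example.com` appears to be mangled by the mail archive rather than the committed value, so I would double-check it in the repository.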
diff --git a/authorization/src/test/resources/atlas-simple-authz-policy.json b/authorization/src/test/resources/atlas-simple-authz-policy.json
new file mode 100644
index 0000000..01104a8
--- /dev/null
+++ b/authorization/src/test/resources/atlas-simple-authz-policy.json
@@ -0,0 +1,61 @@
+{
+ "roles": {
+ "ROLE_ADMIN": {
+ "adminPermissions": [
+ {
+ "privileges": [ ".*" ]
+ }
+ ],
+
+ "entityPermissions": [
+ {
+ "privileges": [ ".*" ],
+ "entityTypes": [ ".*" ],
+ "entityIds": [ ".*" ],
+ "classifications": [ ".*" ]
+ }
+ ],
+
+ "typePermissions": [
+ {
+ "privileges": [ ".*" ],
+ "typeCategories": [ ".*" ],
+ "typeNames": [ ".*" ]
+ }
+ ]
+ },
+
+ "DATA_SCIENTIST": {
+ "entityPermissions": [
+ {
+ "privileges": [ "entity-read", "entity-read-classification" ],
+ "entityTypes": [ ".*" ],
+ "entityIds": [ ".*" ],
+ "classifications": [ ".*" ]
+ }
+ ]
+ },
+
+ "DATA_STEWARD": {
+ "entityPermissions": [
+ {
+ "privileges": [ "entity-read", "entity-create", "entity-update", "entity-read-classification", "entity-add-classification", "entity-update-classification", "entity-remove-classification" ],
+ "entityTypes": [ ".*" ],
+ "entityIds": [ ".*" ],
+ "classifications": [ ".*" ]
+ }
+ ]
+ }
+ },
+
+ "userRoles": {
+ "admin": [ "ROLE_ADMIN" ]
+ },
+
+ "groupRoles": {
+ "ROLE_ADMIN": [ "ROLE_ADMIN" ],
+ "hadoop": [ "DATA_STEWARD" ],
+ "DATA_STEWARD": [ "DATA_STEWARD" ],
+ "RANGER_TAG_SYNC": [ "DATA_SCIENTIST" ]
+ }
+}
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/distro/src/conf/atlas-application.properties
----------------------------------------------------------------------
diff --git a/distro/src/conf/atlas-application.properties b/distro/src/conf/atlas-application.properties
index 1f38705..355abf4 100755
--- a/distro/src/conf/atlas-application.properties
+++ b/distro/src/conf/atlas-application.properties
@@ -184,8 +184,9 @@ atlas.server.ha.enabled=false
-#########POLICY FILE PATH #########
-atlas.auth.policy.file=${sys:atlas.home}/conf/policy-store.txt
+######### Atlas Authorization #########
+atlas.authorizer.impl=simple
+atlas.authorizer.simple.authz.policy.file=atlas-simple-authz-policy.json
 ######### Type Cache Implementation ########
 # A type cache class which implements
@@ -193,9 +194,6 @@ atlas.auth.policy.file=${sys:atlas.home}/conf/policy-store.txt
 # The default implementation is org.apache.atlas.typesystem.types.cache.DefaultTypeCache which is a local in-memory type cache.
 #atlas.TypeCache.impl=
-#########authorizer impl class #########
-atlas.authorizer.impl=SIMPLE
-
 ######### Performance Configs #########
 #atlas.graph.storage.lock.retries=10
 #atlas.graph.storage.cache.db-cache-time=120000
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/intg/src/main/java/org/apache/atlas/ApplicationProperties.java
----------------------------------------------------------------------
diff --git a/intg/src/main/java/org/apache/atlas/ApplicationProperties.java b/intg/src/main/java/org/apache/atlas/ApplicationProperties.java
index 320563e..c79c549 100644
--- a/intg/src/main/java/org/apache/atlas/ApplicationProperties.java
+++ b/intg/src/main/java/org/apache/atlas/ApplicationProperties.java
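Review bot: The new `atlas.authorizer.simple.authz.policy.file=atlas-simple-authz-policy.json` is a bare file name, whereas the `atlas.auth.policy.file` line it replaces anchored the path with `${sys:atlas.home}/conf/`. Per the `ApplicationProperties.getFileAsInputStream` change later in this commit, a configured (non-default) name is opened as `new File(fileName)` relative to the working directory and then searched on the classpath, so which policy file governs authorization depends on where the server process is started; for an authorization policy that is worth pinning. Suggest `atlas.authorizer.simple.authz.policy.file=${sys:atlas.home}/conf/atlas-simple-authz-policy.json`, or a comment on the line stating that a relative name resolves against the working directory and then the classpath. The second hunk drops `atlas.authorizer.impl=SIMPLE` in favour of lowercase `simple`; if the implementation lookup is case-sensitive, deployments carrying the old uppercase value may deserve a mention in the release notes.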
@@ -174,57 +174,57 @@ public final class ApplicationProperties extends PropertiesConfiguration {
 * @throws AtlasException if no file was found or if there was an error loading the file
 */
 public static InputStream getFileAsInputStream(Configuration configuration, String propertyName, String defaultFileName) throws AtlasException {
- File fileToLoad = null;
- String fileName = configuration.getString(propertyName);
+ File fileToLoad = null;
+ String fileName = configuration.getString(propertyName);
+
 if (fileName == null) {
 if (defaultFileName == null) {
 throw new AtlasException(propertyName + " property not set and no default value specified");
 }
+
+ LOG.info("{} property not set; defaulting to {}", propertyName, defaultFileName);
+
 fileName = defaultFileName;
+
 String atlasConfDir = System.getProperty(ATLAS_CONFIGURATION_DIRECTORY_PROPERTY);
+
 if (atlasConfDir != null) {
 // Look for default filename in Atlas config directory
 fileToLoad = new File(atlasConfDir, fileName);
- }
- else {
+ } else {
 // Look for default filename under the working directory
 fileToLoad = new File(fileName);
 }
- if (LOG.isDebugEnabled()) {
- LOG.debug("{} property not set - defaulting to {}", propertyName, fileToLoad.getPath());
- }
- }
- else {
+ } else {
 // Look for configured filename
 fileToLoad = new File(fileName);
- if (LOG.isDebugEnabled()) {
- LOG.debug("Using {} property setting: {}", propertyName, fileToLoad.getPath());
- }
 }
 InputStream inStr = null;
+
 if (fileToLoad.exists()) {
 try {
+ LOG.info("Loading file {} from {}", fileName, fileToLoad.getPath());
+
 inStr = new FileInputStream(fileToLoad);
 } catch (FileNotFoundException e) {
 throw new AtlasException("Error loading file " + fileName, e);
 }
- if (LOG.isDebugEnabled()) {
- LOG.debug("Loaded file from : {}", fileToLoad.getPath());
- }
- }
- else {
+ } else {
 // Look for file as class loader resource
 inStr = Thread.currentThread().getContextClassLoader().getResourceAsStream(fileName);
+
 if (inStr == null) {
 String msg =
fileName + " not found in file system or as class loader resource";
+ LOG.error(msg);
+ throw new AtlasException(msg);
 }
- if (LOG.isDebugEnabled()) {
- LOG.debug("Loaded {} as resource from : {}", fileName, Thread.currentThread().getContextClassLoader().getResource(fileName).toString());
- }
+
+ LOG.info("Loaded {} as resource from {}", fileName, Thread.currentThread().getContextClassLoader().getResource(fileName).toString());
 }
+
 return inStr;
 }
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/intg/src/main/java/org/apache/atlas/AtlasErrorCode.java
----------------------------------------------------------------------
diff --git a/intg/src/main/java/org/apache/atlas/AtlasErrorCode.java b/intg/src/main/java/org/apache/atlas/AtlasErrorCode.java
index f1d4536..6ac7786 100644
--- a/intg/src/main/java/org/apache/atlas/AtlasErrorCode.java
+++ b/intg/src/main/java/org/apache/atlas/AtlasErrorCode.java
@@ -126,6 +126,8 @@ public enum AtlasErrorCode {
 CLASSIFICATION_DELETE_FROM_PROPAGATED_ENTITY(400, "ATLAS-400-00-06C", "Delete of classification {0} is not allowed from propagated entity"),
 CLASSIFICATION_NOT_ASSOCIATED_WITH_ENTITY(400, "ATLAS-400-00-06D", "Classification {0} is not associated with entity"),
+ UNAUTHORIZED_ACCESS(403, "ATLAS-403-00-001", "{0} is not authorized to perform {1}"),
+
 // All Not found enums go here
 TYPE_NAME_NOT_FOUND(404, "ATLAS-404-00-001", "Given typename {0} was invalid"),
 TYPE_GUID_NOT_FOUND(404, "ATLAS-404-00-002", "Given type guid {0} was invalid"),
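Review bot: When `propertyName` is explicitly configured but `fileToLoad` does not exist, the `else` branch substitutes a class-loader resource of the same name and reports it only through the new info-level `LOG.info("Loaded {} as resource from {}", ...)`, the same level now used for the normal file load. For the authorization policy file this commit routes through this method, a mistyped configured path would leave the server running on whatever same-named file a jar bundles, which an operator reading info logs is unlikely to notice; log the fallback at warn when the name came from configuration rather than from `defaultFileName`, e.g. `if (configuration.getString(propertyName) != null) { LOG.warn("{}={} not found on disk; falling back to class loader resource", propertyName, fileToLoad.getPath()); }` placed before the `getResourceAsStream` call. The method's Javadoc begins above the hunk; its `@throws` could also mention the class-path fallback so callers know a missing file is not always an error.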
@@ -142,6 +144,7 @@ public enum AtlasErrorCode {
 RELATIONSHIPDEF_END_TYPE_NAME_NOT_FOUND(404, "ATLAS-404-00-00E", "RelationshipDef {0} endDef typename {0} cannot be found"),
 RELATIONSHIP_ALREADY_DELETED(404, "ATLAS-404-00-00F", "Attempting to delete a relationship which is already deleted : {0}"),
 INVALID_ENTITY_GUID_FOR_CLASSIFICATION_UPDATE(404, "ATLAS-404-00-010", "Updating entityGuid of classification is not allowed."),
+ INSTANCE_GUID_NOT_DATASET(404, "ATLAS-404-00-011", "Given instance guid {0} is not a dataset"),
 // All data conflict errors go here
 TYPE_ALREADY_EXISTS(409, "ATLAS-409-00-001", "Given type {0} already exists"),
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/intg/src/main/java/org/apache/atlas/model/instance/AtlasEntityHeader.java
----------------------------------------------------------------------
diff --git a/intg/src/main/java/org/apache/atlas/model/instance/AtlasEntityHeader.java b/intg/src/main/java/org/apache/atlas/model/instance/AtlasEntityHeader.java
index 340cd05..9db9200 100644
--- a/intg/src/main/java/org/apache/atlas/model/instance/AtlasEntityHeader.java
+++ b/intg/src/main/java/org/apache/atlas/model/instance/AtlasEntityHeader.java
@@ -23,6 +23,7 @@ import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.databind.annotation.JsonSerialize;
 import java.io.Serializable;
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
@@ -36,6 +37,7 @@ import org.apache.atlas.model.PList;
 import org.apache.atlas.model.SearchFilter.SortType;
 import org.apache.atlas.model.typedef.AtlasBaseTypeDef;
 import org.apache.atlas.model.typedef.AtlasEntityDef;
+import org.apache.commons.collections.CollectionUtils;
 import static com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility.NONE;
 import static com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility.PUBLIC_ONLY;
@@ -98,6 +100,20 @@ public class AtlasEntityHeader extends AtlasStruct implements Serializable {
 }
 }
+ public AtlasEntityHeader(AtlasEntity entity){
+ super(entity.getTypeName(), entity.getAttributes());
+ setGuid(entity.getGuid());
+ setClassifications(entity.getClassifications());
+
+ if (CollectionUtils.isNotEmpty(entity.getClassifications())) {
+ this.classificationNames = new ArrayList<>(entity.getClassifications().size());
+
+ for (AtlasClassification classification : entity.getClassifications()) {
+ this.classificationNames.add(classification.getTypeName());
+ }
+ }
+ }
+
 public String getGuid() {
 return guid;
 }
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/intg/src/main/java/org/apache/atlas/type/AtlasClassificationType.java
----------------------------------------------------------------------
diff --git a/intg/src/main/java/org/apache/atlas/type/AtlasClassificationType.java b/intg/src/main/java/org/apache/atlas/type/AtlasClassificationType.java
index ae0c206..abacd78 100644
--- a/intg/src/main/java/org/apache/atlas/type/AtlasClassificationType.java
+++ b/intg/src/main/java/org/apache/atlas/type/AtlasClassificationType.java
@@ -45,6 +45,7 @@ public class AtlasClassificationType extends AtlasStructType {
 private Set<String> subTypes = Collections.emptySet();
 private Set<String> allSubTypes = Collections.emptySet();
 private Set<String> typeAndAllSubTypes = Collections.emptySet();
+ private Set<String> typeAndAllSuperTypes = Collections.emptySet();
 private String typeAndAllSubTypesQryStr = "";
 // we need to store the entityTypes specified in our supertypes. i.e. our parent classificationDefs may specify more entityTypes
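Review bot: The new `AtlasEntityHeader(AtlasEntity entity)` dereferences `entity` inside the `super(...)` call with no guard, so a null argument surfaces as a bare NullPointerException from the superclass call rather than an exception naming the parameter; `super(Objects.requireNonNull(entity, "entity").getTypeName(), entity.getAttributes())` is enough and `Objects` is already imported in this file. `setClassifications(entity.getClassifications())` also stores the entity's own list, so later changes to either object's classifications show up in the other — if headers are meant to be independent snapshots, copy the list here, otherwise state the aliasing in a constructor Javadoc (`Builds a header that shares the entity's attribute and classification collections; it is not a defensive copy.`). Minor style: `(AtlasEntity entity){` lacks the space before the brace that the surrounding methods use.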
@@ -113,6 +114,10 @@ public class AtlasClassificationType extends AtlasStructType {
 this.entityTypes = new HashSet<>(); // this will be populated in resolveReferencesPhase3()
 this.typeAndAllSubTypes.add(this.getTypeName());
+
+ this.typeAndAllSuperTypes = new HashSet<>(this.allSuperTypes);
+ this.typeAndAllSuperTypes.add(this.getTypeName());
+ this.typeAndAllSuperTypes = Collections.unmodifiableSet(this.typeAndAllSuperTypes);
 }
 @Override
@@ -241,6 +246,8 @@ public class AtlasClassificationType extends AtlasStructType {
 public Set<String> getTypeAndAllSubTypes() { return typeAndAllSubTypes; }
+ public Set<String> getTypeAndAllSuperTypes() { return typeAndAllSuperTypes; }
+
 public String getTypeQryStr() { return typeQryStr; }
 public String getTypeAndAllSubTypesQryStr() {
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/intg/src/main/java/org/apache/atlas/utils/AtlasJson.java
----------------------------------------------------------------------
diff --git a/intg/src/main/java/org/apache/atlas/utils/AtlasJson.java b/intg/src/main/java/org/apache/atlas/utils/AtlasJson.java
index 9aacb2d..7d65bb6 100644
--- a/intg/src/main/java/org/apache/atlas/utils/AtlasJson.java
+++ b/intg/src/main/java/org/apache/atlas/utils/AtlasJson.java
@@ -46,6 +46,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.io.IOException;
+import java.io.InputStream;
 import java.text.DateFormat;
 import java.text.ParseException;
 import java.text.SimpleDateFormat;
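Review bot: `typeAndAllSuperTypes` is copied from `this.allSuperTypes` at this point in the resolve method and then frozen with `Collections.unmodifiableSet`, so it is only complete if `allSuperTypes` is already fully resolved when this code runs; the neighbouring comment notes that `entityTypes` is populated later in `resolveReferencesPhase3()`, and the hunk does not show where `allSuperTypes` is built, so the phase ordering should be confirmed or the new set may silently omit transitive supertypes. Since the adjacent `typeAndAllSubTypes` stays mutable while the new set is frozen, a one-line comment recording why, such as `// allSuperTypes is final by this phase, so the combined set can be frozen here`, would keep the next reader from assuming the asymmetry is accidental. The enclosing method starts above the hunk.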
@@ -156,6 +157,20 @@ public class AtlasJson {
 return ret;
 }
+ public static <T> T fromJson(InputStream inputStream, Class<T> type) throws IOException {
+ T ret = null;
+
+ if (inputStream != null) {
+ ret = mapper.readValue(inputStream, type);
+
+ if (ret instanceof Struct) {
+ ((Struct) ret).normalize();
+ }
+ }
+
+ return ret;
+ }
+
 public static String toV1Json(Object obj) {
 return toJson(obj);
 }
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/intg/src/test/resources/atlas-application.properties
----------------------------------------------------------------------
diff --git a/intg/src/test/resources/atlas-application.properties b/intg/src/test/resources/atlas-application.properties
index 373bf68..9015f89 100644
--- a/intg/src/test/resources/atlas-application.properties
+++ b/intg/src/test/resources/atlas-application.properties
@@ -133,14 +133,17 @@ atlas.server.ha.enabled=false
 #atlas.server.ids=id1
 #atlas.server.address.id1=localhost:21000
-#########POLICY FILE PATH #########
-# atlas.auth.policy.file=policy-store.txt
+######### Atlas Authorization #########
+atlas.authorizer.impl=none
+# atlas.authorizer.impl=simple
+# atlas.authorizer.simple.authz.policy.file=atlas-simple-authz-policy.json
+######### Atlas Authentication #########
 atlas.authentication.method.file=true
 atlas.authentication.method.ldap.type=none
-# atlas.authentication.method.file.filename=users-credentials.properties
 atlas.authentication.method.kerberos=false
+# atlas.authentication.method.file.filename=users-credentials.properties
 ######### Gremlin Search Configuration #########
 # Set to false to disable gremlin search.
-atlas.search.gremlin.enable=true
\ No newline at end of file
+atlas.search.gremlin.enable=true
http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/repository/pom.xml
----------------------------------------------------------------------
diff --git a/repository/pom.xml b/repository/pom.xml
index 87fe7fd..b1d6b1f 100755
--- a/repository/pom.xml
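Review bot: `fromJson(InputStream inputStream, Class<T> type)` neither closes `inputStream` nor documents who should; Jackson's `ObjectMapper.readValue(InputStream, Class)` closes the source by default (`JsonParser.Feature.AUTO_CLOSE_SOURCE`) unless the shared `mapper` is configured otherwise, which is not visible here, so a caller cannot tell whether wrapping the call in try-with-resources is required or double-closes. Add a Javadoc that states the contract, e.g. `@param inputStream JSON source; null yields a null result` and a sentence saying whether the stream is consumed and closed by this call, plus `@throws IOException if the stream cannot be read or parsed`. Returning null for a null stream rather than throwing mirrors the existing `fromJson` overloads only if they behave the same way, which is worth confirming since the new overload will be the natural entry point for file-backed input.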
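Review bot: `atlas.authorizer.impl=none` in the intg test configuration disables authorization for this module's tests, so the `simple` authorizer and the policy file introduced in this commit are not exercised through it, while the distro default in the same commit is `simple`. If that is deliberate, a comment line above it such as `# authorization is disabled for intg tests; the simple authorizer is covered by the authorization module's tests` (adjusted to wherever it is actually tested) would stop the next reader from assuming the test profile mirrors the shipped default.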
+++ b/repository/pom.xml
@@ -112,6 +112,12 @@
 <type>pom</type>
 <scope>test</scope>
 </dependency>
+
+ <dependency>
+ <groupId>org.apache.atlas</groupId>
+ <artifactId>atlas-authorization</artifactId>
+ <version>${project.version}</version>
+ </dependency>
 <dependency>
 <groupId>org.apache.atlas</groupId>