ATLAS-2459: Authorization enhancements to support instance level access controls
Signed-off-by: Madhan Neethiraj <mad...@apache.org> Project: http://git-wip-us.apache.org/repos/asf/atlas/repo Commit: http://git-wip-us.apache.org/repos/asf/atlas/commit/afbc6975 Tree: http://git-wip-us.apache.org/repos/asf/atlas/tree/afbc6975 Diff: http://git-wip-us.apache.org/repos/asf/atlas/diff/afbc6975 Branch: refs/heads/master Commit: afbc6975b3eb0ece492f26f508792cf363ad2211 Parents: be9b39b Author: nixonrodrigues <ni...@apache.org> Authored: Fri Feb 23 15:45:31 2018 -0800 Committer: Madhan Neethiraj <mad...@apache.org> Committed: Mon Feb 26 10:37:47 2018 -0800 ---------------------------------------------------------------------- .../test/resources/atlas-application.properties | 9 +- .../test/resources/atlas-application.properties | 9 +- .../test/resources/atlas-application.properties | 9 +- .../test/resources/atlas-application.properties | 9 +- .../test/resources/atlas-application.properties | 9 +- authorization/pom.xml | 10 + .../atlas/authorize/AtlasAccessRequest.java | 85 ++--- .../atlas/authorize/AtlasActionTypes.java | 22 -- .../authorize/AtlasAdminAccessRequest.java | 38 ++ .../authorize/AtlasAuthorizationUtils.java | 161 ++++++++ .../apache/atlas/authorize/AtlasAuthorizer.java | 34 +- .../atlas/authorize/AtlasAuthorizerFactory.java | 52 +-- .../authorize/AtlasEntityAccessRequest.java | 146 +++++++ .../atlas/authorize/AtlasNoneAuthorizer.java | 47 +++ .../apache/atlas/authorize/AtlasPrivilege.java | 46 +++ .../atlas/authorize/AtlasResourceTypes.java | 23 -- .../atlas/authorize/AtlasTypeAccessRequest.java | 49 +++ .../simple/AtlasAuthorizationUtils.java | 182 --------- .../authorize/simple/AtlasSimpleAuthorizer.java | 346 +++++++++++++++++ .../simple/AtlasSimpleAuthzPolicy.java | 255 +++++++++++++ .../atlas/authorize/simple/FileReaderUtil.java | 56 --- .../atlas/authorize/simple/PolicyDef.java | 70 ---- .../atlas/authorize/simple/PolicyParser.java | 252 ------------ .../atlas/authorize/simple/PolicyUtil.java | 107 ------ .../authorize/simple/SimpleAtlasAuthorizer.java | 381 ------------------- .../resources/atlas-simple-authz-policy.json | 61 +++ .../simple/AtlasAuthorizationUtilsTest.java | 105 ----- .../simple/AtlasSimpleAuthorizerTest.java | 107 ++++++ .../authorize/simple/PolicyParserTest.java | 172 --------- .../atlas/authorize/simple/PolicyUtilTest.java | 100 ----- .../simple/SimpleAtlasAuthorizerTest.java | 208 ---------- .../test/resources/atlas-application.properties | 149 ++++++++ .../resources/atlas-simple-authz-policy.json | 61 +++ distro/src/conf/atlas-application.properties | 8 +- .../org/apache/atlas/ApplicationProperties.java | 40 +- .../java/org/apache/atlas/AtlasErrorCode.java | 3 + .../atlas/model/instance/AtlasEntityHeader.java | 16 + .../atlas/type/AtlasClassificationType.java | 7 + .../java/org/apache/atlas/utils/AtlasJson.java | 15 + .../test/resources/atlas-application.properties | 11 +- repository/pom.xml | 6 + .../atlas/discovery/EntityLineageService.java | 45 +-- .../graph/v1/AtlasClassificationDefStoreV1.java | 24 +- .../store/graph/v1/AtlasEntityDefStoreV1.java | 23 ++ .../store/graph/v1/AtlasEntityStoreV1.java | 297 +++++++++------ .../store/graph/v1/AtlasStructDefStoreV1.java | 23 +- .../store/graph/v1/EntityGraphRetriever.java | 31 +- .../util/AtlasRepositoryConfiguration.java | 42 +- .../repository/impexp/ExportServiceTest.java | 2 +- .../repository/impexp/ImportServiceTest.java | 2 +- .../impexp/ZipFileResourceTestUtils.java | 2 +- .../store/graph/AtlasTypeDefGraphStoreTest.java | 2 +- .../store/graph/v1/AtlasEntityStoreV1Test.java | 4 +- .../graph/v1/AtlasRelationshipStoreV1Test.java | 2 +- .../graph/v1/InverseReferenceUpdateV1Test.java | 4 +- .../java/org/apache/atlas/RequestContextV1.java | 18 +- .../java/org/apache/atlas/aspect/Loggable.java | 29 -- .../java/org/apache/atlas/aspect/Monitored.java | 29 -- .../atlas/discovery/DiscoveryException.java | 74 ---- .../exception/SchemaNotFoundException.java | 40 -- .../atlas/exception/TraitNotFoundException.java | 45 --- .../java/org/apache/atlas/metrics/Metrics.java | 68 ---- .../notification/NotificationHookConsumer.java | 91 +++-- .../web/filters/AtlasAuthenticationFilter.java | 5 +- .../web/filters/AtlasAuthorizationFilter.java | 180 --------- .../apache/atlas/web/filters/AuditFilter.java | 115 ++++-- .../atlas/web/resources/AdminResource.java | 26 +- .../org/apache/atlas/web/rest/TypesREST.java | 2 + .../atlas/web/security/AtlasSecurityConfig.java | 8 +- .../apache/atlas/web/util/DateTimeHelper.java | 84 +--- webapp/src/main/resources/spring-security.xml | 5 +- .../AtlasAuthenticationSimpleFilterIT.java | 18 - .../atlas/web/resources/AdminResourceTest.java | 4 +- .../test/resources/atlas-application.properties | 11 +- .../src/test/resources/test-spring-security.xml | 3 - 75 files changed, 2168 insertions(+), 2666 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/addons/falcon-bridge/src/test/resources/atlas-application.properties ---------------------------------------------------------------------- diff --git a/addons/falcon-bridge/src/test/resources/atlas-application.properties b/addons/falcon-bridge/src/test/resources/atlas-application.properties index 282127c..d1c3f71 100644 --- a/addons/falcon-bridge/src/test/resources/atlas-application.properties +++ b/addons/falcon-bridge/src/test/resources/atlas-application.properties @@ -115,10 +115,13 @@ atlas.server.ha.enabled=false #atlas.server.ids=id1 #atlas.server.address.id1=localhost:21000 -#########POLICY FILE PATH ######### -# atlas.auth.policy.file=policy-store.txt +######### Atlas Authorization ######### +atlas.authorizer.impl=none +# atlas.authorizer.impl=simple +# atlas.authorizer.simple.authz.policy.file=atlas-simple-authz-policy.json +######### Atlas Authentication ######### atlas.authentication.method.file=true atlas.authentication.method.ldap.type=none +atlas.authentication.method.kerberos=false # atlas.authentication.method.file.filename=users-credentials.properties -atlas.authentication.method.kerberos=false \ No newline at end of file http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/addons/hbase-bridge/src/test/resources/atlas-application.properties ---------------------------------------------------------------------- diff --git a/addons/hbase-bridge/src/test/resources/atlas-application.properties b/addons/hbase-bridge/src/test/resources/atlas-application.properties index 282127c..d1c3f71 100644 --- a/addons/hbase-bridge/src/test/resources/atlas-application.properties +++ b/addons/hbase-bridge/src/test/resources/atlas-application.properties @@ -115,10 +115,13 @@ atlas.server.ha.enabled=false #atlas.server.ids=id1 #atlas.server.address.id1=localhost:21000 -#########POLICY FILE PATH ######### -# atlas.auth.policy.file=policy-store.txt +######### Atlas Authorization ######### +atlas.authorizer.impl=none +# atlas.authorizer.impl=simple +# atlas.authorizer.simple.authz.policy.file=atlas-simple-authz-policy.json +######### Atlas Authentication ######### atlas.authentication.method.file=true atlas.authentication.method.ldap.type=none +atlas.authentication.method.kerberos=false # atlas.authentication.method.file.filename=users-credentials.properties -atlas.authentication.method.kerberos=false \ No newline at end of file http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/addons/hive-bridge/src/test/resources/atlas-application.properties ---------------------------------------------------------------------- diff --git a/addons/hive-bridge/src/test/resources/atlas-application.properties b/addons/hive-bridge/src/test/resources/atlas-application.properties index 282127c..d1c3f71 100644 --- a/addons/hive-bridge/src/test/resources/atlas-application.properties +++ b/addons/hive-bridge/src/test/resources/atlas-application.properties @@ -115,10 +115,13 @@ atlas.server.ha.enabled=false #atlas.server.ids=id1 #atlas.server.address.id1=localhost:21000 -#########POLICY FILE PATH ######### -# atlas.auth.policy.file=policy-store.txt +######### Atlas Authorization ######### +atlas.authorizer.impl=none +# atlas.authorizer.impl=simple +# atlas.authorizer.simple.authz.policy.file=atlas-simple-authz-policy.json +######### Atlas Authentication ######### atlas.authentication.method.file=true atlas.authentication.method.ldap.type=none +atlas.authentication.method.kerberos=false # atlas.authentication.method.file.filename=users-credentials.properties -atlas.authentication.method.kerberos=false \ No newline at end of file http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/addons/sqoop-bridge/src/test/resources/atlas-application.properties ---------------------------------------------------------------------- diff --git a/addons/sqoop-bridge/src/test/resources/atlas-application.properties b/addons/sqoop-bridge/src/test/resources/atlas-application.properties index 282127c..d1c3f71 100644 --- a/addons/sqoop-bridge/src/test/resources/atlas-application.properties +++ b/addons/sqoop-bridge/src/test/resources/atlas-application.properties @@ -115,10 +115,13 @@ atlas.server.ha.enabled=false #atlas.server.ids=id1 #atlas.server.address.id1=localhost:21000 -#########POLICY FILE PATH ######### -# atlas.auth.policy.file=policy-store.txt +######### Atlas Authorization ######### +atlas.authorizer.impl=none +# atlas.authorizer.impl=simple +# atlas.authorizer.simple.authz.policy.file=atlas-simple-authz-policy.json +######### Atlas Authentication ######### atlas.authentication.method.file=true atlas.authentication.method.ldap.type=none +atlas.authentication.method.kerberos=false # atlas.authentication.method.file.filename=users-credentials.properties -atlas.authentication.method.kerberos=false \ No newline at end of file http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/addons/storm-bridge/src/test/resources/atlas-application.properties ---------------------------------------------------------------------- diff --git a/addons/storm-bridge/src/test/resources/atlas-application.properties b/addons/storm-bridge/src/test/resources/atlas-application.properties index f46477a..6e9042a 100644 --- a/addons/storm-bridge/src/test/resources/atlas-application.properties +++ b/addons/storm-bridge/src/test/resources/atlas-application.properties @@ -117,10 +117,13 @@ atlas.server.ha.enabled=false #atlas.server.ids=id1 #atlas.server.address.id1=localhost:21000 -#########POLICY FILE PATH ######### -# atlas.auth.policy.file=policy-store.txt +######### Atlas Authorization ######### +atlas.authorizer.impl=none +# atlas.authorizer.impl=simple +# atlas.authorizer.simple.authz.policy.file=atlas-simple-authz-policy.json +######### Atlas Authentication ######### atlas.authentication.method.file=true atlas.authentication.method.ldap.type=none +atlas.authentication.method.kerberos=false # atlas.authentication.method.file.filename=users-credentials.properties -atlas.authentication.method.kerberos=false \ No newline at end of file http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/pom.xml ---------------------------------------------------------------------- diff --git a/authorization/pom.xml b/authorization/pom.xml index f210a2f..92be82e 100644 --- a/authorization/pom.xml +++ b/authorization/pom.xml @@ -36,10 +36,20 @@ </dependency> <dependency> + <groupId>org.apache.atlas</groupId> + <artifactId>atlas-intg</artifactId> + </dependency> + + <dependency> <groupId>javax.servlet</groupId> <artifactId>javax.servlet-api</artifactId> <version>${javax.servlet.version}</version> </dependency> + + <dependency> + <groupId>org.springframework.security</groupId> + <artifactId>spring-security-core</artifactId> + </dependency> <dependency> <groupId>com.google.guava</groupId> http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java ---------------------------------------------------------------------- diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java index 07cb2b0..4ae9510 100644 --- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java +++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java @@ -17,94 +17,57 @@ */ package org.apache.atlas.authorize; -import org.apache.atlas.authorize.simple.AtlasAuthorizationUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import javax.servlet.http.HttpServletRequest; import java.util.Date; import java.util.Set; public class AtlasAccessRequest { - private static Logger LOG = LoggerFactory.getLogger(AtlasAccessRequest.class); - private static boolean isDebugEnabled = LOG.isDebugEnabled(); - private Set<AtlasResourceTypes> resourceType = null; - private String resource = null; - private AtlasActionTypes action = null; - private String user = null; - private Set<String> userGroups = null; - private Date accessTime = null; - private String clientIPAddress = null; - - public AtlasAccessRequest(HttpServletRequest request, String user, Set<String> userGroups) { - // Spring Security 4 Change => request.getServletPath() -> request.getPathInfo() - this(AtlasAuthorizationUtils.getAtlasResourceType(request.getPathInfo()), "*", AtlasAuthorizationUtils - .getAtlasAction(request.getMethod(),request.getPathInfo()), user, userGroups,AtlasAuthorizationUtils.getRequestIpAddress(request)); - } - public AtlasAccessRequest(Set<AtlasResourceTypes> resourceType, String resource, AtlasActionTypes action, - String user, Set<String> userGroups, String clientIPAddress) { - if (isDebugEnabled) { - LOG.debug("==> AtlasAccessRequestImpl-- Initializing AtlasAccessRequest"); - } - setResource(resource); - setAction(action); - setUser(user); - setUserGroups(userGroups); - setResourceType(resourceType); - - // set remaining fields to default value - setAccessTime(null); - setClientIPAddress(clientIPAddress); - } + private final AtlasPrivilege action; + private final Date accessTime; + private String user = null; + private Set<String> userGroups = null; + private String clientIPAddress = null; - public Set<AtlasResourceTypes> getResourceTypes() { - return resourceType; - } - public void setResourceType(Set<AtlasResourceTypes> resourceType) { - this.resourceType = resourceType; + protected AtlasAccessRequest(AtlasPrivilege action) { + this(action, null, null, new Date(), null); } - public String getResource() { - return resource; + protected AtlasAccessRequest(AtlasPrivilege action, String user, Set<String> userGroups) { + this(action, user, userGroups, new Date(), null); } - public void setResource(String resource) { - this.resource = resource; + protected AtlasAccessRequest(AtlasPrivilege action, String user, Set<String> userGroups, Date accessTime, String clientIPAddress) { + this.action = action; + this.user = user; + this.userGroups = userGroups; + this.accessTime = accessTime; + this.clientIPAddress = clientIPAddress; } - public AtlasActionTypes getAction() { + public AtlasPrivilege getAction() { return action; } - public void setAction(AtlasActionTypes action) { - this.action = action; + public Date getAccessTime() { + return accessTime; } public String getUser() { return user; } - public void setUser(String user) { - this.user = user; - } - - public void setUserGroups(Set<String> userGroups) { - this.userGroups = userGroups; - } - public Set<String> getUserGroups() { return userGroups; } - public Date getAccessTime() { - return accessTime; - } - - public void setAccessTime(Date accessTime) { - this.accessTime = accessTime; + public void setUser(String user, Set<String> userGroups) { + this.user = user; + this.userGroups = userGroups; } public String getClientIPAddress() { @@ -117,9 +80,7 @@ public class AtlasAccessRequest { @Override public String toString() { - return "AtlasAccessRequest [resourceType=" + resourceType + ", resource=" + resource + ", action=" + action - + ", user=" + user + ", userGroups=" + userGroups + ", accessTime=" + accessTime + ", clientIPAddress=" - + clientIPAddress + "]"; + return "AtlasAccessRequest[action=" + action + ", accessTime=" + accessTime + ", user=" + user + + ", userGroups=" + userGroups + ", clientIPAddress=" + clientIPAddress + "]"; } - } http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/AtlasActionTypes.java ---------------------------------------------------------------------- diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasActionTypes.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasActionTypes.java deleted file mode 100644 index c5969db..0000000 --- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasActionTypes.java +++ /dev/null @@ -1,22 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.atlas.authorize; - -public enum AtlasActionTypes { - READ, CREATE, UPDATE, DELETE -} http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java ---------------------------------------------------------------------- diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java new file mode 100644 index 0000000..1782b32 --- /dev/null +++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java @@ -0,0 +1,38 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.atlas.authorize; + + +import java.util.Set; + +public class AtlasAdminAccessRequest extends AtlasAccessRequest { + + public AtlasAdminAccessRequest(AtlasPrivilege action) { + super(action); + } + + public AtlasAdminAccessRequest(AtlasPrivilege action, String userName, Set<String> usergroups) { + super(action, userName, usergroups); + } + + @Override + public String toString() { + return "AtlasAdminAccessRequest[action=" + getAction() + ", accessTime=" + getAccessTime() + ", user=" + getUser() + + ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() + "]"; + } +} http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java ---------------------------------------------------------------------- diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java new file mode 100644 index 0000000..8c57946 --- /dev/null +++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java @@ -0,0 +1,161 @@ +/** +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.atlas.authorize; + +import org.apache.atlas.AtlasErrorCode; +import org.apache.atlas.exception.AtlasBaseException; +import org.apache.commons.lang.StringUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.context.SecurityContextHolder; + +import javax.servlet.http.HttpServletRequest; +import java.net.InetAddress; +import java.net.UnknownHostException; +import java.util.HashSet; +import java.util.Set; + + +public class AtlasAuthorizationUtils { + private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthorizationUtils.class); + + public static void verifyAccess(AtlasAdminAccessRequest request, Object... errorMsgParams) throws AtlasBaseException { + if (! isAccessAllowed(request)) { + String message = (errorMsgParams != null && errorMsgParams.length > 0) ? StringUtils.join(errorMsgParams) : ""; + + throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, request.getUser(), message); + } + } + + public static void verifyAccess(AtlasTypeAccessRequest request, Object... errorMsgParams) throws AtlasBaseException { + if (! isAccessAllowed(request)) { + String message = (errorMsgParams != null && errorMsgParams.length > 0) ? StringUtils.join(errorMsgParams) : ""; + + throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, request.getUser(), message); + } + } + + public static void verifyAccess(AtlasEntityAccessRequest request, Object... errorMsgParams) throws AtlasBaseException { + if (! isAccessAllowed(request)) { + String message = (errorMsgParams != null && errorMsgParams.length > 0) ? StringUtils.join(errorMsgParams) : ""; + + throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, request.getUser(), message); + } + } + + public static boolean isAccessAllowed(AtlasAdminAccessRequest request) { + boolean ret = false; + String userName = getCurrentUserName(); + + if (StringUtils.isNotEmpty(userName)) { + try { + AtlasAuthorizer authorizer = AtlasAuthorizerFactory.getAtlasAuthorizer(); + + request.setUser(userName, getCurrentUserGroups()); + + ret = authorizer.isAccessAllowed(request); + } catch (AtlasAuthorizationException e) { + LOG.error("Unable to obtain AtlasAuthorizer", e); + } + } else { + ret = true; + } + + return ret; + } + + public static boolean isAccessAllowed(AtlasEntityAccessRequest request) { + boolean ret = false; + String userName = getCurrentUserName(); + + if (StringUtils.isNotEmpty(userName)) { + try { + AtlasAuthorizer authorizer = AtlasAuthorizerFactory.getAtlasAuthorizer(); + + request.setUser(getCurrentUserName(), getCurrentUserGroups()); + + ret = authorizer.isAccessAllowed(request); + } catch (AtlasAuthorizationException e) { + LOG.error("Unable to obtain AtlasAuthorizer", e); + } + } else { + ret = true; + } + + return ret; + } + + public static boolean isAccessAllowed(AtlasTypeAccessRequest request) { + boolean ret = false; + String userName = getCurrentUserName(); + + if (StringUtils.isNotEmpty(userName)) { + try { + AtlasAuthorizer authorizer = AtlasAuthorizerFactory.getAtlasAuthorizer(); + + request.setUser(getCurrentUserName(), getCurrentUserGroups()); + + ret = authorizer.isAccessAllowed(request); + } catch (AtlasAuthorizationException e) { + LOG.error("Unable to obtain AtlasAuthorizer", e); + } + } else { + ret = true; + } + + return ret; + } + + public static String getRequestIpAddress(HttpServletRequest httpServletRequest) { + String ret = ""; + + try { + InetAddress inetAddr = InetAddress.getByName(httpServletRequest.getRemoteAddr()); + + ret = inetAddr.getHostAddress(); + } catch (UnknownHostException ex) { + LOG.error("Failed to retrieve client IP address", ex); + } + + return ret; + } + + public static String getCurrentUserName() { + Authentication auth = SecurityContextHolder.getContext().getAuthentication(); + + return auth != null ? auth.getName() : ""; + } + + public static Set<String> getCurrentUserGroups() { + Set<String> ret = new HashSet<>(); + + Authentication auth = SecurityContextHolder.getContext().getAuthentication(); + + if (auth != null) { + for (GrantedAuthority c : auth.getAuthorities()) { + ret.add(c.getAuthority()); + } + } + + return ret; + } +} http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java ---------------------------------------------------------------------- diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java index d64c692..285e0f6 100644 --- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java +++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java @@ -20,23 +20,39 @@ package org.apache.atlas.authorize; public interface AtlasAuthorizer { + /** + * initialization of authorizer implementation + */ + void init(); + /** + * cleanup of authorizer implementation + */ + void cleanUp(); /** - * This method will load the policy file and would initialize the required data-structures. + * authorize admin operations + * @param request + * @return + * @throws AtlasAuthorizationException */ - void init(); + boolean isAccessAllowed(AtlasAdminAccessRequest request) throws AtlasAuthorizationException; /** - * This method is responsible to perform the actual authorization for every REST API call. It will check if - * user can perform action on resource. + * authorize operations on an entity + * @param request + * @return + * @throws AtlasAuthorizationException */ - boolean isAccessAllowed(AtlasAccessRequest request) throws AtlasAuthorizationException; + boolean isAccessAllowed(AtlasEntityAccessRequest request) throws AtlasAuthorizationException; + + /** - * This method is responsible to perform the cleanup and release activities. It must be called when you are done - * with the Authorization activity and once it's called a restart would be required. Try to invoke this while - * destroying the context. + * authorize operations on a type + * @param request + * @return + * @throws AtlasAuthorizationException */ - void cleanUp(); + boolean isAccessAllowed(AtlasTypeAccessRequest request) throws AtlasAuthorizationException; } http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java ---------------------------------------------------------------------- diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java index 9b7933e..72037ea 100644 --- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java +++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java @@ -20,65 +20,71 @@ package org.apache.atlas.authorize; import org.apache.atlas.ApplicationProperties; import org.apache.atlas.AtlasException; +import org.apache.atlas.authorize.simple.AtlasSimpleAuthorizer; import org.apache.commons.configuration.Configuration; import org.apache.commons.lang.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -public class AtlasAuthorizerFactory { +public class AtlasAuthorizerFactory { private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthorizerFactory.class); - private static final String SIMPLE_AUTHORIZER = "org.apache.atlas.authorize.simple.SimpleAtlasAuthorizer"; - private static final String RANGER_AUTHORIZER = - "org.apache.ranger.authorization.atlas.authorizer.RangerAtlasAuthorizer"; + + private static final String NONE_AUTHORIZER = AtlasNoneAuthorizer.class.getName(); + private static final String SIMPLE_AUTHORIZER = AtlasSimpleAuthorizer.class.getName(); + private static final String RANGER_AUTHORIZER = "org.apache.ranger.authorization.atlas.authorizer.RangerAtlasAuthorizer"; + private static volatile AtlasAuthorizer INSTANCE = null; - private static boolean isDebugEnabled = LOG.isDebugEnabled(); public static AtlasAuthorizer getAtlasAuthorizer() throws AtlasAuthorizationException { - Configuration configuration = null; - try { - configuration = ApplicationProperties.get(); - } catch (AtlasException e) { - if (LOG.isErrorEnabled()) { - LOG.error("Exception while fetching configuration. ", e); - } - } AtlasAuthorizer ret = INSTANCE; if (ret == null) { synchronized (AtlasAuthorizerFactory.class) { if (INSTANCE == null) { - String authorizerClass = - configuration != null ? configuration.getString("atlas.authorizer.impl") : "SIMPLE"; + Configuration configuration = null; + + try { + configuration = ApplicationProperties.get(); + } catch (AtlasException e) { + LOG.error("Exception while fetching configuration", e); + } + + String authorizerClass = configuration != null ? configuration.getString("atlas.authorizer.impl") : "SIMPLE"; if (StringUtils.isNotEmpty(authorizerClass)) { if (StringUtils.equalsIgnoreCase(authorizerClass, "SIMPLE")) { authorizerClass = SIMPLE_AUTHORIZER; } else if (StringUtils.equalsIgnoreCase(authorizerClass, "RANGER")) { authorizerClass = RANGER_AUTHORIZER; + } else if (StringUtils.equalsIgnoreCase(authorizerClass, "NONE")) { + authorizerClass = NONE_AUTHORIZER; } } else { authorizerClass = SIMPLE_AUTHORIZER; } - if (isDebugEnabled) { - LOG.debug("Initializing Authorizer :: {}", authorizerClass); - } + LOG.info("Initializing Authorizer {}", authorizerClass); + try { Class authorizerMetaObject = Class.forName(authorizerClass); + if (authorizerMetaObject != null) { INSTANCE = (AtlasAuthorizer) authorizerMetaObject.newInstance(); + + INSTANCE.init(); } } catch (Exception e) { - LOG.error("Error while creating authorizer of type '{}", authorizerClass, e); - throw new AtlasAuthorizationException("Error while creating authorizer of type '" - + authorizerClass + "'", e); + LOG.error("Error while creating authorizer of type {}", authorizerClass, e); + + throw new AtlasAuthorizationException("Error while creating authorizer of type '" + authorizerClass + "'", e); } - ret = INSTANCE; } + + ret = INSTANCE; } } + return ret; } - } http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java ---------------------------------------------------------------------- diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java new file mode 100644 index 0000000..e79b97c --- /dev/null +++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java @@ -0,0 +1,146 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.atlas.authorize; + +import org.apache.atlas.model.instance.AtlasClassification; +import org.apache.atlas.model.instance.AtlasEntityHeader; +import org.apache.atlas.type.AtlasClassificationType; +import org.apache.atlas.type.AtlasEntityType; +import org.apache.atlas.type.AtlasTypeRegistry; +import org.apache.commons.lang.StringUtils; + +import java.util.Collections; +import java.util.HashSet; +import java.util.Set; + +public class AtlasEntityAccessRequest extends AtlasAccessRequest { + private final AtlasEntityHeader entity; + private final String entityId; + private final AtlasClassification classification; + private final String attributeName; + private final AtlasTypeRegistry typeRegistry; + private final Set<String> entityClassifications; + + + public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action) { + this(typeRegistry, action, null, null, null, null, null); + } + + public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, AtlasEntityHeader entity) { + this(typeRegistry, action, entity, null, null, null, null); + } + + public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, AtlasEntityHeader entity, AtlasClassification classification) { + this(typeRegistry, action, entity, classification, null, null, null); + } + + public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, AtlasEntityHeader entity, String attributeName) { + this(typeRegistry, action, entity, null, attributeName, null, null); + } + + public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, AtlasEntityHeader entity, String userName, Set<String> userGroups) { + this(typeRegistry, action, entity, null, null, userName, userGroups); + } + + public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, AtlasEntityHeader entity, AtlasClassification classification, String userName, Set<String> userGroups) { + this(typeRegistry, action, entity, classification, null, userName, userGroups); + } + + public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, AtlasEntityHeader entity, String attributeName, String userName, Set<String> userGroups) { + this(typeRegistry, action, entity, null, attributeName, userName, userGroups); + } + + public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, AtlasEntityHeader entity, AtlasClassification classification, String attributeName, String userName, Set<String> userGroups) { + super(action, userName, userGroups); + + this.entity = entity; + this.entityId = entity != null ? (String) entity.getAttribute("qualifiedName") : null; + this.classification = classification; + this.attributeName = attributeName; + this.typeRegistry = typeRegistry; + + if (entity == null || entity.getClassifications() == null) { + this.entityClassifications = Collections.emptySet(); + } else { + this.entityClassifications = new HashSet<>(); + + for (AtlasClassification classify : entity.getClassifications()) { + this.entityClassifications.add(classify.getTypeName()); + } + } + } + + public AtlasEntityHeader getEntity() { + return entity; + } + + public String getEntityId() { + return entityId; + } + + public AtlasClassification getClassification() { + return classification; + } + + public String getAttributeName() { + return attributeName; + } + + public String getEntityType() { + return entity == null ? StringUtils.EMPTY : entity.getTypeName(); + } + + public Set<String> getEntityClassifications() { + return entityClassifications; + } + + public Set<String> getEntityTypeAndAllSuperTypes() { + final Set<String> ret; + + if (entity == null) { + ret = Collections.emptySet(); + } else if (typeRegistry == null) { + ret = Collections.singleton(entity.getTypeName()); + } else { + AtlasEntityType entityType = typeRegistry.getEntityTypeByName(entity.getTypeName()); + + ret = entityType != null ? entityType.getTypeAndAllSuperTypes() : Collections.singleton(entity.getTypeName()); + } + + return ret; + } + + public Set<String> getClassificationTypeAndAllSuperTypes(String classificationName) { + if (typeRegistry != null && classificationName != null) { + AtlasClassificationType classificationType = typeRegistry.getClassificationTypeByName(classificationName); + + return classificationType == null ? Collections.emptySet() : classificationType.getTypeAndAllSuperTypes(); + } + + return Collections.emptySet(); + } + + @Override + public String toString() { + return "AtlasEntityAccessRequest[entity=" + entity + ", classification=" + classification + ", attributeName" + attributeName + + ", action=" + getAction() + ", accessTime=" + getAccessTime() + ", user=" + getUser() + + ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() + "]"; + } +} + + http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/AtlasNoneAuthorizer.java ---------------------------------------------------------------------- diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasNoneAuthorizer.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasNoneAuthorizer.java new file mode 100644 index 0000000..06ae600 --- /dev/null +++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasNoneAuthorizer.java @@ -0,0 +1,47 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.atlas.authorize; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + + +public class AtlasNoneAuthorizer implements AtlasAuthorizer { + private static final Logger LOG = LoggerFactory.getLogger(AtlasNoneAuthorizer.class); + + public void init() { + LOG.info("AtlasNoneAuthorizer.init()"); + } + + public void cleanUp() { + LOG.info("AtlasNoneAuthorizer.cleanUp()"); + } + + public boolean isAccessAllowed(AtlasAdminAccessRequest request) throws AtlasAuthorizationException { + return true; + } + + public boolean isAccessAllowed(AtlasEntityAccessRequest request) throws AtlasAuthorizationException { + return true; + } + + public boolean isAccessAllowed(AtlasTypeAccessRequest request) throws AtlasAuthorizationException { + return true; + } +} http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java ---------------------------------------------------------------------- diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java new file mode 100644 index 0000000..3cb7f65 --- /dev/null +++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java @@ -0,0 +1,46 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.atlas.authorize; + +public enum AtlasPrivilege { + TYPE_CREATE("type-create"), + TYPE_UPDATE("type-update"), + TYPE_DELETE("type-delete"), + + ENTITY_READ("entity-read"), + ENTITY_CREATE("entity-create"), + ENTITY_UPDATE("entity-update"), + ENTITY_DELETE("entity-delete"), + ENTITY_READ_CLASSIFICATION("entity-read-classification"), + ENTITY_ADD_CLASSIFICATION("entity-add-classification"), + ENTITY_UPDATE_CLASSIFICATION("entity-update-classification"), + ENTITY_REMOVE_CLASSIFICATION("entity-remove-classification"), + + ADMIN_EXPORT("admin-export"), + ADMIN_IMPORT("admin-import"); + + private final String type; + + AtlasPrivilege(String actionType){ + this.type = actionType; + } + + public String getType() { + return type; + } +} http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/AtlasResourceTypes.java ---------------------------------------------------------------------- diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasResourceTypes.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasResourceTypes.java deleted file mode 100644 index 7e2808c..0000000 --- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasResourceTypes.java +++ /dev/null @@ -1,23 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.atlas.authorize; - -public enum AtlasResourceTypes { - UNKNOWN, ENTITY, TYPE, OPERATION, RELATIONSHIP -} http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java ---------------------------------------------------------------------- diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java new file mode 100644 index 0000000..af38425 --- /dev/null +++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java @@ -0,0 +1,49 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.atlas.authorize; + +import org.apache.atlas.model.typedef.AtlasBaseTypeDef; + +import java.util.Set; + +public class AtlasTypeAccessRequest extends AtlasAccessRequest { + private final AtlasBaseTypeDef typeDef; + + + public AtlasTypeAccessRequest(AtlasPrivilege action, AtlasBaseTypeDef typeDef) { + super(action); + + this.typeDef = typeDef; + } + + public AtlasTypeAccessRequest(AtlasPrivilege action, AtlasBaseTypeDef typeDef, String userName, Set<String> usergroups) { + super(action, userName, usergroups); + + this.typeDef = typeDef; + } + + public AtlasBaseTypeDef getTypeDef() { + return typeDef; + } + + @Override + public String toString() { + return "AtlasEntityAccessRequest[typeDef=" + typeDef + ", action=" + getAction() + ", accessTime=" + getAccessTime() + + ", user=" + getUser() + ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() + "]"; + } +} http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java ---------------------------------------------------------------------- diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java deleted file mode 100644 index 5bc1941..0000000 --- a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasAuthorizationUtils.java +++ /dev/null @@ -1,182 +0,0 @@ -/** -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.atlas.authorize.simple; - -import org.apache.atlas.authorize.AtlasAccessRequest; -import org.apache.atlas.authorize.AtlasActionTypes; -import org.apache.atlas.authorize.AtlasAuthorizationException; -import org.apache.atlas.authorize.AtlasAuthorizer; -import org.apache.atlas.authorize.AtlasAuthorizerFactory; -import org.apache.atlas.authorize.AtlasResourceTypes; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import javax.servlet.http.HttpServletRequest; -import java.net.InetAddress; -import java.net.UnknownHostException; -import java.util.HashSet; -import java.util.Set; -import java.util.regex.Pattern; - -public class AtlasAuthorizationUtils { - private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthorizationUtils.class); - private static boolean isDebugEnabled = LOG.isDebugEnabled(); - private static final String BASE_URL = "/api/atlas/"; - - public static String getApi(String contextPath) { - if (isDebugEnabled) { - LOG.debug("==> getApi({})", contextPath); - } - - if(contextPath == null){ - contextPath = ""; - } - - if (contextPath.startsWith(BASE_URL)) { - contextPath = contextPath.substring(BASE_URL.length()); - } else { - // strip of leading '/' - if (contextPath.startsWith("/")) { - contextPath = contextPath.substring(1); - } - } - String[] split = contextPath.split("/", 3); - - String api = split[0]; - if (Pattern.matches("v\\d", api)) { - api = split[1]; - } - - if (isDebugEnabled) { - LOG.debug("<== getApi({}): {}", contextPath, api); - } - - return api; - } - - public static AtlasActionTypes getAtlasAction(String method, String contextPath) { - AtlasActionTypes action = null; - - switch (method.toUpperCase()) { - case "POST": - String api = getApi(contextPath); - if (api != null && api.startsWith("search")) { // exceptional case for basic search api with POST method - action = AtlasActionTypes.READ; - } else { - action = AtlasActionTypes.CREATE; - } - break; - case "GET": - action = AtlasActionTypes.READ; - break; - case "PUT": - action = AtlasActionTypes.UPDATE; - break; - case "DELETE": - action = AtlasActionTypes.DELETE; - break; - default: - if (isDebugEnabled) { - LOG.debug("getAtlasAction(): Invalid HTTP method '{}", method); - } - break; - } - - if (isDebugEnabled) { - LOG.debug("<== AtlasAuthorizationFilter getAtlasAction HTTP Method {} mapped to AtlasAction : {}", - method, action); - } - return action; - } - - /** - * @param contextPath - * @return set of AtlasResourceTypes types api mapped with AtlasResourceTypes.TYPE eg :- /api/atlas/types/* - * - * gremlin discovery,admin,graph apis are mapped with AtlasResourceTypes.OPERATION eg :-/api/atlas/admin/* - * /api/atlas/discovery/search/gremlin /api/atlas/graph/* - * - * entities,lineage and discovery apis are mapped with AtlasResourceTypes.ENTITY eg :- /api/atlas/lineage/hive/table/* - * /api/atlas/entities/{guid}* /api/atlas/discovery/* - * - * unprotected types are mapped with AtlasResourceTypes.UNKNOWN, access to these are allowed. - */ - public static Set<AtlasResourceTypes> getAtlasResourceType(String contextPath) { - Set<AtlasResourceTypes> resourceTypes = new HashSet<>(); - if (isDebugEnabled) { - LOG.debug("==> getAtlasResourceType for {}", contextPath); - } - String api = getApi(contextPath); - if (api.startsWith("types")) { - resourceTypes.add(AtlasResourceTypes.TYPE); - } else if (api.startsWith("admin") && (contextPath.contains("/session") || contextPath.contains("/version"))) { - resourceTypes.add(AtlasResourceTypes.UNKNOWN); - } else if ((api.startsWith("discovery") && contextPath.contains("/gremlin")) || api.startsWith("admin") - || api.startsWith("graph")) { - resourceTypes.add(AtlasResourceTypes.OPERATION); - } else if (api.startsWith("entities") || api.startsWith("lineage") || - api.startsWith("discovery") || api.startsWith("entity") || api.startsWith("search")) { - resourceTypes.add(AtlasResourceTypes.ENTITY); - } else if (api.startsWith("relationship")) { - resourceTypes.add(AtlasResourceTypes.RELATIONSHIP); - } else { - LOG.error("Unable to find Atlas Resource corresponding to : {}\nSetting {}" - , api, AtlasResourceTypes.UNKNOWN.name()); - resourceTypes.add(AtlasResourceTypes.UNKNOWN); - } - - if (isDebugEnabled) { - LOG.debug("<== Returning AtlasResources {} for api {}", resourceTypes, api); - } - return resourceTypes; - } - - public static boolean isAccessAllowed(AtlasResourceTypes resourcetype, AtlasActionTypes actionType, String userName, Set<String> groups, HttpServletRequest request) { - AtlasAuthorizer authorizer = null; - boolean isaccessAllowed = false; - - Set<AtlasResourceTypes> resourceTypes = new HashSet<>(); - resourceTypes.add(resourcetype); - AtlasAccessRequest atlasRequest = new AtlasAccessRequest(resourceTypes, "*", actionType, userName, groups, AtlasAuthorizationUtils.getRequestIpAddress(request)); - try { - authorizer = AtlasAuthorizerFactory.getAtlasAuthorizer(); - if (authorizer != null) { - isaccessAllowed = authorizer.isAccessAllowed(atlasRequest); - } - } catch (AtlasAuthorizationException e) { - LOG.error("Unable to obtain AtlasAuthorizer. ", e); - } - - return isaccessAllowed; - } - - public static String getRequestIpAddress(HttpServletRequest httpServletRequest) { - try { - InetAddress inetAddr = InetAddress.getByName(httpServletRequest.getRemoteAddr()); - - String ip = inetAddr.getHostAddress(); - - return ip; - } catch (UnknownHostException ex) { - LOG.error("Error occured when retrieving IP address", ex); - return ""; - } - } -} http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java ---------------------------------------------------------------------- diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java new file mode 100644 index 0000000..fd58858 --- /dev/null +++ b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java @@ -0,0 +1,346 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.atlas.authorize.simple; + +import java.io.IOException; +import java.io.InputStream; +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; +import java.util.Set; + +import org.apache.atlas.ApplicationProperties; +import org.apache.atlas.AtlasException; +import org.apache.atlas.authorize.AtlasAdminAccessRequest; +import org.apache.atlas.authorize.AtlasAuthorizer; +import org.apache.atlas.authorize.AtlasAuthorizationException; +import org.apache.atlas.authorize.AtlasEntityAccessRequest; +import org.apache.atlas.authorize.AtlasTypeAccessRequest; +import org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.*; +import org.apache.atlas.utils.AtlasJson; +import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.lang.StringUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + + +public final class AtlasSimpleAuthorizer implements AtlasAuthorizer { + private static final Logger LOG = LoggerFactory.getLogger(AtlasSimpleAuthorizer.class); + + private final static String WILDCARD_ASTERISK = "*"; + + private AtlasSimpleAuthzPolicy authzPolicy; + + + public AtlasSimpleAuthorizer() { + } + + @Override + public void init() { + LOG.info("==> SimpleAtlasAuthorizer.init()"); + + InputStream inputStream = null; + + try { + inputStream = ApplicationProperties.getFileAsInputStream(ApplicationProperties.get(), "atlas.authorizer.simple.authz.policy.file", "atlas-simple-authz-policy.json"); + + authzPolicy = AtlasJson.fromJson(inputStream, AtlasSimpleAuthzPolicy.class); + } catch (IOException | AtlasException e) { + LOG.error("SimpleAtlasAuthorizer.init(): initialization failed", e); + + throw new RuntimeException(e); + } finally { + if (inputStream != null) { + try { + inputStream.close(); + } catch (IOException excp) { + // ignore + } + } + } + + LOG.info("<== SimpleAtlasAuthorizer.init()"); + } + + @Override + public void cleanUp() { + LOG.info("==> SimpleAtlasAuthorizer.cleanUp()"); + + authzPolicy = null; + + LOG.info("<== SimpleAtlasAuthorizer.cleanUp()"); + } + + @Override + public boolean isAccessAllowed(AtlasAdminAccessRequest request) throws AtlasAuthorizationException { + if (LOG.isDebugEnabled()) { + LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", request); + } + + boolean ret = false; + + Set<String> roles = getRoles(request.getUser(), request.getUserGroups()); + + for (String role : roles) { + List<AtlasAdminPermission> permissions = getAdminPermissionsForRole(role); + + if (permissions != null) { + final String action = request.getAction() != null ? request.getAction().getType() : null; + + for (AtlasAdminPermission permission : permissions) { + if (isMatch(action, permission.getPrivileges())) { + ret = true; + + break; + } + } + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}", request, ret); + } + + return ret; + } + + @Override + public boolean isAccessAllowed(AtlasTypeAccessRequest request) throws AtlasAuthorizationException { + if (LOG.isDebugEnabled()) { + LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", request); + } + + boolean ret = false; + + Set<String> roles = getRoles(request.getUser(), request.getUserGroups()); + + for (String role : roles) { + List<AtlasTypePermission> permissions = getTypePermissionsForRole(role); + + if (permissions != null) { + final String action = request.getAction() != null ? request.getAction().getType() : null; + final String typeCategory = request.getTypeDef() != null ? request.getTypeDef().getCategory().name() : null; + final String typeName = request.getTypeDef() != null ? request.getTypeDef().getName() : null; + + for (AtlasTypePermission permission : permissions) { + if (isMatch(action, permission.getPrivileges()) && + isMatch(typeCategory, permission.getTypeCategories()) && + isMatch(typeName, permission.getTypeNames())) { + ret = true; + + break; + } + } + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}", request, ret); + } + + return ret; + } + + @Override + public boolean isAccessAllowed(AtlasEntityAccessRequest request) throws AtlasAuthorizationException { + if (LOG.isDebugEnabled()) { + LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", request); + } + + final String action = request.getAction() != null ? request.getAction().getType() : null; + final Set<String> entityTypes = request.getEntityTypeAndAllSuperTypes(); + final String entityId = request.getEntityId(); + final String classification = request.getClassification() != null ? request.getClassification().getTypeName() : null; + final String attribute = request.getAttributeName(); + final Set<String> entClsToAuthz = new HashSet<>(request.getEntityClassifications()); + final Set<String> roles = getRoles(request.getUser(), request.getUserGroups()); + boolean hasEntityAccess = false; + boolean hasClassificationsAccess = false; + + for (String role : roles) { + List<AtlasEntityPermission> permissions = getEntityPermissionsForRole(role); + + if (permissions != null) { + for (AtlasEntityPermission permission : permissions) { + // match entity-type/entity-id/attribute + if (isMatchAny(entityTypes, permission.getEntityTypes()) && isMatch(entityId, permission.getEntityIds()) && isMatch(attribute, permission.getAttributes())) { + // match permission/classification + if (!hasEntityAccess) { + if (isMatch(action, permission.getPrivileges()) && isMatch(classification, permission.getClassifications())) { + hasEntityAccess = true; + } + } + + // match entity-classifications + for (Iterator<String> iter = entClsToAuthz.iterator(); iter.hasNext();) { + String entityClassification = iter.next(); + + if (isMatchAny(request.getClassificationTypeAndAllSuperTypes(entityClassification), permission.getClassifications())) { + iter.remove(); + } + } + + hasClassificationsAccess = CollectionUtils.isEmpty(entClsToAuthz); + + if (hasEntityAccess && hasClassificationsAccess) { + break; + } + } + } + } + } + + boolean ret = hasEntityAccess && hasClassificationsAccess; + + if (LOG.isDebugEnabled()) { + if (!ret) { + LOG.debug("hasEntityAccess={}; hasClassificationsAccess={}, classificationsWithNoAccess={}", hasEntityAccess, hasClassificationsAccess, entClsToAuthz); + } + + LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}", request, ret); + } + + return ret; + } + + + private Set<String> getRoles(String userName, Set<String> userGroups) { + Set<String> ret = new HashSet<>(); + + if (authzPolicy != null) { + if (userName != null && authzPolicy.getUserRoles() != null) { + List<String> userRoles = authzPolicy.getUserRoles().get(userName); + + if (userRoles != null) { + ret.addAll(userRoles); + } + } + + if (userGroups != null && authzPolicy.getGroupRoles() != null) { + for (String groupName : userGroups) { + List<String> groupRoles = authzPolicy.getGroupRoles().get(groupName); + + if (groupRoles != null) { + ret.addAll(groupRoles); + } + } + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== getRoles({}, {}): {}", userName, userGroups, ret); + } + + return ret; + } + + private List<AtlasAdminPermission> getAdminPermissionsForRole(String roleName) { + List<AtlasAdminPermission> ret = null; + + if (authzPolicy != null && roleName != null) { + AtlasAuthzRole role = authzPolicy.getRoles().get(roleName); + + ret = role != null ? role.getAdminPermissions() : null; + } + + return ret; + } + + private List<AtlasTypePermission> getTypePermissionsForRole(String roleName) { + List<AtlasTypePermission> ret = null; + + if (authzPolicy != null && roleName != null) { + AtlasAuthzRole role = authzPolicy.getRoles().get(roleName); + + ret = role != null ? role.getTypePermissions() : null; + } + + return ret; + } + + private List<AtlasEntityPermission> getEntityPermissionsForRole(String roleName) { + List<AtlasEntityPermission> ret = null; + + if (authzPolicy != null && roleName != null) { + AtlasAuthzRole role = authzPolicy.getRoles().get(roleName); + + ret = role != null ? role.getEntityPermissions() : null; + } + + return ret; + } + + private boolean isMatch(String value, List<String> patterns) { + boolean ret = false; + + if (value == null) { + ret = true; + } if (CollectionUtils.isNotEmpty(patterns)) { + for (String pattern : patterns) { + if (isMatch(value, pattern)) { + ret = true; + + break; + } + } + } + + if (!ret && LOG.isDebugEnabled()) { + LOG.debug("<== isMatch({}, {}): {}", value, patterns, ret); + } + + return ret; + } + + private boolean isMatchAny(Set<String> values, List<String> patterns) { + boolean ret = false; + + if (CollectionUtils.isEmpty(values)) { + ret = true; + }if (CollectionUtils.isNotEmpty(patterns)) { + for (String value : values) { + if (isMatch(value, patterns)) { + ret = true; + + break; + } + } + } + + if (!ret && LOG.isDebugEnabled()) { + LOG.debug("<== isMatchAny({}, {}): {}", values, patterns, ret); + } + + return ret; + } + + private boolean isMatch(String value, String pattern) { + boolean ret; + + if (value == null) { + ret = true; + } else { + ret = StringUtils.equalsIgnoreCase(value, pattern) || value.matches(pattern); + } + + return ret; + } +} + + http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzPolicy.java ---------------------------------------------------------------------- diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzPolicy.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzPolicy.java new file mode 100644 index 0000000..e2a8b7f --- /dev/null +++ b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzPolicy.java @@ -0,0 +1,255 @@ +/** Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.atlas.authorize.simple; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.databind.annotation.JsonSerialize; + +import javax.xml.bind.annotation.XmlAccessType; +import javax.xml.bind.annotation.XmlAccessorType; +import javax.xml.bind.annotation.XmlRootElement; +import java.io.Serializable; +import java.util.List; +import java.util.Map; + +import static com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility.NONE; +import static com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility.PUBLIC_ONLY; + +@JsonAutoDetect(getterVisibility=PUBLIC_ONLY, setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE) +@JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL) +@JsonIgnoreProperties(ignoreUnknown=true) +@XmlRootElement +@XmlAccessorType(XmlAccessType.PROPERTY) +public class AtlasSimpleAuthzPolicy implements Serializable { + private static final long serialVersionUID = 1L; + + private Map<String, AtlasAuthzRole> roles; + private Map<String, List<String>> userRoles; + private Map<String, List<String>> groupRoles; + + + public Map<String, AtlasAuthzRole> getRoles() { + return roles; + } + + public void setRoles(Map<String, AtlasAuthzRole> roles) { + this.roles = roles; + } + + public Map<String, List<String>> getUserRoles() { + return userRoles; + } + + public void setUserRoles(Map<String, List<String>> userRoles) { + this.userRoles = userRoles; + } + + public Map<String, List<String>> getGroupRoles() { + return groupRoles; + } + + public void setGroupRoles(Map<String, List<String>> groupRoles) { + this.groupRoles = groupRoles; + } + + + @JsonAutoDetect(getterVisibility=PUBLIC_ONLY, setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE) + @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL) + @JsonIgnoreProperties(ignoreUnknown=true) + @XmlRootElement + @XmlAccessorType(XmlAccessType.PROPERTY) + public static class AtlasAuthzRole implements Serializable { + private static final long serialVersionUID = 1L; + + private List<AtlasAdminPermission> adminPermissions; + private List<AtlasEntityPermission> entityPermissions; + private List<AtlasTypePermission> typePermissions; + + public AtlasAuthzRole() { + } + + public AtlasAuthzRole(List<AtlasAdminPermission> adminPermissions, List<AtlasEntityPermission> entityPermissions, List<AtlasTypePermission> typePermissions) { + this.adminPermissions = adminPermissions; + this.entityPermissions = entityPermissions; + this.typePermissions = typePermissions; + } + + public List<AtlasAdminPermission> getAdminPermissions() { + return adminPermissions; + } + + public void setAdminPermissions(List<AtlasAdminPermission> adminPermissions) { + this.adminPermissions = adminPermissions; + } + + public List<AtlasEntityPermission> getEntityPermissions() { + return entityPermissions; + } + + public void setEntityPermissions(List<AtlasEntityPermission> entityPermissions) { + this.entityPermissions = entityPermissions; + } + + public List<AtlasTypePermission> getTypePermissions() { + return typePermissions; + } + + public void setTypePermissions(List<AtlasTypePermission> typePermissions) { + this.typePermissions = typePermissions; + } + } + + @JsonAutoDetect(getterVisibility=PUBLIC_ONLY, setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE) + @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL) + @JsonIgnoreProperties(ignoreUnknown=true) + @XmlRootElement + @XmlAccessorType(XmlAccessType.PROPERTY) + public static class AtlasAdminPermission implements Serializable { + private static final long serialVersionUID = 1L; + + private List<String> privileges; // name of AtlasPrivilege enum, wildcards supported + + public AtlasAdminPermission() { + } + + public AtlasAdminPermission(List<String> privileges) { + this.privileges = privileges; + } + + public List<String> getPrivileges() { + return privileges; + } + + public void setPrivileges(List<String> privileges) { + this.privileges = privileges; + } + } + + @JsonAutoDetect(getterVisibility=PUBLIC_ONLY, setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE) + @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL) + @JsonIgnoreProperties(ignoreUnknown=true) + @XmlRootElement + @XmlAccessorType(XmlAccessType.PROPERTY) + public static class AtlasTypePermission implements Serializable { + private static final long serialVersionUID = 1L; + + private List<String> privileges; // name of AtlasPrivilege enum, wildcards supported + private List<String> typeCategories; // category of the type (entity, classification, struct, enum, relationship), wildcards supported + private List<String> typeNames; // name of type, wildcards supported + + public AtlasTypePermission() { + } + + public AtlasTypePermission(List<String> privileges, List<String> typeCategories, List<String> typeNames) { + this.privileges = privileges; + this.typeCategories = typeCategories; + this.typeNames = typeNames; + } + + public List<String> getPrivileges() { + return privileges; + } + + public void setPrivileges(List<String> privileges) { + this.privileges = privileges; + } + + public List<String> getTypeCategories() { + return typeCategories; + } + + public void setTypeCategories(List<String> typeCategories) { + this.typeCategories = typeCategories; + } + + public List<String> getTypeNames() { + return typeNames; + } + + public void setTypeNames(List<String> typeNames) { + this.typeNames = typeNames; + } + } + + @JsonAutoDetect(getterVisibility=PUBLIC_ONLY, setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE) + @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL) + @JsonIgnoreProperties(ignoreUnknown=true) + @XmlRootElement + @XmlAccessorType(XmlAccessType.PROPERTY) + public static class AtlasEntityPermission implements Serializable { + private static final long serialVersionUID = 1L; + + private List<String> privileges; // name of AtlasPrivilege enum, wildcards supported + private List<String> entityTypes; // name of entity-type, wildcards supported + private List<String> entityIds; // value of entity-unique attribute, wildcards supported + private List<String> classifications; // name of classification-type, wildcards supported + private List<String> attributes; // name of entity-attribute, wildcards supported + + public AtlasEntityPermission() { + } + + public AtlasEntityPermission(List<String> privileges, List<String> entityTypes, List<String> entityIds, List<String> classifications, List<String> attributes) { + this.privileges = privileges; + this.entityTypes = entityTypes; + this.entityIds = entityIds; + this.classifications = classifications; + this.attributes = attributes; + } + + public List<String> getPrivileges() { + return privileges; + } + + public void setPrivileges(List<String> privileges) { + this.privileges = privileges; + } + + public List<String> getEntityTypes() { + return entityTypes; + } + + public void setEntityTypes(List<String> entityTypes) { + this.entityTypes = entityTypes; + } + + public List<String> getEntityIds() { + return entityIds; + } + + public void setEntityIds(List<String> entityIds) { + this.entityIds = entityIds; + } + + public List<String> getClassifications() { + return classifications; + } + + public void setClassifications(List<String> classifications) { + this.classifications = classifications; + } + + public List<String> getAttributes() { + return attributes; + } + + public void setAttributes(List<String> attributes) { + this.attributes = attributes; + } + } + +} http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/simple/FileReaderUtil.java ---------------------------------------------------------------------- diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/FileReaderUtil.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/FileReaderUtil.java deleted file mode 100644 index 88bf56b..0000000 --- a/authorization/src/main/java/org/apache/atlas/authorize/simple/FileReaderUtil.java +++ /dev/null @@ -1,56 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.atlas.authorize.simple; - -import java.io.IOException; -import java.io.InputStream; -import java.nio.charset.StandardCharsets; -import java.util.ArrayList; -import java.util.List; -import java.util.regex.Pattern; - -import org.apache.commons.io.IOUtils; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -public class FileReaderUtil { - private static Logger LOG = LoggerFactory.getLogger(FileReaderUtil.class); - private static boolean isDebugEnabled = LOG.isDebugEnabled(); - - public static List<String> readFile(InputStream policyStoreStream) throws IOException { - if (isDebugEnabled) { - LOG.debug("==> FileReaderUtil readFile()"); - } - List<String> list = new ArrayList<>(); - List<String> fileLines = IOUtils.readLines(policyStoreStream, StandardCharsets.UTF_8); - if (fileLines != null) { - for (String line : fileLines) { - if ((!line.startsWith("#")) && Pattern.matches(".+;;.*;;.*;;.+", line)) - list.add(line); - } - } - - if (isDebugEnabled) { - LOG.debug("<== FileReaderUtil readFile()"); - LOG.debug("Policies read :: " + list); - } - - return list; - } -} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/atlas/blob/afbc6975/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyDef.java ---------------------------------------------------------------------- diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyDef.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyDef.java deleted file mode 100644 index 6b2b8b3..0000000 --- a/authorization/src/main/java/org/apache/atlas/authorize/simple/PolicyDef.java +++ /dev/null @@ -1,70 +0,0 @@ -/** Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.atlas.authorize.simple; - -import java.util.List; -import java.util.Map; - -import org.apache.atlas.authorize.AtlasActionTypes; -import org.apache.atlas.authorize.AtlasResourceTypes; - -public class PolicyDef { - - private String policyName; - private Map<String, List<AtlasActionTypes>> users; - private Map<String, List<AtlasActionTypes>> groups; - private Map<AtlasResourceTypes, List<String>> resources; - - public String getPolicyName() { - return policyName; - } - - public void setPolicyName(String policyName) { - this.policyName = policyName; - } - - public Map<String, List<AtlasActionTypes>> getUsers() { - return users; - } - - public void setUsers(Map<String, List<AtlasActionTypes>> users) { - this.users = users; - } - - public Map<String, List<AtlasActionTypes>> getGroups() { - return groups; - } - - public void setGroups(Map<String, List<AtlasActionTypes>> groups) { - this.groups = groups; - } - - public Map<AtlasResourceTypes, List<String>> getResources() { - return resources; - } - - public void setResources(Map<AtlasResourceTypes, List<String>> resources) { - this.resources = resources; - } - - @Override - public String toString() { - return "PolicyDef [policyName=" + policyName + ", users=" + users + ", groups=" + groups + ", resources=" - + resources + "]"; - } - -}