[ 
https://issues.apache.org/jira/browse/ATLAS-1696?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nigel Jones updated ATLAS-1696:
-------------------------------
    Description: 
Governance Engine OMAS is one of multiple consumer-centric based interfaces 
that will be added to Apache Atlas, & provides the API (REST and messaging) to 
support policy enforcement frameworks such as Apache Ranger. Detailed knowledge 
of the Atlas data models and structure can then be hidden from these consumers.

The functionality of gaf includes
 - ability to retrieve classifications associated to assets
  - restricted to "interesting" classifications 
  - restricted to interesting assets being managed by the requesting endpoint
 - to retrieve a list of interesting roles that relate to enforcement
 - to retrieve any template rule definitions/lookup tables that might be used 
to construct executable rules

The scoping constructs supported in the API will include
 - Only get classifications that are relevant for security enforcement (ie: 
only those inheriting from a specified supertype? Verify in ATLAS-1839)
 - only get information about assets (resources) in a certain part of the 
datalake (Q: HOW. By zone? How to specify? by asset type? By associated 
endpoint?)
 - pagination
 
See ATLAS-1839 for more information on the model and classifications

In the Atlas data model classifications propagate - for example
 * A database column DOB has no explicit classification
 * Its containing table CDB is classified as "customer personal details"
 * The "SPI" classification is attached to this table with the value "sensitive"

At enforcement time all that an engine such as Ranger cares about is that the 
column "DOB" is sensitive, how we got there isn't important.  In the example 
above the propagation occurs

 * Along the assigned term relationship 
 * along the structural containment relationship (table->column)

Therefore gaf omas will "flatten" the structure - so in this case we'll see
 table/CDB - SPI:sensitive
 column/DOB - SPI:sensitive

There will be cases where multiple classifications (of the same type) can be 
navigated to from an asset like DOB. This may not make logical sense, however, 
until precedence is resolved in ATLAS-1839 & related Jiras, OMAS will pass 
through multiple classifications

This interface will also support message notifications of changes to managed 
resources such as a new role, classification. A single Kafka topic will be 
used. 
 <tbd>



A first pass swagger can be found at 
https://app.swaggerhub.com/apis/planetf1/GovernanceActionOMAS/0.1


NOTE: Updated 23 Aug with new name of GOVERNANCE ENGINE OMAS

  was:
Governance Action OMAS is one of multiple consumer-centric based interfaces 
that will be added to Apache Atlas, & provides the API (REST and messaging) to 
support policy enforcement frameworks such as Apache Ranger. Detailed knowledge 
of the Atlas data models and structure can then be hidden from these consumers.

The functionality of gaf includes
 - ability to retrieve classifications associated to assets
  - restricted to "interesting" classifications 
  - restricted to interesting assets being managed by the requesting endpoint
 - to retrieve a list of interesting roles that relate to enforcement
 - to retrieve any template rule definitions/lookup tables that might be used 
to construct executable rules

The scoping constructs supported in the API will include
 - Only get classifications that are relevant for security enforcement (ie: 
only those inheriting from a specified supertype? Verify in ATLAS-1839)
 - only get information about assets (resources) in a certain part of the 
datalake (Q: HOW. By zone? How to specify? by asset type? By associated 
endpoint?)
 - pagination
 
See ATLAS-1839 for more information on the model and classifications

In the Atlas data model classifications propagate - for example
 * A database column DOB has no explicit classification
 * Its containing table CDB is classified as "customer personal details"
 * The "SPI" classification is attached to this table with the value "sensitive"

At enforcement time all that an engine such as Ranger cares about is that the 
column "DOB" is sensitive, how we got there isn't important.  In the example 
above the propagation occurs

 * Along the assigned term relationship 
 * along the structural containment relationship (table->column)

Therefore gaf omas will "flatten" the structure - so in this case we'll see
 table/CDB - SPI:sensitive
 column/DOB - SPI:sensitive

There will be cases where multiple classifications (of the same type) can be 
navigated to from an asset like DOB. This may not make logical sense, however, 
until precedence is resolved in ATLAS-1839 & related Jiras, OMAS will pass 
through multiple classifications

This interface will also support message notifications of changes to managed 
resources such as a new role, classification. A single Kafka topic will be 
used. 
 <tbd>



A first pass swagger can be found at 
https://app.swaggerhub.com/apis/planetf1/GovernanceActionOMAS/0.1

        Summary: Governance Engine OMAS  (was: Governance Action Framework OMAS)

> Governance Engine OMAS
> ----------------------
>
>                 Key: ATLAS-1696
>                 URL: https://issues.apache.org/jira/browse/ATLAS-1696
>             Project: Atlas
>          Issue Type: New Feature
>            Reporter: Nigel Jones
>            Assignee: Nigel Jones
>              Labels: VirtualDataConnector
>
> Governance Engine OMAS is one of multiple consumer-centric based interfaces 
> that will be added to Apache Atlas, & provides the API (REST and messaging) 
> to support policy enforcement frameworks such as Apache Ranger. Detailed 
> knowledge of the Atlas data models and structure can then be hidden from 
> these consumers.
> The functionality of gaf includes
>  - ability to retrieve classifications associated to assets
>   - restricted to "interesting" classifications 
>   - restricted to interesting assets being managed by the requesting endpoint
>  - to retrieve a list of interesting roles that relate to enforcement
>  - to retrieve any template rule definitions/lookup tables that might be used 
> to construct executable rules
> The scoping constructs supported in the API will include
>  - Only get classifications that are relevant for security enforcement (ie: 
> only those inheriting from a specified supertype? Verify in ATLAS-1839)
>  - only get information about assets (resources) in a certain part of the 
> datalake (Q: HOW. By zone? How to specify? by asset type? By associated 
> endpoint?)
>  - pagination
>  
> See ATLAS-1839 for more information on the model and classifications
> In the Atlas data model classifications propagate - for example
>  * A database column DOB has no explicit classification
>  * Its containing table CDB is classified as "customer personal details"
>  * The "SPI" classification is attached to this table with the value 
> "sensitive"
> At enforcement time all that an engine such as Ranger cares about is that the 
> column "DOB" is sensitive, how we got there isn't important.  In the example 
> above the propagation occurs
>  * Along the assigned term relationship 
>  * along the structural containment relationship (table->column)
> Therefore gaf omas will "flatten" the structure - so in this case we'll see
>  table/CDB - SPI:sensitive
>  column/DOB - SPI:sensitive
> There will be cases where multiple classifications (of the same type) can be 
> navigated to from an asset like DOB. This may not make logical sense, 
> however, until precedence is resolved in ATLAS-1839 & related Jiras, OMAS 
> will pass through multiple classifications
> This interface will also support message notifications of changes to managed 
> resources such as a new role, classification. A single Kafka topic will be 
> used. 
>  <tbd>
> A first pass swagger can be found at 
> https://app.swaggerhub.com/apis/planetf1/GovernanceActionOMAS/0.1
> NOTE: Updated 23 Aug with new name of GOVERNANCE ENGINE OMAS



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
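
The flattening described in the issue, as an added sketch that is not code from Atlas or from the issue's author. The in-memory graph, the edge names, the NOTES column and the Retention tag are constructed for illustration, and the sketch assumes SPI reaches CDB through its assigned term; multiple classifications of the same type are passed through unresolved, as the description says.

```python
from collections import defaultdict, deque

# Constructed sample graph (names other than CDB, DOB, SPI are hypothetical).
# Edges point in the direction classifications propagate.
EDGES = [
    ("term/customer personal details", "table/CDB", "assigned_term"),
    ("table/CDB", "column/DOB", "contains"),
    ("table/CDB", "column/NOTES", "contains"),
]
# Classifications attached directly to a node: (type, value).
EXPLICIT = {
    "term/customer personal details": [("SPI", "sensitive")],
    "column/NOTES": [("SPI", "public"), ("Retention", "7y")],
}
PROPAGATING = {"assigned_term", "contains"}


def flatten(edges, explicit, interesting_types, asset_prefixes=("table/", "column/")):
    """Return {asset: sorted list of 'type:value'} with propagation resolved."""
    children = defaultdict(list)
    for src, dst, kind in edges:
        if kind in PROPAGATING:
            children[src].append(dst)

    effective = defaultdict(set)
    for origin, tags in explicit.items():
        # Scope: keep only classification types relevant to enforcement.
        tags = {t for t in tags if t[0] in interesting_types}
        if not tags:
            continue
        # Breadth-first walk; 'seen' keeps a cyclic graph from looping forever.
        seen, queue = {origin}, deque([origin])
        while queue:
            node = queue.popleft()
            effective[node] |= tags
            for nxt in children[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)

    # Only assets are reported; glossary terms stay hidden from the consumer.
    return {
        asset: sorted(f"{t}:{v}" for t, v in tags)
        for asset, tags in sorted(effective.items())
        if asset.startswith(asset_prefixes)
    }


FLAT = flatten(EDGES, EXPLICIT, interesting_types={"SPI"})
for asset, tags in FLAT.items():
    print(asset, "-", ", ".join(tags))
```

An enforcement engine consuming this output sees two SPI values on column/NOTES and has to apply its own precedence until the model defines one.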
