[jira] [Commented] (ATLAS-1696) Governance Action Framework OMAS

2017-07-20 Thread Nigel Jones (JIRA)

[ 
https://issues.apache.org/jira/browse/ATLAS-1696?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16094883#comment-16094883
 ] 

Nigel Jones commented on ATLAS-1696:


[~davidrad] I will update the swagger as per some of our recent discussions. 
Tags is the term still used by ranger, whilst classifications are used by atlas 
(there is of course also a distinction between the classification (type), the 
classification instance, and that association of a classification 
definition+instance to an asset (which in ranger is termed a resource)).  I 
initially went with tag being in a ranger-mindset, plus it's shorter... BUT to 
answer your question I will change to classification since this is an Atlas 
API. 

On your roles question, I will clarify -- it's still dependent on the 
definition of roles which we haven't worked through in the model yet.  I'll go 
with all roles atlas knows about for now, and elaborate once the model is 
refined. 

The GAF implementation will be neutral. There are references in the swagger doc 
as I hoped it would form a basis for discussion rather than being the final 
result. I will update references to ensure if ranger is mentioned it's clear 
it's an example. Further I am creating some subtasks which will include 
creating a swagger output off a skeleton implementation as you've done for 
glossary OMAS.

> Governance Action Framework OMAS
> 
>
> Key: ATLAS-1696
> URL: https://issues.apache.org/jira/browse/ATLAS-1696
> Project: Atlas
> Issue Type: New Feature
> Reporter: Nigel Jones
> Assignee: Nigel Jones
> Labels: VirtualDataConnector
>
> Governance Action OMAS is one of multiple consumer-centric based interfaces 
> that will be added to Apache Atlas, & provides the API (REST and messaging) 
> to support policy enforcement frameworks such as Apache Ranger. Detailed 
> knowledge of the Atlas data models and structure can then be hidden from 
> these consumers.
> The functionality of gaf includes
>  - ability to retrieve classifications associated to assets
>   - restricted to "interesting" classifications 
>   - restricted to interesting assets being managed by the requesting endpoint
>  - to retrieve a list of interesting roles that relate to enforcement
>  - to retrieve any template rule definitions/lookup tables that might be used 
> to construct executable rules
> The scoping constructs supported in the API will include
>  - Only get classifications that are relevant for security enforcement (ie: 
> only those inheriting from a specified supertype? Verify in ATLAS-1839)
>  - only get information about assets (resources) in a certain part of the 
> datalake (Q: HOW. By zone? How to specify? by asset type? By associated 
> endpoint?)
>  - pagination
>  
> See ATLAS-1839 for more information on the model and classifications
> In the Atlas data model classifications propagate - for example
>  * A database column DOB has no explicit classification
>  * Its containing table CDB is classified as "customer personal details"
>  * The "SPI" classification is attached to this table with the value 
> "sensitive"
> At enforcement time all that an engine such as ranger cares about is that the 
> column "DOB" is sensitive; how we got there isn't important.  In the example 
> above the propagation occurs
>  * Along the assigned term relationship 
>  * along the structural containment relationship (table->column)
> Therefore gaf omas will "flatten" the structure - so in this case we'll see
>  table/CDB - SPI:sensitive
>  column/DOB - SPI:sensitive
> There will be cases where multiple classifications (of the same type) can be 
> navigated to from an asset like DOB. This may not make logical sense, 
> however, until precedence is resolved in ATLAS-1839 & related Jiras, OMAS 
> will pass through multiple classifications
> This interface will also support message notifications of changes to managed 
> resources such as a new role, classification. A single kafka topic will be 
> used. 
>  
> A first pass swagger can be found at 
> https://app.swaggerhub.com/apis/planetf1/GovernanceActionOMAS/0.1



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
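
As an added illustration (not part of the issue and not Atlas code), the flattening described in the quoted issue description can be modelled as below. The dictionaries and function names are assumptions, as is routing SPI to the table through its assigned term; the `confidential` value in the second call is constructed to show multiple classifications of one type passing through.

```python
# Added illustration of the "flatten" behaviour; not Atlas or GAF OMAS code.
# Asset, term and classification names follow the issue's example; the data
# structures and function names are assumptions made for this sketch.

CONTAINED_IN = {"column/DOB": "table/CDB"}             # structural containment
ASSIGNED_TERMS = {"table/CDB": ["customer personal details"]}
TERM_CLASSIFICATIONS = {"customer personal details": [("SPI", "sensitive")]}
DIRECT_CLASSIFICATIONS = {}                            # DOB has none explicitly


def effective_classifications(asset, contained_in=CONTAINED_IN,
                              assigned_terms=ASSIGNED_TERMS,
                              term_classifications=TERM_CLASSIFICATIONS,
                              direct=DIRECT_CLASSIFICATIONS):
    """Return every (type, value) reachable from asset, with no precedence."""
    found, seen = set(), set()
    while asset is not None and asset not in seen:     # guard against cycles
        seen.add(asset)
        found.update(direct.get(asset, []))
        for term in assigned_terms.get(asset, []):     # assigned-term hop
            found.update(term_classifications.get(term, []))
        asset = contained_in.get(asset)                # containment hop
    return sorted(found)


def flatten(assets, **model):
    """Flat 'asset - TYPE:value' lines, as an enforcement engine would see."""
    return [f"{a} - {t}:{v}"
            for a in assets
            for t, v in effective_classifications(a, **model)]


if __name__ == "__main__":
    # The issue's example: DOB inherits SPI:sensitive from its table.
    print("\n".join(flatten(["table/CDB", "column/DOB"])))
    # Constructed case: a second SPI value set directly on the column is
    # passed through alongside the inherited one, since precedence is open.
    print("\n".join(flatten(["column/DOB"],
                            direct={"column/DOB": [("SPI", "confidential")]})))
```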


[jira] [Commented] (ATLAS-1696) Governance Action Framework OMAS

2017-07-20 Thread Nigel Jones (JIRA)

[ 
https://issues.apache.org/jira/browse/ATLAS-1696?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16094861#comment-16094861
 ] 

Nigel Jones commented on ATLAS-1696:


Glossary omas is being defined in 
https://issues.apache.org/jira/browse/ATLAS-1698 - the discussion includes some 
general discussion that would apply to all OMAS interfaces. 

Creating sub-tasks for review and implementation:



[jira] [Commented] (ATLAS-1696) Governance Action Framework OMAS

2017-07-03 Thread David Radley (JIRA)

[ 
https://issues.apache.org/jira/browse/ATLAS-1696?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16072640#comment-16072640
 ] 

David Radley commented on ATLAS-1696:

[~jonesn] Some comments on the Swagger:
- How are we defining tags vs classifications? /v2/gaf/tags is the URI, but the 
description is "Get all classifications". It is inconsistent. 
- /v2/gaf/roles - get list of roles assigned to entities. I would think that 
the endpoint should be assigned roles or return all the roles Atlas knows 
about.  

I suggest we do not mention Ranger in the API docs and keep the GAF 
implementation neutral. 
