From 25f7c05aba250b269e279844e4549c1f8f362907 Mon Sep 17 00:00:00 2001
From: Nikhil P Bonte
Date: Mon, 4 Dec 2023 13:31:29 +0530
Subject: [PATCH] ES auth Create permission
---
 .../atlas/discovery/AtlasAuthorization.java | 14 ++++++++++++++
 .../store/graph/v2/AtlasEntityStoreV2.java | 19 +++++++++++++------
 .../AbstractGlossaryPreProcessor.java | 8 +++++---
 .../glossary/CategoryPreProcessor.java | 3 ++-
 .../glossary/TermPreProcessor.java | 3 ++-
 5 files changed, 36 insertions(+), 11 deletions(-)
diff --git a/repository/src/main/java/org/apache/atlas/discovery/AtlasAuthorization.java b/repository/src/main/java/org/apache/atlas/discovery/AtlasAuthorization.java
index fe49e760f4..0a92f6cd52 100644
--- a/repository/src/main/java/org/apache/atlas/discovery/AtlasAuthorization.java
+++ b/repository/src/main/java/org/apache/atlas/discovery/AtlasAuthorization.java
@@ -6,6 +6,7 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.apache.atlas.AtlasErrorCode;
 import org.apache.atlas.RequestContext;
+import org.apache.atlas.authorize.AtlasPrivilege;
 import org.apache.atlas.exception.AtlasBaseException;
 //import org.apache.atlas.model.audit.AuditSearchParams;
 //import org.apache.atlas.model.audit.EntityAuditSearchResult;
@@ -112,6 +113,18 @@ public static void verifyAccess(String guid, String action) throws AtlasBaseExce
 }
 }
 
+ public static void verifyAccess(AtlasEntity entity, AtlasPrivilege action, String message) throws AtlasBaseException {
+ try {
+ if (AtlasPrivilege.ENTITY_CREATE == action) {
+ if (!isCreateAccessAllowed(entity, AtlasPrivilege.ENTITY_CREATE.getType())){
+ throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, message);
+ }
+ }
+ } catch (AtlasBaseException e) {
+ throw e;
+ }
+ }
+
 private static boolean isAccessAllowed(String guid, String action) throws AtlasBaseException {
 if (guid == null) {
 return false;
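Review bot: The new `verifyAccess(AtlasEntity, AtlasPrivilege, String)` overload fails open: for any privilege other than `ENTITY_CREATE` it returns normally without consulting `isCreateAccessAllowed` or anything else, so a caller that passes `ENTITY_UPDATE` or `ENTITY_DELETE` here is granted access silently. It should fail closed on a privilege it does not evaluate, e.g. `if (action != AtlasPrivilege.ENTITY_CREATE) { throw new IllegalArgumentException("verifyAccess(entity, ...) only evaluates ENTITY_CREATE, got " + action); }` ahead of the existing check, since such a call is a programming error rather than a policy denial. The `try { ... } catch (AtlasBaseException e) { throw e; }` wrapper rethrows the same exception unchanged and can be dropped. A one-line Javadoc saying that this overload evaluates only the create permission, and that the guid-based `verifyAccess(String, String)` handles the other privileges, would make the split obvious to the next caller.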
@@ -438,6 +451,7 @@ private static List getRelevantPolicies(String persona, String pur
 }
 String user = RequestContext.getCurrentUser();
+ LOG.info("Getting relevant policies for user: {}", user);
 RangerUserStore userStore = usersGroupsRolesStore.getUserStore();
 List groups = getGroupsForUser(user, userStore);
diff --git a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityStoreV2.java b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityStoreV2.java
index c9fb59ae08..149f249e31 100644
--- a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityStoreV2.java
+++ b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityStoreV2.java
@@ -519,7 +519,10 @@ public EntityMutationResponse updateByUniqueAttributes(AtlasEntityType entityTyp
 entity.setGuid(guid);
- AtlasAuthorizationUtils.verifyUpdateEntityAccess(typeRegistry, new AtlasEntityHeader(entity), "update entity ByUniqueAttributes");
+ //AtlasAuthorizationUtils.verifyUpdateEntityAccess(typeRegistry, new AtlasEntityHeader(entity), "update entity ByUniqueAttributes");
+ if (!SKIP_UPDATE_AUTH_CHECK_TYPES.contains(entity.getTypeName())) {
+ verifyAccess(entity.getGuid(), AtlasPrivilege.ENTITY_UPDATE.getType());
+ }
 return createOrUpdate(new AtlasEntityStream(updatedEntityInfo), true, false, false, false);
 }
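Review bot: `LOG.info("Getting relevant policies for user: {}", user)` records the caller's identity at INFO on what looks like a per-request policy lookup (`getRelevantPolicies` starts before this hunk), which is noisy in production and puts user identifiers at a level that is rarely filtered out of shipped logs. `LOG.debug("Getting relevant policies for user: {}", user);` is the usual level for this kind of trace, guarded by `LOG.isDebugEnabled()` if the rest of the file does that.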
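Review bot: The new guard skips update authorization entirely for every type in `SKIP_UPDATE_AUTH_CHECK_TYPES` (declared outside this hunk), which makes that set an authorization bypass list, and nothing at the call site says which types it holds or why they are exempt. A comment such as `// types in SKIP_UPDATE_AUTH_CHECK_TYPES are exempt from the update auth check; see the declaration for the rationale` would at least keep the bypass visible to readers, and the commented-out `AtlasAuthorizationUtils.verifyUpdateEntityAccess(...)` line should be deleted rather than kept as dead code. The removed call also carried the message "update entity ByUniqueAttributes" while `verifyAccess(String, String)` takes no message, so a denial here presumably loses that context (the overload's body is outside this hunk).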
@@ -536,7 +539,10 @@ public EntityMutationResponse updateEntityAttributeByGuid(String guid, String at
 AtlasEntityType entityType = (AtlasEntityType) typeRegistry.getType(entity.getTypeName());
 AtlasAttribute attr = entityType.getAttribute(attrName);
- AtlasAuthorizationUtils.verifyUpdateEntityAccess(typeRegistry, entity, "update entity ByUniqueAttributes : guid=" + guid);
+ //AtlasAuthorizationUtils.verifyUpdateEntityAccess(typeRegistry, entity, "update entity ByUniqueAttributes : guid=" + guid);
+ if (!SKIP_UPDATE_AUTH_CHECK_TYPES.contains(entity.getTypeName())) {
+ verifyAccess(entity.getGuid(), AtlasPrivilege.ENTITY_UPDATE.getType());
+ }
 if (attr == null) {
 attr = entityType.getRelationshipAttribute(attrName, AtlasEntityUtil.getRelationshipType(attrValue));
@@ -1489,9 +1495,7 @@ private EntityMutationResponse createOrUpdate(EntityStream entityStream, boolean
 /*AtlasAuthorizationUtils.verifyAccess(new AtlasEntityAccessRequest(typeRegistry, AtlasPrivilege.ENTITY_CREATE, new AtlasEntityHeader(entity)), "create entity: type=", entity.getTypeName());*/
- if (!isCreateAccessAllowed(entity, AtlasPrivilege.ENTITY_CREATE.getType())){
- throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, "nikhil", "create entity:");
- }
+ verifyAccess(entity, AtlasPrivilege.ENTITY_CREATE, "create entity: type=" + entity.getTypeName());
 }
 }
 }
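Review bot: The replacement drops the guid from the denial context: the removed call reported `"... : guid=" + guid`, while `verifyAccess(entity.getGuid(), AtlasPrivilege.ENTITY_UPDATE.getType())` takes no message, so a denied attribute update presumably surfaces without naming the entity it concerned (the guid-based overload's body is outside this hunk; confirm what it reports). If that overload cannot carry a message, log the context at the call site before rethrowing, e.g. `LOG.debug("update of attribute {} denied for guid={}", attrName, guid);`. The commented-out old call should be deleted rather than left in place; it also carried the copy-pasted text "ByUniqueAttributes" in a by-guid method.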
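Review bot: The `/*AtlasAuthorizationUtils.verifyAccess(...)*/` block comment directly above the new `verifyAccess(entity, AtlasPrivilege.ENTITY_CREATE, ...)` call is dead code from the previous authorizer and should be removed now that a real replacement exists; leaving both makes it unclear which check is authoritative. A short comment on the live line, `// create permission is decided by AtlasAuthorization.isCreateAccessAllowed via verifyAccess`, would tell readers where the policy decision is made. `createOrUpdate` starts before this hunk.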
@@ -1557,7 +1561,10 @@ private EntityMutationResponse createOrUpdate(EntityStream entityStream, boolean
 if (skipAuthBaseConditions && (skipAuthMeaningsUpdate || skipAuthStarredDetailsUpdate)) {
 //do nothing, only diff is relationshipAttributes.meanings or starred, allow update
 } else {
- AtlasAuthorizationUtils.verifyUpdateEntityAccess(typeRegistry, entityHeader,"update entity: type=" + entity.getTypeName());
+ //AtlasAuthorizationUtils.verifyUpdateEntityAccess(typeRegistry, entityHeader,"update entity: type=" + entity.getTypeName());
+ if (!SKIP_UPDATE_AUTH_CHECK_TYPES.contains(entity.getTypeName())) {
+ verifyAccess(entity.getGuid(), AtlasPrivilege.ENTITY_UPDATE.getType());
+ }
 }
 }
 }
diff --git a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/glossary/AbstractGlossaryPreProcessor.java b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/glossary/AbstractGlossaryPreProcessor.java
index 051df728e4..68b0b35a78 100644
--- a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/glossary/AbstractGlossaryPreProcessor.java
+++ b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/glossary/AbstractGlossaryPreProcessor.java
@@ -229,7 +229,7 @@ protected void isAuthorized(AtlasEntityHeader sourceGlossary, AtlasEntityHeader
 // source -> CREATE + UPDATE + DELETE
 // AtlasAuthorizationUtils.verifyAccess(new AtlasEntityAccessRequest(typeRegistry, AtlasPrivilege.ENTITY_CREATE, sourceGlossary),
- // "create on source Glossary: ", sourceGlossary.getAttribute(NAME));
+ // );
 //
 // AtlasAuthorizationUtils.verifyAccess(new AtlasEntityAccessRequest(typeRegistry, AtlasPrivilege.ENTITY_UPDATE, sourceGlossary),
 // "update on source Glossary: ", sourceGlossary.getAttribute(NAME));
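Review bot: This is the third call site in the patch (after `updateByUniqueAttributes` and `updateEntityAttributeByGuid`) that repeats the same three lines, `if (!SKIP_UPDATE_AUTH_CHECK_TYPES.contains(entity.getTypeName())) { verifyAccess(entity.getGuid(), AtlasPrivilege.ENTITY_UPDATE.getType()); }`, so the type-exemption rule for update authorization now lives in three places that can drift apart. A single private helper, e.g. `private void verifyUpdateAccess(AtlasEntity entity) throws AtlasBaseException` holding the exemption test and the `verifyAccess` call, keeps the bypass list consulted in exactly one spot. The commented-out `verifyUpdateEntityAccess` call should be deleted. `createOrUpdate` starts before this hunk.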
@@ -237,7 +237,8 @@ protected void isAuthorized(AtlasEntityHeader sourceGlossary, AtlasEntityHeader
 // AtlasAuthorizationUtils.verifyAccess(new AtlasEntityAccessRequest(typeRegistry, AtlasPrivilege.ENTITY_DELETE, sourceGlossary),
 // "delete on source Glossary: ", sourceGlossary.getAttribute(NAME));
- verifyAccess(sourceGlossary.getGuid(), AtlasPrivilege.ENTITY_CREATE.getType());
+ verifyAccess(new AtlasEntity(sourceGlossary), AtlasPrivilege.ENTITY_CREATE,
+ "create on source Glossary: " + sourceGlossary.getAttribute(NAME));
 verifyAccess(sourceGlossary.getGuid(), AtlasPrivilege.ENTITY_UPDATE.getType());
 verifyAccess(sourceGlossary.getGuid(), AtlasPrivilege.ENTITY_DELETE.getType());
@@ -252,7 +253,8 @@ protected void isAuthorized(AtlasEntityHeader sourceGlossary, AtlasEntityHeader
 // AtlasAuthorizationUtils.verifyAccess(new AtlasEntityAccessRequest(typeRegistry, AtlasPrivilege.ENTITY_DELETE, targetGlossary),
 // "delete on source Glossary: ", targetGlossary.getAttribute(NAME));
- verifyAccess(targetGlossary.getGuid(), AtlasPrivilege.ENTITY_CREATE.getType());
+ verifyAccess(new AtlasEntity(targetGlossary), AtlasPrivilege.ENTITY_CREATE,
+ "create on source Glossary: " + targetGlossary.getAttribute(NAME));
 verifyAccess(targetGlossary.getGuid(), AtlasPrivilege.ENTITY_UPDATE.getType());
 verifyAccess(targetGlossary.getGuid(), AtlasPrivilege.ENTITY_DELETE.getType());
 }
diff --git a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/glossary/CategoryPreProcessor.java b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/glossary/CategoryPreProcessor.java
index ca686663bf..db3818b08e 100644
--- a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/glossary/CategoryPreProcessor.java
+++ b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/glossary/CategoryPreProcessor.java
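Review bot: `new AtlasEntity(sourceGlossary)` builds the entity handed to `isCreateAccessAllowed` from an `AtlasEntityHeader`, and whether that constructor copies the attributes the create-policy match relies on (qualifiedName and whatever else the policy engine consults) is not visible here; if it carries only the header fields, the create check is evaluated against a partial entity, so this deserves confirming against the `AtlasEntity(AtlasEntityHeader)` constructor. The line it replaces checked create access by guid, so the semantics of this call changed even though the privilege did not, and a comment such as `// create is checked on an entity built from the header; the guid-based overload does not evaluate ENTITY_CREATE` would record why the two neighbouring checks use different overloads. `isAuthorized` starts before this hunk.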
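Review bot: The denial message for the target glossary is a copy of the source one: the new line passes `"create on source Glossary: " + targetGlossary.getAttribute(NAME)` while the entity being checked is `targetGlossary`, so a user denied on the target is told they lack access on the "source". Change it to `"create on target Glossary: " + targetGlossary.getAttribute(NAME)`. The commented-out lines above carry the same copy-paste (`"delete on source Glossary: "` for `targetGlossary`) and are best deleted outright.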
@@ -130,7 +130,8 @@ private void processCreateCategory(AtlasEntity entity, AtlasVertex vertex) throw
 entity.setAttribute(QUALIFIED_NAME, createQualifiedName(vertex));
 // AtlasAuthorizationUtils.verifyAccess(new AtlasEntityAccessRequest(typeRegistry, AtlasPrivilege.ENTITY_CREATE, new AtlasEntityHeader(entity)),
 // "create entity: type=", entity.getTypeName());
- verifyAccess(entity.getTypeName(), (String) entity.getAttribute(QUALIFIED_NAME), AtlasPrivilege.ENTITY_CREATE.getType());
+ //verifyAccess(entity.getTypeName(), (String) entity.getAttribute(QUALIFIED_NAME), AtlasPrivilege.ENTITY_CREATE.getType());
+ verifyAccess(entity, AtlasPrivilege.ENTITY_CREATE, "create entity: type=" + entity.getTypeName());
 validateChildren(entity, null);
diff --git a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/glossary/TermPreProcessor.java b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/glossary/TermPreProcessor.java
index cea2db53ac..b726c1e12f 100644
--- a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/glossary/TermPreProcessor.java
+++ b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/glossary/TermPreProcessor.java
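Review bot: The old `verifyAccess(entity.getTypeName(), (String) entity.getAttribute(QUALIFIED_NAME), ...)` call is commented out rather than removed, on top of the already commented-out `AtlasAuthorizationUtils.verifyAccess(...)` call above it, so `processCreateCategory` now carries two generations of dead authorization code next to the live one. Delete both; version control keeps the history, and dead auth calls invite someone to "restore" the wrong one. The replaced line passed the qualified name explicitly, so the policy match presumably depends on `QUALIFIED_NAME` being set on the line above; a comment `// qualifiedName must be assigned before the create check so the policy match sees it` would guard that ordering. `processCreateCategory` continues past this hunk.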
@@ -101,7 +101,8 @@ private void processCreateTerm(AtlasEntity entity, AtlasVertex vertex) throws At
 entity.setAttribute(QUALIFIED_NAME, createQualifiedName());
 // AtlasAuthorizationUtils.verifyAccess(new AtlasEntityAccessRequest(typeRegistry, AtlasPrivilege.ENTITY_CREATE, new AtlasEntityHeader(entity)),
 // "create entity: type=", entity.getTypeName());
- verifyAccess(entity.getTypeName(), (String) entity.getAttribute(QUALIFIED_NAME), AtlasPrivilege.ENTITY_CREATE.getType());
+ //verifyAccess(entity.getTypeName(), (String) entity.getAttribute(QUALIFIED_NAME), AtlasPrivilege.ENTITY_CREATE.getType());
+ verifyAccess(entity, AtlasPrivilege.ENTITY_CREATE, "create entity: type=" + entity.getTypeName());
 RequestContext.get().endMetricRecord(metricRecorder);
 }
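Review bot: The new `verifyAccess(entity, AtlasPrivilege.ENTITY_CREATE, ...)` call sits after `entity.setAttribute(QUALIFIED_NAME, createQualifiedName())`, and the line it replaces passed that qualified name explicitly, so the create-policy evaluation presumably depends on the attribute already being present; a one-line comment, `// create check runs after qualifiedName is assigned so policy matching sees the final value`, would keep a later reorder from silently weakening authorization. As in `CategoryPreProcessor`, the two commented-out predecessor calls should be deleted rather than kept. `processCreateTerm` starts before this hunk.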