Merge pull request #2755 from atlanhq/accesscontrolv2-nb

Access logs support all methods

repository/src/main/java/org/apache/atlas/authorizer/AccessResult.java

@@ -1,11 +1,10 @@
 package org.apache.atlas.authorizer;
 
 import org.apache.atlas.authorize.AtlasAccessRequest;
-import org.apache.atlas.plugin.model.RangerPolicy;
 
 public class AccessResult {
     private boolean isAllowed = false;
-    private RangerPolicy rangerPolicy;
+    private String policyId;
     protected AtlasAccessRequest atlasAccessRequest;
 
     public boolean isAllowed() {
@@ -16,12 +15,12 @@ public void setAllowed(boolean allowed) {
         this.isAllowed = allowed;
     }
 
-    public RangerPolicy getRangerPolicy() {
-        return rangerPolicy;
+    public String getPolicyId() {
+        return policyId;
     }
 
-    public void setRangerPolicy(RangerPolicy rangerPolicy) {
-        this.rangerPolicy = rangerPolicy;
+    public void setPolicyId(String policyId) {
+        this.policyId = policyId;
     }
 
     public AtlasAccessRequest getAtlasAccessRequest() {

repository/src/main/java/org/apache/atlas/authorizer/AuthorizerUtils.java

@@ -55,40 +55,21 @@ public class AuthorizerUtils {
     @Inject
     public AuthorizerUtils(AtlasGraph graph, AtlasTypeRegistry typeRegistry) throws IOException {
         this.typeRegistry = typeRegistry;
-        this.entityRetriever = new EntityGraphRetriever(graph, typeRegistry, true);
-
-        //String path = System.getProperty(ATLAS_CONFIGURATION_DIRECTORY_PROPERTY) + File.separator +  "atlas-atlas-audit.xml";
-        //FileInputStream fis = new FileInputStream(path);
-
-       /* Properties properties = new Properties();
-        //properties.load(fis);
-        properties.put(AUDIT_IS_ENABLED_PROP, true);
-        properties.put(AUDIT_LOG4J_IS_ENABLED_PROP, true);
-        properties.put("xasecure.audit.destination.log4j", true);
-        properties.put("xasecure.audit.destination.log4j.logger", true);
-*/
-
-
-        //AsyncAuditProvider asyncAuditProvider = new AsyncAuditProvider();
+        //this.entityRetriever = new EntityGraphRetriever(graph, typeRegistry, true);
 
         SERVICE_DEF_ATLAS = getResourceAsObject("/service-defs/atlas-servicedef-atlas.json", RangerServiceDef.class);
         //SERVICE_DEF_ATLAS_TAG = getResourceAsObject("/service-defs/atlas-servicedef-atlas_tag.json", RangerServiceDef.class);
     }
 
-    public  <T> T getResourceAsObject(String resourceName, Class<T> clazz) throws IOException {
-        InputStream stream = getClass().getResourceAsStream(resourceName);
-        return AtlasType.fromJson(stream, clazz);
-    }
-
     public static void verifyUpdateEntityAccess(AtlasEntityHeader entityHeader) throws AtlasBaseException {
         if (!SKIP_UPDATE_AUTH_CHECK_TYPES.contains(entityHeader.getTypeName())) {
-            verifyAccess(entityHeader.getGuid(), AtlasPrivilege.ENTITY_UPDATE);
+            verifyAccess(entityHeader, AtlasPrivilege.ENTITY_UPDATE);
         }
     }
 
     public static void verifyDeleteEntityAccess(AtlasEntityHeader entityHeader) throws AtlasBaseException {
         if (!SKIP_DELETE_AUTH_CHECK_TYPES.contains(entityHeader.getTypeName())) {
-            verifyAccess(entityHeader.getGuid(), AtlasPrivilege.ENTITY_DELETE);
+            verifyAccess(entityHeader, AtlasPrivilege.ENTITY_DELETE);
         }
     }
 
@@ -100,45 +81,47 @@ public static void verifyEntityCreateAccess(AtlasEntity entity, AtlasPrivilege a
             return;
         }
 
+        AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(typeRegistry, action, new AtlasEntityHeader(entity));
+        NewAtlasAuditHandler auditHandler = new NewAtlasAuditHandler(request, SERVICE_DEF_ATLAS);
+
         try {
             if (AtlasPrivilege.ENTITY_CREATE == action) {
-                if (!EntityAuthorizer.isAccessAllowedInMemory(entity, action.getType())){
+                AccessResult result = EntityAuthorizer.isAccessAllowedInMemory(entity, action.getType());
+                result.setAtlasAccessRequest(request);
+                auditHandler.processResult(result);
+
+                if (!result.isAllowed()){
                     String message = action.getType() + ":" + entity.getTypeName() + ":" + entity.getAttributes().get(QUALIFIED_NAME);
                     throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, userName, message);
                 }
             }
         } catch (AtlasBaseException e) {
             throw e;
         } finally {
+            auditHandler.flushAudit();
             RequestContext.get().endMetricRecord(recorder);
         }
     }
 
-    public static void verifyAccess(String guid, AtlasPrivilege action) throws AtlasBaseException {
+    public static void verifyAccess(AtlasEntityHeader entityHeader, AtlasPrivilege action) throws AtlasBaseException {
         AtlasPerfMetrics.MetricRecorder recorder = RequestContext.get().startMetricRecord("verifyAccess");
         String userName = AuthorizerCommon.getCurrentUserName();
 
         if (StringUtils.isEmpty(userName) || RequestContext.get().isImportInProgress()) {
             return;
         }
 
-        AtlasEntityHeader entity = entityRetriever.toAtlasEntityHeader(guid);
-
-        AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(typeRegistry, action, entity);
-
+        AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(typeRegistry, action, entityHeader);
         NewAtlasAuditHandler auditHandler = new NewAtlasAuditHandler(request, SERVICE_DEF_ATLAS);
 
-
-
         try {
-            AccessResult result = EntityAuthorizer.isAccessAllowed(guid, action.getType());
+            AccessResult result = EntityAuthorizer.isAccessAllowed(entityHeader.getGuid(), action.getType());
             result.setAtlasAccessRequest(request);
+            auditHandler.processResult(result);
 
             if (!result.isAllowed()) {
-                throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, userName, action + ":" + guid);
+                throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, userName, action + ":" + entityHeader.getGuid());
             }
-            auditHandler.processResult(result);
-
         } catch (AtlasBaseException e) {
             throw e;
         } finally {
@@ -147,21 +130,31 @@ public static void verifyAccess(String guid, AtlasPrivilege action) throws Atlas
         }
     }
 
-    public static void verifyAccessForEvaluator(String entityTypeName, String entityQualifiedName, String action) throws AtlasBaseException {
+    public static void verifyAccessForEvaluator(AtlasEntityHeader entityHeader, AtlasPrivilege action) throws AtlasBaseException {
         AtlasPerfMetrics.MetricRecorder recorder = RequestContext.get().startMetricRecord("verifyAccess");
         String userName = AuthorizerCommon.getCurrentUserName();
 
         if (StringUtils.isEmpty(userName) || RequestContext.get().isImportInProgress()) {
             return;
         }
 
+        AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(typeRegistry, action, entityHeader);
+        NewAtlasAuditHandler auditHandler = new NewAtlasAuditHandler(request, SERVICE_DEF_ATLAS);
+
         try {
-            if (!EntityAuthorizer.isAccessAllowedEvaluator(entityTypeName, entityQualifiedName, action)) {
-                throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, userName, action + ":" + entityTypeName + ":" + entityQualifiedName);
+            String entityQNAme = (String) entityHeader.getAttribute(QUALIFIED_NAME);
+
+            AccessResult result = EntityAuthorizer.isAccessAllowedEvaluator(entityHeader.getTypeName(), entityQNAme, action.getType());
+            result.setAtlasAccessRequest(request);
+            auditHandler.processResult(result);
+
+            if (!result.isAllowed()) {
+                throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, userName, action + ":" + entityHeader.getTypeName() + ":" + entityQNAme);
             }
         } catch (AtlasBaseException e) {
             throw e;
         } finally {
+            auditHandler.flushAudit();
             RequestContext.get().endMetricRecord(recorder);
         }
     }
@@ -174,7 +167,6 @@ public static void verifyRelationshipAccess(AtlasPrivilege action, String relati
             return;
         }
 
-
         AtlasRelationshipAccessRequest request = new AtlasRelationshipAccessRequest(typeRegistry,
                 action,
                 relationShipType,
@@ -186,11 +178,11 @@ public static void verifyRelationshipAccess(AtlasPrivilege action, String relati
         try {
             AccessResult result = RelationshipAuthorizer.isRelationshipAccessAllowed(action.getType(), endOneEntity, endTwoEntity);
             result.setAtlasAccessRequest(request);
+            auditHandler.processResult(result);
 
             if (!result.isAllowed()) {
                 throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, RequestContext.getCurrentUser(), action + "|" + endOneEntity.getGuid() + "|" + endTwoEntity.getGuid());
             }
-            auditHandler.processResult(result);
         } catch (AtlasBaseException e) {
             throw e;
         } finally {
@@ -199,22 +191,34 @@ public static void verifyRelationshipAccess(AtlasPrivilege action, String relati
         }
     }
 
-    public static void verifyRelationshipCreateAccess(String action, String relationshipType, AtlasEntityHeader endOneEntity, AtlasEntityHeader endTwoEntity) throws AtlasBaseException {
+    public static void verifyRelationshipCreateAccess(AtlasPrivilege action, String relationshipType, AtlasEntityHeader endOneEntity, AtlasEntityHeader endTwoEntity) throws AtlasBaseException {
         AtlasPerfMetrics.MetricRecorder recorder = RequestContext.get().startMetricRecord("verifyAccess");
         String userName = AuthorizerCommon.getCurrentUserName();
 
         if (StringUtils.isEmpty(userName) || RequestContext.get().isImportInProgress()) {
             return;
         }
 
+        AtlasRelationshipAccessRequest request = new AtlasRelationshipAccessRequest(typeRegistry,
+                action,
+                relationshipType,
+                endOneEntity,
+                endTwoEntity);
+        NewAtlasAuditHandler auditHandler = new NewAtlasAuditHandler(request, SERVICE_DEF_ATLAS);
+
         try {
-            if (!RelationshipAuthorizer.isAccessAllowedInMemory(action, relationshipType, endOneEntity, endTwoEntity)) {
+            AccessResult result = RelationshipAuthorizer.isAccessAllowedInMemory(action.getType(), relationshipType, endOneEntity, endTwoEntity);
+            result.setAtlasAccessRequest(request);
+            auditHandler.processResult(result);
+
+            if (!result.isAllowed()) {
                 throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, RequestContext.getCurrentUser(),
                         action + ":" + endOneEntity.getTypeName() + "|" + endTwoEntity.getTypeName());
             }
         } catch (AtlasBaseException e) {
             throw e;
         } finally {
+            auditHandler.flushAudit();
             RequestContext.get().endMetricRecord(recorder);
         }
     }
@@ -232,4 +236,9 @@ public static AtlasAccessorResponse getAccessors(AtlasAccessorRequest request) t
     public static Map<String, Object>  getPreFilterDsl(String persona, String purpose, List<String> actions) {
         return ListAuthorizer.getElasticsearchDSL(persona, purpose, actions);
     }
+
+    private   <T> T getResourceAsObject(String resourceName, Class<T> clazz) throws IOException {
+        InputStream stream = getClass().getResourceAsStream(resourceName);
+        return AtlasType.fromJson(stream, clazz);
+    }
 }

repository/src/main/java/org/apache/atlas/authorizer/NewAtlasAuditHandler.java

@@ -169,7 +169,6 @@ public void processResult(AccessResult result) {
         }
     }
 
-
     public void flushAudit() {
         if (auditEvents != null) {
             for (AuthzAuditEvent auditEvent : auditEvents.values()) {
@@ -228,32 +227,21 @@ public AuthzAuditEvent getAuthzEvents(AccessResult result) {
         AtlasAccessRequest request = result != null ? result.getAtlasAccessRequest() : null;
 
         if(request != null) {
-            //RangerServiceDef     serviceDef   = result.getServiceDef();
-            //RangerAccessResource resource     = request.getResource();
-            //String               resourceType = resource == null ? null : resource.getLeafName();
-
-
             ret = new AuthzAuditEvent();
 
             ret.setRepositoryName("atlas");
-            //ret.setResourceType(resourceType);
-            //ret.setResourcePath(resourceType);
             ret.setEventTime(request.getAccessTime() != null ? request.getAccessTime() : new Date());
-            ret.setUser(request.getUser());
             ret.setAction(request.getAction().getType());
             ret.setAccessResult((short) (result.isAllowed() ? 1 : 0));
             ret.setPolicyId("yet_to_support");
             ret.setAccessType(request.getAction().getType());
             ret.setClientIP(request.getClientIPAddress());
-            //ret.setAclEnforcer(moduleName);
             /*Set<String> tags = getTags(request);
             if (tags != null) {
                 ret.setTags(tags);
             }*/
-
             ret.setAgentHostname(MiscUtil.getHostname());
 
-
             populateDefaults(ret);
 
             //result.setAuditLogId(ret.getEventId());