Skip to content

Commit

Permalink
Use new authz based on chart variable
Browse files Browse the repository at this point in the history
  • Loading branch information
@nikhilbonte21
nikhilbonte21 committed Jan 29, 2024
1 parent 91f50ed commit 3517c3f
Show file tree
Hide file tree
Showing 15 changed files with 328 additions and 234 deletions.
4 changes: 2 additions & 2 deletions authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ public static void verifyAccess(AtlasTypeAccessRequest request, Object... errorM
}
}

public static void verifyUpdateEntityAccess(AtlasTypeRegistry typeRegistry, AtlasEntityHeader entityHeader, String message) throws AtlasBaseException {
/* public static void verifyUpdateEntityAccess(AtlasTypeRegistry typeRegistry, AtlasEntityHeader entityHeader, String message) throws AtlasBaseException {
if (!SKIP_UPDATE_AUTH_CHECK_TYPES.contains(entityHeader.getTypeName())) {
AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(typeRegistry, AtlasPrivilege.ENTITY_UPDATE, entityHeader);
verifyAccess(request, message);
Expand All @@ -71,7 +71,7 @@ public static void verifyDeleteEntityAccess(AtlasTypeRegistry typeRegistry, Atla
AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(typeRegistry, AtlasPrivilege.ENTITY_DELETE, entityHeader);
verifyAccess(request, message);
}
}
}*/

public static void verifyAccess(AtlasEntityAccessRequest request, Object... errorMsgParams) throws AtlasBaseException {
if (! isAccessAllowed(request)) {
Expand Down
211 changes: 46 additions & 165 deletions repository/src/main/java/org/apache/atlas/authorizer/AuthorizerUtils.java
View file
Original file line number Diff line number Diff line change
@@ -1,10 +1,13 @@
package org.apache.atlas.authorizer;

import org.apache.atlas.ApplicationProperties;
import org.apache.atlas.AtlasErrorCode;
import org.apache.atlas.AtlasException;
import org.apache.atlas.RequestContext;
import org.apache.atlas.audit.provider.AuditHandler;
import org.apache.atlas.authorize.AtlasAccessorRequest;
import org.apache.atlas.authorize.AtlasAccessorResponse;
import org.apache.atlas.authorize.AtlasAuthorizationUtils;
import org.apache.atlas.authorize.AtlasEntityAccessRequest;
import org.apache.atlas.authorize.AtlasPrivilege;
import org.apache.atlas.authorize.AtlasRelationshipAccessRequest;
Expand All @@ -13,6 +16,7 @@
import org.apache.atlas.authorizer.authorizers.ListAuthorizer;
import org.apache.atlas.authorizer.authorizers.RelationshipAuthorizer;
import org.apache.atlas.exception.AtlasBaseException;
import org.apache.atlas.model.instance.AtlasClassification;
import org.apache.atlas.model.instance.AtlasEntity;
import org.apache.atlas.model.instance.AtlasEntityHeader;
import org.apache.atlas.plugin.model.RangerServiceDef;
Expand All @@ -21,7 +25,7 @@
import org.apache.atlas.type.AtlasType;
import org.apache.atlas.type.AtlasTypeRegistry;
import org.apache.atlas.utils.AtlasPerfMetrics;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;
Expand All @@ -32,6 +36,7 @@
import java.util.List;
import java.util.Map;

import static org.apache.atlas.authorize.AtlasPrivilege.ENTITY_CREATE;
import static org.apache.atlas.repository.Constants.QUALIFIED_NAME;
import static org.apache.atlas.repository.Constants.SKIP_DELETE_AUTH_CHECK_TYPES;
import static org.apache.atlas.repository.Constants.SKIP_UPDATE_AUTH_CHECK_TYPES;
Expand All @@ -40,28 +45,23 @@
public class AuthorizerUtils {
private static final Logger LOG = LoggerFactory.getLogger(AuthorizerUtils.class);

public static final String POLICY_TYPE_ALLOW = "allow";
public static final String POLICY_TYPE_DENY = "deny";
public static final int MAX_CLAUSE_LIMIT = 1024;

public static final String DENY_POLICY_NAME_SUFFIX = "_deny";

private static AtlasTypeRegistry typeRegistry;
private static EntityGraphRetriever entityRetriever;
private static AuditHandler auditProvider;


private static RangerServiceDef SERVICE_DEF_ATLAS = null;
//private static RangerServiceDef SERVICE_DEF_ATLAS_TAG = null;

public static boolean useAbacAuthorizer = false;

@Inject
public AuthorizerUtils(AtlasGraph graph, AtlasTypeRegistry typeRegistry) throws IOException {
this.typeRegistry = typeRegistry;
//this.entityRetriever = new EntityGraphRetriever(graph, typeRegistry, true);
try {
String authzr = ApplicationProperties.get().getString("atlas.authorizer.impl");
useAbacAuthorizer = authzr.equals("abac");

SERVICE_DEF_ATLAS = getResourceAsObject("/service-defs/atlas-servicedef-atlas.json", RangerServiceDef.class);
//SERVICE_DEF_ATLAS_TAG = getResourceAsObject("/service-defs/atlas-servicedef-atlas_tag.json", RangerServiceDef.class);
if (useAbacAuthorizer) {
LOG.info("Using abac authorizer");
}
} catch (AtlasException e) {
LOG.warn("Failed to read conf `atlas.authorizer.impl`, falling back to use Atlas authorizer instead of abac");
}
}

public static void verifyUpdateEntityAccess(AtlasEntityHeader entityHeader) throws AtlasBaseException {
Expand All @@ -76,167 +76,48 @@ public static void verifyDeleteEntityAccess(AtlasEntityHeader entityHeader) thro
}
}

public static void verifyEntityCreateAccess(AtlasEntity entity, AtlasPrivilege action) throws AtlasBaseException {
AtlasPerfMetrics.MetricRecorder recorder = RequestContext.get().startMetricRecord("verifyEntityCreateAccess");
String userName = AuthorizerCommon.getCurrentUserName();

if (StringUtils.isEmpty(userName) || RequestContext.get().isImportInProgress()) {
return;
}

AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(typeRegistry, action, new AtlasEntityHeader(entity));
NewAtlasAuditHandler auditHandler = new NewAtlasAuditHandler(request, SERVICE_DEF_ATLAS);

try {
if (AtlasPrivilege.ENTITY_CREATE == action) {
AccessResult result = EntityAuthorizer.isAccessAllowedInMemory(entity, action.getType());
auditHandler.processResult(result, request);

if (!result.isAllowed()){
String message = action.getType() + ":" + entity.getTypeName() + ":" + entity.getAttributes().get(QUALIFIED_NAME);
throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, userName, message);
}
}
} catch (AtlasBaseException e) {
throw e;
} finally {
auditHandler.flushAudit();
RequestContext.get().endMetricRecord(recorder);
}
}

public static void verifyAccess(AtlasEntityHeader entityHeader, AtlasPrivilege action) throws AtlasBaseException {
AtlasPerfMetrics.MetricRecorder recorder = RequestContext.get().startMetricRecord("verifyAccess");
String userName = AuthorizerCommon.getCurrentUserName();

if (StringUtils.isEmpty(userName) || RequestContext.get().isImportInProgress()) {
return;
}

AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(typeRegistry, action, entityHeader);
NewAtlasAuditHandler auditHandler = new NewAtlasAuditHandler(request, SERVICE_DEF_ATLAS);

try {
AccessResult result = EntityAuthorizer.isAccessAllowed(entityHeader.getGuid(), action.getType());
auditHandler.processResult(result, request);

if (!result.isAllowed()) {
throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, userName, action + ":" + entityHeader.getGuid());
if (!useAbacAuthorizer) {
AtlasEntityAccessRequest.AtlasEntityAccessRequestBuilder requestBuilder = new AtlasEntityAccessRequest.AtlasEntityAccessRequestBuilder(typeRegistry, action, entityHeader);
AtlasEntityAccessRequest entityAccessRequest = requestBuilder.build();
AtlasAuthorizationUtils.verifyAccess(entityAccessRequest, action + "guid=" + entityHeader.getGuid());

} else {
if (action == ENTITY_CREATE) {
NewAuthorizerUtils.verifyEntityCreateAccess(new AtlasEntity(entityHeader), ENTITY_CREATE);
} else {
NewAuthorizerUtils.verifyAccess(entityHeader, action);
}
} catch (AtlasBaseException e) {
throw e;
} finally {
auditHandler.flushAudit();
RequestContext.get().endMetricRecord(recorder);
}
}

public static void verifyAccessForEvaluator(AtlasEntityHeader entityHeader, AtlasPrivilege action) throws AtlasBaseException {
AtlasPerfMetrics.MetricRecorder recorder = RequestContext.get().startMetricRecord("verifyAccess");
String userName = AuthorizerCommon.getCurrentUserName();

if (StringUtils.isEmpty(userName) || RequestContext.get().isImportInProgress()) {
return;
}

AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(typeRegistry, action, entityHeader);
NewAtlasAuditHandler auditHandler = new NewAtlasAuditHandler(request, SERVICE_DEF_ATLAS);

try {
String entityQNAme = (String) entityHeader.getAttribute(QUALIFIED_NAME);

AccessResult result = EntityAuthorizer.isAccessAllowedEvaluator(entityHeader.getTypeName(), entityQNAme, action.getType());
auditHandler.processResult(result, request);

if (!result.isAllowed()) {
throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, userName, action + ":" + entityHeader.getTypeName() + ":" + entityQNAme);
if (!useAbacAuthorizer) {
AtlasAuthorizationUtils.verifyAccess(new AtlasEntityAccessRequest(typeRegistry, action, entityHeader, new AtlasClassification(entityHeader.getClassifications().get(0))));
} else {
if (StringUtils.isNotEmpty(entityHeader.getGuid())) {
NewAuthorizerUtils.verifyAccess(entityHeader, action);
} else {
NewAuthorizerUtils.verifyAccessForEvaluator(entityHeader, action);
}
} catch (AtlasBaseException e) {
throw e;
} finally {
auditHandler.flushAudit();
RequestContext.get().endMetricRecord(recorder);
}
}

public static void verifyRelationshipAccess(AtlasPrivilege action, String relationShipType, AtlasEntityHeader endOneEntity, AtlasEntityHeader endTwoEntity) throws AtlasBaseException {
AtlasPerfMetrics.MetricRecorder recorder = RequestContext.get().startMetricRecord("verifyAccess");
String userName = AuthorizerCommon.getCurrentUserName();

if (StringUtils.isEmpty(userName) || RequestContext.get().isImportInProgress()) {
return;
}

AtlasRelationshipAccessRequest request = new AtlasRelationshipAccessRequest(typeRegistry,
action,
relationShipType,
endOneEntity,
endTwoEntity);

NewAtlasAuditHandler auditHandler = new NewAtlasAuditHandler(request, SERVICE_DEF_ATLAS);

try {
AccessResult result = RelationshipAuthorizer.isRelationshipAccessAllowed(action.getType(), endOneEntity, endTwoEntity);
auditHandler.processResult(result, request);

if (!result.isAllowed()) {
throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, RequestContext.getCurrentUser(), action + "|" + endOneEntity.getGuid() + "|" + endTwoEntity.getGuid());
}
} catch (AtlasBaseException e) {
throw e;
} finally {
auditHandler.flushAudit();
RequestContext.get().endMetricRecord(recorder);
}
}

public static void verifyRelationshipCreateAccess(AtlasPrivilege action, String relationshipType, AtlasEntityHeader endOneEntity, AtlasEntityHeader endTwoEntity) throws AtlasBaseException {
AtlasPerfMetrics.MetricRecorder recorder = RequestContext.get().startMetricRecord("verifyAccess");
String userName = AuthorizerCommon.getCurrentUserName();

if (StringUtils.isEmpty(userName) || RequestContext.get().isImportInProgress()) {
return;
}

AtlasRelationshipAccessRequest request = new AtlasRelationshipAccessRequest(typeRegistry,
action,
relationshipType,
endOneEntity,
endTwoEntity);
NewAtlasAuditHandler auditHandler = new NewAtlasAuditHandler(request, SERVICE_DEF_ATLAS);

try {
AccessResult result = RelationshipAuthorizer.isAccessAllowedInMemory(action.getType(), relationshipType, endOneEntity, endTwoEntity);
auditHandler.processResult(result, request);

if (!result.isAllowed()) {
throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, RequestContext.getCurrentUser(),
action + ":" + endOneEntity.getTypeName() + "|" + endTwoEntity.getTypeName());
if (!useAbacAuthorizer) {
AtlasAuthorizationUtils.verifyAccess(new AtlasRelationshipAccessRequest(typeRegistry, action, relationShipType, endOneEntity, endTwoEntity));
} else {
if (action == AtlasPrivilege.RELATIONSHIP_ADD) {
NewAuthorizerUtils.verifyRelationshipCreateAccess(AtlasPrivilege.RELATIONSHIP_ADD,
relationShipType,
endOneEntity,
endTwoEntity);
} else {
NewAuthorizerUtils.verifyRelationshipAccess(action,
relationShipType,
endOneEntity,
endTwoEntity);
}
} catch (AtlasBaseException e) {
throw e;
} finally {
auditHandler.flushAudit();
RequestContext.get().endMetricRecord(recorder);
}
}

public static AtlasAccessorResponse getAccessors(AtlasAccessorRequest request) throws AtlasBaseException {
AtlasPerfMetrics.MetricRecorder recorder = RequestContext.get().startMetricRecord("AuthorizerUtils.getAccessors");

try {
return AccessorsExtractor.getAccessors(request);
} finally {
RequestContext.get().endMetricRecord(recorder);
}
}

public static Map<String, Object> getPreFilterDsl(String persona, String purpose, List<String> actions) {
return ListAuthorizer.getElasticsearchDSL(persona, purpose, actions);
}

private <T> T getResourceAsObject(String resourceName, Class<T> clazz) throws IOException {
InputStream stream = getClass().getResourceAsStream(resourceName);
return AtlasType.fromJson(stream, clazz);
}
}
Loading

0 comments on commit 3517c3f

Please sign in to comment.