Merge branch 'DQ-651' into beta

atlanhq · Feb 27, 2025 · 6c17266 · 6c17266
2 parents 11b4ae5 + 0095f13
commit 6c17266
Show file tree

Hide file tree

Showing 9 changed files with 337 additions and 9 deletions.
diff --git a/addons/policies/bootstrap_entity_policies.json b/addons/policies/bootstrap_entity_policies.json
@@ -3803,6 +3803,35 @@
                     "entity-delete"
                 ]
             }
+        },
+        {
+            "typeName": "AuthPolicy",
+            "attributes": {
+                "name": "READ_DQ_RULE_TEMPLATE" ,
+                "qualifiedName": "READ_DQ_RULE_TEMPLATE",
+                "policyCategory": "bootstrap",
+                "policySubCategory": "default",
+                "policyServiceName": "atlas",
+                "policyType": "allow",
+                "policyPriority": 0,
+                "policyUsers": [],
+                "policyGroups": [],
+                "policyRoles": [
+                    "$admin",
+                    "$guest",
+                    "$member",
+                    "$api-token-default-access"
+                ],
+                "policyResourceCategory": "ENTITY",
+                "policyResources": [
+                    "entity-type:alpha_DQRuleTemplate",
+                    "entity-classification:*",
+                    "entity:*"
+                ],
+                "policyActions": [
+                    "entity-read"
+                ]
+            }
         }
     ]
 }
diff --git a/addons/static/templates/policy_cache_transformer_persona.json b/addons/static/templates/policy_cache_transformer_persona.json
@@ -9,7 +9,15 @@
         "entity-type:{entity-type}",
         "entity-classification:*"
       ],
-      "actions": ["entity-read"]
+      "actions": ["entity-read"],
+      "policyConditions": [
+        {
+          "policyConditionType": "excludeDQRules",
+          "policyConditionValues": [
+            "entity-read"
+          ]
+        }
+      ]
     }
   ],
   "persona-asset-update": [
@@ -22,7 +30,15 @@
         "entity-type:{entity-type}",
         "entity-classification:*"
       ],
-      "actions": ["entity-update"]
+      "actions": ["entity-update"],
+      "policyConditions": [
+        {
+          "policyConditionType": "excludeDQRules",
+          "policyConditionValues": [
+            "entity-update"
+          ]
+        }
+      ]
     },
     {
       "policyType": "ACCESS",
@@ -43,7 +59,15 @@
         "end-two-entity-classification:*",
         "end-two-entity:*"
       ],
-      "actions": ["add-relationship", "remove-relationship"]
+      "actions": ["add-relationship", "remove-relationship"],
+      "policyConditions": [
+        {
+          "policyConditionType": "excludeDQRules",
+          "policyConditionValues": [
+            "add-relationship", "remove-relationship"
+          ]
+        }
+      ]
     },
     {
       "policyType": "ACCESS",
@@ -64,7 +88,15 @@
         "end-two-entity:{entity}",
         "end-two-entity:{entity}/*"
       ],
-      "actions": ["add-relationship", "remove-relationship"]
+      "actions": ["add-relationship", "remove-relationship"],
+      "policyConditions": [
+        {
+          "policyConditionType": "excludeDQRules",
+          "policyConditionValues": [
+            "add-relationship", "remove-relationship"
+          ]
+        }
+      ]
     }
   ],
   "persona-api-create": [
@@ -77,7 +109,15 @@
         "entity-type:{entity-type}",
         "entity-classification:*"
       ],
-      "actions": ["entity-create"]
+      "actions": ["entity-create"],
+      "policyConditions": [
+        {
+          "policyConditionType": "excludeDQRules",
+          "policyConditionValues": [
+            "entity-create"
+          ]
+        }
+      ]
     }
   ],
   "persona-api-delete": [
@@ -90,7 +130,15 @@
         "entity-type:{entity-type}",
         "entity-classification:*"
       ],
-      "actions": ["entity-delete"]
+      "actions": ["entity-delete"],
+      "policyConditions": [
+        {
+          "policyConditionType": "excludeDQRules",
+          "policyConditionValues": [
+            "entity-delete"
+          ]
+        }
+      ]
     }
   ],
   "persona-business-update-metadata": [
@@ -874,5 +922,123 @@
       ],
       "actions": ["select"]
     }
+  ],
+
+  "persona-dq-read": [
+    {
+      "policyType": "ACCESS",
+      "policyResourceCategory": "ENTITY",
+      "resources": [
+        "entity:{entity}/*/rule/*",
+        "entity-type:alpha_DQRule",
+        "entity-classification:*"
+      ],
+      "actions": ["entity-read"]
+    }
+  ],
+  "persona-dq-create": [
+    {
+      "policyResourceCategory": "ENTITY",
+      "policyType": "ACCESS",
+      "resources": [
+        "entity:{entity}/*/rule/*",
+        "entity-type:alpha_DQRule",
+        "entity-classification:*"
+      ],
+      "actions": ["entity-create"]
+    },
+    {
+      "policyResourceCategory": "RELATIONSHIP",
+      "policyType": "ACCESS",
+      "description": "Link/unlink this DQRule to any Asset",
+      "resources": [
+        "relationship-type:*",
+
+        "end-one-entity:{entity}/*/rule/*",
+        "end-one-entity-type:alpha_DQRule",
+        "end-one-entity-classification:*",
+
+        "end-two-entity:*",
+        "end-two-entity-type:Asset",
+        "end-two-entity-classification:*"
+
+      ],
+      "actions": ["add-relationship", "remove-relationship", "update-relationship"]
+    },
+    {
+      "policyResourceCategory": "RELATIONSHIP",
+      "policyType": "ACCESS",
+      "description": "Link/unlink any Asset to this DQRule",
+
+      "resources": [
+        "relationship-type:*",
+
+        "end-one-entity:*",
+        "end-one-entity-type:Asset",
+        "end-one-entity-classification:*",
+
+        "end-two-entity:{entity}/*/rule/*",
+        "end-two-entity-type:alpha_DQRule",
+        "end-two-entity-classification:*"
+      ],
+
+      "actions": ["add-relationship", "remove-relationship", "update-relationship"]
+    }
+  ],
+  "persona-dq-update": [
+    {
+      "policyType": "ACCESS",
+      "policyResourceCategory": "ENTITY",
+      "resources": [
+        "entity:{entity}/*/rule/*",
+        "entity-type:alpha_DQRule",
+        "entity-classification:*"
+      ],
+      "actions": ["entity-update"]
+    },
+    {
+      "policyType": "ACCESS",
+      "policyResourceCategory": "RELATIONSHIP",
+      "resources": [
+        "relationship-type:*",
+
+        "end-one-entity:{entity}/*/rule/*",
+        "end-one-entity-type:alpha_DQRule",
+        "end-one-entity-classification:*",
+
+        "end-two-entity:*",
+        "end-two-entity-type:Asset",
+        "end-two-entity-classification:*"
+      ],
+      "actions": ["add-relationship", "remove-relationship", "update-relationship"]
+    },
+    {
+      "policyType": "ACCESS",
+      "policyResourceCategory": "RELATIONSHIP",
+      "resources": [
+        "relationship-type:*",
+
+        "end-one-entity:*",
+        "end-one-entity-type:Asset",
+        "end-one-entity-classification:*",
+
+        "end-two-entity:{entity}/*/rule/*",
+        "end-two-entity-type:alpha_DQRule",
+        "end-two-entity-classification:*"
+      ],
+      "actions": ["add-relationship", "remove-relationship", "update-relationship"]
+    }
+  ],
+  "persona-dq-delete": [
+    {
+      "policyResourceCategory": "ENTITY",
+      "policyType": "ACCESS",
+      "resources": [
+        "entity:{entity}/*/rule/*",
+        "entity-type:alpha_DQRule",
+        "entity-classification:*"
+      ],
+      "actions": ["entity-delete"]
+    }
   ]
 }
diff --git a/.../main/java/org/apache/atlas/plugin/conditionevaluator/AtlanDQAllowExceptionCondition.java b/.../main/java/org/apache/atlas/plugin/conditionevaluator/AtlanDQAllowExceptionCondition.java
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.atlas.plugin.conditionevaluator;
+
+import org.apache.atlas.plugin.policyengine.RangerAccessRequest;
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import java.util.*;
+
+
+public class AtlanDQAllowExceptionCondition extends RangerAbstractConditionEvaluator {
+    private static final Log LOG = LogFactory.getLog(AtlanHasAnyRole.class);
+    protected Set<String> excludedActions = new HashSet<>();
+    public static final String RESOURCE_ENTITY_TYPE                   = "entity-type";
+    public static final String RESOURCE_ENTITY_CLASSIFICATION         = "entity-classification";
+    public static final String RESOURCE_CLASSIFICATION                = "classification";
+    public static final String RESOURCE_ENTITY_ID                     = "entity";
+    public static final String RESOURCE_ENTITY_LABEL                  = "entity-label";
+    public static final String RESOURCE_ENTITY_BUSINESS_METADATA      = "entity-business-metadata";
+    public static final String RESOURCE_ENTITY_OWNER                  = "owner";
+    public static final String RESOURCE_RELATIONSHIP_TYPE             = "relationship-type";
+    public static final String RESOURCE_END_ONE_ENTITY_TYPE           = "end-one-entity-type";
+    public static final String RESOURCE_END_ONE_ENTITY_CLASSIFICATION = "end-one-entity-classification";
+    public static final String RESOURCE_END_ONE_ENTITY_ID             = "end-one-entity";
+    public static final String RESOURCE_END_TWO_ENTITY_TYPE           =  "end-two-entity-type";
+
+
+    @Override
+    public void init() {
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("==> AtlanDQAllowExceptionCondition.init(" + condition + ")");
+        }
+
+        super.init();
+
+        if (condition != null ) {
+            for (String value : condition.getValues()) {
+                excludedActions.add(value.trim());
+            }
+        }
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("<== AtlanDQAllowExceptionCondition.init(" + condition + ")");
+        }
+    }
+
+    @Override
+    public boolean isMatched(RangerAccessRequest request) {
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("==> AtlanDQAllowExceptionCondition.isMatched(" + condition + ")");
+        }
+
+        boolean ret = true;
+        RangerAccessRequest	readOnlyRequest = request.getReadOnlyCopy();
+
+        Object[] entityTypeObjects = {
+                readOnlyRequest.getResource().getValue(RESOURCE_ENTITY_TYPE),
+                readOnlyRequest.getResource().getValue(RESOURCE_END_ONE_ENTITY_TYPE),
+                readOnlyRequest.getResource().getValue(RESOURCE_END_TWO_ENTITY_TYPE)
+        };
+
+        List<?> entityTypes = Arrays.stream(entityTypeObjects)
+                .filter(Objects::nonNull)
+                .map(this::convertToList)
+                .findFirst()
+                .orElseGet(ArrayList::new);
+
+        if (entityTypes.isEmpty() || !entityTypes.contains("alpha_DQRule")) {
+            return ret;
+        }
+        else {
+            return !excludedActions.contains(readOnlyRequest.getAction());
+        }
+
+    }
+
+    private List<?> convertToList(Object obj) {
+        if (obj instanceof Object[]) {
+            return Arrays.asList((Object[]) obj);
+        } else if (obj instanceof Collection) {
+            return new ArrayList<>((Collection<?>) obj);
+        }
+        return Collections.emptyList();
+    }
+
+}
diff --git a/...s-common/src/main/java/org/apache/atlas/policytransformer/CachePolicyTransformerImpl.java b/...s-common/src/main/java/org/apache/atlas/policytransformer/CachePolicyTransformerImpl.java
@@ -547,7 +547,7 @@ private void setPolicyItems(RangerPolicy rangerPolicy, AtlasEntityHeader atlasPo
     private List<RangerPolicyItemCondition> getPolicyConditions(AtlasEntityHeader atlasPolicy) {
         List<RangerPolicyItemCondition> ret = new ArrayList<>();
 
-        if (!atlasPolicy.hasAttribute("policyConditions")) {
+        if (!atlasPolicy.hasAttribute("policyConditions") || atlasPolicy.getAttribute("policyConditions") == null) {
             return null;
         }
 

diff --git a/...ommon/src/main/java/org/apache/atlas/policytransformer/PersonaCachePolicyTransformer.java b/...ommon/src/main/java/org/apache/atlas/policytransformer/PersonaCachePolicyTransformer.java
@@ -40,6 +40,7 @@
 import static org.apache.atlas.repository.util.AccessControlUtils.POLICY_SUB_CATEGORY_METADATA;
 import static org.apache.atlas.repository.util.AccessControlUtils.RESOURCES_ENTITY;
 import static org.apache.atlas.repository.util.AccessControlUtils.RESOURCES_ENTITY_TYPE;
+import static org.apache.atlas.repository.util.AccessControlUtils.ATTR_POLICY_CONDITIONS;
 import static org.apache.atlas.repository.util.AccessControlUtils.getEntityByQualifiedName;
 import static org.apache.atlas.repository.util.AccessControlUtils.getFilteredPolicyResources;
 import static org.apache.atlas.repository.util.AccessControlUtils.getIsPolicyEnabled;
@@ -123,6 +124,7 @@ public List<AtlasEntityHeader> transform(AtlasEntityHeader atlasPolicy) {
                 header.setAttribute(ATTR_POLICY_RESOURCES, finalResources);
 
                 header.setAttribute(ATTR_NAME, "transformed_policy_persona");
+                header.setAttribute(ATTR_POLICY_CONDITIONS, templatePolicy.getPolicyConditions());
 
                 ret.add(header);
             }