Merge pull request #2561 from atlanhq/domainpoliices
[master] Domain policy in Persona
mehtaanshul authored Dec 1, 2023
2 parents 0590a7c + 4bf6e5f commit 8411693
Showing 4 changed files with 289 additions and 5 deletions.
247 changes: 246 additions & 1 deletion addons/static/templates/policy_cache_transformer_persona.json
Expand Up @@ -372,6 +372,251 @@
]
}
],

"persona-domain-read": [
{
"policyType": "ACCESS",
"policyResourceCategory": "ENTITY",
"resources": [
"entity:{entity}",
"entity:{entity}/*",
"entity-type:DataDomain",
"entity-type:DataProduct",
"entity-classification:*"
],
"actions": ["entity-read"]
}
],
"persona-domain-update": [
{
"policyResourceCategory": "ENTITY",
"policyType": "ACCESS",
"resources": [
"entity:{entity}",
"entity-type:DataDomain",
"entity-classification:*"
],
"actions": ["entity-update"]
},
{
"policyResourceCategory": "RELATIONSHIP",
"policyType": "ACCESS",
"description": "Link/unlink any DataDomain, DataProduct OR DataContract to this Domain",

"resources": [
"relationship-type:*",

"end-one-entity-type:DataDomain",
"end-two-entity-type:DataProduct",
"end-one-entity-classification:*",
"end-one-entity:{entity}",
"end-one-entity:{entity}/*",

"end-two-entity-type:DataDomain",
"end-two-entity-type:DataProduct",
"end-two-entity-classification:*",
"end-two-entity:*"
],
"actions": ["add-relationship", "update-relationship", "remove-relationship"]
},
{
"policyResourceCategory": "RELATIONSHIP",
"policyType": "ACCESS",
"description": "Link/unlink any DataDomain, DataProduct OR DataContract to this Domain",
"resources": [
"relationship-type:*",

"end-one-entity-type:DataDomain",
"end-one-entity-type:DataProduct",
"end-one-entity-classification:*",
"end-one-entity:*",

"end-two-entity-type:DataDomain",
"end-two-entity-type:DataProduct",
"end-two-entity-classification:*",
"end-two-entity:{entity}",
"end-two-entity:{entity}/*"
],
"actions": ["add-relationship", "update-relationship", "remove-relationship"]
}
],


"persona-domain-sub-domain-read": [
{
"policyResourceCategory": "ENTITY",
"policyType": "ACCESS",
"resources": [
"entity:{entity}/*domain/*",
"entity-type:DataDomain",
"entity-classification:*"
],
"actions": ["entity-read"]
}
],
"persona-domain-sub-domain-create": [
{
"policyResourceCategory": "ENTITY",
"policyType": "ACCESS",
"resources": [
"entity:{entity}/*domain/*",
"entity-type:DataDomain",
"entity-classification:*"
],
"actions": ["entity-create"]
},
{
"policyResourceCategory": "RELATIONSHIP",
"policyType": "ACCESS",
"description": "Link/unlink this DataProduct to any parent Domain",
"resources": [
"relationship-type:*",

"end-one-entity:{entity}/*",
"end-one-entity:{entity}",
"end-one-entity-type:DataDomain",
"end-one-entity-classification:*",

"end-two-entity:{entity}/*",
"end-one-entity:{entity}",
"end-two-entity-type:DataDomain",
"end-two-entity-classification:*"
],
"actions": ["add-relationship", "update-relationship", "remove-relationship"]
}
],
"persona-domain-sub-domain-update": [
{
"policyResourceCategory": "ENTITY",
"policyType": "ACCESS",
"resources": [
"entity:{entity}/*domain/*",
"entity-type:DataDomain",
"entity-classification:*"
],
"actions": ["entity-update"]
}
],
"persona-domain-sub-domain-delete": [
{
"policyResourceCategory": "ENTITY",
"policyType": "ACCESS",
"resources": [
"entity:{entity}/*domain/*",
"entity-type:DataDomain",
"entity-classification:*"
],
"actions": ["entity-delete"]
}
],

"persona-domain-product-read": [
{
"policyResourceCategory": "ENTITY",
"policyType": "ACCESS",
"resources": [
"entity:{entity}/*product/*",
"entity-type:DataProduct",
"entity-classification:*"
],
"actions": ["entity-read"]
}
],
"persona-domain-product-create": [
{
"policyResourceCategory": "ENTITY",
"policyType": "ACCESS",
"resources": [
"entity:{entity}/*product/*",
"entity-type:DataProduct",
"entity-classification:*"
],
"actions": ["entity-create"]
},
{
"policyResourceCategory": "RELATIONSHIP",
"policyType": "ACCESS",
"description": "Link/unlink this DataProduct to any parent Domain",
"resources": [
"relationship-type:*",

"end-one-entity:{entity}/*",
"end-one-entity:{entity}",
"end-one-entity-type:DataDomain",
"end-one-entity-classification:*",

"end-two-entity:{entity}/*",
"end-two-entity-type:DataProduct",
"end-two-entity-classification:*"
],
"actions": ["add-relationship", "update-relationship", "remove-relationship"]
},
{
"policyResourceCategory": "RELATIONSHIP",
"policyType": "ACCESS",
"description": "Link/unlink any Asset to this DataProduct",

"resources": [
"relationship-type:*",

"end-one-entity-type:Asset",
"end-one-entity-classification:*",
"end-one-entity:*",

"end-two-entity-type:DataProduct",
"end-two-entity-classification:*",
"end-two-entity:{entity}/*product/*"
],

"actions": ["add-relationship", "update-relationship", "remove-relationship"]
}
],
"persona-domain-product-update": [
{
"policyResourceCategory": "ENTITY",
"policyType": "ACCESS",
"resources": [
"entity:{entity}/*product/*",
"entity-type:DataProduct",
"entity-classification:*"
],
"actions": ["entity-update"]
},
{
"policyResourceCategory": "RELATIONSHIP",
"policyType": "ACCESS",
"description": "Link/unlink any Asset to this DataProduct",

"resources": [
"relationship-type:*",

"end-one-entity-type:Asset",
"end-one-entity-classification:*",
"end-one-entity:*",

"end-two-entity-type:DataProduct",
"end-two-entity-classification:*",
"end-two-entity:{entity}/*product/*"
],

"actions": ["add-relationship", "update-relationship", "remove-relationship"]
}
],
"persona-domain-product-delete": [
{
"policyResourceCategory": "ENTITY",
"policyType": "ACCESS",
"resources": [
"entity:{entity}/*product/*",
"entity-type:DataProduct",
"entity-classification:*"
],
"actions": ["entity-delete"]
}
],



"select": [
{
"policyType": "ACCESS",
Expand All @@ -384,4 +629,4 @@
"actions": ["select"]
}
]
}
}
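Review bot: In the relationship policy under `persona-domain-sub-domain-create` the end-two block repeats `"end-one-entity:{entity}"` (already listed a few lines above in the end-one block) where `"end-two-entity:{entity}"` was evidently intended, so the persona's own domain is never an allowed end-two resource there and a link whose second end is the domain itself falls outside the grant; the fix is the single line `"end-two-entity:{entity}",`. The same policy and its twin under `persona-domain-product-create` both carry the description `Link/unlink this DataProduct to any parent Domain`, and the two `persona-domain-update` relationship policies mention DataContract while only DataDomain/DataProduct end types are listed — worth correcting, since these strings are what an administrator reads when auditing the rendered policies. Separately, `persona-domain-update` grants `end-two-entity:*` / `end-one-entity:*` of type DataDomain/DataProduct and `persona-domain-product-create`/`-update` grant `end-one-entity:*` of type Asset, i.e. a persona holding these can attach any domain, product or asset in the tenant to its own domain/product; if that breadth is intended it deserves a sentence in the description, otherwise the far end should be scoped to the persona's resources as the near end already is.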
Expand Up @@ -51,8 +51,11 @@
import static org.apache.atlas.repository.Constants.QUALIFIED_NAME;
import static org.apache.atlas.repository.Constants.TRAIT_NAMES_PROPERTY_KEY;
import static org.apache.atlas.repository.Constants.VERTEX_INDEX_NAME;
import static org.apache.atlas.repository.util.AccessControlUtils.ACCESS_READ_PERSONA_DOMAIN;
import static org.apache.atlas.repository.util.AccessControlUtils.ACCESS_READ_PERSONA_METADATA;
import static org.apache.atlas.repository.util.AccessControlUtils.ACCESS_READ_PERSONA_GLOSSARY;
import static org.apache.atlas.repository.util.AccessControlUtils.ACCESS_READ_PERSONA_PRODUCT;
import static org.apache.atlas.repository.util.AccessControlUtils.ACCESS_READ_PERSONA_SUB_DOMAIN;
import static org.apache.atlas.repository.util.AccessControlUtils.getConnectionQualifiedNameFromPolicyAssets;
import static org.apache.atlas.repository.util.AccessControlUtils.getESAliasName;
import static org.apache.atlas.repository.util.AccessControlUtils.getIsAllowPolicy;
Expand Down Expand Up @@ -201,6 +204,30 @@ private void personaPolicyToESDslClauses(List<AtlasEntity> policies,
terms.add(glossaryQName);
allowClauseList.add(mapOf("wildcard", mapOf(QUALIFIED_NAME, "*@" + glossaryQName)));
}
} else if (getPolicyActions(policy).contains(ACCESS_READ_PERSONA_DOMAIN)) {

for (String asset : assets) {
terms.add(asset);
allowClauseList.add(mapOf("wildcard", mapOf(QUALIFIED_NAME, asset + "/*")));
}

} else if (getPolicyActions(policy).contains(ACCESS_READ_PERSONA_SUB_DOMAIN)) {
for (String asset : assets) {
//terms.add(asset);
List<Map<String, Object>> mustMap = new ArrayList<>();
mustMap.add(mapOf("wildcard", mapOf(QUALIFIED_NAME, asset + "/*domain/*")));
mustMap.add(mapOf("term", mapOf("__typeName.keyword", "DataDomain")));
allowClauseList.add(mapOf("bool", mapOf("must", mustMap)));
}

} else if (getPolicyActions(policy).contains(ACCESS_READ_PERSONA_PRODUCT)) {
for (String asset : assets) {
//terms.add(asset);
List<Map<String, Object>> mustMap = new ArrayList<>();
mustMap.add(mapOf("wildcard", mapOf(QUALIFIED_NAME, asset + "/*product/*")));
mustMap.add(mapOf("term", mapOf("__typeName.keyword", "DataProduct")));
allowClauseList.add(mapOf("bool", mapOf("must", mustMap)));
}
}
}

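Review bot: The `ACCESS_READ_PERSONA_DOMAIN` branch builds its search filter from `terms.add(asset)` plus a bare `wildcard` on `asset + "/*"` with no `__typeName.keyword` term, unlike the sub-domain and product branches directly below it, so the alias admits every document whose qualifiedName starts with the domain prefix regardless of type, which appears wider than the `entity-type:DataDomain`/`DataProduct` restriction the corresponding policy template grants; if the filter is meant to mirror the policy, wrap it the way the sibling branches do. The two `//terms.add(asset);` leftovers should be deleted rather than shipped commented out, or replaced by a comment explaining why the exact-match term is intentionally omitted for sub-domains and products. Note also that `asset` is interpolated unescaped into an Elasticsearch wildcard pattern, so a qualifiedName containing `*` or `?` would widen the clause — this mirrors the existing glossary branch above and may be an accepted assumption, but a short comment stating it would help the next reader. `personaPolicyToESDslClauses` begins and ends outside this hunk.
```java
} else if (getPolicyActions(policy).contains(ACCESS_READ_PERSONA_DOMAIN)) {
    for (String asset : assets) {
        terms.add(asset);
        // restrict to the types the persona-domain-read policy actually grants
        List<Map<String, Object>> mustMap = new ArrayList<>();
        mustMap.add(mapOf("wildcard", mapOf(QUALIFIED_NAME, asset + "/*")));
        mustMap.add(mapOf("terms", mapOf("__typeName.keyword", Arrays.asList("DataDomain", "DataProduct"))));
        allowClauseList.add(mapOf("bool", mapOf("must", mustMap)));
    }
// … unchanged: sub-domain and product branches …
```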
Expand Up @@ -120,8 +120,12 @@ private void processCreatePolicy(AtlasStruct entity) throws AtlasBaseException {
AtlasEntityWithExtInfo parent = getAccessControlEntity(policy);
AtlasEntity parentEntity = parent.getEntity();

validator.validate(policy, null, parentEntity, CREATE);
validateConnectionAdmin(policy);
String policySubCategory = getPolicySubCategory(policy);

if (!POLICY_SUB_CATEGORY_DOMAIN.equals(policySubCategory)) {
validator.validate(policy, null, parentEntity, CREATE);
validateConnectionAdmin(policy);
}

policy.setAttribute(QUALIFIED_NAME, String.format("%s/%s", getEntityQualifiedName(parentEntity), getUUID()));

Expand Down Expand Up @@ -174,8 +178,12 @@ private void processUpdatePolicy(AtlasStruct entity, AtlasVertex vertex) throws
AtlasEntityWithExtInfo parent = getAccessControlEntity(policy);
AtlasEntity parentEntity = parent.getEntity();

validator.validate(policy, existingPolicy, parentEntity, UPDATE);
validateConnectionAdmin(policy);
String policySubCategory = getPolicySubCategory(policy);

if (!POLICY_SUB_CATEGORY_DOMAIN.equals(policySubCategory)) {
validator.validate(policy, existingPolicy, parentEntity, UPDATE);
validateConnectionAdmin(policy);
}

String qName = getEntityQualifiedName(existingPolicy);
policy.setAttribute(QUALIFIED_NAME, qName);
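Review bot: Both `processCreatePolicy` and `processUpdatePolicy` now skip `validator.validate(...)` entirely when `getPolicySubCategory(policy)` returns `domain`, and that sub-category is read from the incoming request payload, so a caller can label any policy as `domain` and bypass whatever the validator enforces together with the connection-admin check; on update the decision also comes from the new payload rather than `existingPolicy`, so a policy created under another sub-category can be flipped to `domain` and re-validated against nothing. If the only thing that does not apply to domain policies is the connection binding, keep validation unconditional and guard just that check: `validator.validate(policy, null, parentEntity, CREATE); if (!POLICY_SUB_CATEGORY_DOMAIN.equals(policySubCategory)) { validateConnectionAdmin(policy); }` — and in the update path base the decision on `getPolicySubCategory(existingPolicy)` or reject a sub-category change outright. If the validator genuinely cannot handle domain policies yet, that gap belongs in the validator rather than in a bypass here, and the skip should at minimum carry a comment stating why it is safe. Both methods begin and end outside these hunks.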
Expand Up @@ -95,6 +95,9 @@ public final class AccessControlUtils {
public static final String ACCESS_READ_PURPOSE_METADATA = "entity-read";
public static final String ACCESS_READ_PERSONA_METADATA = "persona-asset-read";
public static final String ACCESS_READ_PERSONA_GLOSSARY = "persona-glossary-read";
public static final String ACCESS_READ_PERSONA_DOMAIN = "persona-domain-read";
public static final String ACCESS_READ_PERSONA_SUB_DOMAIN = "persona-domain-sub-domain-read";
public static final String ACCESS_READ_PERSONA_PRODUCT = "persona-domain-product-read";

public static final String POLICY_CATEGORY_PERSONA = "persona";
public static final String POLICY_CATEGORY_PURPOSE = "purpose";
Expand All @@ -108,6 +111,7 @@ public final class AccessControlUtils {

public static final String POLICY_SUB_CATEGORY_METADATA = "metadata";
public static final String POLICY_SUB_CATEGORY_GLOSSARY = "glossary";
public static final String POLICY_SUB_CATEGORY_DOMAIN = "domain";
public static final String POLICY_SUB_CATEGORY_DATA = "data";

public static final String RESOURCES_ENTITY = "entity:";