Merge pull request #2772 from atlanhq/accesscontrolv2-nb

Deny support for relationship with access logs
atlanhq · Jan 19, 2024 · cc99036 · cc99036
2 parents aa9ad98 + d6239fb
commit cc99036
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 134 deletions.
diff --git a/repository/src/main/java/org/apache/atlas/authorizer/authorizers/RelationshipAuthorizer.java b/repository/src/main/java/org/apache/atlas/authorizer/authorizers/RelationshipAuthorizer.java
@@ -24,10 +24,10 @@
 import java.util.*;
 import java.util.stream.Collectors;
 
+import static org.apache.atlas.authorizer.AuthorizerUtils.DENY_POLICY_NAME_SUFFIX;
 import static org.apache.atlas.authorizer.AuthorizerUtils.MAX_CLAUSE_LIMIT;
 import static org.apache.atlas.authorizer.AuthorizerUtils.POLICY_TYPE_ALLOW;
 import static org.apache.atlas.authorizer.AuthorizerUtils.POLICY_TYPE_DENY;
-import static org.apache.atlas.authorizer.authorizers.AuthorizerCommon.arrayListContains;
 import static org.apache.atlas.authorizer.authorizers.AuthorizerCommon.getMap;
 import static org.apache.atlas.authorizer.authorizers.EntityAuthorizer.validateFilterCriteriaWithEntity;
 import static org.apache.atlas.authorizer.authorizers.ListAuthorizer.getDSLForResources;
@@ -265,125 +265,6 @@ public static boolean evaluateRangerPolicyInMemory(RangerPolicy rangerPolicy, St
 
         return false;
     }
-    /*public static boolean validateFilterCriteriaWithEntity(JsonNode data, AtlasEntity entity) {
-        AtlasPerfMetrics.MetricRecorder recorder = RequestContext.get().startMetricRecord("RelationshipAuthorizer.validateFilterCriteriaWithEntity");
-
-        String condition = data.get("condition").asText();
-        JsonNode criterion = data.get("criterion");
-
-        Set<String> assetTypes = AuthorizerCommon.getTypeAndSupertypesList(entity.getTypeName());
-
-        boolean result = true;
-        boolean evaluation;
-
-        if (criterion.size() == 0) {
-            return false;
-        }
-
-        for (JsonNode crit : criterion) {
-
-            evaluation = false;
-
-            if (crit.has("condition")) {
-                evaluation = validateFilterCriteriaWithEntity(crit, entity);
-
-            } else {
-                String operator = crit.get("operator").asText();
-                String attributeName = crit.get("attributeName").asText();
-                String attributeValue = crit.get("attributeValue").asText();
-
-//                List<String> attributeValues = new ArrayList<>();
-//                if (operator.equals("IN") || operator.equals("NOT_IN")) {
-//                    for (JsonNode valueNode : crit.get("attributeValue")) {
-//                        ObjectMapper mapper = new ObjectMapper();
-//                        String value = null;
-//                        try {
-//                            value = mapper.treeToValue(valueNode, String.class);
-//                        } catch (JsonProcessingException e) {
-//                            e.printStackTrace();
-//                        }
-//                        attributeValues.add(value);
-//                    }
-//                }
-
-
-                if (attributeName.endsWith(".text")) {
-                    attributeName = attributeName.replace(".text", "");
-                } else if (attributeName.endsWith(".keyword")) {
-                    attributeName = attributeName.replace(".keyword", "");
-                }
-
-                List<String> entityAttributeValues = new ArrayList<>();
-
-                if (attributeName.equals("__superTypeNames")) {
-                    entityAttributeValues.addAll(assetTypes);
-
-                } if (attributeName.equals("__typeName")) {
-                    entityAttributeValues.add(entity.getTypeName());
-
-                } if (attributeName.equals("__guid")) {
-                    entityAttributeValues.add(entity.getGuid());
-
-                } else if (attributeName.equals("__traitNames")) {
-                    List<AtlasClassification> atlasClassifications = entity.getClassifications();
-                    if (atlasClassifications != null && !atlasClassifications.isEmpty()) {
-                        for (AtlasClassification atlasClassification : atlasClassifications) {
-                            entityAttributeValues.add(atlasClassification.getTypeName());
-                        }
-                    }
-                } else if (attributeName.equals("__meaningNames")) {
-                    List<AtlasTermAssignmentHeader> atlasMeanings = entity.getMeanings();
-                    for (AtlasTermAssignmentHeader atlasMeaning : atlasMeanings) {
-                        entityAttributeValues.add(atlasMeaning.getDisplayText());
-                    }
-                } else {
-                    String typeName = entity.getTypeName();
-                    boolean isArrayOfPrimitiveType = false;
-                    boolean isArrayOfEnum = false;
-                    AtlasEntityType entityType = AuthorizerCommon.getEntityTypeByName(typeName);
-                    AtlasStructType.AtlasAttribute atlasAttribute = entityType.getAttribute(attributeName);
-                    if (atlasAttribute.getAttributeType().getTypeCategory().equals(ARRAY)) {
-                        AtlasArrayType attributeType = (AtlasArrayType) atlasAttribute.getAttributeType();
-                        AtlasType elementType = attributeType.getElementType();
-                        isArrayOfPrimitiveType = elementType.getTypeCategory().equals(TypeCategory.PRIMITIVE);
-                        isArrayOfEnum = elementType.getTypeCategory().equals(TypeCategory.ENUM);
-                    }
-
-                    if (entity.getAttribute(attributeName) != null) {
-                        if (isArrayOfEnum || isArrayOfPrimitiveType) {
-                            entityAttributeValues.addAll((Collection<? extends String>) entity.getAttribute(attributeName));
-                        } else {
-                            entityAttributeValues.add((String) entity.getAttribute(attributeName));
-                        }
-                    }
-                }
-
-                if (operator.equals("EQUALS") && entityAttributeValues.contains(attributeValue)) {
-                    evaluation = true;
-                }
-                if ((operator.equals("STARTS_WITH") && AuthorizerCommon.listStartsWith(attributeValue, entityAttributeValues))) {
-                    evaluation = true;
-                }
-                if ((operator.equals("ENDS_WITH") && AuthorizerCommon.listEndsWith(attributeValue, entityAttributeValues))) {
-                    evaluation = true;
-                }
-                if ((operator.equals("NOT_EQUALS") && !entityAttributeValues.contains(attributeValue))) {
-                    evaluation = true;
-                }
-            }
-
-
-
-            if (condition.equals("AND")) {
-                result = result && evaluation;
-            } else {
-                result = result || evaluation;
-            }
-        }
-
-        RequestContext.get().endMetricRecord(recorder);
-        return result;
-    }*/
 
     public static AccessResult isRelationshipAccessAllowed(String action, AtlasEntityHeader endOneEntity, AtlasEntityHeader endTwoEntity) throws AtlasBaseException {
         AtlasPerfMetrics.MetricRecorder recorder = RequestContext.get().startMetricRecord("RelationshipAuthorizer.isRelationshipAccessAllowed");
@@ -400,9 +281,8 @@ public static AccessResult isRelationshipAccessAllowed(String action, AtlasEntit
             String dslString = mapper.writeValueAsString(dsl);
             RestClient restClient = getLowLevelClient();
             AtlasElasticsearchQuery elasticsearchQuery = new AtlasElasticsearchQuery("janusgraph_vertex_index", restClient);
-            Map<String, Object> elasticsearchResult = null;
+            Map<String, Object> elasticsearchResult = elasticsearchQuery.runQueryWithLowLevelClient(dslString);
             LOG.info(dslString);
-            elasticsearchResult = elasticsearchQuery.runQueryWithLowLevelClient(dslString);
             Integer count = null;
             if (elasticsearchResult!=null) {
                 count = (Integer) elasticsearchResult.get("total");
@@ -437,9 +317,14 @@ public static AccessResult isRelationshipAccessAllowed(String action, AtlasEntit
                 }
                 List<String> common = (List<String>) CollectionUtils.intersection(matchedClausesEndOne, matchedClausesEndTwo);
                 if (!common.isEmpty()) {
-                    result.setAllowed(true);
-                    result.setPolicyId(common.get(0));
-                    return result;
+                    Optional<String> denied = common.stream().filter(x -> x.endsWith(DENY_POLICY_NAME_SUFFIX)).findFirst();
+
+                    if (denied.isPresent()) {
+                        result.setPolicyId(denied.get().split("_")[0]);
+                    } else {
+                        result.setAllowed(true);
+                        result.setPolicyId(common.get(0));
+                    }
                 }
 
                 /*if (arrayListContains(matchedClausesEndOne, matchedClausesEndTwo)) {
@@ -466,7 +351,7 @@ public static Map<String, Object> getElasticsearchDSLForRelationshipActions(List
         List<RangerPolicy> tagPolicies = PoliciesStore.getRelevantPolicies(null, null, "atlas_tag", actions, POLICY_TYPE_ALLOW);
         List<Map<String, Object>> tagPoliciesClauses = getDSLForRelationshipTagPolicies(tagPolicies);
 
-        List<RangerPolicy> abacPolicies = PoliciesStore.getRelevantPolicies(null, null, "atlas_abac", actions, POLICY_TYPE_ALLOW);
+        List<RangerPolicy> abacPolicies = PoliciesStore.getRelevantPolicies(null, null, "atlas_abac", actions, null);
         List<Map<String, Object>> abacPoliciesClauses = getDSLForRelationshipAbacPolicies(abacPolicies);
 
         policiesClauses.addAll(resourcePoliciesClauses);
@@ -581,6 +466,7 @@ private static List<Map<String, Object>> getDSLForRelationshipTagPolicies(List<R
     private static List<Map<String, Object>> getDSLForRelationshipAbacPolicies(List<RangerPolicy> policies) throws JsonProcessingException {
         List<Map<String, Object>> shouldClauses = new ArrayList<>();
         for (RangerPolicy policy : policies) {
+            boolean deny = CollectionUtils.isNotEmpty(policy.getDenyPolicyItems());
             if ("RELATIONSHIP".equals(policy.getPolicyResourceCategory())) {
                 String filterCriteria = policy.getPolicyFilterCriteria();
                 ObjectMapper mapper = new ObjectMapper();
@@ -596,7 +482,7 @@ private static List<Map<String, Object>> getDSLForRelationshipAbacPolicies(List<
                     String DslBase64 = Base64.getEncoder().encodeToString(Dsl.toString().getBytes());
                     String clauseName = relationshipEnd + "-" + policy.getGuid();
                     Map<String, Object> boolMap = new HashMap<>();
-                    boolMap.put("_name", clauseName);
+                    boolMap.put("_name", (deny) ? clauseName + DENY_POLICY_NAME_SUFFIX : clauseName);
                     boolMap.put("filter", getMap("wrapper", getMap("query", DslBase64)));
 
                     shouldClauses.add(getMap("bool", boolMap));

diff --git a/repository/src/main/java/org/apache/atlas/authorizer/store/PoliciesStore.java b/repository/src/main/java/org/apache/atlas/authorizer/store/PoliciesStore.java
@@ -13,6 +13,7 @@
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.stream.Collectors;
 
 import static org.apache.atlas.authorizer.AuthorizerUtils.POLICY_TYPE_ALLOW;
 import static org.apache.atlas.authorizer.AuthorizerUtils.POLICY_TYPE_DENY;
@@ -147,9 +148,7 @@ private static List<RangerPolicy> getFilteredPoliciesForActions(List<RangerPolic
             if (policyItem != null) {
                 List<String> policyActions = new ArrayList<>();
                 if (!policyItem.getAccesses().isEmpty()) {
-                    for (RangerPolicy.RangerPolicyItemAccess access : policyItem.getAccesses()) {
-                        policyActions.add(access.getType());
-                    }
+                    policyActions = policyItem.getAccesses().stream().map(x -> x.getType()).collect(Collectors.toList());
                 }
                 if (AuthorizerCommon.arrayListContains(policyActions, actions)) {
                     filteredPolicies.add(policy);
@@ -167,11 +166,21 @@ private static List<RangerPolicy> getFilteredPoliciesForUser(List<RangerPolicy>
         List<RangerPolicy> filterPolicies = new ArrayList<>();
         for(RangerPolicy policy : policies) {
             RangerPolicy.RangerPolicyItem policyItem = null;
-            if (POLICY_TYPE_ALLOW.equals(type) && !policy.getPolicyItems().isEmpty()) {
-                policyItem = policy.getPolicyItems().get(0);
-            } else if (POLICY_TYPE_DENY.equals(type) && !policy.getDenyPolicyItems().isEmpty()) {
-                policyItem = policy.getDenyPolicyItems().get(0);
+
+            if (StringUtils.isNotEmpty(type)) {
+                if (POLICY_TYPE_ALLOW.equals(type) && !policy.getPolicyItems().isEmpty()) {
+                    policyItem = policy.getPolicyItems().get(0);
+                } else if (POLICY_TYPE_DENY.equals(type) && !policy.getDenyPolicyItems().isEmpty()) {
+                    policyItem = policy.getDenyPolicyItems().get(0);
+                }
+            } else {
+                if (!policy.getPolicyItems().isEmpty()) {
+                    policyItem = policy.getPolicyItems().get(0);
+                } else if (!policy.getDenyPolicyItems().isEmpty()) {
+                    policyItem = policy.getDenyPolicyItems().get(0);
+                }
             }
+
             if (policyItem != null) {
                 List<String> policyUsers = policyItem.getUsers();
                 List<String> policyGroups = policyItem.getGroups();