Merge pull request #2902 from atlanhq/dg-980
[Master]- Dg-980: Data Product Visibility
nikhilbonte21 authored Apr 1, 2024
2 parents 339ec18 + f42ed95 commit dfd02f3
Showing 4 changed files with 83 additions and 4 deletions.
Expand Up @@ -53,6 +53,7 @@
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
Expand All @@ -71,6 +72,7 @@
import static org.apache.atlas.repository.util.AccessControlUtils.ATTR_POLICY_PRIORITY;
import static org.apache.atlas.repository.util.AccessControlUtils.ATTR_POLICY_SERVICE_NAME;
import static org.apache.atlas.repository.util.AccessControlUtils.ATTR_POLICY_SUB_CATEGORY;
import static org.apache.atlas.repository.util.AccessControlUtils.POLICY_CATEGORY_DATAMESH;
import static org.apache.atlas.repository.util.AccessControlUtils.POLICY_CATEGORY_PERSONA;
import static org.apache.atlas.repository.util.AccessControlUtils.POLICY_CATEGORY_PURPOSE;
import static org.apache.atlas.repository.util.AccessControlUtils.getIsPolicyEnabled;
Expand Down Expand Up @@ -239,6 +241,18 @@ private List<RangerPolicy> transformAtlasPoliciesToRangerPolicies(List<AtlasEnti
rangerPolicies.add(toRangerPolicy(transformedPolicy, serviceType));
}

}
else if (POLICY_CATEGORY_DATAMESH.equals(policyCategory)) {
RangerPolicy rangerPolicy = getRangerPolicy(atlasPolicy, serviceType);

//GET policy Item
setPolicyItems(rangerPolicy, atlasPolicy);

//GET policy Resources
setPolicyResourcesForDatameshPolicies(rangerPolicy, atlasPolicy);

rangerPolicies.add(rangerPolicy);

} else {
rangerPolicies.add(toRangerPolicy(atlasPolicy, serviceType));
}
Expand All @@ -264,6 +278,26 @@ private RangerPolicy toRangerPolicy(AtlasEntityHeader atlasPolicy, String servic
}

private void setPolicyResources(RangerPolicy rangerPolicy, AtlasEntityHeader atlasPolicy) throws IOException {
rangerPolicy.setResources(getFinalResources(atlasPolicy));
}

private void setPolicyResourcesForDatameshPolicies(RangerPolicy rangerPolicy, AtlasEntityHeader atlasPolicy) {
Map<String, RangerPolicyResource> resources = getFinalResources(atlasPolicy);

if (!resources.containsKey("entity-classification")) {
RangerPolicyResource resource = new RangerPolicyResource(Arrays.asList("*"), false, false);
resources.put("entity-classification", resource);
}

if (!resources.containsKey("entity-type")) {
RangerPolicyResource resource = new RangerPolicyResource(Arrays.asList("*"), false, false);
resources.put("entity-type", resource);
}

rangerPolicy.setResources(resources);
}

private Map<String, RangerPolicyResource> getFinalResources(AtlasEntityHeader atlasPolicy) {
List<String> atlasResources = (List<String>) atlasPolicy.getAttribute("policyResources");

Map<String, List<String>> resourceValuesMap = new HashMap<>();
Expand All @@ -285,7 +319,7 @@ private void setPolicyResources(RangerPolicy rangerPolicy, AtlasEntityHeader atl
resources.put(key, resource);
}

rangerPolicy.setResources(resources);
return resources;
}

private <T> T getResourceAsObject(String resourceName, Class<T> clazz) throws IOException {
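Review bot: In `setPolicyResourcesForDatameshPolicies`, the `*` defaults for `entity-classification` and `entity-type` are added without first checking that the policy carries any entity scope, so a datamesh policy whose `policyResources` attribute is empty or missing would be handed to Ranger with wildcard-only resources. How Ranger matches such a policy is not visible on this page, but failing closed is the safer default: guard with `if (!resources.containsKey("entity"))` and skip (and log) the policy instead of adding it with only the `*` defaults. The middle of `getFinalResources` lies outside the hunk, so the exact key name and how the `(List<String>)` cast behaves on a null attribute should be confirmed there. The comments `//GET policy Item` and `//GET policy Resources` in the new `else if` branch sit above setter calls; `// set policy items` and `// set policy resources` would match the code.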
Expand Up @@ -221,6 +221,9 @@ private void processUpdatePolicy(AtlasStruct entity, AtlasVertex vertex) throws

//create ES alias
parent.addReferredEntity(policy);

} else if (POLICY_CATEGORY_DATAMESH.equals(policyCategory)) {
validator.validate(policy, existingPolicy, null, UPDATE);
} else {
validator.validate(policy, null, null, UPDATE);
}
Expand Up @@ -52,6 +52,10 @@ public class AuthPolicyValidator {
add(POLICY_SUB_CATEGORY_DATA);
}};

private static final Set<String> DATAMESH_POLICY_VALID_SUB_CATEGORIES = new HashSet<String>(){{
add(POLICY_SUB_CATEGORY_PRODUCT);
}};

private static final Set<String> PERSONA_METADATA_POLICY_ACTIONS = new HashSet<String>(){{
add("persona-asset-read");
add("persona-asset-update");
Expand Down Expand Up @@ -105,6 +109,14 @@ public class AuthPolicyValidator {
put(POLICY_SUB_CATEGORY_DATA, DATA_POLICY_ACTIONS);
}};

private static final Set<String> DATAMESH_POLICY_ACTIONS = new HashSet<String>(){{
add(ENTITY_READ.getType());
}};

private static final Map<String, Set<String>> DATAMESH_POLICY_VALID_ACTIONS = new HashMap<String, Set<String>>(){{
put(POLICY_SUB_CATEGORY_PRODUCT, DATAMESH_POLICY_ACTIONS);
}};

private static final Set<String> PERSONA_POLICY_VALID_RESOURCE_KEYS = new HashSet<String>() {{
add("entity");
add("entity-type");
Expand All @@ -120,7 +132,7 @@ public void validate(AtlasEntity policy, AtlasEntity existingPolicy,
policyCategory = getPolicyCategory(existingPolicy);
}

if (POLICY_CATEGORY_PERSONA.equals(policyCategory) || POLICY_CATEGORY_PURPOSE.equals(policyCategory)) {
if (POLICY_CATEGORY_PERSONA.equals(policyCategory) || POLICY_CATEGORY_PURPOSE.equals(policyCategory) || POLICY_CATEGORY_DATAMESH.equals(policyCategory)) {

if (operation == CREATE) {
String policySubCategory = getPolicySubCategory(policy);
Expand All @@ -132,9 +144,10 @@ public void validate(AtlasEntity policy, AtlasEntity existingPolicy,

validateParam(CollectionUtils.isEmpty(policyActions), "Please provide attribute " + ATTR_POLICY_ACTIONS);

validateOperation (!AtlasEntity.Status.ACTIVE.equals(accessControl.getStatus()), accessControl.getTypeName() + " is not Active");

if (POLICY_CATEGORY_PERSONA.equals(policyCategory)) {
validateOperation (!AtlasEntity.Status.ACTIVE.equals(accessControl.getStatus()), accessControl.getTypeName() + " is not Active");

validateParam (!PERSONA_ENTITY_TYPE.equals(accessControl.getTypeName()), "Please provide Persona as accesscontrol");

validateParam (!PERSONA_POLICY_VALID_SUB_CATEGORIES.contains(policySubCategory),
Expand Down Expand Up @@ -173,6 +186,8 @@ public void validate(AtlasEntity policy, AtlasEntity existingPolicy,
}

if (POLICY_CATEGORY_PURPOSE.equals(policyCategory)) {
validateOperation (!AtlasEntity.Status.ACTIVE.equals(accessControl.getStatus()), accessControl.getTypeName() + " is not Active");

validateParam (!PURPOSE_ENTITY_TYPE.equals(accessControl.getTypeName()), "Please provide Purpose as accesscontrol");

validateParam (!PURPOSE_POLICY_VALID_SUB_CATEGORIES.contains(policySubCategory),
Expand All @@ -190,6 +205,18 @@ public void validate(AtlasEntity policy, AtlasEntity existingPolicy,
"Please provide valid values for attribute " + ATTR_POLICY_ACTIONS + ": Invalid actions "+ copyOfActions);
}

if (POLICY_CATEGORY_DATAMESH.equals(policyCategory)) {
validateParam (!DATAMESH_POLICY_VALID_SUB_CATEGORIES.contains(policySubCategory),
"Please provide valid value for attribute " + ATTR_POLICY_SUB_CATEGORY + ":"+ DATAMESH_POLICY_VALID_SUB_CATEGORIES);

//validate datamesh policy actions
Set<String> validActions = DATAMESH_POLICY_VALID_ACTIONS.get(policySubCategory);
List<String> copyOfActions = new ArrayList<>(policyActions);
copyOfActions.removeAll(validActions);
validateParam (CollectionUtils.isNotEmpty(copyOfActions),
"Please provide valid values for attribute " + ATTR_POLICY_ACTIONS + ": Invalid actions "+ copyOfActions);
}

} else {

validateOperation (StringUtils.isNotEmpty(policyCategory) && !policyCategory.equals(getPolicyCategory(existingPolicy)),
Expand Down Expand Up @@ -261,14 +288,27 @@ public void validate(AtlasEntity policy, AtlasEntity existingPolicy,

validateParentUpdate(policy, existingPolicy);
}

if (POLICY_CATEGORY_DATAMESH.equals(policyCategory)) {
validateParam (!DATAMESH_POLICY_VALID_SUB_CATEGORIES.contains(policySubCategory),
"Please provide valid value for attribute " + ATTR_POLICY_SUB_CATEGORY + ":"+ DATAMESH_POLICY_VALID_SUB_CATEGORIES);

//validate datamesh policy actions
Set<String> validActions = DATAMESH_POLICY_VALID_ACTIONS.get(policySubCategory);
List<String> copyOfActions = new ArrayList<>(policyActions);
copyOfActions.removeAll(validActions);
validateParam (CollectionUtils.isNotEmpty(copyOfActions),
"Please provide valid values for attribute " + ATTR_POLICY_ACTIONS + ": Invalid actions "+ copyOfActions);

}
}

} else {
//only allow argo & backend
if (!RequestContext.get().isSkipAuthorizationCheck()) {
String userName = RequestContext.getCurrentUser();
validateOperation (!ARGO_SERVICE_USER_NAME.equals(userName) && !BACKEND_SERVICE_USER_NAME.equals(userName),
"Create/Update AuthPolicy with policyCategory other than persona & purpose");
"Create/Update AuthPolicy with policyCategory other than persona, purpose and datamesh");
}
}
}
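Review bot: The new datamesh branches in `validate` check only the sub-category and the action allow-list; nothing visible validates the policy's `policyResources`, whereas the persona path declares `PERSONA_POLICY_VALID_RESOURCE_KEYS`. Because the condition at the top now routes `datamesh` away from the branch reserved for the Argo and backend service users, this validator appears to be the main gate on what a datamesh read policy may cover, so a resource check (non-empty, allowed keys only) belongs in both the CREATE and UPDATE paths. The two datamesh blocks are also copies of each other; one private helper, e.g. `validateDatameshPolicy(policySubCategory, policyActions)`, called from both would keep the allow-list checks from drifting apart. `validate` begins and ends outside the visible hunks, so any resource validation done elsewhere in the method cannot be seen from here.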
Expand Up @@ -101,6 +101,7 @@ public final class AccessControlUtils {

public static final String POLICY_CATEGORY_PERSONA = "persona";
public static final String POLICY_CATEGORY_PURPOSE = "purpose";
public static final String POLICY_CATEGORY_DATAMESH = "datamesh";
public static final String POLICY_CATEGORY_BOOTSTRAP = "bootstrap";

public static final String POLICY_SUB_CATEGORY_COLLECTION = "collection";
Expand All @@ -113,6 +114,7 @@ public final class AccessControlUtils {
public static final String POLICY_SUB_CATEGORY_GLOSSARY = "glossary";
public static final String POLICY_SUB_CATEGORY_DOMAIN = "domain";
public static final String POLICY_SUB_CATEGORY_DATA = "data";
public static final String POLICY_SUB_CATEGORY_PRODUCT = "dataProduct";

public static final String RESOURCES_ENTITY = "entity:";
public static final String RESOURCES_ENTITY_TYPE = "entity-type:";