DG-899: Flag based reduce Glossary READ policies users

addons/override-policies/glossary_policies.json

@@ -0,0 +1,113 @@
+{
+    "entities":
+    [
+        {
+            "typeName": "AuthPolicy",
+            "customAttributes": {
+                "internalId": 28
+            },
+            "attributes":
+            {
+                "name": "READ_GLOSSARY",
+                "qualifiedName": "READ_GLOSSARY",
+                "policyCategory": "bootstrap",
+                "policySubCategory": "default",
+                "policyServiceName": "atlas",
+                "policyType": "allow",
+                "policyPriority": 1,
+                "policyUsers":
+                [],
+                "policyGroups":
+                [],
+                "policyRoles":
+                [
+                    "$admin",
+                    "$api-token-default-access"
+                ],
+                "policyResourceCategory": "ENTITY",
+                "policyResources":
+                [
+                    "entity-type:AtlasGlossary",
+                    "entity-classification:*",
+                    "entity:*"
+                ],
+                "policyActions":
+                [
+                    "entity-read"
+                ]
+            }
+        },
+        {
+            "typeName": "AuthPolicy",
+            "customAttributes": {
+                "internalId": 29
+            },
+            "attributes":
+            {
+                "name": "READ_TERM",
+                "qualifiedName": "READ_TERM",
+                "policyCategory": "bootstrap",
+                "policySubCategory": "default",
+                "policyServiceName": "atlas",
+                "policyType": "allow",
+                "policyPriority": 1,
+                "policyUsers":
+                [],
+                "policyGroups":
+                [],
+                "policyRoles":
+                [
+                    "$admin",
+                    "$api-token-default-access"
+                ],
+                "policyResourceCategory": "ENTITY",
+                "policyResources":
+                [
+                    "entity-type:AtlasGlossaryTerm",
+                    "entity-classification:*",
+                    "entity:*"
+                ],
+                "policyActions":
+                [
+                    "entity-read"
+                ]
+            }
+        },
+        {
+            "typeName": "AuthPolicy",
+            "customAttributes": {
+                "internalId": 30
+            },
+            "attributes":
+            {
+                "name": "READ_CATEGORY",
+                "qualifiedName": "READ_CATEGORY",
+                "policyCategory": "bootstrap",
+                "policySubCategory": "default",
+                "policyServiceName": "atlas",
+                "policyType": "allow",
+                "policyPriority": 1,
+                "policyUsers":
+                [],
+                "policyGroups":
+                [],
+                "policyRoles":
+                [
+                    "$admin",
+                    "$api-token-default-access"
+                ],
+                "policyResourceCategory": "ENTITY",
+                "policyResources":
+                [
+                    "entity-type:AtlasGlossaryCategory",
+                    "entity-classification:*",
+                    "entity:*"
+                ],
+                "policyActions":
+                [
+                    "entity-read"
+                ]
+            }
+        }
+    ]
+}

distro/src/main/assemblies/atlas-server-package.xml

@@ -161,6 +161,12 @@
             <directory>../addons/policies</directory>
             <outputDirectory>policies</outputDirectory>
         </fileSet>
+
+        <fileSet>
+            <directory>../addons/override-policies</directory>
+            <outputDirectory>override-policies</outputDirectory>
+        </fileSet>
+
     </fileSets>
 
     <files>

distro/src/main/assemblies/standalone-package.xml

@@ -141,6 +141,11 @@
             <outputDirectory>policies</outputDirectory>
         </fileSet>
 
+        <fileSet>
+            <directory>../addons/override-policies</directory>
+            <outputDirectory>override-policies</outputDirectory>
+        </fileSet>
+
         <!-- addons/hive -->
         <fileSet>
             <directory>../addons/hive-bridge/src/bin</directory>

repository/src/main/java/org/apache/atlas/authorizer/AuthorizerUtils.java

@@ -1,30 +1,17 @@
 package org.apache.atlas.authorizer;
 
 import org.apache.atlas.ApplicationProperties;
-import org.apache.atlas.AtlasErrorCode;
 import org.apache.atlas.AtlasException;
-import org.apache.atlas.RequestContext;
-import org.apache.atlas.audit.provider.AuditHandler;
-import org.apache.atlas.authorize.AtlasAccessorRequest;
-import org.apache.atlas.authorize.AtlasAccessorResponse;
 import org.apache.atlas.authorize.AtlasAuthorizationUtils;
 import org.apache.atlas.authorize.AtlasEntityAccessRequest;
 import org.apache.atlas.authorize.AtlasPrivilege;
 import org.apache.atlas.authorize.AtlasRelationshipAccessRequest;
-import org.apache.atlas.authorizer.authorizers.AuthorizerCommon;
-import org.apache.atlas.authorizer.authorizers.EntityAuthorizer;
-import org.apache.atlas.authorizer.authorizers.ListAuthorizer;
-import org.apache.atlas.authorizer.authorizers.RelationshipAuthorizer;
 import org.apache.atlas.exception.AtlasBaseException;
 import org.apache.atlas.model.instance.AtlasClassification;
 import org.apache.atlas.model.instance.AtlasEntity;
 import org.apache.atlas.model.instance.AtlasEntityHeader;
-import org.apache.atlas.plugin.model.RangerServiceDef;
 import org.apache.atlas.repository.graphdb.AtlasGraph;
-import org.apache.atlas.repository.store.graph.v2.EntityGraphRetriever;
-import org.apache.atlas.type.AtlasType;
 import org.apache.atlas.type.AtlasTypeRegistry;
-import org.apache.atlas.utils.AtlasPerfMetrics;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
@@ -33,12 +20,8 @@
 
 import javax.inject.Inject;
 import java.io.IOException;
-import java.io.InputStream;
-import java.util.List;
-import java.util.Map;
 
 import static org.apache.atlas.authorize.AtlasPrivilege.ENTITY_CREATE;
-import static org.apache.atlas.repository.Constants.QUALIFIED_NAME;
 import static org.apache.atlas.repository.Constants.SKIP_DELETE_AUTH_CHECK_TYPES;
 import static org.apache.atlas.repository.Constants.SKIP_UPDATE_AUTH_CHECK_TYPES;
 
@@ -48,11 +31,9 @@ public class AuthorizerUtils {
 
     private static AtlasTypeRegistry typeRegistry;
 
-    public static boolean useAbacAuthorizer = false;
+    private static boolean useAbacAuthorizer = false;
 
-    @Inject
-    public AuthorizerUtils(AtlasGraph graph, AtlasTypeRegistry typeRegistry) throws IOException {
-        this.typeRegistry = typeRegistry;
+    static {
         try {
             useAbacAuthorizer = ApplicationProperties.get().getBoolean("atlas.authorizer.enable.abac", false);
 
@@ -64,6 +45,15 @@ public AuthorizerUtils(AtlasGraph graph, AtlasTypeRegistry typeRegistry) throws
         }
     }
 
+    @Inject
+    public AuthorizerUtils(AtlasGraph graph, AtlasTypeRegistry typeRegistry) throws IOException {
+        this.typeRegistry = typeRegistry;
+    }
+
+    public static boolean isUseAbacAuthorizer() {
+        return useAbacAuthorizer;
+    }
+
     public static void verifyUpdateEntityAccess(AtlasEntityHeader entityHeader) throws AtlasBaseException {
         if (!SKIP_UPDATE_AUTH_CHECK_TYPES.contains(entityHeader.getTypeName())) {
             verifyAccess(entityHeader, AtlasPrivilege.ENTITY_UPDATE);

repository/src/main/java/org/apache/atlas/repository/store/bootstrap/AuthPoliciesBootstrapper.java

@@ -21,6 +21,7 @@
 import org.apache.atlas.ApplicationProperties;
 import org.apache.atlas.AtlasException;
 import org.apache.atlas.RequestContext;
+import org.apache.atlas.authorizer.AuthorizerUtils;
 import org.apache.atlas.listener.ActiveStateChangeHandler;
 import org.apache.atlas.model.instance.AtlasEntity.AtlasEntitiesWithExtInfo;
 import org.apache.atlas.repository.graphdb.AtlasGraph;
@@ -68,6 +69,12 @@ private void startInternal() {
 
             if ("atlas".equalsIgnoreCase(authorizer)) {
                 loadBootstrapAuthPolicies();
+                if (AuthorizerUtils.isUseAbacAuthorizer()) {
+                    boolean overridePolicies = ApplicationProperties.get().getBoolean("atlas.authorizer.policy.override", false);
+                    if (overridePolicies) {
+                        overrideBootstrapAuthPolicies();
+                    }
+                }
             } else {
                 LOG.info("AuthPoliciesBootstrapper: startInternal: Skipping as not needed");
             }
@@ -96,6 +103,20 @@ private void loadBootstrapAuthPolicies() {
         LOG.info("<== AuthPoliciesBootstrapper.loadBootstrapAuthPolicies()");
     }
 
+    private void overrideBootstrapAuthPolicies() {
+        LOG.info("==> AuthPoliciesBootstrapper.overrideBootstrapAuthPolicies()");
+        RequestContext.get().setSkipAuthorizationCheck(true);
+        try {
+            String atlasHomeDir  = System.getProperty("atlas.home");
+            String policiesDirName = (StringUtils.isEmpty(atlasHomeDir) ? "." : atlasHomeDir) + File.separator + "override-policies";
+            File topPoliciesDir  = new File(policiesDirName);
+            loadPoliciesInFolder(topPoliciesDir);
+        } finally {
+            RequestContext.get().setSkipAuthorizationCheck(false);
+        }
+        LOG.info("<== AuthPoliciesBootstrapper.overrideBootstrapAuthPolicies()");
+    }
+
     private void loadPoliciesInFolder (File folder) {
         LOG.info("==> AuthPoliciesBootstrapper.loadPoliciesInFolder({})", folder);
 

repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityStoreV2.java

@@ -104,7 +104,7 @@
 
 import static java.lang.Boolean.FALSE;
 import static org.apache.atlas.AtlasConfiguration.STORE_DIFFERENTIAL_AUDITS;
-import static org.apache.atlas.authorizer.AuthorizerUtils.useAbacAuthorizer;
+import static org.apache.atlas.authorizer.AuthorizerUtils.isUseAbacAuthorizer;
 import static org.apache.atlas.bulkimport.BulkImportResponse.ImportStatus.FAILED;
 import static org.apache.atlas.model.instance.AtlasEntity.Status.ACTIVE;
 import static org.apache.atlas.model.instance.EntityMutations.EntityOperation.*;
@@ -2188,7 +2188,7 @@ public List<AtlasAccessorResponse> getAccessors(List<AtlasAccessorRequest> atlas
                     case ENTITY_CREATE:
                     case ENTITY_UPDATE:
                     case ENTITY_DELETE:
-                        if (!useAbacAuthorizer) {
+                        if (!isUseAbacAuthorizer()) {
                             AtlasEntityAccessRequestBuilder entityAccessRequestBuilder = getEntityAccessRequest(accessorRequest, action);
                             result = AtlasAuthorizationUtils.getAccessors(entityAccessRequestBuilder.build());
                         } else {
@@ -2200,7 +2200,7 @@ public List<AtlasAccessorResponse> getAccessors(List<AtlasAccessorRequest> atlas
                     case ENTITY_ADD_CLASSIFICATION:
                     case ENTITY_UPDATE_CLASSIFICATION:
                     case ENTITY_REMOVE_CLASSIFICATION:
-                        if (!useAbacAuthorizer) {
+                        if (!isUseAbacAuthorizer()) {
                             AtlasEntityAccessRequestBuilder entityAccessRequestBuilder = getEntityAccessRequest(accessorRequest, action);
                             entityAccessRequestBuilder.setClassification(new AtlasClassification(accessorRequest.getClassification()));
                             result = AtlasAuthorizationUtils.getAccessors(entityAccessRequestBuilder.build());
@@ -2211,7 +2211,7 @@ public List<AtlasAccessorResponse> getAccessors(List<AtlasAccessorRequest> atlas
 
                     case ENTITY_ADD_LABEL:
                     case ENTITY_REMOVE_LABEL:
-                        if (!useAbacAuthorizer) {
+                        if (!isUseAbacAuthorizer()) {
                             AtlasEntityAccessRequestBuilder entityAccessRequestBuilder = getEntityAccessRequest(accessorRequest, action);
                             entityAccessRequestBuilder.setLabel(accessorRequest.getLabel());
                             result = AtlasAuthorizationUtils.getAccessors(entityAccessRequestBuilder.build());
@@ -2221,7 +2221,7 @@ public List<AtlasAccessorResponse> getAccessors(List<AtlasAccessorRequest> atlas
                         break;
 
                     case ENTITY_UPDATE_BUSINESS_METADATA:
-                        if (!useAbacAuthorizer) {
+                        if (!isUseAbacAuthorizer()) {
                             AtlasEntityAccessRequestBuilder entityAccessRequestBuilder = getEntityAccessRequest(accessorRequest, action);
                             entityAccessRequestBuilder.setBusinessMetadata(accessorRequest.getBusinessMetadata());
                             result = AtlasAuthorizationUtils.getAccessors(entityAccessRequestBuilder.build());
@@ -2237,7 +2237,7 @@ public List<AtlasAccessorResponse> getAccessors(List<AtlasAccessorRequest> atlas
                         AtlasEntityHeader end1EntityHeader = extractEntityHeader(accessorRequest.getEntityGuidEnd1(), accessorRequest.getEntityQualifiedNameEnd1(), accessorRequest.getEntityTypeEnd1());
                         AtlasEntityHeader end2EntityHeader = extractEntityHeader(accessorRequest.getEntityGuidEnd2(), accessorRequest.getEntityQualifiedNameEnd2(), accessorRequest.getEntityTypeEnd2());
 
-                        if (!useAbacAuthorizer) {
+                        if (!isUseAbacAuthorizer()) {
                             AtlasRelationshipAccessRequest relAccessRequest = new AtlasRelationshipAccessRequest(typeRegistry,
                                     action, accessorRequest.getRelationshipTypeName(), end1EntityHeader, end2EntityHeader);