diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
index c76a8715b7..0f3f8d4dc7 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -24,8 +24,6 @@
import org.apache.atlas.type.AtlasStructType.AtlasAttribute;
import org.apache.atlas.type.AtlasTypeRegistry;
import org.apache.commons.collections.MapUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
import java.util.Collections;
import java.util.Date;
@@ -35,19 +33,16 @@
import java.util.Set;
public class AtlasAccessRequest {
- private static Logger LOG = LoggerFactory.getLogger(AtlasAccessRequest.class);
-
private static final String DEFAULT_ENTITY_ID_ATTRIBUTE = "qualifiedName";
private final AtlasPrivilege action;
private final Date accessTime;
- private String user = null;
- private Set userGroups = null;
- private String clientIPAddress = null;
+ private String user;
+ private Set userGroups;
+ private String clientIPAddress;
private List forwardedAddresses;
private String remoteIPAddress;
-
protected AtlasAccessRequest(AtlasPrivilege action) {
this(action, null, null, new Date(), null);
}
@@ -56,11 +51,11 @@ protected AtlasAccessRequest(AtlasPrivilege action, String user, Set use
this(action, user, userGroups, new Date(), null, null, null);
}
- protected AtlasAccessRequest(AtlasPrivilege action, String user, Set userGroups, Date accessTime,
- String clientIPAddress, List forwardedAddresses, String remoteIPAddress) {
+ protected AtlasAccessRequest(AtlasPrivilege action, String user, Set userGroups, Date accessTime, String clientIPAddress, List forwardedAddresses, String remoteIPAddress) {
this(action, user, userGroups, accessTime, clientIPAddress);
- this.forwardedAddresses = forwardedAddresses;
- this.remoteIPAddress = remoteIPAddress;
+
+ this.forwardedAddresses = forwardedAddresses;
+ this.remoteIPAddress = remoteIPAddress;
}
protected AtlasAccessRequest(AtlasPrivilege action, String user, Set userGroups, Date accessTime, String clientIPAddress) {
@@ -96,22 +91,22 @@ public List getForwardedAddresses() {
return forwardedAddresses;
}
- public String getRemoteIPAddress() {
- return remoteIPAddress;
- }
-
- public String getClientIPAddress() {
- return clientIPAddress;
- }
-
public void setForwardedAddresses(List forwardedAddresses) {
this.forwardedAddresses = forwardedAddresses;
}
+ public String getRemoteIPAddress() {
+ return remoteIPAddress;
+ }
+
public void setRemoteIPAddress(String remoteIPAddress) {
this.remoteIPAddress = remoteIPAddress;
}
+ public String getClientIPAddress() {
+ return clientIPAddress;
+ }
+
public void setClientIPAddress(String clientIPAddress) {
this.clientIPAddress = clientIPAddress;
}
@@ -169,7 +164,6 @@ public String getEntityId(AtlasEntityHeader entity, AtlasTypeRegistry typeRegist
break;
}
}
-
}
}
@@ -194,10 +188,9 @@ public Set getClassificationNames(AtlasEntityHeader entity) {
@Override
public String toString() {
- return "AtlasAccessRequest[" + "action=" + action + ", accessTime=" + accessTime +", user='" + user + '\'' +
+ return "AtlasAccessRequest[" + "action=" + action + ", accessTime=" + accessTime + ", user='" + user + '\'' +
", userGroups=" + userGroups + ", clientIPAddress='" + clientIPAddress + '\'' +
", forwardedAddresses=" + forwardedAddresses + ", remoteIPAddress='" + remoteIPAddress + '\'' +
']';
-
}
}
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java
index 5f571fb648..e6e34dbc7f 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -17,11 +17,9 @@
*/
package org.apache.atlas.authorize;
-
import java.util.Set;
public class AtlasAdminAccessRequest extends AtlasAccessRequest {
-
public AtlasAdminAccessRequest(AtlasPrivilege action) {
super(action);
}
@@ -33,7 +31,7 @@ public AtlasAdminAccessRequest(AtlasPrivilege action, String userName, Set
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -29,8 +29,7 @@ public AtlasAuthorizationException(String message, Throwable exception) {
super(message, exception);
}
- public AtlasAuthorizationException(String message, Throwable exception, boolean enableSuppression,
- boolean writableStackTrace) {
+ public AtlasAuthorizationException(String message, Throwable exception, boolean enableSuppression, boolean writableStackTrace) {
super(message, exception, enableSuppression, writableStackTrace);
}
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java
index b1a3eb5fb2..581c6235f7 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java
@@ -1,5 +1,5 @@
/**
-/**
+ * /**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -7,9 +7,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -31,18 +31,23 @@
import org.springframework.security.core.context.SecurityContextHolder;
import javax.servlet.http.HttpServletRequest;
+
import java.net.InetAddress;
import java.net.UnknownHostException;
+import java.util.Arrays;
import java.util.HashSet;
-import java.util.Set;
import java.util.List;
-import java.util.Arrays;
+import java.util.Set;
public class AtlasAuthorizationUtils {
private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthorizationUtils.class);
+ private AtlasAuthorizationUtils() {
+ // to block instantiation
+ }
+
public static void verifyAccess(AtlasAdminAccessRequest request, Object... errorMsgParams) throws AtlasBaseException {
- if (! isAccessAllowed(request)) {
+ if (!isAccessAllowed(request)) {
String message = (errorMsgParams != null && errorMsgParams.length > 0) ? StringUtils.join(errorMsgParams) : "";
throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, request.getUser(), message);
@@ -50,7 +55,7 @@ public static void verifyAccess(AtlasAdminAccessRequest request, Object... error
}
public static void verifyAccess(AtlasTypeAccessRequest request, Object... errorMsgParams) throws AtlasBaseException {
- if (! isAccessAllowed(request)) {
+ if (!isAccessAllowed(request)) {
String message = (errorMsgParams != null && errorMsgParams.length > 0) ? StringUtils.join(errorMsgParams) : "";
throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, request.getUser(), message);
@@ -58,7 +63,7 @@ public static void verifyAccess(AtlasTypeAccessRequest request, Object... errorM
}
public static void verifyAccess(AtlasEntityAccessRequest request, Object... errorMsgParams) throws AtlasBaseException {
- if (! isAccessAllowed(request)) {
+ if (!isAccessAllowed(request)) {
String message = (errorMsgParams != null && errorMsgParams.length > 0) ? StringUtils.join(errorMsgParams) : "";
throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, request.getUser(), message);
@@ -68,11 +73,12 @@ public static void verifyAccess(AtlasEntityAccessRequest request, Object... erro
public static void verifyAccess(AtlasRelationshipAccessRequest request, Object... errorMsgParams) throws AtlasBaseException {
if (!isAccessAllowed(request)) {
String message = (errorMsgParams != null && errorMsgParams.length > 0) ? StringUtils.join(errorMsgParams) : "";
+
throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, request.getUser(), message);
}
}
- public static void scrubSearchResults(AtlasSearchResultScrubRequest request) throws AtlasBaseException {
+ public static void scrubSearchResults(AtlasSearchResultScrubRequest request) {
String userName = getCurrentUserName();
if (StringUtils.isNotEmpty(userName)) {
@@ -105,6 +111,7 @@ public static boolean isAccessAllowed(AtlasAdminAccessRequest request) {
request.setClientIPAddress(RequestContext.get().getClientIPAddress());
request.setForwardedAddresses(RequestContext.get().getForwardedAddresses());
request.setRemoteIPAddress(RequestContext.get().getClientIPAddress());
+
ret = authorizer.isAccessAllowed(request);
} catch (AtlasAuthorizationException e) {
LOG.error("Unable to obtain AtlasAuthorizer", e);
@@ -132,6 +139,7 @@ public static boolean isAccessAllowed(AtlasEntityAccessRequest request) {
request.setClientIPAddress(RequestContext.get().getClientIPAddress());
request.setForwardedAddresses(RequestContext.get().getForwardedAddresses());
request.setRemoteIPAddress(RequestContext.get().getClientIPAddress());
+
ret = authorizer.isAccessAllowed(request);
} catch (AtlasAuthorizationException e) {
LOG.error("Unable to obtain AtlasAuthorizer", e);
@@ -159,6 +167,7 @@ public static boolean isAccessAllowed(AtlasTypeAccessRequest request) {
request.setClientIPAddress(RequestContext.get().getClientIPAddress());
request.setForwardedAddresses(RequestContext.get().getForwardedAddresses());
request.setRemoteIPAddress(RequestContext.get().getClientIPAddress());
+
ret = authorizer.isAccessAllowed(request);
} catch (AtlasAuthorizationException e) {
LOG.error("Unable to obtain AtlasAuthorizer", e);
@@ -186,6 +195,7 @@ public static boolean isAccessAllowed(AtlasRelationshipAccessRequest request) {
request.setClientIPAddress(RequestContext.get().getClientIPAddress());
request.setForwardedAddresses(RequestContext.get().getForwardedAddresses());
request.setRemoteIPAddress(RequestContext.get().getClientIPAddress());
+
ret = authorizer.isAccessAllowed(request);
} catch (AtlasAuthorizationException e) {
LOG.error("Unable to obtain AtlasAuthorizer", e);
@@ -200,8 +210,8 @@ public static boolean isAccessAllowed(AtlasRelationshipAccessRequest request) {
}
public static void filterTypesDef(AtlasTypesDefFilterRequest request) {
- MetricRecorder metric = RequestContext.get().startMetricRecord("filterTypesDef");
- String userName = getCurrentUserName();
+ MetricRecorder metric = RequestContext.get().startMetricRecord("filterTypesDef");
+ String userName = getCurrentUserName();
if (StringUtils.isNotEmpty(userName) && !RequestContext.get().isImportInProgress()) {
try {
@@ -221,13 +231,14 @@ public static void filterTypesDef(AtlasTypesDefFilterRequest request) {
RequestContext.get().endMetricRecord(metric);
}
- public static List getForwardedAddressesFromRequest(HttpServletRequest httpServletRequest){
- String ipAddress = httpServletRequest.getHeader("X-FORWARDED-FOR");
- String[] forwardedAddresses = null ;
+ public static List getForwardedAddressesFromRequest(HttpServletRequest httpServletRequest) {
+ String ipAddress = httpServletRequest.getHeader("X-FORWARDED-FOR");
+ String[] forwardedAddresses = null;
- if(!StringUtils.isEmpty(ipAddress)){
+ if (!StringUtils.isEmpty(ipAddress)) {
forwardedAddresses = ipAddress.split(",");
}
+
return forwardedAddresses != null ? Arrays.asList(forwardedAddresses) : null;
}
@@ -245,8 +256,6 @@ public static String getRequestIpAddress(HttpServletRequest httpServletRequest)
return ret;
}
-
-
public static String getCurrentUserName() {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java
index 21b8cf905d..845b05f9a6 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -18,7 +18,6 @@
package org.apache.atlas.authorize;
-
import org.apache.atlas.model.instance.AtlasEntityHeader;
public interface AtlasAuthorizer {
@@ -62,8 +61,7 @@ public interface AtlasAuthorizer {
* @return
* @throws AtlasAuthorizationException
*/
- default
- boolean isAccessAllowed(AtlasRelationshipAccessRequest request) throws AtlasAuthorizationException {
+ default boolean isAccessAllowed(AtlasRelationshipAccessRequest request) throws AtlasAuthorizationException {
return true;
}
@@ -73,36 +71,33 @@ boolean isAccessAllowed(AtlasRelationshipAccessRequest request) throws AtlasAuth
* @return
* @throws AtlasAuthorizationException
*/
- default
- void scrubSearchResults(AtlasSearchResultScrubRequest request) throws AtlasAuthorizationException {
+ default void scrubSearchResults(AtlasSearchResultScrubRequest request) throws AtlasAuthorizationException {
}
- default
- void scrubEntityHeader(AtlasEntityHeader entity) {
+ default void scrubEntityHeader(AtlasEntityHeader entity) {
entity.setGuid("-1");
- if(entity.getAttributes() != null) {
+ if (entity.getAttributes() != null) {
entity.getAttributes().clear();
}
- if(entity.getClassifications() != null) {
+ if (entity.getClassifications() != null) {
entity.getClassifications().clear();
}
- if(entity.getClassificationNames() != null) {
+ if (entity.getClassificationNames() != null) {
entity.getClassificationNames().clear();
}
- if(entity.getMeanings() != null) {
+ if (entity.getMeanings() != null) {
entity.getMeanings().clear();
}
- if(entity.getMeaningNames() != null) {
+ if (entity.getMeaningNames() != null) {
entity.getMeaningNames().clear();
}
}
- default
- void filterTypesDef(AtlasTypesDefFilterRequest request) throws AtlasAuthorizationException {
+ default void filterTypesDef(AtlasTypesDefFilterRequest request) throws AtlasAuthorizationException {
}
}
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java
index 72037eabbe..d72fdda748 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java
@@ -26,7 +26,6 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-
public class AtlasAuthorizerFactory {
private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthorizerFactory.class);
@@ -34,14 +33,20 @@ public class AtlasAuthorizerFactory {
private static final String SIMPLE_AUTHORIZER = AtlasSimpleAuthorizer.class.getName();
private static final String RANGER_AUTHORIZER = "org.apache.ranger.authorization.atlas.authorizer.RangerAtlasAuthorizer";
- private static volatile AtlasAuthorizer INSTANCE = null;
+ private static volatile AtlasAuthorizer instance;
+
+ private AtlasAuthorizerFactory() {
+ // to block instantiation
+ }
public static AtlasAuthorizer getAtlasAuthorizer() throws AtlasAuthorizationException {
- AtlasAuthorizer ret = INSTANCE;
+ AtlasAuthorizer ret = AtlasAuthorizerFactory.instance;
if (ret == null) {
synchronized (AtlasAuthorizerFactory.class) {
- if (INSTANCE == null) {
+ ret = AtlasAuthorizerFactory.instance;
+
+ if (ret == null) {
Configuration configuration = null;
try {
@@ -67,21 +72,19 @@ public static AtlasAuthorizer getAtlasAuthorizer() throws AtlasAuthorizationExce
LOG.info("Initializing Authorizer {}", authorizerClass);
try {
- Class authorizerMetaObject = Class.forName(authorizerClass);
+ Class authorizerMetaObject = Class.forName(authorizerClass);
- if (authorizerMetaObject != null) {
- INSTANCE = (AtlasAuthorizer) authorizerMetaObject.newInstance();
+ ret = (AtlasAuthorizer) authorizerMetaObject.newInstance();
- INSTANCE.init();
- }
+ ret.init();
+
+ AtlasAuthorizerFactory.instance = ret;
} catch (Exception e) {
LOG.error("Error while creating authorizer of type {}", authorizerClass, e);
throw new AtlasAuthorizationException("Error while creating authorizer of type '" + authorizerClass + "'", e);
}
}
-
- ret = INSTANCE;
}
}
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java
index 6d49d54b11..10b8d47929 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -34,7 +34,6 @@ public class AtlasEntityAccessRequest extends AtlasAccessRequest {
private final AtlasTypeRegistry typeRegistry;
private final Set entityClassifications;
-
public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action) {
this(typeRegistry, action, null, null, null, null, null, null, null);
}
@@ -197,5 +196,3 @@ public AtlasEntityAccessRequest build() {
}
}
}
-
-
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasNoneAuthorizer.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasNoneAuthorizer.java
index a371049441..86909d9249 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasNoneAuthorizer.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasNoneAuthorizer.java
@@ -21,7 +21,6 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-
public class AtlasNoneAuthorizer implements AtlasAuthorizer {
private static final Logger LOG = LoggerFactory.getLogger(AtlasNoneAuthorizer.class);
@@ -33,24 +32,24 @@ public void cleanUp() {
LOG.info("AtlasNoneAuthorizer.cleanUp()");
}
- public boolean isAccessAllowed(AtlasAdminAccessRequest request) throws AtlasAuthorizationException {
+ public boolean isAccessAllowed(AtlasAdminAccessRequest request) {
return true;
}
- public boolean isAccessAllowed(AtlasEntityAccessRequest request) throws AtlasAuthorizationException {
+ public boolean isAccessAllowed(AtlasEntityAccessRequest request) {
return true;
}
- public boolean isAccessAllowed(AtlasTypeAccessRequest request) throws AtlasAuthorizationException {
+ public boolean isAccessAllowed(AtlasTypeAccessRequest request) {
return true;
}
@Override
- public boolean isAccessAllowed(AtlasRelationshipAccessRequest request) throws AtlasAuthorizationException {
+ public boolean isAccessAllowed(AtlasRelationshipAccessRequest request) {
return true;
}
- public void scrubSearchResults(AtlasSearchResultScrubRequest request) throws AtlasAuthorizationException {
-
+ @Override
+ public void scrubSearchResults(AtlasSearchResultScrubRequest request) {
}
}
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java
index f270844c5b..68402fd507 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -18,45 +18,45 @@
package org.apache.atlas.authorize;
public enum AtlasPrivilege {
- TYPE_CREATE("type-create"),
- TYPE_UPDATE("type-update"),
- TYPE_DELETE("type-delete"),
+ TYPE_CREATE("type-create"),
+ TYPE_UPDATE("type-update"),
+ TYPE_DELETE("type-delete"),
- ENTITY_READ("entity-read"),
- ENTITY_CREATE("entity-create"),
- ENTITY_UPDATE("entity-update"),
- ENTITY_DELETE("entity-delete"),
- ENTITY_READ_CLASSIFICATION("entity-read-classification"),
- ENTITY_ADD_CLASSIFICATION("entity-add-classification"),
- ENTITY_UPDATE_CLASSIFICATION("entity-update-classification"),
- ENTITY_REMOVE_CLASSIFICATION("entity-remove-classification"),
+ ENTITY_READ("entity-read"),
+ ENTITY_CREATE("entity-create"),
+ ENTITY_UPDATE("entity-update"),
+ ENTITY_DELETE("entity-delete"),
+ ENTITY_READ_CLASSIFICATION("entity-read-classification"),
+ ENTITY_ADD_CLASSIFICATION("entity-add-classification"),
+ ENTITY_UPDATE_CLASSIFICATION("entity-update-classification"),
+ ENTITY_REMOVE_CLASSIFICATION("entity-remove-classification"),
- ADMIN_EXPORT("admin-export"),
- ADMIN_IMPORT("admin-import"),
+ ADMIN_EXPORT("admin-export"),
+ ADMIN_IMPORT("admin-import"),
- RELATIONSHIP_ADD("add-relationship"),
- RELATIONSHIP_UPDATE("update-relationship"),
- RELATIONSHIP_REMOVE("remove-relationship"),
+ RELATIONSHIP_ADD("add-relationship"),
+ RELATIONSHIP_UPDATE("update-relationship"),
+ RELATIONSHIP_REMOVE("remove-relationship"),
- ADMIN_PURGE("admin-purge"),
+ ADMIN_PURGE("admin-purge"),
- ENTITY_ADD_LABEL("entity-add-label"),
- ENTITY_REMOVE_LABEL("entity-remove-label"),
- ENTITY_UPDATE_BUSINESS_METADATA("entity-update-business-metadata"),
+ ENTITY_ADD_LABEL("entity-add-label"),
+ ENTITY_REMOVE_LABEL("entity-remove-label"),
+ ENTITY_UPDATE_BUSINESS_METADATA("entity-update-business-metadata"),
- TYPE_READ("type-read"),
+ TYPE_READ("type-read"),
- ADMIN_AUDITS("admin-audits"),
+ ADMIN_AUDITS("admin-audits"),
- SERVICE_NOTIFICATION_POST("service-notification-post");
+ SERVICE_NOTIFICATION_POST("service-notification-post");
- private final String type;
+ private final String type;
- AtlasPrivilege(String actionType){
- this.type = actionType;
- }
+ AtlasPrivilege(String actionType) {
+ this.type = actionType;
+ }
- public String getType() {
- return type;
- }
+ public String getType() {
+ return type;
+ }
}
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasRelationshipAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasRelationshipAccessRequest.java
index b530c01dd4..de43897973 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasRelationshipAccessRequest.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasRelationshipAccessRequest.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -25,11 +25,10 @@
public class AtlasRelationshipAccessRequest extends AtlasAccessRequest {
private final AtlasTypeRegistry typeRegistry;
- private final String relationshipType ;
+ private final String relationshipType;
private final AtlasEntityHeader end1Entity;
private final AtlasEntityHeader end2Entity;
-
public AtlasRelationshipAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, String relationshipType, AtlasEntityHeader end1Entity, AtlasEntityHeader end2Entity) {
this(typeRegistry, action, relationshipType, end1Entity, end2Entity, null, null);
}
@@ -55,7 +54,6 @@ public String getRelationshipType() {
return relationshipType;
}
-
public Set getEnd1EntityTypeAndAllSuperTypes() {
return super.getEntityTypeAndAllSuperTypes(end1Entity == null ? null : end1Entity.getTypeName(), typeRegistry);
}
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasSearchResultScrubRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasSearchResultScrubRequest.java
index 63468a7a38..52849dea44 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasSearchResultScrubRequest.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasSearchResultScrubRequest.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -26,7 +26,6 @@ public class AtlasSearchResultScrubRequest extends AtlasAccessRequest {
private final AtlasTypeRegistry typeRegistry;
private final AtlasSearchResult searchResult;
-
public AtlasSearchResultScrubRequest(AtlasTypeRegistry typeRegistry, AtlasSearchResult searchResult) {
this(typeRegistry, searchResult, null, null);
}
@@ -38,7 +37,9 @@ public AtlasSearchResultScrubRequest(AtlasTypeRegistry typeRegistry, AtlasSearch
this.searchResult = searchResult;
}
- public AtlasTypeRegistry getTypeRegistry() { return typeRegistry; }
+ public AtlasTypeRegistry getTypeRegistry() {
+ return typeRegistry;
+ }
public AtlasSearchResult getSearchResult() {
return searchResult;
@@ -51,5 +52,3 @@ public String toString() {
", forwardedAddresses=" + getForwardedAddresses() + ", remoteIPAddress=" + getRemoteIPAddress() + "]";
}
}
-
-
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java
index 510be35222..e645e3087b 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -24,7 +24,6 @@
public class AtlasTypeAccessRequest extends AtlasAccessRequest {
private final AtlasBaseTypeDef typeDef;
-
public AtlasTypeAccessRequest(AtlasPrivilege action, AtlasBaseTypeDef typeDef) {
super(action);
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypesDefFilterRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypesDefFilterRequest.java
index a2dc11f8fc..ed40a5c688 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypesDefFilterRequest.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypesDefFilterRequest.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -24,7 +24,6 @@
public class AtlasTypesDefFilterRequest extends AtlasAccessRequest {
private final AtlasTypesDef typesDef;
-
public AtlasTypesDefFilterRequest(AtlasTypesDef typesDef) {
super(AtlasPrivilege.TYPE_READ);
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java
index d80cab4bc0..e5687249df 100755
--- a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -18,18 +18,22 @@
package org.apache.atlas.authorize.simple;
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.ListIterator;
-import java.util.Set;
-
import org.apache.atlas.ApplicationProperties;
import org.apache.atlas.AtlasException;
-import org.apache.atlas.authorize.*;
-import org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.*;
+import org.apache.atlas.authorize.AtlasAccessRequest;
+import org.apache.atlas.authorize.AtlasAdminAccessRequest;
+import org.apache.atlas.authorize.AtlasAuthorizer;
+import org.apache.atlas.authorize.AtlasEntityAccessRequest;
+import org.apache.atlas.authorize.AtlasPrivilege;
+import org.apache.atlas.authorize.AtlasRelationshipAccessRequest;
+import org.apache.atlas.authorize.AtlasSearchResultScrubRequest;
+import org.apache.atlas.authorize.AtlasTypeAccessRequest;
+import org.apache.atlas.authorize.AtlasTypesDefFilterRequest;
+import org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.AtlasAdminPermission;
+import org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.AtlasAuthzRole;
+import org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.AtlasEntityPermission;
+import org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.AtlasRelationshipPermission;
+import org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.AtlasTypePermission;
import org.apache.atlas.model.discovery.AtlasSearchResult;
import org.apache.atlas.model.discovery.AtlasSearchResult.AtlasFullTextResult;
import org.apache.atlas.model.instance.AtlasEntityHeader;
@@ -42,6 +46,13 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.HashSet;
+import java.util.List;
+import java.util.ListIterator;
+import java.util.Set;
+
import static org.apache.atlas.authorize.AtlasPrivilege.ENTITY_ADD_CLASSIFICATION;
import static org.apache.atlas.authorize.AtlasPrivilege.ENTITY_REMOVE_CLASSIFICATION;
import static org.apache.atlas.authorize.AtlasPrivilege.ENTITY_UPDATE_CLASSIFICATION;
@@ -50,22 +61,15 @@
import static org.apache.atlas.authorize.AtlasPrivilege.TYPE_READ;
import static org.apache.atlas.authorize.AtlasPrivilege.TYPE_UPDATE;
-
public final class AtlasSimpleAuthorizer implements AtlasAuthorizer {
private static final Logger LOG = LoggerFactory.getLogger(AtlasSimpleAuthorizer.class);
- private final static String WILDCARD_ASTERISK = "*";
-
- private final static Set CLASSIFICATION_PRIVILEGES = new HashSet() {{
- add(ENTITY_ADD_CLASSIFICATION);
- add(ENTITY_REMOVE_CLASSIFICATION);
- add(ENTITY_UPDATE_CLASSIFICATION);
- }};
+ private static final Set CLASSIFICATION_PRIVILEGES = new HashSet<>();
+ private static final String REGEX_MATCHALL = ".*";
+ private static final String WILDCARD_ASTERISK = "*";
private AtlasSimpleAuthzPolicy authzPolicy;
- private final static String REGEX_MATCHALL = ".*";
-
public AtlasSimpleAuthorizer() {
}
@@ -73,11 +77,7 @@ public AtlasSimpleAuthorizer() {
public void init() {
LOG.info("==> SimpleAtlasAuthorizer.init()");
- InputStream inputStream = null;
-
- try {
- inputStream = ApplicationProperties.getFileAsInputStream(ApplicationProperties.get(), "atlas.authorizer.simple.authz.policy.file", "atlas-simple-authz-policy.json");
-
+ try (InputStream inputStream = ApplicationProperties.getFileAsInputStream(ApplicationProperties.get(), "atlas.authorizer.simple.authz.policy.file", "atlas-simple-authz-policy.json")) {
authzPolicy = AtlasJson.fromJson(inputStream, AtlasSimpleAuthzPolicy.class);
addImpliedTypeReadPrivilege(authzPolicy);
@@ -85,14 +85,6 @@ public void init() {
LOG.error("SimpleAtlasAuthorizer.init(): initialization failed", e);
throw new RuntimeException(e);
- } finally {
- if (inputStream != null) {
- try {
- inputStream.close();
- } catch (IOException excp) {
- // ignore
- }
- }
}
LOG.info("<== SimpleAtlasAuthorizer.init()");
@@ -108,13 +100,10 @@ public void cleanUp() {
}
@Override
- public boolean isAccessAllowed(AtlasAdminAccessRequest request) throws AtlasAuthorizationException {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", request);
- }
-
- boolean ret = false;
+ public boolean isAccessAllowed(AtlasAdminAccessRequest request) {
+ LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", request);
+ boolean ret = false;
Set roles = getRoles(request.getUser(), request.getUserGroups());
for (String role : roles) {
@@ -133,19 +122,60 @@ public boolean isAccessAllowed(AtlasAdminAccessRequest request) throws AtlasAuth
}
}
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}", request, ret);
- }
+ LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}", request, ret);
return ret;
}
@Override
- public boolean isAccessAllowed(AtlasTypeAccessRequest request) throws AtlasAuthorizationException {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", request);
+ public boolean isAccessAllowed(AtlasEntityAccessRequest request) {
+ LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", request);
+
+ boolean ret = false;
+ final String action = request.getAction() != null ? request.getAction().getType() : null;
+ final Set entityTypes = request.getEntityTypeAndAllSuperTypes();
+ final String entityId = request.getEntityId();
+ final String attribute = request.getAttributeName();
+ final Set entClsToAuthz = new HashSet<>(request.getEntityClassifications());
+ final Set roles = getRoles(request.getUser(), request.getUserGroups());
+
+ for (String role : roles) {
+ List permissions = getEntityPermissionsForRole(role);
+
+ if (permissions != null) {
+ for (AtlasEntityPermission permission : permissions) {
+ if (isMatch(action, permission.getPrivileges()) && isMatchAny(entityTypes, permission.getEntityTypes()) &&
+ isMatch(entityId, permission.getEntityIds()) && isMatch(attribute, permission.getAttributes()) &&
+ isLabelMatch(request, permission) && isBusinessMetadataMatch(request, permission) && isClassificationMatch(request, permission)) {
+ // 1. entity could have multiple classifications
+ // 2. access for these classifications could be granted by multiple AtlasEntityPermission entries
+ // 3. classifications allowed by the current permission will be removed from entClsToAuthz
+ // 4. request will be allowed once entClsToAuthz is empty i.e. user has permission for all classifications
+ entClsToAuthz.removeIf(entityClassification -> isMatchAny(request.getClassificationTypeAndAllSuperTypes(entityClassification), permission.getEntityClassifications()));
+
+ ret = CollectionUtils.isEmpty(entClsToAuthz);
+
+ if (ret) {
+ break;
+ }
+ }
+ }
+ }
}
+ if (!ret) {
+ LOG.debug("isAccessAllowed={}; classificationsWithNoAccess={}", ret, entClsToAuthz);
+ }
+
+ LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}", request, ret);
+
+ return ret;
+ }
+
+ @Override
+ public boolean isAccessAllowed(AtlasTypeAccessRequest request) {
+ LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", request);
+
boolean ret = false;
Set roles = getRoles(request.getUser(), request.getUserGroups());
@@ -160,8 +190,8 @@ public boolean isAccessAllowed(AtlasTypeAccessRequest request) throws AtlasAutho
for (AtlasTypePermission permission : permissions) {
if (isMatch(action, permission.getPrivileges()) &&
- isMatch(typeCategory, permission.getTypeCategories()) &&
- isMatch(typeName, permission.getTypeNames())) {
+ isMatch(typeCategory, permission.getTypeCategories()) &&
+ isMatch(typeName, permission.getTypeNames())) {
ret = true;
break;
@@ -170,15 +200,13 @@ public boolean isAccessAllowed(AtlasTypeAccessRequest request) throws AtlasAutho
}
}
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}", request, ret);
- }
+ LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}", request, ret);
return ret;
}
@Override
- public boolean isAccessAllowed(AtlasRelationshipAccessRequest request) throws AtlasAuthorizationException {
+ public boolean isAccessAllowed(AtlasRelationshipAccessRequest request) {
final Set roles = getRoles(request.getUser(), request.getUserGroups());
final String relationShipType = request.getRelationshipType();
final Set end1EntityTypeAndSuperTypes = request.getEnd1EntityTypeAndAllSuperTypes();
@@ -203,29 +231,17 @@ public boolean isAccessAllowed(AtlasRelationshipAccessRequest request) throws At
if (isMatch(relationShipType, permission.getRelationshipTypes()) && isMatch(action, permission.getPrivileges())) {
//End1 permission check
if (!hasEnd1EntityAccess) {
- if (isMatchAny(end1EntityTypeAndSuperTypes, permission.getEnd1EntityType()) && isMatch(end1EntityId, permission.getEnd1EntityId())) {
- for (Iterator iter = end1Classifications.iterator(); iter.hasNext();) {
- String entityClassification = iter.next();
+ if (isMatchAny(end1EntityTypeAndSuperTypes, permission.getEnd1EntityType()) && isMatch(end1EntityId, permission.getEnd1EntityId())) {
+ end1Classifications.removeIf(entityClassification -> isMatchAny(request.getClassificationTypeAndAllSuperTypes(entityClassification), permission.getEnd1EntityClassification()));
- if (isMatchAny(request.getClassificationTypeAndAllSuperTypes(entityClassification), permission.getEnd1EntityClassification())) {
- iter.remove();
- }
- }
-
- hasEnd1EntityAccess = CollectionUtils.isEmpty(end1Classifications);
+ hasEnd1EntityAccess = CollectionUtils.isEmpty(end1Classifications);
}
}
//End2 permission chech
if (!hasEnd2EntityAccess) {
if (isMatchAny(end2EntityTypeAndSuperTypes, permission.getEnd2EntityType()) && isMatch(end2EntityId, permission.getEnd2EntityId())) {
- for (Iterator iter = end2Classifications.iterator(); iter.hasNext();) {
- String entityClassification = iter.next();
-
- if (isMatchAny(request.getClassificationTypeAndAllSuperTypes(entityClassification), permission.getEnd2EntityClassification())) {
- iter.remove();
- }
- }
+ end2Classifications.removeIf(entityClassification -> isMatchAny(request.getClassificationTypeAndAllSuperTypes(entityClassification), permission.getEnd2EntityClassification()));
hasEnd2EntityAccess = CollectionUtils.isEmpty(end2Classifications);
}
@@ -238,66 +254,8 @@ public boolean isAccessAllowed(AtlasRelationshipAccessRequest request) throws At
}
@Override
- public boolean isAccessAllowed(AtlasEntityAccessRequest request) throws AtlasAuthorizationException {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", request);
- }
-
- boolean ret = false;
- final String action = request.getAction() != null ? request.getAction().getType() : null;
- final Set entityTypes = request.getEntityTypeAndAllSuperTypes();
- final String entityId = request.getEntityId();
- final String attribute = request.getAttributeName();
- final Set entClsToAuthz = new HashSet<>(request.getEntityClassifications());
- final Set roles = getRoles(request.getUser(), request.getUserGroups());
-
- for (String role : roles) {
- List permissions = getEntityPermissionsForRole(role);
-
- if (permissions != null) {
- for (AtlasEntityPermission permission : permissions) {
- if (isMatch(action, permission.getPrivileges()) && isMatchAny(entityTypes, permission.getEntityTypes()) &&
- isMatch(entityId, permission.getEntityIds()) && isMatch(attribute, permission.getAttributes()) &&
- isLabelMatch(request, permission) && isBusinessMetadataMatch(request, permission) && isClassificationMatch(request, permission)) {
-
- // 1. entity could have multiple classifications
- // 2. access for these classifications could be granted by multiple AtlasEntityPermission entries
- // 3. classifications allowed by the current permission will be removed from entClsToAuthz
- // 4. request will be allowed once entClsToAuthz is empty i.e. user has permission for all classifications
- for (Iterator iter = entClsToAuthz.iterator(); iter.hasNext(); ) {
- String entityClassification = iter.next();
-
- if (isMatchAny(request.getClassificationTypeAndAllSuperTypes(entityClassification), permission.getEntityClassifications())) {
- iter.remove();
- }
- }
-
- ret = CollectionUtils.isEmpty(entClsToAuthz);
-
- if (ret) {
- break;
- }
- }
- }
- }
- }
-
- if (LOG.isDebugEnabled()) {
- if (!ret) {
- LOG.debug("isAccessAllowed={}; classificationsWithNoAccess={}", ret, entClsToAuthz);
- }
-
- LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}", request, ret);
- }
-
- return ret;
- }
-
- @Override
- public void scrubSearchResults(AtlasSearchResultScrubRequest request) throws AtlasAuthorizationException {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> SimpleAtlasAuthorizer.scrubSearchResults({})", request);
- }
+ public void scrubSearchResults(AtlasSearchResultScrubRequest request) {
+ LOG.debug("==> SimpleAtlasAuthorizer.scrubSearchResults({})", request);
final AtlasSearchResult result = request.getSearchResult();
@@ -321,13 +279,11 @@ public void scrubSearchResults(AtlasSearchResultScrubRequest request) throws Atl
}
}
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== SimpleAtlasAuthorizer.scrubSearchResults({}): {}", request, result);
- }
+ LOG.debug("<== SimpleAtlasAuthorizer.scrubSearchResults({}): {}", request, result);
}
@Override
- public void filterTypesDef(AtlasTypesDefFilterRequest request) throws AtlasAuthorizationException {
+ public void filterTypesDef(AtlasTypesDefFilterRequest request) {
AtlasTypesDef typesDef = request.getTypesDef();
filterTypes(request, typesDef.getEnumDefs());
@@ -361,9 +317,7 @@ private Set getRoles(String userName, Set userGroups) {
}
}
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== getRoles({}, {}): {}", userName, userGroups, ret);
- }
+ LOG.debug("<== getRoles({}, {}): {}", userName, userGroups, ret);
return ret;
}
@@ -404,7 +358,6 @@ private List getEntityPermissionsForRole(String roleName)
return ret;
}
-
private List getRelationshipPermissionsForRole(String roleName) {
List ret = null;
@@ -418,11 +371,9 @@ private List getRelationshipPermissionsForRole(Stri
}
private boolean isMatch(String value, List patterns) {
- boolean ret = false;
+ boolean ret = value == null;
- if (value == null) {
- ret = true;
- } if (CollectionUtils.isNotEmpty(patterns)) {
+ if (CollectionUtils.isNotEmpty(patterns)) {
for (String pattern : patterns) {
if (isMatch(value, pattern)) {
ret = true;
@@ -432,7 +383,7 @@ private boolean isMatch(String value, List patterns) {
}
}
- if (!ret && LOG.isDebugEnabled()) {
+ if (!ret) {
LOG.debug("<== isMatch({}, {}): {}", value, patterns, ret);
}
@@ -440,11 +391,9 @@ private boolean isMatch(String value, List patterns) {
}
private boolean isMatchAny(Set values, List patterns) {
- boolean ret = false;
+ boolean ret = CollectionUtils.isEmpty(values);
- if (CollectionUtils.isEmpty(values)) {
- ret = true;
- }if (CollectionUtils.isNotEmpty(patterns)) {
+ if (CollectionUtils.isNotEmpty(patterns)) {
for (String value : values) {
if (isMatch(value, patterns)) {
ret = true;
@@ -454,7 +403,7 @@ private boolean isMatchAny(Set values, List patterns) {
}
}
- if (!ret && LOG.isDebugEnabled()) {
+ if (!ret) {
LOG.debug("<== isMatchAny({}, {}): {}", values, patterns, ret);
}
@@ -473,7 +422,7 @@ private boolean isMatch(String value, String pattern) {
return ret;
}
- private void checkAccessAndScrub(AtlasEntityHeader entity, AtlasSearchResultScrubRequest request) throws AtlasAuthorizationException {
+ private void checkAccessAndScrub(AtlasEntityHeader entity, AtlasSearchResultScrubRequest request) {
if (entity != null && request != null) {
final AtlasEntityAccessRequest entityAccessRequest = new AtlasEntityAccessRequest(request.getTypeRegistry(), AtlasPrivilege.ENTITY_READ, entity, request.getUser(), request.getUserGroups());
@@ -486,20 +435,20 @@ private void checkAccessAndScrub(AtlasEntityHeader entity, AtlasSearchResultScru
}
private boolean isLabelMatch(AtlasEntityAccessRequest request, AtlasEntityPermission permission) {
- return (AtlasPrivilege.ENTITY_ADD_LABEL.equals(request.getAction()) || AtlasPrivilege.ENTITY_REMOVE_LABEL.equals(request.getAction())) ? isMatch(request.getLabel(), permission.getLabels()) : true;
+ return !AtlasPrivilege.ENTITY_ADD_LABEL.equals(request.getAction()) && !AtlasPrivilege.ENTITY_REMOVE_LABEL.equals(request.getAction()) || isMatch(request.getLabel(), permission.getLabels());
}
private boolean isBusinessMetadataMatch(AtlasEntityAccessRequest request, AtlasEntityPermission permission) {
- return AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA.equals(request.getAction()) ? isMatch(request.getBusinessMetadata(), permission.getBusinessMetadata()) : true;
+ return !AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA.equals(request.getAction()) || isMatch(request.getBusinessMetadata(), permission.getBusinessMetadata());
}
private boolean isClassificationMatch(AtlasEntityAccessRequest request, AtlasEntityPermission permission) {
- return (CLASSIFICATION_PRIVILEGES.contains(request.getAction()) && request.getClassification() != null) ? isMatch(request.getClassification().getTypeName(), permission.getClassifications()) : true;
+ return !CLASSIFICATION_PRIVILEGES.contains(request.getAction()) || request.getClassification() == null || isMatch(request.getClassification().getTypeName(), permission.getClassifications());
}
- private void filterTypes(AtlasAccessRequest request, List typeDefs)throws AtlasAuthorizationException {
+ private void filterTypes(AtlasAccessRequest request, List typeDefs) {
if (typeDefs != null) {
- for (ListIterator iter = typeDefs.listIterator(); iter.hasNext();) {
+ for (ListIterator iter = typeDefs.listIterator(); iter.hasNext(); ) {
AtlasBaseTypeDef typeDef = iter.next();
AtlasTypeAccessRequest typeRequest = new AtlasTypeAccessRequest(request.getAction(), typeDef, request.getUser(), request.getUserGroups());
@@ -536,6 +485,10 @@ private void addImpliedTypeReadPrivilege(AtlasSimpleAuthzPolicy policy) {
}
}
}
-}
-
+ static {
+ CLASSIFICATION_PRIVILEGES.add(ENTITY_ADD_CLASSIFICATION);
+ CLASSIFICATION_PRIVILEGES.add(ENTITY_REMOVE_CLASSIFICATION);
+ CLASSIFICATION_PRIVILEGES.add(ENTITY_UPDATE_CLASSIFICATION);
+ }
+}
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzPolicy.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzPolicy.java
index ee13233efd..b4899a8bdf 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzPolicy.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzPolicy.java
@@ -1,13 +1,14 @@
-/** Licensed to the Apache Software Foundation (ASF) under one
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -18,11 +19,12 @@
import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import com.fasterxml.jackson.annotation.JsonInclude;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlRootElement;
+
import java.io.Serializable;
import java.util.List;
import java.util.Map;
@@ -30,9 +32,9 @@
import static com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility.NONE;
import static com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility.PUBLIC_ONLY;
-@JsonAutoDetect(getterVisibility=PUBLIC_ONLY, setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE)
-@JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL)
-@JsonIgnoreProperties(ignoreUnknown=true)
+@JsonAutoDetect(getterVisibility = PUBLIC_ONLY, setterVisibility = PUBLIC_ONLY, fieldVisibility = NONE)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown = true)
@XmlRootElement
@XmlAccessorType(XmlAccessType.PROPERTY)
public class AtlasSimpleAuthzPolicy implements Serializable {
@@ -42,7 +44,6 @@ public class AtlasSimpleAuthzPolicy implements Serializable {
private Map> userRoles;
private Map> groupRoles;
-
public Map getRoles() {
return roles;
}
@@ -67,10 +68,9 @@ public void setGroupRoles(Map> groupRoles) {
this.groupRoles = groupRoles;
}
-
- @JsonAutoDetect(getterVisibility=PUBLIC_ONLY, setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE)
- @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL)
- @JsonIgnoreProperties(ignoreUnknown=true)
+ @JsonAutoDetect(getterVisibility = PUBLIC_ONLY, setterVisibility = PUBLIC_ONLY, fieldVisibility = NONE)
+ @JsonInclude(JsonInclude.Include.NON_NULL)
+ @JsonIgnoreProperties(ignoreUnknown = true)
@XmlRootElement
@XmlAccessorType(XmlAccessType.PROPERTY)
public static class AtlasAuthzRole implements Serializable {
@@ -122,12 +122,11 @@ public List getRelationshipPermissions() {
public void setRelationshipPermissions(List relationshipPermissions) {
this.relationshipPermissions = relationshipPermissions;
}
-
}
- @JsonAutoDetect(getterVisibility=PUBLIC_ONLY, setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE)
- @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL)
- @JsonIgnoreProperties(ignoreUnknown=true)
+ @JsonAutoDetect(getterVisibility = PUBLIC_ONLY, setterVisibility = PUBLIC_ONLY, fieldVisibility = NONE)
+ @JsonInclude(JsonInclude.Include.NON_NULL)
+ @JsonIgnoreProperties(ignoreUnknown = true)
@XmlRootElement
@XmlAccessorType(XmlAccessType.PROPERTY)
public static class AtlasAdminPermission implements Serializable {
@@ -151,9 +150,9 @@ public void setPrivileges(List privileges) {
}
}
- @JsonAutoDetect(getterVisibility=PUBLIC_ONLY, setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE)
- @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL)
- @JsonIgnoreProperties(ignoreUnknown=true)
+ @JsonAutoDetect(getterVisibility = PUBLIC_ONLY, setterVisibility = PUBLIC_ONLY, fieldVisibility = NONE)
+ @JsonInclude(JsonInclude.Include.NON_NULL)
+ @JsonIgnoreProperties(ignoreUnknown = true)
@XmlRootElement
@XmlAccessorType(XmlAccessType.PROPERTY)
public static class AtlasTypePermission implements Serializable {
@@ -197,9 +196,9 @@ public void setTypeNames(List typeNames) {
}
}
- @JsonAutoDetect(getterVisibility=PUBLIC_ONLY, setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE)
- @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL)
- @JsonIgnoreProperties(ignoreUnknown=true)
+ @JsonAutoDetect(getterVisibility = PUBLIC_ONLY, setterVisibility = PUBLIC_ONLY, fieldVisibility = NONE)
+ @JsonInclude(JsonInclude.Include.NON_NULL)
+ @JsonIgnoreProperties(ignoreUnknown = true)
@XmlRootElement
@XmlAccessorType(XmlAccessType.PROPERTY)
public static class AtlasEntityPermission implements Serializable {
@@ -297,10 +296,9 @@ public void setClassifications(List classifications) {
}
}
-
- @JsonAutoDetect(getterVisibility=PUBLIC_ONLY, setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE)
- @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL)
- @JsonIgnoreProperties(ignoreUnknown=true)
+ @JsonAutoDetect(getterVisibility = PUBLIC_ONLY, setterVisibility = PUBLIC_ONLY, fieldVisibility = NONE)
+ @JsonInclude(JsonInclude.Include.NON_NULL)
+ @JsonIgnoreProperties(ignoreUnknown = true)
@XmlRootElement
@XmlAccessorType(XmlAccessType.PROPERTY)
public static class AtlasRelationshipPermission implements Serializable {
@@ -315,7 +313,6 @@ public static class AtlasRelationshipPermission implements Serializable {
private List end2EntityId; // value of end2 entity-unique attribute, wildcards supported
private List end2EntityClassification; // name of end2 classification-type, wildcards supported
-
public AtlasRelationshipPermission() {
}
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzUpdateTool.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzUpdateTool.java
index fddde986be..83f3786a82 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzUpdateTool.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzUpdateTool.java
@@ -1,13 +1,14 @@
-/** Licensed to the Apache Software Foundation (ASF) under one
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -17,52 +18,46 @@
package org.apache.atlas.authorize.simple;
-import java.io.IOException;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializationFeature;
+import org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.AtlasAuthzRole;
+import org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.AtlasRelationshipPermission;
import java.io.File;
+import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
-
import java.util.ArrayList;
+import java.util.Collections;
import java.util.List;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.fasterxml.jackson.databind.*;
-import com.fasterxml.jackson.databind.SerializationFeature;
-
public class AtlasSimpleAuthzUpdateTool {
-
+ private AtlasSimpleAuthzUpdateTool() {
+ // to block instantiation
+ }
public static void main(String[] args) {
-
- if (args != null & args.length > 0) {
+ if (args != null && args.length > 0) {
updateSimpleAuthzJsonWithRelationshipPermissions(args[0]);
} else {
System.out.println("Provide Atlas conf path");
}
-
}
-
public static void updateSimpleAuthzJsonWithRelationshipPermissions(String jsonConfPath) {
-
- List wildCard = new ArrayList();
- wildCard.add(".*");
+ List wildCard = new ArrayList<>(Collections.singletonList(".*"));
try {
-
- ObjectMapper mapper = new ObjectMapper();
- AtlasSimpleAuthzPolicy authzPolicy = mapper.readValue(new File(jsonConfPath + "/atlas-simple-authz-policy.json"), AtlasSimpleAuthzPolicy.class);
-
-
- AtlasSimpleAuthzPolicy.AtlasAuthzRole dataAdmin = authzPolicy.getRoles().get("ROLE_ADMIN");
- boolean permissionUpdated = false;
-
+ ObjectMapper mapper = new ObjectMapper();
+ AtlasSimpleAuthzPolicy authzPolicy = mapper.readValue(new File(jsonConfPath + "/atlas-simple-authz-policy.json"), AtlasSimpleAuthzPolicy.class);
+ AtlasAuthzRole dataAdmin = authzPolicy.getRoles().get("ROLE_ADMIN");
+ boolean permissionUpdated = false;
if (dataAdmin != null && dataAdmin.getRelationshipPermissions() == null) {
- AtlasSimpleAuthzPolicy.AtlasRelationshipPermission relationshipPermissions = new AtlasSimpleAuthzPolicy.AtlasRelationshipPermission();
- relationshipPermissions.setPrivileges(wildCard);
+ AtlasRelationshipPermission relationshipPermissions = new AtlasRelationshipPermission();
+ relationshipPermissions.setPrivileges(wildCard);
relationshipPermissions.setRelationshipTypes(wildCard);
relationshipPermissions.setEnd1EntityClassification(wildCard);
@@ -73,25 +68,23 @@ public static void updateSimpleAuthzJsonWithRelationshipPermissions(String jsonC
relationshipPermissions.setEnd2EntityId(wildCard);
relationshipPermissions.setEnd2EntityType(wildCard);
- List relationshipPermissionsList = new ArrayList();
-
-
- relationshipPermissionsList.add(relationshipPermissions);
+ List relationshipPermissionsList = new ArrayList<>(Collections.singletonList(relationshipPermissions));
dataAdmin.setRelationshipPermissions(relationshipPermissionsList);
+
permissionUpdated = true;
}
-
- AtlasSimpleAuthzPolicy.AtlasAuthzRole dataSteward = authzPolicy.getRoles().get("DATA_STEWARD");
- List permissiondataSteward = new ArrayList();
+ AtlasAuthzRole dataSteward = authzPolicy.getRoles().get("DATA_STEWARD");
+ List permissiondataSteward = new ArrayList<>();
permissiondataSteward.add("add-relationship");
permissiondataSteward.add("update-relationship");
permissiondataSteward.add("remove-relationship");
if (dataSteward != null && dataSteward.getRelationshipPermissions() == null) {
- AtlasSimpleAuthzPolicy.AtlasRelationshipPermission relationshipPermissions = new AtlasSimpleAuthzPolicy.AtlasRelationshipPermission();
+ AtlasRelationshipPermission relationshipPermissions = new AtlasRelationshipPermission();
+
relationshipPermissions.setPrivileges(permissiondataSteward);
relationshipPermissions.setRelationshipTypes(wildCard);
@@ -103,29 +96,26 @@ public static void updateSimpleAuthzJsonWithRelationshipPermissions(String jsonC
relationshipPermissions.setEnd2EntityId(wildCard);
relationshipPermissions.setEnd2EntityType(wildCard);
+ List relationshipPermissionsList = new ArrayList<>(Collections.singletonList(relationshipPermissions));
- List relationshipPermissionsList = new ArrayList();
- relationshipPermissionsList.add(relationshipPermissions);
dataSteward.setRelationshipPermissions(relationshipPermissionsList);
+
permissionUpdated = true;
}
- if(permissionUpdated) {
+ if (permissionUpdated) {
writeUsingFiles(jsonConfPath + "/atlas-simple-authz-policy.json", toJson(authzPolicy, mapper));
}
-
-
} catch (Exception e) {
System.err.println(" Error while updating JSON " + e.getMessage());
}
-
}
-
public static String toJson(Object obj, ObjectMapper mapper) {
mapper.enable(SerializationFeature.INDENT_OUTPUT); // to beautify json
String ret;
+
try {
if (obj instanceof JsonNode && ((JsonNode) obj).isTextual()) {
ret = ((JsonNode) obj).textValue();
@@ -133,18 +123,17 @@ public static String toJson(Object obj, ObjectMapper mapper) {
ret = mapper.writeValueAsString(obj);
}
} catch (IOException e) {
-
ret = null;
}
+
return ret;
}
-
private static void writeUsingFiles(String file, String data) {
try {
- Files.write(Paths.get( file ), data.getBytes());
+ Files.write(Paths.get(file), data.getBytes());
} catch (IOException e) {
System.err.println(" Error while writeUsingFiles JSON " + e.getMessage());
}
}
-}
\ No newline at end of file
+}
diff --git a/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizerTest.java b/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizerTest.java
index 8d38ebe8cb..406af0f7f4 100644
--- a/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizerTest.java
+++ b/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizerTest.java
@@ -16,16 +16,22 @@
*/
package org.apache.atlas.authorize.simple;
-import org.apache.atlas.authorize.*;
+import org.apache.atlas.authorize.AtlasAccessRequest;
+import org.apache.atlas.authorize.AtlasAuthorizationException;
+import org.apache.atlas.authorize.AtlasAuthorizer;
+import org.apache.atlas.authorize.AtlasAuthorizerFactory;
+import org.apache.atlas.authorize.AtlasEntityAccessRequest;
+import org.apache.atlas.authorize.AtlasPrivilege;
import org.apache.atlas.model.instance.AtlasClassification;
import org.apache.atlas.model.instance.AtlasEntityHeader;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.testng.AssertJUnit;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;
-import org.testng.AssertJUnit;
+import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
@@ -34,7 +40,7 @@
import java.util.Set;
public class AtlasSimpleAuthorizerTest {
- private static Logger LOG = LoggerFactory.getLogger(AtlasSimpleAuthorizerTest.class);
+ private static final Logger LOG = LoggerFactory.getLogger(AtlasSimpleAuthorizerTest.class);
private static final String USER_ADMIN = "admin";
private static final String USER_DATA_SCIENTIST = "dataScientist";
@@ -45,29 +51,9 @@ public class AtlasSimpleAuthorizerTest {
private static final String USER_IN_ADMIN_GROUP = "admin-group-user";
private static final String USER_IN_UNKNOWN_GROUP = "unknown-group-user";
- private static final Map> USER_GROUPS = new HashMap>() {{
- put(USER_ADMIN, Collections.singleton("ROLE_ADMIN"));
- put(USER_DATA_STEWARD, Collections.emptySet());
- put(USER_DATA_SCIENTIST, Collections.emptySet());
- put(USER_DATA_STEWARD_EX, Collections.singleton("DATA_STEWARD_EX"));
- put(USER_FINANCE, Collections.singleton("FINANCE"));
- put(USER_FINANCE_PII, Collections.singleton("FINANCE_PII"));
- put(USER_IN_ADMIN_GROUP, Collections.singleton("ROLE_ADMIN"));
- put(USER_IN_UNKNOWN_GROUP, Collections.singleton("UNKNOWN_GROUP"));
- }};
-
- private static final List ENTITY_PRIVILEGES = Arrays.asList(AtlasPrivilege.ENTITY_CREATE,
- AtlasPrivilege.ENTITY_UPDATE,
- AtlasPrivilege.ENTITY_READ,
- AtlasPrivilege.ENTITY_ADD_CLASSIFICATION,
- AtlasPrivilege.ENTITY_UPDATE_CLASSIFICATION,
- AtlasPrivilege.ENTITY_REMOVE_CLASSIFICATION,
- AtlasPrivilege.ENTITY_READ_CLASSIFICATION,
- AtlasPrivilege.ENTITY_ADD_LABEL,
- AtlasPrivilege.ENTITY_REMOVE_LABEL,
- AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA);
-
- private static final List LABEL_PRIVILEGES = Arrays.asList(AtlasPrivilege.ENTITY_ADD_LABEL, AtlasPrivilege.ENTITY_REMOVE_LABEL);
+ private static final Map> USER_GROUPS = new HashMap<>();
+ private static final List ENTITY_PRIVILEGES = new ArrayList<>();
+ private static final List LABEL_PRIVILEGES = new ArrayList<>();
private String originalConf;
private AtlasAuthorizer authorizer;
@@ -94,7 +80,7 @@ public void tearDown() throws Exception {
authorizer = null;
}
- @Test(enabled = true)
+ @Test
public void testAllAllowedForAdminUser() {
try {
for (AtlasPrivilege privilege : AtlasPrivilege.values()) {
@@ -104,7 +90,7 @@ public void testAllAllowedForAdminUser() {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals(privilege.name() + " should have been allowed for user " + USER_DATA_SCIENTIST, true, isAccessAllowed);
+ AssertJUnit.assertTrue(privilege.name() + " should have been allowed for user " + USER_DATA_SCIENTIST, isAccessAllowed);
}
} catch (Exception e) {
LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
@@ -113,16 +99,16 @@ public void testAllAllowedForAdminUser() {
}
}
- @Test(enabled = true)
+ @Test
public void testAddPIIForStewardExUser() {
try {
- AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null , AtlasPrivilege.ENTITY_ADD_CLASSIFICATION, null, new AtlasClassification("PII"));
+ AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_ADD_CLASSIFICATION, null, new AtlasClassification("PII"));
setUser(request, USER_DATA_STEWARD_EX);
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + USER_DATA_STEWARD_EX + " should have been allowed to add PII", true, isAccessAllowed);
+ AssertJUnit.assertTrue("user " + USER_DATA_STEWARD_EX + " should have been allowed to add PII", isAccessAllowed);
} catch (Exception e) {
LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
@@ -130,11 +116,11 @@ public void testAddPIIForStewardExUser() {
}
}
- @Test(enabled = true)
+ @Test
public void testAddClassificationOnEntityWithClassificationForStewardExUser() {
try {
-
AtlasEntityHeader entityHeader = new AtlasEntityHeader();
+
entityHeader.setClassifications(Arrays.asList(new AtlasClassification("PII_1"), new AtlasClassification("PII_2")));
AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_ADD_CLASSIFICATION, entityHeader, new AtlasClassification("PII"));
@@ -143,7 +129,7 @@ public void testAddClassificationOnEntityWithClassificationForStewardExUser() {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + USER_DATA_STEWARD_EX + " should have been allowed to add PII", true, isAccessAllowed);
+ AssertJUnit.assertTrue("user " + USER_DATA_STEWARD_EX + " should have been allowed to add PII", isAccessAllowed);
} catch (Exception e) {
LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
@@ -151,11 +137,11 @@ public void testAddClassificationOnEntityWithClassificationForStewardExUser() {
}
}
- @Test(enabled = true)
+ @Test
public void testAddClassificationOnEntityWithClassificationForStewardExUserShouldFail() {
try {
-
AtlasEntityHeader entityHeader = new AtlasEntityHeader();
+
entityHeader.setClassifications(Arrays.asList(new AtlasClassification("TAG1"), new AtlasClassification("TAG2")));
AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_ADD_CLASSIFICATION, entityHeader, new AtlasClassification("PII"));
@@ -164,7 +150,7 @@ public void testAddClassificationOnEntityWithClassificationForStewardExUserShoul
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + USER_DATA_STEWARD_EX + " should have not been allowed to add PII on entity with TAG1,TAG2 classification ", false, isAccessAllowed);
+ AssertJUnit.assertFalse("user " + USER_DATA_STEWARD_EX + " should have not been allowed to add PII on entity with TAG1,TAG2 classification ", isAccessAllowed);
} catch (Exception e) {
LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
@@ -172,16 +158,16 @@ public void testAddClassificationOnEntityWithClassificationForStewardExUserShoul
}
}
- @Test(enabled = true)
+ @Test
public void testAddPIIForStewardUser() {
try {
- AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null , AtlasPrivilege.ENTITY_ADD_CLASSIFICATION, null, new AtlasClassification("PII"));
+ AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_ADD_CLASSIFICATION, null, new AtlasClassification("PII"));
setUser(request, USER_DATA_STEWARD);
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + USER_DATA_STEWARD + " should not have been allowed to add PII", false, isAccessAllowed);
+ AssertJUnit.assertFalse("user " + USER_DATA_STEWARD + " should not have been allowed to add PII", isAccessAllowed);
} catch (Exception e) {
LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
@@ -189,12 +175,12 @@ public void testAddPIIForStewardUser() {
}
}
- @Test(enabled = true)
+ @Test
public void testFinancePIIEntityAccessForFinancePIIUser() {
try {
- AtlasEntityHeader entity = new AtlasEntityHeader() {{
- setClassifications(Arrays.asList(new AtlasClassification("FINANCE"), new AtlasClassification("PII")));
- }};
+ AtlasEntityHeader entity = new AtlasEntityHeader();
+
+ entity.setClassifications(Arrays.asList(new AtlasClassification("FINANCE"), new AtlasClassification("PII")));
for (AtlasPrivilege privilege : ENTITY_PRIVILEGES) {
AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, privilege, entity, new AtlasClassification("PII"));
@@ -203,7 +189,7 @@ public void testFinancePIIEntityAccessForFinancePIIUser() {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + USER_FINANCE_PII + " should have been allowed " + privilege + " on entity with FINANCE & PII", true, isAccessAllowed);
+ AssertJUnit.assertTrue("user " + USER_FINANCE_PII + " should have been allowed " + privilege + " on entity with FINANCE & PII", isAccessAllowed);
}
} catch (Exception e) {
LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
@@ -212,12 +198,12 @@ public void testFinancePIIEntityAccessForFinancePIIUser() {
}
}
- @Test(enabled = true)
+ @Test
public void testFinancePIIEntityAccessForFinanceUser() {
try {
- AtlasEntityHeader entity = new AtlasEntityHeader() {{
- setClassifications(Arrays.asList(new AtlasClassification("FINANCE"), new AtlasClassification("PII")));
- }};
+ AtlasEntityHeader entity = new AtlasEntityHeader();
+
+ entity.setClassifications(Arrays.asList(new AtlasClassification("FINANCE"), new AtlasClassification("PII")));
for (AtlasPrivilege privilege : ENTITY_PRIVILEGES) {
AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, privilege, entity, new AtlasClassification("PII"));
@@ -226,7 +212,7 @@ public void testFinancePIIEntityAccessForFinanceUser() {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + USER_FINANCE + " should not have been allowed " + privilege + " on entity with FINANCE & PII", false, isAccessAllowed);
+ AssertJUnit.assertFalse("user " + USER_FINANCE + " should not have been allowed " + privilege + " on entity with FINANCE & PII", isAccessAllowed);
}
} catch (Exception e) {
LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
@@ -235,12 +221,12 @@ public void testFinancePIIEntityAccessForFinanceUser() {
}
}
- @Test(enabled = true)
+ @Test
public void testFinanceEntityAccess() {
try {
- AtlasEntityHeader entity = new AtlasEntityHeader() {{
- setClassifications(Arrays.asList(new AtlasClassification("FINANCE")));
- }};
+ AtlasEntityHeader entity = new AtlasEntityHeader();
+
+ entity.setClassifications(Collections.singletonList(new AtlasClassification("FINANCE")));
for (String userName : Arrays.asList(USER_FINANCE_PII, USER_FINANCE)) {
for (AtlasPrivilege privilege : ENTITY_PRIVILEGES) {
@@ -250,7 +236,7 @@ public void testFinanceEntityAccess() {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + userName + " should have been allowed " + privilege + " on entity with FINANCE", true, isAccessAllowed);
+ AssertJUnit.assertTrue("user " + userName + " should have been allowed " + privilege + " on entity with FINANCE", isAccessAllowed);
}
}
} catch (Exception e) {
@@ -260,7 +246,7 @@ public void testFinanceEntityAccess() {
}
}
- @Test(enabled = true)
+ @Test
public void testAccessForUserInAdminGroup() {
try {
AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_UPDATE);
@@ -269,7 +255,7 @@ public void testAccessForUserInAdminGroup() {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + USER_IN_ADMIN_GROUP + " should have been allowed " + AtlasPrivilege.ENTITY_UPDATE, true, isAccessAllowed);
+ AssertJUnit.assertTrue("user " + USER_IN_ADMIN_GROUP + " should have been allowed " + AtlasPrivilege.ENTITY_UPDATE, isAccessAllowed);
} catch (AtlasAuthorizationException e) {
LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
@@ -277,7 +263,7 @@ public void testAccessForUserInAdminGroup() {
}
}
- @Test(enabled = true)
+ @Test
public void testAccessForUserInUnknownGroup() {
try {
AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_UPDATE);
@@ -286,7 +272,7 @@ public void testAccessForUserInUnknownGroup() {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + USER_IN_UNKNOWN_GROUP + " should not have been allowed " + AtlasPrivilege.ENTITY_UPDATE, false, isAccessAllowed);
+ AssertJUnit.assertFalse("user " + USER_IN_UNKNOWN_GROUP + " should not have been allowed " + AtlasPrivilege.ENTITY_UPDATE, isAccessAllowed);
} catch (AtlasAuthorizationException e) {
LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
@@ -294,7 +280,7 @@ public void testAccessForUserInUnknownGroup() {
}
}
- @Test(enabled = true)
+ @Test
public void testLabels() {
try {
for (AtlasPrivilege privilege : LABEL_PRIVILEGES) {
@@ -305,7 +291,7 @@ public void testLabels() {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + userName + " should not have been allowed " + privilege, false, isAccessAllowed);
+ AssertJUnit.assertFalse("user " + userName + " should not have been allowed " + privilege, isAccessAllowed);
}
AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, privilege);
@@ -314,7 +300,7 @@ public void testLabels() {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + USER_DATA_STEWARD_EX + " should have been allowed " + privilege, true, isAccessAllowed);
+ AssertJUnit.assertTrue("user " + USER_DATA_STEWARD_EX + " should have been allowed " + privilege, isAccessAllowed);
}
} catch (AtlasAuthorizationException e) {
LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
@@ -323,7 +309,7 @@ public void testLabels() {
}
}
- @Test(enabled = true)
+ @Test
public void testBusinessMetadata() {
try {
for (String userName : Arrays.asList(USER_DATA_SCIENTIST, USER_DATA_STEWARD)) {
@@ -333,7 +319,7 @@ public void testBusinessMetadata() {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + userName + " should not have been allowed " + AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA, false, isAccessAllowed);
+ AssertJUnit.assertFalse("user " + userName + " should not have been allowed " + AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA, isAccessAllowed);
}
AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA);
@@ -342,7 +328,7 @@ public void testBusinessMetadata() {
boolean isAccessAllowed = authorizer.isAccessAllowed(request);
- AssertJUnit.assertEquals("user " + USER_DATA_STEWARD_EX + " should have been allowed " + AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA, true, isAccessAllowed);
+ AssertJUnit.assertTrue("user " + USER_DATA_STEWARD_EX + " should have been allowed " + AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA, isAccessAllowed);
} catch (AtlasAuthorizationException e) {
LOG.error("Exception in AtlasSimpleAuthorizerTest", e);
@@ -355,4 +341,29 @@ private void setUser(AtlasAccessRequest request, String userName) {
request.setUser(userName, userGroups != null ? userGroups : Collections.emptySet());
}
+
+ static {
+ USER_GROUPS.put(USER_ADMIN, Collections.singleton("ROLE_ADMIN"));
+ USER_GROUPS.put(USER_DATA_STEWARD, Collections.emptySet());
+ USER_GROUPS.put(USER_DATA_SCIENTIST, Collections.emptySet());
+ USER_GROUPS.put(USER_DATA_STEWARD_EX, Collections.singleton("DATA_STEWARD_EX"));
+ USER_GROUPS.put(USER_FINANCE, Collections.singleton("FINANCE"));
+ USER_GROUPS.put(USER_FINANCE_PII, Collections.singleton("FINANCE_PII"));
+ USER_GROUPS.put(USER_IN_ADMIN_GROUP, Collections.singleton("ROLE_ADMIN"));
+ USER_GROUPS.put(USER_IN_UNKNOWN_GROUP, Collections.singleton("UNKNOWN_GROUP"));
+
+ ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_CREATE);
+ ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_UPDATE);
+ ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_READ);
+ ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_ADD_CLASSIFICATION);
+ ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_UPDATE_CLASSIFICATION);
+ ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_REMOVE_CLASSIFICATION);
+ ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_READ_CLASSIFICATION);
+ ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_ADD_LABEL);
+ ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_REMOVE_LABEL);
+ ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA);
+
+ LABEL_PRIVILEGES.add(AtlasPrivilege.ENTITY_ADD_LABEL);
+ LABEL_PRIVILEGES.add(AtlasPrivilege.ENTITY_REMOVE_LABEL);
+ }
}