From 7058cb9ef178197758d8178d27ceb59f37da564c Mon Sep 17 00:00:00 2001 From: Madhan Neethiraj Date: Wed, 12 Feb 2025 18:49:04 -0800 Subject: [PATCH] ATLAS-4961: checkstyle compliance updates - atlas-authorization module (#286) --- authorization/pom.xml | 5 + .../atlas/authorize/AtlasAccessRequest.java | 45 ++- .../authorize/AtlasAdminAccessRequest.java | 10 +- .../AtlasAuthorizationException.java | 9 +- .../authorize/AtlasAuthorizationUtils.java | 45 +-- .../atlas/authorize/AtlasAuthorizer.java | 29 +- .../authorize/AtlasAuthorizerFactory.java | 25 +- .../authorize/AtlasEntityAccessRequest.java | 9 +- .../atlas/authorize/AtlasNoneAuthorizer.java | 13 +- .../atlas/authorize/AtlasPrivilege.java | 66 ++--- .../AtlasRelationshipAccessRequest.java | 10 +- .../AtlasSearchResultScrubRequest.java | 13 +- .../authorize/AtlasTypeAccessRequest.java | 7 +- .../authorize/AtlasTypesDefFilterRequest.java | 7 +- .../simple/AtlasSimpleAuthorizer.java | 265 +++++++----------- .../simple/AtlasSimpleAuthzPolicy.java | 53 ++-- .../simple/AtlasSimpleAuthzUpdateTool.java | 83 +++--- .../simple/AtlasSimpleAuthorizerTest.java | 141 +++++----- 18 files changed, 389 insertions(+), 446 deletions(-) diff --git a/authorization/pom.xml b/authorization/pom.xml index 0e7d75a465..af95d5f01e 100644 --- a/authorization/pom.xml +++ b/authorization/pom.xml @@ -30,6 +30,11 @@ Apache Atlas Authorization + + true + false + + diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java index c76a8715b7..0f3f8d4dc7 100644 --- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java +++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java @@ -6,9 +6,9 @@ * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -24,8 +24,6 @@ import org.apache.atlas.type.AtlasStructType.AtlasAttribute; import org.apache.atlas.type.AtlasTypeRegistry; import org.apache.commons.collections.MapUtils; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import java.util.Collections; import java.util.Date; @@ -35,19 +33,16 @@ import java.util.Set; public class AtlasAccessRequest { - private static Logger LOG = LoggerFactory.getLogger(AtlasAccessRequest.class); - private static final String DEFAULT_ENTITY_ID_ATTRIBUTE = "qualifiedName"; private final AtlasPrivilege action; private final Date accessTime; - private String user = null; - private Set userGroups = null; - private String clientIPAddress = null; + private String user; + private Set userGroups; + private String clientIPAddress; private List forwardedAddresses; private String remoteIPAddress; - protected AtlasAccessRequest(AtlasPrivilege action) { this(action, null, null, new Date(), null); } @@ -56,11 +51,11 @@ protected AtlasAccessRequest(AtlasPrivilege action, String user, Set use this(action, user, userGroups, new Date(), null, null, null); } - protected AtlasAccessRequest(AtlasPrivilege action, String user, Set userGroups, Date accessTime, - String clientIPAddress, List forwardedAddresses, String remoteIPAddress) { + protected AtlasAccessRequest(AtlasPrivilege action, String user, Set userGroups, Date accessTime, String clientIPAddress, List forwardedAddresses, String remoteIPAddress) { this(action, user, userGroups, accessTime, clientIPAddress); - this.forwardedAddresses = forwardedAddresses; - this.remoteIPAddress = remoteIPAddress; + + this.forwardedAddresses = forwardedAddresses; + this.remoteIPAddress = remoteIPAddress; } protected AtlasAccessRequest(AtlasPrivilege action, String user, Set userGroups, Date accessTime, String clientIPAddress) { @@ -96,22 +91,22 @@ public List getForwardedAddresses() { return forwardedAddresses; } - public String getRemoteIPAddress() { - return remoteIPAddress; - } - - public String getClientIPAddress() { - return clientIPAddress; - } - public void setForwardedAddresses(List forwardedAddresses) { this.forwardedAddresses = forwardedAddresses; } + public String getRemoteIPAddress() { + return remoteIPAddress; + } + public void setRemoteIPAddress(String remoteIPAddress) { this.remoteIPAddress = remoteIPAddress; } + public String getClientIPAddress() { + return clientIPAddress; + } + public void setClientIPAddress(String clientIPAddress) { this.clientIPAddress = clientIPAddress; } @@ -169,7 +164,6 @@ public String getEntityId(AtlasEntityHeader entity, AtlasTypeRegistry typeRegist break; } } - } } @@ -194,10 +188,9 @@ public Set getClassificationNames(AtlasEntityHeader entity) { @Override public String toString() { - return "AtlasAccessRequest[" + "action=" + action + ", accessTime=" + accessTime +", user='" + user + '\'' + + return "AtlasAccessRequest[" + "action=" + action + ", accessTime=" + accessTime + ", user='" + user + '\'' + ", userGroups=" + userGroups + ", clientIPAddress='" + clientIPAddress + '\'' + ", forwardedAddresses=" + forwardedAddresses + ", remoteIPAddress='" + remoteIPAddress + '\'' + ']'; - } } diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java index 5f571fb648..e6e34dbc7f 100644 --- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java +++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java @@ -6,9 +6,9 @@ * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -17,11 +17,9 @@ */ package org.apache.atlas.authorize; - import java.util.Set; public class AtlasAdminAccessRequest extends AtlasAccessRequest { - public AtlasAdminAccessRequest(AtlasPrivilege action) { super(action); } @@ -33,7 +31,7 @@ public AtlasAdminAccessRequest(AtlasPrivilege action, String userName, Set + * http://www.apache.org/licenses/LICENSE-2.0 + *

* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -29,8 +29,7 @@ public AtlasAuthorizationException(String message, Throwable exception) { super(message, exception); } - public AtlasAuthorizationException(String message, Throwable exception, boolean enableSuppression, - boolean writableStackTrace) { + public AtlasAuthorizationException(String message, Throwable exception, boolean enableSuppression, boolean writableStackTrace) { super(message, exception, enableSuppression, writableStackTrace); } diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java index b1a3eb5fb2..581c6235f7 100644 --- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java +++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java @@ -1,5 +1,5 @@ /** -/** + * /** * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information @@ -7,9 +7,9 @@ * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -31,18 +31,23 @@ import org.springframework.security.core.context.SecurityContextHolder; import javax.servlet.http.HttpServletRequest; + import java.net.InetAddress; import java.net.UnknownHostException; +import java.util.Arrays; import java.util.HashSet; -import java.util.Set; import java.util.List; -import java.util.Arrays; +import java.util.Set; public class AtlasAuthorizationUtils { private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthorizationUtils.class); + private AtlasAuthorizationUtils() { + // to block instantiation + } + public static void verifyAccess(AtlasAdminAccessRequest request, Object... errorMsgParams) throws AtlasBaseException { - if (! isAccessAllowed(request)) { + if (!isAccessAllowed(request)) { String message = (errorMsgParams != null && errorMsgParams.length > 0) ? StringUtils.join(errorMsgParams) : ""; throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, request.getUser(), message); @@ -50,7 +55,7 @@ public static void verifyAccess(AtlasAdminAccessRequest request, Object... error } public static void verifyAccess(AtlasTypeAccessRequest request, Object... errorMsgParams) throws AtlasBaseException { - if (! isAccessAllowed(request)) { + if (!isAccessAllowed(request)) { String message = (errorMsgParams != null && errorMsgParams.length > 0) ? StringUtils.join(errorMsgParams) : ""; throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, request.getUser(), message); @@ -58,7 +63,7 @@ public static void verifyAccess(AtlasTypeAccessRequest request, Object... errorM } public static void verifyAccess(AtlasEntityAccessRequest request, Object... errorMsgParams) throws AtlasBaseException { - if (! isAccessAllowed(request)) { + if (!isAccessAllowed(request)) { String message = (errorMsgParams != null && errorMsgParams.length > 0) ? StringUtils.join(errorMsgParams) : ""; throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, request.getUser(), message); @@ -68,11 +73,12 @@ public static void verifyAccess(AtlasEntityAccessRequest request, Object... erro public static void verifyAccess(AtlasRelationshipAccessRequest request, Object... errorMsgParams) throws AtlasBaseException { if (!isAccessAllowed(request)) { String message = (errorMsgParams != null && errorMsgParams.length > 0) ? StringUtils.join(errorMsgParams) : ""; + throw new AtlasBaseException(AtlasErrorCode.UNAUTHORIZED_ACCESS, request.getUser(), message); } } - public static void scrubSearchResults(AtlasSearchResultScrubRequest request) throws AtlasBaseException { + public static void scrubSearchResults(AtlasSearchResultScrubRequest request) { String userName = getCurrentUserName(); if (StringUtils.isNotEmpty(userName)) { @@ -105,6 +111,7 @@ public static boolean isAccessAllowed(AtlasAdminAccessRequest request) { request.setClientIPAddress(RequestContext.get().getClientIPAddress()); request.setForwardedAddresses(RequestContext.get().getForwardedAddresses()); request.setRemoteIPAddress(RequestContext.get().getClientIPAddress()); + ret = authorizer.isAccessAllowed(request); } catch (AtlasAuthorizationException e) { LOG.error("Unable to obtain AtlasAuthorizer", e); @@ -132,6 +139,7 @@ public static boolean isAccessAllowed(AtlasEntityAccessRequest request) { request.setClientIPAddress(RequestContext.get().getClientIPAddress()); request.setForwardedAddresses(RequestContext.get().getForwardedAddresses()); request.setRemoteIPAddress(RequestContext.get().getClientIPAddress()); + ret = authorizer.isAccessAllowed(request); } catch (AtlasAuthorizationException e) { LOG.error("Unable to obtain AtlasAuthorizer", e); @@ -159,6 +167,7 @@ public static boolean isAccessAllowed(AtlasTypeAccessRequest request) { request.setClientIPAddress(RequestContext.get().getClientIPAddress()); request.setForwardedAddresses(RequestContext.get().getForwardedAddresses()); request.setRemoteIPAddress(RequestContext.get().getClientIPAddress()); + ret = authorizer.isAccessAllowed(request); } catch (AtlasAuthorizationException e) { LOG.error("Unable to obtain AtlasAuthorizer", e); @@ -186,6 +195,7 @@ public static boolean isAccessAllowed(AtlasRelationshipAccessRequest request) { request.setClientIPAddress(RequestContext.get().getClientIPAddress()); request.setForwardedAddresses(RequestContext.get().getForwardedAddresses()); request.setRemoteIPAddress(RequestContext.get().getClientIPAddress()); + ret = authorizer.isAccessAllowed(request); } catch (AtlasAuthorizationException e) { LOG.error("Unable to obtain AtlasAuthorizer", e); @@ -200,8 +210,8 @@ public static boolean isAccessAllowed(AtlasRelationshipAccessRequest request) { } public static void filterTypesDef(AtlasTypesDefFilterRequest request) { - MetricRecorder metric = RequestContext.get().startMetricRecord("filterTypesDef"); - String userName = getCurrentUserName(); + MetricRecorder metric = RequestContext.get().startMetricRecord("filterTypesDef"); + String userName = getCurrentUserName(); if (StringUtils.isNotEmpty(userName) && !RequestContext.get().isImportInProgress()) { try { @@ -221,13 +231,14 @@ public static void filterTypesDef(AtlasTypesDefFilterRequest request) { RequestContext.get().endMetricRecord(metric); } - public static List getForwardedAddressesFromRequest(HttpServletRequest httpServletRequest){ - String ipAddress = httpServletRequest.getHeader("X-FORWARDED-FOR"); - String[] forwardedAddresses = null ; + public static List getForwardedAddressesFromRequest(HttpServletRequest httpServletRequest) { + String ipAddress = httpServletRequest.getHeader("X-FORWARDED-FOR"); + String[] forwardedAddresses = null; - if(!StringUtils.isEmpty(ipAddress)){ + if (!StringUtils.isEmpty(ipAddress)) { forwardedAddresses = ipAddress.split(","); } + return forwardedAddresses != null ? Arrays.asList(forwardedAddresses) : null; } @@ -245,8 +256,6 @@ public static String getRequestIpAddress(HttpServletRequest httpServletRequest) return ret; } - - public static String getCurrentUserName() { Authentication auth = SecurityContextHolder.getContext().getAuthentication(); diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java index 21b8cf905d..845b05f9a6 100644 --- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java +++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizer.java @@ -6,9 +6,9 @@ * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -18,7 +18,6 @@ package org.apache.atlas.authorize; - import org.apache.atlas.model.instance.AtlasEntityHeader; public interface AtlasAuthorizer { @@ -62,8 +61,7 @@ public interface AtlasAuthorizer { * @return * @throws AtlasAuthorizationException */ - default - boolean isAccessAllowed(AtlasRelationshipAccessRequest request) throws AtlasAuthorizationException { + default boolean isAccessAllowed(AtlasRelationshipAccessRequest request) throws AtlasAuthorizationException { return true; } @@ -73,36 +71,33 @@ boolean isAccessAllowed(AtlasRelationshipAccessRequest request) throws AtlasAuth * @return * @throws AtlasAuthorizationException */ - default - void scrubSearchResults(AtlasSearchResultScrubRequest request) throws AtlasAuthorizationException { + default void scrubSearchResults(AtlasSearchResultScrubRequest request) throws AtlasAuthorizationException { } - default - void scrubEntityHeader(AtlasEntityHeader entity) { + default void scrubEntityHeader(AtlasEntityHeader entity) { entity.setGuid("-1"); - if(entity.getAttributes() != null) { + if (entity.getAttributes() != null) { entity.getAttributes().clear(); } - if(entity.getClassifications() != null) { + if (entity.getClassifications() != null) { entity.getClassifications().clear(); } - if(entity.getClassificationNames() != null) { + if (entity.getClassificationNames() != null) { entity.getClassificationNames().clear(); } - if(entity.getMeanings() != null) { + if (entity.getMeanings() != null) { entity.getMeanings().clear(); } - if(entity.getMeaningNames() != null) { + if (entity.getMeaningNames() != null) { entity.getMeaningNames().clear(); } } - default - void filterTypesDef(AtlasTypesDefFilterRequest request) throws AtlasAuthorizationException { + default void filterTypesDef(AtlasTypesDefFilterRequest request) throws AtlasAuthorizationException { } } diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java index 72037eabbe..d72fdda748 100644 --- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java +++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizerFactory.java @@ -26,7 +26,6 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; - public class AtlasAuthorizerFactory { private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthorizerFactory.class); @@ -34,14 +33,20 @@ public class AtlasAuthorizerFactory { private static final String SIMPLE_AUTHORIZER = AtlasSimpleAuthorizer.class.getName(); private static final String RANGER_AUTHORIZER = "org.apache.ranger.authorization.atlas.authorizer.RangerAtlasAuthorizer"; - private static volatile AtlasAuthorizer INSTANCE = null; + private static volatile AtlasAuthorizer instance; + + private AtlasAuthorizerFactory() { + // to block instantiation + } public static AtlasAuthorizer getAtlasAuthorizer() throws AtlasAuthorizationException { - AtlasAuthorizer ret = INSTANCE; + AtlasAuthorizer ret = AtlasAuthorizerFactory.instance; if (ret == null) { synchronized (AtlasAuthorizerFactory.class) { - if (INSTANCE == null) { + ret = AtlasAuthorizerFactory.instance; + + if (ret == null) { Configuration configuration = null; try { @@ -67,21 +72,19 @@ public static AtlasAuthorizer getAtlasAuthorizer() throws AtlasAuthorizationExce LOG.info("Initializing Authorizer {}", authorizerClass); try { - Class authorizerMetaObject = Class.forName(authorizerClass); + Class authorizerMetaObject = Class.forName(authorizerClass); - if (authorizerMetaObject != null) { - INSTANCE = (AtlasAuthorizer) authorizerMetaObject.newInstance(); + ret = (AtlasAuthorizer) authorizerMetaObject.newInstance(); - INSTANCE.init(); - } + ret.init(); + + AtlasAuthorizerFactory.instance = ret; } catch (Exception e) { LOG.error("Error while creating authorizer of type {}", authorizerClass, e); throw new AtlasAuthorizationException("Error while creating authorizer of type '" + authorizerClass + "'", e); } } - - ret = INSTANCE; } } diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java index 6d49d54b11..10b8d47929 100644 --- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java +++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java @@ -6,9 +6,9 @@ * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -34,7 +34,6 @@ public class AtlasEntityAccessRequest extends AtlasAccessRequest { private final AtlasTypeRegistry typeRegistry; private final Set entityClassifications; - public AtlasEntityAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action) { this(typeRegistry, action, null, null, null, null, null, null, null); } @@ -197,5 +196,3 @@ public AtlasEntityAccessRequest build() { } } } - - diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasNoneAuthorizer.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasNoneAuthorizer.java index a371049441..86909d9249 100644 --- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasNoneAuthorizer.java +++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasNoneAuthorizer.java @@ -21,7 +21,6 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; - public class AtlasNoneAuthorizer implements AtlasAuthorizer { private static final Logger LOG = LoggerFactory.getLogger(AtlasNoneAuthorizer.class); @@ -33,24 +32,24 @@ public void cleanUp() { LOG.info("AtlasNoneAuthorizer.cleanUp()"); } - public boolean isAccessAllowed(AtlasAdminAccessRequest request) throws AtlasAuthorizationException { + public boolean isAccessAllowed(AtlasAdminAccessRequest request) { return true; } - public boolean isAccessAllowed(AtlasEntityAccessRequest request) throws AtlasAuthorizationException { + public boolean isAccessAllowed(AtlasEntityAccessRequest request) { return true; } - public boolean isAccessAllowed(AtlasTypeAccessRequest request) throws AtlasAuthorizationException { + public boolean isAccessAllowed(AtlasTypeAccessRequest request) { return true; } @Override - public boolean isAccessAllowed(AtlasRelationshipAccessRequest request) throws AtlasAuthorizationException { + public boolean isAccessAllowed(AtlasRelationshipAccessRequest request) { return true; } - public void scrubSearchResults(AtlasSearchResultScrubRequest request) throws AtlasAuthorizationException { - + @Override + public void scrubSearchResults(AtlasSearchResultScrubRequest request) { } } diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java index f270844c5b..68402fd507 100644 --- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java +++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java @@ -6,9 +6,9 @@ * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -18,45 +18,45 @@ package org.apache.atlas.authorize; public enum AtlasPrivilege { - TYPE_CREATE("type-create"), - TYPE_UPDATE("type-update"), - TYPE_DELETE("type-delete"), + TYPE_CREATE("type-create"), + TYPE_UPDATE("type-update"), + TYPE_DELETE("type-delete"), - ENTITY_READ("entity-read"), - ENTITY_CREATE("entity-create"), - ENTITY_UPDATE("entity-update"), - ENTITY_DELETE("entity-delete"), - ENTITY_READ_CLASSIFICATION("entity-read-classification"), - ENTITY_ADD_CLASSIFICATION("entity-add-classification"), - ENTITY_UPDATE_CLASSIFICATION("entity-update-classification"), - ENTITY_REMOVE_CLASSIFICATION("entity-remove-classification"), + ENTITY_READ("entity-read"), + ENTITY_CREATE("entity-create"), + ENTITY_UPDATE("entity-update"), + ENTITY_DELETE("entity-delete"), + ENTITY_READ_CLASSIFICATION("entity-read-classification"), + ENTITY_ADD_CLASSIFICATION("entity-add-classification"), + ENTITY_UPDATE_CLASSIFICATION("entity-update-classification"), + ENTITY_REMOVE_CLASSIFICATION("entity-remove-classification"), - ADMIN_EXPORT("admin-export"), - ADMIN_IMPORT("admin-import"), + ADMIN_EXPORT("admin-export"), + ADMIN_IMPORT("admin-import"), - RELATIONSHIP_ADD("add-relationship"), - RELATIONSHIP_UPDATE("update-relationship"), - RELATIONSHIP_REMOVE("remove-relationship"), + RELATIONSHIP_ADD("add-relationship"), + RELATIONSHIP_UPDATE("update-relationship"), + RELATIONSHIP_REMOVE("remove-relationship"), - ADMIN_PURGE("admin-purge"), + ADMIN_PURGE("admin-purge"), - ENTITY_ADD_LABEL("entity-add-label"), - ENTITY_REMOVE_LABEL("entity-remove-label"), - ENTITY_UPDATE_BUSINESS_METADATA("entity-update-business-metadata"), + ENTITY_ADD_LABEL("entity-add-label"), + ENTITY_REMOVE_LABEL("entity-remove-label"), + ENTITY_UPDATE_BUSINESS_METADATA("entity-update-business-metadata"), - TYPE_READ("type-read"), + TYPE_READ("type-read"), - ADMIN_AUDITS("admin-audits"), + ADMIN_AUDITS("admin-audits"), - SERVICE_NOTIFICATION_POST("service-notification-post"); + SERVICE_NOTIFICATION_POST("service-notification-post"); - private final String type; + private final String type; - AtlasPrivilege(String actionType){ - this.type = actionType; - } + AtlasPrivilege(String actionType) { + this.type = actionType; + } - public String getType() { - return type; - } + public String getType() { + return type; + } } diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasRelationshipAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasRelationshipAccessRequest.java index b530c01dd4..de43897973 100644 --- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasRelationshipAccessRequest.java +++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasRelationshipAccessRequest.java @@ -6,9 +6,9 @@ * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -25,11 +25,10 @@ public class AtlasRelationshipAccessRequest extends AtlasAccessRequest { private final AtlasTypeRegistry typeRegistry; - private final String relationshipType ; + private final String relationshipType; private final AtlasEntityHeader end1Entity; private final AtlasEntityHeader end2Entity; - public AtlasRelationshipAccessRequest(AtlasTypeRegistry typeRegistry, AtlasPrivilege action, String relationshipType, AtlasEntityHeader end1Entity, AtlasEntityHeader end2Entity) { this(typeRegistry, action, relationshipType, end1Entity, end2Entity, null, null); } @@ -55,7 +54,6 @@ public String getRelationshipType() { return relationshipType; } - public Set getEnd1EntityTypeAndAllSuperTypes() { return super.getEntityTypeAndAllSuperTypes(end1Entity == null ? null : end1Entity.getTypeName(), typeRegistry); } diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasSearchResultScrubRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasSearchResultScrubRequest.java index 63468a7a38..52849dea44 100644 --- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasSearchResultScrubRequest.java +++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasSearchResultScrubRequest.java @@ -6,9 +6,9 @@ * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -26,7 +26,6 @@ public class AtlasSearchResultScrubRequest extends AtlasAccessRequest { private final AtlasTypeRegistry typeRegistry; private final AtlasSearchResult searchResult; - public AtlasSearchResultScrubRequest(AtlasTypeRegistry typeRegistry, AtlasSearchResult searchResult) { this(typeRegistry, searchResult, null, null); } @@ -38,7 +37,9 @@ public AtlasSearchResultScrubRequest(AtlasTypeRegistry typeRegistry, AtlasSearch this.searchResult = searchResult; } - public AtlasTypeRegistry getTypeRegistry() { return typeRegistry; } + public AtlasTypeRegistry getTypeRegistry() { + return typeRegistry; + } public AtlasSearchResult getSearchResult() { return searchResult; @@ -51,5 +52,3 @@ public String toString() { ", forwardedAddresses=" + getForwardedAddresses() + ", remoteIPAddress=" + getRemoteIPAddress() + "]"; } } - - diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java index 510be35222..e645e3087b 100644 --- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java +++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java @@ -6,9 +6,9 @@ * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -24,7 +24,6 @@ public class AtlasTypeAccessRequest extends AtlasAccessRequest { private final AtlasBaseTypeDef typeDef; - public AtlasTypeAccessRequest(AtlasPrivilege action, AtlasBaseTypeDef typeDef) { super(action); diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypesDefFilterRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypesDefFilterRequest.java index a2dc11f8fc..ed40a5c688 100644 --- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypesDefFilterRequest.java +++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypesDefFilterRequest.java @@ -6,9 +6,9 @@ * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -24,7 +24,6 @@ public class AtlasTypesDefFilterRequest extends AtlasAccessRequest { private final AtlasTypesDef typesDef; - public AtlasTypesDefFilterRequest(AtlasTypesDef typesDef) { super(AtlasPrivilege.TYPE_READ); diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java index d80cab4bc0..e5687249df 100755 --- a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java +++ b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java @@ -6,9 +6,9 @@ * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -18,18 +18,22 @@ package org.apache.atlas.authorize.simple; -import java.io.IOException; -import java.io.InputStream; -import java.util.HashSet; -import java.util.Iterator; -import java.util.List; -import java.util.ListIterator; -import java.util.Set; - import org.apache.atlas.ApplicationProperties; import org.apache.atlas.AtlasException; -import org.apache.atlas.authorize.*; -import org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.*; +import org.apache.atlas.authorize.AtlasAccessRequest; +import org.apache.atlas.authorize.AtlasAdminAccessRequest; +import org.apache.atlas.authorize.AtlasAuthorizer; +import org.apache.atlas.authorize.AtlasEntityAccessRequest; +import org.apache.atlas.authorize.AtlasPrivilege; +import org.apache.atlas.authorize.AtlasRelationshipAccessRequest; +import org.apache.atlas.authorize.AtlasSearchResultScrubRequest; +import org.apache.atlas.authorize.AtlasTypeAccessRequest; +import org.apache.atlas.authorize.AtlasTypesDefFilterRequest; +import org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.AtlasAdminPermission; +import org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.AtlasAuthzRole; +import org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.AtlasEntityPermission; +import org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.AtlasRelationshipPermission; +import org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.AtlasTypePermission; import org.apache.atlas.model.discovery.AtlasSearchResult; import org.apache.atlas.model.discovery.AtlasSearchResult.AtlasFullTextResult; import org.apache.atlas.model.instance.AtlasEntityHeader; @@ -42,6 +46,13 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import java.io.IOException; +import java.io.InputStream; +import java.util.HashSet; +import java.util.List; +import java.util.ListIterator; +import java.util.Set; + import static org.apache.atlas.authorize.AtlasPrivilege.ENTITY_ADD_CLASSIFICATION; import static org.apache.atlas.authorize.AtlasPrivilege.ENTITY_REMOVE_CLASSIFICATION; import static org.apache.atlas.authorize.AtlasPrivilege.ENTITY_UPDATE_CLASSIFICATION; @@ -50,22 +61,15 @@ import static org.apache.atlas.authorize.AtlasPrivilege.TYPE_READ; import static org.apache.atlas.authorize.AtlasPrivilege.TYPE_UPDATE; - public final class AtlasSimpleAuthorizer implements AtlasAuthorizer { private static final Logger LOG = LoggerFactory.getLogger(AtlasSimpleAuthorizer.class); - private final static String WILDCARD_ASTERISK = "*"; - - private final static Set CLASSIFICATION_PRIVILEGES = new HashSet() {{ - add(ENTITY_ADD_CLASSIFICATION); - add(ENTITY_REMOVE_CLASSIFICATION); - add(ENTITY_UPDATE_CLASSIFICATION); - }}; + private static final Set CLASSIFICATION_PRIVILEGES = new HashSet<>(); + private static final String REGEX_MATCHALL = ".*"; + private static final String WILDCARD_ASTERISK = "*"; private AtlasSimpleAuthzPolicy authzPolicy; - private final static String REGEX_MATCHALL = ".*"; - public AtlasSimpleAuthorizer() { } @@ -73,11 +77,7 @@ public AtlasSimpleAuthorizer() { public void init() { LOG.info("==> SimpleAtlasAuthorizer.init()"); - InputStream inputStream = null; - - try { - inputStream = ApplicationProperties.getFileAsInputStream(ApplicationProperties.get(), "atlas.authorizer.simple.authz.policy.file", "atlas-simple-authz-policy.json"); - + try (InputStream inputStream = ApplicationProperties.getFileAsInputStream(ApplicationProperties.get(), "atlas.authorizer.simple.authz.policy.file", "atlas-simple-authz-policy.json")) { authzPolicy = AtlasJson.fromJson(inputStream, AtlasSimpleAuthzPolicy.class); addImpliedTypeReadPrivilege(authzPolicy); @@ -85,14 +85,6 @@ public void init() { LOG.error("SimpleAtlasAuthorizer.init(): initialization failed", e); throw new RuntimeException(e); - } finally { - if (inputStream != null) { - try { - inputStream.close(); - } catch (IOException excp) { - // ignore - } - } } LOG.info("<== SimpleAtlasAuthorizer.init()"); @@ -108,13 +100,10 @@ public void cleanUp() { } @Override - public boolean isAccessAllowed(AtlasAdminAccessRequest request) throws AtlasAuthorizationException { - if (LOG.isDebugEnabled()) { - LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", request); - } - - boolean ret = false; + public boolean isAccessAllowed(AtlasAdminAccessRequest request) { + LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", request); + boolean ret = false; Set roles = getRoles(request.getUser(), request.getUserGroups()); for (String role : roles) { @@ -133,19 +122,60 @@ public boolean isAccessAllowed(AtlasAdminAccessRequest request) throws AtlasAuth } } - if (LOG.isDebugEnabled()) { - LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}", request, ret); - } + LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}", request, ret); return ret; } @Override - public boolean isAccessAllowed(AtlasTypeAccessRequest request) throws AtlasAuthorizationException { - if (LOG.isDebugEnabled()) { - LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", request); + public boolean isAccessAllowed(AtlasEntityAccessRequest request) { + LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", request); + + boolean ret = false; + final String action = request.getAction() != null ? request.getAction().getType() : null; + final Set entityTypes = request.getEntityTypeAndAllSuperTypes(); + final String entityId = request.getEntityId(); + final String attribute = request.getAttributeName(); + final Set entClsToAuthz = new HashSet<>(request.getEntityClassifications()); + final Set roles = getRoles(request.getUser(), request.getUserGroups()); + + for (String role : roles) { + List permissions = getEntityPermissionsForRole(role); + + if (permissions != null) { + for (AtlasEntityPermission permission : permissions) { + if (isMatch(action, permission.getPrivileges()) && isMatchAny(entityTypes, permission.getEntityTypes()) && + isMatch(entityId, permission.getEntityIds()) && isMatch(attribute, permission.getAttributes()) && + isLabelMatch(request, permission) && isBusinessMetadataMatch(request, permission) && isClassificationMatch(request, permission)) { + // 1. entity could have multiple classifications + // 2. access for these classifications could be granted by multiple AtlasEntityPermission entries + // 3. classifications allowed by the current permission will be removed from entClsToAuthz + // 4. request will be allowed once entClsToAuthz is empty i.e. user has permission for all classifications + entClsToAuthz.removeIf(entityClassification -> isMatchAny(request.getClassificationTypeAndAllSuperTypes(entityClassification), permission.getEntityClassifications())); + + ret = CollectionUtils.isEmpty(entClsToAuthz); + + if (ret) { + break; + } + } + } + } } + if (!ret) { + LOG.debug("isAccessAllowed={}; classificationsWithNoAccess={}", ret, entClsToAuthz); + } + + LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}", request, ret); + + return ret; + } + + @Override + public boolean isAccessAllowed(AtlasTypeAccessRequest request) { + LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", request); + boolean ret = false; Set roles = getRoles(request.getUser(), request.getUserGroups()); @@ -160,8 +190,8 @@ public boolean isAccessAllowed(AtlasTypeAccessRequest request) throws AtlasAutho for (AtlasTypePermission permission : permissions) { if (isMatch(action, permission.getPrivileges()) && - isMatch(typeCategory, permission.getTypeCategories()) && - isMatch(typeName, permission.getTypeNames())) { + isMatch(typeCategory, permission.getTypeCategories()) && + isMatch(typeName, permission.getTypeNames())) { ret = true; break; @@ -170,15 +200,13 @@ public boolean isAccessAllowed(AtlasTypeAccessRequest request) throws AtlasAutho } } - if (LOG.isDebugEnabled()) { - LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}", request, ret); - } + LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}", request, ret); return ret; } @Override - public boolean isAccessAllowed(AtlasRelationshipAccessRequest request) throws AtlasAuthorizationException { + public boolean isAccessAllowed(AtlasRelationshipAccessRequest request) { final Set roles = getRoles(request.getUser(), request.getUserGroups()); final String relationShipType = request.getRelationshipType(); final Set end1EntityTypeAndSuperTypes = request.getEnd1EntityTypeAndAllSuperTypes(); @@ -203,29 +231,17 @@ public boolean isAccessAllowed(AtlasRelationshipAccessRequest request) throws At if (isMatch(relationShipType, permission.getRelationshipTypes()) && isMatch(action, permission.getPrivileges())) { //End1 permission check if (!hasEnd1EntityAccess) { - if (isMatchAny(end1EntityTypeAndSuperTypes, permission.getEnd1EntityType()) && isMatch(end1EntityId, permission.getEnd1EntityId())) { - for (Iterator iter = end1Classifications.iterator(); iter.hasNext();) { - String entityClassification = iter.next(); + if (isMatchAny(end1EntityTypeAndSuperTypes, permission.getEnd1EntityType()) && isMatch(end1EntityId, permission.getEnd1EntityId())) { + end1Classifications.removeIf(entityClassification -> isMatchAny(request.getClassificationTypeAndAllSuperTypes(entityClassification), permission.getEnd1EntityClassification())); - if (isMatchAny(request.getClassificationTypeAndAllSuperTypes(entityClassification), permission.getEnd1EntityClassification())) { - iter.remove(); - } - } - - hasEnd1EntityAccess = CollectionUtils.isEmpty(end1Classifications); + hasEnd1EntityAccess = CollectionUtils.isEmpty(end1Classifications); } } //End2 permission chech if (!hasEnd2EntityAccess) { if (isMatchAny(end2EntityTypeAndSuperTypes, permission.getEnd2EntityType()) && isMatch(end2EntityId, permission.getEnd2EntityId())) { - for (Iterator iter = end2Classifications.iterator(); iter.hasNext();) { - String entityClassification = iter.next(); - - if (isMatchAny(request.getClassificationTypeAndAllSuperTypes(entityClassification), permission.getEnd2EntityClassification())) { - iter.remove(); - } - } + end2Classifications.removeIf(entityClassification -> isMatchAny(request.getClassificationTypeAndAllSuperTypes(entityClassification), permission.getEnd2EntityClassification())); hasEnd2EntityAccess = CollectionUtils.isEmpty(end2Classifications); } @@ -238,66 +254,8 @@ public boolean isAccessAllowed(AtlasRelationshipAccessRequest request) throws At } @Override - public boolean isAccessAllowed(AtlasEntityAccessRequest request) throws AtlasAuthorizationException { - if (LOG.isDebugEnabled()) { - LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", request); - } - - boolean ret = false; - final String action = request.getAction() != null ? request.getAction().getType() : null; - final Set entityTypes = request.getEntityTypeAndAllSuperTypes(); - final String entityId = request.getEntityId(); - final String attribute = request.getAttributeName(); - final Set entClsToAuthz = new HashSet<>(request.getEntityClassifications()); - final Set roles = getRoles(request.getUser(), request.getUserGroups()); - - for (String role : roles) { - List permissions = getEntityPermissionsForRole(role); - - if (permissions != null) { - for (AtlasEntityPermission permission : permissions) { - if (isMatch(action, permission.getPrivileges()) && isMatchAny(entityTypes, permission.getEntityTypes()) && - isMatch(entityId, permission.getEntityIds()) && isMatch(attribute, permission.getAttributes()) && - isLabelMatch(request, permission) && isBusinessMetadataMatch(request, permission) && isClassificationMatch(request, permission)) { - - // 1. entity could have multiple classifications - // 2. access for these classifications could be granted by multiple AtlasEntityPermission entries - // 3. classifications allowed by the current permission will be removed from entClsToAuthz - // 4. request will be allowed once entClsToAuthz is empty i.e. user has permission for all classifications - for (Iterator iter = entClsToAuthz.iterator(); iter.hasNext(); ) { - String entityClassification = iter.next(); - - if (isMatchAny(request.getClassificationTypeAndAllSuperTypes(entityClassification), permission.getEntityClassifications())) { - iter.remove(); - } - } - - ret = CollectionUtils.isEmpty(entClsToAuthz); - - if (ret) { - break; - } - } - } - } - } - - if (LOG.isDebugEnabled()) { - if (!ret) { - LOG.debug("isAccessAllowed={}; classificationsWithNoAccess={}", ret, entClsToAuthz); - } - - LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}", request, ret); - } - - return ret; - } - - @Override - public void scrubSearchResults(AtlasSearchResultScrubRequest request) throws AtlasAuthorizationException { - if (LOG.isDebugEnabled()) { - LOG.debug("==> SimpleAtlasAuthorizer.scrubSearchResults({})", request); - } + public void scrubSearchResults(AtlasSearchResultScrubRequest request) { + LOG.debug("==> SimpleAtlasAuthorizer.scrubSearchResults({})", request); final AtlasSearchResult result = request.getSearchResult(); @@ -321,13 +279,11 @@ public void scrubSearchResults(AtlasSearchResultScrubRequest request) throws Atl } } - if (LOG.isDebugEnabled()) { - LOG.debug("<== SimpleAtlasAuthorizer.scrubSearchResults({}): {}", request, result); - } + LOG.debug("<== SimpleAtlasAuthorizer.scrubSearchResults({}): {}", request, result); } @Override - public void filterTypesDef(AtlasTypesDefFilterRequest request) throws AtlasAuthorizationException { + public void filterTypesDef(AtlasTypesDefFilterRequest request) { AtlasTypesDef typesDef = request.getTypesDef(); filterTypes(request, typesDef.getEnumDefs()); @@ -361,9 +317,7 @@ private Set getRoles(String userName, Set userGroups) { } } - if (LOG.isDebugEnabled()) { - LOG.debug("<== getRoles({}, {}): {}", userName, userGroups, ret); - } + LOG.debug("<== getRoles({}, {}): {}", userName, userGroups, ret); return ret; } @@ -404,7 +358,6 @@ private List getEntityPermissionsForRole(String roleName) return ret; } - private List getRelationshipPermissionsForRole(String roleName) { List ret = null; @@ -418,11 +371,9 @@ private List getRelationshipPermissionsForRole(Stri } private boolean isMatch(String value, List patterns) { - boolean ret = false; + boolean ret = value == null; - if (value == null) { - ret = true; - } if (CollectionUtils.isNotEmpty(patterns)) { + if (CollectionUtils.isNotEmpty(patterns)) { for (String pattern : patterns) { if (isMatch(value, pattern)) { ret = true; @@ -432,7 +383,7 @@ private boolean isMatch(String value, List patterns) { } } - if (!ret && LOG.isDebugEnabled()) { + if (!ret) { LOG.debug("<== isMatch({}, {}): {}", value, patterns, ret); } @@ -440,11 +391,9 @@ private boolean isMatch(String value, List patterns) { } private boolean isMatchAny(Set values, List patterns) { - boolean ret = false; + boolean ret = CollectionUtils.isEmpty(values); - if (CollectionUtils.isEmpty(values)) { - ret = true; - }if (CollectionUtils.isNotEmpty(patterns)) { + if (CollectionUtils.isNotEmpty(patterns)) { for (String value : values) { if (isMatch(value, patterns)) { ret = true; @@ -454,7 +403,7 @@ private boolean isMatchAny(Set values, List patterns) { } } - if (!ret && LOG.isDebugEnabled()) { + if (!ret) { LOG.debug("<== isMatchAny({}, {}): {}", values, patterns, ret); } @@ -473,7 +422,7 @@ private boolean isMatch(String value, String pattern) { return ret; } - private void checkAccessAndScrub(AtlasEntityHeader entity, AtlasSearchResultScrubRequest request) throws AtlasAuthorizationException { + private void checkAccessAndScrub(AtlasEntityHeader entity, AtlasSearchResultScrubRequest request) { if (entity != null && request != null) { final AtlasEntityAccessRequest entityAccessRequest = new AtlasEntityAccessRequest(request.getTypeRegistry(), AtlasPrivilege.ENTITY_READ, entity, request.getUser(), request.getUserGroups()); @@ -486,20 +435,20 @@ private void checkAccessAndScrub(AtlasEntityHeader entity, AtlasSearchResultScru } private boolean isLabelMatch(AtlasEntityAccessRequest request, AtlasEntityPermission permission) { - return (AtlasPrivilege.ENTITY_ADD_LABEL.equals(request.getAction()) || AtlasPrivilege.ENTITY_REMOVE_LABEL.equals(request.getAction())) ? isMatch(request.getLabel(), permission.getLabels()) : true; + return !AtlasPrivilege.ENTITY_ADD_LABEL.equals(request.getAction()) && !AtlasPrivilege.ENTITY_REMOVE_LABEL.equals(request.getAction()) || isMatch(request.getLabel(), permission.getLabels()); } private boolean isBusinessMetadataMatch(AtlasEntityAccessRequest request, AtlasEntityPermission permission) { - return AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA.equals(request.getAction()) ? isMatch(request.getBusinessMetadata(), permission.getBusinessMetadata()) : true; + return !AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA.equals(request.getAction()) || isMatch(request.getBusinessMetadata(), permission.getBusinessMetadata()); } private boolean isClassificationMatch(AtlasEntityAccessRequest request, AtlasEntityPermission permission) { - return (CLASSIFICATION_PRIVILEGES.contains(request.getAction()) && request.getClassification() != null) ? isMatch(request.getClassification().getTypeName(), permission.getClassifications()) : true; + return !CLASSIFICATION_PRIVILEGES.contains(request.getAction()) || request.getClassification() == null || isMatch(request.getClassification().getTypeName(), permission.getClassifications()); } - private void filterTypes(AtlasAccessRequest request, List typeDefs)throws AtlasAuthorizationException { + private void filterTypes(AtlasAccessRequest request, List typeDefs) { if (typeDefs != null) { - for (ListIterator iter = typeDefs.listIterator(); iter.hasNext();) { + for (ListIterator iter = typeDefs.listIterator(); iter.hasNext(); ) { AtlasBaseTypeDef typeDef = iter.next(); AtlasTypeAccessRequest typeRequest = new AtlasTypeAccessRequest(request.getAction(), typeDef, request.getUser(), request.getUserGroups()); @@ -536,6 +485,10 @@ private void addImpliedTypeReadPrivilege(AtlasSimpleAuthzPolicy policy) { } } } -} - + static { + CLASSIFICATION_PRIVILEGES.add(ENTITY_ADD_CLASSIFICATION); + CLASSIFICATION_PRIVILEGES.add(ENTITY_REMOVE_CLASSIFICATION); + CLASSIFICATION_PRIVILEGES.add(ENTITY_UPDATE_CLASSIFICATION); + } +} diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzPolicy.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzPolicy.java index ee13233efd..b4899a8bdf 100644 --- a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzPolicy.java +++ b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzPolicy.java @@ -1,13 +1,14 @@ -/** Licensed to the Apache Software Foundation (ASF) under one +/** + * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -18,11 +19,12 @@ import com.fasterxml.jackson.annotation.JsonAutoDetect; import com.fasterxml.jackson.annotation.JsonIgnoreProperties; -import com.fasterxml.jackson.databind.annotation.JsonSerialize; +import com.fasterxml.jackson.annotation.JsonInclude; import javax.xml.bind.annotation.XmlAccessType; import javax.xml.bind.annotation.XmlAccessorType; import javax.xml.bind.annotation.XmlRootElement; + import java.io.Serializable; import java.util.List; import java.util.Map; @@ -30,9 +32,9 @@ import static com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility.NONE; import static com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility.PUBLIC_ONLY; -@JsonAutoDetect(getterVisibility=PUBLIC_ONLY, setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE) -@JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL) -@JsonIgnoreProperties(ignoreUnknown=true) +@JsonAutoDetect(getterVisibility = PUBLIC_ONLY, setterVisibility = PUBLIC_ONLY, fieldVisibility = NONE) +@JsonInclude(JsonInclude.Include.NON_NULL) +@JsonIgnoreProperties(ignoreUnknown = true) @XmlRootElement @XmlAccessorType(XmlAccessType.PROPERTY) public class AtlasSimpleAuthzPolicy implements Serializable { @@ -42,7 +44,6 @@ public class AtlasSimpleAuthzPolicy implements Serializable { private Map> userRoles; private Map> groupRoles; - public Map getRoles() { return roles; } @@ -67,10 +68,9 @@ public void setGroupRoles(Map> groupRoles) { this.groupRoles = groupRoles; } - - @JsonAutoDetect(getterVisibility=PUBLIC_ONLY, setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE) - @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL) - @JsonIgnoreProperties(ignoreUnknown=true) + @JsonAutoDetect(getterVisibility = PUBLIC_ONLY, setterVisibility = PUBLIC_ONLY, fieldVisibility = NONE) + @JsonInclude(JsonInclude.Include.NON_NULL) + @JsonIgnoreProperties(ignoreUnknown = true) @XmlRootElement @XmlAccessorType(XmlAccessType.PROPERTY) public static class AtlasAuthzRole implements Serializable { @@ -122,12 +122,11 @@ public List getRelationshipPermissions() { public void setRelationshipPermissions(List relationshipPermissions) { this.relationshipPermissions = relationshipPermissions; } - } - @JsonAutoDetect(getterVisibility=PUBLIC_ONLY, setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE) - @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL) - @JsonIgnoreProperties(ignoreUnknown=true) + @JsonAutoDetect(getterVisibility = PUBLIC_ONLY, setterVisibility = PUBLIC_ONLY, fieldVisibility = NONE) + @JsonInclude(JsonInclude.Include.NON_NULL) + @JsonIgnoreProperties(ignoreUnknown = true) @XmlRootElement @XmlAccessorType(XmlAccessType.PROPERTY) public static class AtlasAdminPermission implements Serializable { @@ -151,9 +150,9 @@ public void setPrivileges(List privileges) { } } - @JsonAutoDetect(getterVisibility=PUBLIC_ONLY, setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE) - @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL) - @JsonIgnoreProperties(ignoreUnknown=true) + @JsonAutoDetect(getterVisibility = PUBLIC_ONLY, setterVisibility = PUBLIC_ONLY, fieldVisibility = NONE) + @JsonInclude(JsonInclude.Include.NON_NULL) + @JsonIgnoreProperties(ignoreUnknown = true) @XmlRootElement @XmlAccessorType(XmlAccessType.PROPERTY) public static class AtlasTypePermission implements Serializable { @@ -197,9 +196,9 @@ public void setTypeNames(List typeNames) { } } - @JsonAutoDetect(getterVisibility=PUBLIC_ONLY, setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE) - @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL) - @JsonIgnoreProperties(ignoreUnknown=true) + @JsonAutoDetect(getterVisibility = PUBLIC_ONLY, setterVisibility = PUBLIC_ONLY, fieldVisibility = NONE) + @JsonInclude(JsonInclude.Include.NON_NULL) + @JsonIgnoreProperties(ignoreUnknown = true) @XmlRootElement @XmlAccessorType(XmlAccessType.PROPERTY) public static class AtlasEntityPermission implements Serializable { @@ -297,10 +296,9 @@ public void setClassifications(List classifications) { } } - - @JsonAutoDetect(getterVisibility=PUBLIC_ONLY, setterVisibility=PUBLIC_ONLY, fieldVisibility=NONE) - @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL) - @JsonIgnoreProperties(ignoreUnknown=true) + @JsonAutoDetect(getterVisibility = PUBLIC_ONLY, setterVisibility = PUBLIC_ONLY, fieldVisibility = NONE) + @JsonInclude(JsonInclude.Include.NON_NULL) + @JsonIgnoreProperties(ignoreUnknown = true) @XmlRootElement @XmlAccessorType(XmlAccessType.PROPERTY) public static class AtlasRelationshipPermission implements Serializable { @@ -315,7 +313,6 @@ public static class AtlasRelationshipPermission implements Serializable { private List end2EntityId; // value of end2 entity-unique attribute, wildcards supported private List end2EntityClassification; // name of end2 classification-type, wildcards supported - public AtlasRelationshipPermission() { } diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzUpdateTool.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzUpdateTool.java index fddde986be..83f3786a82 100644 --- a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzUpdateTool.java +++ b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthzUpdateTool.java @@ -1,13 +1,14 @@ -/** Licensed to the Apache Software Foundation (ASF) under one +/** + * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -17,52 +18,46 @@ package org.apache.atlas.authorize.simple; -import java.io.IOException; +import com.fasterxml.jackson.databind.JsonNode; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.fasterxml.jackson.databind.SerializationFeature; +import org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.AtlasAuthzRole; +import org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy.AtlasRelationshipPermission; import java.io.File; +import java.io.IOException; import java.nio.file.Files; import java.nio.file.Paths; - import java.util.ArrayList; +import java.util.Collections; import java.util.List; -import com.fasterxml.jackson.databind.ObjectMapper; -import com.fasterxml.jackson.databind.*; -import com.fasterxml.jackson.databind.SerializationFeature; - public class AtlasSimpleAuthzUpdateTool { - + private AtlasSimpleAuthzUpdateTool() { + // to block instantiation + } public static void main(String[] args) { - - if (args != null & args.length > 0) { + if (args != null && args.length > 0) { updateSimpleAuthzJsonWithRelationshipPermissions(args[0]); } else { System.out.println("Provide Atlas conf path"); } - } - public static void updateSimpleAuthzJsonWithRelationshipPermissions(String jsonConfPath) { - - List wildCard = new ArrayList(); - wildCard.add(".*"); + List wildCard = new ArrayList<>(Collections.singletonList(".*")); try { - - ObjectMapper mapper = new ObjectMapper(); - AtlasSimpleAuthzPolicy authzPolicy = mapper.readValue(new File(jsonConfPath + "/atlas-simple-authz-policy.json"), AtlasSimpleAuthzPolicy.class); - - - AtlasSimpleAuthzPolicy.AtlasAuthzRole dataAdmin = authzPolicy.getRoles().get("ROLE_ADMIN"); - boolean permissionUpdated = false; - + ObjectMapper mapper = new ObjectMapper(); + AtlasSimpleAuthzPolicy authzPolicy = mapper.readValue(new File(jsonConfPath + "/atlas-simple-authz-policy.json"), AtlasSimpleAuthzPolicy.class); + AtlasAuthzRole dataAdmin = authzPolicy.getRoles().get("ROLE_ADMIN"); + boolean permissionUpdated = false; if (dataAdmin != null && dataAdmin.getRelationshipPermissions() == null) { - AtlasSimpleAuthzPolicy.AtlasRelationshipPermission relationshipPermissions = new AtlasSimpleAuthzPolicy.AtlasRelationshipPermission(); - relationshipPermissions.setPrivileges(wildCard); + AtlasRelationshipPermission relationshipPermissions = new AtlasRelationshipPermission(); + relationshipPermissions.setPrivileges(wildCard); relationshipPermissions.setRelationshipTypes(wildCard); relationshipPermissions.setEnd1EntityClassification(wildCard); @@ -73,25 +68,23 @@ public static void updateSimpleAuthzJsonWithRelationshipPermissions(String jsonC relationshipPermissions.setEnd2EntityId(wildCard); relationshipPermissions.setEnd2EntityType(wildCard); - List relationshipPermissionsList = new ArrayList(); - - - relationshipPermissionsList.add(relationshipPermissions); + List relationshipPermissionsList = new ArrayList<>(Collections.singletonList(relationshipPermissions)); dataAdmin.setRelationshipPermissions(relationshipPermissionsList); + permissionUpdated = true; } - - AtlasSimpleAuthzPolicy.AtlasAuthzRole dataSteward = authzPolicy.getRoles().get("DATA_STEWARD"); - List permissiondataSteward = new ArrayList(); + AtlasAuthzRole dataSteward = authzPolicy.getRoles().get("DATA_STEWARD"); + List permissiondataSteward = new ArrayList<>(); permissiondataSteward.add("add-relationship"); permissiondataSteward.add("update-relationship"); permissiondataSteward.add("remove-relationship"); if (dataSteward != null && dataSteward.getRelationshipPermissions() == null) { - AtlasSimpleAuthzPolicy.AtlasRelationshipPermission relationshipPermissions = new AtlasSimpleAuthzPolicy.AtlasRelationshipPermission(); + AtlasRelationshipPermission relationshipPermissions = new AtlasRelationshipPermission(); + relationshipPermissions.setPrivileges(permissiondataSteward); relationshipPermissions.setRelationshipTypes(wildCard); @@ -103,29 +96,26 @@ public static void updateSimpleAuthzJsonWithRelationshipPermissions(String jsonC relationshipPermissions.setEnd2EntityId(wildCard); relationshipPermissions.setEnd2EntityType(wildCard); + List relationshipPermissionsList = new ArrayList<>(Collections.singletonList(relationshipPermissions)); - List relationshipPermissionsList = new ArrayList(); - relationshipPermissionsList.add(relationshipPermissions); dataSteward.setRelationshipPermissions(relationshipPermissionsList); + permissionUpdated = true; } - if(permissionUpdated) { + if (permissionUpdated) { writeUsingFiles(jsonConfPath + "/atlas-simple-authz-policy.json", toJson(authzPolicy, mapper)); } - - } catch (Exception e) { System.err.println(" Error while updating JSON " + e.getMessage()); } - } - public static String toJson(Object obj, ObjectMapper mapper) { mapper.enable(SerializationFeature.INDENT_OUTPUT); // to beautify json String ret; + try { if (obj instanceof JsonNode && ((JsonNode) obj).isTextual()) { ret = ((JsonNode) obj).textValue(); @@ -133,18 +123,17 @@ public static String toJson(Object obj, ObjectMapper mapper) { ret = mapper.writeValueAsString(obj); } } catch (IOException e) { - ret = null; } + return ret; } - private static void writeUsingFiles(String file, String data) { try { - Files.write(Paths.get( file ), data.getBytes()); + Files.write(Paths.get(file), data.getBytes()); } catch (IOException e) { System.err.println(" Error while writeUsingFiles JSON " + e.getMessage()); } } -} \ No newline at end of file +} diff --git a/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizerTest.java b/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizerTest.java index 8d38ebe8cb..406af0f7f4 100644 --- a/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizerTest.java +++ b/authorization/src/test/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizerTest.java @@ -16,16 +16,22 @@ */ package org.apache.atlas.authorize.simple; -import org.apache.atlas.authorize.*; +import org.apache.atlas.authorize.AtlasAccessRequest; +import org.apache.atlas.authorize.AtlasAuthorizationException; +import org.apache.atlas.authorize.AtlasAuthorizer; +import org.apache.atlas.authorize.AtlasAuthorizerFactory; +import org.apache.atlas.authorize.AtlasEntityAccessRequest; +import org.apache.atlas.authorize.AtlasPrivilege; import org.apache.atlas.model.instance.AtlasClassification; import org.apache.atlas.model.instance.AtlasEntityHeader; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.testng.AssertJUnit; import org.testng.annotations.AfterClass; import org.testng.annotations.BeforeMethod; import org.testng.annotations.Test; -import org.testng.AssertJUnit; +import java.util.ArrayList; import java.util.Arrays; import java.util.Collections; import java.util.HashMap; @@ -34,7 +40,7 @@ import java.util.Set; public class AtlasSimpleAuthorizerTest { - private static Logger LOG = LoggerFactory.getLogger(AtlasSimpleAuthorizerTest.class); + private static final Logger LOG = LoggerFactory.getLogger(AtlasSimpleAuthorizerTest.class); private static final String USER_ADMIN = "admin"; private static final String USER_DATA_SCIENTIST = "dataScientist"; @@ -45,29 +51,9 @@ public class AtlasSimpleAuthorizerTest { private static final String USER_IN_ADMIN_GROUP = "admin-group-user"; private static final String USER_IN_UNKNOWN_GROUP = "unknown-group-user"; - private static final Map> USER_GROUPS = new HashMap>() {{ - put(USER_ADMIN, Collections.singleton("ROLE_ADMIN")); - put(USER_DATA_STEWARD, Collections.emptySet()); - put(USER_DATA_SCIENTIST, Collections.emptySet()); - put(USER_DATA_STEWARD_EX, Collections.singleton("DATA_STEWARD_EX")); - put(USER_FINANCE, Collections.singleton("FINANCE")); - put(USER_FINANCE_PII, Collections.singleton("FINANCE_PII")); - put(USER_IN_ADMIN_GROUP, Collections.singleton("ROLE_ADMIN")); - put(USER_IN_UNKNOWN_GROUP, Collections.singleton("UNKNOWN_GROUP")); - }}; - - private static final List ENTITY_PRIVILEGES = Arrays.asList(AtlasPrivilege.ENTITY_CREATE, - AtlasPrivilege.ENTITY_UPDATE, - AtlasPrivilege.ENTITY_READ, - AtlasPrivilege.ENTITY_ADD_CLASSIFICATION, - AtlasPrivilege.ENTITY_UPDATE_CLASSIFICATION, - AtlasPrivilege.ENTITY_REMOVE_CLASSIFICATION, - AtlasPrivilege.ENTITY_READ_CLASSIFICATION, - AtlasPrivilege.ENTITY_ADD_LABEL, - AtlasPrivilege.ENTITY_REMOVE_LABEL, - AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA); - - private static final List LABEL_PRIVILEGES = Arrays.asList(AtlasPrivilege.ENTITY_ADD_LABEL, AtlasPrivilege.ENTITY_REMOVE_LABEL); + private static final Map> USER_GROUPS = new HashMap<>(); + private static final List ENTITY_PRIVILEGES = new ArrayList<>(); + private static final List LABEL_PRIVILEGES = new ArrayList<>(); private String originalConf; private AtlasAuthorizer authorizer; @@ -94,7 +80,7 @@ public void tearDown() throws Exception { authorizer = null; } - @Test(enabled = true) + @Test public void testAllAllowedForAdminUser() { try { for (AtlasPrivilege privilege : AtlasPrivilege.values()) { @@ -104,7 +90,7 @@ public void testAllAllowedForAdminUser() { boolean isAccessAllowed = authorizer.isAccessAllowed(request); - AssertJUnit.assertEquals(privilege.name() + " should have been allowed for user " + USER_DATA_SCIENTIST, true, isAccessAllowed); + AssertJUnit.assertTrue(privilege.name() + " should have been allowed for user " + USER_DATA_SCIENTIST, isAccessAllowed); } } catch (Exception e) { LOG.error("Exception in AtlasSimpleAuthorizerTest", e); @@ -113,16 +99,16 @@ public void testAllAllowedForAdminUser() { } } - @Test(enabled = true) + @Test public void testAddPIIForStewardExUser() { try { - AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null , AtlasPrivilege.ENTITY_ADD_CLASSIFICATION, null, new AtlasClassification("PII")); + AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_ADD_CLASSIFICATION, null, new AtlasClassification("PII")); setUser(request, USER_DATA_STEWARD_EX); boolean isAccessAllowed = authorizer.isAccessAllowed(request); - AssertJUnit.assertEquals("user " + USER_DATA_STEWARD_EX + " should have been allowed to add PII", true, isAccessAllowed); + AssertJUnit.assertTrue("user " + USER_DATA_STEWARD_EX + " should have been allowed to add PII", isAccessAllowed); } catch (Exception e) { LOG.error("Exception in AtlasSimpleAuthorizerTest", e); @@ -130,11 +116,11 @@ public void testAddPIIForStewardExUser() { } } - @Test(enabled = true) + @Test public void testAddClassificationOnEntityWithClassificationForStewardExUser() { try { - AtlasEntityHeader entityHeader = new AtlasEntityHeader(); + entityHeader.setClassifications(Arrays.asList(new AtlasClassification("PII_1"), new AtlasClassification("PII_2"))); AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_ADD_CLASSIFICATION, entityHeader, new AtlasClassification("PII")); @@ -143,7 +129,7 @@ public void testAddClassificationOnEntityWithClassificationForStewardExUser() { boolean isAccessAllowed = authorizer.isAccessAllowed(request); - AssertJUnit.assertEquals("user " + USER_DATA_STEWARD_EX + " should have been allowed to add PII", true, isAccessAllowed); + AssertJUnit.assertTrue("user " + USER_DATA_STEWARD_EX + " should have been allowed to add PII", isAccessAllowed); } catch (Exception e) { LOG.error("Exception in AtlasSimpleAuthorizerTest", e); @@ -151,11 +137,11 @@ public void testAddClassificationOnEntityWithClassificationForStewardExUser() { } } - @Test(enabled = true) + @Test public void testAddClassificationOnEntityWithClassificationForStewardExUserShouldFail() { try { - AtlasEntityHeader entityHeader = new AtlasEntityHeader(); + entityHeader.setClassifications(Arrays.asList(new AtlasClassification("TAG1"), new AtlasClassification("TAG2"))); AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_ADD_CLASSIFICATION, entityHeader, new AtlasClassification("PII")); @@ -164,7 +150,7 @@ public void testAddClassificationOnEntityWithClassificationForStewardExUserShoul boolean isAccessAllowed = authorizer.isAccessAllowed(request); - AssertJUnit.assertEquals("user " + USER_DATA_STEWARD_EX + " should have not been allowed to add PII on entity with TAG1,TAG2 classification ", false, isAccessAllowed); + AssertJUnit.assertFalse("user " + USER_DATA_STEWARD_EX + " should have not been allowed to add PII on entity with TAG1,TAG2 classification ", isAccessAllowed); } catch (Exception e) { LOG.error("Exception in AtlasSimpleAuthorizerTest", e); @@ -172,16 +158,16 @@ public void testAddClassificationOnEntityWithClassificationForStewardExUserShoul } } - @Test(enabled = true) + @Test public void testAddPIIForStewardUser() { try { - AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null , AtlasPrivilege.ENTITY_ADD_CLASSIFICATION, null, new AtlasClassification("PII")); + AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_ADD_CLASSIFICATION, null, new AtlasClassification("PII")); setUser(request, USER_DATA_STEWARD); boolean isAccessAllowed = authorizer.isAccessAllowed(request); - AssertJUnit.assertEquals("user " + USER_DATA_STEWARD + " should not have been allowed to add PII", false, isAccessAllowed); + AssertJUnit.assertFalse("user " + USER_DATA_STEWARD + " should not have been allowed to add PII", isAccessAllowed); } catch (Exception e) { LOG.error("Exception in AtlasSimpleAuthorizerTest", e); @@ -189,12 +175,12 @@ public void testAddPIIForStewardUser() { } } - @Test(enabled = true) + @Test public void testFinancePIIEntityAccessForFinancePIIUser() { try { - AtlasEntityHeader entity = new AtlasEntityHeader() {{ - setClassifications(Arrays.asList(new AtlasClassification("FINANCE"), new AtlasClassification("PII"))); - }}; + AtlasEntityHeader entity = new AtlasEntityHeader(); + + entity.setClassifications(Arrays.asList(new AtlasClassification("FINANCE"), new AtlasClassification("PII"))); for (AtlasPrivilege privilege : ENTITY_PRIVILEGES) { AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, privilege, entity, new AtlasClassification("PII")); @@ -203,7 +189,7 @@ public void testFinancePIIEntityAccessForFinancePIIUser() { boolean isAccessAllowed = authorizer.isAccessAllowed(request); - AssertJUnit.assertEquals("user " + USER_FINANCE_PII + " should have been allowed " + privilege + " on entity with FINANCE & PII", true, isAccessAllowed); + AssertJUnit.assertTrue("user " + USER_FINANCE_PII + " should have been allowed " + privilege + " on entity with FINANCE & PII", isAccessAllowed); } } catch (Exception e) { LOG.error("Exception in AtlasSimpleAuthorizerTest", e); @@ -212,12 +198,12 @@ public void testFinancePIIEntityAccessForFinancePIIUser() { } } - @Test(enabled = true) + @Test public void testFinancePIIEntityAccessForFinanceUser() { try { - AtlasEntityHeader entity = new AtlasEntityHeader() {{ - setClassifications(Arrays.asList(new AtlasClassification("FINANCE"), new AtlasClassification("PII"))); - }}; + AtlasEntityHeader entity = new AtlasEntityHeader(); + + entity.setClassifications(Arrays.asList(new AtlasClassification("FINANCE"), new AtlasClassification("PII"))); for (AtlasPrivilege privilege : ENTITY_PRIVILEGES) { AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, privilege, entity, new AtlasClassification("PII")); @@ -226,7 +212,7 @@ public void testFinancePIIEntityAccessForFinanceUser() { boolean isAccessAllowed = authorizer.isAccessAllowed(request); - AssertJUnit.assertEquals("user " + USER_FINANCE + " should not have been allowed " + privilege + " on entity with FINANCE & PII", false, isAccessAllowed); + AssertJUnit.assertFalse("user " + USER_FINANCE + " should not have been allowed " + privilege + " on entity with FINANCE & PII", isAccessAllowed); } } catch (Exception e) { LOG.error("Exception in AtlasSimpleAuthorizerTest", e); @@ -235,12 +221,12 @@ public void testFinancePIIEntityAccessForFinanceUser() { } } - @Test(enabled = true) + @Test public void testFinanceEntityAccess() { try { - AtlasEntityHeader entity = new AtlasEntityHeader() {{ - setClassifications(Arrays.asList(new AtlasClassification("FINANCE"))); - }}; + AtlasEntityHeader entity = new AtlasEntityHeader(); + + entity.setClassifications(Collections.singletonList(new AtlasClassification("FINANCE"))); for (String userName : Arrays.asList(USER_FINANCE_PII, USER_FINANCE)) { for (AtlasPrivilege privilege : ENTITY_PRIVILEGES) { @@ -250,7 +236,7 @@ public void testFinanceEntityAccess() { boolean isAccessAllowed = authorizer.isAccessAllowed(request); - AssertJUnit.assertEquals("user " + userName + " should have been allowed " + privilege + " on entity with FINANCE", true, isAccessAllowed); + AssertJUnit.assertTrue("user " + userName + " should have been allowed " + privilege + " on entity with FINANCE", isAccessAllowed); } } } catch (Exception e) { @@ -260,7 +246,7 @@ public void testFinanceEntityAccess() { } } - @Test(enabled = true) + @Test public void testAccessForUserInAdminGroup() { try { AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_UPDATE); @@ -269,7 +255,7 @@ public void testAccessForUserInAdminGroup() { boolean isAccessAllowed = authorizer.isAccessAllowed(request); - AssertJUnit.assertEquals("user " + USER_IN_ADMIN_GROUP + " should have been allowed " + AtlasPrivilege.ENTITY_UPDATE, true, isAccessAllowed); + AssertJUnit.assertTrue("user " + USER_IN_ADMIN_GROUP + " should have been allowed " + AtlasPrivilege.ENTITY_UPDATE, isAccessAllowed); } catch (AtlasAuthorizationException e) { LOG.error("Exception in AtlasSimpleAuthorizerTest", e); @@ -277,7 +263,7 @@ public void testAccessForUserInAdminGroup() { } } - @Test(enabled = true) + @Test public void testAccessForUserInUnknownGroup() { try { AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_UPDATE); @@ -286,7 +272,7 @@ public void testAccessForUserInUnknownGroup() { boolean isAccessAllowed = authorizer.isAccessAllowed(request); - AssertJUnit.assertEquals("user " + USER_IN_UNKNOWN_GROUP + " should not have been allowed " + AtlasPrivilege.ENTITY_UPDATE, false, isAccessAllowed); + AssertJUnit.assertFalse("user " + USER_IN_UNKNOWN_GROUP + " should not have been allowed " + AtlasPrivilege.ENTITY_UPDATE, isAccessAllowed); } catch (AtlasAuthorizationException e) { LOG.error("Exception in AtlasSimpleAuthorizerTest", e); @@ -294,7 +280,7 @@ public void testAccessForUserInUnknownGroup() { } } - @Test(enabled = true) + @Test public void testLabels() { try { for (AtlasPrivilege privilege : LABEL_PRIVILEGES) { @@ -305,7 +291,7 @@ public void testLabels() { boolean isAccessAllowed = authorizer.isAccessAllowed(request); - AssertJUnit.assertEquals("user " + userName + " should not have been allowed " + privilege, false, isAccessAllowed); + AssertJUnit.assertFalse("user " + userName + " should not have been allowed " + privilege, isAccessAllowed); } AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, privilege); @@ -314,7 +300,7 @@ public void testLabels() { boolean isAccessAllowed = authorizer.isAccessAllowed(request); - AssertJUnit.assertEquals("user " + USER_DATA_STEWARD_EX + " should have been allowed " + privilege, true, isAccessAllowed); + AssertJUnit.assertTrue("user " + USER_DATA_STEWARD_EX + " should have been allowed " + privilege, isAccessAllowed); } } catch (AtlasAuthorizationException e) { LOG.error("Exception in AtlasSimpleAuthorizerTest", e); @@ -323,7 +309,7 @@ public void testLabels() { } } - @Test(enabled = true) + @Test public void testBusinessMetadata() { try { for (String userName : Arrays.asList(USER_DATA_SCIENTIST, USER_DATA_STEWARD)) { @@ -333,7 +319,7 @@ public void testBusinessMetadata() { boolean isAccessAllowed = authorizer.isAccessAllowed(request); - AssertJUnit.assertEquals("user " + userName + " should not have been allowed " + AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA, false, isAccessAllowed); + AssertJUnit.assertFalse("user " + userName + " should not have been allowed " + AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA, isAccessAllowed); } AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(null, AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA); @@ -342,7 +328,7 @@ public void testBusinessMetadata() { boolean isAccessAllowed = authorizer.isAccessAllowed(request); - AssertJUnit.assertEquals("user " + USER_DATA_STEWARD_EX + " should have been allowed " + AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA, true, isAccessAllowed); + AssertJUnit.assertTrue("user " + USER_DATA_STEWARD_EX + " should have been allowed " + AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA, isAccessAllowed); } catch (AtlasAuthorizationException e) { LOG.error("Exception in AtlasSimpleAuthorizerTest", e); @@ -355,4 +341,29 @@ private void setUser(AtlasAccessRequest request, String userName) { request.setUser(userName, userGroups != null ? userGroups : Collections.emptySet()); } + + static { + USER_GROUPS.put(USER_ADMIN, Collections.singleton("ROLE_ADMIN")); + USER_GROUPS.put(USER_DATA_STEWARD, Collections.emptySet()); + USER_GROUPS.put(USER_DATA_SCIENTIST, Collections.emptySet()); + USER_GROUPS.put(USER_DATA_STEWARD_EX, Collections.singleton("DATA_STEWARD_EX")); + USER_GROUPS.put(USER_FINANCE, Collections.singleton("FINANCE")); + USER_GROUPS.put(USER_FINANCE_PII, Collections.singleton("FINANCE_PII")); + USER_GROUPS.put(USER_IN_ADMIN_GROUP, Collections.singleton("ROLE_ADMIN")); + USER_GROUPS.put(USER_IN_UNKNOWN_GROUP, Collections.singleton("UNKNOWN_GROUP")); + + ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_CREATE); + ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_UPDATE); + ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_READ); + ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_ADD_CLASSIFICATION); + ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_UPDATE_CLASSIFICATION); + ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_REMOVE_CLASSIFICATION); + ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_READ_CLASSIFICATION); + ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_ADD_LABEL); + ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_REMOVE_LABEL); + ENTITY_PRIVILEGES.add(AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA); + + LABEL_PRIVILEGES.add(AtlasPrivilege.ENTITY_ADD_LABEL); + LABEL_PRIVILEGES.add(AtlasPrivilege.ENTITY_REMOVE_LABEL); + } }