feat: add policies for feature flag

atlanhq · May 6, 2024 · 21d33fd · 21d33fd
1 parent b8a0f44
commit 21d33fd
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 3 deletions.
diff --git a/addons/policies/bootstrap_admin_policies.json b/addons/policies/bootstrap_admin_policies.json
@@ -49,6 +49,31 @@
           "admin-task-cud"
         ]
       }
+    },
+    {
+      "typeName": "AuthPolicy",
+      "attributes": {
+        "name": "ADMIN_ALLOW_FEATURE_FLAG_CUD",
+        "qualifiedName": "ADMIN_ALLOW_FEATURE_FLAG_CUD",
+        "policyCategory": "bootstrap",
+        "policySubCategory": "default",
+        "policyServiceName": "atlas",
+        "policyType": "allow",
+        "policyPriority": 1,
+        "policyUsers": [
+          "service-account-atlan-argo",
+          "service-account-atlan-backend"
+        ],
+        "policyGroups": [],
+        "policyRoles": [],
+        "policyResourceCategory": "ADMIN",
+        "policyResources": [
+          "atlas-service:*"
+        ],
+        "policyActions": [
+          "admin-featureFlag-cud"
+        ]
+      }
     }
   ]
 }
diff --git a/auth-agents-common/src/main/resources/service-defs/atlas-servicedef-atlas.json b/auth-agents-common/src/main/resources/service-defs/atlas-servicedef-atlas.json
@@ -450,6 +450,11 @@
 			"itemId": 24,
 			"name": "admin-task-cud",
 			"label": "Admin task CUD API"
+		},
+		{
+			"itemId": 25,
+			"name": "admin-featureFlag-cud",
+			"label": "Admin featureflag CUD API"
 		}
 
 	],

diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java
@@ -51,7 +51,9 @@ public enum AtlasPrivilege {
      ADMIN_ENTITY_AUDITS("admin-entity-audits"),
      ADMIN_REPAIR_INDEX("admin-repair-index"),
 
-     ADMIN_TASK_CUD("admin-task-cud");
+     ADMIN_TASK_CUD("admin-task-cud"),
+
+     ADMIN_FEATURE_FLAG_CUD("admin-featureFlag-cud");
      private final String type;
 
      AtlasPrivilege(String actionType){

diff --git a/webapp/src/main/java/org/apache/atlas/web/resources/AdminResource.java b/webapp/src/main/java/org/apache/atlas/web/resources/AdminResource.java
@@ -934,14 +934,16 @@ public Map getDebugMetrics() {
     @POST
     @Path("featureFlag")
     @Produces(MediaType.APPLICATION_JSON)
-    public void setFeatureFlag(@QueryParam("key") String key, @QueryParam("value") String value) {
+    public void setFeatureFlag(@QueryParam("key") String key, @QueryParam("value") String value) throws AtlasBaseException {
+        AtlasAuthorizationUtils.verifyAccess(new AtlasAdminAccessRequest(AtlasPrivilege.ADMIN_FEATURE_FLAG_CUD), "featureFlag");
         FeatureFlagStore.setFlag(key, value);
     }
 
     @DELETE
     @Path("featureFlag/{flag}")
     @Produces(MediaType.APPLICATION_JSON)
-    public void deleteFeatureFlag(@PathParam("flag") String key) {
+    public void deleteFeatureFlag(@PathParam("flag") String key) throws AtlasBaseException {
+        AtlasAuthorizationUtils.verifyAccess(new AtlasAdminAccessRequest(AtlasPrivilege.ADMIN_FEATURE_FLAG_CUD), "featureFlag");
         FeatureFlagStore.deleteFlag(key);
     }
     private String getEditableEntityTypes(Configuration config) {