Added authz to repair index endpoint

atlanhq · Jun 27, 2023 · 91f1a08 · 91f1a08
1 parent 7f85c21
commit 91f1a08
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 8 deletions.
diff --git a/addons/policies/bootstrap_entity_policies.json b/addons/policies/bootstrap_entity_policies.json
@@ -2860,6 +2860,31 @@
                     "entity-update"
                 ]
             }
+        },
+        {
+            "typeName": "AuthPolicy",
+            "attributes": {
+                "name": "RUN_REPAIR_INDEX",
+                "qualifiedName": "RUN_REPAIR_INDEX",
+                "policyCategory": "bootstrap",
+                "policySubCategory": "default",
+                "policyServiceName": "atlas",
+                "policyType": "allow",
+                "policyPriority": 1,
+                "policyUsers": [
+                    "service-account-atlan-argo",
+                    "service-account-atlan-backend"
+                ],
+                "policyGroups": [],
+                "policyRoles": [],
+                "policyResourceCategory": "ADMIN",
+                "policyResources": [
+                    "atlas-service:*"
+                ],
+                "policyActions": [
+                    "admin-repair-index"
+                ]
+            }
         }
     ]
 }
diff --git a/auth-agents-common/src/main/resources/service-defs/atlas-servicedef-atlas.json b/auth-agents-common/src/main/resources/service-defs/atlas-servicedef-atlas.json
@@ -115,7 +115,7 @@
 			},
 			"label": "Atlas Service",
 			"description": "Atlas Service",
-			"accessTypeRestrictions": ["admin-import", "admin-export", "admin-purge", "admin-audits", "admin-entity-audits"]
+			"accessTypeRestrictions": ["admin-import", "admin-export", "admin-purge", "admin-audits", "admin-entity-audits", "admin-repair-index"]
 		},
 		{
 			"itemId": 7,
@@ -440,7 +440,13 @@
 			"itemId": 22,
 			"name": "admin-entity-audits",
 			"label": "Admin Entity Audits"
+		},
+		{
+			"itemId": 23,
+			"name": "admin-repair-index",
+			"label": "Admin Repair Index"
 		}
+
 	],
 	"configs": [
 		{

diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasPrivilege.java
@@ -48,7 +48,8 @@ public enum AtlasPrivilege {
 
      ADMIN_AUDITS("admin-audits"),
 
-     ADMIN_ENTITY_AUDITS("admin-entity-audits");
+     ADMIN_ENTITY_AUDITS("admin-entity-audits"),
+     ADMIN_REPAIR_INDEX("admin-repair-index");
 
      private final String type;
 

diff --git a/tools/atlas-index-repair/src/main/java/org/apache/atlas/tools/RepairIndex.java b/tools/atlas-index-repair/src/main/java/org/apache/atlas/tools/RepairIndex.java
@@ -266,12 +266,11 @@ public void restoreSelective(String guid, Map<String, AtlasEntity> referredEntit
         IndexSerializer indexSerializer = janusGraph.getIndexSerializer();
 
         for (String indexName : getIndexes()) {
-            displayCrlf("Restoring: " + indexName);
+            LOG.info("Restoring: " + indexName);
             long startTime = System.currentTimeMillis();
             reindexVertex(indexName, indexSerializer, referencedGUIDs);
 
-            display(": Time taken: " + (System.currentTimeMillis() - startTime) + " ms");
-            displayCrlf(": Done!");
+            LOG.info(": Time taken: " + (System.currentTimeMillis() - startTime) + " ms");
         }
     }
 
@@ -281,12 +280,12 @@ public void restoreByIds(Set<String> guids) throws Exception {
         IndexSerializer indexSerializer = janusGraph.getIndexSerializer();
 
         for (String indexName : getIndexes()) {
-//            displayCrlf("Restoring: " + indexName);
+            LOG.info("Restoring: " + indexName);
             long startTime = System.currentTimeMillis();
             reindexVertex(indexName, indexSerializer, guids);
 
-//            display(": Time taken: " + (System.currentTimeMillis() - startTime) + " ms");
-//            displayCrlf(": Done!");
+            LOG.info(": Time taken: " + (System.currentTimeMillis() - startTime) + " ms");
+            LOG.info(": Done!");
         }
     }
 }
diff --git a/webapp/src/main/java/org/apache/atlas/web/rest/EntityREST.java b/webapp/src/main/java/org/apache/atlas/web/rest/EntityREST.java
@@ -1805,6 +1805,8 @@ private void validateEntityForAccessors(String guid, String qualifiedName, Strin
     public void repairEntityIndex(@PathParam("guid") String guid) throws AtlasBaseException {
         Servlets.validateQueryParamLength("guid", guid);
 
+        AtlasAuthorizationUtils.verifyAccess(new AtlasAdminAccessRequest(AtlasPrivilege.ADMIN_REPAIR_INDEX), "Admin Repair Index");
+
         AtlasPerfTracer perf = null;
 
         try {
@@ -1839,6 +1841,8 @@ public void repairIndexByTypeName(@PathParam("typename") String typename, @Query
                 perf = AtlasPerfTracer.getPerfTracer(PERF_LOG, "EntityREST.repairAllEntitiesIndex");
             }
 
+            AtlasAuthorizationUtils.verifyAccess(new AtlasAdminAccessRequest(AtlasPrivilege.ADMIN_REPAIR_INDEX), "Admin Repair Index");
+
             RepairIndex repairIndex = new RepairIndex();
             repairIndex.setupGraph();