From 17a945fbe2e17e878390e8b771b3bf95864126cb Mon Sep 17 00:00:00 2001
From: ankitpatnaik-atlan
Date: Tue, 28 Jan 2025 13:49:55 +0530
Subject: [PATCH 1/5] mesh-370: new asset create flow
---
 .../v2/preprocessor/AssetPreProcessor.java | 51 ++++++++++++++-----
 1 file changed, 37 insertions(+), 14 deletions(-)
diff --git a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/AssetPreProcessor.java b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/AssetPreProcessor.java
index 791b19fca8..c70d634e8c 100644
--- a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/AssetPreProcessor.java
+++ b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/AssetPreProcessor.java
@@ -56,36 +56,39 @@ public void processAttributes(AtlasStruct entityStruct, EntityMutationContext co
 switch (operation) {
 case CREATE:
- processCreateAsset(entity, vertex);
+ processCreateAsset(entity, vertex, operation);
 break;
 case UPDATE:
- processUpdateAsset(entity, vertex);
+ processUpdateAsset(entity, vertex, operation);
+ break;
+ case DELETE:
+ processDelete(vertex);
 break;
 }
 }
- private void processCreateAsset(AtlasEntity entity, AtlasVertex vertex) throws AtlasBaseException {
+ private void processCreateAsset(AtlasEntity entity, AtlasVertex vertex, EntityMutations.EntityOperation operation) throws AtlasBaseException {
 AtlasPerfMetrics.MetricRecorder metricRecorder = RequestContext.get().startMetricRecord("processCreateAsset");
- processDomainLinkAttribute(entity, vertex);
+ processDomainLinkAttribute(entity, vertex, operation);
 RequestContext.get().endMetricRecord(metricRecorder);
 }
- private void processUpdateAsset(AtlasEntity entity, AtlasVertex vertex) throws AtlasBaseException {
+ private void processUpdateAsset(AtlasEntity entity, AtlasVertex vertex, EntityMutations.EntityOperation operation) throws AtlasBaseException {
 AtlasPerfMetrics.MetricRecorder metricRecorder = RequestContext.get().startMetricRecord("processUpdateAsset");
- processDomainLinkAttribute(entity, vertex);
+ processDomainLinkAttribute(entity, vertex, operation);
 RequestContext.get().endMetricRecord(metricRecorder);
 }
- private void processDomainLinkAttribute(AtlasEntity entity, AtlasVertex vertex) throws AtlasBaseException {
+ private void processDomainLinkAttribute(AtlasEntity entity, AtlasVertex vertex, EntityMutations.EntityOperation operation) throws AtlasBaseException {
 if(entity.hasAttribute(DOMAIN_GUIDS)){
 validateDomainAssetLinks(entity);
- isAuthorized(vertex);
+ isAuthorized(vertex, operation);
 }
 }
@@ -116,16 +119,36 @@ private void validateDomainAssetLinks(AtlasEntity entity) throws AtlasBaseExcept
 }
 }
- private void isAuthorized(AtlasVertex vertex) throws AtlasBaseException {
+ @Override
+ public void processDelete(AtlasVertex vertex) throws AtlasBaseException {
+ //remove the domain link
+ if (vertex != null) {
+ vertex.removeProperty(DOMAIN_GUIDS);
+ }
+ }
+
+ private void isAuthorized(AtlasVertex vertex, EntityMutations.EntityOperation operation) throws AtlasBaseException {
 AtlasEntityHeader sourceEntity = retrieverNoRelation.toAtlasEntityHeaderWithClassifications(vertex);
- // source -> UPDATE + READ
- AtlasAuthorizationUtils.verifyAccess(new AtlasEntityAccessRequest(typeRegistry, AtlasPrivilege.ENTITY_UPDATE, sourceEntity),
- "update on source Entity, link/unlink operation denied: ", sourceEntity.getAttribute(NAME));
+ switch (operation) {
+ case CREATE:
+ // source -> CREATE + READ
+ AtlasAuthorizationUtils.verifyAccess(new AtlasEntityAccessRequest(typeRegistry, AtlasPrivilege.ENTITY_CREATE, sourceEntity),
+ "create on source Entity, link/unlink operation denied: ", sourceEntity.getAttribute(NAME));
+
+ break;
- AtlasAuthorizationUtils.verifyAccess(new AtlasEntityAccessRequest(typeRegistry, AtlasPrivilege.ENTITY_READ, sourceEntity),
- "read on source Entity, link/unlink operation denied: ", sourceEntity.getAttribute(NAME));
+ case UPDATE:
+ // source -> UPDATE + READ
+ AtlasAuthorizationUtils.verifyAccess(new AtlasEntityAccessRequest(typeRegistry, AtlasPrivilege.ENTITY_UPDATE, sourceEntity),
+ "update on source Entity, link/unlink operation denied: ", sourceEntity.getAttribute(NAME));
+ AtlasAuthorizationUtils.verifyAccess(new AtlasEntityAccessRequest(typeRegistry, AtlasPrivilege.ENTITY_READ, sourceEntity),
+ "read on source Entity, link/unlink operation denied: ", sourceEntity.getAttribute(NAME));
+ break;
+ }
 }
 }
+
+
From b4d74be8a587720dc2951209599bbd45e772dd78 Mon Sep 17 00:00:00 2001
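Review bot: The new `switch (operation)` in `isAuthorized` has no `default`, so any `EntityOperation` value other than CREATE or UPDATE leaves the method without a single `verifyAccess` call, and a silent allow is the wrong failure mode for an authorization helper; add `default: throw new IllegalStateException("unsupported operation: " + operation);` or fall back to the UPDATE + READ checks. The new `processDelete` strips `DOMAIN_GUIDS` from the vertex with no authorization check at all, unlike the CREATE/UPDATE paths that guard the same attribute, and the DELETE case added to `processAttributes` in the previous hunk dispatches into it (if the framework also calls `processDelete` as the overridden hook, the removal presumably runs twice). Both the switch and `processDelete` are removed again by PATCH 5/5 in this series, so the net effect is moot, but if a delete path comes back it needs the same `verifyAccess` guard. The CREATE branch still loads the header from `vertex`, which PATCH 3/5 changes; `isAuthorized` ends inside the hunk and the class continues after it.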
From: ankitpatnaik-atlan
Date: Mon, 3 Feb 2025 12:41:13 +0530
Subject: [PATCH 2/5] adding info logs
---
 .../apache/atlas/plugin/service/RangerBasePlugin.java | 2 ++
 .../atlas/authorizer/RangerAtlasAuthorizer.java | 9 +++++++++
 .../apache/atlas/authorize/AtlasAuthorizationUtils.java | 2 ++
 .../atlas/authorize/simple/AtlasSimpleAuthorizer.java | 2 ++
 4 files changed, 15 insertions(+)
diff --git a/auth-agents-common/src/main/java/org/apache/atlas/plugin/service/RangerBasePlugin.java b/auth-agents-common/src/main/java/org/apache/atlas/plugin/service/RangerBasePlugin.java
index fdf689c396..f0e008353f 100644
--- a/auth-agents-common/src/main/java/org/apache/atlas/plugin/service/RangerBasePlugin.java
+++ b/auth-agents-common/src/main/java/org/apache/atlas/plugin/service/RangerBasePlugin.java
@@ -476,6 +476,8 @@ public RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAcc
 if (policyEngine != null) {
 ret = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, null);
+ LOG.info("Policy engine is not null with the value " + policyEngine);
+ LOG.info("Policy engine evaluation result is " + ret);
 }
 if (ret != null) {
diff --git a/auth-plugin-atlas/src/main/java/org/apache/atlas/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b/auth-plugin-atlas/src/main/java/org/apache/atlas/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
index dd645b473b..42b865a94b 100644
--- a/auth-plugin-atlas/src/main/java/org/apache/atlas/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
+++ b/auth-plugin-atlas/src/main/java/org/apache/atlas/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
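Review bot: The two `LOG.info` lines added after `evaluatePolicies` fire on every access evaluation at INFO with string concatenation, printing the `RangerAccessResult` (`ret`) and the policy engine object's `toString()`, whereas the surrounding code keeps per-request detail behind `LOG.isDebugEnabled()`; authorization decisions with request detail in the general log are noisy on a hot path and, depending on what those `toString()` methods include, can put user and resource names somewhere other than the audit log. The same pattern is added in the RangerAtlasAuthorizer, AtlasAuthorizationUtils and AtlasSimpleAuthorizer hunks below, and the AtlasSimpleAuthorizer one duplicates the `LOG.debug` line immediately under it. If these are meant to stay, drop them to DEBUG in the parameterized form, e.g. `LOG.debug("evaluatePolicies result: {}", ret);`; PATCH 3/5 and 4/5 in this series remove them again, so this is mainly a note for the history. `isAccessAllowed` begins and ends outside the hunk.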
@@ -705,15 +705,20 @@ private boolean isAccessAllowed(AtlasEntityAccessRequest request, RangerAtlasAud for (AtlasClassification classificationToAuthorize : request.getEntityClassifications()) { rangerResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, request.getClassificationTypeAndAllSuperTypes(classificationToAuthorize.getTypeName())); + LOG.info("Checking access for classification: " + classificationToAuthorize.getTypeName()); + ret = checkAccess(rangerRequest, auditHandler); if (!ret) { + LOG.info("Access denied for classification: " + classificationToAuthorize.getTypeName()); break; } } } else { rangerResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, ENTITY_NOT_CLASSIFIED ); + LOG.info("Checking access for entity without classification"); + ret = checkAccess(rangerRequest, auditHandler); } @@ -723,6 +728,8 @@ private boolean isAccessAllowed(AtlasEntityAccessRequest request, RangerAtlasAud } } + LOG.info("from RangerAtlasAuthorization isAccessAllowed(" + request + "): " + ret); + if (LOG.isDebugEnabled()) { LOG.debug("<== isAccessAllowed(" + request + "): " + ret); } @@ -811,6 +818,8 @@ private boolean checkAccess(RangerAccessRequestImpl request, RangerAtlasAuditHan RangerAccessResult result = plugin.isAccessAllowed(request, auditHandler); + LOG.info("from RangerAtlasAuthorization checkAccess(" + request + "): " + result.getIsAllowed()); + ret = result != null && result.getIsAllowed(); } else { diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java index 0a0659acb4..3d52b5c9b5 100644 --- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java +++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java 
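Review bot: In the `checkAccess` hunk (`@@ -811,6 +818,8 @@`) the added `LOG.info` dereferences `result.getIsAllowed()` one line before the `result != null` guard, so a null `RangerAccessResult` from `plugin.isAccessAllowed` now throws a NullPointerException instead of being treated as denied by `ret = result != null && result.getIsAllowed();`. Move the log after that assignment and log `ret` rather than the raw result: `LOG.debug("checkAccess({}): {}", request, ret);`. PATCH 4/5 in this series deletes the line again. `checkAccess` begins and ends outside the hunk.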
@@ -170,6 +170,8 @@ public static boolean isAccessAllowed(AtlasEntityAccessRequest request) {
 RequestContext.get().endMetricRecord(metric);
+ LOG.info("from Atlas AuthorizationUtils isAccessAllowed: ret={}", ret);
+
 return ret;
 }
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java
index 16dd9f68de..0cd05fc7fb 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java
@@ -306,6 +306,8 @@ public boolean isAccessAllowed(AtlasEntityAccessRequest request) throws AtlasAut
 }
 }
+ LOG.info("isAccessAllowed={}; classificationsWithNoAccess={}", ret, entClsToAuthz);
+
 if (LOG.isDebugEnabled()) {
 if (!ret) {
 LOG.debug("isAccessAllowed={}; classificationsWithNoAccess={}", ret, entClsToAuthz);
From 239e7a399567405636070da77a7cb52d530f510c Mon Sep 17 00:00:00 2001
From: ankitpatnaik-atlan
Date: Fri, 14 Feb 2025 17:40:17 +0530
Subject: [PATCH 3/5] create asset with domain enabled
---
 .../plugin/service/RangerBasePlugin.java | 2 --
 .../authorizer/RangerAtlasAuthorizer.java | 7 -----
 .../authorize/AtlasAuthorizationUtils.java | 2 --
 .../simple/AtlasSimpleAuthorizer.java | 2 --
 .../v2/preprocessor/AssetPreProcessor.java | 30 ++++++++----------
 5 files changed, 12 insertions(+), 31 deletions(-)
diff --git a/auth-agents-common/src/main/java/org/apache/atlas/plugin/service/RangerBasePlugin.java b/auth-agents-common/src/main/java/org/apache/atlas/plugin/service/RangerBasePlugin.java
index f0e008353f..fdf689c396 100644
--- a/auth-agents-common/src/main/java/org/apache/atlas/plugin/service/RangerBasePlugin.java
+++ b/auth-agents-common/src/main/java/org/apache/atlas/plugin/service/RangerBasePlugin.java
@@ -476,8 +476,6 @@ public RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAcc
 if (policyEngine != null) {
 ret = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, null);
- LOG.info("Policy engine is not null with the value " + policyEngine);
- LOG.info("Policy engine evaluation result is " + ret);
 }
 if (ret != null) {
diff --git a/auth-plugin-atlas/src/main/java/org/apache/atlas/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b/auth-plugin-atlas/src/main/java/org/apache/atlas/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
index 42b865a94b..e1ccadd494 100644
--- a/auth-plugin-atlas/src/main/java/org/apache/atlas/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
+++ b/auth-plugin-atlas/src/main/java/org/apache/atlas/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -705,20 +705,15 @@ private boolean isAccessAllowed(AtlasEntityAccessRequest request, RangerAtlasAud
 for (AtlasClassification classificationToAuthorize : request.getEntityClassifications()) {
 rangerResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, request.getClassificationTypeAndAllSuperTypes(classificationToAuthorize.getTypeName()));
- LOG.info("Checking access for classification: " + classificationToAuthorize.getTypeName());
-
 ret = checkAccess(rangerRequest, auditHandler);
 if (!ret) {
- LOG.info("Access denied for classification: " + classificationToAuthorize.getTypeName());
 break;
 }
 }
 } else {
 rangerResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, ENTITY_NOT_CLASSIFIED );
- LOG.info("Checking access for entity without classification");
-
 ret = checkAccess(rangerRequest, auditHandler);
 }
@@ -728,8 +723,6 @@ private boolean isAccessAllowed(AtlasEntityAccessRequest request, RangerAtlasAud
 }
 }
- LOG.info("from RangerAtlasAuthorization isAccessAllowed(" + request + "): " + ret);
-
 if (LOG.isDebugEnabled()) {
 LOG.debug("<== isAccessAllowed(" + request + "): " + ret);
 }
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java
index 3d52b5c9b5..0a0659acb4 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java
@@ -170,8 +170,6 @@ public static boolean isAccessAllowed(AtlasEntityAccessRequest request) {
 RequestContext.get().endMetricRecord(metric);
- LOG.info("from Atlas AuthorizationUtils isAccessAllowed: ret={}", ret);
-
 return ret;
 }
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java
index 0cd05fc7fb..16dd9f68de 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.java
@@ -306,8 +306,6 @@ public boolean isAccessAllowed(AtlasEntityAccessRequest request) throws AtlasAut
 }
 }
- LOG.info("isAccessAllowed={}; classificationsWithNoAccess={}", ret, entClsToAuthz);
-
 if (LOG.isDebugEnabled()) {
 if (!ret) {
 LOG.debug("isAccessAllowed={}; classificationsWithNoAccess={}", ret, entClsToAuthz);
diff --git a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/AssetPreProcessor.java b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/AssetPreProcessor.java
index c70d634e8c..fe139028b8 100644
--- a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/AssetPreProcessor.java
+++ b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/AssetPreProcessor.java
@@ -88,7 +88,7 @@ private void processUpdateAsset(AtlasEntity entity, AtlasVertex vertex, EntityMu
 private void processDomainLinkAttribute(AtlasEntity entity, AtlasVertex vertex, EntityMutations.EntityOperation operation) throws AtlasBaseException {
 if(entity.hasAttribute(DOMAIN_GUIDS)){
 validateDomainAssetLinks(entity);
- isAuthorized(vertex, operation);
+ isAuthorized(vertex, operation, entity);
 }
 }
@@ -127,26 +127,20 @@ public void processDelete(AtlasVertex vertex) throws AtlasBaseException {
 }
 }
- private void isAuthorized(AtlasVertex vertex, EntityMutations.EntityOperation operation) throws AtlasBaseException {
- AtlasEntityHeader sourceEntity = retrieverNoRelation.toAtlasEntityHeaderWithClassifications(vertex);
+ private void isAuthorized(AtlasVertex vertex, EntityMutations.EntityOperation operation, AtlasEntity entity) throws AtlasBaseException {
+ AtlasEntityHeader sourceEntity;
- switch (operation) {
- case CREATE:
- // source -> CREATE + READ
- AtlasAuthorizationUtils.verifyAccess(new AtlasEntityAccessRequest(typeRegistry, AtlasPrivilege.ENTITY_CREATE, sourceEntity),
- "create on source Entity, link/unlink operation denied: ", sourceEntity.getAttribute(NAME));
-
- break;
+ if (operation == EntityMutations.EntityOperation.CREATE) {
+ sourceEntity = new AtlasEntityHeader(entity);
+ } else {
+ sourceEntity = retrieverNoRelation.toAtlasEntityHeaderWithClassifications(vertex);
+ }
- case UPDATE:
- // source -> UPDATE + READ
- AtlasAuthorizationUtils.verifyAccess(new AtlasEntityAccessRequest(typeRegistry, AtlasPrivilege.ENTITY_UPDATE, sourceEntity),
- "update on source Entity, link/unlink operation denied: ", sourceEntity.getAttribute(NAME));
+ AtlasAuthorizationUtils.verifyAccess(new AtlasEntityAccessRequest(typeRegistry, AtlasPrivilege.ENTITY_UPDATE, sourceEntity),
+ "update on source Entity, link/unlink operation denied: ", sourceEntity.getAttribute(NAME));
- AtlasAuthorizationUtils.verifyAccess(new AtlasEntityAccessRequest(typeRegistry, AtlasPrivilege.ENTITY_READ, sourceEntity),
- "read on source Entity, link/unlink operation denied: ", sourceEntity.getAttribute(NAME));
- break;
- }
+ AtlasAuthorizationUtils.verifyAccess(new AtlasEntityAccessRequest(typeRegistry, AtlasPrivilege.ENTITY_READ, sourceEntity),
+ "read on source Entity, link/unlink operation denied: ", sourceEntity.getAttribute(NAME));
 }
 }
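Review bot: For CREATE, `sourceEntity` is now `new AtlasEntityHeader(entity)`, so the subject of the `ENTITY_UPDATE` and `ENTITY_READ` checks is built from the caller-supplied payload rather than from stored state, and whatever attributes (and presumably classifications, if that constructor copies them) the policy engine matches on come from the requester for this path; that is unavoidable before the vertex is persisted, but it deserves a comment on the `if`, e.g. `// CREATE: nothing is persisted yet, so authorize against the incoming payload; UPDATE authorizes against the stored entity`. The check also asks for `ENTITY_UPDATE` on a create (PATCH 1/5 in this series used `ENTITY_CREATE`) and the denial message still reads "update on source Entity", so either the privilege should follow `operation` or the comment should state that linking a domain is deliberately treated as an update of the asset. `operation` is otherwise unused here, and `isAuthorized` returns void and throws on denial, so a name such as `verifyDomainLinkAccess` would describe it better. The method ends inside the hunk; the class continues after it.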
From d1632e7037435a0d0820e6e1da092ed62e3eea1a Mon Sep 17 00:00:00 2001
From: ankitpatnaik-atlan
Date: Tue, 18 Feb 2025 12:48:01 +0530
Subject: [PATCH 4/5] removed info log statement added during debugging
---
 .../authorization/atlas/authorizer/RangerAtlasAuthorizer.java | 2 --
 1 file changed, 2 deletions(-)
diff --git a/auth-plugin-atlas/src/main/java/org/apache/atlas/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b/auth-plugin-atlas/src/main/java/org/apache/atlas/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
index e1ccadd494..dd645b473b 100644
--- a/auth-plugin-atlas/src/main/java/org/apache/atlas/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
+++ b/auth-plugin-atlas/src/main/java/org/apache/atlas/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -811,8 +811,6 @@ private boolean checkAccess(RangerAccessRequestImpl request, RangerAtlasAuditHan
 RangerAccessResult result = plugin.isAccessAllowed(request, auditHandler);
- LOG.info("from RangerAtlasAuthorization checkAccess(" + request + "): " + result.getIsAllowed());
-
 ret = result != null && result.getIsAllowed();
 } else {
From e82141940257bf6c6450a72be77682fe1a88e8ff Mon Sep 17 00:00:00 2001
From: ankitpatnaik-atlan
Date: Mon, 24 Feb 2025 15:20:51 +0530
Subject: [PATCH 5/5] removed unused operation DELETE
---
 .../graph/v2/preprocessor/AssetPreProcessor.java | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/AssetPreProcessor.java b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/AssetPreProcessor.java
index fe139028b8..29be4db090 100644
--- a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/AssetPreProcessor.java
+++ b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/AssetPreProcessor.java
@@ -61,9 +61,6 @@ public void processAttributes(AtlasStruct entityStruct, EntityMutationContext co
 case UPDATE:
 processUpdateAsset(entity, vertex, operation);
 break;
- case DELETE:
- processDelete(vertex);
- break;
 }
 }
@@ -119,14 +116,6 @@ private void validateDomainAssetLinks(AtlasEntity entity) throws AtlasBaseExcept
 }
 }
- @Override
- public void processDelete(AtlasVertex vertex) throws AtlasBaseException {
- //remove the domain link
- if (vertex != null) {
- vertex.removeProperty(DOMAIN_GUIDS);
- }
- }
-
 private void isAuthorized(AtlasVertex vertex, EntityMutations.EntityOperation operation, AtlasEntity entity) throws AtlasBaseException {
 AtlasEntityHeader sourceEntity;