[jira] [Commented] (ATLAS-3261) Ranger Authorizer for Atlas is not checked for kafka messages

Sun, 01 Dec 2019 08:41:47 -0800 


    [ 
https://issues.apache.org/jira/browse/ATLAS-3261?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16985605#comment-16985605
 ] 

ASF subversion and git services commented on ATLAS-3261:
--------------------------------------------------------

Commit 76d0276c0f8859661b5af6a10d7c09bda1aee022 in atlas's branch 
refs/heads/branch-2.0 from arempter
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=76d0276 ]

ATLAS-3261: added option to authorize notifications using username given in the 
message

Signed-off-by: Madhan Neethiraj <mad...@apache.org>
(cherry picked from commit 48df6544f92df81dc49820b8cd2900666cb14e0a)


> Ranger Authorizer for Atlas is not checked for kafka messages
> -------------------------------------------------------------
>
>                 Key: ATLAS-3261
>                 URL: https://issues.apache.org/jira/browse/ATLAS-3261
>             Project: Atlas
>          Issue Type: Bug
>          Components: atlas-intg
>    Affects Versions: 1.1.0, 2.0.0
>            Reporter: Adam Rempter
>            Priority: Major
>              Labels: security
>             Fix For: 2.1.0, 3.0.0
>
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> Atlas can be configured to authorize user actions with Ranger 
> ([https://atlas.apache.org/1.1.0/Atlas-Authorization-Ranger-Authorizer.html]).
>  
> When I use user via REST it works:
> curl -X GET -u testuser:testuser 
> http://localhost:21000/api/atlas/v2/entity/guid/f52151a0-fa08-4eab-b885-ece847a106e0
> {"errorCode":"ATLAS-403-00-001","errorMessage":"testuser is not authorized to 
> perform read entity: guid=f52151a0-fa08-4eab-b885-ece847a106e0"}
>  
> When I send lineage to ATLAS_HOOK, I can create lineage successfully:
> 2019-06-04 14:01:38,974 
> 2019-06-04T12:01:23.867Z|testuser|NotificationHookConsumer|POST|api/atlas/v2/entity/|200|15119
> In above, I think user is taken from lineage message field user in json.
>  
> Of course above is valid if another policy in ranger  (kafka plugin) allows 
> puting messages to ATLAS_HOOK topic. 
>  
> But if I have one user (technical account) to produce to kafka and I want to 
> deny access in Atlas based on user from message, atlas ranger authorizer 
> doens't work.
>  
>  
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to