[PR] ATLAS-5326: Enforce Atlas authorization on AdminResource REST endpoints [atlas]

Wed, 17 Jun 2026 17:32:24 -0700 


rkundam opened a new pull request, #674:
URL: https://github.com/apache/atlas/pull/674

   ## What changes were proposed in this pull request?
   ATLAS-5326: Enforce Atlas authorization on AdminResource REST endpoints
   - Add `AtlasAuthorizationUtils.verifyAccess()` to sensitive `AdminResource` 
REST endpoints that previously lacked Atlas-level authorization checks.
   - Leave operational and UI-facing endpoints (`/version`, `/status`, 
`/metrics`, `/metricsstats*`, `/liveness`, `/readiness`) accessible to any 
authenticated user without an additional Atlas privilege check.
   
   - **AdminResource.java**: Enforce authorization on 15 endpoint groups using 
existing privileges (`ADMIN_EXPORT`, `ADMIN_IMPORT`, `ADMIN_PURGE`, 
`ADMIN_AUDITS`, `ENTITY_READ`).
   - **AdminResourceTest.java**: Add `withAuthorizationBypass` / 
`withAuthorizationBypassCallable` test helpers and update unit tests for 
protected vs. open endpoints.
   ## Protected endpoints
   | Endpoint | Privilege |
   |----------|-----------|
   | GET /stack | ADMIN_EXPORT |
   | GET /session | ENTITY_READ |
   | GET/DELETE /activeSearches | ADMIN_EXPORT |
   | GET /server/{serverName} | ADMIN_EXPORT |
   | GET /expimp/audit | ADMIN_EXPORT |
   | POST /checkstate | ENTITY_READ |
   | GET /patches | ADMIN_IMPORT |
   | GET /audit/{auditGuid}/details | ADMIN_AUDITS |
   | GET/DELETE /tasks | ADMIN_PURGE |
   | GET /debug/metrics | ADMIN_EXPORT |
   | DELETE /async/import/{importId} | ADMIN_IMPORT |
   | GET /async/import/status* | ADMIN_IMPORT |
   ## Intentionally unprotected (authentication only)
   - GET /version, /status, /metrics
   - GET /metricsstats, /metricsstat/{collectionTime}, /metricsstats/range, 
/metricsstats/charts
   - GET /liveness, /readiness
   
   ## How was this patch tested?
   - [ ] cd webapp && mvn -Dtest=AdminResourceTest test
   - [ ] Verify protected endpoints return authorization failure for users 
without required privileges
   - [ ] Verify metrics, status, version, liveness, and readiness remain 
accessible to authenticated users
   - [ ] Confirm dashboard Statistics page and UI session endpoint still work 
for authorized users
   - [ ] Regression test POST /admin/export, POST /admin/import, and POST 
/admin/audits


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to