[ https://issues.apache.org/jira/browse/ATLAS-497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15263656#comment-15263656 ]

Hemanth Yamijala commented on ATLAS-497:
----------------------------------------

A few comments:

* Do we have a requirement for separating creates and updates? Can we merge 
them into one write operation? In fact many operations in Atlas backend are a 
create or update kind of operation. Merging into one may be better, IMHO.
* In AtlasAccessRequest and PolicyUtil there are many unused methods. Please 
remove them.
* In the authorization code path where AtlasException is thrown due to 
authorization problems, maybe it is better to throw a custom 
AtlasAuthorizationException. This could have information about what was 
attempted to be accessed etc.
* For requests that require access to multiple resource types (e.g. paths like 
entities/traits - which requires access to both entities & traits), access 
should be granted only if all of them are allowed, no? Currently, even if one 
matches we are allowing access, as far as I can tell.
* Currently, since we don't have resource specific match, in 
SimpleAtlasAuthorizer, can we simplify the resource check logic and just check 
for access to resourcetypes for now?
* Without the above, there are some important issues: e.g. since 
SimpleAtlasAuthorizer is a singleton object, the value isMatchAny is being 
accessed in a non-thread-safe manner.
* In a later JIRA, we'll need to figure out how principal information like user 
name / groups will be obtained in the Kerberos authentication case. This is 
because currently we are picking these up from Spring security context.
* Can we please add a merge test in PolicyUtilTest - one that has > 1 policies 
with different (possibly conflicting) rules and see how the end result works 
out?
* Please add some tests for AtlasAuthorizationFilter.

> Simple Authorization
> --------------------
>
>                 Key: ATLAS-497
>                 URL: https://issues.apache.org/jira/browse/ATLAS-497
>             Project: Atlas
>          Issue Type: New Feature
>    Affects Versions: 0.7-incubating
>            Reporter: Erik Bergenholtz
>            Assignee: Saqeeb Shaikh
>             Fix For: 0.7-incubating
>
>         Attachments: ATLAS-497.1.patch, ATLAS-497.2.patch, ATLAS-497.patch
>
>
> Atlas needs to support a simple (out of box) authorization mechanism.
> Defined Roles:
> - Data Scientist: provides a read only view (GET)
> - Data Steward: provides a read/edit view (PUT, POST, DELETE)
> - Admin (can do anything)
> All can comment on entity
> Requirements
> - Atlas will implement a simple file based store for providing user to role 
> mapping
> - The out of box experience will be this file based mechanism for 
> authorization



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
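
Added example, not part of the original message and not Atlas code: a minimal Java sketch of the two review points above about multi-resource paths and singleton state, contrasting an any-match check with an all-match check computed entirely from local values. The class, enum and method names, the path-segment mapping, the sample path and the sample policy are all hypothetical.

```java
import java.util.*;

public class AllResourceTypesCheck {
    enum ResourceType { ENTITY, TRAIT }
    enum Action { READ, WRITE }

    // Assumed mapping from URL path segments to resource types.
    static final Map<String, ResourceType> SEGMENTS =
            Map.of("entities", ResourceType.ENTITY, "traits", ResourceType.TRAIT);

    // Constructed policy for one hypothetical role: may edit entities, may only read traits.
    static Map<ResourceType, Set<Action>> samplePolicy() {
        Map<ResourceType, Set<Action>> p = new EnumMap<>(ResourceType.class);
        p.put(ResourceType.ENTITY, EnumSet.of(Action.READ, Action.WRITE));
        p.put(ResourceType.TRAIT, EnumSet.of(Action.READ));
        return p;
    }

    // Every resource type named in the path. Computed per call and returned,
    // so concurrent requests never share a mutable "match" flag.
    static Set<ResourceType> resourceTypes(String path) {
        Set<ResourceType> types = EnumSet.noneOf(ResourceType.class);
        for (String segment : path.split("/")) {
            ResourceType t = SEGMENTS.get(segment);
            if (t != null) types.add(t);
        }
        return types;
    }

    // Any-match: one permitted resource type is enough (the behaviour questioned in the review).
    static boolean allowedAny(Map<ResourceType, Set<Action>> policy, String path, Action action) {
        return resourceTypes(path).stream()
                .anyMatch(t -> policy.getOrDefault(t, Set.of()).contains(action));
    }

    // All-match: every resource type in the path must permit the action.
    static boolean allowedAll(Map<ResourceType, Set<Action>> policy, String path, Action action) {
        Set<ResourceType> needed = resourceTypes(path);
        // allMatch on an empty set is true, so a path with no known type is denied explicitly.
        return !needed.isEmpty()
                && needed.stream().allMatch(t -> policy.getOrDefault(t, Set.of()).contains(action));
    }

    public static void main(String[] args) {
        Map<ResourceType, Set<Action>> policy = samplePolicy();
        String path = "entities/1234/traits"; // constructed sample path
        System.out.println("any-match WRITE: " + allowedAny(policy, path, Action.WRITE));
        System.out.println("all-match WRITE: " + allowedAll(policy, path, Action.WRITE));
        System.out.println("all-match READ:  " + allowedAll(policy, path, Action.READ));
        System.out.println("unknown path:    " + allowedAll(policy, "admin/status", Action.READ));
    }
}
```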
