[jira] [Commented] (ATLAS-3261) Ranger Authorizer for Atlas is not checked for kafka messages
[
https://issues.apache.org/jira/browse/ATLAS-3261?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16985605#comment-16985605
]
ASF subversion and git services commented on ATLAS-3261:
Commit 76d0276c0f8859661b5af6a10d7c09bda1aee022 in atlas's branch
refs/heads/branch-2.0 from arempter
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=76d0276 ]
ATLAS-3261: added option to authorize notifications using username given in the
message
Signed-off-by: Madhan Neethiraj
(cherry picked from commit 48df6544f92df81dc49820b8cd2900666cb14e0a)
> Ranger Authorizer for Atlas is not checked for kafka messages
> -
>
> Key: ATLAS-3261
> URL: https://issues.apache.org/jira/browse/ATLAS-3261
> Project: Atlas
> Issue Type: Bug
> Components: atlas-intg
>Affects Versions: 1.1.0, 2.0.0
>Reporter: Adam Rempter
>Priority: Major
> Labels: security
> Fix For: 2.1.0, 3.0.0
>
> Time Spent: 1.5h
> Remaining Estimate: 0h
>
> Atlas can be configured to authorize user actions with Ranger
> ([https://atlas.apache.org/1.1.0/Atlas-Authorization-Ranger-Authorizer.html]).
>
> When I use user via REST it works:
> curl -X GET -u testuser:testuser
> http://localhost:21000/api/atlas/v2/entity/guid/f52151a0-fa08-4eab-b885-ece847a106e0
> {"errorCode":"ATLAS-403-00-001","errorMessage":"testuser is not authorized to
> perform read entity: guid=f52151a0-fa08-4eab-b885-ece847a106e0"}
>
> When I send lineage to ATLAS_HOOK, I can create lineage successfully:
> 2019-06-04 14:01:38,974
> 2019-06-04T12:01:23.867Z|testuser|NotificationHookConsumer|POST|api/atlas/v2/entity/|200|15119
> In above, I think user is taken from lineage message field user in json.
>
> Of course above is valid if another policy in ranger (kafka plugin) allows
> puting messages to ATLAS_HOOK topic.
>
> But if I have one user (technical account) to produce to kafka and I want to
> deny access in Atlas based on user from message, atlas ranger authorizer
> doens't work.
>
>
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (ATLAS-3261) Ranger Authorizer for Atlas is not checked for kafka messages
[
https://issues.apache.org/jira/browse/ATLAS-3261?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16985604#comment-16985604
]
ASF subversion and git services commented on ATLAS-3261:
Commit 48df6544f92df81dc49820b8cd2900666cb14e0a in atlas's branch
refs/heads/master from arempter
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=48df654 ]
ATLAS-3261: added option to authorize notifications using username given in the
message
Signed-off-by: Madhan Neethiraj
> Ranger Authorizer for Atlas is not checked for kafka messages
> -
>
> Key: ATLAS-3261
> URL: https://issues.apache.org/jira/browse/ATLAS-3261
> Project: Atlas
> Issue Type: Bug
> Components: atlas-intg
>Affects Versions: 1.1.0, 2.0.0
>Reporter: Adam Rempter
>Priority: Major
> Labels: security
> Fix For: 2.1.0, 3.0.0
>
> Time Spent: 1.5h
> Remaining Estimate: 0h
>
> Atlas can be configured to authorize user actions with Ranger
> ([https://atlas.apache.org/1.1.0/Atlas-Authorization-Ranger-Authorizer.html]).
>
> When I use user via REST it works:
> curl -X GET -u testuser:testuser
> http://localhost:21000/api/atlas/v2/entity/guid/f52151a0-fa08-4eab-b885-ece847a106e0
> {"errorCode":"ATLAS-403-00-001","errorMessage":"testuser is not authorized to
> perform read entity: guid=f52151a0-fa08-4eab-b885-ece847a106e0"}
>
> When I send lineage to ATLAS_HOOK, I can create lineage successfully:
> 2019-06-04 14:01:38,974
> 2019-06-04T12:01:23.867Z|testuser|NotificationHookConsumer|POST|api/atlas/v2/entity/|200|15119
> In above, I think user is taken from lineage message field user in json.
>
> Of course above is valid if another policy in ranger (kafka plugin) allows
> puting messages to ATLAS_HOOK topic.
>
> But if I have one user (technical account) to produce to kafka and I want to
> deny access in Atlas based on user from message, atlas ranger authorizer
> doens't work.
>
>
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (ATLAS-3261) Ranger Authorizer for Atlas is not checked for kafka messages
[
https://issues.apache.org/jira/browse/ATLAS-3261?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16984449#comment-16984449
]
Adam Rempter commented on ATLAS-3261:
-
[~madhan] patch looks ok to me
> Ranger Authorizer for Atlas is not checked for kafka messages
> -
>
> Key: ATLAS-3261
> URL: https://issues.apache.org/jira/browse/ATLAS-3261
> Project: Atlas
> Issue Type: Bug
> Components: atlas-intg
>Affects Versions: 1.1.0, 2.0.0
>Reporter: Adam Rempter
>Priority: Major
> Labels: security
> Fix For: 2.1.0, 3.0.0
>
> Time Spent: 1.5h
> Remaining Estimate: 0h
>
> Atlas can be configured to authorize user actions with Ranger
> ([https://atlas.apache.org/1.1.0/Atlas-Authorization-Ranger-Authorizer.html]).
>
> When I use user via REST it works:
> curl -X GET -u testuser:testuser
> http://localhost:21000/api/atlas/v2/entity/guid/f52151a0-fa08-4eab-b885-ece847a106e0
> {"errorCode":"ATLAS-403-00-001","errorMessage":"testuser is not authorized to
> perform read entity: guid=f52151a0-fa08-4eab-b885-ece847a106e0"}
>
> When I send lineage to ATLAS_HOOK, I can create lineage successfully:
> 2019-06-04 14:01:38,974
> 2019-06-04T12:01:23.867Z|testuser|NotificationHookConsumer|POST|api/atlas/v2/entity/|200|15119
> In above, I think user is taken from lineage message field user in json.
>
> Of course above is valid if another policy in ranger (kafka plugin) allows
> puting messages to ATLAS_HOOK topic.
>
> But if I have one user (technical account) to produce to kafka and I want to
> deny access in Atlas based on user from message, atlas ranger authorizer
> doens't work.
>
>
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (ATLAS-3261) Ranger Authorizer for Atlas is not checked for kafka messages
[
https://issues.apache.org/jira/browse/ATLAS-3261?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16984361#comment-16984361
]
Adam Rempter commented on ATLAS-3261:
-
nice, will do
> Ranger Authorizer for Atlas is not checked for kafka messages
> -
>
> Key: ATLAS-3261
> URL: https://issues.apache.org/jira/browse/ATLAS-3261
> Project: Atlas
> Issue Type: Bug
> Components: atlas-intg
>Affects Versions: 1.1.0, 2.0.0
>Reporter: Adam Rempter
>Priority: Major
> Labels: security
> Fix For: 2.1.0, 3.0.0
>
> Time Spent: 1.5h
> Remaining Estimate: 0h
>
> Atlas can be configured to authorize user actions with Ranger
> ([https://atlas.apache.org/1.1.0/Atlas-Authorization-Ranger-Authorizer.html]).
>
> When I use user via REST it works:
> curl -X GET -u testuser:testuser
> http://localhost:21000/api/atlas/v2/entity/guid/f52151a0-fa08-4eab-b885-ece847a106e0
> {"errorCode":"ATLAS-403-00-001","errorMessage":"testuser is not authorized to
> perform read entity: guid=f52151a0-fa08-4eab-b885-ece847a106e0"}
>
> When I send lineage to ATLAS_HOOK, I can create lineage successfully:
> 2019-06-04 14:01:38,974
> 2019-06-04T12:01:23.867Z|testuser|NotificationHookConsumer|POST|api/atlas/v2/entity/|200|15119
> In above, I think user is taken from lineage message field user in json.
>
> Of course above is valid if another policy in ranger (kafka plugin) allows
> puting messages to ATLAS_HOOK topic.
>
> But if I have one user (technical account) to produce to kafka and I want to
> deny access in Atlas based on user from message, atlas ranger authorizer
> doens't work.
>
>
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (ATLAS-3261) Ranger Authorizer for Atlas is not checked for kafka messages
[
https://issues.apache.org/jira/browse/ATLAS-3261?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16856722#comment-16856722
]
Adam Rempter commented on ATLAS-3261:
-
I did some checking on this issue, and what happens, when new message is
received, security check is done by AtlasAuthorizationUtils
before entity is created.
public static boolean isAccessAllowed(AtlasAdminAccessRequest request) {
boolean ret = false;
*String userName = getCurrentUserName(); <-- returns ""*
*if (StringUtils.isNotEmpty(userName)) { <-- false*
try {
AtlasAuthorizer authorizer = AtlasAuthorizerFactory.getAtlasAuthorizer();
request.setUser(userName, getCurrentUserGroups());
request.setClientIPAddress(RequestContext.get().getClientIPAddress());
ret = authorizer.isAccessAllowed(request);
} catch (AtlasAuthorizationException e) {
LOG.error("Unable to obtain AtlasAuthorizer", e);
}
*} else { <-- if no user return true*
ret = true;
}
Now I added user from kafka as current security principal (see patch) and then
it properly calls authorizer:
rg.apache.atlas.exception.AtlasBaseException: *testuser is not authorized to
perform create entity: type=server*
at
org.apache.atlas.authorize.AtlasAuthorizationUtils.verifyAccess(AtlasAuthorizationUtils.java:61)
at
org.apache.atlas.repository.store.graph.v2.AtlasEntityStoreV2.createOrUpdate(AtlasEntityStoreV2.java:664)
But I am not sure it this is best way to handle this case...
> Ranger Authorizer for Atlas is not checked for kafka messages
> -
>
> Key: ATLAS-3261
> URL: https://issues.apache.org/jira/browse/ATLAS-3261
> Project: Atlas
> Issue Type: Bug
> Components: atlas-intg
>Affects Versions: 1.1.0, 2.0.0
>Reporter: Adam Rempter
>Priority: Major
> Labels: security
> Attachments: 0001-set-message-user-as-principal.patch
>
>
> Atlas can be configured to authorize user actions with Ranger
> ([https://atlas.apache.org/1.1.0/Atlas-Authorization-Ranger-Authorizer.html]).
>
> When I use user via REST it works:
> curl -X GET -u testuser:testuser
> http://localhost:21000/api/atlas/v2/entity/guid/f52151a0-fa08-4eab-b885-ece847a106e0
> {"errorCode":"ATLAS-403-00-001","errorMessage":"testuser is not authorized to
> perform read entity: guid=f52151a0-fa08-4eab-b885-ece847a106e0"}
>
> When I send lineage to ATLAS_HOOK, I can create lineage successfully:
> 2019-06-04 14:01:38,974
> 2019-06-04T12:01:23.867Z|testuser|NotificationHookConsumer|POST|api/atlas/v2/entity/|200|15119
> In above, I think user is taken from lineage message field user in json.
>
> Of course above is valid if another policy in ranger (kafka plugin) allows
> puting messages to ATLAS_HOOK topic.
>
> But if I have one user (technical account) to produce to kafka and I want to
> deny access in Atlas based on user from message, atlas ranger authorizer
> doens't work.
>
>
>
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
