| <!DOCTYPE html> |
| <!-- |
| | Generated by Apache Maven Doxia Site Renderer 1.8 from src/site/twiki/Atlas-Authorization-Simple-Authorizer.twiki at 2018-06-14 |
| | Rendered using Apache Maven Fluido Skin 1.7 |
| --> |
| <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> |
| <head> |
| <meta charset="UTF-8" /> |
| <meta name="viewport" content="width=device-width, initial-scale=1.0" /> |
| <meta name="Date-Revision-yyyymmdd" content="20180614" /> |
| <meta http-equiv="Content-Language" content="en" /> |
| <title>Apache Atlas – Setting up Atlas to use Simple Authorizer</title> |
| <link rel="stylesheet" href="./css/apache-maven-fluido-1.7.min.css" /> |
| <link rel="stylesheet" href="./css/site.css" /> |
| <link rel="stylesheet" href="./css/print.css" media="print" /> |
| <script type="text/javascript" src="./js/apache-maven-fluido-1.7.min.js"></script> |
| </head> |
| <body class="topBarEnabled"> |
| <div class="container"> |
| <div id="banner"> |
| <div class="pull-left"><a href=".." id="bannerLeft"><img src="images/atlas-logo.png" alt="Apache Atlas" width="200px" height="45px"/></a></div> |
| <div class="pull-right"></div> |
| <div class="clear"><hr/></div> |
| </div> |
| |
| <div id="breadcrumbs"> |
| <ul class="breadcrumb"> |
| <li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2018-06-14</li> |
| <li id="projectVersion" class="pull-right">Version: 1.0.0</li> |
| </ul> |
| </div> |
| <div id="bodyColumn" > |
| <div class="section"> |
| <h4><a name="Setting_up_Atlas_to_use_Simple_Authorizer"></a>Setting up Atlas to use Simple Authorizer</h4> |
| <p>As detailed in <a href="./Atlas-Authorization-Model.html">Atlas Authorization Model</a>, Apache Atlas supports a pluggable authorization model. The simple authorizer is the default authorizer implementation included in Apache Atlas. It uses policies defined in a JSON file. This document describes how to configure Apache Atlas to use the simple authorizer and the format of the JSON file that contains the authorization policies.</p></div> |
| <div class="section"> |
| <h5><a name="Configure_Apache_Atlas"></a>Configure Apache Atlas</h5> |
| <p>To configure Apache Atlas to use the simple authorizer, include the following properties in the application.properties config file:</p> |
| <div class="source"><pre class="prettyprint"> |
| atlas.authorizer.impl=simple |
| atlas.authorizer.simple.authz.policy.file=/etc/atlas/conf/atlas-simple-authz-policy.json |
| |
| </pre></div> |
| <p>Please note that if the policy file location specified is not an absolute path, the file will be looked up in the following paths:</p> |
| <ul> |
| <li>Apache Atlas configuration directory (specified by system property <tt>atlas.conf</tt>)</li> |
| <li>Apache Atlas server's current directory</li> |
| <li>CLASSPATH</li></ul></div> |
| <div class="section"> |
| <h5><a name="Policy_file_format"></a>Policy file format</h5> |
| <p>The simple authorizer uses <tt>roles</tt> to group permissions, which can then be assigned to users and user-groups. The following examples illustrate the details of the policy file format:</p></div> |
| <div class="section"> |
| <h6><a name="Roles"></a>Roles</h6> |
| <p>The following policy file defines 3 roles:</p> |
| <ul> |
| <li>ROLE_ADMIN: has all permissions</li> |
| <li>PROD_READ_ONLY: has access to read entities having qualifiedName ending with "@prod"</li> |
| <li>TEST_ALL_ACCESS: has all access to entities having qualifiedName ending with "@test"</li></ul> |
| <p>The simple authorizer supports Java regular expressions to specify values for privilege/entity-type/entity-id/classification/typeName/typeCategory.</p> |
| <div class="source"><pre class="prettyprint"> |
| { |
| "roles": { |
| "ROLE_ADMIN": { |
| "adminPermissions": [ |
| { |
| "privileges": [ ".*" ] |
| } |
| ], |
| |
| "entityPermissions": [ |
| { |
| "privileges": [ ".*" ], |
| "entityTypes": [ ".*" ], |
| "entityIds": [ ".*" ], |
| "classifications": [ ".*" ] |
| } |
| ], |
| |
| "typePermissions": [ |
| { |
| "privileges": [ ".*" ], |
| "typeCategories": [ ".*" ], |
| "typeNames": [ ".*" ] |
| } |
| ] |
| }, |
| |
| "PROD_READ_ONLY" : { |
| "entityPermissions": [ |
| { |
| "privileges": [ "entity-read", "entity-read-classification" ], |
| "entityTypes": [ ".*" ], |
| "entityIds": [ ".*@prod" ], |
| "classifications": [ ".*" ] |
| } |
| ] |
| }, |
| |
| "TEST_ALL_ACCESS" : { |
| "entityPermissions": [ |
| { |
| "privileges": [ ".*" ], |
| "entityTypes": [ ".*" ], |
| "entityIds": [ ".*@test" ], |
| "classifications": [ ".*" ] |
| } |
| ] |
| } |
| }, |
| |
| "userRoles": { |
| ... |
| }, |
| |
| "groupRoles": { |
| ... |
| } |
| } |
| |
| |
| </pre></div></div> |
| <div class="section"> |
| <h6><a name="Assign_Roles_to_Users_and_User_Groups"></a>Assign Roles to Users and User Groups</h6> |
| <p>Roles defined above can be assigned (granted) to users as shown below:</p> |
| <div class="source"><pre class="prettyprint"> |
| { |
| "roles": { |
| ... |
| }, |
| |
| "userRoles": { |
| "admin": [ "ROLE_ADMIN" ], |
| "steward": [ "DATA_STEWARD" ], |
| "user1": [ "PROD_READ_ONLY" ], |
| "user2": [ "TEST_ALL_ACCESS" ], |
| "user3": [ "PROD_READ_ONLY", "TEST_ALL_ACCESS" ] |
| }, |
| |
| "groupRoles": { |
| ... |
| } |
| } |
| |
| </pre></div> |
| <p>Roles can be assigned (granted) to user-groups as shown below. A user can belong to multiple groups; roles assigned to all groups the user belongs to will be used to authorize the access.</p> |
| <div class="source"><pre class="prettyprint"> |
| { |
| "roles": { |
| ... |
| }, |
| |
| "userRoles": { |
| ... |
| }, |
| |
| "groupRoles": { |
| "admins": [ "ROLE_ADMIN" ], |
| "dataStewards": [ "DATA_STEWARD" ], |
| "testUsers": [ "TEST_ALL_ACCESS" ], |
| "prodReadUsers": [ "PROD_READ_ONLY" ] |
| } |
| } |
| |
| </pre></div></div> |
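| <p>An added example, not part of the Atlas documentation or code base: a Python audit of a simple-authorizer policy that lists role names granted in <tt>userRoles</tt>/<tt>groupRoles</tt> but never defined under <tt>roles</tt>, computes the union of a user's direct and group roles, and evaluates an entity request against the result. The sample policy is constructed from the snippets above; whole-value matching with Python's <tt>re.fullmatch</tt> (standing in for Java regular expressions) and the treatment of classifications are assumptions, not confirmed Atlas behaviour.</p> |

```python
import re

# Constructed sample policy, modelled on the roles and assignments shown on this page.
POLICY = {
    "roles": {
        "ROLE_ADMIN": {"entityPermissions": [{
            "privileges": [".*"], "entityTypes": [".*"],
            "entityIds": [".*"], "classifications": [".*"]}]},
        "PROD_READ_ONLY": {"entityPermissions": [{
            "privileges": ["entity-read", "entity-read-classification"],
            "entityTypes": [".*"], "entityIds": [".*@prod"], "classifications": [".*"]}]},
        "TEST_ALL_ACCESS": {"entityPermissions": [{
            "privileges": [".*"], "entityTypes": [".*"],
            "entityIds": [".*@test"], "classifications": [".*"]}]},
    },
    "userRoles": {"admin": ["ROLE_ADMIN"], "steward": ["DATA_STEWARD"],
                  "user3": ["PROD_READ_ONLY", "TEST_ALL_ACCESS"]},
    "groupRoles": {"prodReadUsers": ["PROD_READ_ONLY"], "testUsers": ["TEST_ALL_ACCESS"]},
}

def undefined_roles(policy):
    """Role names granted in userRoles/groupRoles but missing from "roles"."""
    granted = {role for section in ("userRoles", "groupRoles")
               for roles in policy.get(section, {}).values() for role in roles}
    return sorted(granted - set(policy.get("roles", {})))

def effective_roles(policy, user, groups):
    """Union of the roles granted to the user directly and through each group."""
    roles = set(policy.get("userRoles", {}).get(user, []))
    for group in groups:
        roles.update(policy.get("groupRoles", {}).get(group, []))
    return roles

def _any_match(patterns, value):
    # Assumption: a pattern must match the whole value, so ".*@prod"
    # does not match a qualifiedName ending in "@production".
    return any(re.fullmatch(p, value) for p in patterns)

def entity_allowed(policy, user, groups, privilege, entity_type, entity_id, classifications=()):
    """True if any effective role has an entityPermissions entry matching the request."""
    for role in effective_roles(policy, user, groups):
        for perm in policy["roles"].get(role, {}).get("entityPermissions", []):
            if (_any_match(perm.get("privileges", []), privilege)
                    and _any_match(perm.get("entityTypes", []), entity_type)
                    and _any_match(perm.get("entityIds", []), entity_id)
                    # Assumption: every classification on the entity must match.
                    and all(_any_match(perm.get("classifications", []), c)
                            for c in classifications)):
                return True
    return False
```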
| </div> |
| </div> |
| <hr/> |
| <footer> |
| <div class="container"> |
| <div class="row"> |
| <p><a href="https://www.apache.org/foundation/contributing"><img src="https://www.apache.org/images/SupportApache-small.png" alt="Support the ASF" id="asf-logo" height="20" width="20" /></a>Copyright © 2011-2018 The Apache Software Foundation. Licensed under the <a href="https://www.apache.org/licenses/">Apache License, Version 2.0</a>.<br/> |
| Apache Atlas, Atlas, Apache, the Apache feather logo are trademarks of the <a href="https://www.apache.org">Apache Software Foundation</a>.<br/> |
| All other marks mentioned may be trademarks or registered trademarks of their respective owners.</p> |
| </div> |
| <p id="poweredBy" class="pull-right"><a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy"><img class="builtBy" alt="Built by Maven" src="./images/logos/maven-feather.png" /></a> |
| </p> |
| </div> |
| </footer> |
| </body> |
| </html> |