{"version":3,"sources":["/home/madhan/Apache/git/atlas/docs/target/src/documents/Security/AuthorizationModel.md","/home/madhan/Apache/git/atlas/docs/target/theme/styles/styled-colors.js"],"names":["layoutProps","MDXContent","components","props","mdxType","parentName","wrapLines","language","style","theme","isMDXComponent","dark","hljs","color"],"mappings":"slBAWMA,EAAc,GAIL,SAASC,EAAW,GAG/B,IAFFC,EAAU,EAAVA,WACGC,EAAK,iBAER,OAAO,cALS,UAKC,iBAAKH,EAAiBG,EAAK,CAAED,WAAYA,EAAYE,QAAQ,cAE5E,oBACE,GAAM,6BAA2B,6BAEnC,oBACE,GAAM,gBAAc,gBAEtB,8jBAKA,4JACA,oBACE,GAAM,oCAAkC,oCAE1C,0QAEA,wBACE,oBAAIC,WAAW,MAAI,UACnB,oBAAIA,WAAW,MAAI,kBACnB,oBAAIA,WAAW,MAAI,gBACnB,oBAAIA,WAAW,MAAI,UACnB,oBAAIA,WAAW,MAAI,SAErB,kLAEA,wBACE,oBAAIA,WAAW,MAAI,UACnB,oBAAIA,WAAW,MAAI,UACnB,oBAAIA,WAAW,MAAI,WAErB,2FACA,wBACE,oBAAIA,WAAW,MAAI,gEACnB,oBAAIA,WAAW,MAAI,+DACnB,oBAAIA,WAAW,MAAI,mGAErB,oBACE,GAAM,uCAAqC,uCAE7C,+WAGA,wBACE,oBAAIA,WAAW,MAAI,QACnB,oBAAIA,WAAW,MAAI,UACnB,oBAAIA,WAAW,MAAI,UACnB,oBAAIA,WAAW,MAAI,UACnB,oBAAIA,WAAW,MAAI,uBACnB,oBAAIA,WAAW,MAAI,sBACnB,oBAAIA,WAAW,MAAI,yBACnB,oBAAIA,WAAW,MAAI,0BAErB,2FACA,wBACE,oBAAIA,WAAW,MAAI,0EACnB,oBAAIA,WAAW,MAAI,4FACnB,oBAAIA,WAAW,MAAI,yEACnB,oBAAIA,WAAW,MAAI,uGACnB,oBAAIA,WAAW,MAAI,mFAErB,oBACE,GAAM,qCAAmC,qCAE3C,8IACA,wBACE,oBAAIA,WAAW,MAAK,oBAAIA,WAAW,MAAI,oBACvC,oBAAIA,WAAW,MAAK,oBAAIA,WAAW,MAAI,qBAEzC,6JACA,oBACE,GAAM,2BAAyB,2BAEjC,qKACA,iJAA8H,4BAAYA,WAAW,KAAG,yBAAuC,wFAAyF,4BAAYA,WAAW,KAAG,2DAAyE,KAC3X,cAAC,IAAiB,CAACC,WAAW,EAAMC,SAAS,QAAQC,MAAOC,IAAYL,QAAQ,qBAAmB,ibAcnG,oBACE,GAAM,qBAAmB,qBAE3B,4LACmC,mBAAGC,WAAW,IAC7C,KAAQ,2BAAyB,8CAErC,oBACE,GAAM,qBAAmB,qBAE3B,0LAEA,cAAC,IAAiB,CAACC,WAAW,EAAMC,SAAS,QAAQC,MAAOC,IAAYL,QAAQ,qBAAmB,gCAGnG,8OACuF,mBAAGC,WAAW,IACjG,KAAQ,2BAAyB,6CACiB,KACtD,oBACE,GAAM,mBAAiB,mBAEzB,yQACA,cAAC,IAAiB,CAACC,WAAW,EAAMC,SAAS,QAAQC,MAAOC,IAAYL,QAAQ,qBAAmB,+BAItG,kMAEDH,EAAWS,gBAAiB,G,+DC3I5B,iFAqBAC,IAAKC,KAAKC,MAAQ,UACHF,MAAI","file":"static/js/documents-security-authorization-model.b50faded.js","sourcesContent":["
\nimport React from 'react'\nimport { mdx } from '@mdx-js/react'\n\n/* @jsxRuntime classic */\n/* @jsx mdx */\nimport themen from 'theme/styles/styled-colors';\nimport * as theme from 'react-syntax-highlighter/dist/esm/styles/hljs';\nimport SyntaxHighlighter from 'react-syntax-highlighter';\n\n\nconst layoutProps = {\n \n};\nconst MDXLayout = \"wrapper\"\nexport default function MDXContent({\n components,\n ...props\n}) {\n return <MDXLayout {...layoutProps} {...props} components={components} mdxType=\"MDXLayout\">\n\n <h1 {...{\n \"id\": \"atlas-authorization-model\"\n }}>{`Atlas Authorization Model`}</h1>\n <h2 {...{\n \"id\": \"introduction\"\n }}>{`Introduction`}</h2>\n <p>{`Atlas is a scalable and extensible set of core foundational governance services – enabling enterprises to effectively and\nefficiently meet their compliance requirements within Hadoop and allows integration with the whole enterprise data ecosystem.\nApache Atlas provides open metadata management and governance capabilities for organizations to build a catalog of their\ndata assets, classify and govern these assets and provide collaboration capabilities around these data assets for data\nscientists, analysts and the data governance team.`}</p>\n <p>{`This document covers details of the authorization model supported by Apache Atlas to control access to metadata managed by Atlas.`}</p>\n <h2 {...{\n \"id\": \"authorization-of-access-to-types\"\n }}>{`Authorization of access to Types`}</h2>\n <p>{`Apache Atlas provides a type system that allows users to model the metadata objects they would like to manage. The model\nis composed of definitions called ‘types’. 
Apache Atlas type system supports following categories of types:`}</p>\n <ul>\n <li parentName=\"ul\">{`Entity`}</li>\n <li parentName=\"ul\">{`Classification`}</li>\n <li parentName=\"ul\">{`Relationship`}</li>\n <li parentName=\"ul\">{`Struct`}</li>\n <li parentName=\"ul\">{`Enum`}</li>\n </ul>\n <p>{`The authorization model enables control of which users, groups can perform the following operations on types, based on\ntype names and type categories:`}</p>\n <ul>\n <li parentName=\"ul\">{`create`}</li>\n <li parentName=\"ul\">{`update`}</li>\n <li parentName=\"ul\">{`delete`}</li>\n </ul>\n <p>{`Here are few examples of access controls supported by the model:`}</p>\n <ul>\n <li parentName=\"ul\">{`Admin users can create/update/delete types of all categories`}</li>\n <li parentName=\"ul\">{`Data stewards can create/update/delete classification types`}</li>\n <li parentName=\"ul\">{`Healthcare data stewards can create/update/delete types having names start with “hc”`}</li>\n </ul>\n <h2 {...{\n \"id\": \"authorization-of-access-to-entities\"\n }}>{`Authorization of access to Entities`}</h2>\n <p>{`An entity is an instance of an entity-type and such instances represent objects in the real world – for example a table\nin Hive, a HDFS file, a Kafka topic. 
The authorization model enables control of which users, groups can perform the\nfollowing operations on entities – based on entity-types, entity-classifications, entity-id:`}</p>\n <ul>\n <li parentName=\"ul\">{`read`}</li>\n <li parentName=\"ul\">{`create`}</li>\n <li parentName=\"ul\">{`update`}</li>\n <li parentName=\"ul\">{`delete`}</li>\n <li parentName=\"ul\">{`read classification`}</li>\n <li parentName=\"ul\">{`add classification`}</li>\n <li parentName=\"ul\">{`update classification`}</li>\n <li parentName=\"ul\">{`remove classification`}</li>\n </ul>\n <p>{`Here are few examples of access controls supported by the model:`}</p>\n <ul>\n <li parentName=\"ul\">{`Admin users can perform all entity operations on entities of all types`}</li>\n <li parentName=\"ul\">{`Data stewards can perform all entity operations, except delete, on entities of all types`}</li>\n <li parentName=\"ul\">{`Data quality admins can add/update/remove DATA_QUALITY classification`}</li>\n <li parentName=\"ul\">{`Users in specific groups can read/update entities with PII classification or its sub-classification`}</li>\n <li parentName=\"ul\">{`Finance users can read/update entities whose ID start with ‘finance’`}</li>\n </ul>\n <h2 {...{\n \"id\": \"authorization-of-admin-operations\"\n }}>{`Authorization of Admin operations`}</h2>\n <p>{`The authorization model enables control of which users, groups can perform the following administrative operations:`}</p>\n <ul>\n <li parentName=\"ul\"><em parentName=\"li\">{`import entities`}</em></li>\n <li parentName=\"ul\"><em parentName=\"li\">{`export entities`}</em></li>\n </ul>\n <p>{`Users with above accesses can import/export entities without requiring them to be granted with fine-grained entity level accesses.`}</p>\n <h2 {...{\n \"id\": \"pluggable-authorization\"\n }}>{`Pluggable Authorization`}</h2>\n <p>{`Apache Atlas supports a pluggable authorization interface, as shown below, that enable alternate implementations to handle 
authorizations.`}</p>\n <p>{`The name of the class implementing the authorization interface can be registered with Apache Atlas using configuration `}<inlineCode parentName=\"p\">{`atlas.authorizer.impl`}</inlineCode>{`. When this property is not set, Apache Atlas will use its default implementation in `}<inlineCode parentName=\"p\">{`org.apache.atlas.authorize.simple.AtlasSimpleAuthorizer`}</inlineCode>{`.`}</p>\n <SyntaxHighlighter wrapLines={true} language=\"shell\" style={theme.dark} mdxType=\"SyntaxHighlighter\">\n {`\n package org.apache.atlas.authorize;\n public interface AtlasAuthorizer {\n void init();\n void cleanUp();\n\n boolean isAccessAllowed(AtlasAdminAccessRequest request) throws AtlasAuthorizationException;\n\n boolean isAccessAllowed(AtlasEntityAccessRequest request) throws AtlasAuthorizationException;\n\n boolean isAccessAllowed(AtlasTypeAccessRequest request) throws AtlasAuthorizationException;\n }`}\n </SyntaxHighlighter>\n <h2 {...{\n \"id\": \"simple-authorizer\"\n }}>{`Simple Authorizer`}</h2>\n <p>{`Simple authorizer is the default authorizer implementation included in Apache Atlas. For details of setting up Apache Atlas\nto use simple authorizer, please see `}<a parentName=\"p\" {...{\n \"href\": \"#/AtlasSimpleAuthorizer\"\n }}>{`Setting up Atlas to use Simple Authorizer`}</a></p>\n <h2 {...{\n \"id\": \"ranger-authorizer\"\n }}>{`Ranger Authorizer`}</h2>\n <p>{`To configure Apache Atlas to use authorization implementation provided by Apache Ranger, include the following property\nin application.properties config file:`}</p>\n <SyntaxHighlighter wrapLines={true} language=\"shell\" style={theme.dark} mdxType=\"SyntaxHighlighter\">\n {`atlas.authorizer.impl=ranger`}\n </SyntaxHighlighter>\n <p>{`Apache Ranger Authorizer requires configuration files to be setup, for example to specify Apache Ranger admin server URL,\nname of the service containing authorization policies, etc. 
For more details, please see `}<a parentName=\"p\" {...{\n \"href\": \"#/AtlasRangerAuthorizer\"\n }}>{`Setting up Atlas to use Ranger Authorizer`}</a>{`.`}</p>\n <h2 {...{\n \"id\": \"none-authorizer\"\n }}>{`None authorizer`}</h2>\n <p>{`In addition to the default authorizer, Apache Atlas includes an authorizer that permits all accesses to all users; with it, no access control is enforced on types, entities or admin operations. This authorizer can be useful in test environments and unit tests. To use this authorizer, set the following configuration:`}</p>\n <SyntaxHighlighter wrapLines={true} language=\"shell\" style={theme.dark} mdxType=\"SyntaxHighlighter\">\n {`atlas.authorizer.impl=NONE`}\n </SyntaxHighlighter>\n </MDXLayout>;\n}\n;\nMDXContent.isMDXComponent = true;","/**\n * Licensed to the Apache Software Foundation (ASF) under one\n * or more contributor license agreements. See the NOTICE file\n * distributed with this work for additional information\n * regarding copyright ownership. The ASF licenses this file\n * to you under the Apache License, Version 2.0 (the\n * \"License\"); you may not use this file except in compliance\n * with the License. You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { dark } from \"react-syntax-highlighter/dist/esm/styles/hljs\";\n\n//dark[\"powershell\"][\"color\"] = \"#37bb9b\";\ndark.hljs.color = \"#37bb9b\";\nexport default dark;"],"sourceRoot":""}