[master] DG-215 Full restrictions on READ indexsearch

addons/override-policies/glossary_policies.json

@@ -0,0 +1,113 @@
+{
+    "entities":
+    [
+        {
+            "typeName": "AuthPolicy",
+            "customAttributes": {
+                "internalId": 28
+            },
+            "attributes":
+            {
+                "name": "READ_GLOSSARY",
+                "qualifiedName": "READ_GLOSSARY",
+                "policyCategory": "bootstrap",
+                "policySubCategory": "default",
+                "policyServiceName": "atlas",
+                "policyType": "allow",
+                "policyPriority": 1,
+                "policyUsers":
+                [],
+                "policyGroups":
+                [],
+                "policyRoles":
+                [
+                    "$admin",
+                    "$api-token-default-access"
+                ],
+                "policyResourceCategory": "ENTITY",
+                "policyResources":
+                [
+                    "entity-type:AtlasGlossary",
+                    "entity-classification:*",
+                    "entity:*"
+                ],
+                "policyActions":
+                [
+                    "entity-read"
+                ]
+            }
+        },
+        {
+            "typeName": "AuthPolicy",
+            "customAttributes": {
+                "internalId": 29
+            },
+            "attributes":
+            {
+                "name": "READ_TERM",
+                "qualifiedName": "READ_TERM",
+                "policyCategory": "bootstrap",
+                "policySubCategory": "default",
+                "policyServiceName": "atlas",
+                "policyType": "allow",
+                "policyPriority": 1,
+                "policyUsers":
+                [],
+                "policyGroups":
+                [],
+                "policyRoles":
+                [
+                    "$admin",
+                    "$api-token-default-access"
+                ],
+                "policyResourceCategory": "ENTITY",
+                "policyResources":
+                [
+                    "entity-type:AtlasGlossaryTerm",
+                    "entity-classification:*",
+                    "entity:*"
+                ],
+                "policyActions":
+                [
+                    "entity-read"
+                ]
+            }
+        },
+        {
+            "typeName": "AuthPolicy",
+            "customAttributes": {
+                "internalId": 30
+            },
+            "attributes":
+            {
+                "name": "READ_CATEGORY",
+                "qualifiedName": "READ_CATEGORY",
+                "policyCategory": "bootstrap",
+                "policySubCategory": "default",
+                "policyServiceName": "atlas",
+                "policyType": "allow",
+                "policyPriority": 1,
+                "policyUsers":
+                [],
+                "policyGroups":
+                [],
+                "policyRoles":
+                [
+                    "$admin",
+                    "$api-token-default-access"
+                ],
+                "policyResourceCategory": "ENTITY",
+                "policyResources":
+                [
+                    "entity-type:AtlasGlossaryCategory",
+                    "entity-classification:*",
+                    "entity:*"
+                ],
+                "policyActions":
+                [
+                    "entity-read"
+                ]
+            }
+        }
+    ]
+}

auth-agents-common/pom.xml

@@ -55,6 +55,12 @@
             <version>${project.version}</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.apache.atlas</groupId>
+            <artifactId>auth-common</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+
         <dependency>
             <groupId>org.apache.atlas</groupId>
             <artifactId>auth-audits</artifactId>

auth-agents-common/src/main/java/org/apache/atlas/plugin/service/RangerBasePlugin.java

@@ -19,6 +19,8 @@
 
 package org.apache.atlas.plugin.service;
 
+import org.apache.atlas.authorizer.store.PoliciesStore;
+import org.apache.atlas.authorizer.store.UsersStore;
 import org.apache.atlas.type.AtlasTypeRegistry;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.collections.MapUtils;
@@ -176,6 +178,7 @@ public RangerRoles getRoles() {
 
 	public void setRoles(RangerRoles roles) {
 		this.roles = roles;
+		UsersStore.setAllRoles(roles);
 
 		RangerPolicyEngine policyEngine = this.policyEngine;
 
@@ -192,6 +195,7 @@ public RangerUserStore getUserStore() {
 
 	public void setUserStore(RangerUserStore userStore) {
 		this.userStore = userStore;
+		UsersStore.setUserStore(userStore);
 
 		// RangerPolicyEngine policyEngine = this.policyEngine;
 
@@ -296,6 +300,14 @@ public void setPolicies(ServicePolicies policies) {
 			LOG.debug("==> setPolicies(" + policies + ")");
 		}
 
+		if (policies != null) {
+			List<RangerPolicy> resourcePolicies = policies.getPolicies();
+			List<RangerPolicy> tagPolicies = policies.getTagPolicies().getPolicies();
+
+			PoliciesStore.setResourcePolicies(resourcePolicies);
+			PoliciesStore.setTagPolicies(tagPolicies);
+		}
+
 		// guard against catastrophic failure during policy engine Initialization or
 		try {
 			RangerPolicyEngine oldPolicyEngine = this.policyEngine;

auth-common/pom.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <artifactId>apache-atlas</artifactId>
+        <groupId>org.apache.atlas</groupId>
+        <version>3.0.0-SNAPSHOT</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>auth-common</artifactId>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.htrace</groupId>
+            <artifactId>htrace-core4</artifactId>
+            <version>4.1.0-incubating</version>
+            <scope>compile</scope>
+        </dependency>
+        <dependency>
+            <groupId>commons-collections</groupId>
+            <artifactId>commons-collections</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>commons-lang</groupId>
+            <artifactId>commons-lang</artifactId>
+        </dependency>
+    </dependencies>
+
+</project>

auth-common/src/main/java/org/apache/atlas/plugin/model/GroupInfo.java

@@ -0,0 +1,83 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.atlas.plugin.model;
+
+import org.apache.atlas.plugin.util.RangerUserStoreUtil;
+import org.apache.htrace.shaded.fasterxml.jackson.annotation.JsonInclude;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlRootElement;
+import java.util.HashMap;
+import java.util.Map;
+
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@XmlRootElement
+@XmlAccessorType(XmlAccessType.FIELD)
+public class GroupInfo extends RangerBaseModelObject implements java.io.Serializable {
+
+    private static final long serialVersionUID = 1L;
+    private String                  name;
+    private String                  description;
+    private Map<String, String>     otherAttributes;
+
+    public GroupInfo() {
+        this(null, null, null);
+    }
+
+    public GroupInfo(String name, String description, Map<String, String> otherAttributes) {
+        setName(name);
+        setDescription(description);
+        setOtherAttributes(otherAttributes);
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public String getDescription() {
+        return description;
+    }
+
+    public void setDescription(String description) {
+        this.description = description;
+    }
+
+    public Map<String, String> getOtherAttributes() {
+        return otherAttributes;
+    }
+
+    public void setOtherAttributes(Map<String, String> otherAttributes) {
+        this.otherAttributes = otherAttributes == null ? new HashMap<>() : otherAttributes;
+    }
+
+    @Override
+    public String toString() {
+        return "{name=" + name
+                + ", description=" + description
+                + ", otherAttributes=" + RangerUserStoreUtil.getPrintableOptions(otherAttributes)
+                + "}";
+    }
+
+}