Configuring Atlas Authorization

More specifically, you can restrict access to Atlas types and entities, and to administrative operations.

Access to Types

Create
Update
Delete

Access to Entities

Read
Create
Update
Delete
Add classification
Update classification
Remove classification

Admin Operations

admin-export
admin-import

You can use simple or Ranger authorization:

Simple authorization – Authorization policies are specified using a JSON file.
Ranger authorization – Authorization policies are specified using Apache Ranger.

Configure Simple Authorization

Select Atlas > Configs > Advanced on the Ambari dashboard, then click Advanced application-properties.
Set the value of the atlas.authorizer.impl property to simple.
Confirm that the value of the atlas.simple.authz.policy.file property is set to {{conf_dir}}/atlas-simple-authz-policy.json.

Edit the {{conf_dir}}/atlas-simple-authz-policy.json file to specify authorization settings:

vi /usr/hdp/current/atlas-server/conf/atlas-simple-authz-policy.json

The following is a sample atlas-simple-authz-policy.json file:

{
  "roles": {
    "ROLE_ADMIN": {
      "adminPermissions": [
        {
          "privileges": [ ".*" ]
        }
      ],

      "entityPermissions": [
        {
          "privileges":      [ ".*" ],
          "entityTypes":     [ ".*" ],
          "entityIds":       [ ".*" ],
          "classifications": [ ".*" ]
        }
      ],

      "typePermissions": [
        {
          "privileges":     [ ".*" ],
          "typeCategories": [ ".*" ],
          "typeNames":      [ ".*" ]
        }
      ]
    },

    "DATA_SCIENTIST": {
      "entityPermissions": [
        {
          "privileges":      [ "entity-read"],
          "entityTypes":     [ ".*" ],
          "entityIds":       [ ".*" ],
          "classifications": [ ".*" ]
        }
      ]
    },

    "DATA_STEWARD": {
      "entityPermissions": [
        {
          "privileges":      [ "entity-read", "entity-create", "entity-update", "entity-add-classification", "entity-update-classification", "entity-remove-classification" ],
          "entityTypes":     [ ".*" ],
          "entityIds":       [ ".*" ],
          "classifications": [ ".*" ]
        }
      ]
    }
  },

  "userRoles": {
    "admin": [ "ROLE_ADMIN" ]
  },

  "groupRoles": {
    "ROLE_ADMIN":      [ "ROLE_ADMIN" ],
    "hadoop":          [ "DATA_STEWARD" ],
    "DATA_STEWARD":    [ "DATA_STEWARD" ],
    "RANGER_TAG_SYNC": [ "DATA_SCIENTIST" ]
  }
}

To apply these permissions, restart Atlas and any other services that require a restart.

Configure Ranger Authorization

On the Ranger Configs page, select the Ranger Plugin tab.
Under Atlas Ranger Plugin, select On, then click Save in the black menu bar.
A Save Configuration pop-up appears. Type in a note describing the changes you just made, then click Save.
A Dependent Configurations pop-up appears. Click OK to confirm the recommended configuration updates.
Click OK on the Save Configuration Changes pop-up.
Select Actions in the navigation menu, then select Restart All Required to restart all services that require a restart.
Click Confirm Restart All on the confirmation pop-up to confirm the Storm restart. After the services restart, the Ranger plugin for Atlas is enabled.
Log in to the Apache Ranger Web UI.
On the Apache Ranger Service Manager page, select an existing service under Atlas.
On the List of Policies page, click Add New Policy.
Use the Create Policy page to specify the Atlas authorization policy, then click Add. The following figures show sample Ranger policy pages for Atlas authorization.
Authorize Access to Atlas Types
Authorize Access to Atlas Entities
Authorize Access to Atlas Admin Operations

Authorization in the Apache Atlas Web UI

An error message appears in the Atlas Web UI if a user attempts to perform an unauthorized operation.

You should also note that Atlas Search displays all results, but if a user does not have Read permissions for some of the search results, links will not be available to access those entities.