Cloudera Docs

Configuring Simple Authorization in Atlas

Atlas in CDP uses the simple authorization, which is the default authorizer to manage different users, user groups, and group roles.

This type of authorization does not involve creating policies in Ranger UI. This is NOT a recommended authorization method to grant permissions in Atlas but can still be used to manage user authorization. The simple authorizer employs policies that are defined in a JSON file.

The following properties must be configured in Atlas properties. When you uncheck Ranger authorizer, these properties are automatically added by the Cloudera Manager.
  • atlas.authorizer.impl=simple
  • atlas.authorizer.simple.authz.policy.file=atlas-simple-authz-policy.json


Simple Authorization provides certain roles for managing Atlas metadata and related operations. Under each role, you could define the permission for each resource, based on the entity type for which you want to grant access.

There are three supported roles:

  • ROLE_ADMIN - Has all permissions to perform any action.
  • DATA_SCIENTIST - Has permission for reading and classifying entities.
  • DATA_STEWARD - Has permission to read, classify, create, update, add, and remove classifications.

An example JSON file that displays the above scenarios:


{

 "roles": {

   "ROLE_ADMIN": {

     "adminPermissions": [

       {
         "privileges": [ ".*" ]
       }
     ],

     "typePermissions": [

       {
         "privileges":     [ ".*" ],
         "typeCategories": [ ".*" ],
         "typeNames":      [ ".*" ]
       }
     ],

     "entityPermissions": [

       {

          "privileges":      [ ".*" ],
          "entityTypes":     [ ".*" ],
          "entityIds":       [ ".*" ],
          "classifications": [ ".*" ],
          "labels" :         [ ".*" ],
          "businessMetadata" : [ ".*" ],
          "attributes" :     [ ".*" ]

       }
     ],

     "relationshipPermissions": [

       {

         "privileges":     [ ".*" ],
         "relationshipTypes": [ ".*" ],
         "end1EntityType":           [ ".*" ],
         "end1EntityId":             [ ".*" ],
         "end1EntityClassification": [ ".*" ],
         "end2EntityType":           [ ".*" ],
         "end2EntityId":             [ ".*" ],
         "end2EntityClassification": [ ".*" ]

       }
     ]
   },

   "DATA_SCIENTIST": {

     "entityPermissions": [

       {
         "privileges":      [ "entity-read", "entity-read-classification" ],
         "entityTypes":     [ ".*" ],
         "entityIds":       [ ".*" ],
         "classifications": [ ".*" ]
       }
     ]
   },

   "DATA_STEWARD": {

     "entityPermissions": [

       {
         "privileges":      [ "entity-read", "entity-create", "entity-update", "entity-read-classification", "entity-add-classification", "entity-update-classification", "entity-remove-classification" ],
         "entityTypes":     [ ".*" ],
         "entityIds":       [ ".*" ],
         "classifications": [ ".*" ]=
       }
     ],

     "relationshipPermissions": [

       {
         "privileges":               [ "add-relationship", "update-relationship", "remove-relationship" ],
         "relationshipTypes":        [ ".*" ],
         "end1EntityType":           [ ".*" ],
         "end1EntityId":             [ ".*" ],
         "end1EntityClassification": [ ".*" ],
         "end2EntityType":           [ ".*" ],
         "end2EntityId":             [ ".*" ],
         "end2EntityClassification": [ ".*" ]

       }
     ]
   }
 },

The simple authorization roles that are defined as explained earlier can be assigned to users:


"userRoles": {
"admin":[ "ROLE_ADMIN" ],
"rangertagsync":[ "DATA_SCIENTIST" ]

Roles can be granted to user-groups. An user can belong to multiple groups; roles assigned to all groups the user belongs to will be used to authorize the access.


"groupRoles": {

   "ROLE_ADMIN":      [ "ROLE_ADMIN"],
   "hadoop":          [ "DATA_STEWARD" ],
   "DATA_STEWARD":    [ "DATA_STEWARD" ],
   "RANGER_TAG_SYNC": [ "DATA_SCIENTIST" ]
 }

}