Configuring Atlas Authorization

Atlas in CDP uses Ranger policies to control access to the metadata that Atlas manages. Ranger policies also control access to Atlas administrative tasks.

Ranger provides authorization to access the following metadata and operations:

Types
Atlas "types" are the entity model definitions, whether provided in Atlas or added in your environment. Types include these "categories":
  • Entity
  • Classification
  • Relationship
  • Business Metadata
  • Struct
  • Enum
Ranger authorization allows you to configure access for users and groups to perform the following operations on types:
  • Create
  • Update
  • Delete
  • Read
The policies can be configured to apply to one or more types or all types. For example, the Atlas administrator user has access to create, update, and delete all type categories (type-category *).
Entities
Atlas "entities" are instances of entity types: entities represent assets and processes on your cluster. Ranger authorization allows you to configure access for users and groups to perform the following operations on entities:
  • Read
  • Create
  • Update
  • Delete
  • Read classification
  • Add classification
  • Update classification
  • Remove classification
  • Add label
  • Remove label
  • Update Business Metadata
Note that the classification operations listed here are those that associate a classification with an entity; operations on a classification definition are controlled by the type authorization for the classification category described previously. Use the entity authorization to give a user the ability to associate an existing classification with any entity (entity-type *); use the type authorization to give a user the ability to create new classifications (type-category classification).
Policies for labels and business metadata work similarly to classifications: you can control whether users can add labels or business metadata to specific entity types, individual entities, or entities marked with specific classifications. For example, a default policy allows any authenticated user to update all business metadata for any entity types with any classifications and on any instances of entities (entity-type *, entity-classification *, entity-id *, entity-business-metadata *).
Some Atlas features, such as saved searches, are modeled as entities. You can control access to these features using entity policies. For example, a default policy allows any authenticated user to save Atlas searches (entity-type __AtlasUserProfile, __AtlasUserSavedSearch).
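The following is an added, constructed model of the two policy scopes described above (the type-category policy for the administrator and the entity policies for classifications, business metadata and saved searches); it is not Ranger's own authorizer or any code from Atlas. It reproduces the page's point that associating a classification with an entity and defining a new classification are separate grants. The resource and access names ("type-category", "entity-type", "entity-classification", "entity-id", "entity-business-metadata", "entity-add-classification", and so on) follow the page's wording and are assumptions to be checked against the Atlas service definition in your Ranger instance; the group "public" standing for "any authenticated user", the "analysts" group, the users and the entity identifiers are all constructed for the example.

```python
# Constructed, simplified model of how Ranger policies gate Atlas operations.
# Not Ranger's authorizer: resource/access names and the "public" group are assumptions.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Policy:
    name: str
    resources: dict                       # resource name -> list of patterns ('*' = any)
    accesses: set                         # operations the policy grants
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)


def _covers(policy, request):
    """A policy covers a request when every resource the policy names is present in
    the request and matches one of the policy's patterns. A type-category policy
    therefore never covers an entity request, and vice versa (a simplification of
    Ranger's hierarchical resource matching)."""
    return all(
        name in request and any(fnmatchcase(request[name], pat) for pat in patterns)
        for name, patterns in policy.resources.items()
    )


def is_allowed(policies, user, groups, access, request):
    """Deny by default: True only if some policy grants `access` to this user or
    one of their groups on the requested resources."""
    for p in policies:
        if access in p.accesses and (user in p.users or groups & p.groups) and _covers(p, request):
            return True
    return False


def entity_allowed(policies, user, groups, access, entity_type, entity_id,
                   classifications=(), business_metadata=None):
    """Entity operations are checked once per classification on the entity and must
    pass for all of them; an unclassified entity is checked with '*' so that only
    wildcard classification policies cover it (simplification)."""
    request = {"entity-type": entity_type, "entity-id": entity_id}
    if business_metadata is not None:
        request["entity-business-metadata"] = business_metadata
    return all(
        is_allowed(policies, user, groups, access, {**request, "entity-classification": c})
        for c in (classifications or ["*"])
    )


# Policies mirroring the defaults described on the page; "public" stands for
# "any authenticated user" (assumed group name).
POLICIES = [
    Policy("admin-all-types", {"type-category": ["*"]},
           {"type-create", "type-update", "type-delete"}, users={"admin"}),
    Policy("all-users-business-metadata",
           {"entity-type": ["*"], "entity-classification": ["*"],
            "entity-id": ["*"], "entity-business-metadata": ["*"]},
           {"entity-update-business-metadata"}, groups={"public"}),
    Policy("all-users-saved-searches",
           {"entity-type": ["__AtlasUserProfile", "__AtlasUserSavedSearch"],
            "entity-classification": ["*"], "entity-id": ["*"]},
           {"entity-create", "entity-read", "entity-update", "entity-delete"}, groups={"public"}),
    # Hypothetical policy: analysts may attach existing classifications to any entity,
    # but have no type-category policy, so they cannot define new classifications.
    Policy("analysts-associate-classification",
           {"entity-type": ["*"], "entity-classification": ["*"], "entity-id": ["*"]},
           {"entity-add-classification"}, groups={"analysts"}),
]


def demo():
    """Decisions for a constructed analyst 'alice', an ordinary user 'bob' and 'admin'."""
    analyst, public = {"analysts", "public"}, {"public"}
    return {
        "analyst_tags_table": entity_allowed(POLICIES, "alice", analyst, "entity-add-classification",
                                             "hive_table", "sales@cluster", ["PII"]),
        "analyst_defines_classification": is_allowed(POLICIES, "alice", analyst, "type-create",
                                                     {"type-category": "classification"}),
        "admin_defines_classification": is_allowed(POLICIES, "admin", set(), "type-create",
                                                   {"type-category": "classification"}),
        "public_updates_business_metadata": entity_allowed(POLICIES, "bob", public,
                                                           "entity-update-business-metadata",
                                                           "hive_table", "sales@cluster", [], "retention"),
        "public_saves_search": entity_allowed(POLICIES, "bob", public, "entity-create",
                                              "__AtlasUserSavedSearch", "bob:my-search"),
        "analyst_reads_table": entity_allowed(POLICIES, "alice", analyst, "entity-read",
                                              "hive_table", "sales@cluster", ["PII"]),
    }


if __name__ == "__main__":
    for check, decision in demo().items():
        print(f"{check}: {'ALLOW' if decision else 'DENY'}")
```

The last decision is the one worth noting when auditing a deployment: the analyst can attach a classification to the table but cannot read it, because nothing grants entity-read on hive_table; the model is deny-by-default, and an entity policy scoped to one operation says nothing about the others.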
Relationships
Atlas "relationships" describe connections between two entities, including, but not limited to, the input and output relationships that are used to build lineage graphs. Ranger authorization allows you to configure access for users and groups to perform the following operations on relationships:
  • Add relationship
  • Update relationship
  • Remove relationship
These operations are required to build rich models among entities and are granted to administrative users and system users. Relationships cannot be updated by users through the Atlas UI.
Admin operations
Atlas administrative operations include:
  • Import entities
  • Export entities
These operations encompass all the privileges needed to create new and update existing entities. Typically, this access is granted to administrative users and system users such as RangerLookup and the Data Plane profiler user (DPProfiler).