Support Questions

Find answers, ask questions, and share your expertise

How to set the authority/right of Atlas Web UI User?

Explorer

I want to add a new user account for atlas Web UI, so I append a line text into <atlas-conf>/users-credentials.properties

zte=ADMIN::8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92

This means that, the user name is zte, and the password is 123456.

But when I login in the Atlas Web UI by using this user name and password, it shown like this:

6990-zteuser.jpg

The tips which on the top right of this screenshot showed that, this account are not authorized for READ *.

So, how can I set the authority/right of my new user account ?

Thank you very much.

1 ACCEPTED SOLUTION

@Ethan HsiehTwo authorization methods are available for Atlas: Simple and Ranger.

Simple Authorization

The default setting is Simple, and the following properties are automatically set under Advanced application-properties on the Advanced tab.

Table: Apache Atlas Simple Authorization

PropertyValue
atlas.authorizer.implsimple
atlas.auth.policy.file{{conf_dir}}/policy-store.txt

The policy-store.txt file has the following format:

Policy_Name;;User_Name:Operations_Allowed;;Group_Name:Operations_Allowed;;Resource_Type:Resource_Name

For example:

adminPolicy;;admin:rwud;;ROLE_ADMIN:rwud;;type:*,entity:*,operation:*,taxonomy:*,term:*
userReadPolicy;;readUser1:r,readUser2:r;;DATA_SCIENTIST:r;;type:*,entity:*,operation:*,taxonomy:*,term:*
userWritePolicy;;writeUser1:rwu,writeUser2:rwu;;BUSINESS_GROUP:rwu,DATA_STEWARD:rwud;;type:*,entity:*,operation:*,taxonomy:*,term:*

In this example readUser1, readUser2, writeUser1 and writeUser2 are the user IDs, each with its corresponding access rights. The User_Name, Group_Name and Operations_Allowed are comma-separated lists.

Authorizer Resource Types:

  • Operation
  • Type
  • Entity
  • Taxonomy
  • Term
  • Unknown

Operations_Allowed are r = read, w = write, u = update, d = delete

Let me know if you have Ranger enabled in your cluster, different operations would be needed for Ranger authorization.

View solution in original post

12 REPLIES 12

@Ethan HsiehTwo authorization methods are available for Atlas: Simple and Ranger.

Simple Authorization

The default setting is Simple, and the following properties are automatically set under Advanced application-properties on the Advanced tab.

Table: Apache Atlas Simple Authorization

PropertyValue
atlas.authorizer.implsimple
atlas.auth.policy.file{{conf_dir}}/policy-store.txt

The policy-store.txt file has the following format:

Policy_Name;;User_Name:Operations_Allowed;;Group_Name:Operations_Allowed;;Resource_Type:Resource_Name

For example:

adminPolicy;;admin:rwud;;ROLE_ADMIN:rwud;;type:*,entity:*,operation:*,taxonomy:*,term:*
userReadPolicy;;readUser1:r,readUser2:r;;DATA_SCIENTIST:r;;type:*,entity:*,operation:*,taxonomy:*,term:*
userWritePolicy;;writeUser1:rwu,writeUser2:rwu;;BUSINESS_GROUP:rwu,DATA_STEWARD:rwud;;type:*,entity:*,operation:*,taxonomy:*,term:*

In this example readUser1, readUser2, writeUser1 and writeUser2 are the user IDs, each with its corresponding access rights. The User_Name, Group_Name and Operations_Allowed are comma-separated lists.

Authorizer Resource Types:

  • Operation
  • Type
  • Entity
  • Taxonomy
  • Term
  • Unknown

Operations_Allowed are r = read, w = write, u = update, d = delete

Let me know if you have Ranger enabled in your cluster, different operations would be needed for Ranger authorization.

Contributor

@Ethan Hsieh Just as @Ayub Pathan's explanation you will be able to assign users with permissions if you add the user into policy-store.txt

adminPolicy;;admin:rwud,zte:rwud;;ROLE_ADMIN:rwud;;type:*,entity:*,operation:*,taxonomy:*,term:*

or you should be able add user with different roles into users-credentials.properties by adding entries like below

zte=ROLE_ADMIN::8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92
testuser=DATA_SCIENTIST::8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92

Hello @Ayub Khan

I am trying to add custom policy like

dataAnalyistPolicy;;;;DATA_ANALYST:r;;type:*,entity:contents,taxonomy:*,term:*

I am assuming that if I mention specific type or entity or term it will allow to perform set actions to a particular. I have tried mentioning entity:content but it block all operations. Can you guide on this.

Thanks,

Expert Contributor

@Naseem Rafique, you have to specify * for Atlas 0.8, granular level authorization in pipeline.

@Nixon Rodrigues

You mean currently I can only specify * I can't authorize a user to access to a specific type right?

Version I am using is apache-atlas-0.9-incubating-SNAPSHOT.

Expert Contributor

Yes, it will allow all (*) or none.

Hi, How do we solve this while using Ranger. I gave the Read access however it shows the same issue.

Expert Contributor

@Varun Nemmani , Please follow this documentation regarding setting up atlas ranger policies.

https://cwiki.apache.org/confluence/display/RANGER/ATLAS+Plugin

Hi Nixon,

Thanks. Yes the relevant permissions for Read are given on all the ATLAS policies. However the user gets the error in the UI.

Regards,

Varun

Hi, User sync has solved the problem.

Regards,

Varun

New Contributor

Hi @Varun Nemmani,

Which usersync did you have to run?

Thanks

Hi Alex It is Ranger user sync.

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.