atlas-commits mailing list archives

From yhema...@apache.org
Subject incubator-atlas git commit: ATLAS-765 Need documentation for Authentication and Authorization features of Atlas (nixonrodrigues via yhemanth)
Date Tue, 21 Jun 2016 17:17:01 GMT
Repository: incubator-atlas
Updated Branches:
  refs/heads/master dfd9c96ba -> b25d198ca


ATLAS-765 Need documentation for Authentication and Authorization features of Atlas (nixonrodrigues
via yhemanth)


Project: http://git-wip-us.apache.org/repos/asf/incubator-atlas/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-atlas/commit/b25d198c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-atlas/tree/b25d198c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-atlas/diff/b25d198c

Branch: refs/heads/master
Commit: b25d198ca8b0f9d572ce46681a05f9c418cb745d
Parents: dfd9c96
Author: Hemanth Yamijala <hyamijala@hortonworks.com>
Authored: Tue Jun 21 22:46:38 2016 +0530
Committer: Hemanth Yamijala <hyamijala@hortonworks.com>
Committed: Tue Jun 21 22:46:38 2016 +0530

----------------------------------------------------------------------
 .../twiki/Authentication-Authorization.twiki    | 165 +++++++++++++++++++
 docs/src/site/twiki/index.twiki                 |   1 +
 release-log.txt                                 |   1 +
 3 files changed, 167 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/b25d198c/docs/src/site/twiki/Authentication-Authorization.twiki
----------------------------------------------------------------------
diff --git a/docs/src/site/twiki/Authentication-Authorization.twiki b/docs/src/site/twiki/Authentication-Authorization.twiki
new file mode 100644
index 0000000..1e35ceb
--- /dev/null
+++ b/docs/src/site/twiki/Authentication-Authorization.twiki
@@ -0,0 +1,165 @@
+---++ Authentication & Authorization in Apache Atlas.
+
+---+++ Authentication
+
+Atlas supports following authentication methods
+
+   * *File*
+   * *Kerberos*
+   * *LDAP*
+
+
+Following properties should be set true to enable the authentication of that type in =atlas-application.properties=
file.
+
+
+<verbatim>
+atlas.authentication.method.kerberos=true|false
+atlas.authentication.method.ldap=true|false
+atlas.authentication.method.file=true|false
+</verbatim>
+
+If two or more authentication methods are set to true, then the authentication falls back
to the latter method if the earlier one fails.
+For example if Kerberos authentication is set to true and ldap authentication is also set
to true then, if for a request without kerberos principal and keytab LDAP authentication will
be used as a fallback scenario.
+
+---++++FILE method.
+
+File authentication requires users' login details in users credentials file in the format
specified below and
+the file path should set to property =atlas.authentication.method.file.filename= in =atlas-application.properties=.
+
+<verbatim>
+atlas.authentication.method.file=true
+atlas.authentication.method.file.filename=${sys:atlas.home}/conf/users-credentials.properties
+</verbatim>
+
+The users credentials file should have below format
+<verbatim>
+username=group::sha256-password
+</verbatim>
+
+For e.g.
+<verbatim>
+admin=ADMIN::e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a
+</verbatim>
+
+Users group can be either *ADMIN*, *DATA_STEWARD* OR *DATA_SCIENTIST*
+
+*Note*:-password is encoded with sha256 encoding method and can be generated using unix tool.
+
+For e.g.
+<verbatim>
+echo -n "Password" | sha256sum
+e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a  -
+</verbatim>
+
+---++++ Kerberos Method.
+
+To enable the authentication in Kerberos mode in Atlas, set the property =atlas.authentication.method.kerberos=
to true in =atlas-application.properties=
+
+<verbatim>
+atlas.authentication.method.kerberos = true
+</verbatim>
+
+Also following properties should be set.
+
+<verbatim>
+atlas.authentication.method.kerberos.principal=<principal>/<fqdn>@EXAMPLE.COM
+atlas.authentication.method.kerberos.keytab = /<key tab filepath>.keytab
+atlas.authentication.method.kerberos.name.rules = RULE:[2:$1@$0](atlas@EXAMPLE.COM)s/.*/atlas/
+</verbatim>
+
+
+---++++ LDAP Method.
+
+To enable the authentication in LDAP mode in Atlas, set the property =atlas.authentication.method.ldap=
to true and also set Ldap type to property =atlas.authentication.method.ldap.type= to LDAP
or AD in =atlas-application.properties=.
+Use AD if connecting to Active Directory.
+
+<verbatim>
+atlas.authentication.method.ldap=true
+atlas.authentication.method.ldap.type=ldap|ad
+</verbatim>
+
+
+For LDAP or AD the following configuration needs to be set in atlas application properties.
+
+*Active Directory*
+
+<verbatim>
+atlas.authentication.method.ldap.ad.domain= example.com
+atlas.authentication.method.ldap.ad.url=ldap://<AD server ip>:389
+atlas.authentication.method.ldap.ad.base.dn=DC=example,DC=com
+atlas.authentication.method.ldap.ad.bind.dn=CN=Administrator,CN=Users,DC=example,DC=com
+atlas.authentication.method.ldap.ad.bind.password=<password>
+atlas.authentication.method.ldap.ad.referral=ignore
+atlas.authentication.method.ldap.ad.user.searchfilter=(sAMAccountName={0})
+atlas.authentication.method.ldap.ad.default.role=ROLE_USER
+</verbatim>
+
+*LDAP Directroy*
+
+<verbatim>
+atlas.authentication.method.ldap.url=ldap://<Ldap server ip>:389
+atlas.authentication.method.ldap.userDNpattern=uid={0],ou=users,dc=example,dc=com
+atlas.authentication.method.ldap.groupSearchBase=dc=example,dc=com
+atlas.authentication.method.ldap.groupSearchFilter=(member=cn={0},ou=users,dc=example,dc=com
+atlas.authentication.method.ldap.groupRoleAttribute=cn
+atlas.authentication.method.ldap.base.dn=dc=example,dc=com
+atlas.authentication.method.ldap.bind.dn=cn=Manager,dc=example,dc=com
+atlas.authentication.method.ldap.bind.password=<password>
+atlas.authentication.method.ldap.referral=ignore
+atlas.authentication.method.ldap.user.searchfilter=(uid={0})
+atlas.authentication.method.ldap.default.role=ROLE_USER
+</verbatim>
+
+---+++ Authorization
+
+
+---++++ Atlas Authorization Methods [Simple/Ranger]
+To set authorization in atlas, update the =atlas.authorizer.impl= properties in =atlas-application.properties=
+   * *Simple*
+   * *Ranger*
+
+
+
+<verbatim>
+atlas.authorizer.impl=simple | ranger | <Qualified Authorizer Class Name>
+</verbatim>
+
+---++++ Simple Authorizer.
+
+In Simple Authorizer the policy store file is configured locally. The path of policy store
file is set in
+=atlas.auth.policy.file= property of =atlas-application.properties=
+
+<verbatim>
+atlas.auth.policy.file={{conf_dir}}/policy-store.txt
+</verbatim>
+
+The policy store file format is as follows:
+
+<verbatim>
+Policy_Name;;User_Name:Operations_Allowed;;Group_Name:Operations_Allowed;;Resource_Type:Resource_Name
+</verbatim>
+
+eg. of admin policy:
+<verbatim>
+adminPolicy;;admin:rwud;;ROLE_ADMIN:rwud;;type:*,entity:*,operation:*,taxonomy:*,term:*
+</verbatim>
+
+Note : The User_Name, Group_Name and Operations_Allowed are comma(,) separated lists.
+
+Authorizer Resource Types:
+   * Operation
+   * Type
+   * Entity
+   * Taxonomy
+   * Term
+   * Unknown
+
+
+Operations_Allowed are  r = read, w = write, u = update, d = delete
+
+
+---++++ Ranger Authorizer.
+
+Ranger Authorizer is enabled by activating Atlas-Ranger plugin from Ambari.
+
+For more details visit the [[http://ranger.apache.org/][Apache-Ranger documentation]].
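Review bot: Two values in the LDAP directory example block are malformed and will be copied into live configurations as written. `userDNpattern=uid={0],ou=users,dc=example,dc=com` closes the placeholder with `]` instead of `}`, and `groupSearchFilter=(member=cn={0},ou=users,dc=example,dc=com` is missing its closing parenthesis. Please fix both, along with the "Directroy" label above them. The same file has three documentation gaps. The FILE section lists the groups as ADMIN, DATA_STEWARD and DATA_SCIENTIST, while the policy example and the `default.role` properties use ROLE_ADMIN and ROLE_USER, and nothing says how the two sets of names map to each other. The note calls the stored password "encoded with sha256"; as shown it is an unsalted hash, so the page should say so and advise restricting read access to the users credentials file. The fallback paragraph says authentication "falls back to the latter method if the earlier one fails" but never states the order in which the three methods are tried. Finally, both directory examples pair `ldap://...:389` with a bind password; please state whether an `ldaps://` URL is accepted.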

http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/b25d198c/docs/src/site/twiki/index.twiki
----------------------------------------------------------------------
diff --git a/docs/src/site/twiki/index.twiki b/docs/src/site/twiki/index.twiki
index 8c57d06..8dda474 100755
--- a/docs/src/site/twiki/index.twiki
+++ b/docs/src/site/twiki/index.twiki
@@ -42,6 +42,7 @@ allows integration with the whole enterprise data ecosystem.
    * [[Repository][Metadata Repository]]
    * [[Search][Search]]
    * [[security][Security]]
+   * [[Authentication-Authorization][Authentication and Authorization]]
    * [[Configuration][Configuration]]
    * Notification
       * [[Notification-Entity][Entity Notification]]
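Review bot: The new `[[Authentication-Authorization]]` entry sits directly under the existing `[[security][Security]]` entry, and nothing in this patch links the two pages or tells a reader which one to start with. Consider nesting the new page under Security, the way the Notification sub-pages are nested just below, or adding a cross-reference between the two pages.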

http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/b25d198c/release-log.txt
----------------------------------------------------------------------
diff --git a/release-log.txt b/release-log.txt
index c2f8747..ec2bcf7 100644
--- a/release-log.txt
+++ b/release-log.txt
@@ -39,6 +39,7 @@ ATLAS-409 Atlas will not import avro tables with schema read from a file
(dosset
 ATLAS-379 Create sqoop and falcon metadata addons (venkatnrangan,bvellanki,sowmyaramesh via
shwethags)
 
 ALL CHANGES:
+ATLAS-765 Need documentation for Authentication and Authorization features of Atlas (nixonrodrigues
via yhemanth)
 ATLAS-930 QuickStart is failing when run after a specific sequence of operations (yhemanth
via shwethags)
 ATLAS-904 Hive hook fails due to session state not being set (sumasai via yhemanth)
 ATLAS-929 Add test for trait preservation on column rename for non-default database (svimal2106
via shwethags)

