atlas-dev mailing list archives

From "David Radley (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ATLAS-1696) Governance Action Framework OMAS
Date Mon, 03 Jul 2017 15:30:00 GMT

    [ https://issues.apache.org/jira/browse/ATLAS-1696?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16072640#comment-16072640 ]

David Radley commented on ATLAS-1696:
-------------------------------------

[~jonesn] Some comments on the Swagger:
- How are we defining tags vs classifications? /v2/gaf/tags is the URI, but the description is "Get all classifications". It is inconsistent.
- /v2/gaf/roles - get list of roles assigned to entities. I would think that the endpoint should be assigned roles or return all the roles Atlas knows about.

I suggest we do not mention Ranger in the API docs and keep the GAF implementation neutral.


> Governance Action Framework OMAS
> --------------------------------
>
>                 Key: ATLAS-1696
>                 URL: https://issues.apache.org/jira/browse/ATLAS-1696
>             Project: Atlas
>          Issue Type: New Feature
>            Reporter: Nigel Jones
>            Assignee: Nigel Jones
>              Labels: VirtualDataConnector
>
> Governance Action OMAS is one of multiple consumer-centric based interfaces that will be added to Apache Atlas, & provides the API (REST and messaging) to support policy enforcement frameworks such as Apache Ranger. Detailed knowledge of the Atlas data models and structure can then be hidden from these consumers.
> The functionality of gaf includes
>  - ability to retrieve classifications associated to assets
>   - restricted to "interesting" classifications 
>   - restricted to interesting assets being managed by the requesting endpoint
>  - to retrieve a list of interesting roles that relate to enforcement
>  - to retrieve any template rule definitions/lookup tables that might be used to construct executable rules
> The scoping constructs supported in the API will include
>  - Only get classifications that are relevant for security enforcement (ie: only those inheriting from a specified supertype? Verify in ATLAS-1839)
>  - only get information about assets (resources) in a certain part of the datalake (Q: HOW. By zone? How to specify? by asset type? By associated endpoint?)
>  - pagination
>  
> See ATLAS-1839 for more information on the model and classifications
> In the Atlas data model classifications propagate - for example
>  * A database column DOB has no explicit classification
>  * Its containing table CDB is classified as "customer personal details"
>  * The "SPI" classification is attached to this table with the value "sensitive"
> At enforcement time all that an engine such as Ranger cares about is that the column "DOB" is sensitive, how we got there isn't important.  In the example above the propagation occurs
>  * Along the assigned term relationship 
>  * along the structural containment relationship (table->column)
> Therefore gaf omas will "flatten" the structure - so in this case we'll see
>  table/CDB - SPI:sensitive
>  column/DOB - SPI:sensitive
> There will be cases where multiple classifications (of the same type) can be navigated to from an asset like DOB. This may not make logical sense, however, until precedence is resolved in ATLAS-1839 & related Jiras, OMAS will pass through multiple classifications.
> This interface will also support message notifications of changes to managed resources such as a new role, classification. A single Kafka topic will be used.
>  <tbd>
> A first pass swagger can be found at https://app.swaggerhub.com/apis/planetf1/GovernanceActionOMAS/0.1



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
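
The flattening described in the issue text above (classifications reaching column DOB through the assigned term and through table->column containment, restricted to "interesting" types, with multiple values passed through), as an added Python example that is not part of the original message or of Atlas code. The `Node` model, the placement of SPI on the term, the `Retention` classification and the `NOTES` column are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """An asset or glossary term (hypothetical model, not the Atlas type system)."""
    name: str
    kind: str                                             # "table", "column" or "term"
    classifications: list = field(default_factory=list)   # explicit (type, value) pairs
    terms: list = field(default_factory=list)             # assigned glossary terms
    parent: "Node | None" = None                          # structural container

def effective(node):
    """Every (type, value) reachable from node: its explicit classifications,
    those on its assigned terms, then whatever its container resolves to.
    Exact duplicates are dropped; distinct values of one type all pass through,
    since precedence is left unresolved in the issue text."""
    found = list(node.classifications)
    for term in node.terms:
        found += term.classifications
    if node.parent is not None:
        found += effective(node.parent)
    return list(dict.fromkeys(found))                     # order-preserving dedupe

def flatten(assets, interesting):
    """Flat view for an enforcement engine: 'kind/name' -> ['TYPE:value', ...],
    keeping only classification types named in `interesting`."""
    view = {}
    for asset in assets:
        tags = [f"{t}:{v}" for t, v in effective(asset) if t in interesting]
        if tags:
            view[f"{asset.kind}/{asset.name}"] = tags
    return view

def sample():
    # Assumption: SPI:sensitive sits on the term and reaches CDB by term assignment.
    term = Node("customer personal details", "term", [("SPI", "sensitive")])
    # Constructed: a non-security classification that the scoping should filter out.
    cdb = Node("CDB", "table", [("Retention", "constructed")], terms=[term])
    dob = Node("DOB", "column", parent=cdb)
    # Constructed: a column with its own SPI value as well as the inherited one.
    notes = Node("NOTES", "column", [("SPI", "restricted")], parent=cdb)
    return [cdb, dob, notes]

if __name__ == "__main__":
    for asset, tags in flatten(sample(), {"SPI"}).items():
        print(asset, "-", ", ".join(tags))
```

The NOTES column shows the pass-through case: a consumer receives both SPI values and has to decide which one governs until precedence is defined.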
