in webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthorizationFilter.java [88:178]
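/**
 * Authorizes every REST API request (servlet path under {@code BASE_URL}) against the
 * configured {@code authorizer} before passing it down the filter chain; requests outside
 * the REST path are forwarded untouched.
 *
 * <p>The decision is fail-closed: the request is forwarded only when the authorizer
 * explicitly allows it, or when it touches only {@link AtlasResourceTypes#UNKNOWN}
 * (unprotected) resources. A missing authorizer or an {@link AtlasAuthorizationException}
 * leaves the request denied and a 403 with a JSON error body is returned.
 *
 * @param req   incoming request; cast to {@link HttpServletRequest}
 * @param res   outgoing response; cast to {@link HttpServletResponse}
 * @param chain the remaining filter chain
 * @throws IOException      if writing the response fails
 * @throws ServletException if no {@link Authentication} is present in the security context
 */
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException,
        ServletException {
    if (isDebugEnabled) {
        LOG.debug("==> AuthorizationFilter.doFilter");
    }
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    AtlasResponseRequestWrapper responseWrapper = new AtlasResponseRequestWrapper(response);
    // Clickjacking protection. NOTE(review): the wrapper is not the object passed down the
    // chain, so this relies on AtlasResponseRequestWrapper.setHeader reaching the wrapped
    // response - confirm against the wrapper implementation.
    responseWrapper.setHeader("X-Frame-Options", "DENY");

    String pathInfo = request.getServletPath();
    // A request is treated as a REST API call when the servlet path and BASE_URL are
    // prefixes of each other (either direction).
    boolean isRestApiRequest = !Strings.isNullOrEmpty(pathInfo)
            && (pathInfo.startsWith(BASE_URL) || BASE_URL.startsWith(pathInfo));
    if (!isRestApiRequest) {
        if (isDebugEnabled) {
            LOG.debug("Ignoring request {}", pathInfo);
        }
        chain.doFilter(req, res);
        return;
    }
    if (isDebugEnabled) {
        LOG.debug("{} is a valid REST API request!!!", pathInfo);
    }

    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth == null) {
        // No authenticated principal: refuse rather than authorize an anonymous caller.
        if (LOG.isErrorEnabled()) {
            LOG.error("Cannot obtain Security Context");
        }
        throw new ServletException("Cannot obtain Security Context");
    }
    String userName = auth.getName();
    Set<String> groups = new HashSet<>();
    for (GrantedAuthority authority : auth.getAuthorities()) {
        groups.add(authority.getAuthority());
    }

    AtlasAccessRequest atlasRequest = new AtlasAccessRequest(request, userName, groups);
    if (isDebugEnabled) {
        LOG.debug("============================\nUserName :: {}\nGroups :: {}\nURL :: {}\nAction :: {}\nrequest.getServletPath() :: {}\n============================\n", atlasRequest.getUser(), atlasRequest.getUserGroups(), request.getRequestURL(), atlasRequest.getAction(), pathInfo);
    }

    Set<AtlasResourceTypes> atlasResourceTypes = atlasRequest.getResourceTypes();
    boolean accessAllowed = false;
    if (atlasResourceTypes.size() == 1 && atlasResourceTypes.contains(AtlasResourceTypes.UNKNOWN)) {
        // Allowing access to unprotected resource types
        if (LOG.isDebugEnabled()) {
            LOG.debug("Allowing access to unprotected resource types {}", atlasResourceTypes);
        }
        accessAllowed = true;
    } else {
        try {
            // A missing authorizer leaves accessAllowed false: deny by default.
            if (authorizer != null) {
                accessAllowed = authorizer.isAccessAllowed(atlasRequest);
            }
        } catch (AtlasAuthorizationException e) {
            // An authorizer failure is treated as a denial. The exception is passed as the
            // trailing throwable argument (not through a "{}" placeholder) so the stack
            // trace is actually logged.
            if (LOG.isErrorEnabled()) {
                LOG.error("Access Restricted. Could not process the request", e);
            }
        }
        if (isDebugEnabled) {
            LOG.debug("Authorizer result :: {}", accessAllowed);
        }
    }

    if (accessAllowed) {
        if (isDebugEnabled) {
            LOG.debug("Access is allowed so forwarding the request!!!");
        }
        chain.doFilter(req, res);
        return;
    }

    JSONObject json = new JSONObject();
    json.put("AuthorizationError", "You are not authorized for " + atlasRequest.getAction().name() + " on "
            + atlasResourceTypes + " : " + atlasRequest.getResource());
    // Write the 403 body directly: sendError(status, msg) would discard the JSON content type
    // set here and render msg (which embeds the request-derived resource string) inside the
    // container's HTML error page instead of returning the JSON document built above.
    response.setStatus(HttpServletResponse.SC_FORBIDDEN);
    response.setContentType("application/json");
    response.setCharacterEncoding("UTF-8");
    response.getWriter().write(json.toString());
    response.getWriter().flush();
    if (isDebugEnabled) {
        LOG.debug("You are not authorized for {} on {} : {}\nReturning 403 since the access is blocked update!!!!", atlasRequest.getAction().name(), atlasResourceTypes, atlasRequest.getResource());
    }
}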