[ATLAS-4170] v2/entity/bulk Entity GET API is able to read unauthorised entities too when skipFailedEntities is passed as True - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.1.0
Fix Version/s: 3.0.0, 2.2.0
Component/s: atlas-core
Labels:
None

Description

As part of https://issues.apache.org/jira/browse/ATLAS-3855, skipFailedEntities was introduced to ignore the entities where it fails to read

When skipFailedEntities is not passed or is passed as skipFailedEntities=False, then we get 403 with below error as expected

{    
"errorCode": "ATLAS-403-00-001",    
"errorMessage": "hrt is not authorized to perform read entity: guid=ad0f349c-1fe6-46f0-be6d-98ca2e754e1c"
}

But when we pass skipFailedEntities=True, then API is able to retrieve the data for even those entities on which the user has explicit deny conditions. Ideally, we should be ignoring these unauthorised entities and return data only for authorised ones.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

ATLAS-4170.patch
19/Feb/21 02:07
2 kB
Sidharth Kumar Mishra

Issue Links

links to

Code Review

Activity

People

Assignee:: Sidharth Kumar Mishra

Reporter:: Sidharth Kumar Mishra

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 19/Feb/21 01:21

Updated:: 19/Feb/21 05:35

Resolved:: 19/Feb/21 05:35