ATLAS-5326: Enforce Atlas authorization on AdminResource REST endpoints by rkundam · Pull Request #674 · apache/atlas

rkundam · 2026-06-18T00:32:10Z

What changes were proposed in this pull request?

ATLAS-5326: Enforce Atlas authorization on AdminResource REST endpoints

Add AtlasAuthorizationUtils.verifyAccess() to sensitive AdminResource REST endpoints that previously lacked Atlas-level authorization checks.
Leave operational and UI-facing endpoints (/version, /status, /metrics, /metricsstats*, /liveness, /readiness) accessible to any authenticated user without an additional Atlas privilege check.
AdminResource.java: Enforce authorization on 15 endpoint groups using existing privileges (ADMIN_EXPORT, ADMIN_IMPORT, ADMIN_PURGE, ADMIN_AUDITS, ENTITY_READ).
AdminResourceTest.java: Add withAuthorizationBypass / withAuthorizationBypassCallable test helpers and update unit tests for protected vs. open endpoints.

Endpoint	Privilege
GET /stack	ADMIN_EXPORT
GET /session	ENTITY_READ
GET/DELETE /activeSearches	ADMIN_EXPORT
GET /server/{serverName}	ADMIN_EXPORT
GET /expimp/audit	ADMIN_EXPORT
POST /checkstate	ENTITY_READ
GET /patches	ADMIN_IMPORT
GET /audit/{auditGuid}/details	ADMIN_AUDITS
GET/DELETE /tasks	ADMIN_PURGE
GET /debug/metrics	ADMIN_EXPORT
DELETE /async/import/{importId}	ADMIN_IMPORT
GET /async/import/status*	ADMIN_IMPORT

GET /version, /status, /metrics
GET /metricsstats, /metricsstat/{collectionTime}, /metricsstats/range, /metricsstats/charts
GET /liveness, /readiness

Manual Testing

ATLAS-5326: Enforce Atlas authorization on AdminResource REST endpoints

a9a6690

rodriguesnixon approved these changes Jun 18, 2026

View reviewed changes

rkundam closed this Jun 18, 2026