wip - access controls

TODO:
* cache keys - need to be context aware to prevent incorrect results
* ownership migration upgrade step
* complete unit tests for access controls
* restricted entity hydration and graphql response (chris)

Author: david-leifker

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/QueryContext.java

@@ -3,6 +3,7 @@
 import com.datahub.authentication.Actor;
 import com.datahub.authentication.Authentication;
 import com.datahub.plugins.auth.authorization.Authorizer;
+import io.datahubproject.metadata.context.OperationContext;
 
 /** Provided as input to GraphQL resolvers; used to carry information about GQL request context. */
 public interface QueryContext {
@@ -25,4 +26,9 @@ default String getActorUrn() {
 
   /** Returns the authorizer used to authorize specific actions. */
   Authorizer getAuthorizer();
+
+  /**
+   * @return Returns the operational context
+   */
+  OperationContext getOperationContext();
 }

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/analytics/resolver/GetMetadataAnalyticsResolver.java

@@ -2,17 +2,16 @@
 
 import static com.linkedin.datahub.graphql.resolvers.ResolverUtils.bindArgument;
 
-import com.datahub.authentication.Authentication;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
+import com.linkedin.datahub.graphql.QueryContext;
 import com.linkedin.datahub.graphql.analytics.service.AnalyticsUtil;
 import com.linkedin.datahub.graphql.generated.AnalyticsChart;
 import com.linkedin.datahub.graphql.generated.AnalyticsChartGroup;
 import com.linkedin.datahub.graphql.generated.BarChart;
 import com.linkedin.datahub.graphql.generated.BarSegment;
 import com.linkedin.datahub.graphql.generated.MetadataAnalyticsInput;
 import com.linkedin.datahub.graphql.generated.NamedBar;
-import com.linkedin.datahub.graphql.resolvers.ResolverUtils;
 import com.linkedin.datahub.graphql.types.entitytype.EntityTypeMapper;
 import com.linkedin.entity.client.EntityClient;
 import com.linkedin.metadata.Constants;
@@ -22,6 +21,7 @@
 import com.linkedin.metadata.search.utils.QueryUtils;
 import graphql.schema.DataFetcher;
 import graphql.schema.DataFetchingEnvironment;
+import io.datahubproject.metadata.context.OperationContext;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
@@ -41,24 +41,24 @@ public final class GetMetadataAnalyticsResolver implements DataFetcher<List<Anal
 
   @Override
   public final List<AnalyticsChartGroup> get(DataFetchingEnvironment environment) throws Exception {
-    final Authentication authentication = ResolverUtils.getAuthentication(environment);
+    final QueryContext context = environment.getContext();
     final MetadataAnalyticsInput input =
         bindArgument(environment.getArgument("input"), MetadataAnalyticsInput.class);
 
     try {
       final AnalyticsChartGroup group = new AnalyticsChartGroup();
       group.setGroupId("FilteredMetadataAnalytics");
       group.setTitle("");
-      group.setCharts(getCharts(input, authentication));
+      group.setCharts(getCharts(input, context.getOperationContext()));
       return ImmutableList.of(group);
     } catch (Exception e) {
       log.error("Failed to retrieve metadata analytics!", e);
       return Collections.emptyList(); // Simply return nothing.
     }
   }
 
-  private List<AnalyticsChart> getCharts(
-      MetadataAnalyticsInput input, Authentication authentication) throws Exception {
+  private List<AnalyticsChart> getCharts(MetadataAnalyticsInput input, OperationContext opContext)
+      throws Exception {
     final List<AnalyticsChart> charts = new ArrayList<>();
 
     List<String> entities = Collections.emptyList();
@@ -77,8 +77,7 @@ private List<AnalyticsChart> getCharts(
     }
 
     SearchResult searchResult =
-        _entityClient.searchAcrossEntities(
-            entities, query, filter, 0, 0, null, null, authentication);
+        _entityClient.searchAcrossEntities(opContext, entities, query, filter, 0, 0, null, null);
 
     List<AggregationMetadata> aggregationMetadataList =
         searchResult.getMetadata().getAggregations();
@@ -96,7 +95,7 @@ private List<AnalyticsChart> getCharts(
           Constants.DOMAIN_ENTITY_NAME,
           ImmutableSet.of(Constants.DOMAIN_PROPERTIES_ASPECT_NAME),
           AnalyticsUtil::getDomainName,
-          authentication);
+          opContext.getSessionAuthentication());
       charts.add(BarChart.builder().setTitle("Entities by Domain").setBars(domainChart).build());
     }
 
@@ -113,7 +112,7 @@ private List<AnalyticsChart> getCharts(
           Constants.DATA_PLATFORM_ENTITY_NAME,
           ImmutableSet.of(Constants.DATA_PLATFORM_INFO_ASPECT_NAME),
           AnalyticsUtil::getPlatformName,
-          authentication);
+          opContext.getSessionAuthentication());
       charts.add(
           BarChart.builder().setTitle("Entities by Platform").setBars(platformChart).build());
     }
@@ -132,7 +131,7 @@ private List<AnalyticsChart> getCharts(
           ImmutableSet.of(
               Constants.GLOSSARY_TERM_KEY_ASPECT_NAME, Constants.GLOSSARY_TERM_INFO_ASPECT_NAME),
           AnalyticsUtil::getTermName,
-          authentication);
+          opContext.getSessionAuthentication());
       charts.add(BarChart.builder().setTitle("Entities by Term").setBars(termChart).build());
     }
 

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/auth/ListAccessTokensResolver.java

@@ -65,13 +65,13 @@ public CompletableFuture<ListAccessTokenResult> get(DataFetchingEnvironment envi
                       .setOrder(SortOrder.DESCENDING);
               final SearchResult searchResult =
                   _entityClient.search(
+                      context.getOperationContext(),
                       Constants.ACCESS_TOKEN_ENTITY_NAME,
                       "",
                       buildFilter(filters, Collections.emptyList()),
                       sortCriterion,
                       start,
                       count,
-                      getAuthentication(environment),
                       new SearchFlags().setFulltext(true));
 
               final List<AccessTokenMetadata> tokens =

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/container/ContainerEntitiesResolver.java

@@ -79,6 +79,7 @@ public CompletableFuture<SearchResults> get(final DataFetchingEnvironment enviro
 
             return UrnSearchResultsMapper.map(
                 _entityClient.searchAcrossEntities(
+                    context.getOperationContext(),
                     CONTAINABLE_ENTITY_NAMES,
                     query,
                     new Filter()
@@ -90,8 +91,7 @@ public CompletableFuture<SearchResults> get(final DataFetchingEnvironment enviro
                     start,
                     count,
                     null,
-                    null,
-                    context.getAuthentication()));
+                    null));
 
           } catch (Exception e) {
             throw new RuntimeException(

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/dataproduct/ListDataProductAssetsResolver.java

@@ -151,14 +151,14 @@ public CompletableFuture<SearchResults> get(DataFetchingEnvironment environment)
 
             return UrnSearchResultsMapper.map(
                 _entityClient.searchAcrossEntities(
+                    context.getOperationContext(),
                     finalEntityNames,
                     sanitizedQuery,
                     finalFilter,
                     start,
                     count,
                     searchFlags,
-                    null,
-                    ResolverUtils.getAuthentication(environment)));
+                    null));
           } catch (Exception e) {
             log.error(
                 "Failed to execute search for data product assets: entity types {}, query {}, filters: {}, start: {}, count: {}",

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/domain/DomainEntitiesResolver.java

@@ -86,6 +86,7 @@ public CompletableFuture<SearchResults> get(final DataFetchingEnvironment enviro
 
             return UrnSearchResultsMapper.map(
                 _entityClient.searchAcrossEntities(
+                    context.getOperationContext(),
                     SEARCHABLE_ENTITY_TYPES.stream()
                         .map(EntityTypeMapper::getName)
                         .collect(Collectors.toList()),
@@ -97,8 +98,7 @@ public CompletableFuture<SearchResults> get(final DataFetchingEnvironment enviro
                     start,
                     count,
                     null,
-                    null,
-                    context.getAuthentication()));
+                    null));
 
           } catch (Exception e) {
             throw new RuntimeException(

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/domain/ListDomainsResolver.java

@@ -62,6 +62,7 @@ public CompletableFuture<ListDomainsResult> get(final DataFetchingEnvironment en
             // First, get all domain Urns.
             final SearchResult gmsResult =
                 _entityClient.search(
+                    context.getOperationContext(),
                     Constants.DOMAIN_ENTITY_NAME,
                     query,
                     filter,
@@ -70,7 +71,6 @@ public CompletableFuture<ListDomainsResult> get(final DataFetchingEnvironment en
                         .setOrder(SortOrder.DESCENDING),
                     start,
                     count,
-                    context.getAuthentication(),
                     new SearchFlags().setFulltext(true));
 
             // Now that we have entities we can bind this to a result.

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/glossary/CreateGlossaryTermResolver.java

@@ -140,7 +140,7 @@ private Map<Urn, EntityResponse> getTermsWithSameParent(Urn parentNode, QueryCon
       final Filter filter = buildParentNodeFilter(parentNode);
       final SearchResult searchResult =
           _entityClient.filter(
-              GLOSSARY_TERM_ENTITY_NAME, filter, null, 0, 1000, context.getAuthentication());
+              context.getOperationContext(), GLOSSARY_TERM_ENTITY_NAME, filter, null, 0, 1000);
 
       final List<Urn> termUrns =
           searchResult.getEntities().stream()

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/glossary/GetRootGlossaryNodesResolver.java

@@ -53,12 +53,12 @@ public CompletableFuture<GetRootGlossaryNodesResult> get(
             final Filter filter = buildGlossaryEntitiesFilter();
             final SearchResult gmsNodesResult =
                 _entityClient.filter(
+                    context.getOperationContext(),
                     Constants.GLOSSARY_NODE_ENTITY_NAME,
                     filter,
                     null,
                     start,
-                    count,
-                    context.getAuthentication());
+                    count);
 
             final List<Urn> glossaryNodeUrns =
                 gmsNodesResult.getEntities().stream()

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/glossary/GetRootGlossaryTermsResolver.java

@@ -53,12 +53,12 @@ public CompletableFuture<GetRootGlossaryTermsResult> get(
             final Filter filter = buildGlossaryEntitiesFilter();
             final SearchResult gmsTermsResult =
                 _entityClient.filter(
+                    context.getOperationContext(),
                     Constants.GLOSSARY_TERM_ENTITY_NAME,
                     filter,
                     null,
                     start,
-                    count,
-                    context.getAuthentication());
+                    count);
 
             final List<Urn> glossaryTermUrns =
                 gmsTermsResult.getEntities().stream()

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/group/ListGroupsResolver.java

@@ -58,6 +58,7 @@ public CompletableFuture<ListGroupsResult> get(final DataFetchingEnvironment env
               // First, get all group Urns.
               final SearchResult gmsResult =
                   _entityClient.search(
+                      context.getOperationContext(),
                       CORP_GROUP_ENTITY_NAME,
                       query,
                       null,
@@ -66,7 +67,6 @@ public CompletableFuture<ListGroupsResult> get(final DataFetchingEnvironment env
                           .setOrder(SortOrder.DESCENDING),
                       start,
                       count,
-                      context.getAuthentication(),
                       new SearchFlags().setFulltext(true));
 
               // Then, get hydrate all groups.

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/ingest/execution/IngestionSourceExecutionRequestsResolver.java

@@ -67,6 +67,7 @@ public CompletableFuture<IngestionSourceExecutionRequests> get(
 
             final SearchResult executionsSearchResult =
                 _entityClient.filter(
+                    context.getOperationContext(),
                     Constants.EXECUTION_REQUEST_ENTITY_NAME,
                     new Filter()
                         .setOr(
@@ -78,8 +79,7 @@ public CompletableFuture<IngestionSourceExecutionRequests> get(
                         .setField(REQUEST_TIME_MS_FIELD_NAME)
                         .setOrder(SortOrder.DESCENDING),
                     start,
-                    count,
-                    context.getAuthentication());
+                    count);
 
             // 2. Batch fetch the related ExecutionRequests
             final Set<Urn> relatedExecRequests =

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/ingest/secret/ListSecretsResolver.java

@@ -67,6 +67,7 @@ public CompletableFuture<ListSecretsResult> get(final DataFetchingEnvironment en
               // First, get all secrets
               final SearchResult gmsResult =
                   _entityClient.search(
+                      context.getOperationContext(),
                       Constants.SECRETS_ENTITY_NAME,
                       query,
                       null,
@@ -75,7 +76,6 @@ public CompletableFuture<ListSecretsResult> get(final DataFetchingEnvironment en
                           .setOrder(SortOrder.DESCENDING),
                       start,
                       count,
-                      context.getAuthentication(),
                       new SearchFlags().setFulltext(true));
 
               // Then, resolve all secrets

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/ingest/source/ListIngestionSourcesResolver.java

@@ -63,13 +63,13 @@ public CompletableFuture<ListIngestionSourcesResult> get(
               // First, get all ingestion sources Urns.
               final SearchResult gmsResult =
                   _entityClient.search(
+                      context.getOperationContext(),
                       Constants.INGESTION_SOURCE_ENTITY_NAME,
                       query,
                       buildFilter(filters, Collections.emptyList()),
                       null,
                       start,
                       count,
-                      context.getAuthentication(),
                       new SearchFlags().setFulltext(true));
 
               // Then, resolve all ingestion sources

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/jobs/DataJobRunsResolver.java

@@ -63,12 +63,12 @@ public CompletableFuture<DataProcessInstanceResult> get(DataFetchingEnvironment
             final SortCriterion sortCriterion = buildTaskRunsSortCriterion();
             final SearchResult gmsResult =
                 _entityClient.filter(
+                    context.getOperationContext(),
                     Constants.DATA_PROCESS_INSTANCE_ENTITY_NAME,
                     filter,
                     sortCriterion,
                     start,
-                    count,
-                    context.getAuthentication());
+                    count);
             final List<Urn> dataProcessInstanceUrns =
                 gmsResult.getEntities().stream()
                     .map(SearchEntity::getEntity)

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/jobs/EntityRunsResolver.java

@@ -69,12 +69,12 @@ public CompletableFuture<DataProcessInstanceResult> get(DataFetchingEnvironment
             final SortCriterion sortCriterion = buildTaskRunsSortCriterion();
             final SearchResult gmsResult =
                 _entityClient.filter(
+                    context.getOperationContext(),
                     Constants.DATA_PROCESS_INSTANCE_ENTITY_NAME,
                     filter,
                     sortCriterion,
                     start,
-                    count,
-                    context.getAuthentication());
+                    count);
             final List<Urn> dataProcessInstanceUrns =
                 gmsResult.getEntities().stream()
                     .map(SearchEntity::getEntity)

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/util/DomainUtils.java

@@ -212,7 +212,7 @@ public static boolean hasChildDomains(
     // Limit count to 1 for existence check
     final SearchResult searchResult =
         entityClient.filter(
-            DOMAIN_ENTITY_NAME, parentDomainFilter, null, 0, 1, context.getAuthentication());
+            context.getOperationContext(), DOMAIN_ENTITY_NAME, parentDomainFilter, null, 0, 1);
     return (searchResult.getNumEntities() > 0);
   }
 
@@ -226,7 +226,7 @@ private static Map<Urn, EntityResponse> getDomainsByNameAndParent(
 
       final SearchResult searchResult =
           entityClient.filter(
-              DOMAIN_ENTITY_NAME, filter, null, 0, 1000, context.getAuthentication());
+              context.getOperationContext(), DOMAIN_ENTITY_NAME, filter, null, 0, 1000);
 
       final Set<Urn> domainUrns =
           searchResult.getEntities().stream()

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/ownership/ListOwnershipTypesResolver.java

@@ -60,13 +60,13 @@ public CompletableFuture<ListOwnershipTypesResult> get(DataFetchingEnvironment e
 
             final SearchResult gmsResult =
                 _entityClient.search(
+                    context.getOperationContext(),
                     Constants.OWNERSHIP_TYPE_ENTITY_NAME,
                     query,
                     buildFilter(filters, Collections.emptyList()),
                     DEFAULT_SORT_CRITERION,
                     start,
                     count,
-                    context.getAuthentication(),
                     new SearchFlags().setFulltext(true));
 
             final ListOwnershipTypesResult result = new ListOwnershipTypesResult();

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/policy/ListPoliciesResolver.java

@@ -42,7 +42,7 @@ public CompletableFuture<ListPoliciesResult> get(final DataFetchingEnvironment e
       final String query = input.getQuery() == null ? DEFAULT_QUERY : input.getQuery();
 
       return _policyFetcher
-          .fetchPolicies(start, query, count, context.getAuthentication())
+          .fetchPolicies(context.getOperationContext(), start, query, count)
           .thenApply(
               policyFetchResult -> {
                 final ListPoliciesResult result = new ListPoliciesResult();

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/post/ListPostsResolver.java

@@ -57,13 +57,13 @@ public CompletableFuture<ListPostsResult> get(final DataFetchingEnvironment envi
             // First, get all Post Urns.
             final SearchResult gmsResult =
                 _entityClient.search(
+                    context.getOperationContext(),
                     POST_ENTITY_NAME,
                     query,
                     null,
                     sortCriterion,
                     start,
                     count,
-                    context.getAuthentication(),
                     new SearchFlags().setFulltext(true));
 
             // Then, get and hydrate all Posts.