feat(auth) - New privilege for Associate entities for entities tags and glossary terms

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/exception/DataHubGraphQLErrorCode.java

@@ -4,6 +4,7 @@ public enum DataHubGraphQLErrorCode {
   BAD_REQUEST(400),
   UNAUTHORIZED(403),
   NOT_FOUND(404),
+  UNAUTHORIZED_TAG_ERROR(405),
   SERVER_ERROR(500);
 
   private final int _code;

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/exception/TagAuthorizationException.java

@@ -0,0 +1,16 @@
+package com.linkedin.datahub.graphql.exception;
+
+
+/**
+ * Exception thrown when update fails due to ASSOCIATE_TAG privilege.
+ */
+public class TagAuthorizationException extends DataHubGraphQLException {
+
+  public TagAuthorizationException(String message) {
+    super(message, DataHubGraphQLErrorCode.UNAUTHORIZED_TAG_ERROR);
+  }
+
+  public TagAuthorizationException(String message, Throwable cause) {
+    super(message, DataHubGraphQLErrorCode.UNAUTHORIZED_TAG_ERROR);
+  }
+}

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/AddTagResolver.java

@@ -6,6 +6,7 @@
 import com.linkedin.common.urn.Urn;
 import com.linkedin.datahub.graphql.QueryContext;
 import com.linkedin.datahub.graphql.exception.AuthorizationException;
+import com.linkedin.datahub.graphql.exception.TagAuthorizationException;
 import com.linkedin.datahub.graphql.generated.ResourceRefInput;
 import com.linkedin.datahub.graphql.generated.TagAssociationInput;
 import com.linkedin.datahub.graphql.resolvers.mutate.util.LabelUtils;
@@ -35,6 +36,10 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
       throw new AuthorizationException("Unauthorized to perform this action. Please contact your DataHub administrator.");
     }
 
+    if (!LabelUtils.isAuthorizedToAssociateTag(environment.getContext(), tagUrn)) {
+      throw new TagAuthorizationException("Only users granted permission to this tag can assign or remove it");
+    }
+
     return CompletableFuture.supplyAsync(() -> {
       LabelUtils.validateResourceAndLabel(
           tagUrn,

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/AddTagsResolver.java

@@ -7,6 +7,7 @@
 import com.linkedin.common.urn.UrnUtils;
 import com.linkedin.datahub.graphql.QueryContext;
 import com.linkedin.datahub.graphql.exception.AuthorizationException;
+import com.linkedin.datahub.graphql.exception.TagAuthorizationException;
 import com.linkedin.datahub.graphql.generated.AddTagsInput;
 import com.linkedin.datahub.graphql.generated.ResourceRefInput;
 import com.linkedin.datahub.graphql.resolvers.mutate.util.LabelUtils;
@@ -43,6 +44,12 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
         throw new AuthorizationException("Unauthorized to perform this action. Please contact your DataHub administrator.");
       }
 
+      tagUrns.forEach((tagUrn) -> {
+        if (!LabelUtils.isAuthorizedToAssociateTag(environment.getContext(), tagUrn)) {
+          throw new TagAuthorizationException("Only users granted permission to this tag can assign or remove it");
+        }
+      });
+
       LabelUtils.validateResourceAndLabel(
           tagUrns,
           targetUrn,

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/BatchAddTagsResolver.java

@@ -4,6 +4,7 @@
 import com.linkedin.common.urn.UrnUtils;
 import com.linkedin.datahub.graphql.QueryContext;
 import com.linkedin.datahub.graphql.exception.AuthorizationException;
+import com.linkedin.datahub.graphql.exception.TagAuthorizationException;
 import com.linkedin.datahub.graphql.generated.BatchAddTagsInput;
 import com.linkedin.datahub.graphql.generated.ResourceRefInput;
 import com.linkedin.datahub.graphql.resolvers.mutate.util.LabelUtils;
@@ -45,7 +46,7 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
     return CompletableFuture.supplyAsync(() -> {
 
       // First, validate the batch
-      validateTags(tagUrns);
+      validateTags(tagUrns, context);
 
       if (resources.size() == 1 && resources.get(0).getSubResource() != null) {
         return handleAddTagsToSingleSchemaField(context, resources, tagUrns);
@@ -117,9 +118,13 @@ private Boolean attemptBatchAddTagsWithSiblings(
     }
   }
 
-  private void validateTags(List<Urn> tagUrns) {
+  private void validateTags(List<Urn> tagUrns, QueryContext context) {
     for (Urn tagUrn : tagUrns) {
       LabelUtils.validateLabel(tagUrn, Constants.TAG_ENTITY_NAME, _entityService);
+
+      if (!LabelUtils.isAuthorizedToAssociateTag(context, tagUrn)) {
+        throw new TagAuthorizationException("Only users granted permission to this tag can assign or remove it");
+      }
     }
   }
 

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/BatchRemoveTagsResolver.java

@@ -4,6 +4,7 @@
 import com.linkedin.common.urn.UrnUtils;
 import com.linkedin.datahub.graphql.QueryContext;
 import com.linkedin.datahub.graphql.exception.AuthorizationException;
+import com.linkedin.datahub.graphql.exception.TagAuthorizationException;
 import com.linkedin.datahub.graphql.generated.BatchRemoveTagsInput;
 import com.linkedin.datahub.graphql.generated.ResourceRefInput;
 import com.linkedin.datahub.graphql.resolvers.mutate.util.LabelUtils;
@@ -37,6 +38,9 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
     return CompletableFuture.supplyAsync(() -> {
 
       // First, validate the batch
+      validateTags(tagUrns, context);
+
+      // Next, validate the batch
       validateInputResources(resources, context);
 
       try {
@@ -50,6 +54,14 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
     });
   }
 
+  private void validateTags(List<Urn> tagUrns, QueryContext context) {
+    for (Urn tagUrn : tagUrns) {
+      if (!LabelUtils.isAuthorizedToAssociateTag(context, tagUrn)) {
+        throw new TagAuthorizationException("Only users granted permission to this tag can assign or remove it");
+      }
+    }
+  }
+
   private void validateInputResources(List<ResourceRefInput> resources, QueryContext context) {
     for (ResourceRefInput resource : resources) {
       validateInputResource(resource, context);

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/RemoveTagResolver.java

@@ -5,6 +5,7 @@
 import com.linkedin.common.urn.Urn;
 import com.linkedin.datahub.graphql.QueryContext;
 import com.linkedin.datahub.graphql.exception.AuthorizationException;
+import com.linkedin.datahub.graphql.exception.TagAuthorizationException;
 import com.linkedin.datahub.graphql.generated.ResourceRefInput;
 import com.linkedin.datahub.graphql.generated.TagAssociationInput;
 import com.linkedin.datahub.graphql.resolvers.mutate.util.LabelUtils;
@@ -33,6 +34,9 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
     if (!LabelUtils.isAuthorizedToUpdateTags(environment.getContext(), targetUrn, input.getSubResource())) {
       throw new AuthorizationException("Unauthorized to perform this action. Please contact your DataHub administrator.");
     }
+    if (!LabelUtils.isAuthorizedToAssociateTag(environment.getContext(), tagUrn)) {
+      throw new TagAuthorizationException("Only users granted permission to this tag can assign or remove it");
+    }
 
     return CompletableFuture.supplyAsync(() -> {
       LabelUtils.validateResourceAndLabel(

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/util/LabelUtils.java

@@ -201,6 +201,21 @@ public static boolean isAuthorizedToUpdateTags(@Nonnull QueryContext context, Ur
         orPrivilegeGroups);
   }
 
+  public static boolean isAuthorizedToAssociateTag(@Nonnull QueryContext context, Urn targetUrn) {
+
+    // Decide whether the current principal should be allowed to associate the tag
+    final DisjunctivePrivilegeGroup orPrivilegeGroups = new DisjunctivePrivilegeGroup(ImmutableList.of(
+        new ConjunctivePrivilegeGroup(ImmutableList.of(PoliciesConfig.ASSOCIATE_TAGS_PRIVILEGE.getType()))
+    ));
+
+    return AuthorizationUtils.isAuthorized(
+        context.getAuthorizer(),
+        context.getActorUrn(),
+        targetUrn.getEntityType(),
+        targetUrn.toString(),
+        orPrivilegeGroups);
+  }
+
   public static boolean isAuthorizedToUpdateTerms(@Nonnull QueryContext context, Urn targetUrn, String subResource) {
 
     Boolean isTargetingSchema = subResource != null && subResource.length() > 0;

datahub-graphql-core/src/main/resources/entity.graphql

@@ -8200,6 +8200,10 @@ enum PolicyMatchCondition {
   Whether the field matches the value
   """
   EQUALS
+  """
+  Whether the field does not the value
+  """
+  NOT_EQUALS
 }
 
 """

datahub-web-react/src/app/entity/shared/utils.ts

@@ -145,6 +145,13 @@ export const handleBatchError = (urns, e, defaultMessage) => {
             duration: 3,
         };
     }
+    if (urns.length > 1 && getGraphqlErrorCode(e) === 405) {
+        return {
+            content:
+                'Only users granted permission to this tag can assign or remove it. The bulk edit being performed will not be saved. ',
+            duration: 3,
+        };
+    }
     return defaultMessage;
 };
 

datahub-web-react/src/app/permissions/policy/PolicyDetailsModal.tsx

@@ -3,9 +3,14 @@ import { Link } from 'react-router-dom';
 import { Button, Divider, Modal, Tag, Typography } from 'antd';
 import styled from 'styled-components';
 import { useEntityRegistry } from '../../useEntityRegistry';
-import { Maybe, Policy, PolicyState, PolicyType } from '../../../types.generated';
+import { Maybe, Policy, PolicyMatchCondition, PolicyState, PolicyType } from '../../../types.generated';
 import { useAppConfig } from '../../useAppConfig';
-import { convertLegacyResourceFilter, getFieldValues, mapResourceTypeToDisplayName } from './policyUtils';
+import {
+    convertLegacyResourceFilter,
+    getFieldCondition,
+    getFieldValues,
+    mapResourceTypeToDisplayName,
+} from './policyUtils';
 import AvatarsGroup from '../AvatarsGroup';
 
 type PrivilegeOptionType = {
@@ -69,6 +74,7 @@ export default function PolicyDetailsModal({ policy, visible, onClose, privilege
     const resources = convertLegacyResourceFilter(policy?.resources);
     const resourceTypes = getFieldValues(resources?.filter, 'RESOURCE_TYPE') || [];
     const resourceEntities = getFieldValues(resources?.filter, 'RESOURCE_URN') || [];
+    const policyMatchCondition = getFieldCondition(resources?.filter, 'RESOURCE_URN');
     const domains = getFieldValues(resources?.filter, 'DOMAIN') || [];
 
     const {
@@ -157,6 +163,13 @@ export default function PolicyDetailsModal({ policy, visible, onClose, privilege
                                     );
                                 })) || <PoliciesTag>All</PoliciesTag>}
                         </div>
+                        <div>
+                            <Typography.Title level={5}>Asset Condition</Typography.Title>
+                            <ThinDivider />
+                            <PoliciesTag>
+                                {policyMatchCondition === PolicyMatchCondition.NotEquals ? 'Excludes' : 'Includes'}
+                            </PoliciesTag>
+                        </div>
                         <div>
                             <Typography.Title level={5}>Assets</Typography.Title>
                             <ThinDivider />