Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(auth) - New privilege for Associate entities for entities tags and glossary terms #8644

Open
wants to merge 26 commits into
base: master
Choose a base branch
from
+291 −78
Open

feat(auth) - New privilege for Associate entities for entities tags and glossary terms #8644

Show file tree
Hide file tree
Changes from 13 commits
Commits
Show all changes
26 commits
Select commit Hold shift + click to select a range
c923b8b
New privilege for Associate tags
Aug 16, 2023
f60a413
Add Associate_tags policy for admin and editors
Aug 16, 2023
0da4478
Merge branch 'master' into master
mkamalas Aug 16, 2023
5067773
Set Tag Authorization error as 403 error code
Aug 18, 2023
0ee58b0
Merge branch 'master' into master
mkamalas Aug 18, 2023
e03e2af
Merge branch 'master' into master
mkamalas Aug 20, 2023
67a991f
Merge branch 'master' into master
mkamalas Aug 22, 2023
df12d4a
Merge branch 'master' into master
mkamalas Aug 23, 2023
e5216d4
Merge branch 'master' into master
mkamalas Aug 23, 2023
7f002d5
Merge branch 'master' into master
mkamalas Aug 23, 2023
c35550a
Merge branch 'master' into master
mkamalas Aug 24, 2023
2750e54
Add Associate_Tags privilege for datahub
Aug 27, 2023
15d56b1
Merge branch 'master' into master
mkamalas Aug 27, 2023
80efa94
For NOT_EQUALS, check all resources match the condition
mkamalas Sep 11, 2023
c60d9ab
Merge branch 'master' into master
mkamalas Aug 8, 2024
bf81623
Merge from upstream
mkamalas Aug 27, 2024
193a093
Format and linting fixes
mkamalas Aug 30, 2024
74074fb
Merge branch 'datahub-project:master' into master
mkamalas Aug 30, 2024
f37a807
Fix documentation for NOT_EQUALS
mkamalas Aug 30, 2024
fae9dd0
Merge branch 'master' into master
mkamalas Sep 4, 2024
4c1aa72
Resolve merge conflict issue
mkamalas Sep 9, 2024
f703c95
Update metadata-service/auth-impl/src/main/java/com/datahub/authoriza…
mkamalas Sep 18, 2024
8b43d10
Merge branch 'master' into master
mkamalas Sep 19, 2024
49977c1
Merge from upstream fork
mkamalas Feb 14, 2025
b235f0d
Rename privilege to Associate Entity and apply to terms
mkamalas Feb 16, 2025
e98fb1e
Merge branch 'master' into master
mkamalas Mar 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions ...phql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/AddTagResolver.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,10 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
throw new AuthorizationException("Unauthorized to perform this action. Please contact your DataHub administrator.");
}

if (!LabelUtils.isAuthorizedToAssociateTag(environment.getContext(), tagUrn)) {
throw new AuthorizationException("Only users granted permission to this tag can assign or remove it");
}

return CompletableFuture.supplyAsync(() -> {
LabelUtils.validateResourceAndLabel(
tagUrn,
Expand Down
6 changes: 6 additions & 0 deletions ...hql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/AddTagsResolver.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,12 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
throw new AuthorizationException("Unauthorized to perform this action. Please contact your DataHub administrator.");
}

tagUrns.forEach((tagUrn) -> {
if (!LabelUtils.isAuthorizedToAssociateTag(environment.getContext(), tagUrn)) {
throw new AuthorizationException("Only users granted permission to this tag can assign or remove it");
}
});

LabelUtils.validateResourceAndLabel(
tagUrns,
targetUrn,
Expand Down
8 changes: 6 additions & 2 deletions ...ore/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/BatchAddTagsResolver.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
return CompletableFuture.supplyAsync(() -> {

// First, validate the batch
validateTags(tagUrns);
validateTags(tagUrns, context);

if (resources.size() == 1 && resources.get(0).getSubResource() != null) {
return handleAddTagsToSingleSchemaField(context, resources, tagUrns);
Expand Down Expand Up @@ -117,9 +117,13 @@ private Boolean attemptBatchAddTagsWithSiblings(
}
}

private void validateTags(List<Urn> tagUrns) {
private void validateTags(List<Urn> tagUrns, QueryContext context) {
for (Urn tagUrn : tagUrns) {
LabelUtils.validateLabel(tagUrn, Constants.TAG_ENTITY_NAME, _entityService);

if (!LabelUtils.isAuthorizedToAssociateTag(context, tagUrn)) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auth calls should come first before sending validation operations to the entity service, ideally done as soon as possible before any business logic occurs to short circuit.

throw new AuthorizationException("Only users granted permission to this tag can assign or remove it");
}
}
}

Expand Down
11 changes: 11 additions & 0 deletions .../src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/BatchRemoveTagsResolver.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,9 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
return CompletableFuture.supplyAsync(() -> {

// First, validate the batch
validateTags(tagUrns, context);

// Next, validate the batch
validateInputResources(resources, context);

try {
Expand All @@ -50,6 +53,14 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
});
}

private void validateTags(List<Urn> tagUrns, QueryContext context) {
for (Urn tagUrn : tagUrns) {
if (!LabelUtils.isAuthorizedToAssociateTag(context, tagUrn)) {
throw new AuthorizationException("Only users granted permission to this tag can assign or remove it");
}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

now in all these resolvers we'd be checking they have the EDIT_ENTITY_TAGS_PRIVILEGE as well as this new ASSOCIATE_TAGS_PRIVILEGE which seems confusing to me to require to privileges for the same action. In validateInputResource in these resolvers you can see us make these checks

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

EDIT_ENTITY_TAGS_PRIVILEGE is a privilege for the entity to which a list of tags are associated. ASSOCIATE_TAGS_PRIVILEGE is for the list of tags that are being associated. That is the reason I have created 2 different methods.

}
}

private void validateInputResources(List<ResourceRefInput> resources, QueryContext context) {
for (ResourceRefInput resource : resources) {
validateInputResource(resource, context);
Expand Down
3 changes: 3 additions & 0 deletions ...l-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/RemoveTagResolver.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,9 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
if (!LabelUtils.isAuthorizedToUpdateTags(environment.getContext(), targetUrn, input.getSubResource())) {
throw new AuthorizationException("Unauthorized to perform this action. Please contact your DataHub administrator.");
}
if (!LabelUtils.isAuthorizedToAssociateTag(environment.getContext(), tagUrn)) {
throw new AuthorizationException("Only users granted permission to this tag can assign or remove it");
}

return CompletableFuture.supplyAsync(() -> {
LabelUtils.validateResourceAndLabel(
Expand Down
15 changes: 15 additions & 0 deletions ...hql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/util/LabelUtils.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -201,6 +201,21 @@ public static boolean isAuthorizedToUpdateTags(@Nonnull QueryContext context, Ur
orPrivilegeGroups);
}

public static boolean isAuthorizedToAssociateTag(@Nonnull QueryContext context, Urn targetUrn) {

// Decide whether the current principal should be allowed to associate the tag
final DisjunctivePrivilegeGroup orPrivilegeGroups = new DisjunctivePrivilegeGroup(ImmutableList.of(
new ConjunctivePrivilegeGroup(ImmutableList.of(PoliciesConfig.ASSOCIATE_TAGS_PRIVILEGE.getType()))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hm I'm a little confused here - so what's the benefit of this new privilege when we have the EDIT_ENTITY_TAGS_PRIVILEGE privilege already that seems to be doing type of thing?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hm I'm a little confused here - so what's the benefit of this new privilege when we have the EDIT_ENTITY_TAGS_PRIVILEGE privilege already that seems to be doing type of thing?

Please check my response to your other comment on the need for this new privilege

));

return AuthorizationUtils.isAuthorized(
context.getAuthorizer(),
context.getActorUrn(),
targetUrn.getEntityType(),
targetUrn.toString(),
orPrivilegeGroups);
}

public static boolean isAuthorizedToUpdateTerms(@Nonnull QueryContext context, Urn targetUrn, String subResource) {

Boolean isTargetingSchema = subResource != null && subResource.length() > 0;
Expand Down
4 changes: 4 additions & 0 deletions datahub-graphql-core/src/main/resources/entity.graphql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8200,6 +8200,10 @@ enum PolicyMatchCondition {
Whether the field matches the value
"""
EQUALS
"""
Whether the field does not the value
"""
NOT_EQUALS
}

"""
Expand Down
6 changes: 6 additions & 0 deletions datahub-web-react/src/app/entity/shared/utils.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,12 @@ function getGraphqlErrorCode(e) {

export const handleBatchError = (urns, e, defaultMessage) => {
if (urns.length > 1 && getGraphqlErrorCode(e) === 403) {
if (e.message === 'Only users granted permission to this tag can assign or remove it') {
return {
content: `${e.message}. The bulk edit being performed will not be saved.`,
duration: 3,
};
}
Comment on lines +100 to +105
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why do we need this new message when we have a message about being unauthorized below?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new error message is for clarity to pinpoint which authorization is missing.

return {
content:
'Your bulk edit selection included entities that you are unauthorized to update. The bulk edit being performed will not be saved.',
Expand Down
17 changes: 15 additions & 2 deletions datahub-web-react/src/app/permissions/policy/PolicyDetailsModal.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,14 @@ import { Link } from 'react-router-dom';
import { Button, Divider, Modal, Tag, Typography } from 'antd';
import styled from 'styled-components';
import { useEntityRegistry } from '../../useEntityRegistry';
import { Maybe, Policy, PolicyState, PolicyType } from '../../../types.generated';
import { Maybe, Policy, PolicyMatchCondition, PolicyState, PolicyType } from '../../../types.generated';
import { useAppConfig } from '../../useAppConfig';
import { convertLegacyResourceFilter, getFieldValues, mapResourceTypeToDisplayName } from './policyUtils';
import {
convertLegacyResourceFilter,
getFieldCondition,
getFieldValues,
mapResourceTypeToDisplayName,
} from './policyUtils';
import AvatarsGroup from '../AvatarsGroup';

type PrivilegeOptionType = {
Expand Down Expand Up @@ -69,6 +74,7 @@ export default function PolicyDetailsModal({ policy, visible, onClose, privilege
const resources = convertLegacyResourceFilter(policy?.resources);
const resourceTypes = getFieldValues(resources?.filter, 'RESOURCE_TYPE') || [];
const resourceEntities = getFieldValues(resources?.filter, 'RESOURCE_URN') || [];
const policyMatchCondition = getFieldCondition(resources?.filter, 'RESOURCE_URN');
const domains = getFieldValues(resources?.filter, 'DOMAIN') || [];

const {
Expand Down Expand Up @@ -157,6 +163,13 @@ export default function PolicyDetailsModal({ policy, visible, onClose, privilege
);
})) || <PoliciesTag>All</PoliciesTag>}
</div>
<div>
<Typography.Title level={5}>Asset Condition</Typography.Title>
<ThinDivider />
<PoliciesTag>
{policyMatchCondition === PolicyMatchCondition.NotEquals ? 'Excludes' : 'Includes'}
</PoliciesTag>
</div>
<div>
<Typography.Title level={5}>Assets</Typography.Title>
<ThinDivider />
Expand Down
Loading