feat(auth) - New privilege for Associate entities for entities tags and glossary terms

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/AddTagResolver.java

@@ -38,6 +38,11 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
           "Unauthorized to perform this action. Please contact your DataHub administrator.");
     }
 
+    if (!LabelUtils.isAuthorizedToAssociateTag(environment.getContext(), tagUrn)) {
+      throw new AuthorizationException(
+          "Only users granted permission to this tag can assign or remove it");
+    }
+
     return GraphQLConcurrencyUtils.supplyAsync(
         () -> {
           LabelUtils.validateResourceAndLabel(

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/AddTagsResolver.java

@@ -43,6 +43,14 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
                 "Unauthorized to perform this action. Please contact your DataHub administrator.");
           }
 
+          tagUrns.forEach(
+              (tagUrn) -> {
+                if (!LabelUtils.isAuthorizedToAssociateTag(environment.getContext(), tagUrn)) {
+                  throw new AuthorizationException(
+                      "Only users granted permission to this tag can assign or remove it");
+                }
+              });
+
           LabelUtils.validateResourceAndLabel(
               context.getOperationContext(),
               tagUrns,

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/BatchAddTagsResolver.java

@@ -15,7 +15,6 @@
 import com.linkedin.metadata.entity.EntityService;
 import graphql.schema.DataFetcher;
 import graphql.schema.DataFetchingEnvironment;
-import io.datahubproject.metadata.context.OperationContext;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
@@ -45,7 +44,7 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
         () -> {
 
           // First, validate the batch
-          validateTags(context.getOperationContext(), tagUrns);
+          validateTags(context, tagUrns);
 
           if (resources.size() == 1 && resources.get(0).getSubResource() != null) {
             return handleAddTagsToSingleSchemaField(context, resources, tagUrns);
@@ -127,9 +126,15 @@ private Boolean attemptBatchAddTagsWithSiblings(
     }
   }
 
-  private void validateTags(@Nonnull OperationContext opContext, List<Urn> tagUrns) {
+  private void validateTags(@Nonnull QueryContext context, List<Urn> tagUrns) {
     for (Urn tagUrn : tagUrns) {
-      LabelUtils.validateLabel(opContext, tagUrn, Constants.TAG_ENTITY_NAME, _entityService);
+      LabelUtils.validateLabel(
+          context.getOperationContext(), tagUrn, Constants.TAG_ENTITY_NAME, _entityService);
+
+      if (!LabelUtils.isAuthorizedToAssociateTag(context, tagUrn)) {
+        throw new AuthorizationException(
+            "Only users granted permission to this tag can assign or remove it");
+      }
     }
   }
 

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/BatchRemoveTagsResolver.java

@@ -39,6 +39,9 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
     return GraphQLConcurrencyUtils.supplyAsync(
         () -> {
 
+          // First, validate the tag urns
+          validateTags(tagUrns, context);
+
           // First, validate the batch
           validateInputResources(context.getOperationContext(), resources, context);
 
@@ -57,6 +60,15 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
         "get");
   }
 
+  private void validateTags(List<Urn> tagUrns, QueryContext context) {
+    for (Urn tagUrn : tagUrns) {
+      if (!LabelUtils.isAuthorizedToAssociateTag(context, tagUrn)) {
+        throw new AuthorizationException(
+            "Only users granted permission to this tag can assign or remove it");
+      }
+    }
+  }
+
   private void validateInputResources(
       @Nonnull OperationContext opContext, List<ResourceRefInput> resources, QueryContext context) {
     for (ResourceRefInput resource : resources) {

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/RemoveTagResolver.java

@@ -36,6 +36,10 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
       throw new AuthorizationException(
           "Unauthorized to perform this action. Please contact your DataHub administrator.");
     }
+    if (!LabelUtils.isAuthorizedToAssociateTag(environment.getContext(), tagUrn)) {
+      throw new AuthorizationException(
+          "Only users granted permission to this tag can assign or remove it");
+    }
 
     return GraphQLConcurrencyUtils.supplyAsync(
         () -> {

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/util/LabelUtils.java

@@ -258,6 +258,23 @@ public static boolean isAuthorizedToUpdateTags(
         orPrivilegeGroups);
   }
 
+  public static boolean isAuthorizedToAssociateTag(@Nonnull QueryContext context, Urn targetUrn) {
+
+    // Decide whether the current principal should be allowed to associate the tag
+    final DisjunctivePrivilegeGroup orPrivilegeGroups =
+        new DisjunctivePrivilegeGroup(
+            ImmutableList.of(
+                new ConjunctivePrivilegeGroup(
+                    ImmutableList.of(PoliciesConfig.ASSOCIATE_TAGS_PRIVILEGE.getType()))));
+
+    return AuthorizationUtils.isAuthorized(
+        context.getAuthorizer(),
+        context.getActorUrn(),
+        targetUrn.getEntityType(),
+        targetUrn.toString(),
+        orPrivilegeGroups);
+  }
+
   public static boolean isAuthorizedToUpdateTerms(
       @Nonnull QueryContext context, Urn targetUrn, String subResource) {
 

datahub-graphql-core/src/main/resources/entity.graphql

@@ -9152,6 +9152,10 @@ enum PolicyMatchCondition {
   Whether the field matches the value
   """
   EQUALS
+  """
+  Whether the field does not match the value
+  """
+  NOT_EQUALS
 }
 
 """

datahub-web-react/src/app/entity/shared/utils.ts

@@ -97,6 +97,12 @@ function getGraphqlErrorCode(e) {
 
 export const handleBatchError = (urns, e, defaultMessage) => {
     if (urns.length > 1 && getGraphqlErrorCode(e) === 403) {
+        if (e.message === 'Only users granted permission to this tag can assign or remove it') {
+            return {
+                content: `${e.message}. The bulk edit being performed will not be saved.`,
+                duration: 3,
+            };
+        }
         return {
             content:
                 'Your bulk edit selection included entities that you are unauthorized to update. The bulk edit being performed will not be saved.',

datahub-web-react/src/app/permissions/policy/PolicyDetailsModal.tsx

@@ -3,9 +3,14 @@ import { Link } from 'react-router-dom';
 import { Button, Divider, Modal, Tag, Typography } from 'antd';
 import styled from 'styled-components';
 import { useEntityRegistry } from '../../useEntityRegistry';
-import { Maybe, Policy, PolicyState, PolicyType } from '../../../types.generated';
+import { Maybe, Policy, PolicyMatchCondition, PolicyState, PolicyType } from '../../../types.generated';
 import { useAppConfig } from '../../useAppConfig';
-import { convertLegacyResourceFilter, getFieldValues, mapResourceTypeToDisplayName } from './policyUtils';
+import {
+    convertLegacyResourceFilter,
+    getFieldCondition,
+    getFieldValues,
+    mapResourceTypeToDisplayName,
+} from './policyUtils';
 import AvatarsGroup from '../AvatarsGroup';
 
 type PrivilegeOptionType = {
@@ -67,9 +72,11 @@ export default function PolicyDetailsModal({ policy, open, onClose, privileges }
     const isMetadataPolicy = policy?.type === PolicyType.Metadata;
 
     const resources = convertLegacyResourceFilter(policy?.resources);
+
     const resourceTypes = getFieldValues(resources?.filter, 'TYPE') || [];
     const dataPlatformInstances = getFieldValues(resources?.filter, 'DATA_PLATFORM_INSTANCE') || [];
     const resourceEntities = getFieldValues(resources?.filter, 'URN') || [];
+    const policyMatchCondition = getFieldCondition(resources?.filter, 'URN');
     const domains = getFieldValues(resources?.filter, 'DOMAIN') || [];
 
     const {
@@ -158,6 +165,13 @@ export default function PolicyDetailsModal({ policy, open, onClose, privileges }
                                     );
                                 })) || <PoliciesTag>All</PoliciesTag>}
                         </div>
+                        <div>
+                            <Typography.Title level={5}>Asset Condition</Typography.Title>
+                            <ThinDivider />
+                            <PoliciesTag>
+                                {policyMatchCondition === PolicyMatchCondition.NotEquals ? 'Excludes' : 'Includes'}
+                            </PoliciesTag>
+                        </div>
                         <div>
                             <Typography.Title level={5}>Assets</Typography.Title>
                             <ThinDivider />