Fixes #3812 - Disable deleted system Roles and Policies (#7274)

Suresh Srinivas 2022-09-06 15:10:59 -07:00 committed by GitHub
parent 65e44e3b08
commit 30c92a3c9a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 67 additions and 1 deletions


@ -183,4 +183,8 @@ public final class CatalogExceptionMessage {
public static String failedToEvaluate(String message) {
return String.format("Failed to evaluate - %s", message);
}
public static String deletionNotAllowed(String entityType, String name) {
return String.format("Deletion of %s %s is not allowed", entityType, name);
}
}


@ -13,6 +13,7 @@
package org.openmetadata.catalog.jdbi3;
import static java.lang.Boolean.FALSE;
import static org.openmetadata.catalog.Entity.FIELD_DESCRIPTION;
import static org.openmetadata.catalog.Entity.FIELD_OWNER;
import static org.openmetadata.catalog.Entity.LOCATION;
@ -139,6 +140,13 @@ public class PolicyRepository extends EntityRepository<Policy> {
return new PolicyUpdater(original, updated, operation);
}
@Override
protected void preDelete(Policy entity) {
if (FALSE.equals(entity.getAllowDelete())) {
throw new IllegalArgumentException(CatalogExceptionMessage.deletionNotAllowed(Entity.POLICY, entity.getName()));
}
}
public void validateRules(Policy policy) throws IOException {
// Resolve JSON blobs into Rule object and perform schema based validation
List<Rule> rules = policy.getRules();
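Review bot: The new `preDelete` guard fails open, because `FALSE.equals(entity.getAllowDelete())` rejects the delete only when the flag is explicitly false, so a stored policy whose `allowDelete` is null is still deletable. That may include system policies persisted before the seed files gained the flag, if the seed data is not re-applied on upgrade; this is worth confirming. The flag is also an ordinary property in the entity schema, and nothing visible in this commit stops an update request from setting it to `true`, so unless `PolicyUpdater` already ignores changes to it the protection is only as strong as edit permission on the policy. At minimum document the null case above the check, e.g. `// null allowDelete means deletable; only entities explicitly marked false are protected`, and consider ignoring or rejecting client changes to `allowDelete` in the updater. The same applies to `RoleRepository.preDelete`; `validateRules` continues outside the hunk.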


@ -13,6 +13,7 @@
package org.openmetadata.catalog.jdbi3;
import static java.lang.Boolean.FALSE;
import static org.openmetadata.catalog.Entity.POLICIES;
import static org.openmetadata.catalog.util.EntityUtil.entityReferenceMatch;
import static org.openmetadata.common.utils.CommonUtil.listOrEmpty;
@ -110,6 +111,13 @@ public class RoleRepository extends EntityRepository<Role> {
return new RoleUpdater(original, updated, operation);
}
@Override
protected void preDelete(Role entity) {
if (FALSE.equals(entity.getAllowDelete())) {
throw new IllegalArgumentException(CatalogExceptionMessage.deletionNotAllowed(Entity.ROLE, entity.getName()));
}
}
/** Handles entity updated from PUT and POST operation. */
public class RoleUpdater extends EntityUpdater {
public RoleUpdater(Role original, Role updated, Operation operation) {


@ -4,6 +4,7 @@
"fullyQualifiedName": "DataConsumerPolicy",
"description": "Policy for Data Consumer to perform operations on metadata entities",
"enabled": true,
"allowDelete": false,
"rules": [
{
"name": "DataConsumerPolicy-EditRule",


@ -4,6 +4,7 @@
"fullyQualifiedName": "DataStewardPolicy",
"description": "Policy for Data Steward Role to perform operations on metadata entities",
"enabled": true,
"allowDelete": false,
"rules": [
{
"name": "DataStewardPolicy-EditRule",


@ -4,6 +4,7 @@
"fullyQualifiedName": "OrganizationPolicy",
"description": "Policy for all the users of an organization.",
"enabled": true,
"allowDelete": false,
"rules": [
{
"name": "OrganizationPolicy-Owner-Rule",


@ -4,6 +4,7 @@
"fullyQualifiedName": "TeamOnlyPolicy",
"description": "Policy when attached to a team allows only users with in the team hierarchy to access the resources.",
"enabled": true,
"allowDelete": false,
"rules": [
{
"name": "TeamOnlyPolicy-Rule",


@ -2,6 +2,7 @@
"name": "DataConsumer",
"displayName": "Data Consumer",
"description": "Users with Data Consumer role use different data assets for their day to day work.",
"allowDelete": false,
"policies" : [
{
"type" : "policy",


@ -2,7 +2,7 @@
"name": "DataSteward",
"displayName": "Data Steward",
"description": "Users with Data Steward role are responsible for ensuring correctness of metadata for data assets, thereby facilitating data governance principles within the organization.<br/>Data Stewards can update metadata for any entity.",
"deleted": false,
"allowDelete": false,
"policies" : [
{
"type" : "policy",


@ -83,6 +83,14 @@
"$ref": "../../type/entityReference.json",
"default": null
},
"allowDelete" : {
"description": "Some system policies can't be deleted",
"type" : "boolean"
},
"allowEdit" : {
"description": "Some system roles can't be edited",
"type" : "boolean"
},
"deleted": {
"description": "When `true` indicates the entity has been soft deleted.",
"type": "boolean",
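Review bot: The `allowEdit` description in this policy schema reads "Some system roles can't be edited", which looks copied from the role schema; it should be `"description": "Some system policies can't be edited"`. `allowEdit` is added here and in the role schema, but no code in this commit reads it, so the property currently protects nothing; either add the enforcement with it or say in the description that it is not yet enforced. Neither new property declares a `default`, so an entity that omits `allowDelete` presumably carries null, which the repository check treats as deletable. The `deleted` property continues outside the hunk.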


@ -51,6 +51,14 @@
"description": "Change that lead to this version of the entity.",
"$ref": "../../type/entityHistory.json#/definitions/changeDescription"
},
"allowDelete" : {
"description": "Some system roles can't be deleted",
"type" : "boolean"
},
"allowEdit" : {
"description": "Some system roles can't be edited",
"type" : "boolean"
},
"deleted": {
"description": "When `true` indicates the entity has been soft deleted.",
"type": "boolean",


@ -59,6 +59,7 @@ import org.openmetadata.catalog.entity.policies.accessControl.Rule;
import org.openmetadata.catalog.entity.policies.accessControl.Rule.Effect;
import org.openmetadata.catalog.entity.teams.Role;
import org.openmetadata.catalog.entity.teams.Team;
import org.openmetadata.catalog.exception.CatalogExceptionMessage;
import org.openmetadata.catalog.resources.CollectionRegistry;
import org.openmetadata.catalog.resources.EntityResourceTest;
import org.openmetadata.catalog.resources.locations.LocationResourceTest;
@ -232,6 +233,20 @@ public class PolicyResourceTest extends EntityResourceTest<Policy, CreatePolicy>
failsToEvaluate(policyName, "abc");
}
@Test
void delete_Disallowed() {
List<EntityReference> policies = new ArrayList<>(DATA_CONSUMER_ROLE.getPolicies());
policies.addAll(DATA_STEWARD_ROLE.getPolicies());
policies.add(TEAM_ONLY_POLICY.getEntityReference());
for (EntityReference policy : policies) {
assertResponse(
() -> deleteEntity(policy.getId(), ADMIN_AUTH_HEADERS),
BAD_REQUEST,
CatalogExceptionMessage.deletionNotAllowed(Entity.POLICY, policy.getName()));
}
}
private void failsToParse(String policyName, String condition) {
validateCondition(policyName, condition, "Failed to parse");
}
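Review bot: `delete_Disallowed` pins only the direct case, an admin delete of a seeded policy returning BAD_REQUEST, and does not cover whether the `allowDelete` flag itself can be changed. Since the flag is part of the entity schema, a companion test should update a system policy with `allowDelete` set to true and assert that the subsequent delete is still rejected, or that the update itself is refused. It would also help to assert after the rejected delete that the policy can still be fetched, so that a partial delete before the exception would be caught. The same gap is present in `delete_Disallowed` in RoleResourceTest.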


@ -136,6 +136,16 @@ public class RoleResourceTest extends EntityResourceTest<Role, CreateRole> {
CatalogExceptionMessage.EMPTY_POLICIES_IN_ROLE);
}
@Test
void delete_Disallowed() {
for (Role role : List.of(DATA_CONSUMER_ROLE, DATA_STEWARD_ROLE)) {
assertResponse(
() -> deleteEntity(role.getId(), ADMIN_AUTH_HEADERS),
BAD_REQUEST,
CatalogExceptionMessage.deletionNotAllowed(Entity.ROLE, role.getName()));
}
}
private static void validateRole(
Role role, String expectedDescription, String expectedDisplayName, String expectedUpdatedBy) {
assertListNotNull(role.getId(), role.getHref());