Fixes #4120 - Rework Roles and Policies - Default roles inherited team should be dynamically added (#4121)

catalog-rest-service/src/main/java/org/openmetadata/catalog/CatalogApplication.java

@@ -101,7 +101,7 @@ public class CatalogApplication extends Application<CatalogApplicationConfig> {
     validateMigrations(jdbi, catalogConfig.getMigrationConfiguration());
 
     // Register Authorizer
-    registerAuthorizer(catalogConfig, environment, jdbi);
+    registerAuthorizer(catalogConfig, environment);
 
     // Unregister dropwizard default exception mappers
     ((DefaultServerFactory) catalogConfig.getServerFactory()).setRegisterDefaultExceptionMappers(false);
@@ -178,7 +178,7 @@ public class CatalogApplication extends Application<CatalogApplicationConfig> {
     }
   }
 
-  private void registerAuthorizer(CatalogApplicationConfig catalogConfig, Environment environment, Jdbi jdbi)
+  private void registerAuthorizer(CatalogApplicationConfig catalogConfig, Environment environment)
       throws NoSuchMethodException, ClassNotFoundException, IllegalAccessException, InvocationTargetException,
           InstantiationException, IOException {
     AuthorizerConfiguration authorizerConf = catalogConfig.getAuthorizerConfiguration();

catalog-rest-service/src/main/java/org/openmetadata/catalog/jdbi3/UserRepository.java

@@ -72,8 +72,6 @@ public class UserRepository extends EntityRepository<User> {
     Set<UUID> roleIds = listOrEmpty(user.getRoles()).stream().map(EntityReference::getId).collect(Collectors.toSet());
     // Get default role set up globally.
     daoCollection.roleDAO().getDefaultRolesIds().forEach(roleIdStr -> roleIds.add(UUID.fromString(roleIdStr)));
-    // Get default roles from the teams that the user belongs to.
-    getTeamDefaultRoles(user).forEach(roleRef -> roleIds.add(roleRef.getId()));
 
     // Assign roles.
     List<EntityReference> rolesRef = new ArrayList<>(roleIds.size());
@@ -93,7 +91,7 @@ public class UserRepository extends EntityRepository<User> {
         defaultRoles.addAll(team.getDefaultRoles());
       }
     }
-    return defaultRoles;
+    return defaultRoles.stream().distinct().collect(Collectors.toList());
   }
 
   @Override
@@ -183,7 +181,9 @@ public class UserRepository extends EntityRepository<User> {
   /* Add all the roles that user has been assigned, to User entity */
   private List<EntityReference> getRoles(User user) throws IOException {
     List<String> roleIds = findTo(user.getId(), Entity.USER, Relationship.HAS, Entity.ROLE);
-    return EntityUtil.populateEntityReferences(roleIds, Entity.ROLE);
+    List<EntityReference> roles = EntityUtil.populateEntityReferences(roleIds, Entity.ROLE);
+    roles.addAll(getTeamDefaultRoles(user));
+    return roles.stream().distinct().collect(Collectors.toList()); // Remove duplicates
   }
 
   /* Add all the teams that user belongs to User entity */

catalog-rest-service/src/main/java/org/openmetadata/catalog/security/DefaultAuthorizer.java

@@ -126,7 +126,6 @@ public class DefaultAuthorizer implements Authorizer {
       if (entityReference == null) {
         // In some cases there is no specific entity being acted upon. Eg: Lineage.
         return RoleEvaluator.getInstance().hasPermissions(user.getRoles(), null, operation);
-        //        return policyEvaluator.hasPermission(user, null, operation);
       }
 
       Object entity = Entity.getEntity(entityReference, new Fields(List.of("tags", FIELD_OWNER)), Include.NON_DELETED);

catalog-rest-service/src/main/java/org/openmetadata/catalog/security/policyevaluator/PolicyEvaluator.java

@@ -82,13 +82,6 @@ public class PolicyEvaluator {
       policies = policyRepository.getAccessControlPolicies();
       for (final Policy policy : policies) {
         Rules rules = getRules(policy);
-        //      policy.getRules().stream()
-        //          // Add rules only if they are enabled.
-        //          .filter(t -> ((org.openmetadata.catalog.entity.policies.accessControl.Rule) t).getEnabled())
-        //          .map((Object rule) -> convertRule((org.openmetadata.catalog.entity.policies.accessControl.Rule)
-        // rule))
-        //          .forEach(newRules::register);
-        //      // Atomic swap of rules.
         policyToRules.put(policy.getId(), rules);
         LOG.info("Loaded new set of {} rules for policy {}:{}", rules.size(), policy.getName(), policy.getId());
       }
@@ -130,7 +123,7 @@ public class PolicyEvaluator {
         .build();
   }
 
-  public void update(Policy policy) throws IOException {
+  public void update(Policy policy) {
     policyToRules.put(policy.getId(), getRules(policy));
   }
 
@@ -138,14 +131,19 @@ public class PolicyEvaluator {
     policyToRules.remove(po.getId());
   }
 
-  public Rules getRules(Policy policy) throws IOException {
+  public Rules getRules(Policy policy) {
     Rules rules = new Rules();
     for (Object r : policy.getRules()) {
-      org.openmetadata.catalog.entity.policies.accessControl.Rule acRule =
-          JsonUtils.readValue(
-              JsonUtils.getJsonStructure(r).toString(),
-              org.openmetadata.catalog.entity.policies.accessControl.Rule.class);
-      if (acRule.getAllow()) {
+      org.openmetadata.catalog.entity.policies.accessControl.Rule acRule = null;
+      try {
+        acRule =
+            JsonUtils.readValue(
+                JsonUtils.getJsonStructure(r).toString(),
+                org.openmetadata.catalog.entity.policies.accessControl.Rule.class);
+      } catch (Exception e) {
+        LOG.warn("Failed to load a rule", e);
+      }
+      if (Boolean.TRUE.equals(acRule.getAllow())) {
         rules.register(convertRule(acRule));
       }
     }