diff --git a/catalog-rest-service/src/main/java/org/openmetadata/catalog/CatalogApplication.java b/catalog-rest-service/src/main/java/org/openmetadata/catalog/CatalogApplication.java
index eac55d5bd78..67d2f4b8962 100644
--- a/catalog-rest-service/src/main/java/org/openmetadata/catalog/CatalogApplication.java
+++ b/catalog-rest-service/src/main/java/org/openmetadata/catalog/CatalogApplication.java
@@ -101,7 +101,7 @@ public class CatalogApplication extends Application {
     validateMigrations(jdbi, catalogConfig.getMigrationConfiguration());
     // Register Authorizer
-    registerAuthorizer(catalogConfig, environment, jdbi);
+    registerAuthorizer(catalogConfig, environment);
     // Unregister dropwizard default exception mappers
     ((DefaultServerFactory) catalogConfig.getServerFactory()).setRegisterDefaultExceptionMappers(false);
@@ -178,7 +178,7 @@ public class CatalogApplication extends Application {
     }
   }
-  private void registerAuthorizer(CatalogApplicationConfig catalogConfig, Environment environment, Jdbi jdbi)
+  private void registerAuthorizer(CatalogApplicationConfig catalogConfig, Environment environment)
       throws NoSuchMethodException, ClassNotFoundException, IllegalAccessException, InvocationTargetException, InstantiationException, IOException {
     AuthorizerConfiguration authorizerConf = catalogConfig.getAuthorizerConfiguration();
diff --git a/catalog-rest-service/src/main/java/org/openmetadata/catalog/jdbi3/UserRepository.java b/catalog-rest-service/src/main/java/org/openmetadata/catalog/jdbi3/UserRepository.java
index b7f89e02893..29e3323623e 100644
--- a/catalog-rest-service/src/main/java/org/openmetadata/catalog/jdbi3/UserRepository.java
+++ b/catalog-rest-service/src/main/java/org/openmetadata/catalog/jdbi3/UserRepository.java
@@ -72,8 +72,6 @@ public class UserRepository extends EntityRepository {
     Set roleIds = listOrEmpty(user.getRoles()).stream().map(EntityReference::getId).collect(Collectors.toSet());
     // Get default role set up globally.
     daoCollection.roleDAO().getDefaultRolesIds().forEach(roleIdStr -> roleIds.add(UUID.fromString(roleIdStr)));
-    // Get default roles from the teams that the user belongs to.
-    getTeamDefaultRoles(user).forEach(roleRef -> roleIds.add(roleRef.getId()));
     // Assign roles.
     List rolesRef = new ArrayList<>(roleIds.size());
@@ -93,7 +91,7 @@ public class UserRepository extends EntityRepository {
         defaultRoles.addAll(team.getDefaultRoles());
       }
     }
-    return defaultRoles;
+    return defaultRoles.stream().distinct().collect(Collectors.toList());
   }
   @Override
@@ -183,7 +181,9 @@ public class UserRepository extends EntityRepository {
   /* Add all the roles that user has been assigned, to User entity */
   private List getRoles(User user) throws IOException {
     List roleIds = findTo(user.getId(), Entity.USER, Relationship.HAS, Entity.ROLE);
-    return EntityUtil.populateEntityReferences(roleIds, Entity.ROLE);
+    List roles = EntityUtil.populateEntityReferences(roleIds, Entity.ROLE);
+    roles.addAll(getTeamDefaultRoles(user));
+    return roles.stream().distinct().collect(Collectors.toList()); // Remove duplicates
   }
   /* Add all the teams that user belongs to User entity */
diff --git a/catalog-rest-service/src/main/java/org/openmetadata/catalog/security/DefaultAuthorizer.java b/catalog-rest-service/src/main/java/org/openmetadata/catalog/security/DefaultAuthorizer.java
index 3da6c25934a..d4236023734 100644
--- a/catalog-rest-service/src/main/java/org/openmetadata/catalog/security/DefaultAuthorizer.java
+++ b/catalog-rest-service/src/main/java/org/openmetadata/catalog/security/DefaultAuthorizer.java
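Review bot: The new `distinct()` in getTeamDefaultRoles only removes duplicates if `EntityReference` defines value equality (`equals`/`hashCode`); if it is a generated POJO that is the case, but if it falls back to identity equality the same role reached through two teams is returned twice. The same dependency exists on the `distinct()` added to getRoles in the hunk at line 183, so it is worth confirming once for both. getTeamDefaultRoles starts before this hunk, so the shape of `defaultRoles` is not visible here.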
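Review bot: `roles.addAll(getTeamDefaultRoles(user))` assumes the list returned by `EntityUtil.populateEntityReferences` is mutable; if that helper ever returns an unmodifiable list (for example an empty one for a user with no direct roles) the call throws UnsupportedOperationException, which a defensive copy avoids: `List roles = new ArrayList<>(EntityUtil.populateEntityReferences(roleIds, Entity.ROLE));`. This hunk also changes what `user.getRoles()` means for authorization: team default roles are no longer written to the user (the first hunk drops that) but are merged in at read time, and `DefaultAuthorizer` hands that list straight to `RoleEvaluator.hasPermissions`, so a change to a team's default roles now applies to its members on the next read with no per-user write and no audit record on the user. A comment on getRoles such as `/* Direct role assignments plus the default roles of the user's teams; the inherited ones are not persisted on the user */` would make that explicit, and any write path that persists `user.getRoles()` back should be checked so that inherited roles are not stored as direct assignments.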
@@ -126,7 +126,6 @@ public class DefaultAuthorizer implements Authorizer {
     if (entityReference == null) {
       // In some cases there is no specific entity being acted upon. Eg: Lineage.
       return RoleEvaluator.getInstance().hasPermissions(user.getRoles(), null, operation);
-      // return policyEvaluator.hasPermission(user, null, operation);
     }
     Object entity = Entity.getEntity(entityReference, new Fields(List.of("tags", FIELD_OWNER)), Include.NON_DELETED);
diff --git a/catalog-rest-service/src/main/java/org/openmetadata/catalog/security/policyevaluator/PolicyEvaluator.java b/catalog-rest-service/src/main/java/org/openmetadata/catalog/security/policyevaluator/PolicyEvaluator.java
index feaa318acc2..0e2b186e866 100644
--- a/catalog-rest-service/src/main/java/org/openmetadata/catalog/security/policyevaluator/PolicyEvaluator.java
+++ b/catalog-rest-service/src/main/java/org/openmetadata/catalog/security/policyevaluator/PolicyEvaluator.java
@@ -82,13 +82,6 @@ public class PolicyEvaluator {
     policies = policyRepository.getAccessControlPolicies();
     for (final Policy policy : policies) {
       Rules rules = getRules(policy);
-      // policy.getRules().stream()
-      // // Add rules only if they are enabled.
-      // .filter(t -> ((org.openmetadata.catalog.entity.policies.accessControl.Rule) t).getEnabled())
-      // .map((Object rule) -> convertRule((org.openmetadata.catalog.entity.policies.accessControl.Rule)
-      // rule))
-      // .forEach(newRules::register);
-      // // Atomic swap of rules.
       policyToRules.put(policy.getId(), rules);
       LOG.info("Loaded new set of {} rules for policy {}:{}", rules.size(), policy.getName(), policy.getId());
     }
@@ -130,7 +123,7 @@ public class PolicyEvaluator {
         .build();
   }
-  public void update(Policy policy) throws IOException {
+  public void update(Policy policy) {
     policyToRules.put(policy.getId(), getRules(policy));
   }
@@ -138,14 +131,19 @@ public class PolicyEvaluator {
     policyToRules.remove(po.getId());
   }
-  public Rules getRules(Policy policy) throws IOException {
+  public Rules getRules(Policy policy) {
     Rules rules = new Rules();
     for (Object r : policy.getRules()) {
-      org.openmetadata.catalog.entity.policies.accessControl.Rule acRule =
-          JsonUtils.readValue(
-              JsonUtils.getJsonStructure(r).toString(),
-              org.openmetadata.catalog.entity.policies.accessControl.Rule.class);
-      if (acRule.getAllow()) {
+      org.openmetadata.catalog.entity.policies.accessControl.Rule acRule = null;
+      try {
+        acRule =
+            JsonUtils.readValue(
+                JsonUtils.getJsonStructure(r).toString(),
+                org.openmetadata.catalog.entity.policies.accessControl.Rule.class);
+      } catch (Exception e) {
+        LOG.warn("Failed to load a rule", e);
+      }
+      if (Boolean.TRUE.equals(acRule.getAllow())) {
         rules.register(convertRule(acRule));
       }
     }
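Review bot: The new catch block logs the parse failure and then falls through, so `acRule` is still null when `Boolean.TRUE.equals(acRule.getAllow())` runs and the loop dies with a NullPointerException — the try/catch only turns the former checked exception into an unchecked one. Add `continue;` after the `LOG.warn`, or guard the check with `if (acRule != null && Boolean.TRUE.equals(acRule.getAllow()))`. Because only allow rules are registered, skipping an unparseable rule makes the resulting policy stricter rather than looser, which is the safe direction, but the warning carries no identifier; `LOG.warn("Failed to load a rule for policy {}:{}", policy.getName(), policy.getId(), e);` would let an operator see which policy is being enforced with fewer rules than it declares, since the "Loaded new set of {} rules" message in the hunk at line 82 will simply report a smaller count. `catch (Exception e)` is also broader than needed; if `JsonUtils.readValue` declares a specific exception type, catching only that keeps genuine programming errors visible.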