Fixes #4120 - Rework Roles and Policies - Default roles inherited team should be dynamically added (#4121)
This commit is contained in:
parent
786cf75171
commit
73ac3b57a5
@ -101,7 +101,7 @@ public class CatalogApplication extends Application<CatalogApplicationConfig> {
|
|||||||
validateMigrations(jdbi, catalogConfig.getMigrationConfiguration());
|
validateMigrations(jdbi, catalogConfig.getMigrationConfiguration());
|
||||||
|
|
||||||
// Register Authorizer
|
// Register Authorizer
|
||||||
registerAuthorizer(catalogConfig, environment, jdbi);
|
registerAuthorizer(catalogConfig, environment);
|
||||||
|
|
||||||
// Unregister dropwizard default exception mappers
|
// Unregister dropwizard default exception mappers
|
||||||
((DefaultServerFactory) catalogConfig.getServerFactory()).setRegisterDefaultExceptionMappers(false);
|
((DefaultServerFactory) catalogConfig.getServerFactory()).setRegisterDefaultExceptionMappers(false);
|
||||||
@ -178,7 +178,7 @@ public class CatalogApplication extends Application<CatalogApplicationConfig> {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private void registerAuthorizer(CatalogApplicationConfig catalogConfig, Environment environment, Jdbi jdbi)
|
private void registerAuthorizer(CatalogApplicationConfig catalogConfig, Environment environment)
|
||||||
throws NoSuchMethodException, ClassNotFoundException, IllegalAccessException, InvocationTargetException,
|
throws NoSuchMethodException, ClassNotFoundException, IllegalAccessException, InvocationTargetException,
|
||||||
InstantiationException, IOException {
|
InstantiationException, IOException {
|
||||||
AuthorizerConfiguration authorizerConf = catalogConfig.getAuthorizerConfiguration();
|
AuthorizerConfiguration authorizerConf = catalogConfig.getAuthorizerConfiguration();
|
||||||
|
@ -72,8 +72,6 @@ public class UserRepository extends EntityRepository<User> {
|
|||||||
Set<UUID> roleIds = listOrEmpty(user.getRoles()).stream().map(EntityReference::getId).collect(Collectors.toSet());
|
Set<UUID> roleIds = listOrEmpty(user.getRoles()).stream().map(EntityReference::getId).collect(Collectors.toSet());
|
||||||
// Get default role set up globally.
|
// Get default role set up globally.
|
||||||
daoCollection.roleDAO().getDefaultRolesIds().forEach(roleIdStr -> roleIds.add(UUID.fromString(roleIdStr)));
|
daoCollection.roleDAO().getDefaultRolesIds().forEach(roleIdStr -> roleIds.add(UUID.fromString(roleIdStr)));
|
||||||
// Get default roles from the teams that the user belongs to.
|
|
||||||
getTeamDefaultRoles(user).forEach(roleRef -> roleIds.add(roleRef.getId()));
|
|
||||||
|
|
||||||
// Assign roles.
|
// Assign roles.
|
||||||
List<EntityReference> rolesRef = new ArrayList<>(roleIds.size());
|
List<EntityReference> rolesRef = new ArrayList<>(roleIds.size());
|
||||||
@ -93,7 +91,7 @@ public class UserRepository extends EntityRepository<User> {
|
|||||||
defaultRoles.addAll(team.getDefaultRoles());
|
defaultRoles.addAll(team.getDefaultRoles());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return defaultRoles;
|
return defaultRoles.stream().distinct().collect(Collectors.toList());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
@ -183,7 +181,9 @@ public class UserRepository extends EntityRepository<User> {
|
|||||||
/* Add all the roles that user has been assigned, to User entity */
|
/* Add all the roles that user has been assigned, to User entity */
|
||||||
private List<EntityReference> getRoles(User user) throws IOException {
|
private List<EntityReference> getRoles(User user) throws IOException {
|
||||||
List<String> roleIds = findTo(user.getId(), Entity.USER, Relationship.HAS, Entity.ROLE);
|
List<String> roleIds = findTo(user.getId(), Entity.USER, Relationship.HAS, Entity.ROLE);
|
||||||
return EntityUtil.populateEntityReferences(roleIds, Entity.ROLE);
|
List<EntityReference> roles = EntityUtil.populateEntityReferences(roleIds, Entity.ROLE);
|
||||||
|
roles.addAll(getTeamDefaultRoles(user));
|
||||||
|
return roles.stream().distinct().collect(Collectors.toList()); // Remove duplicates
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Add all the teams that user belongs to User entity */
|
/* Add all the teams that user belongs to User entity */
|
||||||
|
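Review bot: The `roles.stream().distinct()` added in getRoles (and the same call in getTeamDefaultRoles in the previous hunk) deduplicates by EntityReference.equals/hashCode; if EntityReference is a generated POJO that does not override them, the same role reached both directly and through a team's defaults survives twice, and deduplicating by id is explicit: `Map<UUID, EntityReference> byId = new LinkedHashMap<>(); roles.forEach(r -> byId.putIfAbsent(r.getId(), r)); return new ArrayList<>(byId.values());`. `roles.addAll(getTeamDefaultRoles(user))` also assumes populateEntityReferences returns a mutable list; wrapping it in `new ArrayList<>(...)` first avoids an UnsupportedOperationException should it ever return an unmodifiable one. Since the first hunk stops persisting team default roles at create time and this hunk resolves them on read, the roles the authorizer sees now depend on the user having been loaded through getRoles; a comment on getRoles such as `/* Roles assigned directly plus the default roles of the user's teams; team defaults are resolved here on every read and are not stored as relationships */` would make that contract visible to callers.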
@ -126,7 +126,6 @@ public class DefaultAuthorizer implements Authorizer {
|
|||||||
if (entityReference == null) {
|
if (entityReference == null) {
|
||||||
// In some cases there is no specific entity being acted upon. Eg: Lineage.
|
// In some cases there is no specific entity being acted upon. Eg: Lineage.
|
||||||
return RoleEvaluator.getInstance().hasPermissions(user.getRoles(), null, operation);
|
return RoleEvaluator.getInstance().hasPermissions(user.getRoles(), null, operation);
|
||||||
// return policyEvaluator.hasPermission(user, null, operation);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
Object entity = Entity.getEntity(entityReference, new Fields(List.of("tags", FIELD_OWNER)), Include.NON_DELETED);
|
Object entity = Entity.getEntity(entityReference, new Fields(List.of("tags", FIELD_OWNER)), Include.NON_DELETED);
|
||||||
|
@ -82,13 +82,6 @@ public class PolicyEvaluator {
|
|||||||
policies = policyRepository.getAccessControlPolicies();
|
policies = policyRepository.getAccessControlPolicies();
|
||||||
for (final Policy policy : policies) {
|
for (final Policy policy : policies) {
|
||||||
Rules rules = getRules(policy);
|
Rules rules = getRules(policy);
|
||||||
// policy.getRules().stream()
|
|
||||||
// // Add rules only if they are enabled.
|
|
||||||
// .filter(t -> ((org.openmetadata.catalog.entity.policies.accessControl.Rule) t).getEnabled())
|
|
||||||
// .map((Object rule) -> convertRule((org.openmetadata.catalog.entity.policies.accessControl.Rule)
|
|
||||||
// rule))
|
|
||||||
// .forEach(newRules::register);
|
|
||||||
// // Atomic swap of rules.
|
|
||||||
policyToRules.put(policy.getId(), rules);
|
policyToRules.put(policy.getId(), rules);
|
||||||
LOG.info("Loaded new set of {} rules for policy {}:{}", rules.size(), policy.getName(), policy.getId());
|
LOG.info("Loaded new set of {} rules for policy {}:{}", rules.size(), policy.getName(), policy.getId());
|
||||||
}
|
}
|
||||||
@ -130,7 +123,7 @@ public class PolicyEvaluator {
|
|||||||
.build();
|
.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
public void update(Policy policy) throws IOException {
|
public void update(Policy policy) {
|
||||||
policyToRules.put(policy.getId(), getRules(policy));
|
policyToRules.put(policy.getId(), getRules(policy));
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -138,14 +131,19 @@ public class PolicyEvaluator {
|
|||||||
policyToRules.remove(po.getId());
|
policyToRules.remove(po.getId());
|
||||||
}
|
}
|
||||||
|
|
||||||
public Rules getRules(Policy policy) throws IOException {
|
public Rules getRules(Policy policy) {
|
||||||
Rules rules = new Rules();
|
Rules rules = new Rules();
|
||||||
for (Object r : policy.getRules()) {
|
for (Object r : policy.getRules()) {
|
||||||
org.openmetadata.catalog.entity.policies.accessControl.Rule acRule =
|
org.openmetadata.catalog.entity.policies.accessControl.Rule acRule = null;
|
||||||
JsonUtils.readValue(
|
try {
|
||||||
JsonUtils.getJsonStructure(r).toString(),
|
acRule =
|
||||||
org.openmetadata.catalog.entity.policies.accessControl.Rule.class);
|
JsonUtils.readValue(
|
||||||
if (acRule.getAllow()) {
|
JsonUtils.getJsonStructure(r).toString(),
|
||||||
|
org.openmetadata.catalog.entity.policies.accessControl.Rule.class);
|
||||||
|
} catch (Exception e) {
|
||||||
|
LOG.warn("Failed to load a rule", e);
|
||||||
|
}
|
||||||
|
if (Boolean.TRUE.equals(acRule.getAllow())) {
|
||||||
rules.register(convertRule(acRule));
|
rules.register(convertRule(acRule));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
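Review bot: In getRules, when JsonUtils.readValue throws, the catch only logs and falls through, so `acRule` is still null and `Boolean.TRUE.equals(acRule.getAllow())` on the next line throws NullPointerException, which escapes getRules and, from the loop in the first hunk of this file, aborts loading of every policy after the malformed one. Skipping the bad rule is what the warning implies: `LOG.warn("Failed to load a rule of policy {}:{}", policy.getName(), policy.getId(), e); continue;`. `catch (Exception e)` is also wider than needed; catching only the exception readValue declares keeps programming errors visible. Since only rules with allow set are registered, a skipped rule can at most remove an allow, never grant access, and a comment stating that (`// an unparseable rule is skipped: this can only withhold an allow, never grant one`) would record why skipping is acceptable. getRules' `return rules` and closing brace are outside the hunk.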