Add support for default role (#2631)

- Add default field to role - Amend GET /roles to query default roles - Assign default role to new users being created
2026-01-05 20:17:07 +00:00 · 2022-02-06 15:28:15 -08:00 · 2022-02-06 15:28:15 -08:00 · bfcd97ed0b
commit bfcd97ed0b
parent 546c92d9a6
10 changed files with 156 additions and 8 deletions
--- a/bootstrap/sql/mysql/v004__create_db_connection_info.sql
+++ b/bootstrap/sql/mysql/v004__create_db_connection_info.sql
@ -0,0 +1,7 @@
+-- Set default as false for all existing roles, to avoid unintended manipulation of roles during migration.
+UPDATE role_entity
+SET json = JSON_SET(json, '$.default', FALSE);
+
+ALTER TABLE role_entity
+ADD COLUMN `default` BOOLEAN GENERATED ALWAYS AS (JSON_EXTRACT(json, '$.default')),
+ADD INDEX(`default`);
--- a/catalog-rest-service/src/main/java/org/openmetadata/catalog/Entity.java
+++ b/catalog-rest-service/src/main/java/org/openmetadata/catalog/Entity.java
@ -211,6 +211,7 @@ public final class Entity {
  }

  public static <T> EntityRepository<T> getEntityRepositoryForClass(@NonNull Class<T> clazz) {
+    @SuppressWarnings("unchecked")
    EntityRepository<T> entityRepository = (EntityRepository<T>) CLASS_ENTITY_REPOSITORY_MAP.get(clazz);
    if (entityRepository == null) {
      throw new UnhandledServerException(
--- a/catalog-rest-service/src/main/java/org/openmetadata/catalog/jdbi3/CollectionDAO.java
+++ b/catalog-rest-service/src/main/java/org/openmetadata/catalog/jdbi3/CollectionDAO.java
@ -991,6 +991,12 @@ public interface CollectionDAO {
      return "name";
    }

+    @SqlQuery("SELECT id FROM role_entity WHERE `default` = TRUE")
+    List<String> getDefaultRolesIds();
+
+    @SqlQuery("SELECT json FROM role_entity WHERE `default` = TRUE")
+    List<String> getDefaultRoles();
+
    @Override
    default EntityReference getEntityReference(Role entity) {
      return new RoleEntityInterface(entity).getEntityReference();
--- a/catalog-rest-service/src/main/java/org/openmetadata/catalog/jdbi3/RoleRepository.java
+++ b/catalog-rest-service/src/main/java/org/openmetadata/catalog/jdbi3/RoleRepository.java
@ -16,7 +16,9 @@ package org.openmetadata.catalog.jdbi3;
 import static org.openmetadata.catalog.util.EntityUtil.toBoolean;

 import java.io.IOException;
+import java.io.UnsupportedEncodingException;
 import java.net.URI;
+import java.security.GeneralSecurityException;
 import java.util.Collections;
 import java.util.List;
 import java.util.Optional;
@ -35,6 +37,8 @@ import org.openmetadata.catalog.type.EntityReference;
 import org.openmetadata.catalog.type.PolicyType;
 import org.openmetadata.catalog.util.EntityInterface;
 import org.openmetadata.catalog.util.EntityUtil.Fields;
+import org.openmetadata.catalog.util.JsonUtils;
+import org.openmetadata.catalog.util.ResultList;

@Slf4j
 public class RoleRepository extends EntityRepository<Role> {
@ -187,6 +191,34 @@ public class RoleRepository extends EntityRepository<Role> {
            Relationship.CONTAINS.ordinal());
  }

+  public ResultList<Role> getDefaultRolesResultList(Fields fields)
+      throws GeneralSecurityException, UnsupportedEncodingException {
+    List<Role> roles = getDefaultRoles(fields);
+    return new ResultList<>(roles, null, null, roles.size());
+  }
+
+  private List<Role> getDefaultRoles(Fields fields) {
+    List<Role> roles =
+        daoCollection.roleDAO().getDefaultRoles().stream()
+            .map(
+                json -> {
+                  try {
+                    return setFields(JsonUtils.readValue(json, Role.class), fields);
+                  } catch (IOException e) {
+                    LOG.warn("Could not parse Role from json {}", json);
+                  }
+                  return null;
+                })
+            .collect(Collectors.toList());
+    if (roles.size() > 1) {
+      LOG.warn(
+          "{} roles {}, are registered as default. There SHOULD be only one role marked as default.",
+          roles.size(),
+          roles.stream().map(Role::getName).collect(Collectors.toList()));
+    }
+    return roles;
+  }
+
  @Override
  public EntityUpdater getUpdater(Role original, Role updated, Operation operation) {
    return new RoleUpdater(original, updated, operation);
@ -308,5 +340,10 @@ public class RoleRepository extends EntityRepository<Role> {
    public RoleUpdater(Role original, Role updated, Operation operation) {
      super(original, updated, operation);
    }
+
+    @Override
+    public void entitySpecificUpdate() throws IOException {
+      recordChange("default", original.getEntity().getDefault(), updated.getEntity().getDefault());
+    }
  }
 }
--- a/catalog-rest-service/src/main/java/org/openmetadata/catalog/jdbi3/UserRepository.java
+++ b/catalog-rest-service/src/main/java/org/openmetadata/catalog/jdbi3/UserRepository.java
@ -25,9 +25,12 @@ import java.net.URI;
 import java.text.ParseException;
 import java.util.ArrayList;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Optional;
+import java.util.Set;
 import java.util.UUID;
+import java.util.stream.Collectors;
 import lombok.extern.slf4j.Slf4j;
 import org.jdbi.v3.sqlobject.transaction.Transaction;
 import org.openmetadata.catalog.Entity;
@ -138,11 +141,15 @@ public class UserRepository extends EntityRepository<User> {
  }

  public List<EntityReference> validateRoles(List<UUID> roleIds) throws IOException {
-    if (roleIds == null) {
-      return Collections.emptyList(); // Return an empty roles list
+    // Populate default roles.
+    Set<UUID> roleIdsSet =
+        daoCollection.roleDAO().getDefaultRolesIds().stream().map(UUID::fromString).collect(Collectors.toSet());
+    if (roleIds != null) {
+      roleIdsSet.addAll(new HashSet<>(roleIds));
    }
+
    List<EntityReference> validatedRoles = new ArrayList<>();
-    for (UUID roleId : roleIds) {
+    for (UUID roleId : roleIdsSet) {
      validatedRoles.add(daoCollection.roleDAO().findEntityReferenceById(roleId));
    }
    return validatedRoles;
@ -195,7 +202,6 @@ public class UserRepository extends EntityRepository<User> {
  }

  private void assignTeams(User user, List<EntityReference> teams) {
-    // Query - add team to the user
    teams = Optional.ofNullable(teams).orElse(Collections.emptyList());
    for (EntityReference team : teams) {
      daoCollection
--- a/catalog-rest-service/src/main/java/org/openmetadata/catalog/resources/teams/RoleResource.java
+++ b/catalog-rest-service/src/main/java/org/openmetadata/catalog/resources/teams/RoleResource.java
@ -124,6 +124,9 @@ public class RoleResource {
  public ResultList<Role> list(
      @Context UriInfo uriInfo,
      @Context SecurityContext securityContext,
+      @Parameter(description = "List only default role(s)", schema = @Schema(type = "boolean", example = "true"))
+          @QueryParam("default")
+          boolean defaultParam,
      @Parameter(
              description = "Fields requested in the returned resource",
              schema = @Schema(type = "string", example = FIELDS))
@ -151,6 +154,11 @@ public class RoleResource {
    RestUtil.validateCursors(before, after);
    EntityUtil.Fields fields = new EntityUtil.Fields(FIELD_LIST, fieldsParam);

+    if (defaultParam) {
+      // The number of default roles is usually 1, and hence does not require pagination.
+      return dao.getDefaultRolesResultList(fields);
+    }
+
    ResultList<Role> roles;
    if (before != null) { // Reverse paging
      roles = dao.listBefore(uriInfo, fields, null, limitParam, before, include); // Ask for one extra entry
@ -342,7 +350,6 @@ public class RoleResource {
                      }))
          JsonPatch patch)
      throws IOException, ParseException {
-
    SecurityUtil.checkAdminOrBotRole(authorizer, securityContext);
    PatchResponse<Role> response =
        dao.patch(uriInfo, UUID.fromString(id), securityContext.getUserPrincipal().getName(), patch);
--- a/catalog-rest-service/src/main/resources/json/schema/entity/teams/role.json
+++ b/catalog-rest-service/src/main/resources/json/schema/entity/teams/role.json
@ -6,7 +6,7 @@
  "type": "object",
  "definitions": {
    "roleName": {
-      "description": "A unique name of the role.",
+      "description": "A unique name for the role.",
      "type": "string",
      "minLength": 1,
      "maxLength": 128
@ -59,6 +59,11 @@
    "users": {
      "description": "Users that have this role assigned.",
      "$ref": "../../type/entityReference.json#/definitions/entityReferenceList"
+    },
+    "default": {
+      "description": "If `true`, this role is set as default and will be assigned to all users.",
+      "type": "boolean",
+      "default": false
    }
  },
  "required": ["id", "name"],
--- a/catalog-rest-service/src/test/java/org/openmetadata/catalog/resources/teams/RoleResourceTest.java
+++ b/catalog-rest-service/src/test/java/org/openmetadata/catalog/resources/teams/RoleResourceTest.java
@ -16,15 +16,20 @@ package org.openmetadata.catalog.resources.teams;
 import static javax.ws.rs.core.Response.Status.FORBIDDEN;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.openmetadata.catalog.security.SecurityUtil.authHeaders;
 import static org.openmetadata.catalog.util.TestUtils.ADMIN_AUTH_HEADERS;
 import static org.openmetadata.catalog.util.TestUtils.TEST_AUTH_HEADERS;
+import static org.openmetadata.catalog.util.TestUtils.UpdateType.MINOR_UPDATE;
 import static org.openmetadata.catalog.util.TestUtils.assertListNotNull;
 import static org.openmetadata.catalog.util.TestUtils.assertResponse;

 import com.fasterxml.jackson.core.JsonProcessingException;
 import java.io.IOException;
+import java.util.Collections;
 import java.util.List;
 import java.util.Map;
+import java.util.Random;
+import javax.validation.constraints.Positive;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.http.client.HttpResponseException;
 import org.junit.jupiter.api.Test;
@ -38,9 +43,12 @@ import org.openmetadata.catalog.resources.EntityResourceTest;
 import org.openmetadata.catalog.resources.policies.PolicyResource;
 import org.openmetadata.catalog.resources.policies.PolicyResourceTest;
 import org.openmetadata.catalog.resources.teams.RoleResource.RoleList;
+import org.openmetadata.catalog.type.ChangeDescription;
 import org.openmetadata.catalog.type.EntityReference;
+import org.openmetadata.catalog.type.FieldChange;
 import org.openmetadata.catalog.util.EntityInterface;
 import org.openmetadata.catalog.util.JsonUtils;
+import org.openmetadata.catalog.util.ResultList;
 import org.openmetadata.catalog.util.TestUtils;

@Slf4j
@ -50,6 +58,40 @@ public class RoleResourceTest extends EntityResourceTest<Role, CreateRole> {
    super(Entity.ROLE, Role.class, RoleList.class, "roles", null, false, false, false, false);
  }

+  @Test
+  void get_queryDefaultRole(TestInfo test) throws IOException {
+    Role defaultRole = createRolesAndSetDefault(test, 7);
+    ResultList<Role> rolesResponse = listEntities(Map.of("default", "true"), ADMIN_AUTH_HEADERS);
+    assertEquals(1, rolesResponse.getData().size());
+    assertEquals(defaultRole.getId(), rolesResponse.getData().get(0).getId());
+  }
+
+  /**
+   * Creates the given number of roles and sets one of them as the default role.
+   *
+   * @return the default role
+   */
+  public Role createRolesAndSetDefault(TestInfo test, @Positive int numberOfRoles) throws IOException {
+    // Create a set of roles.
+    for (int i = 0; i < numberOfRoles; i++) {
+      CreateRole create = createRequest(test, i + 1);
+      createAndCheckRole(create, ADMIN_AUTH_HEADERS);
+    }
+
+    // Set one of the roles as default.
+    Role role =
+        getEntityByName(
+            getEntityName(test, new Random().nextInt(numberOfRoles)),
+            Collections.emptyMap(),
+            RoleResource.FIELDS,
+            ADMIN_AUTH_HEADERS);
+    String originalJson = JsonUtils.pojoToJson(role);
+    role.setDefault(true);
+    ChangeDescription change = getChangeDescription(role.getVersion());
+    change.getFieldsUpdated().add(new FieldChange().withName("default").withOldValue(false).withNewValue(true));
+    return patchEntityAndCheck(role, originalJson, ADMIN_AUTH_HEADERS, MINOR_UPDATE, change);
+  }
+
  @Test
  void post_validRoles_as_admin_200_OK(TestInfo test) throws IOException {
    // Create role with different optional fields
@ -79,7 +121,6 @@ public class RoleResourceTest extends EntityResourceTest<Role, CreateRole> {

  @Test
  void patch_roleAttributes_as_non_admin_403(TestInfo test) throws HttpResponseException, JsonProcessingException {
-    // Create table without any attributes
    Role role = createEntity(createRequest(test), ADMIN_AUTH_HEADERS);
    // Patching as a non-admin should is disallowed
    String originalJson = JsonUtils.pojoToJson(role);
--- a/catalog-rest-service/src/test/java/org/openmetadata/catalog/resources/teams/UserResourceTest.java
+++ b/catalog-rest-service/src/test/java/org/openmetadata/catalog/resources/teams/UserResourceTest.java
@ -45,6 +45,7 @@ import java.util.Map;
 import java.util.Optional;
 import java.util.UUID;
 import java.util.function.Predicate;
+import java.util.stream.Collectors;
 import javax.json.JsonPatch;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.http.client.HttpResponseException;
@ -92,6 +93,34 @@ public class UserResourceTest extends EntityResourceTest<User, CreateUser> {
    // during first time login without being an admin
  }

+  @Test
+  void post_userWithDefaultRole(TestInfo test) throws IOException {
+    // Given no default role has been set, when a user is created, then no role should be assigned.
+    CreateUser create = createRequest(test, 1);
+    createUserAndCheckRoles(create, Collections.emptyList());
+
+    RoleResourceTest roleResourceTest = new RoleResourceTest();
+    Role defaultRole = roleResourceTest.createRolesAndSetDefault(test, 7);
+    List<Role> roles = roleResourceTest.listEntities(Collections.emptyMap(), ADMIN_AUTH_HEADERS).getData();
+    UUID nonDefaultRoleId = roles.stream().filter(role -> !role.getDefault()).findAny().orElseThrow().getId();
+    UUID defaultRoleId = defaultRole.getId();
+
+    // Given a default role has been set, when a user is created without any roles, then the default role should be
+    // assigned.
+    create = createRequest(test, 2);
+    createUserAndCheckRoles(create, Arrays.asList(defaultRoleId));
+
+    // Given a default role has been set, when a user is created with a non default role, then the default role should
+    // be assigned along with the non default role.
+    create = createRequest(test, 3).withRoles(List.of(nonDefaultRoleId));
+    createUserAndCheckRoles(create, Arrays.asList(nonDefaultRoleId, defaultRoleId));
+
+    // Given a default role has been set, when a user is created with both default and non-default role, then both
+    // roles should be assigned.
+    create = createRequest(test, 4).withRoles(List.of(nonDefaultRoleId, defaultRoleId));
+    createUserAndCheckRoles(create, Arrays.asList(nonDefaultRoleId, defaultRoleId));
+  }
+
  @Test
  void post_userWithoutEmail_400_badRequest(TestInfo test) {
    // Create user with mandatory email field null
@ -483,6 +512,15 @@ public class UserResourceTest extends EntityResourceTest<User, CreateUser> {
    // TODO deactivated user can't be made owner
  }

+  private void createUserAndCheckRoles(CreateUser create, List<UUID> expectedRolesIds) throws HttpResponseException {
+    User user = createEntity(create, ADMIN_AUTH_HEADERS);
+    user = getEntity(user.getId(), ADMIN_AUTH_HEADERS);
+    List<UUID> actualRolesIds =
+        user.getRoles().stream().map(EntityReference::getId).sorted().collect(Collectors.toList());
+    Collections.sort(expectedRolesIds);
+    assertEquals(expectedRolesIds, actualRolesIds);
+  }
+
  private User patchUser(UUID userId, String originalJson, User updated, Map<String, String> headers)
      throws JsonProcessingException, HttpResponseException {
    String updatedJson = JsonUtils.pojoToJson(updated);
--- a/ingestion-core/src/metadata/_version.py
+++ b/ingestion-core/src/metadata/_version.py
@ -7,5 +7,5 @@ Provides metadata version information.

 from incremental import Version

-__version__ = Version("metadata", 0, 9, 0, dev=0)
+__version__ = Version("metadata", 0, 9, 0, dev=1)
 __all__ = ["__version__"]