Minor: Domain only access policy prevents bots from listing (#19017)

* Minor: Domain only access policy prevents bots listing * Minor: Domain only access policy prevents bots listing * Add Entity Type condition to limit the scope of NOT IN --------- Co-authored-by: mohitdeuex <mohit.y@deuexsolutions.com>
2026-01-06 04:26:57 +00:00 · 2024-12-12 01:49:05 -08:00 · 2024-12-12 01:49:05 -08:00 · e04e2defa1
commit e04e2defa1
parent f4ff43c24c
3 changed files with 26 additions and 10 deletions
--- a/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/ListFilter.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/ListFilter.java
@ -14,6 +14,8 @@ import org.openmetadata.service.resources.databases.DatasourceConfig;
 import org.openmetadata.service.util.FullyQualifiedName;

 public class ListFilter extends Filter<ListFilter> {
+  public static final String NULL_PARAM = "null";
+
  public ListFilter() {
    this(Include.NON_DELETED);
  }
@ -116,12 +118,24 @@ public class ListFilter extends Filter<ListFilter> {

  private String getDomainCondition(String tableName) {
    String domainId = getQueryParam("domainId");
-    return domainId == null
-        ? ""
-        : String.format(
-            "(%s in (SELECT entity_relationship.toId FROM entity_relationship WHERE entity_relationship.fromEntity='domain' AND entity_relationship.fromId IN (%s) AND "
-                + "relation=10))",
-            nullOrEmpty(tableName) ? "id" : String.format("%s.id", tableName), domainId);
+    String entityIdColumn = nullOrEmpty(tableName) ? "id" : (tableName + ".id");
+    if (domainId == null) {
+      return "";
+    } else if (NULL_PARAM.equals(domainId)) {
+      String entityType = getQueryParam("entityType");
+      String entityTypeCondition =
+          nullOrEmpty(entityType)
+              ? ""
+              : String.format("AND entity_relationship.toEntity='%s'", entityType);
+      return String.format(
+          "(%s NOT IN (SELECT entity_relationship.toId FROM entity_relationship WHERE entity_relationship.fromEntity='domain' %s AND relation=10))",
+          entityIdColumn, entityTypeCondition);
+    } else {
+      return String.format(
+          "(%s in (SELECT entity_relationship.toId FROM entity_relationship WHERE entity_relationship.fromEntity='domain' AND entity_relationship.fromId IN (%s) AND "
+              + "relation=10))",
+          entityIdColumn, domainId);
+    }
  }

  public String getApiCollectionCondition(String apiEndpoint) {
--- a/openmetadata-service/src/main/java/org/openmetadata/service/resources/EntityResource.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/resources/EntityResource.java
@ -171,7 +171,7 @@ public abstract class EntityResource<T extends EntityInterface, K extends Entity
    authorizer.authorize(securityContext, operationContext, resourceContext);

    // Add Domain Filter
-    EntityUtil.addDomainQueryParam(securityContext, filter);
+    EntityUtil.addDomainQueryParam(securityContext, filter, entityType);

    // List
    ResultList<T> resultList;
--- a/openmetadata-service/src/main/java/org/openmetadata/service/util/EntityUtil.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/util/EntityUtil.java
@ -17,6 +17,7 @@ import static org.openmetadata.common.utils.CommonUtil.listOrEmpty;
 import static org.openmetadata.common.utils.CommonUtil.nullOrEmpty;
 import static org.openmetadata.schema.type.Include.ALL;
 import static org.openmetadata.schema.type.Include.NON_DELETED;
+import static org.openmetadata.service.jdbi3.ListFilter.NULL_PARAM;
 import static org.openmetadata.service.jdbi3.RoleRepository.DOMAIN_ONLY_ACCESS_ROLE;
 import static org.openmetadata.service.security.DefaultAuthorizer.getSubjectContext;

@ -688,7 +689,8 @@ public final class EntityUtil {
    return result.stream().toList();
  }

-  public static void addDomainQueryParam(SecurityContext securityContext, ListFilter filter) {
+  public static void addDomainQueryParam(
+      SecurityContext securityContext, ListFilter filter, String entityType) {
    SubjectContext subjectContext = getSubjectContext(securityContext);
    // If the User is admin then no need to add domainId in the query param
    // Also if there are domain restriction on the subject context via role
@ -697,8 +699,8 @@ public final class EntityUtil {
        filter.addQueryParam(
            "domainId", getCommaSeparatedIdsFromRefs(subjectContext.getUserDomains()));
      } else {
-        // TODO: Hack :(
-        filter.addQueryParam("domainId", "null");
+        filter.addQueryParam("domainId", NULL_PARAM);
+        filter.addQueryParam("entityType", entityType);
      }
    }
  }