Fix #3067: Service Creation should only be done by Bots or admins and Update should only done by owners

catalog-rest-service/src/main/java/org/openmetadata/catalog/resources/services/dashboard/DashboardServiceResource.java

@@ -313,7 +313,7 @@ public class DashboardServiceResource {
       @Context UriInfo uriInfo, @Context SecurityContext securityContext, @Valid CreateDashboardService update)
       throws IOException, ParseException {
     DashboardService service = getService(update, securityContext);
-    SecurityUtil.checkAdminRoleOrPermissions(authorizer, securityContext, dao.getOriginalOwner(service));
+    SecurityUtil.checkAdminOrBotOrOwner(authorizer, securityContext, dao.getOriginalOwner(service));
     PutResponse<DashboardService> response = dao.createOrUpdate(uriInfo, service, true);
     addHref(uriInfo, response.getEntity());
     return response.toResponse();

catalog-rest-service/src/main/java/org/openmetadata/catalog/resources/services/database/DatabaseServiceResource.java

@@ -334,7 +334,7 @@ public class DatabaseServiceResource {
       @Context UriInfo uriInfo, @Context SecurityContext securityContext, @Valid CreateDatabaseService update)
       throws IOException, ParseException {
     DatabaseService service = getService(update, securityContext);
-    SecurityUtil.checkAdminRoleOrPermissions(authorizer, securityContext, dao.getOriginalOwner(service));
+    SecurityUtil.checkAdminOrBotOrOwner(authorizer, securityContext, dao.getOriginalOwner(service));
     PutResponse<DatabaseService> response = dao.createOrUpdate(uriInfo, service, true);
     addHref(uriInfo, decryptOrNullify(securityContext, response.getEntity()));
     return response.toResponse();

catalog-rest-service/src/main/java/org/openmetadata/catalog/resources/services/messaging/MessagingServiceResource.java

@@ -320,7 +320,7 @@ public class MessagingServiceResource {
       @Valid CreateMessagingService update)
       throws IOException, ParseException {
     MessagingService service = getService(update, securityContext);
-    SecurityUtil.checkAdminRoleOrPermissions(authorizer, securityContext, dao.getOriginalOwner(service));
+    SecurityUtil.checkAdminOrBotOrOwner(authorizer, securityContext, dao.getOriginalOwner(service));
     PutResponse<MessagingService> response = dao.createOrUpdate(uriInfo, service, true);
     addHref(uriInfo, response.getEntity());
     return response.toResponse();

catalog-rest-service/src/main/java/org/openmetadata/catalog/resources/services/pipeline/PipelineServiceResource.java

@@ -316,7 +316,7 @@ public class PipelineServiceResource {
       @Context UriInfo uriInfo, @Context SecurityContext securityContext, @Valid CreatePipelineService update)
       throws IOException, ParseException {
     PipelineService service = getService(update, securityContext);
-    SecurityUtil.checkAdminRoleOrPermissions(authorizer, securityContext, dao.getOriginalOwner(service));
+    SecurityUtil.checkAdminOrBotOrOwner(authorizer, securityContext, dao.getOriginalOwner(service));
     PutResponse<PipelineService> response = dao.createOrUpdate(uriInfo, service, true);
     addHref(uriInfo, response.getEntity());
     return response.toResponse();

catalog-rest-service/src/main/java/org/openmetadata/catalog/security/Authorizer.java

@@ -42,4 +42,6 @@ public interface Authorizer {
   boolean isAdmin(AuthenticationContext ctx);
 
   boolean isBot(AuthenticationContext ctx);
+
+  boolean isOwner(AuthenticationContext ctx, EntityReference entityReference);
 }

catalog-rest-service/src/main/java/org/openmetadata/catalog/security/DefaultAuthorizer.java

@@ -240,6 +240,22 @@ public class DefaultAuthorizer implements Authorizer {
     }
   }
 
+  @Override
+  public boolean isOwner(AuthenticationContext ctx, EntityReference owner) {
+    validateAuthenticationContext(ctx);
+    String userName = SecurityUtil.getUserName(ctx);
+    EntityUtil.Fields fields = new EntityUtil.Fields(UserResource.ALLOWED_FIELDS, FIELDS_PARAM);
+    try {
+      User user = userRepository.getByName(null, userName, fields);
+      if (owner == null) {
+        return false;
+      }
+      return isOwnedByUser(user, owner);
+    } catch (IOException | EntityNotFoundException | ParseException ex) {
+      return false;
+    }
+  }
+
   private void validateAuthenticationContext(AuthenticationContext ctx) {
     if (ctx == null || ctx.getPrincipal() == null) {
       throw new AuthenticationException("No principal in AuthenticationContext");

catalog-rest-service/src/main/java/org/openmetadata/catalog/security/NoopAuthorizer.java

@@ -71,6 +71,11 @@ public class NoopAuthorizer implements Authorizer {
     return true;
   }
 
+  @Override
+  public boolean isOwner(AuthenticationContext ctx, EntityReference entityReference) {
+    return true;
+  }
+
   private void addAnonymousUser() {
     EntityUtil.Fields fields = new EntityUtil.Fields(UserResource.ALLOWED_FIELDS, FIELDS_PARAM);
     String username = "anonymous";

catalog-rest-service/src/main/java/org/openmetadata/catalog/security/SecurityUtil.java

@@ -57,6 +57,17 @@ public final class SecurityUtil {
     }
   }
 
+  public static void checkAdminOrBotOrOwner(
+      Authorizer authorizer, SecurityContext securityContext, EntityReference ownerReference) {
+    Principal principal = securityContext.getUserPrincipal();
+    AuthenticationContext authenticationCtx = SecurityUtil.getAuthenticationContext(principal);
+    if (!authorizer.isAdmin(authenticationCtx)
+        && !authorizer.isBot(authenticationCtx)
+        && !authorizer.isOwner(authenticationCtx, ownerReference)) {
+      throw new AuthorizationException(noPermission(principal));
+    }
+  }
+
   public static void checkAdminRoleOrPermissions(
       Authorizer authorizer, SecurityContext securityContext, EntityReference entityReference) {
     Principal principal = securityContext.getUserPrincipal();