2023-11-01 15:41:02 -04:00
|
|
|
import pytest
|
|
|
|
|
import tenacity
|
|
|
|
|
|
2024-01-31 14:42:40 +05:30
|
|
|
from tests.privileges.utils import (
|
|
|
|
|
assign_role,
|
|
|
|
|
assign_user_to_group,
|
2024-08-07 15:53:36 -05:00
|
|
|
clear_polices,
|
2024-01-31 14:42:40 +05:30
|
|
|
create_group,
|
|
|
|
|
create_user,
|
|
|
|
|
create_user_policy,
|
|
|
|
|
remove_group,
|
|
|
|
|
remove_policy,
|
2024-08-07 15:53:36 -05:00
|
|
|
remove_secret,
|
2024-01-31 14:42:40 +05:30
|
|
|
remove_user,
|
|
|
|
|
set_base_platform_privileges_policy_status,
|
|
|
|
|
set_view_dataset_sensitive_info_policy_status,
|
|
|
|
|
set_view_entity_profile_privileges_policy_status,
|
|
|
|
|
)
|
|
|
|
|
from tests.utils import (
|
|
|
|
|
get_admin_credentials,
|
|
|
|
|
get_frontend_session,
|
|
|
|
|
get_frontend_url,
|
|
|
|
|
get_sleep_info,
|
|
|
|
|
login_as,
|
|
|
|
|
wait_for_writes_to_sync,
|
|
|
|
|
)
|
2023-11-01 15:41:02 -04:00
|
|
|
|
2023-12-06 15:07:50 +05:30
|
|
|
pytestmark = pytest.mark.no_cypress_suite1
|
|
|
|
|
|
2023-11-01 15:41:02 -04:00
|
|
|
sleep_sec, sleep_times = get_sleep_info()
|
|
|
|
|
|
2024-01-31 14:42:40 +05:30
|
|
|
|
2024-09-27 11:31:25 -05:00
|
|
|
@pytest.fixture(scope="module")
|
|
|
|
|
def admin_session(auth_session):
|
2023-11-01 15:41:02 -04:00
|
|
|
yield get_frontend_session()
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@pytest.fixture(scope="module", autouse=True)
|
|
|
|
|
def privileges_and_test_user_setup(admin_session):
|
|
|
|
|
"""Fixture to execute setup before and tear down after all tests are run"""
|
|
|
|
|
# Disable 'All users' privileges
|
|
|
|
|
set_base_platform_privileges_policy_status("INACTIVE", admin_session)
|
|
|
|
|
set_view_dataset_sensitive_info_policy_status("INACTIVE", admin_session)
|
|
|
|
|
set_view_entity_profile_privileges_policy_status("INACTIVE", admin_session)
|
|
|
|
|
# Sleep for eventual consistency
|
|
|
|
|
wait_for_writes_to_sync()
|
|
|
|
|
|
2024-01-31 14:42:40 +05:30
|
|
|
# Create a new user
|
2023-11-01 15:41:02 -04:00
|
|
|
admin_session = create_user(admin_session, "user", "user")
|
|
|
|
|
|
|
|
|
|
yield
|
|
|
|
|
|
|
|
|
|
# Remove test user
|
|
|
|
|
remove_user(admin_session, "urn:li:corpuser:user")
|
|
|
|
|
|
2024-08-07 15:53:36 -05:00
|
|
|
# Remove secret
|
|
|
|
|
remove_secret(admin_session, "urn:li:dataHubSecret:TestSecretName")
|
|
|
|
|
|
|
|
|
|
# Remove test policies
|
|
|
|
|
clear_polices(admin_session)
|
|
|
|
|
|
2023-11-01 15:41:02 -04:00
|
|
|
# Restore All users privileges
|
|
|
|
|
set_base_platform_privileges_policy_status("ACTIVE", admin_session)
|
|
|
|
|
set_view_dataset_sensitive_info_policy_status("ACTIVE", admin_session)
|
|
|
|
|
set_view_entity_profile_privileges_policy_status("ACTIVE", admin_session)
|
|
|
|
|
|
|
|
|
|
# Sleep for eventual consistency
|
|
|
|
|
wait_for_writes_to_sync()
|
|
|
|
|
|
|
|
|
|
|
2023-11-03 13:00:15 -04:00
|
|
|
@tenacity.retry(
|
|
|
|
|
stop=tenacity.stop_after_attempt(sleep_times), wait=tenacity.wait_fixed(sleep_sec)
|
|
|
|
|
)
|
2024-01-31 14:42:40 +05:30
|
|
|
def _ensure_cant_perform_action(session, json, assertion_key):
|
|
|
|
|
action_response = session.post(f"{get_frontend_url()}/api/v2/graphql", json=json)
|
2023-11-03 13:00:15 -04:00
|
|
|
action_response.raise_for_status()
|
|
|
|
|
action_data = action_response.json()
|
|
|
|
|
|
2024-01-31 14:42:40 +05:30
|
|
|
assert action_data["errors"][0]["extensions"]["code"] == 403, action_data["errors"][
|
|
|
|
|
0
|
|
|
|
|
]
|
2023-11-03 13:00:15 -04:00
|
|
|
assert action_data["errors"][0]["extensions"]["type"] == "UNAUTHORIZED"
|
2024-01-31 14:42:40 +05:30
|
|
|
assert action_data["data"][assertion_key] is None
|
2023-11-03 13:00:15 -04:00
|
|
|
|
|
|
|
|
|
2023-11-01 15:41:02 -04:00
|
|
|
@tenacity.retry(
|
|
|
|
|
stop=tenacity.stop_after_attempt(10), wait=tenacity.wait_fixed(sleep_sec)
|
|
|
|
|
)
|
|
|
|
|
def _ensure_can_create_secret(session, json, urn):
|
|
|
|
|
create_secret_success = session.post(
|
2024-01-31 14:42:40 +05:30
|
|
|
f"{get_frontend_url()}/api/v2/graphql", json=json
|
|
|
|
|
)
|
2023-11-01 15:41:02 -04:00
|
|
|
create_secret_success.raise_for_status()
|
|
|
|
|
secret_data = create_secret_success.json()
|
|
|
|
|
|
|
|
|
|
assert secret_data
|
|
|
|
|
assert secret_data["data"]
|
|
|
|
|
assert secret_data["data"]["createSecret"]
|
|
|
|
|
assert secret_data["data"]["createSecret"] == urn
|
2024-01-31 14:42:40 +05:30
|
|
|
|
2023-11-01 15:41:02 -04:00
|
|
|
|
|
|
|
|
@tenacity.retry(
|
|
|
|
|
stop=tenacity.stop_after_attempt(10), wait=tenacity.wait_fixed(sleep_sec)
|
|
|
|
|
)
|
|
|
|
|
def _ensure_can_create_ingestion_source(session, json):
|
|
|
|
|
create_ingestion_success = session.post(
|
2024-01-31 14:42:40 +05:30
|
|
|
f"{get_frontend_url()}/api/v2/graphql", json=json
|
|
|
|
|
)
|
2023-11-01 15:41:02 -04:00
|
|
|
create_ingestion_success.raise_for_status()
|
|
|
|
|
ingestion_data = create_ingestion_success.json()
|
|
|
|
|
|
|
|
|
|
assert ingestion_data
|
|
|
|
|
assert ingestion_data["data"]
|
|
|
|
|
assert ingestion_data["data"]["createIngestionSource"]
|
|
|
|
|
assert ingestion_data["data"]["createIngestionSource"] is not None
|
|
|
|
|
|
|
|
|
|
return ingestion_data["data"]["createIngestionSource"]
|
2024-01-31 14:42:40 +05:30
|
|
|
|
2023-11-01 15:41:02 -04:00
|
|
|
|
|
|
|
|
@tenacity.retry(
|
2023-11-03 13:00:15 -04:00
|
|
|
stop=tenacity.stop_after_attempt(10), wait=tenacity.wait_fixed(sleep_sec)
|
2023-11-01 15:41:02 -04:00
|
|
|
)
|
2023-11-03 13:00:15 -04:00
|
|
|
def _ensure_can_create_access_token(session, json):
|
|
|
|
|
create_access_token_success = session.post(
|
2024-01-31 14:42:40 +05:30
|
|
|
f"{get_frontend_url()}/api/v2/graphql", json=json
|
|
|
|
|
)
|
2023-11-03 13:00:15 -04:00
|
|
|
create_access_token_success.raise_for_status()
|
|
|
|
|
ingestion_data = create_access_token_success.json()
|
2023-11-01 15:41:02 -04:00
|
|
|
|
2023-11-03 13:00:15 -04:00
|
|
|
assert ingestion_data
|
|
|
|
|
assert ingestion_data["data"]
|
|
|
|
|
assert ingestion_data["data"]["createAccessToken"]
|
|
|
|
|
assert ingestion_data["data"]["createAccessToken"]["accessToken"] is not None
|
|
|
|
|
assert ingestion_data["data"]["createAccessToken"]["__typename"] == "AccessToken"
|
2023-11-01 15:41:02 -04:00
|
|
|
|
|
|
|
|
|
2023-11-09 00:23:17 -05:00
|
|
|
@tenacity.retry(
|
|
|
|
|
stop=tenacity.stop_after_attempt(10), wait=tenacity.wait_fixed(sleep_sec)
|
|
|
|
|
)
|
|
|
|
|
def _ensure_can_create_user_policy(session, json):
|
|
|
|
|
response = session.post(f"{get_frontend_url()}/api/v2/graphql", json=json)
|
|
|
|
|
response.raise_for_status()
|
|
|
|
|
res_data = response.json()
|
|
|
|
|
|
|
|
|
|
assert res_data
|
|
|
|
|
assert res_data["data"]
|
|
|
|
|
assert res_data["data"]["createPolicy"] is not None
|
|
|
|
|
|
2024-01-31 14:42:40 +05:30
|
|
|
return res_data["data"]["createPolicy"]
|
2023-11-09 00:23:17 -05:00
|
|
|
|
|
|
|
|
|
2023-11-01 15:41:02 -04:00
|
|
|
def test_privilege_to_create_and_manage_secrets():
|
|
|
|
|
(admin_user, admin_pass) = get_admin_credentials()
|
|
|
|
|
admin_session = login_as(admin_user, admin_pass)
|
|
|
|
|
user_session = login_as("user", "user")
|
|
|
|
|
secret_urn = "urn:li:dataHubSecret:TestSecretName"
|
|
|
|
|
|
|
|
|
|
# Verify new user can't create secrets
|
2024-01-31 14:42:40 +05:30
|
|
|
create_secret = {
|
2023-11-01 15:41:02 -04:00
|
|
|
"query": """mutation createSecret($input: CreateSecretInput!) {\n
|
|
|
|
|
createSecret(input: $input)\n}""",
|
|
|
|
|
"variables": {
|
2024-01-31 14:42:40 +05:30
|
|
|
"input": {
|
|
|
|
|
"name": "TestSecretName",
|
|
|
|
|
"value": "Test Secret Value",
|
|
|
|
|
"description": "Test Secret Description",
|
|
|
|
|
}
|
2023-11-01 15:41:02 -04:00
|
|
|
},
|
|
|
|
|
}
|
2024-01-31 14:42:40 +05:30
|
|
|
_ensure_cant_perform_action(user_session, create_secret, "createSecret")
|
2023-11-01 15:41:02 -04:00
|
|
|
|
|
|
|
|
# Assign privileges to the new user to manage secrets
|
2024-01-31 14:42:40 +05:30
|
|
|
policy_urn = create_user_policy(
|
|
|
|
|
"urn:li:corpuser:user", ["MANAGE_SECRETS"], admin_session
|
|
|
|
|
)
|
2023-11-01 15:41:02 -04:00
|
|
|
|
|
|
|
|
# Verify new user can create and manage secrets
|
|
|
|
|
# Create a secret
|
|
|
|
|
_ensure_can_create_secret(user_session, create_secret, secret_urn)
|
|
|
|
|
|
|
|
|
|
# Remove a secret
|
2024-01-31 14:42:40 +05:30
|
|
|
remove_secret = {
|
2023-11-01 15:41:02 -04:00
|
|
|
"query": """mutation deleteSecret($urn: String!) {\n
|
|
|
|
|
deleteSecret(urn: $urn)\n}""",
|
2024-01-31 14:42:40 +05:30
|
|
|
"variables": {"urn": secret_urn},
|
2023-11-01 15:41:02 -04:00
|
|
|
}
|
|
|
|
|
|
2024-01-31 14:42:40 +05:30
|
|
|
remove_secret_response = user_session.post(
|
|
|
|
|
f"{get_frontend_url()}/api/v2/graphql", json=remove_secret
|
|
|
|
|
)
|
2023-11-01 15:41:02 -04:00
|
|
|
remove_secret_response.raise_for_status()
|
|
|
|
|
secret_data = remove_secret_response.json()
|
|
|
|
|
|
|
|
|
|
assert secret_data
|
|
|
|
|
assert secret_data["data"]
|
|
|
|
|
assert secret_data["data"]["deleteSecret"]
|
|
|
|
|
assert secret_data["data"]["deleteSecret"] == secret_urn
|
|
|
|
|
|
|
|
|
|
# Remove the policy
|
|
|
|
|
remove_policy(policy_urn, admin_session)
|
|
|
|
|
|
|
|
|
|
# Ensure user can't create secret after policy is removed
|
2024-01-31 14:42:40 +05:30
|
|
|
_ensure_cant_perform_action(user_session, create_secret, "createSecret")
|
2023-11-01 15:41:02 -04:00
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_privilege_to_create_and_manage_ingestion_source():
|
|
|
|
|
(admin_user, admin_pass) = get_admin_credentials()
|
|
|
|
|
admin_session = login_as(admin_user, admin_pass)
|
|
|
|
|
user_session = login_as("user", "user")
|
|
|
|
|
|
|
|
|
|
# Verify new user can't create ingestion source
|
2024-01-31 14:42:40 +05:30
|
|
|
create_ingestion_source = {
|
2023-11-01 15:41:02 -04:00
|
|
|
"query": """mutation createIngestionSource($input: UpdateIngestionSourceInput!) {\n
|
|
|
|
|
createIngestionSource(input: $input)\n}""",
|
2024-01-31 14:42:40 +05:30
|
|
|
"variables": {
|
|
|
|
|
"input": {
|
|
|
|
|
"type": "snowflake",
|
|
|
|
|
"name": "test",
|
|
|
|
|
"config": {
|
|
|
|
|
"recipe": """{\"source\":{\"type\":\"snowflake\",\"config\":{
|
2023-11-03 13:00:15 -04:00
|
|
|
\"account_id\":null,
|
|
|
|
|
\"include_table_lineage\":true,
|
|
|
|
|
\"include_view_lineage\":true,
|
|
|
|
|
\"include_tables\":true,
|
|
|
|
|
\"include_views\":true,
|
|
|
|
|
\"profiling\":{\"enabled\":true,\"profile_table_level_only\":true},
|
|
|
|
|
\"stateful_ingestion\":{\"enabled\":true}}}}""",
|
2024-01-31 14:42:40 +05:30
|
|
|
"executorId": "default",
|
|
|
|
|
"debugMode": False,
|
|
|
|
|
"extraArgs": [],
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
},
|
2023-11-01 15:41:02 -04:00
|
|
|
}
|
|
|
|
|
|
2024-01-31 14:42:40 +05:30
|
|
|
_ensure_cant_perform_action(
|
|
|
|
|
user_session, create_ingestion_source, "createIngestionSource"
|
|
|
|
|
)
|
2023-11-01 15:41:02 -04:00
|
|
|
|
2024-01-31 14:42:40 +05:30
|
|
|
# Assign privileges to the new user to manage ingestion source
|
|
|
|
|
policy_urn = create_user_policy(
|
|
|
|
|
"urn:li:corpuser:user", ["MANAGE_INGESTION"], admin_session
|
|
|
|
|
)
|
2023-11-01 15:41:02 -04:00
|
|
|
|
|
|
|
|
# Verify new user can create and manage ingestion source(edit, delete)
|
2024-01-31 14:42:40 +05:30
|
|
|
ingestion_source_urn = _ensure_can_create_ingestion_source(
|
|
|
|
|
user_session, create_ingestion_source
|
|
|
|
|
)
|
2023-11-01 15:41:02 -04:00
|
|
|
|
|
|
|
|
# Edit ingestion source
|
2024-01-31 14:42:40 +05:30
|
|
|
update_ingestion_source = {
|
2023-11-01 15:41:02 -04:00
|
|
|
"query": """mutation updateIngestionSource($urn: String!, $input: UpdateIngestionSourceInput!) {\n
|
|
|
|
|
updateIngestionSource(urn: $urn, input: $input)\n}""",
|
2024-01-31 14:42:40 +05:30
|
|
|
"variables": {
|
|
|
|
|
"urn": ingestion_source_urn,
|
|
|
|
|
"input": {
|
|
|
|
|
"type": "snowflake",
|
|
|
|
|
"name": "test updated",
|
|
|
|
|
"config": {
|
|
|
|
|
"recipe": """{\"source\":{\"type\":\"snowflake\",\"config\":{
|
2023-11-03 13:00:15 -04:00
|
|
|
\"account_id\":null,
|
|
|
|
|
\"include_table_lineage\":true,
|
|
|
|
|
\"include_view_lineage\":true,
|
|
|
|
|
\"include_tables\":true,
|
|
|
|
|
\"include_views\":true,
|
|
|
|
|
\"profiling\":{\"enabled\":true,\"profile_table_level_only\":true},
|
|
|
|
|
\"stateful_ingestion\":{\"enabled\":true}}}}""",
|
2024-01-31 14:42:40 +05:30
|
|
|
"executorId": "default",
|
|
|
|
|
"debugMode": False,
|
|
|
|
|
"extraArgs": [],
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
2023-11-01 15:41:02 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
update_ingestion_success = user_session.post(
|
2024-01-31 14:42:40 +05:30
|
|
|
f"{get_frontend_url()}/api/v2/graphql", json=update_ingestion_source
|
|
|
|
|
)
|
2023-11-01 15:41:02 -04:00
|
|
|
update_ingestion_success.raise_for_status()
|
|
|
|
|
ingestion_data = update_ingestion_success.json()
|
|
|
|
|
|
|
|
|
|
assert ingestion_data
|
|
|
|
|
assert ingestion_data["data"]
|
|
|
|
|
assert ingestion_data["data"]["updateIngestionSource"]
|
|
|
|
|
assert ingestion_data["data"]["updateIngestionSource"] == ingestion_source_urn
|
|
|
|
|
|
|
|
|
|
# Delete ingestion source
|
2024-01-31 14:42:40 +05:30
|
|
|
remove_ingestion_source = {
|
2023-11-01 15:41:02 -04:00
|
|
|
"query": """mutation deleteIngestionSource($urn: String!) {\n
|
|
|
|
|
deleteIngestionSource(urn: $urn)\n}""",
|
2024-01-31 14:42:40 +05:30
|
|
|
"variables": {"urn": ingestion_source_urn},
|
2023-11-01 15:41:02 -04:00
|
|
|
}
|
|
|
|
|
|
2024-01-31 14:42:40 +05:30
|
|
|
remove_ingestion_response = user_session.post(
|
|
|
|
|
f"{get_frontend_url()}/api/v2/graphql", json=remove_ingestion_source
|
|
|
|
|
)
|
2023-11-01 15:41:02 -04:00
|
|
|
remove_ingestion_response.raise_for_status()
|
|
|
|
|
ingestion_data = remove_ingestion_response.json()
|
|
|
|
|
|
|
|
|
|
assert ingestion_data
|
|
|
|
|
assert ingestion_data["data"]
|
|
|
|
|
assert ingestion_data["data"]["deleteIngestionSource"]
|
|
|
|
|
assert ingestion_data["data"]["deleteIngestionSource"] == ingestion_source_urn
|
|
|
|
|
|
|
|
|
|
# Remove the policy
|
|
|
|
|
remove_policy(policy_urn, admin_session)
|
|
|
|
|
|
|
|
|
|
# Ensure that user can't create ingestion source after policy is removed
|
2024-01-31 14:42:40 +05:30
|
|
|
_ensure_cant_perform_action(
|
|
|
|
|
user_session, create_ingestion_source, "createIngestionSource"
|
|
|
|
|
)
|
2023-11-03 13:00:15 -04:00
|
|
|
|
|
|
|
|
|
2024-07-04 15:16:14 +05:30
|
|
|
def test_privilege_to_create_and_revoke_personal_access_tokens():
|
2023-11-03 13:00:15 -04:00
|
|
|
(admin_user, admin_pass) = get_admin_credentials()
|
|
|
|
|
admin_session = login_as(admin_user, admin_pass)
|
|
|
|
|
user_session = login_as("user", "user")
|
|
|
|
|
|
|
|
|
|
# Verify new user can't create access token
|
2024-01-31 14:42:40 +05:30
|
|
|
create_access_token = {
|
2023-11-03 13:00:15 -04:00
|
|
|
"query": """mutation createAccessToken($input: CreateAccessTokenInput!) {\n
|
|
|
|
|
createAccessToken(input: $input) {\n accessToken\n __typename\n }\n}\n""",
|
2024-01-31 14:42:40 +05:30
|
|
|
"variables": {
|
|
|
|
|
"input": {
|
|
|
|
|
"actorUrn": "urn:li:corpuser:user",
|
|
|
|
|
"type": "PERSONAL",
|
|
|
|
|
"duration": "ONE_MONTH",
|
|
|
|
|
"name": "test",
|
|
|
|
|
"description": "test",
|
|
|
|
|
}
|
|
|
|
|
},
|
2023-11-03 13:00:15 -04:00
|
|
|
}
|
|
|
|
|
|
2024-01-31 14:42:40 +05:30
|
|
|
_ensure_cant_perform_action(user_session, create_access_token, "createAccessToken")
|
2023-11-03 13:00:15 -04:00
|
|
|
|
|
|
|
|
# Assign privileges to the new user to create and manage access tokens
|
2024-01-31 14:42:40 +05:30
|
|
|
policy_urn = create_user_policy(
|
2024-07-04 15:16:14 +05:30
|
|
|
"urn:li:corpuser:user", ["GENERATE_PERSONAL_ACCESS_TOKENS"], admin_session
|
2024-01-31 14:42:40 +05:30
|
|
|
)
|
2023-11-03 13:00:15 -04:00
|
|
|
|
|
|
|
|
# Verify new user can create and manage access token(create, revoke)
|
|
|
|
|
# Create a access token
|
|
|
|
|
_ensure_can_create_access_token(user_session, create_access_token)
|
|
|
|
|
|
2024-07-04 15:16:14 +05:30
|
|
|
wait_for_writes_to_sync()
|
|
|
|
|
|
2023-11-03 13:00:15 -04:00
|
|
|
# List access tokens first to get token id
|
2024-01-31 14:42:40 +05:30
|
|
|
list_access_tokens = {
|
2023-11-03 13:00:15 -04:00
|
|
|
"query": """query listAccessTokens($input: ListAccessTokenInput!) {\n
|
|
|
|
|
listAccessTokens(input: $input) {\n
|
|
|
|
|
start\n count\n total\n tokens {\n urn\n type\n
|
|
|
|
|
id\n name\n description\n actorUrn\n ownerUrn\n
|
|
|
|
|
createdAt\n expiresAt\n __typename\n }\n __typename\n }\n}\n""",
|
|
|
|
|
"variables": {
|
2024-01-31 14:42:40 +05:30
|
|
|
"input": {
|
|
|
|
|
"start": 0,
|
|
|
|
|
"count": 10,
|
|
|
|
|
"filters": [{"field": "ownerUrn", "values": ["urn:li:corpuser:user"]}],
|
|
|
|
|
}
|
|
|
|
|
},
|
2023-11-03 13:00:15 -04:00
|
|
|
}
|
|
|
|
|
|
2024-01-31 14:42:40 +05:30
|
|
|
list_tokens_response = user_session.post(
|
|
|
|
|
f"{get_frontend_url()}/api/v2/graphql", json=list_access_tokens
|
|
|
|
|
)
|
2023-11-03 13:00:15 -04:00
|
|
|
list_tokens_response.raise_for_status()
|
|
|
|
|
list_tokens_data = list_tokens_response.json()
|
|
|
|
|
|
|
|
|
|
assert list_tokens_data
|
|
|
|
|
assert list_tokens_data["data"]
|
|
|
|
|
assert list_tokens_data["data"]["listAccessTokens"]["tokens"][0]["id"] is not None
|
|
|
|
|
|
2024-01-31 14:42:40 +05:30
|
|
|
access_token_id = list_tokens_data["data"]["listAccessTokens"]["tokens"][0]["id"]
|
2023-11-03 13:00:15 -04:00
|
|
|
|
|
|
|
|
# Revoke access token
|
2024-01-31 14:42:40 +05:30
|
|
|
revoke_access_token = {
|
2023-11-03 13:00:15 -04:00
|
|
|
"query": "mutation revokeAccessToken($tokenId: String!) {\n revokeAccessToken(tokenId: $tokenId)\n}\n",
|
2024-01-31 14:42:40 +05:30
|
|
|
"variables": {"tokenId": access_token_id},
|
2023-11-03 13:00:15 -04:00
|
|
|
}
|
|
|
|
|
|
2024-01-31 14:42:40 +05:30
|
|
|
revoke_token_response = user_session.post(
|
|
|
|
|
f"{get_frontend_url()}/api/v2/graphql", json=revoke_access_token
|
|
|
|
|
)
|
2023-11-03 13:00:15 -04:00
|
|
|
revoke_token_response.raise_for_status()
|
|
|
|
|
revoke_token_data = revoke_token_response.json()
|
|
|
|
|
|
|
|
|
|
assert revoke_token_data
|
|
|
|
|
assert revoke_token_data["data"]
|
|
|
|
|
assert revoke_token_data["data"]["revokeAccessToken"]
|
|
|
|
|
assert revoke_token_data["data"]["revokeAccessToken"] is True
|
|
|
|
|
|
|
|
|
|
# Remove the policy
|
|
|
|
|
remove_policy(policy_urn, admin_session)
|
|
|
|
|
|
|
|
|
|
# Ensure that user can't create access token after policy is removed
|
2024-01-31 14:42:40 +05:30
|
|
|
_ensure_cant_perform_action(user_session, create_access_token, "createAccessToken")
|
2023-11-09 00:23:17 -05:00
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_privilege_to_create_and_manage_policies():
|
|
|
|
|
(admin_user, admin_pass) = get_admin_credentials()
|
|
|
|
|
admin_session = login_as(admin_user, admin_pass)
|
|
|
|
|
user_session = login_as("user", "user")
|
|
|
|
|
|
|
|
|
|
# Verify new user can't create a policy
|
|
|
|
|
create_policy = {
|
2023-12-13 12:19:49 +05:30
|
|
|
"query": """mutation createPolicy($input: PolicyUpdateInput!) {
|
|
|
|
|
createPolicy(input: $input)
|
|
|
|
|
}""",
|
2023-11-09 00:23:17 -05:00
|
|
|
"variables": {
|
|
|
|
|
"input": {
|
|
|
|
|
"type": "PLATFORM",
|
|
|
|
|
"name": "Policy Name",
|
|
|
|
|
"description": "Policy Description",
|
|
|
|
|
"state": "ACTIVE",
|
2024-01-31 14:42:40 +05:30
|
|
|
"resources": {"filter": {"criteria": []}},
|
2023-11-09 00:23:17 -05:00
|
|
|
"privileges": ["MANAGE_POLICIES"],
|
|
|
|
|
"actors": {
|
|
|
|
|
"users": [],
|
|
|
|
|
"resourceOwners": False,
|
|
|
|
|
"allUsers": True,
|
|
|
|
|
"allGroups": False,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2024-01-31 14:42:40 +05:30
|
|
|
_ensure_cant_perform_action(user_session, create_policy, "createPolicy")
|
2023-11-09 00:23:17 -05:00
|
|
|
|
|
|
|
|
# Assign privileges to the new user to create and manage policies
|
2024-01-31 14:42:40 +05:30
|
|
|
admin_policy_urn = create_user_policy(
|
|
|
|
|
"urn:li:corpuser:user", ["MANAGE_POLICIES"], admin_session
|
|
|
|
|
)
|
2023-11-09 00:23:17 -05:00
|
|
|
|
|
|
|
|
# Verify new user can create and manage policy(create, edit, delete)
|
|
|
|
|
# Create a policy
|
|
|
|
|
user_policy_urn = _ensure_can_create_user_policy(user_session, create_policy)
|
|
|
|
|
|
|
|
|
|
# Edit a policy
|
2024-01-31 14:42:40 +05:30
|
|
|
edit_policy = {
|
2023-11-09 00:23:17 -05:00
|
|
|
"query": """mutation updatePolicy($urn: String!, $input: PolicyUpdateInput!) {\n
|
|
|
|
|
updatePolicy(urn: $urn, input: $input) }""",
|
|
|
|
|
"variables": {
|
|
|
|
|
"urn": user_policy_urn,
|
|
|
|
|
"input": {
|
|
|
|
|
"type": "PLATFORM",
|
|
|
|
|
"state": "INACTIVE",
|
|
|
|
|
"name": "Policy Name test",
|
|
|
|
|
"description": "Policy Description updated",
|
|
|
|
|
"privileges": ["MANAGE_POLICIES"],
|
|
|
|
|
"actors": {
|
|
|
|
|
"users": [],
|
|
|
|
|
"groups": None,
|
|
|
|
|
"resourceOwners": False,
|
|
|
|
|
"allUsers": True,
|
|
|
|
|
"allGroups": False,
|
|
|
|
|
"resourceOwnersTypes": None,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
2024-01-31 14:42:40 +05:30
|
|
|
edit_policy_response = user_session.post(
|
|
|
|
|
f"{get_frontend_url()}/api/v2/graphql", json=edit_policy
|
|
|
|
|
)
|
2023-11-09 00:23:17 -05:00
|
|
|
edit_policy_response.raise_for_status()
|
|
|
|
|
res_data = edit_policy_response.json()
|
|
|
|
|
|
|
|
|
|
assert res_data
|
|
|
|
|
assert res_data["data"]
|
|
|
|
|
assert res_data["data"]["updatePolicy"] == user_policy_urn
|
|
|
|
|
|
|
|
|
|
# Delete a policy
|
2024-01-31 14:42:40 +05:30
|
|
|
remove_user_policy = {
|
2023-11-09 00:23:17 -05:00
|
|
|
"query": "mutation deletePolicy($urn: String!) {\n deletePolicy(urn: $urn)\n}\n",
|
2024-01-31 14:42:40 +05:30
|
|
|
"variables": {"urn": user_policy_urn},
|
2023-11-09 00:23:17 -05:00
|
|
|
}
|
|
|
|
|
|
2024-01-31 14:42:40 +05:30
|
|
|
remove_policy_response = user_session.post(
|
|
|
|
|
f"{get_frontend_url()}/api/v2/graphql", json=remove_user_policy
|
|
|
|
|
)
|
2023-11-09 00:23:17 -05:00
|
|
|
remove_policy_response.raise_for_status()
|
|
|
|
|
res_data = remove_policy_response.json()
|
|
|
|
|
|
|
|
|
|
assert res_data
|
|
|
|
|
assert res_data["data"]
|
|
|
|
|
assert res_data["data"]["deletePolicy"] == user_policy_urn
|
|
|
|
|
|
|
|
|
|
# Remove the user privilege by admin
|
|
|
|
|
remove_policy(admin_policy_urn, admin_session)
|
|
|
|
|
|
|
|
|
|
# Ensure that user can't create a policy after privilege is removed by admin
|
2024-01-31 14:42:40 +05:30
|
|
|
_ensure_cant_perform_action(user_session, create_policy, "createPolicy")
|
2024-01-19 11:48:12 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_privilege_from_group_role_can_create_and_manage_secret():
|
|
|
|
|
(admin_user, admin_pass) = get_admin_credentials()
|
|
|
|
|
admin_session = login_as(admin_user, admin_pass)
|
|
|
|
|
user_session = login_as("user", "user")
|
2024-02-26 19:36:45 +05:30
|
|
|
secret_urn = "urn:li:dataHubSecret:TestName"
|
2024-01-19 11:48:12 +00:00
|
|
|
|
|
|
|
|
# Verify new user can't create secrets
|
|
|
|
|
create_secret = {
|
|
|
|
|
"query": """mutation createSecret($input: CreateSecretInput!) {\n
|
|
|
|
|
createSecret(input: $input)\n}""",
|
|
|
|
|
"variables": {
|
2024-01-31 14:42:40 +05:30
|
|
|
"input": {
|
2024-02-26 19:36:45 +05:30
|
|
|
"name": "TestName",
|
2024-01-31 14:42:40 +05:30
|
|
|
"value": "Test Secret Value",
|
|
|
|
|
"description": "Test Secret Description",
|
2024-01-19 11:48:12 +00:00
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
}
|
2024-01-31 14:42:40 +05:30
|
|
|
_ensure_cant_perform_action(user_session, create_secret, "createSecret")
|
2024-01-19 11:48:12 +00:00
|
|
|
|
|
|
|
|
# Create group and grant it the admin role.
|
|
|
|
|
group_urn = create_group(admin_session, "Test Group")
|
|
|
|
|
|
|
|
|
|
# Assign admin role to group
|
2024-01-31 14:42:40 +05:30
|
|
|
assign_role(admin_session, "urn:li:dataHubRole:Admin", [group_urn])
|
2024-01-19 11:48:12 +00:00
|
|
|
|
|
|
|
|
# Assign user to group
|
|
|
|
|
assign_user_to_group(admin_session, group_urn, ["urn:li:corpuser:user"])
|
|
|
|
|
|
|
|
|
|
# Verify new user with admin group can create and manage secrets
|
|
|
|
|
# Create a secret
|
|
|
|
|
_ensure_can_create_secret(user_session, create_secret, secret_urn)
|
|
|
|
|
|
|
|
|
|
# Remove a secret
|
|
|
|
|
remove_secret = {
|
|
|
|
|
"query": """mutation deleteSecret($urn: String!) {\n
|
|
|
|
|
deleteSecret(urn: $urn)\n}""",
|
2024-01-31 14:42:40 +05:30
|
|
|
"variables": {"urn": secret_urn},
|
2024-01-19 11:48:12 +00:00
|
|
|
}
|
|
|
|
|
|
2024-01-31 14:42:40 +05:30
|
|
|
remove_secret_response = user_session.post(
|
|
|
|
|
f"{get_frontend_url()}/api/v2/graphql", json=remove_secret
|
|
|
|
|
)
|
2024-01-19 11:48:12 +00:00
|
|
|
remove_secret_response.raise_for_status()
|
|
|
|
|
secret_data = remove_secret_response.json()
|
|
|
|
|
|
|
|
|
|
assert secret_data
|
|
|
|
|
assert secret_data["data"]
|
|
|
|
|
assert secret_data["data"]["deleteSecret"]
|
|
|
|
|
assert secret_data["data"]["deleteSecret"] == secret_urn
|
|
|
|
|
|
|
|
|
|
# Delete group which removes the user's admin capabilities
|
|
|
|
|
remove_group(admin_session, group_urn)
|
|
|
|
|
|
|
|
|
|
# Ensure user can't create secret after policy is removed
|
2024-01-31 14:42:40 +05:30
|
|
|
_ensure_cant_perform_action(user_session, create_secret, "createSecret")
|
