fix(auth): admin role missing privileges (#13337)

2025-12-12 10:35:51 +00:00 · 2025-04-28 11:42:41 +05:30 · 2025-04-28 11:42:41 +05:30 · 1de63cc817
commit 1de63cc817
parent 894655622d
2 changed files with 25 additions and 1 deletions
--- a/.github/scripts/check_policies.py
+++ b/.github/scripts/check_policies.py
@ -13,10 +13,22 @@ without_info = []

 metadata_privileges = set()
 platform_privileges = set()
+root_user_platform_policy_privileges = set()
+root_user_all_privileges = set()
+admin_role_platform_privileges = set()
+admin_role_all_privileges = set()
 for policy in all_policies:
    urn = policy["urn"]
    if urn == "urn:li:dataHubPolicy:0":
        root_user_platform_policy_privileges = policy["info"]["privileges"]
+        root_user_all_privileges.update(set(root_user_platform_policy_privileges))
+    elif urn == "urn:li:dataHubPolicy:1":
+        root_user_all_privileges.update(set(policy["info"]["privileges"]))
+    elif urn == "urn:li:dataHubPolicy:admin-platform-policy":
+        admin_role_platform_privileges = policy["info"]["privileges"]
+        admin_role_all_privileges.update(set(admin_role_platform_privileges))
+    elif urn == "urn:li:dataHubPolicy:admin-metadata-policy":
+        admin_role_all_privileges.update(set(policy["info"]["privileges"]))
    elif urn == "urn:li:dataHubPolicy:editor-platform-policy":
        editor_platform_policy_privileges = policy["info"]["privileges"]
    elif urn == "urn:li:dataHubPolicy:7":
@ -54,6 +66,16 @@ diff_policies = set(platform_privileges).difference(
 )
 assert len(diff_policies) == 0, f"Missing privileges for root user are {diff_policies}"

+diff_root_user_admin_role = set(
+    root_user_platform_policy_privileges
+).difference(set(admin_role_platform_privileges))
+assert len(diff_root_user_admin_role) == 0, f"Missing privileges for admin role are {diff_root_user_admin_role}"
+
+diff_root_user_admin_role_all = set(
+    root_user_all_privileges
+).difference(set(admin_role_all_privileges))
+assert len(diff_root_user_admin_role_all) == 0, f"Missing privileges for admin role are {diff_root_user_admin_role_all}"
+
 # All users privileges checks
 assert "MANAGE_POLICIES" not in all_user_platform_policy_privileges
 assert "MANAGE_USERS_AND_GROUPS" not in all_user_platform_policy_privileges
--- a/metadata-service/war/src/main/resources/boot/policies.json
+++ b/metadata-service/war/src/main/resources/boot/policies.json
@ -193,7 +193,9 @@
        "MANAGE_STRUCTURED_PROPERTIES",
        "VIEW_STRUCTURED_PROPERTIES_PAGE",
        "MANAGE_DOCUMENTATION_FORMS",
-        "MANAGE_FEATURES"
+        "MANAGE_FEATURES",
+        "MANAGE_SYSTEM_OPERATIONS",
+        "GET_PLATFORM_EVENTS"
      ],
      "displayName": "Admins - Platform Policy",
      "description": "Admins have all platform privileges.",