yujunjun/datahub
2
0
Fork 0
mirror of https://github.com/datahub-project/datahub.git synced 2025-09-03 06:13:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(logs): add actor urn on unauthorised (#12030)

Browse Source
This commit is contained in:
Aseem Bansal 2024-12-06 16:57:07 +05:30 committed by GitHub
parent 2fe21329fa
commit eef2077a55
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 21 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
metadata-service/auth-filter/src/main/java/com/datahub/auth/authentication/filter/AuthenticationFilter.java
View File

@ -98,11 +98,12 @@ public class AuthenticationFilter implements Filter {
} }
if (authentication != null) { if (authentication != null) {
String actorUrnStr = authentication.getActor().toUrnStr();
// Successfully authenticated. // Successfully authenticated.
log.debug( log.debug(
String.format( "Successfully authenticated request for Actor with type: {}, id: {}",
"Successfully authenticated request for Actor with type: %s, id: %s", authentication.getActor().getType(),
authentication.getActor().getType(), authentication.getActor().getId())); authentication.getActor().getId());
AuthenticationContext.setAuthentication(authentication); AuthenticationContext.setAuthentication(authentication);
chain.doFilter(request, response); chain.doFilter(request, response);
} else { } else {
@ -110,7 +111,9 @@ public class AuthenticationFilter implements Filter {
log.debug( log.debug(
"Failed to authenticate request. Received 'null' Authentication value from authenticator chain."); "Failed to authenticate request. Received 'null' Authentication value from authenticator chain.");
((HttpServletResponse) response) ((HttpServletResponse) response)
.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized to perform this action."); .sendError(
HttpServletResponse.SC_UNAUTHORIZED,
"Unauthorized to perform this action due to expired auth.");
return; return;
} }
AuthenticationContext.remove(); AuthenticationContext.remove();

6
metadata-service/auth-servlet-impl/src/main/java/com/datahub/auth/authentication/AuthServiceController.java
View File

@ -138,7 +138,9 @@ public class AuthServiceController {
} }
log.info("Attempting to generate session token for user {}", userId.asText()); log.info("Attempting to generate session token for user {}", userId.asText());
final String actorId = AuthenticationContext.getAuthentication().getActor().getId(); Authentication authentication = AuthenticationContext.getAuthentication();
final String actorId = authentication.getActor().getId();
final String actorUrn = authentication.getActor().toUrnStr();
return CompletableFuture.supplyAsync( return CompletableFuture.supplyAsync(
() -> { () -> {
// 1. Verify that only those authorized to generate a token (datahub system) are able to. // 1. Verify that only those authorized to generate a token (datahub system) are able to.
@ -164,7 +166,7 @@ public class AuthServiceController {
} }
throw HttpClientErrorException.create( throw HttpClientErrorException.create(
HttpStatus.UNAUTHORIZED, HttpStatus.UNAUTHORIZED,
"Unauthorized to perform this action.", actorUrn + " unauthorized to perform this action.",
new HttpHeaders(), new HttpHeaders(),
null, null,
null); null);

6
metadata-service/restli-servlet-impl/src/main/java/com/linkedin/metadata/resources/entity/AspectResource.java
View File

@ -281,12 +281,13 @@ public class AspectResource extends CollectionResourceTaskTemplate<String, Versi
boolean asyncBool) boolean asyncBool)
throws URISyntaxException { throws URISyntaxException {
Authentication authentication = AuthenticationContext.getAuthentication(); Authentication authentication = AuthenticationContext.getAuthentication();
String actorUrnStr = authentication.getActor().toUrnStr();
Set<String> entityTypes = metadataChangeProposals.stream() Set<String> entityTypes = metadataChangeProposals.stream()
.map(MetadataChangeProposal::getEntityType) .map(MetadataChangeProposal::getEntityType)
.collect(Collectors.toSet()); .collect(Collectors.toSet());
final OperationContext opContext = OperationContext.asSession( final OperationContext opContext = OperationContext.asSession(
systemOperationContext, RequestContext.builder().buildRestli(authentication.getActor().toUrnStr(), getContext(), systemOperationContext, RequestContext.builder().buildRestli(actorUrnStr, getContext(),
ACTION_INGEST_PROPOSAL, entityTypes), _authorizer, authentication, true); ACTION_INGEST_PROPOSAL, entityTypes), _authorizer, authentication, true);
// Ingest Authorization Checks // Ingest Authorization Checks
@ -299,9 +300,8 @@ public class AspectResource extends CollectionResourceTaskTemplate<String, Versi
.map(ex -> String.format("HttpStatus: %s Urn: %s", ex.getSecond(), ex.getFirst().getEntityUrn())) .map(ex -> String.format("HttpStatus: %s Urn: %s", ex.getSecond(), ex.getFirst().getEntityUrn()))
.collect(Collectors.joining(", ")); .collect(Collectors.joining(", "));
throw new RestLiServiceException( throw new RestLiServiceException(
HttpStatus.S_403_FORBIDDEN, "User is unauthorized to modify entity: " + errorMessages); HttpStatus.S_403_FORBIDDEN, "User " + actorUrnStr + " is unauthorized to modify entity: " + errorMessages);
} }
String actorUrnStr = authentication.getActor().toUrnStr();
final AuditStamp auditStamp = final AuditStamp auditStamp =
new AuditStamp().setTime(_clock.millis()).setActor(Urn.createFromString(actorUrnStr)); new AuditStamp().setTime(_clock.millis()).setActor(Urn.createFromString(actorUrnStr));

8
metadata-service/restli-servlet-impl/src/main/java/com/linkedin/metadata/resources/entity/EntityResource.java
View File

@ -274,7 +274,7 @@ public class EntityResource extends CollectionResourceTaskTemplate<String, Entit
String actorUrnStr = authentication.getActor().toUrnStr(); String actorUrnStr = authentication.getActor().toUrnStr();
final Urn urn = com.datahub.util.ModelUtils.getUrnFromSnapshotUnion(entity.getValue()); final Urn urn = com.datahub.util.ModelUtils.getUrnFromSnapshotUnion(entity.getValue());
final OperationContext opContext = OperationContext.asSession( final OperationContext opContext = OperationContext.asSession(
systemOperationContext, RequestContext.builder().buildRestli(authentication.getActor().toUrnStr(), getContext(), systemOperationContext, RequestContext.builder().buildRestli(actorUrnStr, getContext(),
ACTION_INGEST, urn.getEntityType()), authorizer, authentication, true); ACTION_INGEST, urn.getEntityType()), authorizer, authentication, true);
if (!isAPIAuthorizedEntityUrns( if (!isAPIAuthorizedEntityUrns(
@ -282,7 +282,7 @@ public class EntityResource extends CollectionResourceTaskTemplate<String, Entit
CREATE, CREATE,
List.of(urn))) { List.of(urn))) {
throw new RestLiServiceException( throw new RestLiServiceException(
HttpStatus.S_403_FORBIDDEN, "User is unauthorized to edit entity " + urn); HttpStatus.S_403_FORBIDDEN, "User " + actorUrnStr + " is unauthorized to edit entity " + urn);
} }
try { try {
@ -320,7 +320,7 @@ public class EntityResource extends CollectionResourceTaskTemplate<String, Entit
.map(Entity::getValue) .map(Entity::getValue)
.map(com.datahub.util.ModelUtils::getUrnFromSnapshotUnion).collect(Collectors.toList()); .map(com.datahub.util.ModelUtils::getUrnFromSnapshotUnion).collect(Collectors.toList());
final OperationContext opContext = OperationContext.asSession( final OperationContext opContext = OperationContext.asSession(
systemOperationContext, RequestContext.builder().buildRestli(authentication.getActor().toUrnStr(), systemOperationContext, RequestContext.builder().buildRestli(actorUrnStr,
getContext(), ACTION_BATCH_INGEST, urns.stream().map(Urn::getEntityType).collect(Collectors.toList())), getContext(), ACTION_BATCH_INGEST, urns.stream().map(Urn::getEntityType).collect(Collectors.toList())),
authorizer, authentication, true); authorizer, authentication, true);
@ -328,7 +328,7 @@ public class EntityResource extends CollectionResourceTaskTemplate<String, Entit
opContext, opContext,
CREATE, urns)) { CREATE, urns)) {
throw new RestLiServiceException( throw new RestLiServiceException(
HttpStatus.S_403_FORBIDDEN, "User is unauthorized to edit entities."); HttpStatus.S_403_FORBIDDEN, "User " + actorUrnStr + " is unauthorized to edit entities.");
} }
for (Entity entity : entities) { for (Entity entity : entities) {

5
metadata-service/restli-servlet-impl/src/main/java/com/linkedin/metadata/resources/usage/UsageStats.java
View File

@ -104,9 +104,10 @@ public class UsageStats extends SimpleResourceTemplate<UsageAggregation> {
() -> { () -> {
final Authentication auth = AuthenticationContext.getAuthentication(); final Authentication auth = AuthenticationContext.getAuthentication();
String actorUrnStr = auth.getActor().toUrnStr();
Set<Urn> urns = Arrays.stream(buckets).sequential().map(UsageAggregation::getResource).collect(Collectors.toSet()); Set<Urn> urns = Arrays.stream(buckets).sequential().map(UsageAggregation::getResource).collect(Collectors.toSet());
final OperationContext opContext = OperationContext.asSession( final OperationContext opContext = OperationContext.asSession(
systemOperationContext, RequestContext.builder().buildRestli(auth.getActor().toUrnStr(), getContext(), systemOperationContext, RequestContext.builder().buildRestli(actorUrnStr, getContext(),
ACTION_BATCH_INGEST, urns.stream().map(Urn::getEntityType).collect(Collectors.toList())), _authorizer, ACTION_BATCH_INGEST, urns.stream().map(Urn::getEntityType).collect(Collectors.toList())), _authorizer,
auth, true); auth, true);
@ -115,7 +116,7 @@ public class UsageStats extends SimpleResourceTemplate<UsageAggregation> {
UPDATE, UPDATE,
urns)) { urns)) {
throw new RestLiServiceException( throw new RestLiServiceException(
HttpStatus.S_403_FORBIDDEN, "User is unauthorized to edit entities."); HttpStatus.S_403_FORBIDDEN, "User " + actorUrnStr + " is unauthorized to edit entities.");
} }
for (UsageAggregation agg : buckets) { for (UsageAggregation agg : buckets) {