Skip to content

Commit

Permalink
feat(auth): Add roles to policy engine validation logic
Browse files Browse the repository at this point in the history
  • Loading branch information
pedro93 committed Nov 5, 2023
1 parent 81daae8 commit 27710ae
Show file tree
Hide file tree
Showing 5 changed files with 25 additions and 30 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ public class AuthorizedActors {
String privilege;
List<Urn> users;
List<Urn> groups;
List<Urn> roles;
boolean allUsers;
boolean allGroups;
}
Original file line number Diff line number Diff line change
Expand Up @@ -131,6 +131,7 @@ public AuthorizedActors authorizedActors(

final List<Urn> authorizedUsers = new ArrayList<>();
final List<Urn> authorizedGroups = new ArrayList<>();
final List<Urn> authorizedRoles = new ArrayList<>();
boolean allUsers = false;
boolean allGroups = false;

Expand All @@ -151,6 +152,7 @@ public AuthorizedActors authorizedActors(
// Step 3: For each matching policy, add actors that are authorized.
authorizedUsers.addAll(matchingActors.getUsers());
authorizedGroups.addAll(matchingActors.getGroups());
authorizedRoles.add(matchingActors.getRoles());
if (matchingActors.allUsers()) {
allUsers = true;
}
Expand All @@ -160,7 +162,7 @@ public AuthorizedActors authorizedActors(
}

// Step 4: Return all authorized users and groups.
return new AuthorizedActors(privilege, authorizedUsers, authorizedGroups, allUsers, allGroups);
return new AuthorizedActors(privilege, authorizedUsers, authorizedGroups, authorizedRoles, allUsers, allGroups);
}

/**
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
import com.linkedin.identity.RoleMembership;
import com.linkedin.metadata.Constants;
import com.linkedin.metadata.authorization.PoliciesConfig;
import com.linkedin.pegasus2avro.common.AccessLevel;
import com.linkedin.policy.DataHubActorFilter;
import com.linkedin.policy.DataHubPolicyInfo;
import com.linkedin.policy.DataHubResourceFilter;
Expand All @@ -32,7 +33,10 @@
import java.util.stream.Stream;
import javax.annotation.Nullable;

import lombok.AccessLevel;
import lombok.AllArgsConstructor;
import lombok.RequiredArgsConstructor;
import lombok.Value;
import lombok.extern.slf4j.Slf4j;

import static com.linkedin.metadata.Constants.*;
Expand Down Expand Up @@ -75,6 +79,7 @@ public PolicyActors getMatchingActors(
final Optional<ResolvedEntitySpec> resource) {
final List<Urn> users = new ArrayList<>();
final List<Urn> groups = new ArrayList<>();
final List<Urn> roles = new ArrayList<>();
boolean allUsers = false;
boolean allGroups = false;
if (policyMatchesResource(policy, resource)) {
Expand All @@ -96,6 +101,9 @@ public PolicyActors getMatchingActors(
if (actorFilter.getGroups() != null) {
groups.addAll(actorFilter.getGroups());
}
if (actorFilter.getRoles() != null) {
roles.addAll(actorFilter.getRoles());
}

// 2. Fetch Actors based on resource ownership.
if (actorFilter.isResourceOwners() && resource.isPresent()) {
Expand All @@ -104,7 +112,7 @@ public PolicyActors getMatchingActors(
groups.addAll(groupOwners(owners));
}
}
return new PolicyActors(users, groups, allUsers, allGroups);
return new PolicyActors(users, groups, roles, allUsers, allGroups);
}

private boolean isPolicyApplicable(
Expand Down Expand Up @@ -438,34 +446,14 @@ public boolean isGranted() {
/**
* Class used to represent all valid users of a policy.
*/
@Value
@AllArgsConstructor(access = AccessLevel.PUBLIC)
public static class PolicyActors {
final List<Urn> _users;
final List<Urn> _groups;
final Boolean _allUsers;
final Boolean _allGroups;

public PolicyActors(final List<Urn> users, final List<Urn> groups, final Boolean allUsers, final Boolean allGroups) {
_users = users;
_groups = groups;
_allUsers = allUsers;
_allGroups = allGroups;
}

public List<Urn> getUsers() {
return _users;
}

public List<Urn> getGroups() {
return _groups;
}

public Boolean allUsers() {
return _allUsers;
}

public Boolean allGroups() {
return _allGroups;
}
List<Urn> users;
List<Urn> groups;
List<Urn> roles;
Boolean allUsers;
Boolean allGroups;
}

private List<Urn> userOwners(final Set<String> owners) {
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package com.datahub.authorization;

import com.datahub.authentication.Authentication;
import com.datastax.oss.driver.shaded.guava.common.collect.ImmutableList;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
Expand Down Expand Up @@ -1041,6 +1042,7 @@ public void testGetMatchingActorsResourceMatch() throws Exception {
Urn.createFromString("urn:li:corpuser:user2"))));
actorFilter.setGroups(new UrnArray(ImmutableList.of(Urn.createFromString("urn:li:corpGroup:group1"),
Urn.createFromString("urn:li:corpGroup:group2"))));
actorFilter.setRoles(new UrnArray(ImmutableList.of(Urn.createFromString("urn:li:role:Admin"))));
dataHubPolicyInfo.setActors(actorFilter);

final DataHubResourceFilter resourceFilter = new DataHubResourceFilter();
Expand Down Expand Up @@ -1068,6 +1070,8 @@ public void testGetMatchingActorsResourceMatch() throws Exception {
Urn.createFromString("urn:li:corpGroup:group2"), Urn.createFromString(AUTHORIZED_GROUP) // Resource Owner
));

assertEquals(actors.getRoles(), ImmutableList.of(Urn.createFromString("urn:li:role:Admin")));

// Verify aspect client called, entity client not called.
verify(_entityClient, times(0)).batchGetV2(eq(CORP_USER_ENTITY_NAME), eq(Collections.singleton(authorizedUserUrn)),
eq(null), any());
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,7 @@ public AuthorizationResult authorize(@Nonnull AuthorizationRequest request) {

@Override
public AuthorizedActors authorizedActors(String privilege, Optional<EntitySpec> resourceSpec) {
return new AuthorizedActors("ALL", null, null, true, true);
return new AuthorizedActors("ALL", null, null, null, true, true);
}
}

0 comments on commit 27710ae

Please sign in to comment.