From bfb8ca0adc3afc69e269476013147d68b8ed6183 Mon Sep 17 00:00:00 2001 From: Aseem Bansal Date: Wed, 4 Dec 2024 20:26:06 +0530 Subject: [PATCH 1/3] fix(logs): add actor urn on unauthorised --- .../authentication/filter/AuthenticationFilter.java | 11 +++++++---- .../auth/authentication/AuthServiceController.java | 2 +- .../metadata/resources/entity/AspectResource.java | 6 +++--- .../metadata/resources/entity/EntityResource.java | 8 ++++---- .../linkedin/metadata/resources/usage/UsageStats.java | 5 +++-- 5 files changed, 18 insertions(+), 14 deletions(-) diff --git a/metadata-service/auth-filter/src/main/java/com/datahub/auth/authentication/filter/AuthenticationFilter.java b/metadata-service/auth-filter/src/main/java/com/datahub/auth/authentication/filter/AuthenticationFilter.java index 0a54677eb6149b..34fa05284108d6 100644 --- a/metadata-service/auth-filter/src/main/java/com/datahub/auth/authentication/filter/AuthenticationFilter.java +++ b/metadata-service/auth-filter/src/main/java/com/datahub/auth/authentication/filter/AuthenticationFilter.java @@ -96,13 +96,14 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha .sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized to perform this action."); return; } + String actorUrnStr = authentication.getActor().toUrnStr(); if (authentication != null) { // Successfully authenticated. log.debug( - String.format( - "Successfully authenticated request for Actor with type: %s, id: %s", - authentication.getActor().getType(), authentication.getActor().getId())); + "Successfully authenticated request for Actor with type: {}, id: {}", + authentication.getActor().getType(), + authentication.getActor().getId()); AuthenticationContext.setAuthentication(authentication); chain.doFilter(request, response); } else { 
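Review bot: `String actorUrnStr = authentication.getActor().toUrnStr();` is evaluated before the `if (authentication != null)` test, so the null case that the else branch exists for now throws NullPointerException on that line instead of reaching `sendError(HttpServletResponse.SC_UNAUTHORIZED, ...)`, and an unauthenticated request surfaces as a container error rather than a 401. The same value is what the next hunk of this file (@@ -110) concatenates into the 401 body, so as written that branch cannot execute. Either declare the variable inside the non-null branch (which is what PATCH 3/3 of this series does) or guard it, e.g. `String actorUrnStr = authentication == null ? "unknown" : authentication.getActor().toUrnStr();`. doFilter starts and ends outside the hunk.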
@@ -110,7 +111,9 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha log.debug( "Failed to authenticate request. Received 'null' Authentication value from authenticator chain."); ((HttpServletResponse) response) - .sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized to perform this action."); + .sendError( + HttpServletResponse.SC_UNAUTHORIZED, + actorUrnStr + " unauthorized to perform this action."); return; } AuthenticationContext.remove(); diff --git a/metadata-service/auth-servlet-impl/src/main/java/com/datahub/auth/authentication/AuthServiceController.java b/metadata-service/auth-servlet-impl/src/main/java/com/datahub/auth/authentication/AuthServiceController.java index de2582af00a932..b67f815f6c2940 100644 --- a/metadata-service/auth-servlet-impl/src/main/java/com/datahub/auth/authentication/AuthServiceController.java +++ b/metadata-service/auth-servlet-impl/src/main/java/com/datahub/auth/authentication/AuthServiceController.java @@ -164,7 +164,7 @@ CompletableFuture> generateSessionTokenForUser( } throw HttpClientErrorException.create( HttpStatus.UNAUTHORIZED, - "Unauthorized to perform this action.", + actorId + " unauthorized to perform this action.", new HttpHeaders(), null, null); diff --git a/metadata-service/restli-servlet-impl/src/main/java/com/linkedin/metadata/resources/entity/AspectResource.java b/metadata-service/restli-servlet-impl/src/main/java/com/linkedin/metadata/resources/entity/AspectResource.java index a8b9c34ab66ae6..6033ead36f10ec 100644 --- a/metadata-service/restli-servlet-impl/src/main/java/com/linkedin/metadata/resources/entity/AspectResource.java +++ b/metadata-service/restli-servlet-impl/src/main/java/com/linkedin/metadata/resources/entity/AspectResource.java 
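Review bot: The actor identifier is concatenated into the HttpClientErrorException message, which is the body returned to the caller, while the subject line frames this as a logging fix; an exception message is only recorded if whatever catches it logs it, so if the denial must be attributable server-side, add `log.warn("Actor {} is not authorized to generate session tokens", actorId);` before the throw and keep the client-facing text as it was. Keeping identity details out of the error body is also the safer default: the 401 is exactly the response a caller presenting a token that is not theirs would see, and it would now confirm which actor that token resolves to. AspectResource @@ -299, EntityResource @@ -282 and @@ -328, and UsageStats @@ -115 put the actor URN into RestLiServiceException messages the same way and deserve the same treatment. actorId is read from AuthenticationContext before the supplyAsync lambda, which looks intentional if that context is thread-bound; a one-line comment would preserve that intent. generateSessionTokenForUser starts and ends outside the hunk.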
@@ -281,12 +281,13 @@ private Task ingestProposals( boolean asyncBool) throws URISyntaxException { Authentication authentication = AuthenticationContext.getAuthentication(); + String actorUrnStr = authentication.getActor().toUrnStr(); Set entityTypes = metadataChangeProposals.stream() .map(MetadataChangeProposal::getEntityType) .collect(Collectors.toSet()); final OperationContext opContext = OperationContext.asSession( - systemOperationContext, RequestContext.builder().buildRestli(authentication.getActor().toUrnStr(), getContext(), + systemOperationContext, RequestContext.builder().buildRestli(actorUrnStr, getContext(), ACTION_INGEST_PROPOSAL, entityTypes), _authorizer, authentication, true); // Ingest Authorization Checks @@ -299,9 +300,8 @@ private Task ingestProposals( .map(ex -> String.format("HttpStatus: %s Urn: %s", ex.getSecond(), ex.getFirst().getEntityUrn())) .collect(Collectors.joining(", ")); throw new RestLiServiceException( - HttpStatus.S_403_FORBIDDEN, "User is unauthorized to modify entity: " + errorMessages); + HttpStatus.S_403_FORBIDDEN, "User " + actorUrnStr + " is unauthorized to modify entity: " + errorMessages); } - String actorUrnStr = authentication.getActor().toUrnStr(); final AuditStamp auditStamp = new AuditStamp().setTime(_clock.millis()).setActor(Urn.createFromString(actorUrnStr)); diff --git a/metadata-service/restli-servlet-impl/src/main/java/com/linkedin/metadata/resources/entity/EntityResource.java b/metadata-service/restli-servlet-impl/src/main/java/com/linkedin/metadata/resources/entity/EntityResource.java index 6c5576f2e5d9f4..0c374c29cf958a 100644 --- a/metadata-service/restli-servlet-impl/src/main/java/com/linkedin/metadata/resources/entity/EntityResource.java +++ b/metadata-service/restli-servlet-impl/src/main/java/com/linkedin/metadata/resources/entity/EntityResource.java 
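Review bot: The new `String actorUrnStr` in the first hunk is the only non-final local in this stretch — `final OperationContext opContext` and `final AuditStamp auditStamp` surround it — and it is assigned once and read three times, so `final String actorUrnStr = authentication.getActor().toUrnStr();` keeps the method's style; UsageStats @@ -104 introduces the same variable the same way. Moving the declaration up is otherwise sound: the old code already dereferenced `authentication.getActor()` in the very next statement, so no new null path is introduced. ingestProposals starts and ends outside the hunks.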
@@ -274,7 +274,7 @@ public Task ingest( String actorUrnStr = authentication.getActor().toUrnStr(); final Urn urn = com.datahub.util.ModelUtils.getUrnFromSnapshotUnion(entity.getValue()); final OperationContext opContext = OperationContext.asSession( - systemOperationContext, RequestContext.builder().buildRestli(authentication.getActor().toUrnStr(), getContext(), + systemOperationContext, RequestContext.builder().buildRestli(actorUrnStr, getContext(), ACTION_INGEST, urn.getEntityType()), authorizer, authentication, true); if (!isAPIAuthorizedEntityUrns( @@ -282,7 +282,7 @@ public Task ingest( CREATE, List.of(urn))) { throw new RestLiServiceException( - HttpStatus.S_403_FORBIDDEN, "User is unauthorized to edit entity " + urn); + HttpStatus.S_403_FORBIDDEN, "User " + actorUrnStr + " is unauthorized to edit entity " + urn); } try { @@ -320,7 +320,7 @@ public Task batchIngest( .map(Entity::getValue) .map(com.datahub.util.ModelUtils::getUrnFromSnapshotUnion).collect(Collectors.toList()); final OperationContext opContext = OperationContext.asSession( - systemOperationContext, RequestContext.builder().buildRestli(authentication.getActor().toUrnStr(), + systemOperationContext, RequestContext.builder().buildRestli(actorUrnStr, getContext(), ACTION_BATCH_INGEST, urns.stream().map(Urn::getEntityType).collect(Collectors.toList())), authorizer, authentication, true); @@ -328,7 +328,7 @@ public Task batchIngest( opContext, CREATE, urns)) { throw new RestLiServiceException( - HttpStatus.S_403_FORBIDDEN, "User is unauthorized to edit entities."); + HttpStatus.S_403_FORBIDDEN, "User " + actorUrnStr + " is unauthorized to edit entities."); } for (Entity entity : entities) { diff --git a/metadata-service/restli-servlet-impl/src/main/java/com/linkedin/metadata/resources/usage/UsageStats.java b/metadata-service/restli-servlet-impl/src/main/java/com/linkedin/metadata/resources/usage/UsageStats.java index a0c3d460951605..426eff20c9c6eb 100644 
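Review bot: The batchIngest 403 in the last hunk (@@ -328) names the actor but not the entities, whereas the single-entity message in @@ -282 appends `urn`; for a batch denial an operator reading the response cannot tell which of `urns` failed the CREATE check, so `"User " + actorUrnStr + " is unauthorized to edit entities: " + urns` (bounded if batches can be large) would make it diagnosable, and UsageStats @@ -115 has the same gap. In the batchIngest hunks `actorUrnStr` is referenced without a visible declaration, so it presumably is declared above the hunk as it is in ingest at line 274; worth confirming it is derived from the same `authentication` that is passed to asSession. Both ingest and batchIngest start and end outside the hunks.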
--- a/metadata-service/restli-servlet-impl/src/main/java/com/linkedin/metadata/resources/usage/UsageStats.java +++ b/metadata-service/restli-servlet-impl/src/main/java/com/linkedin/metadata/resources/usage/UsageStats.java @@ -104,9 +104,10 @@ public Task batchIngest(@ActionParam(PARAM_BUCKETS) @Nonnull UsageAggregat () -> { final Authentication auth = AuthenticationContext.getAuthentication(); + String actorUrnStr = auth.getActor().toUrnStr(); Set urns = Arrays.stream(buckets).sequential().map(UsageAggregation::getResource).collect(Collectors.toSet()); final OperationContext opContext = OperationContext.asSession( - systemOperationContext, RequestContext.builder().buildRestli(auth.getActor().toUrnStr(), getContext(), + systemOperationContext, RequestContext.builder().buildRestli(actorUrnStr, getContext(), ACTION_BATCH_INGEST, urns.stream().map(Urn::getEntityType).collect(Collectors.toList())), _authorizer, auth, true); @@ -115,7 +116,7 @@ public Task batchIngest(@ActionParam(PARAM_BUCKETS) @Nonnull UsageAggregat UPDATE, urns)) { throw new RestLiServiceException( - HttpStatus.S_403_FORBIDDEN, "User is unauthorized to edit entities."); + HttpStatus.S_403_FORBIDDEN, "User " + actorUrnStr + " is unauthorized to edit entities."); } for (UsageAggregation agg : buckets) { From 94dadfd79df3f01548e38e8f0a55eb60afd6615a Mon Sep 17 00:00:00 2001 From: Aseem Bansal Date: Wed, 4 Dec 2024 20:28:19 +0530 Subject: [PATCH 2/3] add actor urn not id --- .../datahub/auth/authentication/AuthServiceController.java | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/metadata-service/auth-servlet-impl/src/main/java/com/datahub/auth/authentication/AuthServiceController.java b/metadata-service/auth-servlet-impl/src/main/java/com/datahub/auth/authentication/AuthServiceController.java index b67f815f6c2940..5d4542cf0826e8 100644 --- a/metadata-service/auth-servlet-impl/src/main/java/com/datahub/auth/authentication/AuthServiceController.java 
+++ b/metadata-service/auth-servlet-impl/src/main/java/com/datahub/auth/authentication/AuthServiceController.java @@ -138,7 +138,9 @@ CompletableFuture> generateSessionTokenForUser( } log.info("Attempting to generate session token for user {}", userId.asText()); - final String actorId = AuthenticationContext.getAuthentication().getActor().getId(); + Authentication authentication = AuthenticationContext.getAuthentication(); + final String actorId = authentication.getActor().getId(); + final String actorUrn = authentication.getActor().toUrnStr(); return CompletableFuture.supplyAsync( () -> { // 1. Verify that only those authorized to generate a token (datahub system) are able to. @@ -164,7 +166,7 @@ CompletableFuture> generateSessionTokenForUser( } throw HttpClientErrorException.create( HttpStatus.UNAUTHORIZED, - actorId + " unauthorized to perform this action.", + actorUrn + " unauthorized to perform this action.", new HttpHeaders(), null, null); From 6568e25c7b9cd51bbfed697fa593357e86b81d8a Mon Sep 17 00:00:00 2001 From: Aseem Bansal Date: Wed, 4 Dec 2024 21:22:04 +0530 Subject: [PATCH 3/3] fix logging --- .../auth/authentication/filter/AuthenticationFilter.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/metadata-service/auth-filter/src/main/java/com/datahub/auth/authentication/filter/AuthenticationFilter.java b/metadata-service/auth-filter/src/main/java/com/datahub/auth/authentication/filter/AuthenticationFilter.java index 34fa05284108d6..30f98180f80180 100644 --- a/metadata-service/auth-filter/src/main/java/com/datahub/auth/authentication/filter/AuthenticationFilter.java +++ b/metadata-service/auth-filter/src/main/java/com/datahub/auth/authentication/filter/AuthenticationFilter.java 
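Review bot: Once the second hunk switches the message to `actorUrn`, `actorId` from the first hunk may be an unused capture: if nothing in the lambda body between the hunks still reads it, drop `final String actorId = authentication.getActor().getId();`. The new `Authentication authentication` local is the only non-final declaration of the three and is never reassigned, so `final Authentication authentication = AuthenticationContext.getAuthentication();` matches the adjacent lines. The line also relies on `Authentication` being imported in this file; the replaced code only used AuthenticationContext, so confirm the import is present. generateSessionTokenForUser starts and ends outside the hunks.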
@@ -96,9 +96,9 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha .sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized to perform this action."); return; } - String actorUrnStr = authentication.getActor().toUrnStr(); if (authentication != null) { + String actorUrnStr = authentication.getActor().toUrnStr(); // Successfully authenticated. log.debug( "Successfully authenticated request for Actor with type: {}, id: {}", @@ -113,7 +113,7 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha ((HttpServletResponse) response) .sendError( HttpServletResponse.SC_UNAUTHORIZED, - actorUrnStr + " unauthorized to perform this action."); + "Unauthorized to perform this action due to expired auth."); return; } AuthenticationContext.remove();
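Review bot: After this move `actorUrnStr` is declared inside the non-null branch but nothing in that branch reads it — the debug call still formats `getType()` and `getId()`, and the 401 text in the second hunk no longer uses it — so the line is dead and should either go or feed the debug message, e.g. `log.debug("Successfully authenticated request for actor {}", actorUrnStr);`. In the second hunk, `"Unauthorized to perform this action due to expired auth."` asserts a cause the code does not establish: the debug line just above says only that the authenticator chain returned null, which covers absent or malformed credentials as much as expired ones, so a caller who sent no token at all is told their auth expired. Keep the client text neutral, as the earlier `"Unauthorized to perform this action."` was, and if expiry is distinguishable have the authenticator report it in the server-side log, which is where the actor attribution this series is after belongs. doFilter starts and ends outside the hunks.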