Integrate rules into elasticsearch result
I worked on applying rules to search results. The current implementation is for Elasticsearch only.
The implementation has been tested with different rules, policies and roles and the results show the correctness.
Hi there 👋 Thanks for your contribution!
The OpenMetadata team will review the PR shortly! Once it has been labeled as safe to test, the CI workflows
will start executing and we'll be able to make sure everything is working as expected.
Let us know if you need any help!
@HesamoddinMonfared Thanks for taking this up. Let's visit the goals of this integration:
- Users who don't have view access to certain data assets shouldn't be able to see them as part of the search results
- We are not going to worry about the Edit Access conditions as they will be taken care of by the APIs themselves
- Complexity of View conditions Processing
  4. A team can set a condition that only their team members should be able to view all of its assets
  5. A team can set a condition that only their team members should be able to view all of its assets except if it contains certain tags
  6. Admin can set a condition at Org level: any data in a domain should only be viewable by users within that domain, except for assets that are part of Data Products
who will build the conditions, the delegation should be part of the rule itself, i.e. each rule should have a method equivalent to returning true or false. Example: isOwner() takes the security context and returns true or false if the user who logged in is an owner of the asset or part of the team that is the owner of the asset. Similarly, it should return a condition that can be applied to the search query instead of having this logic outside. This way any new conditions added can be implemented methodically rather than adding this logic in another place, which can easily introduce gaps.
Condition evaluation
- Go through the hierarchy of the conditions, similar to what we are doing in the authorizer.
- Process the Deny rule first
- All of these rules should have an operator with AND; if there are multiple rules at the same state, we should look at the condition specified for that rule
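
A sketch of the design requested in the comment above, added here as an example and not taken from the PR or from OpenMetadata's code: each condition exposes both a per-asset boolean check and an equivalent Elasticsearch query clause, and deny rules are applied before allow rules. The class names, index field names (`owner.id`, `tags.tagFQN`), the AND-within-a-rule reading and the default-deny behaviour are assumptions.

```python
from dataclasses import dataclass, field

# Assumed rule shapes and index field names (owner.id, tags.tagFQN);
# this is an illustration, not OpenMetadata's schema or API.
@dataclass
class Subject:
    user_id: str
    team_ids: list

class IsOwner:
    """True when the user, or one of the user's teams, owns the asset."""
    def matches(self, subject, asset):
        return asset.get("owner_id") in [subject.user_id, *subject.team_ids]
    def to_query(self, subject):
        return {"terms": {"owner.id": [subject.user_id, *subject.team_ids]}}

@dataclass
class HasAnyTag:
    tags: list
    def matches(self, subject, asset):
        return bool(set(self.tags) & set(asset.get("tags", [])))
    def to_query(self, subject):
        return {"terms": {"tags.tagFQN": self.tags}}

@dataclass
class Rule:
    effect: str                                     # "allow" or "deny"
    conditions: list = field(default_factory=list)  # ANDed together
    def to_query(self, subject):
        if not self.conditions:                     # unconditional rule
            return {"match_all": {}}
        return {"bool": {"filter": [c.to_query(subject) for c in self.conditions]}}

def build_view_filter(rules, subject):
    """Deny rules always exclude; a hit must then satisfy at least one allow rule."""
    deny = [r.to_query(subject) for r in rules if r.effect == "deny"]
    allow = [r.to_query(subject) for r in rules if r.effect == "allow"]
    if not allow:                                   # nothing grants view: no hits
        return {"match_none": {}}
    return {"bool": {"must_not": deny, "should": allow, "minimum_should_match": 1}}

def secure_search(user_query, rules, subject):
    """Attach the access filter outside the user's query so query text cannot widen it."""
    return {"query": {"bool": {"must": [user_query],
                               "filter": [build_view_filter(rules, subject)]}}}
```

Because the filter is built from the same condition objects that answer `matches()`, a new condition type has to supply both forms in one place, which is the gap the comment is concerned about.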