OpenMetadata
Backend: Policy Rules are not working as expected
Affected module: Backend
Describe the bug
- I have two users: one is an admin and the other is a normal user. The admin user has created one role, DataConsumer, which has a policy with one rule. The rule is something like this: the user can perform all operations on the bot entity.
{
"name": "BotRule",
"effect": "allow",
"resources": [
"bot"
],
"operations": [
"All"
],
"description": ""
}
Issue: Now, as a normal user, if I try to create a bot user, it throws an error.
https://user-images.githubusercontent.com/59080942/187124032-4bc6cb65-866c-40ad-9d7b-ecada6f198b9.mov
- If we don't have the viewAll permission, the user is not able to view his own profile.
https://user-images.githubusercontent.com/59080942/187124584-7d197dac-8d64-45d2-8f39-ac201f670e7a.mov
@sureshms in this case bot creation is guarded by admin only (authorizeAdmin). We either say certain operations are admin-only and remove them from policies, or allow configuring them through the policies. https://github.com/open-metadata/OpenMetadata/blob/main/catalog-rest-service/src/main/java/org/openmetadata/catalog/resources/EntityResource.java#L109 Right now the creation process is limited to admins or bots only. This will be a problem for TestSuite or TestCase creation, and similarly for the above.
@Sachin-chaurasiya and @harshach, this is fixed with recent changes made to Roles and Policies. @Sachin-chaurasiya can you please double check this works and close the issue?
Sure @sureshms, I will verify and update it here.
@sureshms, I have tried with the latest build and it's not working as expected.
https://user-images.githubusercontent.com/59080942/199092580-3d961afc-a4e7-4fcb-8148-75b097f13543.mov
Rule
{
"name": "BotRule",
"description": "Description.",
"effect": "allow",
"operations": [
"All"
],
"resources": [
"bot",
"user"
]
}
Request: PUT http://localhost:8585/api/v1/users
Payload:
{
"description": "description.",
"name": "sachinchaurasiyachotey87",
"displayName": "Sachin Chaurasiya",
"email": "[email protected]",
"isAdmin": false,
"isBot": true,
"authenticationMechanism": {
"authType": "JWT",
"config": {
"JWTTokenExpiry": "OneHour"
}
},
"botName": "sachinchaurasiyachotey87"
}
Response:
{
"code": 403,
"message": "Principal: CatalogPrincipal{name='sachin'} is not admin"
}
@Sachin-chaurasiya bots are a special type of users that can only be created by the Admins. Similarly, a user of type admin can only be created by the Admin.
Try creating other type of entities (which were not allowed in the previous release).
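The two explanations above (bot creation is gated by an admin-only check that runs before the policy rules, so an "allow All on bot/user" rule does not let a normal user mint a bot or admin account) describe an authorization ordering that is easy to get wrong. The following is an added, self-contained model of that ordering, written for this page; it is not OpenMetadata's code. The rule and payload are the ones posted in this thread (the e-mail is left out), while `Principal`, `Rule`, `authorize`, the operation names `Create`/`EditAll`/`ViewAll` and the "a user may always view their own profile" branch are simplifying assumptions made here.

```python
"""Model of a deny-by-default rule check with an admin-only gate for privileged user types.

Added example for this thread, NOT OpenMetadata's implementation. Names, operation
strings and the self-view rule are assumptions; the rule/payload shapes are from the thread.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    """Caller identity (simplified stand-in for the server's principal object)."""
    name: str
    is_admin: bool = False


@dataclass(frozen=True)
class Rule:
    """One policy rule in the JSON shape used in this thread."""
    name: str
    effect: str            # "allow" or "deny"
    resources: frozenset   # entity types, or {"All"}
    operations: frozenset  # operation names, or {"All"}


def rule_from_json(doc: dict) -> Rule:
    return Rule(
        name=doc["name"],
        effect=doc["effect"],
        resources=frozenset(doc["resources"]),
        operations=frozenset(doc["operations"]),
    )


def _matches(rule: Rule, resource: str, operation: str) -> bool:
    return ("All" in rule.resources or resource in rule.resources) and \
           ("All" in rule.operations or operation in rule.operations)


# Payload flags that turn an ordinary user into a privileged principal type.
PRIVILEGED_USER_FLAGS = ("isAdmin", "isBot")


def authorize(principal: Principal, rules: Iterable[Rule], resource: str,
              operation: str, payload: Optional[dict] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). Deny by default.

    The admin-only gate runs BEFORE the rule engine: a policy that allows
    "All" on bot/user must not be usable by a non-admin to create a bot or
    admin account, otherwise the policy becomes a privilege-escalation path.
    """
    payload = payload or {}

    # 1. Hard gate: creating/editing a user flagged as bot or admin needs an admin caller.
    if resource == "user" and operation in ("Create", "EditAll") and \
            any(payload.get(flag) for flag in PRIVILEGED_USER_FLAGS):
        if not principal.is_admin:
            return False, f"Principal: CatalogPrincipal{{name='{principal.name}'}} is not admin"
        return True, "admin"

    # 2. Admins pass everything else.
    if principal.is_admin:
        return True, "admin"

    # 3. Assumed behaviour: a user can always view their own profile, even without ViewAll.
    if resource == "user" and operation == "ViewAll" and payload.get("name") == principal.name:
        return True, "self"

    # 4. Explicit deny beats allow; allow beats the default; otherwise deny.
    matching = [r for r in rules if _matches(r, resource, operation)]
    for r in matching:
        if r.effect == "deny":
            return False, f"denied by rule {r.name}"
    for r in matching:
        if r.effect == "allow":
            return True, f"allowed by rule {r.name}"
    return False, f"no rule allows {operation} on {resource}"


# Constructed inputs: the rule and the PUT /api/v1/users payload from the thread (e-mail omitted).
BOT_RULE = rule_from_json({
    "name": "BotRule", "description": "Description.", "effect": "allow",
    "operations": ["All"], "resources": ["bot", "user"],
})
BOT_PAYLOAD = {"name": "sachinchaurasiyachotey87", "isAdmin": False, "isBot": True}
NORMAL = Principal("sachin")
ADMIN = Principal("admin", is_admin=True)


def demo() -> dict:
    """The cases discussed in the thread, as (allowed, reason) pairs."""
    return {
        "normal_creates_bot": authorize(NORMAL, [BOT_RULE], "user", "Create", BOT_PAYLOAD),
        "admin_creates_bot": authorize(ADMIN, [BOT_RULE], "user", "Create", BOT_PAYLOAD),
        "normal_creates_plain_user": authorize(NORMAL, [BOT_RULE], "user", "Create", {"name": "alice"}),
        "normal_escalates_to_admin": authorize(NORMAL, [BOT_RULE], "user", "Create",
                                               {"name": "alice", "isAdmin": True}),
        "normal_views_self": authorize(NORMAL, [], "user", "ViewAll", {"name": "sachin"}),
        "normal_creates_glossary": authorize(NORMAL, [BOT_RULE], "glossary", "Create"),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:28} {'ALLOW' if ok else 'DENY':5} {why}")
```

The point of the ordering is that step 1 is not a policy decision at all: it keys on what the *target* object would become (a bot or an admin), not on what the rules grant, so no combination of allow rules can reach it. A UI that only hides the create-bot button for non-admins is a usability fix; the server-side gate is what prevents the escalation.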
I have tried for glossary and tags, and both are working based on the rules.
@harshach @sureshms, so for bots and users, should we make changes on the UI side to only allow the admin to create and update the entity?
@Sachin-chaurasiya yes. that sounds good to me
Thanks, @harshach, I will make those changes.