Skip to content

Commit

Permalink
fix(manage-tokens): fix manage access token policy (#10853)
Browse files Browse the repository at this point in the history
  • Loading branch information
david-leifker authored and yoonhyejin committed Jul 16, 2024
1 parent 5a51fb3 commit 75c5721
Show file tree
Hide file tree
Showing 2 changed files with 38 additions and 3 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
import static com.linkedin.metadata.Constants.*;
import static com.linkedin.metadata.authorization.ApiOperation.DELETE;
import static com.linkedin.metadata.authorization.ApiOperation.MANAGE;
import static com.linkedin.metadata.authorization.PoliciesConfig.MANAGE_ACCESS_TOKENS;

import com.datahub.authorization.AuthUtil;
import com.datahub.authorization.ConjunctivePrivilegeGroup;
Expand Down Expand Up @@ -52,9 +53,11 @@ public static boolean canManagePolicies(@Nonnull QueryContext context) {

public static boolean canGeneratePersonalAccessToken(@Nonnull QueryContext context) {
return AuthUtil.isAuthorized(
context.getAuthorizer(),
context.getActorUrn(),
PoliciesConfig.GENERATE_PERSONAL_ACCESS_TOKENS_PRIVILEGE);
context.getAuthorizer(),
context.getActorUrn(),
PoliciesConfig.GENERATE_PERSONAL_ACCESS_TOKENS_PRIVILEGE)
|| AuthUtil.isAuthorized(
context.getAuthorizer(), context.getActorUrn(), MANAGE_ACCESS_TOKENS);
}

public static boolean canManageTokens(@Nonnull QueryContext context) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -971,6 +971,38 @@ public class PoliciesConfig {
ApiOperation.EXISTS,
API_PRIVILEGE_MAP.get(ApiGroup.ENTITY).get(ApiOperation.EXISTS))
.build())
.put(
// regular entity level permissions + MANAGE_ACCESS_TOKENS
Constants.ACCESS_TOKEN_ENTITY_NAME,
ImmutableMap.<ApiOperation, Disjunctive<Conjunctive<Privilege>>>builder()
.put(
ApiOperation.CREATE,
Disjunctive.disjoint(
MANAGE_ACCESS_TOKENS, CREATE_ENTITY_PRIVILEGE, EDIT_ENTITY_PRIVILEGE))
.put(
ApiOperation.READ,
Disjunctive.disjoint(
MANAGE_ACCESS_TOKENS,
VIEW_ENTITY_PAGE_PRIVILEGE,
GET_ENTITY_PRIVILEGE,
EDIT_ENTITY_PRIVILEGE,
DELETE_ENTITY_PRIVILEGE))
.put(
ApiOperation.UPDATE,
Disjunctive.disjoint(MANAGE_ACCESS_TOKENS, EDIT_ENTITY_PRIVILEGE))
.put(
ApiOperation.DELETE,
Disjunctive.disjoint(MANAGE_ACCESS_TOKENS, DELETE_ENTITY_PRIVILEGE))
.put(
ApiOperation.EXISTS,
Disjunctive.disjoint(
MANAGE_ACCESS_TOKENS,
EXISTS_ENTITY_PRIVILEGE,
EDIT_ENTITY_PRIVILEGE,
DELETE_ENTITY_PRIVILEGE,
VIEW_ENTITY_PAGE_PRIVILEGE,
SEARCH_PRIVILEGE))
.build())
.build();

/**
Expand Down

0 comments on commit 75c5721

Please sign in to comment.