
Authorization with owner policies via groups does not work with REST auth enabled #8781

Closed
DSchmidtDev opened this issue Sep 5, 2023 · 5 comments
Assignees
Labels
bug Bug report platform PR-s that make changes to core parts of the platform

Comments

@DSchmidtDev
Contributor

Describe the bug
We are currently running into an issue with policies for dataset owners and METADATA_SERVICE_AUTH enabled where the indirect membership via groups seems not to be resolved correctly and therefore the user is not able to view the dataset details.

The setup looks like the following:

  • there is a dataset A
  • dataset A does not have any usage or profiling information
  • there is a policy P which allows owners of datasets to view all asset details
  • group X is technical owner of dataset A
  • user T is member of group X
  • we have enabled METADATA_SERVICE_AUTH in our deployment

Now if user T wants to access the entity, he gets a 500 in the UI and gets no details, as he has no permissions to view the asset.
In the GMS backend we get the following error messages (just an extract of the most relevant lines):

ERROR c.l.m.filter.RestliLoggingFilter:38 - Rest.li error:
com.linkedin.restli.server.RestLiServiceException: User is unauthorized to query usage.
	at com.linkedin.metadata.resources.usage.UsageStats.queryRange(UsageStats.java:382)
[...]
ERROR c.l.common.callback.CallbackAdapter:90 - Failed to convert callback error, original exception follows:
com.linkedin.r2.message.rest.RestException: Received error 401 from server for URI http://localhost:8080/usageStats
[...]
ERROR c.l.d.g.r.d.DatasetStatsSummaryResolver:75 - Failed to load Usage Stats summary for resource urn:li:dataset:(urn:li:dataPlatform:kafka,A,PROD)
com.linkedin.r2.RemoteInvocationException: com.linkedin.data.template.RequiredFieldNotPresentException: Field "value" is required but it is not present
[...]
ERROR c.l.d.g.e.DataHubDataFetcherExceptionHandler:21 - Failed to execute DataFetcher
java.util.concurrent.CompletionException: java.lang.RuntimeException: Failed to load Usage Stats for resource urn:li:dataset:(urn:li:dataPlatform:kafka,A,PROD)

Things I tried:

  • removing the privileges to view profile and view usage, but it does not make a difference
  • adding the user T explicitly as owner to the dataset A does not work
  • adding the user T explicitly to the policy works
  • after disabling METADATA_SERVICE_AUTH it works

To Reproduce
Steps to reproduce the behavior:
see description of setup above

Expected behavior
I would expect that the authorization module would resolve the group permissions of the actor and allow the user to access the dataset details.
Or if he does not have the privileges to see usage stats they are not fetched from the backend and greyed out.

Versions

  • DataHub v0.10.5.5
  • Helm chart 0.2.182
@DSchmidtDev DSchmidtDev added the bug Bug report label Sep 5, 2023
@RyanHolstien
Collaborator

RyanHolstien commented Sep 5, 2023

Can you share the policy configuration?

@DSchmidtDev
Contributor Author

@RyanHolstien yes, I fetched the policy via GraphQL and it looks like this. Does this help?

{
  "urn": "urn:li:dataHubPolicy:owner-policy",
  "type": "METADATA",
  "name": "Owner Policy",
  "state": "ACTIVE",
  "privileges": [
    "VIEW_ENTITY_PAGE",
    "EDIT_ENTITY_TAGS",
    "EDIT_ENTITY_GLOSSARY_TERMS",
    "EDIT_ENTITY_OWNERS",
    "EDIT_ENTITY_DOCS",
    "EDIT_ENTITY_DOC_LINKS",
    "EDIT_ENTITY_STATUS",
    "EDIT_DOMAINS_PRIVILEGE",
    "EDIT_DEPRECATION_PRIVILEGE",
    "EDIT_ENTITY_ASSERTIONS",
    "EDIT_ENTITY",
    "EDIT_DATASET_COL_TAGS",
    "EDIT_DATASET_COL_GLOSSARY_TERMS",
    "EDIT_DATASET_COL_DESCRIPTION",
    "EDIT_TAG_COLOR",
    "EDIT_GROUP_MEMBERS",
    "EDIT_USER_PROFILE",
    "EDIT_CONTACT_INFO",
    "MANAGE_ENTITY_TAGS_PRIVILEGE",
    "MANAGE_ENTITY_GLOSSARY_TERMS_PRIVILEGE",
    "MANAGE_DATASET_COL_GLOSSARY_TERMS_PRIVILEGE",
    "MANAGE_DATASET_COL_TAGS_PRIVILEGE",
    "EDIT_ENTITY_ASSERTIONS_PRIVILEGE",
    "VIEW_DATASET_USAGE",
    "VIEW_DATASET_PROFILE"
  ],
  "description": "Owners have privileges ONLY for assets they own.",
  "resources": {
    "type": null,
    "resources": null,
    "allResources": false,
    "filter": {
      "criteria": [],
      "__typename": "PolicyMatchFilter"
    }
  },
  "actors": {
    "users": [],
    "groups": [],
    "resourceOwners": true,
    "allUsers": false,
    "allGroups": false
  },
  "editable": true
}

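The following is an added illustration, not DataHub code: a small model of how an owner policy with `resourceOwners: true` should be evaluated for the setup in this issue (group X owns dataset A, user T is a member of X). It contrasts an ownership check that only matches directly listed owners with one that resolves the actor's groups, and shows the usage-stats view degrading to a greyed-out result instead of a backend 401 surfacing as a 500. All URNs, data structures and function names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data mirroring the issue: group X owns dataset A, user T is a member of X.
DATASET_A = "urn:li:dataset:(urn:li:dataPlatform:kafka,A,PROD)"
GROUP_X = "urn:li:corpGroup:X"
USER_T = "urn:li:corpuser:T"
OWNERS = {DATASET_A: {GROUP_X}}
GROUP_MEMBERS = {GROUP_X: {USER_T}}


@dataclass
class Policy:
    urn: str
    privileges: set
    resource_owners: bool = False          # the policy's "actors.resourceOwners" flag
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)


OWNER_POLICY = Policy("urn:li:dataHubPolicy:owner-policy",
                      {"VIEW_ENTITY_PAGE", "VIEW_DATASET_USAGE", "VIEW_DATASET_PROFILE"},
                      resource_owners=True)


def groups_of(actor):
    """Groups the actor belongs to (direct membership only in this model)."""
    return {g for g, members in GROUP_MEMBERS.items() if actor in members}


def is_owner(actor, resource, resolve_groups):
    """Ownership check; with resolve_groups=False only a directly listed owner matches."""
    owners = OWNERS.get(resource, set())
    return actor in owners or (resolve_groups and bool(groups_of(actor) & owners))


def is_authorized(actor, privilege, resource, policies, resolve_groups=True):
    """True if any policy grants the privilege to the actor directly, via a group, or via ownership."""
    for p in policies:
        if privilege not in p.privileges:
            continue
        if actor in p.users or groups_of(actor) & p.groups:
            return True
        if p.resource_owners and is_owner(actor, resource, resolve_groups):
            return True
    return False


def usage_stats_view(actor, resource, policies, resolve_groups=True):
    """Only query usage stats when authorized; otherwise return a greyed-out marker."""
    if not is_authorized(actor, "VIEW_DATASET_USAGE", resource, policies, resolve_groups):
        return {"available": False, "reason": "no VIEW_DATASET_USAGE privilege"}
    return {"available": True, "stats": "<fetched from usage endpoint>"}
```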
@RyanHolstien
Collaborator

Yes! Thank you, will reproduce and try to fix the issue.

@RyanHolstien RyanHolstien self-assigned this Sep 5, 2023
@RyanHolstien RyanHolstien added the platform PR-s that make changes to core parts of the platform label Sep 5, 2023
@DSchmidtDev
Contributor Author

DSchmidtDev commented Sep 5, 2023

Great, thanks. I need to add that we have set REST_API_AUTHORIZATION_ENABLED to true in GMS. That's the more important config than METADATA_SERVICE_AUTH, I guess.

@siladitya2
Contributor

siladitya2 commented Sep 11, 2023

Hi,

I think I also encountered the same issue, which blocked our work. I have already raised a PR with the fix.
Please review and merge the PR.

Thanks,
Siladitya
