From e67d8acb5b1c1fba31c307372c2c2bb47982d64e Mon Sep 17 00:00:00 2001
From: David Leifker
Date: Thu, 4 Jul 2024 11:11:37 -0500
Subject: [PATCH] fix(manage-tokens): fix manage access token policy

---
 .../authorization/AuthorizationUtils.java | 9 ++++--
 .../authorization/PoliciesConfig.java | 32 +++++++++++++++++++
 2 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/authorization/AuthorizationUtils.java b/datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/authorization/AuthorizationUtils.java
index fa09a0fded5fb..b9b4e4f4ef292 100644
--- a/datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/authorization/AuthorizationUtils.java
+++ b/datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/authorization/AuthorizationUtils.java
@@ -5,6 +5,7 @@
 import static com.linkedin.metadata.Constants.*;
 import static com.linkedin.metadata.authorization.ApiOperation.DELETE;
 import static com.linkedin.metadata.authorization.ApiOperation.MANAGE;
+import static com.linkedin.metadata.authorization.PoliciesConfig.MANAGE_ACCESS_TOKENS;
 
 import com.datahub.authorization.AuthUtil;
 import com.datahub.authorization.ConjunctivePrivilegeGroup;
@@ -52,9 +53,11 @@ public static boolean canManagePolicies(@Nonnull QueryContext context) {
 
   public static boolean canGeneratePersonalAccessToken(@Nonnull QueryContext context) {
     return AuthUtil.isAuthorized(
-        context.getAuthorizer(),
-        context.getActorUrn(),
-        PoliciesConfig.GENERATE_PERSONAL_ACCESS_TOKENS_PRIVILEGE);
+            context.getAuthorizer(),
+            context.getActorUrn(),
+            PoliciesConfig.GENERATE_PERSONAL_ACCESS_TOKENS_PRIVILEGE)
+        || AuthUtil.isAuthorized(
+            context.getAuthorizer(), context.getActorUrn(), MANAGE_ACCESS_TOKENS);
   }
 
   public static boolean canManageTokens(@Nonnull QueryContext context) {
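Review bot: The new `||` branch in canGeneratePersonalAccessToken refers to the privilege through the freshly static-imported `MANAGE_ACCESS_TOKENS`, while the line two above still spells the sibling constant as `PoliciesConfig.GENERATE_PERSONAL_ACCESS_TOKENS_PRIVILEGE`, so the same method mixes two reference styles for constants from the same class. Writing `PoliciesConfig.MANAGE_ACCESS_TOKENS` here would keep the method uniform and make the new static import in the first hunk unnecessary (the file already imports `PoliciesConfig` by its qualified uses). The method also has no Javadoc, and since this change silently widens who may mint tokens, a one-liner such as `/** True when the actor holds GENERATE_PERSONAL_ACCESS_TOKENS_PRIVILEGE or the broader MANAGE_ACCESS_TOKENS; token managers are allowed to generate tokens too. */` would record the intent. The authorizer is now consulted twice per call; if `AuthUtil.isAuthorized` has an overload that accepts a disjunctive privilege group (the file imports `ConjunctivePrivilegeGroup`, which suggests one may exist), a single call would express the either-privilege rule more directly, but I cannot confirm that signature from this hunk.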
diff --git a/metadata-utils/src/main/java/com/linkedin/metadata/authorization/PoliciesConfig.java b/metadata-utils/src/main/java/com/linkedin/metadata/authorization/PoliciesConfig.java
index a4fcb65687353..c20b287a47141 100644
--- a/metadata-utils/src/main/java/com/linkedin/metadata/authorization/PoliciesConfig.java
+++ b/metadata-utils/src/main/java/com/linkedin/metadata/authorization/PoliciesConfig.java
@@ -971,6 +971,38 @@ public class PoliciesConfig {
                           ApiOperation.EXISTS,
                           API_PRIVILEGE_MAP.get(ApiGroup.ENTITY).get(ApiOperation.EXISTS))
                       .build())
+              .put(
+                  // regular entity level permissions
+                  MANAGE_ACCESS_TOKENS + Constants.ACCESS_TOKEN_ENTITY_NAME,
+                  ImmutableMap.>>builder()
+                      .put(
+                          ApiOperation.CREATE,
+                          Disjunctive.disjoint(
+                              MANAGE_ACCESS_TOKENS, CREATE_ENTITY_PRIVILEGE, EDIT_ENTITY_PRIVILEGE))
+                      .put(
+                          ApiOperation.READ,
+                          Disjunctive.disjoint(
+                              MANAGE_ACCESS_TOKENS,
+                              VIEW_ENTITY_PAGE_PRIVILEGE,
+                              GET_ENTITY_PRIVILEGE,
+                              EDIT_ENTITY_PRIVILEGE,
+                              DELETE_ENTITY_PRIVILEGE))
+                      .put(
+                          ApiOperation.UPDATE,
+                          Disjunctive.disjoint(MANAGE_ACCESS_TOKENS, EDIT_ENTITY_PRIVILEGE))
+                      .put(
+                          ApiOperation.DELETE,
+                          Disjunctive.disjoint(MANAGE_ACCESS_TOKENS, DELETE_ENTITY_PRIVILEGE))
+                      .put(
+                          ApiOperation.EXISTS,
+                          Disjunctive.disjoint(
+                              MANAGE_ACCESS_TOKENS,
+                              EXISTS_ENTITY_PRIVILEGE,
+                              EDIT_ENTITY_PRIVILEGE,
+                              DELETE_ENTITY_PRIVILEGE,
+                              VIEW_ENTITY_PAGE_PRIVILEGE,
+                              SEARCH_PRIVILEGE))
+                      .build())
               .build();
 
   /**
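Review bot: The map key on the third added line, `MANAGE_ACCESS_TOKENS + Constants.ACCESS_TOKEN_ENTITY_NAME`, string-concatenates a privilege constant with the entity name, so this entry is stored under a synthesized key rather than the plain entity name that the comment `// regular entity level permissions` describes. If the map is looked up by entity type the way the neighbouring entry keyed on an entity name suggests, nothing in this diff builds that composite key, and the per-operation grants below it would never be consulted; if some lookup elsewhere does construct the same string, that coupling should be named in the comment, e.g. `// composite key: looked up by <caller> as privilege + entity type`. If the plain key was intended, the one-line fix is `Constants.ACCESS_TOKEN_ENTITY_NAME,`, keeping in mind that `ImmutableMap.Builder` rejects a duplicate key at `build()`, so any existing entry for that entity must be replaced rather than added alongside. Independently of the key, these rows let holders of generic entity privileges such as `EDIT_ENTITY_PRIVILEGE` and `DELETE_ENTITY_PRIVILEGE` read, update and delete access-token entities, which widens who can act on other users' tokens beyond `MANAGE_ACCESS_TOKENS`; a comment stating that this broadening is deliberate would help the next reviewer. The initializer this hunk extends begins outside the hunk, so I cannot see the map's declared key type or its other entries.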