feat(auth) - Manage Children Glossary term authorization check for Ow…

…ner, Domain, Remove link (#11337)

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/GmsGraphQLEngine.java

@@ -1192,13 +1192,15 @@ private void configureMutationResolvers(final RuntimeWiring.Builder builder) {
  .dataFetcher(
  "updateDescription",
  new UpdateDescriptionResolver(entityService, this.entityClient))
- .dataFetcher("addOwner", new AddOwnerResolver(entityService))
- .dataFetcher("addOwners", new AddOwnersResolver(entityService))
- .dataFetcher("batchAddOwners", new BatchAddOwnersResolver(entityService))
- .dataFetcher("removeOwner", new RemoveOwnerResolver(entityService))
- .dataFetcher("batchRemoveOwners", new BatchRemoveOwnersResolver(entityService))
+ .dataFetcher("addOwner", new AddOwnerResolver(entityService, entityClient))
+ .dataFetcher("addOwners", new AddOwnersResolver(entityService, entityClient))
+ .dataFetcher(
+ "batchAddOwners", new BatchAddOwnersResolver(entityService, entityClient))
+ .dataFetcher("removeOwner", new RemoveOwnerResolver(entityService, entityClient))
+ .dataFetcher(
+ "batchRemoveOwners", new BatchRemoveOwnersResolver(entityService, entityClient))
  .dataFetcher("addLink", new AddLinkResolver(entityService, this.entityClient))
- .dataFetcher("removeLink", new RemoveLinkResolver(entityService))
+ .dataFetcher("removeLink", new RemoveLinkResolver(entityService, entityClient))
  .dataFetcher("addGroupMembers", new AddGroupMembersResolver(this.groupService))
  .dataFetcher("removeGroupMembers", new RemoveGroupMembersResolver(this.groupService))
  .dataFetcher("createGroup", new CreateGroupResolver(this.groupService))
@@ -1212,7 +1214,8 @@ private void configureMutationResolvers(final RuntimeWiring.Builder builder) {
  .dataFetcher("deleteDomain", new DeleteDomainResolver(entityClient))
  .dataFetcher(
  "setDomain", new SetDomainResolver(this.entityClient, this.entityService))
- .dataFetcher("batchSetDomain", new BatchSetDomainResolver(this.entityService))
+ .dataFetcher(
+ "batchSetDomain", new BatchSetDomainResolver(this.entityService, entityClient))
  .dataFetcher(
  "updateDeprecation",
  new UpdateDeprecationResolver(this.entityClient, this.entityService))

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/domain/SetDomainResolver.java

@@ -44,7 +44,7 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
  return GraphQLConcurrencyUtils.supplyAsync(
  () -> {
  if (!DomainUtils.isAuthorizedToUpdateDomainsForEntity(
- environment.getContext(), entityUrn)) {
+ environment.getContext(), entityUrn, _entityClient)) {
  throw new AuthorizationException(
  "Unauthorized to perform this action. Please contact your DataHub administrator.");
  }

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/domain/UnsetDomainResolver.java

@@ -43,7 +43,7 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
  return GraphQLConcurrencyUtils.supplyAsync(
  () -> {
  if (!DomainUtils.isAuthorizedToUpdateDomainsForEntity(
- environment.getContext(), entityUrn)) {
+ environment.getContext(), entityUrn, _entityClient)) {
  throw new AuthorizationException(
  "Unauthorized to perform this action. Please contact your DataHub administrator.");
  }

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/glossary/AddRelatedTermsResolver.java

@@ -46,8 +46,7 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
 
  return GraphQLConcurrencyUtils.supplyAsync(
  () -> {
- final Urn parentUrn = GlossaryUtils.getParentUrn(urn, context, _entityClient);
- if (GlossaryUtils.canManageChildrenEntities(context, parentUrn, _entityClient)) {
+ if (GlossaryUtils.canUpdateGlossaryEntity(urn, context, _entityClient)) {
  try {
  final TermRelationshipType relationshipType = input.getRelationshipType();
  final List<Urn> termUrns =

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/glossary/DeleteGlossaryEntityResolver.java

@@ -29,11 +29,10 @@ public CompletableFuture<Boolean> get(final DataFetchingEnvironment environment)
  throws Exception {
  final QueryContext context = environment.getContext();
  final Urn entityUrn = Urn.createFromString(environment.getArgument("urn"));
- final Urn parentNodeUrn = GlossaryUtils.getParentUrn(entityUrn, context, _entityClient);
 
  return GraphQLConcurrencyUtils.supplyAsync(
  () -> {
- if (GlossaryUtils.canManageChildrenEntities(context, parentNodeUrn, _entityClient)) {
+ if (GlossaryUtils.canUpdateGlossaryEntity(entityUrn, context, _entityClient)) {
  if (!_entityService.exists(context.getOperationContext(), entityUrn, true)) {
  throw new RuntimeException(String.format("This urn does not exist: %s", entityUrn));
  }

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/glossary/RemoveRelatedTermsResolver.java

@@ -42,8 +42,7 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
 
  return GraphQLConcurrencyUtils.supplyAsync(
  () -> {
- final Urn parentUrn = GlossaryUtils.getParentUrn(urn, context, _entityClient);
- if (GlossaryUtils.canManageChildrenEntities(context, parentUrn, _entityClient)) {
+ if (GlossaryUtils.canUpdateGlossaryEntity(urn, context, _entityClient)) {
  try {
  final TermRelationshipType relationshipType = input.getRelationshipType();
  final List<Urn> termUrnsToRemove =

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/AddLinkResolver.java

@@ -11,7 +11,6 @@
 import com.linkedin.datahub.graphql.resolvers.mutate.util.GlossaryUtils;
 import com.linkedin.datahub.graphql.resolvers.mutate.util.LinkUtils;
 import com.linkedin.entity.client.EntityClient;
-import com.linkedin.metadata.Constants;
 import com.linkedin.metadata.entity.EntityService;
 import graphql.schema.DataFetcher;
 import graphql.schema.DataFetchingEnvironment;
@@ -36,7 +35,7 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
  Urn targetUrn = Urn.createFromString(input.getResourceUrn());
 
  if (!LinkUtils.isAuthorizedToUpdateLinks(context, targetUrn)
- && !canUpdateGlossaryEntityLinks(targetUrn, context)) {
+ && !GlossaryUtils.canUpdateGlossaryEntity(targetUrn, context, _entityClient)) {
  throw new AuthorizationException(
  "Unauthorized to perform this action. Please contact your DataHub administrator.");
  }
@@ -70,18 +69,4 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
  this.getClass().getSimpleName(),
  "get");
  }
-
- // Returns whether this is a glossary entity and whether you can edit this glossary entity with
- // the
- // Manage all children or Manage direct children privileges
- private boolean canUpdateGlossaryEntityLinks(Urn targetUrn, QueryContext context) {
- final boolean isGlossaryEntity =
- targetUrn.getEntityType().equals(Constants.GLOSSARY_TERM_ENTITY_NAME)
- || targetUrn.getEntityType().equals(Constants.GLOSSARY_NODE_ENTITY_NAME);
- if (!isGlossaryEntity) {
- return false;
- }
- final Urn parentNodeUrn = GlossaryUtils.getParentUrn(targetUrn, context, _entityClient);
- return GlossaryUtils.canManageChildrenEntities(context, parentNodeUrn, _entityClient);
- }
 }

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/AddOwnerResolver.java

@@ -11,6 +11,7 @@
 import com.linkedin.datahub.graphql.generated.OwnerInput;
 import com.linkedin.datahub.graphql.generated.ResourceRefInput;
 import com.linkedin.datahub.graphql.resolvers.mutate.util.OwnerUtils;
+import com.linkedin.entity.client.EntityClient;
 import com.linkedin.metadata.entity.EntityService;
 import graphql.schema.DataFetcher;
 import graphql.schema.DataFetchingEnvironment;
@@ -23,6 +24,7 @@
 public class AddOwnerResolver implements DataFetcher<CompletableFuture<Boolean>> {
 
  private final EntityService _entityService;
+ private final EntityClient _entityClient;
 
  @Override
  public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throws Exception {
@@ -41,7 +43,7 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
  }
 
  OwnerInput ownerInput = ownerInputBuilder.build();
- OwnerUtils.validateAuthorizedToUpdateOwners(context, targetUrn);
+ OwnerUtils.validateAuthorizedToUpdateOwners(context, targetUrn, _entityClient);
 
  return GraphQLConcurrencyUtils.supplyAsync(
  () -> {

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/AddOwnersResolver.java

@@ -11,6 +11,7 @@
 import com.linkedin.datahub.graphql.generated.OwnerInput;
 import com.linkedin.datahub.graphql.generated.ResourceRefInput;
 import com.linkedin.datahub.graphql.resolvers.mutate.util.OwnerUtils;
+import com.linkedin.entity.client.EntityClient;
 import com.linkedin.metadata.entity.EntityService;
 import graphql.schema.DataFetcher;
 import graphql.schema.DataFetchingEnvironment;
@@ -24,6 +25,7 @@
 public class AddOwnersResolver implements DataFetcher<CompletableFuture<Boolean>> {
 
  private final EntityService _entityService;
+ private final EntityClient _entityClient;
 
  @Override
  public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throws Exception {
@@ -35,7 +37,8 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
 
  return GraphQLConcurrencyUtils.supplyAsync(
  () -> {
- OwnerUtils.validateAuthorizedToUpdateOwners(environment.getContext(), targetUrn);
+ OwnerUtils.validateAuthorizedToUpdateOwners(
+ environment.getContext(), targetUrn, _entityClient);
 
  OwnerUtils.validateAddOwnerInput(
  context.getOperationContext(), owners, targetUrn, _entityService);

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/BatchAddOwnersResolver.java

@@ -11,6 +11,7 @@
 import com.linkedin.datahub.graphql.generated.ResourceRefInput;
 import com.linkedin.datahub.graphql.resolvers.mutate.util.LabelUtils;
 import com.linkedin.datahub.graphql.resolvers.mutate.util.OwnerUtils;
+import com.linkedin.entity.client.EntityClient;
 import com.linkedin.metadata.entity.EntityService;
 import graphql.schema.DataFetcher;
 import graphql.schema.DataFetchingEnvironment;
@@ -27,6 +28,7 @@
 public class BatchAddOwnersResolver implements DataFetcher<CompletableFuture<Boolean>> {
 
  private final EntityService _entityService;
+ private final EntityClient _entityClient;
 
  @Override
  public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throws Exception {
@@ -80,7 +82,7 @@ private void validateInputResource(
  "Malformed input provided: owners cannot be applied to subresources.");
  }
 
- OwnerUtils.validateAuthorizedToUpdateOwners(context, resourceUrn);
+ OwnerUtils.validateAuthorizedToUpdateOwners(context, resourceUrn, _entityClient);
  LabelUtils.validateResource(
  opContext,
  resourceUrn,

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/BatchRemoveOwnersResolver.java

@@ -10,6 +10,7 @@
 import com.linkedin.datahub.graphql.generated.ResourceRefInput;
 import com.linkedin.datahub.graphql.resolvers.mutate.util.LabelUtils;
 import com.linkedin.datahub.graphql.resolvers.mutate.util.OwnerUtils;
+import com.linkedin.entity.client.EntityClient;
 import com.linkedin.metadata.entity.EntityService;
 import graphql.schema.DataFetcher;
 import graphql.schema.DataFetchingEnvironment;
@@ -24,6 +25,7 @@
 public class BatchRemoveOwnersResolver implements DataFetcher<CompletableFuture<Boolean>> {
 
  private final EntityService _entityService;
+ private final EntityClient _entityClient;
 
  @Override
  public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throws Exception {
@@ -72,7 +74,7 @@ private void validateInputResource(ResourceRefInput resource, QueryContext conte
  "Malformed input provided: owners cannot be removed from subresources.");
  }
 
- OwnerUtils.validateAuthorizedToUpdateOwners(context, resourceUrn);
+ OwnerUtils.validateAuthorizedToUpdateOwners(context, resourceUrn, _entityClient);
  LabelUtils.validateResource(
  context.getOperationContext(),
  resourceUrn,

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/BatchSetDomainResolver.java

@@ -11,6 +11,7 @@
 import com.linkedin.datahub.graphql.generated.ResourceRefInput;
 import com.linkedin.datahub.graphql.resolvers.mutate.util.DomainUtils;
 import com.linkedin.datahub.graphql.resolvers.mutate.util.LabelUtils;
+import com.linkedin.entity.client.EntityClient;
 import com.linkedin.metadata.entity.EntityService;
 import graphql.schema.DataFetcher;
 import graphql.schema.DataFetchingEnvironment;
@@ -28,6 +29,7 @@
 public class BatchSetDomainResolver implements DataFetcher<CompletableFuture<Boolean>> {
 
  private final EntityService _entityService;
+ private final EntityClient _entityClient;
 
  @Override
  public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throws Exception {
@@ -74,7 +76,7 @@ private void validateInputResources(List<ResourceRefInput> resources, QueryConte
 
  private void validateInputResource(ResourceRefInput resource, QueryContext context) {
  final Urn resourceUrn = UrnUtils.getUrn(resource.getResourceUrn());
- if (!DomainUtils.isAuthorizedToUpdateDomainsForEntity(context, resourceUrn)) {
+ if (!DomainUtils.isAuthorizedToUpdateDomainsForEntity(context, resourceUrn, _entityClient)) {
  throw new AuthorizationException(
  "Unauthorized to perform this action. Please contact your DataHub administrator.");
  }

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/RemoveLinkResolver.java

@@ -8,7 +8,9 @@
 import com.linkedin.datahub.graphql.concurrency.GraphQLConcurrencyUtils;
 import com.linkedin.datahub.graphql.exception.AuthorizationException;
 import com.linkedin.datahub.graphql.generated.RemoveLinkInput;
+import com.linkedin.datahub.graphql.resolvers.mutate.util.GlossaryUtils;
 import com.linkedin.datahub.graphql.resolvers.mutate.util.LinkUtils;
+import com.linkedin.entity.client.EntityClient;
 import com.linkedin.metadata.entity.EntityService;
 import graphql.schema.DataFetcher;
 import graphql.schema.DataFetchingEnvironment;
@@ -21,6 +23,7 @@
 public class RemoveLinkResolver implements DataFetcher<CompletableFuture<Boolean>> {
 
  private final EntityService _entityService;
+ private final EntityClient _entityClient;
 
  @Override
  public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throws Exception {
@@ -31,7 +34,8 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
  String linkUrl = input.getLinkUrl();
  Urn targetUrn = Urn.createFromString(input.getResourceUrn());
 
- if (!LinkUtils.isAuthorizedToUpdateLinks(context, targetUrn)) {
+ if (!LinkUtils.isAuthorizedToUpdateLinks(context, targetUrn)
+ && !GlossaryUtils.canUpdateGlossaryEntity(targetUrn, context, _entityClient)) {
  throw new AuthorizationException(
  "Unauthorized to perform this action. Please contact your DataHub administrator.");
  }

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/RemoveOwnerResolver.java

@@ -10,6 +10,7 @@
 import com.linkedin.datahub.graphql.generated.RemoveOwnerInput;
 import com.linkedin.datahub.graphql.generated.ResourceRefInput;
 import com.linkedin.datahub.graphql.resolvers.mutate.util.OwnerUtils;
+import com.linkedin.entity.client.EntityClient;
 import com.linkedin.metadata.entity.EntityService;
 import graphql.schema.DataFetcher;
 import graphql.schema.DataFetchingEnvironment;
@@ -22,6 +23,7 @@
 public class RemoveOwnerResolver implements DataFetcher<CompletableFuture<Boolean>> {
 
  private final EntityService _entityService;
+ private final EntityClient _entityClient;
 
  @Override
  public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throws Exception {
@@ -36,7 +38,7 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
  ? null
  : Urn.createFromString(input.getOwnershipTypeUrn());
 
- OwnerUtils.validateAuthorizedToUpdateOwners(context, targetUrn);
+ OwnerUtils.validateAuthorizedToUpdateOwners(context, targetUrn, _entityClient);
 
  return GraphQLConcurrencyUtils.supplyAsync(
  () -> {

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/UpdateNameResolver.java

@@ -87,8 +87,7 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
 
  private Boolean updateGlossaryTermName(
  Urn targetUrn, UpdateNameInput input, QueryContext context) {
- final Urn parentNodeUrn = GlossaryUtils.getParentUrn(targetUrn, context, _entityClient);
- if (GlossaryUtils.canManageChildrenEntities(context, parentNodeUrn, _entityClient)) {
+ if (GlossaryUtils.canUpdateGlossaryEntity(targetUrn, context, _entityClient)) {
  try {
  GlossaryTermInfo glossaryTermInfo =
  (GlossaryTermInfo)
@@ -123,8 +122,7 @@ private Boolean updateGlossaryTermName(
 
  private Boolean updateGlossaryNodeName(
  Urn targetUrn, UpdateNameInput input, QueryContext context) {
- final Urn parentNodeUrn = GlossaryUtils.getParentUrn(targetUrn, context, _entityClient);
- if (GlossaryUtils.canManageChildrenEntities(context, parentNodeUrn, _entityClient)) {
+ if (GlossaryUtils.canUpdateGlossaryEntity(targetUrn, context, _entityClient)) {
  try {
  GlossaryNodeInfo glossaryNodeInfo =
  (GlossaryNodeInfo)

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/util/DomainUtils.java

@@ -60,7 +60,12 @@ public class DomainUtils {
  private DomainUtils() {}
 
  public static boolean isAuthorizedToUpdateDomainsForEntity(
- @Nonnull QueryContext context, Urn entityUrn) {
+ @Nonnull QueryContext context, Urn entityUrn, EntityClient entityClient) {
+
+ if (GlossaryUtils.canUpdateGlossaryEntity(entityUrn, context, entityClient)) {
+ return true;
+ }
+
  final DisjunctivePrivilegeGroup orPrivilegeGroups =
  new DisjunctivePrivilegeGroup(
  ImmutableList.of(

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/util/GlossaryUtils.java

@@ -36,6 +36,21 @@ public static boolean canManageGlossaries(@Nonnull QueryContext context) {
  context.getOperationContext(), PoliciesConfig.MANAGE_GLOSSARIES_PRIVILEGE);
  }
 
+ // Returns whether this is a glossary entity and whether you can edit this glossary entity with
+ // the
+ // Manage all children or Manage direct children privileges
+ public static boolean canUpdateGlossaryEntity(
+ Urn targetUrn, QueryContext context, EntityClient entityClient) {
+ final boolean isGlossaryEntity =
+ targetUrn.getEntityType().equals(Constants.GLOSSARY_TERM_ENTITY_NAME)
+ || targetUrn.getEntityType().equals(Constants.GLOSSARY_NODE_ENTITY_NAME);
+ if (!isGlossaryEntity) {
+ return false;
+ }
+ final Urn parentNodeUrn = GlossaryUtils.getParentUrn(targetUrn, context, entityClient);
+ return GlossaryUtils.canManageChildrenEntities(context, parentNodeUrn, entityClient);
+ }
+
  /**
  * Returns true if the current user is able to create, delete, or move Glossary Terms and Nodes
  * under a parent Node. They can do this with either the global MANAGE_GLOSSARIES privilege, or if

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/util/OwnerUtils.java

@@ -20,6 +20,7 @@
 import com.linkedin.datahub.graphql.generated.OwnerInput;
 import com.linkedin.datahub.graphql.generated.OwnershipType;
 import com.linkedin.datahub.graphql.generated.ResourceRefInput;
+import com.linkedin.entity.client.EntityClient;
 import com.linkedin.metadata.Constants;
 import com.linkedin.metadata.authorization.PoliciesConfig;
 import com.linkedin.metadata.entity.EntityService;
@@ -195,7 +196,12 @@ private static void removeOwnersIfExists(
  }
 
  public static void validateAuthorizedToUpdateOwners(
- @Nonnull QueryContext context, Urn resourceUrn) {
+ @Nonnull QueryContext context, Urn resourceUrn, EntityClient entityClient) {
+
+ if (GlossaryUtils.canUpdateGlossaryEntity(resourceUrn, context, entityClient)) {
+ return;
+ }
+
  final DisjunctivePrivilegeGroup orPrivilegeGroups =
  new DisjunctivePrivilegeGroup(
  ImmutableList.of(