feat(auth) - New privilege for Associate tags

[mkamalas]

New privilege to restrict association of tags. We have some use-cases where only a specific group users are authorized to associate certain tags. Also added a resource exclusion capability so that policy can be created for all resources excluding a certain set of resources using NOT_EQUALS policy condition.

To mimic behavior before this change, we need to create a policy which authorizes all users to the new privilege ASSOCIATE TAGS all tag resources.

Checklist

• [ x] The PR conforms to DataHub's Contributing Guideline (particularly Commit Message Format)
• Links to related issues (if applicable)
• Tests for the changes have been added/updated (if applicable)
• [ x] Docs related to the changes have been added/updated (if applicable). If a new feature has been added a Usage Guide has been added for the same.
• For any breaking change/potential downtime/deprecation/big changes an entry has been made in Updating DataHub

Summary by CodeRabbit

• New Features

  • Introduced enhanced authorization checks for tag association and removal, ensuring only authorized users can perform these actions.
  • Added a new enumeration value NOT_EQUALS to improve filtering capabilities in policy conditions.
  • Introduced a new privilege "Associate Tags" for more granular permission management related to tag associations.

• Bug Fixes

  • Improved error handling for permission-related issues during bulk edits of tags, providing clearer feedback to users.

• Documentation

  • Updated documentation to reflect new privileges and conditions related to tag management and policy definitions.

[anshbansal]

HTTP 405 is well defined in general tech. Let's not override the standard HTTP codes

[mkamalas]

Reverted back the error code to 403 with different error message

[jjoyce0510]

Is this an urgent ask from your side?

We've not heard this request from anyone else yet, so it's unclear to me that we will deliver broad, generalizable value to the community in exchange the non-trivial complexity that this change introduces for the system.

Perhaps the use case behind the change can be elaborated upon so we can better understand? I understand WHAT the change is, but I don't fully understand the WHY. My hunch: There is a group of users who are able to apply specific tags across all entities - data stewards - in which case I'd recommend granting data stewards the ability to edit ANY tags for ANY asset - why does this not work?

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

The recent changes enhance the authorization and tag management capabilities within the DataHub system. New checks ensure that only users with the appropriate privileges can associate or remove tags, reinforcing security and control. Additionally, a new condition, NOT_EQUALS, has been introduced for policy matches, expanding the logical capabilities of the policy engine. Overall, these updates improve user experience and ensure robust management of metadata.

Changes

Files	Change Summary
AddTagResolver.java, AddTagsResolver.java, BatchAddTagsResolver.java, RemoveTagResolver.java, BatchRemoveTagsResolver.java	Introduced new authorization checks to validate user permissions for tag associations, throwing AuthorizationException if unauthorized.
LabelUtils.java	Added isAuthorizedToAssociateTag method for checking user permissions when associating tags.
entity.graphql, PolicyMatchCondition.pdl, snapshot/com.linkedin.entity.entities.snapshot.json, snapshot/com.linkedin.platform.platform.snapshot.json	Added NOT_EQUALS condition to PolicyMatchCondition, enhancing filtering capabilities in policies.
policyUtils.ts, PolicyPrivilegeForm.tsx, PolicyDetailsModal.tsx	Updated to support new match conditions and flexible filtering logic in policy management.
policies.md, roles.md, tags.md	Documented new privilege "Associate Tags" for tag management capabilities.
PoliciesConfig.java	Added ASSOCIATE_TAGS_PRIVILEGE to manage tag associations in the policies configuration.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant TagService
    participant AuthService

    User->>AuthService: Request permission to associate tag
    AuthService-->>User: Permission granted
    User->>TagService: Associate tag with entity
    TagService-->>User: Tag associated successfully

Loading

sequenceDiagram
    participant User
    participant TagService
    participant AuthService

    User->>AuthService: Request permission to associate tag
    AuthService-->>User: Permission denied
    User->>TagService: Attempt to associate tag
    TagService-->>User: AuthorizationException thrown

Loading

Poem

🐰 In the meadow, tags do dance,
With new permissions, now's your chance!
A hop, a skip, to manage with glee,
Security's tight, as safe as can be.
"NOT_EQUALS" joins the tag parade,
In DataHub, a fair upgrade! 🌼

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  -- I pushed a fix in commit <commit_id>, please review it.
  -- Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  -- @coderabbitai generate unit testing code for this file.
  -- @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  -- @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  -- @coderabbitai read src/utils.ts and generate unit testing code.
  -- @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  -- @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

Outside diff range, codebase verification and nitpick comments (1)

metadata-service/restli-api/src/main/snapshot/com.linkedin.platform.platform.snapshot.json (1)

5462-5465: Correct the documentation for NOT_EQUALS condition.

The documentation for the NOT_EQUALS condition in the JSON files is currently identical to EQUALS. It should be updated to accurately reflect its functionality, which is to ensure that a field does not match a given value, as indicated by its usage in PolicyEngine.java.

• File: metadata-service/restli-api/src/main/snapshot/com.linkedin.platform.platform.snapshot.json
• File: metadata-service/restli-api/src/main/snapshot/com.linkedin.entity.entities.snapshot.json

Analysis chain

Verify the documentation for NOT_EQUALS condition.

The NOT_EQUALS condition has been added to the PolicyMatchCondition enum. Ensure that the documentation accurately describes its functionality and that it is consistently applied across the codebase.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify usage and documentation of `NOT_EQUALS` condition across the codebase.

# Test: Search for `NOT_EQUALS` usage in the codebase. Expect: Consistent usage and documentation.
rg --type json --type js --type ts --type java 'NOT_EQUALS'

Length of output: 1274

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between d6e46b9 and c60d9ab.

Files selected for processing (21)

• datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/AddTagResolver.java (1 hunks)
• datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/AddTagsResolver.java (1 hunks)
• datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/BatchAddTagsResolver.java (2 hunks)
• datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/BatchRemoveTagsResolver.java (2 hunks)
• datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/RemoveTagResolver.java (1 hunks)
• datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/util/LabelUtils.java (1 hunks)
• datahub-graphql-core/src/main/resources/entity.graphql (1 hunks)
• datahub-web-react/src/app/entity/shared/utils.ts (1 hunks)
• datahub-web-react/src/app/permissions/policy/PolicyDetailsModal.tsx (3 hunks)
• datahub-web-react/src/app/permissions/policy/PolicyPrivilegeForm.tsx (10 hunks)
• datahub-web-react/src/app/permissions/policy/policyUtils.ts (4 hunks)
• datahub-web-react/src/app/shared/tags/AddTagsTermsModal.tsx (4 hunks)
• docs/authorization/policies.md (2 hunks)
• docs/authorization/roles.md (1 hunks)
• docs/tags.md (1 hunks)
• metadata-models/src/main/pegasus/com/linkedin/policy/PolicyMatchCondition.pdl (1 hunks)
• metadata-service/auth-impl/src/main/java/com/datahub/authorization/PolicyEngine.java (2 hunks)
• metadata-service/restli-api/src/main/snapshot/com.linkedin.entity.entities.snapshot.json (1 hunks)
• metadata-service/restli-api/src/main/snapshot/com.linkedin.platform.platform.snapshot.json (1 hunks)
• metadata-service/war/src/main/resources/boot/policies.json (3 hunks)
• metadata-utils/src/main/java/com/linkedin/metadata/authorization/PoliciesConfig.java (2 hunks)

Additional context used

LanguageTool

docs/authorization/roles.md

[duplication] ~132-~132: Possible typo: you repeated a word
Context: ...ark: | ❌ | The ability to to associate the tag to an entity. ...

(ENGLISH_WORD_REPEAT_RULE)

Additional comments not posted (34)

metadata-models/src/main/pegasus/com/linkedin/policy/PolicyMatchCondition.pdl (1)

11-15: Addition of NOT_EQUALS condition is appropriate.

The new NOT_EQUALS condition complements the existing EQUALS condition, enhancing the logical capabilities of the enum for policy matching.

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/RemoveTagResolver.java (1)

39-41: Authorization check for tag association is well-implemented.

The addition of this check ensures that only users with the appropriate permissions can remove tags, enhancing security.

Verify the implementation of LabelUtils.isAuthorizedToAssociateTag to ensure it correctly checks permissions.

Verification successful

---

Authorization check implementation is accurate.

The method isAuthorizedToAssociateTag correctly implements permission checks using privilege groups to ensure only authorized users can associate or remove tags.

• Located in datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/util/LabelUtils.java

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the implementation of `isAuthorizedToAssociateTag`.

# Test: Search for the method implementation. Expect: Correct logic for permission checks.
ast-grep --lang java --pattern $'class LabelUtils {
  $$$
  boolean isAuthorizedToAssociateTag($_, $_) {
    $$$
  }
  $$$
}'

Length of output: 126

---

Script:

#!/bin/bash
# Description: Search for the method `isAuthorizedToAssociateTag` in Java files to verify its implementation.

# Test: Use ripgrep to find the method definition in Java files.
rg 'boolean isAuthorizedToAssociateTag\(' --glob '*.java' -A 5

Length of output: 1078

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/AddTagResolver.java (1)

41-44: Authorization check for tag association is well-implemented.

This check ensures that only users with the appropriate permissions can add tags, aligning with security best practices.

Verify the implementation of LabelUtils.isAuthorizedToAssociateTag to ensure it correctly checks permissions.

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/AddTagsResolver.java (1)

46-50: Authorization check for tag association looks good.

The addition of the authorization check for each tag enhances security by ensuring only authorized users can associate or remove tags.

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/BatchRemoveTagsResolver.java (2)

42-44: Tag validation order is appropriate.

Calling validateTags before other validations ensures that authorization checks are prioritized, enhancing security.

---

63-69: Modularization of authorization logic is effective.

The validateTags method encapsulates the authorization logic, improving code modularity and maintainability.

docs/tags.md (1)

20-20: Documentation update for "Associate Tags" privilege is clear.

The addition of the "Associate Tags" privilege in the documentation is well-explained and aligns with the introduced code changes.

datahub-web-react/src/app/entity/shared/utils.ts (1)

100-105: Approved: Enhanced error handling for permission issues.

The addition of a specific error message for permission-related errors improves user feedback. The existing comments clarify the need for this change.

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/BatchAddTagsResolver.java (2)

48-48: Approved: Context handling update in validateTags.

The update to use QueryContext instead of OperationContext aligns with the overall context handling strategy.

---

130-136: Approved: Enhanced authorization checks in validateTags.

The added authorization checks ensure that only users with the appropriate permissions can associate tags, enhancing security.

datahub-web-react/src/app/permissions/policy/policyUtils.ts (3)

88-92: Approved: Enhanced flexibility in createCriterion.

The addition of the condition parameter allows for more flexible criterion creation, improving policy management.

---

122-127: Approved: New getFieldCondition function.

The getFieldCondition function enhances the ability to retrieve conditions for specific fields, facilitating more dynamic policy evaluations.

---

137-143: Approved: Improved setFieldValues function.

The function now allows setting field values with a specified condition, enhancing the flexibility of policy evaluations.

datahub-web-react/src/app/permissions/policy/PolicyDetailsModal.tsx (3)

6-13: Imports look good.

The new imports for PolicyMatchCondition and getFieldCondition are appropriate for the added functionality.

---

75-79: Logic for capturing policy match condition looks good.

The use of getFieldCondition to determine the policyMatchCondition is appropriate.

---

168-173: Asset condition rendering logic is correct.

The rendering logic correctly displays "Excludes" or "Includes" based on the policyMatchCondition.

metadata-service/war/src/main/resources/boot/policies.json (1)

73-73: New privilege additions are consistent.

The addition of "ASSOCIATE_TAGS_PRIVILEGE" across multiple policies is consistent and aligns with the PR objectives.

Also applies to: 244-244, 329-329

datahub-web-react/src/app/shared/tags/AddTagsTermsModal.tsx (1)

283-283: Error handling updates are correct.

The replacement of urns with resources in error handling ensures accurate error messages.

Also applies to: 313-313, 343-343, 373-373

metadata-service/auth-impl/src/main/java/com/datahub/authorization/PolicyEngine.java (2)

248-253: LGTM! The NOT_EQUALS condition logic is well-implemented.

The use of allMatch ensures that none of the specified values match the resource's field values, which is correct for the NOT_EQUALS condition.

---

263-264: LGTM! The NOT_EQUALS condition handling is correct.

The method correctly returns the negation of the presence of the filter value within the field values set.

docs/authorization/policies.md (2)

175-175: LGTM! The "Associate Tags" privilege is correctly documented.

The addition aligns with the system's authorization capabilities and enhances tag management.

---

149-149: LGTM! The updated note on "Share Entity" privilege is clear and informative.

The clarification regarding its applicability to DataHub Cloud instances is well-placed.

datahub-web-react/src/app/permissions/policy/PolicyPrivilegeForm.tsx (8)

3-3: Import of Checkbox component.

The addition of the Checkbox component is necessary for the new resource exclusion feature.

---

12-12: Addition of PolicyMatchCondition import.

The PolicyMatchCondition is crucial for managing the match condition logic in resource filtering.

---

109-110: Initialize matchCondition state.

The matchCondition state is initialized using getFieldCondition, which aligns with the new logic for resource inclusion/exclusion.

---

Line range hint 186-200: Resource type selection logic.

The logic for selecting and deselecting resource types now includes PolicyMatchCondition.Equals, which is consistent with the new feature's requirements.

---

Line range hint 218-235: Resource selection logic update.

The onSelectResource and onDeselectResource functions now incorporate matchCondition, ensuring that the correct match condition is applied when resources are selected or deselected.

---

240-252: Update match condition in resources.

The updateMatchConditionInResources function updates the match condition based on the checkbox state, effectively toggling between Equals and NotEquals.

---

351-366: Dynamic resource text based on match condition.

The getResourceText function dynamically generates instructions based on the current matchCondition, enhancing user guidance.

---

535-583: Checkbox for resource exclusion.

The checkbox allows users to toggle resource exclusion, updating the matchCondition accordingly. This addition provides a clear and interactive way to manage resource policies.

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/util/LabelUtils.java (1)

261-274: New method isAuthorizedToAssociateTag.

The method correctly sets up a DisjunctivePrivilegeGroup with ASSOCIATE_TAGS_PRIVILEGE and calls AuthorizationUtils.isAuthorized. This enhances modularity by providing a specific check for tag association privileges.

metadata-utils/src/main/java/com/linkedin/metadata/authorization/PoliciesConfig.java (2)

379-383: Addition of ASSOCIATE_TAGS_PRIVILEGE.

The new privilege is defined with a type, display name, and description, aligning with existing privilege declarations. This addition enhances the control over tag association.

---

573-573: Integration of ASSOCIATE_TAGS_PRIVILEGE into tag privileges.

The new privilege is correctly added to the list of tag privileges, ensuring it is considered in access control checks.

datahub-graphql-core/src/main/resources/entity.graphql (1)

9146-9149: Addition of NOT_EQUALS condition is well-implemented.

The new NOT_EQUALS condition in the PolicyMatchCondition enum is a useful addition, enhancing the expressiveness of policy match conditions. The documentation is clear and consistent with existing entries.

[coderabbitai]

Ensure consistent documentation for NOT_EQUALS.

The addition of the NOT_EQUALS symbol in the PolicyMatchCondition enum is consistent with the existing structure. However, the documentation for NOT_EQUALS is the same as EQUALS. It should be updated to reflect its actual purpose, which is to check if a field does not match a given value.

-  "NOT_EQUALS" : "Whether the field matches the value"
+  "NOT_EQUALS" : "Whether the field does not match the value"

Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"symbols" : [ "EQUALS", "NOT_EQUALS" ],
	"symbolDocs" : {
	"EQUALS" : "Whether the field matches the value"
	"EQUALS" : "Whether the field matches the value",
	"NOT_EQUALS" : "Whether the field matches the value"
	"symbols" : [ "EQUALS", "NOT_EQUALS" ],
	"symbolDocs" : {
	"EQUALS" : "Whether the field matches the value",
	"NOT_EQUALS" : "Whether the field does not match the value"

[coderabbitai]

Fix the typo in the privilege description.

There is a duplicated word "to" in the description of the "Associate Tags" privilege.

- | Associate Tags                     | :heavy_check_mark: | :heavy_check_mark: | :x:                | The ability to to associate the tag to an entity.                                                |
+ | Associate Tags                     | :heavy_check_mark: | :heavy_check_mark: | :x:                | The ability to associate the tag to an entity.                                                   |

Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	| Associate Tags | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to to associate the tag to an entity. |
	| Associate Tags | :heavy_check_mark: | :heavy_check_mark: | :x: | The ability to associate the tag to an entity. |

Tools

LanguageTool

[duplication] ~132-~132: Possible typo: you repeated a word
Context: ...ark: | ❌ | The ability to to associate the tag to an entity. ...

(ENGLISH_WORD_REPEAT_RULE)

[mkamalas]

Is this an urgent ask from your side?

We've not heard this request from anyone else yet, so it's unclear to me that we will deliver broad, generalizable value to the community in exchange the non-trivial complexity that this change introduces for the system.

Perhaps the use case behind the change can be elaborated upon so we can better understand? I understand WHAT the change is, but I don't fully understand the WHY. My hunch: There is a group of users who are able to apply specific tags across all entities - data stewards - in which case I'd recommend granting data stewards the ability to edit ANY tags for ANY asset - why does this not work?

We have some use-cases where only a specific group users are authorized to associate certain tags. For all other tags, we want to allow all users to be able to associate the tags to ANY entity. Edit Tag privilege is a privilege which allows ANY tag to be associated to an entity. The entity can be specified or restricted by ownership. But, there is no way to restrict association by tags.

Also, there is only ways to specify policy by including resources but no way to specify policies by excluding resources.
So, added a resource exclusion capability so that policy can be created for all resources excluding a certain set of resources using NOT_EQUALS policy condition.

[rtekal]

@jjoyce0510 and @chriscollins3456

Meenakshi synced up the code with master again after validation. Could one of you please review and merge the PR. Thanks in advance.

[rtekal]

@anshbansal , @chriscollins3456 and @jjoyce0510
Can anyone review the PR please. The PR has been sync'ed to the main and re-tested.

Thanks and Regards.

[RyanHolstien]

Auth calls should come first before sending validation operations to the entity service, ideally done as soon as possible before any business logic occurs to short circuit.

[jjoyce0510]

This is introducing a non-trivial amount of new risk into this system by adding a lot of new complexity.

Is there consideration about priority of exclusion inclusion rules and conflicting rules?

[jjoyce0510]

Thanks for providing the detailed overview of the rationale behind associate Tags. I think it's safe to add this change, with the one caveat that the OpenAPI endpoints are not currently honoring this privilege - either that would need to be solved in this PR or a followup, I'll allow @david-leifker to chime in.

As for the exclusionary rules, I think this is a bit more concerning with larger implications. To date, we've fought long and hard to keep the policy system as simple as possible, to minimize the chance of user error when assigning privileges, by maintaining ONLY an inclusionary access model.

Exclusionary is a lot more risk because it means folks can do things by default. It is also not clear how to restrict privileges once it's been granted via an exclusionary policy has been defined - it's quite easy to accidentally grant broad access to many people without deeply understanding that you've done this.

I'm wondering if you folks are willing to drop this requirement, or to better understand why inclusionary access is not possible for your situation. This change will have security implications ALL users of DataHub across the globe, so it's quite important we get this one right.

[mkamalas]

Thanks for providing the detailed overview of the rationale behind associate Tags. I think it's safe to add this change, with the one caveat that the OpenAPI endpoints are not currently honoring this privilege - either that would need to be solved in this PR or a followup, I'll allow @david-leifker to chime in.

As for the exclusionary rules, I think this is a bit more concerning with larger implications. To date, we've fought long and hard to keep the policy system as simple as possible, to minimize the chance of user error when assigning privileges, by maintaining ONLY an inclusionary access model.

Exclusionary is a lot more risk because it means folks can do things by default. It is also not clear how to restrict privileges once it's been granted via an exclusionary policy has been defined - it's quite easy to accidentally grant broad access to many people without deeply understanding that you've done this.

I'm wondering if you folks are willing to drop this requirement, or to better understand why inclusionary access is not possible for your situation. This change will have security implications ALL users of DataHub across the globe, so it's quite important we get this one right.

In our organization, we want to allow all users to be able to create and associate tags for their own use cases. But, there are certain tags which are restricted. That is the reason we want to add this Exclusionary logic so that we can restrict access for these special tags alone. Would it be okay if we add this with a feature flag to reduce impact ?

[david-leifker]

I think we definitely need to add a test around the policy and new privilege added to the existing tests around the policy engine. Note that the policy engine will grant access if any of the policies match, which means the NOT_EQUAL condition would not be given precedence. It is not a deny condition, but the naming might be a bit confusing based on the NOT_EQUAL name.

Specifically, I am not sure this logic allows this use case

That is the reason we want to add this Exclusionary logic so that we can restrict access for these special tags alone. Would it be okay if we add this with a feature flag to reduce impact ?