datahub-project · mkamalas · Aug 16, 2023 · Aug 16, 2023 · Aug 16, 2023 · Aug 18, 2023
diff --git a/...ql-core/src/main/java/com/linkedin/datahub/graphql/exception/DataHubGraphQLErrorCode.java b/...ql-core/src/main/java/com/linkedin/datahub/graphql/exception/DataHubGraphQLErrorCode.java
@@ -4,6 +4,7 @@ public enum DataHubGraphQLErrorCode {
  BAD_REQUEST(400),
  UNAUTHORIZED(403),
  NOT_FOUND(404),
+ UNAUTHORIZED_TAG_ERROR(405),
  SERVER_ERROR(500);
 
  private final int _code;

diff --git a/...-core/src/main/java/com/linkedin/datahub/graphql/exception/TagAuthorizationException.java b/...-core/src/main/java/com/linkedin/datahub/graphql/exception/TagAuthorizationException.java
@@ -0,0 +1,16 @@
+package com.linkedin.datahub.graphql.exception;
+
+
+/**
+ * Exception thrown when update fails due to ASSOCIATE_TAG privilege.
+ */
+public class TagAuthorizationException extends DataHubGraphQLException {
+
+ public TagAuthorizationException(String message) {
+ super(message, DataHubGraphQLErrorCode.UNAUTHORIZED_TAG_ERROR);
+ }
+
+ public TagAuthorizationException(String message, Throwable cause) {
+ super(message, DataHubGraphQLErrorCode.UNAUTHORIZED_TAG_ERROR);
+ }
+}
diff --git a/...phql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/AddTagResolver.java b/...phql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/AddTagResolver.java
@@ -6,6 +6,7 @@
 import com.linkedin.common.urn.Urn;
 import com.linkedin.datahub.graphql.QueryContext;
 import com.linkedin.datahub.graphql.exception.AuthorizationException;
+import com.linkedin.datahub.graphql.exception.TagAuthorizationException;
 import com.linkedin.datahub.graphql.generated.ResourceRefInput;
 import com.linkedin.datahub.graphql.generated.TagAssociationInput;
 import com.linkedin.datahub.graphql.resolvers.mutate.util.LabelUtils;
@@ -35,6 +36,10 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
  throw new AuthorizationException("Unauthorized to perform this action. Please contact your DataHub administrator.");
  }
 
+ if (!LabelUtils.isAuthorizedToAssociateTag(environment.getContext(), tagUrn)) {
+ throw new TagAuthorizationException("Only users granted permission to this tag can assign or remove it");
+ }
+
  return CompletableFuture.supplyAsync(() -> {
  LabelUtils.validateResourceAndLabel(
  tagUrn,

diff --git a/...hql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/AddTagsResolver.java b/...hql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/AddTagsResolver.java
@@ -7,6 +7,7 @@
 import com.linkedin.common.urn.UrnUtils;
 import com.linkedin.datahub.graphql.QueryContext;
 import com.linkedin.datahub.graphql.exception.AuthorizationException;
+import com.linkedin.datahub.graphql.exception.TagAuthorizationException;
 import com.linkedin.datahub.graphql.generated.AddTagsInput;
 import com.linkedin.datahub.graphql.generated.ResourceRefInput;
 import com.linkedin.datahub.graphql.resolvers.mutate.util.LabelUtils;
@@ -43,6 +44,12 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
  throw new AuthorizationException("Unauthorized to perform this action. Please contact your DataHub administrator.");
  }
 
+ tagUrns.forEach((tagUrn) -> {
+ if (!LabelUtils.isAuthorizedToAssociateTag(environment.getContext(), tagUrn)) {
+ throw new TagAuthorizationException("Only users granted permission to this tag can assign or remove it");
+ }
+ });
+
  LabelUtils.validateResourceAndLabel(
  tagUrns,
  targetUrn,

diff --git a/...ore/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/BatchAddTagsResolver.java b/...ore/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/BatchAddTagsResolver.java
@@ -4,6 +4,7 @@
 import com.linkedin.common.urn.UrnUtils;
 import com.linkedin.datahub.graphql.QueryContext;
 import com.linkedin.datahub.graphql.exception.AuthorizationException;
+import com.linkedin.datahub.graphql.exception.TagAuthorizationException;
 import com.linkedin.datahub.graphql.generated.BatchAddTagsInput;
 import com.linkedin.datahub.graphql.generated.ResourceRefInput;
 import com.linkedin.datahub.graphql.resolvers.mutate.util.LabelUtils;
@@ -45,7 +46,7 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
  return CompletableFuture.supplyAsync(() -> {
 
  // First, validate the batch
- validateTags(tagUrns);
+ validateTags(tagUrns, context);
 
  if (resources.size() == 1 && resources.get(0).getSubResource() != null) {
  return handleAddTagsToSingleSchemaField(context, resources, tagUrns);
@@ -117,9 +118,13 @@ private Boolean attemptBatchAddTagsWithSiblings(
  }
  }
 
- private void validateTags(List<Urn> tagUrns) {
+ private void validateTags(List<Urn> tagUrns, QueryContext context) {
  for (Urn tagUrn : tagUrns) {
  LabelUtils.validateLabel(tagUrn, Constants.TAG_ENTITY_NAME, _entityService);
+
+ if (!LabelUtils.isAuthorizedToAssociateTag(context, tagUrn)) {
+ throw new TagAuthorizationException("Only users granted permission to this tag can assign or remove it");
+ }
  }
  }
 

diff --git a/.../src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/BatchRemoveTagsResolver.java b/.../src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/BatchRemoveTagsResolver.java
@@ -4,6 +4,7 @@
 import com.linkedin.common.urn.UrnUtils;
 import com.linkedin.datahub.graphql.QueryContext;
 import com.linkedin.datahub.graphql.exception.AuthorizationException;
+import com.linkedin.datahub.graphql.exception.TagAuthorizationException;
 import com.linkedin.datahub.graphql.generated.BatchRemoveTagsInput;
 import com.linkedin.datahub.graphql.generated.ResourceRefInput;
 import com.linkedin.datahub.graphql.resolvers.mutate.util.LabelUtils;
@@ -37,6 +38,9 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
  return CompletableFuture.supplyAsync(() -> {
 
  // First, validate the batch
+ validateTags(tagUrns, context);
+
+ // Next, validate the batch
  validateInputResources(resources, context);
 
  try {
@@ -50,6 +54,14 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
  });
  }
 
+ private void validateTags(List<Urn> tagUrns, QueryContext context) {
+ for (Urn tagUrn : tagUrns) {
+ if (!LabelUtils.isAuthorizedToAssociateTag(context, tagUrn)) {
+ throw new TagAuthorizationException("Only users granted permission to this tag can assign or remove it");
+ }
+ }
+ }
+
  private void validateInputResources(List<ResourceRefInput> resources, QueryContext context) {
  for (ResourceRefInput resource : resources) {
  validateInputResource(resource, context);

diff --git a/...l-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/RemoveTagResolver.java b/...l-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/RemoveTagResolver.java
@@ -5,6 +5,7 @@
 import com.linkedin.common.urn.Urn;
 import com.linkedin.datahub.graphql.QueryContext;
 import com.linkedin.datahub.graphql.exception.AuthorizationException;
+import com.linkedin.datahub.graphql.exception.TagAuthorizationException;
 import com.linkedin.datahub.graphql.generated.ResourceRefInput;
 import com.linkedin.datahub.graphql.generated.TagAssociationInput;
 import com.linkedin.datahub.graphql.resolvers.mutate.util.LabelUtils;
@@ -33,6 +34,9 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
  if (!LabelUtils.isAuthorizedToUpdateTags(environment.getContext(), targetUrn, input.getSubResource())) {
  throw new AuthorizationException("Unauthorized to perform this action. Please contact your DataHub administrator.");
  }
+ if (!LabelUtils.isAuthorizedToAssociateTag(environment.getContext(), tagUrn)) {
+ throw new TagAuthorizationException("Only users granted permission to this tag can assign or remove it");
+ }
 
  return CompletableFuture.supplyAsync(() -> {
  LabelUtils.validateResourceAndLabel(

diff --git a/...hql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/util/LabelUtils.java b/...hql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/mutate/util/LabelUtils.java
@@ -201,6 +201,21 @@ public static boolean isAuthorizedToUpdateTags(@Nonnull QueryContext context, Ur
  orPrivilegeGroups);
  }
 
+ public static boolean isAuthorizedToAssociateTag(@Nonnull QueryContext context, Urn targetUrn) {
+
+ // Decide whether the current principal should be allowed to associate the tag
+ final DisjunctivePrivilegeGroup orPrivilegeGroups = new DisjunctivePrivilegeGroup(ImmutableList.of(
+ new ConjunctivePrivilegeGroup(ImmutableList.of(PoliciesConfig.ASSOCIATE_TAGS_PRIVILEGE.getType()))
+ ));
+
+ return AuthorizationUtils.isAuthorized(
+ context.getAuthorizer(),
+ context.getActorUrn(),
+ targetUrn.getEntityType(),
+ targetUrn.toString(),
+ orPrivilegeGroups);
+ }
+
  public static boolean isAuthorizedToUpdateTerms(@Nonnull QueryContext context, Urn targetUrn, String subResource) {
 
  Boolean isTargetingSchema = subResource != null && subResource.length() > 0;

diff --git a/datahub-graphql-core/src/main/resources/entity.graphql b/datahub-graphql-core/src/main/resources/entity.graphql
@@ -8200,6 +8200,10 @@ enum PolicyMatchCondition {
  Whether the field matches the value
  """
  EQUALS
+ """
+ Whether the field does not the value
+ """
+ NOT_EQUALS
 }
 
 """

diff --git a/datahub-web-react/src/app/entity/shared/utils.ts b/datahub-web-react/src/app/entity/shared/utils.ts
@@ -145,6 +145,13 @@ export const handleBatchError = (urns, e, defaultMessage) => {
  duration: 3,
  };
  }
+ if (urns.length > 1 && getGraphqlErrorCode(e) === 405) {
+ return {
+ content:
+ 'Only users granted permission to this tag can assign or remove it. The bulk edit being performed will not be saved. ',
+ duration: 3,
+ };
+ }
  return defaultMessage;
 };
 

diff --git a/datahub-web-react/src/app/permissions/policy/PolicyDetailsModal.tsx b/datahub-web-react/src/app/permissions/policy/PolicyDetailsModal.tsx
@@ -3,9 +3,14 @@ import { Link } from 'react-router-dom';
 import { Button, Divider, Modal, Tag, Typography } from 'antd';
 import styled from 'styled-components';
 import { useEntityRegistry } from '../../useEntityRegistry';
-import { Maybe, Policy, PolicyState, PolicyType } from '../../../types.generated';
+import { Maybe, Policy, PolicyMatchCondition, PolicyState, PolicyType } from '../../../types.generated';
 import { useAppConfig } from '../../useAppConfig';
-import { convertLegacyResourceFilter, getFieldValues, mapResourceTypeToDisplayName } from './policyUtils';
+import {
+ convertLegacyResourceFilter,
+ getFieldCondition,
+ getFieldValues,
+ mapResourceTypeToDisplayName,
+} from './policyUtils';
 import AvatarsGroup from '../AvatarsGroup';
 
 type PrivilegeOptionType = {
@@ -69,6 +74,7 @@ export default function PolicyDetailsModal({ policy, visible, onClose, privilege
  const resources = convertLegacyResourceFilter(policy?.resources);
  const resourceTypes = getFieldValues(resources?.filter, 'RESOURCE_TYPE') || [];
  const resourceEntities = getFieldValues(resources?.filter, 'RESOURCE_URN') || [];
+ const policyMatchCondition = getFieldCondition(resources?.filter, 'RESOURCE_URN');
  const domains = getFieldValues(resources?.filter, 'DOMAIN') || [];
 
  const {
@@ -157,6 +163,13 @@ export default function PolicyDetailsModal({ policy, visible, onClose, privilege
  );
  })) || <PoliciesTag>All</PoliciesTag>}
  </div>
+ <div>
+ <Typography.Title level={5}>Asset Condition</Typography.Title>
+ <ThinDivider />
+ <PoliciesTag>
+ {policyMatchCondition === PolicyMatchCondition.NotEquals ? 'Excludes' : 'Includes'}
+ </PoliciesTag>
+ </div>
  <div>
  <Typography.Title level={5}>Assets</Typography.Title>
  <ThinDivider />