

fix(logs): add actor urn on unauthorised (datahub-project#12030)
anshbansal authored Dec 6, 2024
1 parent 2fe2132 commit eef2077
Showing 5 changed files with 21 additions and 15 deletions.
Expand Up @@ -98,19 +98,22 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
}

if (authentication != null) {
String actorUrnStr = authentication.getActor().toUrnStr();
// Successfully authenticated.
log.debug(
String.format(
"Successfully authenticated request for Actor with type: %s, id: %s",
authentication.getActor().getType(), authentication.getActor().getId()));
"Successfully authenticated request for Actor with type: {}, id: {}",
authentication.getActor().getType(),
authentication.getActor().getId());
AuthenticationContext.setAuthentication(authentication);
chain.doFilter(request, response);
} else {
// Reject request
log.debug(
"Failed to authenticate request. Received 'null' Authentication value from authenticator chain.");
((HttpServletResponse) response)
.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized to perform this action.");
.sendError(
HttpServletResponse.SC_UNAUTHORIZED,
"Unauthorized to perform this action due to expired auth.");
return;
}
AuthenticationContext.remove();
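Review bot: The new 401 text in the `else` branch says the failure is "due to expired auth", but that branch runs whenever the authenticator chain returns a null Authentication, which the debug line just above it describes only generically. A missing or malformed credential would therefore be reported as expired too. Keeping the neutral `"Unauthorized to perform this action."` for the client and recording the specific reason in the server log avoids misleading whoever triages the 401. Separately, `actorUrnStr` is assigned at the top of the `if` branch but is not used in the visible lines; either log it, e.g. `log.debug("Successfully authenticated request for Actor {}", actorUrnStr);`, or drop the local. doFilter starts above this hunk and continues below it.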
Expand Up @@ -138,7 +138,9 @@ CompletableFuture<ResponseEntity<String>> generateSessionTokenForUser(
}

log.info("Attempting to generate session token for user {}", userId.asText());
final String actorId = AuthenticationContext.getAuthentication().getActor().getId();
Authentication authentication = AuthenticationContext.getAuthentication();
final String actorId = authentication.getActor().getId();
final String actorUrn = authentication.getActor().toUrnStr();
return CompletableFuture.supplyAsync(
() -> {
// 1. Verify that only those authorized to generate a token (datahub system) are able to.
Expand All @@ -164,7 +166,7 @@ CompletableFuture<ResponseEntity<String>> generateSessionTokenForUser(
}
throw HttpClientErrorException.create(
HttpStatus.UNAUTHORIZED,
"Unauthorized to perform this action.",
actorUrn + " unauthorized to perform this action.",
new HttpHeaders(),
null,
null);
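Review bot: The actor URN is added to the message of the `HttpClientErrorException` rather than to a log statement, so whether it reaches the server logs depends on how that exception is handled outside this hunk, and the same text is probably what the caller receives. For a denied session-token request an explicit record is more dependable for detection: `log.warn("Actor {} is not authorized to generate a session token", actorUrn);` before the throw, with the response text left generic. The same pattern appears in the `RestLiServiceException` messages in ingestProposals, ingest and both batchIngest methods further down the page. The throw sits inside a lambda whose start is outside the second hunk.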
Expand Up @@ -281,12 +281,13 @@ private Task<String> ingestProposals(
boolean asyncBool)
throws URISyntaxException {
Authentication authentication = AuthenticationContext.getAuthentication();
String actorUrnStr = authentication.getActor().toUrnStr();

Set<String> entityTypes = metadataChangeProposals.stream()
.map(MetadataChangeProposal::getEntityType)
.collect(Collectors.toSet());
final OperationContext opContext = OperationContext.asSession(
systemOperationContext, RequestContext.builder().buildRestli(authentication.getActor().toUrnStr(), getContext(),
systemOperationContext, RequestContext.builder().buildRestli(actorUrnStr, getContext(),
ACTION_INGEST_PROPOSAL, entityTypes), _authorizer, authentication, true);

// Ingest Authorization Checks
Expand All @@ -299,9 +300,8 @@ private Task<String> ingestProposals(
.map(ex -> String.format("HttpStatus: %s Urn: %s", ex.getSecond(), ex.getFirst().getEntityUrn()))
.collect(Collectors.joining(", "));
throw new RestLiServiceException(
HttpStatus.S_403_FORBIDDEN, "User is unauthorized to modify entity: " + errorMessages);
HttpStatus.S_403_FORBIDDEN, "User " + actorUrnStr + " is unauthorized to modify entity: " + errorMessages);
}
String actorUrnStr = authentication.getActor().toUrnStr();
final AuditStamp auditStamp =
new AuditStamp().setTime(_clock.millis()).setActor(Urn.createFromString(actorUrnStr));

Expand Up @@ -274,15 +274,15 @@ public Task<Void> ingest(
String actorUrnStr = authentication.getActor().toUrnStr();
final Urn urn = com.datahub.util.ModelUtils.getUrnFromSnapshotUnion(entity.getValue());
final OperationContext opContext = OperationContext.asSession(
systemOperationContext, RequestContext.builder().buildRestli(authentication.getActor().toUrnStr(), getContext(),
systemOperationContext, RequestContext.builder().buildRestli(actorUrnStr, getContext(),
ACTION_INGEST, urn.getEntityType()), authorizer, authentication, true);

if (!isAPIAuthorizedEntityUrns(
opContext,
CREATE,
List.of(urn))) {
throw new RestLiServiceException(
HttpStatus.S_403_FORBIDDEN, "User is unauthorized to edit entity " + urn);
HttpStatus.S_403_FORBIDDEN, "User " + actorUrnStr + " is unauthorized to edit entity " + urn);
}

try {
Expand Down Expand Up @@ -320,15 +320,15 @@ public Task<Void> batchIngest(
.map(Entity::getValue)
.map(com.datahub.util.ModelUtils::getUrnFromSnapshotUnion).collect(Collectors.toList());
final OperationContext opContext = OperationContext.asSession(
systemOperationContext, RequestContext.builder().buildRestli(authentication.getActor().toUrnStr(),
systemOperationContext, RequestContext.builder().buildRestli(actorUrnStr,
getContext(), ACTION_BATCH_INGEST, urns.stream().map(Urn::getEntityType).collect(Collectors.toList())),
authorizer, authentication, true);

if (!isAPIAuthorizedEntityUrns(
opContext,
CREATE, urns)) {
throw new RestLiServiceException(
HttpStatus.S_403_FORBIDDEN, "User is unauthorized to edit entities.");
HttpStatus.S_403_FORBIDDEN, "User " + actorUrnStr + " is unauthorized to edit entities.");
}

for (Entity entity : entities) {
Expand Up @@ -104,9 +104,10 @@ public Task<Void> batchIngest(@ActionParam(PARAM_BUCKETS) @Nonnull UsageAggregat
() -> {

final Authentication auth = AuthenticationContext.getAuthentication();
String actorUrnStr = auth.getActor().toUrnStr();
Set<Urn> urns = Arrays.stream(buckets).sequential().map(UsageAggregation::getResource).collect(Collectors.toSet());
final OperationContext opContext = OperationContext.asSession(
systemOperationContext, RequestContext.builder().buildRestli(auth.getActor().toUrnStr(), getContext(),
systemOperationContext, RequestContext.builder().buildRestli(actorUrnStr, getContext(),
ACTION_BATCH_INGEST, urns.stream().map(Urn::getEntityType).collect(Collectors.toList())), _authorizer,
auth, true);

Expand All @@ -115,7 +116,7 @@ public Task<Void> batchIngest(@ActionParam(PARAM_BUCKETS) @Nonnull UsageAggregat
UPDATE,
urns)) {
throw new RestLiServiceException(
HttpStatus.S_403_FORBIDDEN, "User is unauthorized to edit entities.");
HttpStatus.S_403_FORBIDDEN, "User " + actorUrnStr + " is unauthorized to edit entities.");
}

for (UsageAggregation agg : buckets) {