From 6b135d515f13f072cc3c592643a46236535968ba Mon Sep 17 00:00:00 2001
From: ChiragMadan1
Date: Tue, 30 Jul 2024 16:50:09 +0530
Subject: [PATCH] Grant permissions to governance workflow client
---
 .../policies/bootstrap_entity_policies.json | 24 ++++++++++++-------
 .../v2/preprocessor/AuthPolicyValidator.java | 6 +++--
 .../repository/util/AccessControlUtils.java | 1 +
 3 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/addons/policies/bootstrap_entity_policies.json b/addons/policies/bootstrap_entity_policies.json
index 38a6b86e80..16a87c1f39 100644
--- a/addons/policies/bootstrap_entity_policies.json
+++ b/addons/policies/bootstrap_entity_policies.json
@@ -2120,7 +2120,8 @@
 [
 "admin",
 "service-account-atlan-argo",
- "service-account-atlan-backend"
+ "service-account-atlan-backend",
+ "atlan-governance-workflows"
 ],
 "policyGroups": [],
@@ -2185,7 +2186,8 @@
 [
 "admin",
 "service-account-atlan-argo",
- "service-account-atlan-backend"
+ "service-account-atlan-backend",
+ "atlan-governance-workflows"
 ],
 "policyGroups": [],
@@ -2221,7 +2223,8 @@
 [
 "admin",
 "service-account-atlan-argo",
- "service-account-atlan-backend"
+ "service-account-atlan-backend",
+ "atlan-governance-workflows"
 ],
 "policyGroups": [],
@@ -2441,7 +2444,8 @@
 "policyUsers":
 [
 "service-account-atlan-argo",
- "service-account-atlan-backend"
+ "service-account-atlan-backend",
+ "atlan-governance-workflows"
 ],
 "policyGroups": [],
@@ -2551,7 +2555,8 @@
 "policyUsers":
 [
 "service-account-atlan-argo",
- "service-account-atlan-backend"
+ "service-account-atlan-backend",
+ "atlan-governance-workflows"
 ],
 "policyGroups": [],
@@ -2587,7 +2592,8 @@
 "policyUsers":
 [
 "service-account-atlan-argo",
- "service-account-atlan-backend"
+ "service-account-atlan-backend",
+ "atlan-governance-workflows"
 ],
 "policyGroups": [],
@@ -2622,7 +2628,8 @@
 "policyUsers":
 [
 "service-account-atlan-argo",
- "service-account-atlan-backend"
+ "service-account-atlan-backend",
+ "atlan-governance-workflows"
 ],
 "policyGroups": [],
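Review bot: All eight hunks in this file append `atlan-governance-workflows` to `policyUsers` in the same blanket way, including the three lists at old lines 2120, 2185 and 2221 that also hold `admin`, and neither the hunks nor the commit message say which of these policies the governance workflow client actually needs. The policy names, actions and resources sit outside the hunk context, so the breadth of the grant cannot be checked from here. It would help to name the affected policies and the actions the client requires in the commit description, and to drop any entry the client does not use. JSON has no comment syntax, so that rationale has to live in the commit message or the pull request.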
@@ -2657,7 +2664,8 @@
 "policyUsers":
 [
 "service-account-atlan-argo",
- "service-account-atlan-backend"
+ "service-account-atlan-backend",
+ "atlan-governance-workflows"
 ],
 "policyGroups": [],
diff --git a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/AuthPolicyValidator.java b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/AuthPolicyValidator.java
index 3c5814d0a7..b54a45588b 100644
--- a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/AuthPolicyValidator.java
+++ b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/AuthPolicyValidator.java
@@ -307,8 +307,10 @@ public void validate(AtlasEntity policy, AtlasEntity existingPolicy,
 //only allow argo & backend
 if (!RequestContext.get().isSkipAuthorizationCheck()) {
 String userName = RequestContext.getCurrentUser();
- validateOperation (!ARGO_SERVICE_USER_NAME.equals(userName) && !BACKEND_SERVICE_USER_NAME.equals(userName),
- "Create/Update AuthPolicy with policyCategory other than persona, purpose and datamesh");
+ validateOperation (!ARGO_SERVICE_USER_NAME.equals(userName) &&
+ !BACKEND_SERVICE_USER_NAME.equals(userName) &&
+ !GOVERNANCE_WORKFLOWS_SERVICE_USER_NAME.equals(userName),
+ "Create/Update AuthPolicy with policyCategory other than persona, purpose and datamesh");
 }
 }
 }
diff --git a/repository/src/main/java/org/apache/atlas/repository/util/AccessControlUtils.java b/repository/src/main/java/org/apache/atlas/repository/util/AccessControlUtils.java
index c2c04b8d4e..68ee5318ed 100644
--- a/repository/src/main/java/org/apache/atlas/repository/util/AccessControlUtils.java
+++ b/repository/src/main/java/org/apache/atlas/repository/util/AccessControlUtils.java
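Review bot: The new exemption in the `validateOperation` call in `AuthPolicyValidator.validate` compares `RequestContext.getCurrentUser()` with the literal `atlan-governance-workflows`, which, unlike the two existing names, has no `service-account-` prefix. If that prefix is what keeps ordinary usernames from colliding with service identities (not visible from this hunk), any account able to hold that exact username would pass this check and could create or update AuthPolicy entities outside the persona, purpose and datamesh categories. It is worth confirming how this principal's username is issued and that it is reserved. The context comment `//only allow argo & backend` is now stale and should read `// only allow the argo, backend and governance-workflows service users`. The enclosing method starts and ends outside the hunk.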
@@ -114,6 +114,7 @@ public final class AccessControlUtils {
 public static final String CONN_NAME_PATTERN = "connection_admins_%s";
 public static final String ARGO_SERVICE_USER_NAME = "service-account-atlan-argo";
 public static final String BACKEND_SERVICE_USER_NAME = "service-account-atlan-backend";
+ public static final String GOVERNANCE_WORKFLOWS_SERVICE_USER_NAME = "atlan-governance-workflows";
 public static final String INSTANCE_DOMAIN_KEY = "instance";