Class AuthUtil

java.lang.Object
com.datahub.authorization.AuthUtil

public class AuthUtil extends Object
Notes: This class is intended to unify privilege checks across the APIs so that every API applies the same authorization logic.

Public: The intent is that the public interface uses the typical abstractions for Urns, ApiOperation, ApiGroup, and entity-type strings.

Private functions can use the more specific Privileges and the Disjunctive/Conjunctive interfaces required by the policy engine and authorizer.

isAPI...() functions are intended for OpenAPI and Rest.li, since authorization for those APIs is governed by an enable flag. GraphQL authorization is always enabled and should use the is...() functions.

  • Field Details

    • VIEW_RESTRICTED_ENTITY_TYPES

      public static final Set<String> VIEW_RESTRICTED_ENTITY_TYPES
This should generally follow the policy-creation UI, with a few exceptions (users, groups, containers, etc.) so that the platform still functions as expected.
  • Method Details

    • isAPIAuthorized

      public static List<com.linkedin.util.Pair<com.linkedin.mxe.MetadataChangeProposal,Integer>> isAPIAuthorized(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull com.linkedin.metadata.authorization.ApiGroup apiGroup, @Nonnull com.linkedin.metadata.models.registry.EntityRegistry entityRegistry, @Nonnull Collection<com.linkedin.mxe.MetadataChangeProposal> mcps)
      OpenAPI/Rest.li Methods
    • isAPIAuthorizedUrns

      public static Map<com.linkedin.util.Pair<com.linkedin.events.metadata.ChangeType,com.linkedin.common.urn.Urn>,Integer> isAPIAuthorizedUrns(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull com.linkedin.metadata.authorization.ApiGroup apiGroup, @Nonnull Collection<com.linkedin.util.Pair<com.linkedin.events.metadata.ChangeType,com.linkedin.common.urn.Urn>> changeTypeUrns)
    • isAPIAuthorizedResult

      public static boolean isAPIAuthorizedResult(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull com.linkedin.metadata.search.SearchResult result)
    • isAPIAuthorizedResult

      public static boolean isAPIAuthorizedResult(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull com.linkedin.metadata.search.ScrollResult result)
    • isAPIAuthorizedResult

      public static boolean isAPIAuthorizedResult(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull com.linkedin.metadata.query.AutoCompleteResult result)
    • isAPIAuthorizedResult

      public static boolean isAPIAuthorizedResult(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull com.linkedin.metadata.browse.BrowseResult result)
    • isAPIAuthorizedUrns

      public static boolean isAPIAuthorizedUrns(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull com.linkedin.metadata.authorization.ApiGroup apiGroup, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation, @Nonnull Collection<com.linkedin.common.urn.Urn> urns)
    • isAPIAuthorizedEntityUrns

      public static boolean isAPIAuthorizedEntityUrns(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation, @Nonnull Collection<com.linkedin.common.urn.Urn> urns)
    • isAPIAuthorizedEntityType

      public static boolean isAPIAuthorizedEntityType(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation, @Nonnull String entityType)
    • isAPIAuthorizedEntityType

      public static boolean isAPIAuthorizedEntityType(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull com.linkedin.metadata.authorization.ApiGroup apiGroup, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation, @Nonnull String entityType)
    • isAPIAuthorizedEntityType

      public static boolean isAPIAuthorizedEntityType(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation, @Nonnull Collection<String> entityTypes)
    • isAPIAuthorizedEntityType

      public static boolean isAPIAuthorizedEntityType(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull com.linkedin.metadata.authorization.ApiGroup apiGroup, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation, @Nonnull Collection<String> entityTypes)
    • isAPIAuthorized

      public static boolean isAPIAuthorized(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull com.linkedin.metadata.authorization.ApiGroup apiGroup, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation)
    • isAPIAuthorized

      public static boolean isAPIAuthorized(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull com.linkedin.metadata.authorization.PoliciesConfig.Privilege privilege, @Nullable EntitySpec resource)
    • isAPIAuthorized

      public static boolean isAPIAuthorized(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull com.linkedin.metadata.authorization.PoliciesConfig.Privilege privilege)
    • canViewEntity

      public static boolean canViewEntity(@Nonnull String actor, @Nonnull Authorizer authorizer, @Nonnull com.linkedin.common.urn.Urn urn)
      GraphQL Methods
    • canViewEntity

      public static boolean canViewEntity(@Nonnull String actor, @Nonnull Authorizer authorizer, @Nonnull Collection<com.linkedin.common.urn.Urn> urns)
    • isAuthorized

      public static boolean isAuthorized(@Nonnull String actor, @Nonnull Authorizer authorizer, @Nonnull com.linkedin.metadata.authorization.ApiGroup apiGroup, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation)
    • isAuthorizedEntityType

      public static boolean isAuthorizedEntityType(@Nonnull String actor, @Nonnull Authorizer authorizer, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation, @Nonnull Collection<String> entityTypes)
    • isAuthorizedEntityUrns

      public static boolean isAuthorizedEntityUrns(@Nonnull Authorizer authorizer, @Nonnull String actor, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation, @Nonnull Collection<com.linkedin.common.urn.Urn> urns)
    • isAuthorizedUrns

      public static boolean isAuthorizedUrns(@Nonnull Authorizer authorizer, @Nonnull String actor, @Nonnull com.linkedin.metadata.authorization.ApiGroup apiGroup, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation, @Nonnull Collection<com.linkedin.common.urn.Urn> urns)
    • isAuthorized

      public static boolean isAuthorized(@Nonnull Authorizer authorizer, @Nonnull String actor, @Nonnull com.linkedin.metadata.authorization.PoliciesConfig.Privilege privilege)
    • isAuthorized

      public static boolean isAuthorized(@Nonnull Authorizer authorizer, @Nonnull String actor, @Nonnull com.linkedin.metadata.authorization.PoliciesConfig.Privilege privilege, @Nullable EntitySpec entitySpec)
    • isAuthorized

      public static boolean isAuthorized(@Nonnull Authorizer authorizer, @Nonnull String actor, @Nonnull DisjunctivePrivilegeGroup privilegeGroup, @Nullable EntitySpec resourceSpec)
    • lookupAPIPrivilege

      public static com.linkedin.metadata.authorization.Disjunctive<com.linkedin.metadata.authorization.Conjunctive<com.linkedin.metadata.authorization.PoliciesConfig.Privilege>> lookupAPIPrivilege(@Nonnull com.linkedin.metadata.authorization.ApiGroup apiGroup, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation, @Nullable String entityType)
      Returns the privileges for an API group and operation. These are broad-level privileges that are not specific to an Entity/Aspect.
      Parameters:
      apiGroup - the API group being accessed
      apiOperation - the operation being performed
      entityType - the entity type, or null when the check is not entity-specific
      Returns:
      the privileges that authorize the operation, expressed with the Disjunctive/Conjunctive types used by the policy engine
    • buildDisjunctivePrivilegeGroup

      public static DisjunctivePrivilegeGroup buildDisjunctivePrivilegeGroup(@Nonnull com.linkedin.metadata.authorization.ApiGroup apiGroup, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation, @Nullable String entityType)