Class AuthUtil

java.lang.Object
com.datahub.authorization.AuthUtil

public class AuthUtil extends Object
Notes: This class is an attempt to unify privilege checks across APIs.

Public: The intent is that the public interface uses the typical abstractions — Urns, ApiOperation, ApiGroup, and entity type strings.

Private functions can use the more specific Privilege and Disjunctive/Conjunctive interfaces required by the policy engine and authorizer.

isAPI...() functions are intended for OpenAPI and Rest.li, since those APIs are governed by an enable flag. GraphQL is always enabled and should use the is...() functions instead.

  • Field Details

    • VIEW_RESTRICTED_ENTITY_TYPES

      public static final Set<String> VIEW_RESTRICTED_ENTITY_TYPES
      This set should generally follow the policy-creation UI, with a few exceptions (users, groups, containers, etc.) so that the platform still functions as expected.
  • Method Details

    • isAPIAuthorized

      public static List<com.linkedin.util.Pair<com.linkedin.mxe.MetadataChangeProposal,Integer>> isAPIAuthorized(@Nonnull AuthorizationSession session, @Nonnull com.linkedin.metadata.authorization.ApiGroup apiGroup, @Nonnull com.linkedin.metadata.models.registry.EntityRegistry entityRegistry, @Nonnull Collection<com.linkedin.mxe.MetadataChangeProposal> mcps)
      OpenAPI/Rest.li Methods
    • isAPIAuthorizedUrns

      public static Map<com.linkedin.util.Pair<com.linkedin.events.metadata.ChangeType,com.linkedin.common.urn.Urn>,Integer> isAPIAuthorizedUrns(@Nonnull AuthorizationSession session, @Nonnull com.linkedin.metadata.authorization.ApiGroup apiGroup, @Nonnull Collection<com.linkedin.util.Pair<com.linkedin.events.metadata.ChangeType,com.linkedin.common.urn.Urn>> changeTypeUrns)
    • isAPIAuthorizedResult

      public static boolean isAPIAuthorizedResult(@Nonnull AuthorizationSession session, @Nonnull com.linkedin.metadata.search.SearchResult result)
    • isAPIAuthorizedResult

      public static boolean isAPIAuthorizedResult(@Nonnull AuthorizationSession session, @Nonnull com.linkedin.metadata.search.ScrollResult result)
    • isAPIAuthorizedResult

      public static boolean isAPIAuthorizedResult(@Nonnull AuthorizationSession session, @Nonnull com.linkedin.metadata.query.AutoCompleteResult result)
    • isAPIAuthorizedResult

      public static boolean isAPIAuthorizedResult(@Nonnull AuthorizationSession session, @Nonnull com.linkedin.metadata.browse.BrowseResult result)
    • isAPIAuthorizedUrns

      public static boolean isAPIAuthorizedUrns(@Nonnull AuthorizationSession session, @Nonnull com.linkedin.metadata.authorization.ApiGroup apiGroup, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation, @Nonnull Collection<com.linkedin.common.urn.Urn> urns)
    • isAPIAuthorizedEntityUrns

      public static boolean isAPIAuthorizedEntityUrns(@Nonnull AuthorizationSession session, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation, @Nonnull Collection<com.linkedin.common.urn.Urn> urns)
    • isAPIAuthorizedEntityType

      public static boolean isAPIAuthorizedEntityType(@Nonnull AuthorizationSession session, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation, @Nonnull String entityType)
    • isAPIAuthorizedEntityType

      public static boolean isAPIAuthorizedEntityType(@Nonnull AuthorizationSession session, @Nonnull com.linkedin.metadata.authorization.ApiGroup apiGroup, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation, @Nonnull String entityType)
    • isAPIAuthorizedEntityType

      public static boolean isAPIAuthorizedEntityType(@Nonnull AuthorizationSession session, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation, @Nonnull Collection<String> entityTypes)
    • isAPIAuthorizedEntityType

      public static boolean isAPIAuthorizedEntityType(@Nonnull AuthorizationSession session, @Nonnull com.linkedin.metadata.authorization.ApiGroup apiGroup, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation, @Nonnull Collection<String> entityTypes)
    • isAPIAuthorized

      public static boolean isAPIAuthorized(@Nonnull AuthorizationSession session, @Nonnull com.linkedin.metadata.authorization.ApiGroup apiGroup, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation)
    • isAPIAuthorized

      public static boolean isAPIAuthorized(@Nonnull AuthorizationSession session, @Nonnull com.linkedin.metadata.authorization.PoliciesConfig.Privilege privilege, @Nullable EntitySpec resource)
    • isAPIAuthorized

      public static boolean isAPIAuthorized(@Nonnull AuthorizationSession session, @Nonnull com.linkedin.metadata.authorization.PoliciesConfig.Privilege privilege)
    • canViewEntity

      public static boolean canViewEntity(@Nonnull AuthorizationSession session, @Nonnull com.linkedin.common.urn.Urn urn)
      GraphQL Methods
    • canViewEntity

      public static boolean canViewEntity(@Nonnull AuthorizationSession session, @Nonnull Collection<com.linkedin.common.urn.Urn> urns)
    • isAuthorized

      public static boolean isAuthorized(@Nonnull AuthorizationSession session, @Nonnull com.linkedin.metadata.authorization.ApiGroup apiGroup, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation)
    • isAuthorizedEntityType

      public static boolean isAuthorizedEntityType(@Nonnull AuthorizationSession session, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation, @Nonnull Collection<String> entityTypes)
    • isAuthorizedEntityUrns

      public static boolean isAuthorizedEntityUrns(@Nonnull AuthorizationSession session, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation, @Nonnull Collection<com.linkedin.common.urn.Urn> urns)
    • isAuthorizedUrns

      public static boolean isAuthorizedUrns(@Nonnull AuthorizationSession session, @Nonnull com.linkedin.metadata.authorization.ApiGroup apiGroup, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation, @Nonnull Collection<com.linkedin.common.urn.Urn> urns)
    • isAuthorized

      public static boolean isAuthorized(@Nonnull AuthorizationSession session, @Nonnull com.linkedin.metadata.authorization.PoliciesConfig.Privilege privilege)
    • isAuthorized

      public static boolean isAuthorized(@Nonnull AuthorizationSession session, @Nonnull com.linkedin.metadata.authorization.PoliciesConfig.Privilege privilege, @Nullable EntitySpec entitySpec)
    • isAuthorized

      public static boolean isAuthorized(@Nonnull AuthorizationSession session, @Nonnull DisjunctivePrivilegeGroup privilegeGroup, @Nullable EntitySpec resourceSpec)
    • lookupAPIPrivilege

      public static com.linkedin.metadata.authorization.Disjunctive<com.linkedin.metadata.authorization.Conjunctive<com.linkedin.metadata.authorization.PoliciesConfig.Privilege>> lookupAPIPrivilege(@Nonnull com.linkedin.metadata.authorization.ApiGroup apiGroup, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation, @Nullable String entityType)
      Returns the privileges required for an API group and operation: broad-level privileges that are not specific to an entity or aspect.
      Parameters:
      apiGroup - the API group the request belongs to
      apiOperation - the operation being performed within that group
      entityType - the entity type, if any; may be null
      Returns:
      the Disjunctive of Conjunctive Privilege groups for the given group and operation (as the type names suggest, an OR of AND-ed privilege sets)
    • buildDisjunctivePrivilegeGroup

      public static DisjunctivePrivilegeGroup buildDisjunctivePrivilegeGroup(@Nonnull com.linkedin.metadata.authorization.ApiGroup apiGroup, @Nonnull com.linkedin.metadata.authorization.ApiOperation apiOperation, @Nullable String entityType)