Class PolicyEvaluator
java.lang.Object
org.openmetadata.service.security.policyevaluator.PolicyEvaluator
PolicyEvaluator for metadata operations, based on OpenMetadata's internal Policy format, to make access decisions.

Policy evaluation uses the following:
- Policy, which is a collection of `Allow` and `Deny` rules (see Rule).
- PolicyEvaluator gets OperationContext with information about the operation, ResourceContext with information about the resource on which the operation is being performed, and SubjectContext with information about the user performing the operation.
- First, all the Deny rules are applied and if there is a rule match, then the operation is denied.
- Second, all the Allow rules are applied and if there is a rule match, then the operation is allowed.
- All operations that don't match a rule are not allowed.
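The Deny-before-Allow order with default deny, as an added illustration; this is not OpenMetadata's own PolicyEvaluator code. The Rule and Effect types, the role names and the operation names below are simplified stand-ins and constructed sample values, not the project's types.

```java
import java.util.List;
import java.util.Set;

// Added illustration of the documented evaluation order: Deny rules first,
// then Allow rules, and anything with no matching rule is not allowed.
// Rule and Effect are simplified stand-ins, not OpenMetadata's Rule/Policy.
public class PolicyOrderDemo {
    enum Effect { ALLOW, DENY }

    // A rule matches when the operation is listed in it and the subject
    // holds at least one of the roles the rule is scoped to.
    record Rule(Effect effect, Set<String> operations, Set<String> roles) {
        boolean matches(String operation, Set<String> subjectRoles) {
            return operations.contains(operation)
                && roles.stream().anyMatch(subjectRoles::contains);
        }
    }

    // Evaluate a policy (list of rules) for one operation and one subject.
    static boolean isAllowed(List<Rule> policy, String operation, Set<String> subjectRoles) {
        // Pass 1: any matching Deny rule decides the outcome immediately.
        for (Rule r : policy) {
            if (r.effect() == Effect.DENY && r.matches(operation, subjectRoles)) {
                return false;
            }
        }
        // Pass 2: only now does a matching Allow rule grant the operation.
        for (Rule r : policy) {
            if (r.effect() == Effect.ALLOW && r.matches(operation, subjectRoles)) {
                return true;
            }
        }
        // No rule matched: default deny.
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample policy: consumers may view and edit descriptions,
        // but contractors are explicitly denied editing descriptions.
        List<Rule> policy = List.of(
            new Rule(Effect.ALLOW, Set.of("ViewAll", "EditDescription"), Set.of("DataConsumer")),
            new Rule(Effect.DENY, Set.of("EditDescription"), Set.of("Contractor")));

        Set<String> consumer = Set.of("DataConsumer");
        Set<String> contractor = Set.of("DataConsumer", "Contractor");

        System.out.println(isAllowed(policy, "ViewAll", consumer));           // only an Allow rule matches
        System.out.println(isAllowed(policy, "EditDescription", consumer));   // only an Allow rule matches
        System.out.println(isAllowed(policy, "EditDescription", contractor)); // Allow and Deny both match
        System.out.println(isAllowed(policy, "Delete", consumer));            // no rule mentions Delete
    }
}
```

The contractor case is the one worth checking in a real deployment: a subject who holds both an allowing and a denying role ends up denied because the Deny pass runs first, and the last case shows that an operation nobody wrote a rule for is refused rather than silently permitted.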
Method Summary

- static ResourcePermission getPermission(@NonNull SubjectContext subjectContext, String resourceType)
  Returns a list of operations that a user can perform on the given resource/entity type.
- static ResourcePermission getPermission(@NonNull SubjectContext subjectContext, ResourceContextInterface resourceContext)
- static ResourcePermission getResourcePermission(String resource, Permission.Access access)
  Get list of resources with all their permissions set to the given Access.
- static List<ResourcePermission> getResourcePermissions
  Get list of resources with all their permissions set to the given Access.
- static void hasPermission(@NonNull SubjectContext subjectContext, @NonNull ResourceContextInterface resourceContext, @NonNull OperationContext operationContext)
  Checks if the policy has rules that give permission to perform an operation on the given entity.
- static Map<String,ResourcePermission> initResourcePermissions
  Initialize a map from resource name to ResourcePermission, with each resource's permission for all operations set to NOT_ALLOW.
- static List<ResourcePermission> listPermission(@NonNull List<EntityReference> policies)
  Returns a list of operations that a user can perform on all the resources.
- static List<ResourcePermission> listPermission(@NonNull SubjectContext subjectContext)
  Returns a list of operations that a user can perform on all the resources.
- static List<Permission> trimPermissions(List<Permission> permissions)
  Removes the redundant permissions from the list.
- static ResourcePermission trimResourcePermission(ResourcePermission resourcePermission)
- static List<ResourcePermission> trimResourcePermissions(List<ResourcePermission> resourcePermissions)
Method Details

hasPermission
public static void hasPermission(@NonNull SubjectContext subjectContext, @NonNull ResourceContextInterface resourceContext, @NonNull OperationContext operationContext)
Checks if the policy has rules that give permission to perform an operation on the given entity.

listPermission
public static List<ResourcePermission> listPermission(@NonNull SubjectContext subjectContext)
Returns a list of operations that a user can perform on all the resources.

listPermission
public static List<ResourcePermission> listPermission(@NonNull List<EntityReference> policies)
Returns a list of operations that a user can perform on all the resources.

getPermission
public static ResourcePermission getPermission(@NonNull SubjectContext subjectContext, String resourceType)
Returns a list of operations that a user can perform on the given resource/entity type.

getPermission
public static ResourcePermission getPermission(@NonNull SubjectContext subjectContext, ResourceContextInterface resourceContext)

getResourcePermissions
Get list of resources with all their permissions set to the given Access.

getResourcePermission
public static ResourcePermission getResourcePermission(String resource, Permission.Access access)
Get list of resources with all their permissions set to the given Access.

initResourcePermissions
Initialize a map from resource name to ResourcePermission, with each resource's permission for all operations set to NOT_ALLOW.

trimPermissions
public static List<Permission> trimPermissions(List<Permission> permissions)
Removes the redundant permissions from the list.

trimResourcePermission
public static ResourcePermission trimResourcePermission(ResourcePermission resourcePermission)

trimResourcePermissions
public static List<ResourcePermission> trimResourcePermissions(List<ResourcePermission> resourcePermissions)