Integrate rules into elasticsearch result #15734
base: main
Conversation
Hi there 👋 Thanks for your contribution! The OpenMetadata team will review the PR shortly! Once it has been labeled as Let us know if you need any help!
```java
    return searchSourceBuilder;
  }

  private BoolQueryBuilder createQueryBuilderBasedOnRule(SpelNode ast) throws IOException {
```
IMO it would be better if we codify, for each expression/rule, the search condition it returns.
Example: if the condition says isOwner() only allow, then we should return condition.getSearchCondition(SecurityContext) -> return 'owner.name=%s'.format(SecurityContext.getUsername()) or owner.name=(getTeams(SecurityContext.getUsername()))
```java
    BoolQueryBuilder boolQueryBuilder = QueryBuilders.boolQuery();
    var keyword = ast2keyword(ast);

    if (ast.getChildCount() == 0) {
```
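Review bot: the leaf branch at `if (ast.getChildCount() == 0)` and the branches after it need an explicit fail-closed path: `QueryBuilders.boolQuery()` with no clauses matches every document, so if `ast2keyword(ast)` yields a keyword this method cannot translate, return a query that matches nothing (or throw) instead of falling through with the empty `boolQueryBuilder`. Separately, nothing in the visible body performs I/O, so the `throws IOException` on `createQueryBuilderBasedOnRule` looks like it can be dropped.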
@HesamoddinMonfared Thanks for taking this up. Let's visit the goals of this integration.

Condition evaluation: who will build the conditions? The delegation should be part of the rule itself, i.e. each rule should have a method equivalent to returning true or false. Example: isOwner() takes the security context and returns true or false depending on whether the logged-in user is an owner of the asset or part of the team that is the owner of the asset.

The complexity involved in enforcing these on the search side is:
- Hierarchy of rule processing
- We process deny rules first, before the allow rules
- Enforcing the resource-side attribute conditions, for example "Allow Edit only if the table contains certain tags"
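The two review comments above ask for each rule condition to own both its true/false check and its search-side equivalent, with deny rules processed before allow rules and resource attributes such as tags enforced as well. The following is an added example illustrating that shape; it is not code from this PR or from OpenMetadata. The class names (`SecurityContext`, `IsOwner`, `HasTag`, `Rule`), the index field names `owner.name` and `tags.tagFQN`, and the sample documents are assumptions made for the illustration. It builds the Elasticsearch query DSL as plain dictionaries (the same JSON the Java `BoolQueryBuilder` emits) and includes a tiny in-memory evaluator so the search-side filter can be checked against the per-asset decision on the same data.

```python
# Added example, not OpenMetadata's code: each rule condition exposes both a
# per-asset boolean check (evaluate) and the equivalent Elasticsearch clause
# (search_condition), so the search-side filter and the per-asset decision
# cannot drift apart. Class names, the index fields "owner.name" and
# "tags.tagFQN", and the sample documents are assumptions for this illustration.
from dataclasses import dataclass

as_list = lambda x: x if isinstance(x, list) else [x]  # noqa: E731


@dataclass
class SecurityContext:
    username: str
    teams: list


class IsOwner:
    # isOwner(): the caller owns the asset directly or through one of their teams.
    def evaluate(self, ctx, doc):
        return doc["owner.name"] == ctx.username or doc["owner.name"] in ctx.teams

    def search_condition(self, ctx):
        # owner.name = <user> OR owner.name IN <teams of user>
        return {"terms": {"owner.name": [ctx.username, *ctx.teams]}}


class HasTag:
    # Resource-side attribute condition: the asset carries the given tag.
    def __init__(self, tag):
        self.tag = tag

    def evaluate(self, ctx, doc):
        return self.tag in doc["tags.tagFQN"]

    def search_condition(self, ctx):
        return {"term": {"tags.tagFQN": self.tag}}


@dataclass
class Rule:
    effect: str        # "allow" or "deny"
    conditions: list   # every condition must hold for the rule to fire

    def fires(self, ctx, doc):
        return all(c.evaluate(ctx, doc) for c in self.conditions)

    def search_condition(self, ctx):
        return {"bool": {"filter": [c.search_condition(ctx) for c in self.conditions]}}


def is_visible(rules, ctx, doc):
    # Per-asset decision: deny rules are processed first and win outright.
    if any(r.fires(ctx, doc) for r in rules if r.effect == "deny"):
        return False
    return any(r.fires(ctx, doc) for r in rules if r.effect == "allow")


def build_query(rules, ctx):
    # Search-side equivalent: deny -> must_not, allow -> should with at least one match.
    allow = [r.search_condition(ctx) for r in rules if r.effect == "allow"]
    if not allow:
        # Fail closed: a bool query holding only must_not clauses matches every other document.
        return {"match_none": {}}
    return {"bool": {
        "must_not": [r.search_condition(ctx) for r in rules if r.effect == "deny"],
        "should": allow,
        "minimum_should_match": 1,
    }}


def matches(query, doc):
    # Minimal in-memory evaluator for the term/terms/bool/match_none subset of the DSL.
    kind, body = next(iter(query.items()))
    if kind == "match_none":
        return False
    if kind in ("term", "terms"):
        field_name, wanted = next(iter(body.items()))
        return any(v in as_list(wanted) for v in as_list(doc.get(field_name, [])))
    if kind == "bool":
        if not all(matches(q, doc) for q in body.get("filter", []) + body.get("must", [])):
            return False
        if any(matches(q, doc) for q in body.get("must_not", [])):
            return False
        hits = sum(matches(q, doc) for q in body.get("should", []))
        return hits >= body.get("minimum_should_match", 0)
    raise ValueError(f"unsupported clause: {kind}")


def search(rules, ctx, docs):
    # Names of the documents the search-side filter lets through.
    query = build_query(rules, ctx)
    return [d["name"] for d in docs if matches(query, d)]


# Constructed sample index documents; alice is in team data-platform.
CTX = SecurityContext(username="alice", teams=["data-platform"])
DOCS = [
    {"name": "sales", "owner.name": "alice", "tags.tagFQN": ["Tier.Tier1"]},
    {"name": "hr", "owner.name": "bob", "tags.tagFQN": ["PII.Sensitive"]},
    {"name": "events", "owner.name": "data-platform", "tags.tagFQN": ["PII.Sensitive"]},
    {"name": "public", "owner.name": "bob", "tags.tagFQN": ["Tier.Tier3"]},
]
RULES = [
    Rule("deny", [HasTag("PII.Sensitive")]),   # deny wins, even for owners
    Rule("allow", [IsOwner()]),
    Rule("allow", [HasTag("Tier.Tier3")]),
]
```

With the sample rules, `search(RULES, CTX, DOCS)` and the per-document `is_visible` both yield `sales` and `public`: `events` is owned by alice's team but carries the denied tag, so the `must_not` clause removes it regardless of the allow rules. The `match_none` branch matters because Elasticsearch does not make a bool query with no `should` clauses match nothing; a policy with only deny rules must therefore be translated explicitly rather than left to `minimum_should_match`.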
I worked on applying rules to search results.
The current implementation is for Elasticsearch only.
The implementation has been tested with different rules, policies and roles, and the results show its correctness.