-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(ingest): datamodel to ingest organisation role metadata for a dataset #8267
Conversation
* Provisioned users of a role | ||
*/ | ||
@Aspect = { | ||
"name": "externalRoleProvisionedUser" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What will happen when the requirement to add groups comes along? How about other nested roles?
I'd rename this aspect to "actors", so that we can support users, groups, and nested roles
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have renamed to actors and now we have the ability to add groups under actors when we require
Hi @sheeru ! Thanks for the PR. A few things I want us to consider, in addition to those comments I've already left:
If this does not work, why not? The reason I ask is that the changes required to support this in DataHub are a bit more constrained.
Let me know if you have questions! Cheers |
Hi @jjoyce0510 / @shirshanka , Regarding the live lookup, currently our primary requirement is driven from UI. People can navigate to a dataset and view list of roles necessary to access that dataset. We can click on a dataset role and request access from that page. Also, PrivilegeType is defined as enum because, UI should be able to group the access types and show the roles under that group. Hence enum is preferred to handle the list of access types. Also, current requirement is to map users to datasets since user can login and request access to a dataset. In our organisation as well, we dont map roles to user groups for now. I think the livelookup and mapping of groups to roles can be added as part of phase2 of RFC. |
92d16e5
to
d1366ff
Compare
@jjoyce0510 Have addressed the comments and pls let me know if anything more is required.
Since we are accessing the dataset from UI, we will know who has logged in. We will compare if the current logged in user is present as part of provisioned users and we can determine if the user has access to a role and dataset. Attached in RFC for more details |
Thanks for attaching the RFC, I've taken a look at it. I am very curious to understand why the listing of roles is so important here, as opposed to showing simpler things: does the user have access or not, and how can the user request access? I'm imagining a flow where DataHub can simply redirect to an external URL where the role can be finally selected from a list of roles which have access. We'd likely support a pluggable backend component (in the GraphQL server) that accepts 2 inputs:
and returns a simple boolean which represents whether the user urn has access to the dataset urn. We'd also allow for plugging in a "request access url" which would be a custom url that is redirected to when the user clicks to request access. If we can have an approach like this, we have 2 major benefits:
So given these benefits, please help me to understand why the proposed approach will be better in the long term and applicable across multiple organizations who may use it... Also, few other responses on the thread:
We can easily group inside the UI even if we do not use enum. Please change to be a string for now. We can always add back an enum later once the Domain becomes more clear. My goal with this PR is to make it as easy as possible to extend beyond your use cases! Cheers |
} | ||
|
||
type Actor { | ||
provisionedUsers: [CorpUser!] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
comments please!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
import java.net.URISyntaxException; | ||
|
||
|
||
public final class RoleUrn extends Urn { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This class is not necessary, feel free to remove!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
} | ||
record Access { | ||
|
||
roles: array[RoleAssociation] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
comments please!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
} | ||
record Access { | ||
|
||
roles: array[RoleAssociation] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
let's also make this field optional
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
"name": "AssociatedWith", | ||
"entityTypes": [ "role" ] | ||
} | ||
urn: RoleUrn |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This can just be "Urn", we recommend against using strongly-typed urns now. (they are legacy)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
/** | ||
* Provisioned users of a role | ||
*/ | ||
@Aspect = { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This does not need to be an aspect itself, just the parent record
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
"name": "Has", | ||
"entityTypes": [ "corpuser" ] | ||
} | ||
provisionedUser: Urn |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minor nitpick: rename to "user"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
/** | ||
* Link to access external access management | ||
*/ | ||
requesturl: optional string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Camel case: requestUrl
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
/** | ||
* Can be READ, ADMIN, WRITE | ||
*/ | ||
type: string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for making this a string
/** | ||
* List of provisioned users of a role | ||
*/ | ||
provisionedUsers: array[RoleProvisionedUser] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
let's just name this more simply: users
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
@Aspect = { | ||
"name": "roleProvisionedUser" | ||
} | ||
record RoleProvisionedUser { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's rename more simply: RoleUser
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For the current approach, I left some naming comments. Let's consider the above comment about the requirements and pros / cons first ^
@@ -85,7 +85,8 @@ public class DatasetType implements SearchableEntityType<Dataset, String>, Brows | |||
SIBLINGS_ASPECT_NAME, | |||
EMBED_ASPECT_NAME, | |||
DATA_PRODUCTS_ASPECT_NAME, | |||
BROWSE_PATHS_V2_ASPECT_NAME | |||
BROWSE_PATHS_V2_ASPECT_NAME, | |||
ACCESS_DATASET_ASPECT_NAME |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
indenting is inconsistent it seems!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
roles: [RoleAssociation!] | ||
} | ||
|
||
type Role implements Entity{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: Entity {
add a space
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
} | ||
|
||
type Actor { | ||
provisionedUsers: [CorpUser!] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
let's name this users
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
} | ||
|
||
type Actor { | ||
provisionedUsers: [CorpUser!] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Question: Why are we have a RoleProvisionedUser object in the GMS Backend layer but we have a list of resolved users here.
My expectation is to see:
users: [RoleUser!]!
...
type RoleUser {
// The user attached to the role
user: CorpUser!
}
here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it. Done
Hi @jjoyce0510
In our proposed approach, user can be clear about what role he has and what elevated roles he can apply. By clicking the request, we can directly redirect to IAM page for requesting the required role.
|
@@ -16,6 +16,7 @@ public class EntityTypeMapper { | |||
static final Map<EntityType, String> ENTITY_TYPE_TO_NAME = | |||
ImmutableMap.<EntityType, String>builder() | |||
.put(EntityType.DATASET, "dataset") | |||
.put(EntityType.ROLE, "externalRoleMetadata") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be "role"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yup. Done
@jjoyce0510 The flow was specifically designed based on the user needs so they can raise for appropriate role from Datahub itself to save time. The search doesnt end at Datahub, it just begins and user go to IAM role or Notebooks depending on their access. Please note that this is one of the step as part of Data Discovery which we are trying to solve as part of Datahub. |
datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/GmsGraphQLEngine.java
Show resolved
Hide resolved
Once this is green, we will merge. I will take over and fix some of the naming issues that now exist. |
(Approved for run - hoping to merge this tomorrow morning PST) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! Thanks for the hard work here.
Cheers
John
Although this change is great and solves important problems, we see some limitations:
Our organisation is working on a data model with more potential feature support, and fortunately it does not seem to conflict with the above change so far 🍀. If anyone wishes we are keen to align with more details 😊 |
The aim of this feature is to enable users to view the required roles (Roles/Policies defined in Access Management System of an organisation) for accessing a dataset in that organisation. Also, should be able to request for the appropriate roles from the Datahub frontend to the organisation via urls.
Will attach details RFC document
Checklist