Fix #26863 certification tags leaking into tags field on LIST and missing appliedBy audit trail#26876
Merged
Fix #26863 certification tags leaking into tags field on LIST and missing appliedBy audit trail#26876
Conversation
…pliedBy audit trail - batchFetchTags() now filters out certification tags (matching the existing single-entity getTags() behavior), preventing cert tags from appearing in the tags field when entities are fetched via the LIST endpoint - applyCertification() propagates tagLabel.getAppliedBy() instead of null, preserving the audit trail of who applied the certification - updateCertification() sets appliedBy from updatingUser before calling applyCertification(), so the author is recorded on PATCH/PUT - applyCertificationBatch() includes appliedBy from the incoming tagLabel when building the batch TagLabel - Unit tests: batchFetchTagsFiltersCertificationTags, applyCertificationPropagatesAppliedBy, applyCertificationBatchPropagatesAppliedBy - Integration test: test_certificationTagNotLeakingIntoTagsField verifies both GET (single) and LIST (batch) paths exclude cert tags from tags field Fixes findings from Gitar bot review on #26826 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
yan-3005
added
safe to test
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes two certification-related issues in the backend tagging pipeline: (1) preventing certification tags from appearing in the regular tags field for LIST (batch) fetches, and (2) preserving appliedBy when applying/updating certifications so audit trails correctly record who applied them.
Changes:
- Filter out certification tags from
batchFetchTags()results to match single-entitygetTags()behavior. - Propagate/set
appliedBywhen applying certifications (single + batch) and during certification updates. - Add unit + integration tests covering both batch tag filtering and
appliedBypropagation.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/EntityRepository.java | Filters cert tags out of batch tag fetches and propagates appliedBy in certification application/update flows. |
| openmetadata-service/src/test/java/org/openmetadata/service/jdbi3/EntityRepositoryCertificationTest.java | Adds unit tests for cert-tag filtering in batch fetch and appliedBy propagation in certification writes. |
| openmetadata-integration-tests/src/test/java/org/openmetadata/it/tests/TagResourceIT.java | Adds an integration test ensuring certification tags don’t leak into the tags field on both GET and LIST paths. |
openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/EntityRepository.java
Show resolved
Hide resolved
openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/EntityRepository.java
Show resolved
Hide resolved
openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/EntityRepository.java
Show resolved
Hide resolved
…ry list copy - applyCertification/applyCertificationBatch: use entity.getUpdatedBy() instead of tagLabel.getAppliedBy() so the audit trail reflects the authenticated server-side user, preventing client-provided appliedBy from being trusted/spoofed - batchFetchTags: removeIf directly on the mutable list returned by populateTagLabel instead of defensively copying on every entity - Update unit tests to set updatedBy on the entity (not on the tagLabel) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Contributor
🟡 Playwright Results — all passed (21 flaky)✅ 3445 passed · ❌ 0 failed · 🟡 21 flaky · ⏭️ 223 skipped
🟡 21 flaky test(s) (passed on retry)
How to debug locally# Download playwright-test-results-<shard> artifact and unzip
npx playwright show-trace path/to/trace.zip # view trace |
- Rename applyCertificationPropagatesAppliedBy to applyCertificationUsesEntityUpdatedByAsAppliedBy - Rename applyCertificationBatchPropagatesAppliedBy to applyCertificationBatchUsesEntityUpdatedByAsAppliedBy Names now accurately reflect that entity.getUpdatedBy() (server-side) is the source of appliedBy, not the incoming tagLabel field - Run yarn ui-checkstyle and mvn spotless:apply to fix formatting Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Contributor
Jest test CoverageUI tests summary
|
…perator The `?` operator in `json::jsonb ? 'certification'` was interpreted by JDBI3 as a positional parameter, causing UnableToCreateStatementException during the v1125 certification migration on PostgreSQL. Escape with `??` so JDBI3 passes a literal `?` to the database driver. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Code Review ✅ ApprovedFixes certification tags leaking into the tags field on LIST operations and restores the missing appliedBy audit trail. No issues found. OptionsDisplay: compact → Showing less information. Comment with these commands to change:
Was this helpful? React with 👍 / 👎 | Gitar |
yan-3005
changed the title
|
|
anuj-kumary
approved these changes
Mar 31, 2026
yan-3005
added a commit
that referenced
this pull request
Apr 1, 2026
…sing appliedBy audit trail (#26876) * Fix certification tags leaking into tags field on LIST and missing appliedBy audit trail - batchFetchTags() now filters out certification tags (matching the existing single-entity getTags() behavior), preventing cert tags from appearing in the tags field when entities are fetched via the LIST endpoint - applyCertification() propagates tagLabel.getAppliedBy() instead of null, preserving the audit trail of who applied the certification - updateCertification() sets appliedBy from updatingUser before calling applyCertification(), so the author is recorded on PATCH/PUT - applyCertificationBatch() includes appliedBy from the incoming tagLabel when building the batch TagLabel - Unit tests: batchFetchTagsFiltersCertificationTags, applyCertificationPropagatesAppliedBy, applyCertificationBatchPropagatesAppliedBy - Integration test: test_certificationTagNotLeakingIntoTagsField verifies both GET (single) and LIST (batch) paths exclude cert tags from tags field Fixes findings from Gitar bot review on #26826 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Address Copilot review: use server-side updatedBy and avoid unnecessary list copy - applyCertification/applyCertificationBatch: use entity.getUpdatedBy() instead of tagLabel.getAppliedBy() so the audit trail reflects the authenticated server-side user, preventing client-provided appliedBy from being trusted/spoofed - batchFetchTags: removeIf directly on the mutable list returned by populateTagLabel instead of defensively copying on every entity - Update unit tests to set updatedBy on the entity (not on the tagLabel) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Fix certification column missing on all list/service views Now that batchFetchTags() correctly filters certification tags from the tags field (matching single-entity getTags() behavior), list views can no longer rely on cert tags leaking into tags as a fallback. Request the dedicated certification field explicitly instead. - Add TabSpecificField.CERTIFICATION to commonTableFields — fixes ServiceDetailsPage (all 12 fetch functions), SchemaTablesTab, DataModelsTable, and ServiceVersionPage.fetchDirectories in one shot - Fix ServiceVersionPage: 8 fetch functions (databases, topics, dashboards, pipelines, mlModels, containers, searchIndexes, collections) that manually specify OWNERS,TAGS — each updated to include CERTIFICATION - DatabaseSchemaTable: remove now-redundant explicit CERTIFICATION addition since commonTableFields already includes it Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Address Copilot review: rename misleading test names and fix lint - Rename applyCertificationPropagatesAppliedBy to applyCertificationUsesEntityUpdatedByAsAppliedBy - Rename applyCertificationBatchPropagatesAppliedBy to applyCertificationBatchUsesEntityUpdatedByAsAppliedBy Names now accurately reflect that entity.getUpdatedBy() (server-side) is the source of appliedBy, not the incoming tagLabel field - Run yarn ui-checkstyle and mvn spotless:apply to fix formatting Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Fix JDBI3 positional param error for PostgreSQL JSONB key-existence operator The `?` operator in `json::jsonb ? 'certification'` was interpreted by JDBI3 as a positional parameter, causing UnableToCreateStatementException during the v1125 certification migration on PostgreSQL. Escape with `??` so JDBI3 passes a literal `?` to the database driver. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> (cherry picked from commit 2ef1420)
ulixius9
pushed a commit
that referenced
this pull request
Apr 6, 2026
…sing appliedBy audit trail (#26876) * Fix certification tags leaking into tags field on LIST and missing appliedBy audit trail - batchFetchTags() now filters out certification tags (matching the existing single-entity getTags() behavior), preventing cert tags from appearing in the tags field when entities are fetched via the LIST endpoint - applyCertification() propagates tagLabel.getAppliedBy() instead of null, preserving the audit trail of who applied the certification - updateCertification() sets appliedBy from updatingUser before calling applyCertification(), so the author is recorded on PATCH/PUT - applyCertificationBatch() includes appliedBy from the incoming tagLabel when building the batch TagLabel - Unit tests: batchFetchTagsFiltersCertificationTags, applyCertificationPropagatesAppliedBy, applyCertificationBatchPropagatesAppliedBy - Integration test: test_certificationTagNotLeakingIntoTagsField verifies both GET (single) and LIST (batch) paths exclude cert tags from tags field Fixes findings from Gitar bot review on #26826 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Address Copilot review: use server-side updatedBy and avoid unnecessary list copy - applyCertification/applyCertificationBatch: use entity.getUpdatedBy() instead of tagLabel.getAppliedBy() so the audit trail reflects the authenticated server-side user, preventing client-provided appliedBy from being trusted/spoofed - batchFetchTags: removeIf directly on the mutable list returned by populateTagLabel instead of defensively copying on every entity - Update unit tests to set updatedBy on the entity (not on the tagLabel) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Fix certification column missing on all list/service views Now that batchFetchTags() correctly filters certification tags from the tags field (matching single-entity getTags() behavior), list views can no longer rely on cert tags leaking into tags as a fallback. Request the dedicated certification field explicitly instead. - Add TabSpecificField.CERTIFICATION to commonTableFields — fixes ServiceDetailsPage (all 12 fetch functions), SchemaTablesTab, DataModelsTable, and ServiceVersionPage.fetchDirectories in one shot - Fix ServiceVersionPage: 8 fetch functions (databases, topics, dashboards, pipelines, mlModels, containers, searchIndexes, collections) that manually specify OWNERS,TAGS — each updated to include CERTIFICATION - DatabaseSchemaTable: remove now-redundant explicit CERTIFICATION addition since commonTableFields already includes it Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Address Copilot review: rename misleading test names and fix lint - Rename applyCertificationPropagatesAppliedBy to applyCertificationUsesEntityUpdatedByAsAppliedBy - Rename applyCertificationBatchPropagatesAppliedBy to applyCertificationBatchUsesEntityUpdatedByAsAppliedBy Names now accurately reflect that entity.getUpdatedBy() (server-side) is the source of appliedBy, not the incoming tagLabel field - Run yarn ui-checkstyle and mvn spotless:apply to fix formatting Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Fix JDBI3 positional param error for PostgreSQL JSONB key-existence operator The `?` operator in `json::jsonb ? 'certification'` was interpreted by JDBI3 as a positional parameter, causing UnableToCreateStatementException during the v1125 certification migration on PostgreSQL. Escape with `??` so JDBI3 passes a literal `?` to the database driver. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes findings from Gitar bot review on #26826
Describe your changes:
Fixes #26863
I worked on ... because ...
Type of change:
Checklist:
Fixes <issue-number>: <short explanation>