Skip to content

Fixes #29467: expose Trigger in ingestionPipeline descriptor and require EditAll to kill#29530

Merged
manerow merged 3 commits into
mainfrom
fix/ingestionpipeline-permissions-29467
Jun 29, 2026
Merged

Fixes #29467: expose Trigger in ingestionPipeline descriptor and require EditAll to kill#29530
manerow merged 3 commits into
mainfrom
fix/ingestionpipeline-permissions-29467

Conversation

@manerow

@manerow manerow commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Fixes #29467

Describe your changes

Backend half of the ingestion-pipeline permission alignment. Two fixes in IngestionPipelineResource:

1. Expose Trigger in the ingestionPipeline resource descriptor. Since #28109 (1.12.9), POST /services/ingestionPipelines/trigger/{id} authorizes ingestionPipeline.Trigger, but Trigger was never added to the resource descriptor — so it could only be granted under All Resources (which over-grants, since the same op governs Apps, AI Automations, and Dynamic Agents). getEntitySpecificOperations() now includes MetadataOperation.TRIGGER, so the policy editor lists it under Ingestion Pipeline and admins can grant it scoped.

2. Require EditAll to kill a pipeline. POST /services/ingestionPipelines/kill/{id} ran through the standard read path (getInternalgetViewOperations), so it only required ingestionPipeline.ViewAll — a read-level permission for a disruptive action, and a mismatch with the UI which gates Kill on EditAll. killIngestion now authorizes MetadataOperation.EDIT_ALL up front. This adds the edit gate on top of the pre-existing view read (it does not relax anything); EditAll does not subsume view ops, which is why the read path's ViewAll is unchanged.

Note on Deploy: the deploy endpoint's DEPLOY operation only feeds limits.enforceLimits, never authorize() — its real RBAC check is EditAll via createOrUpdate. So no descriptor change is needed for Deploy and the UI should keep Deploy/Re-deploy on EditAll. Only Run and Kill were misaligned.

Type of change

  • Bug fix

Tests

Added to IngestionPipelineOwnerInheritanceIT (the IT introduced by #28109):

  • test_ingestionPipelineDescriptorExposesTriggerGET /v1/policies/resources returns the ingestionPipeline descriptor with Trigger in its operations.
  • test_killRequiresEditPermission — a ViewAll-only user can read a pipeline but is forbidden from killing it (fails without fix 2); a ViewAll+EditAll user can kill.

mvn spotless:apply applied; openmetadata-service compiles and openmetadata-integration-tests test-compiles clean.

Related

Greptile Summary

This PR closes two RBAC gaps in IngestionPipelineResource: it adds MetadataOperation.TRIGGER to the entity's descriptor so the permission can be granted scoped to Ingestion Pipeline in the policy editor, and it inserts an explicit EditAll authorization check at the entry of killIngestion to stop view-only users from calling the kill endpoint.

  • Descriptor fix: getEntitySpecificOperations() now returns TRIGGER alongside the existing entity-specific ops, making it visible in the policy editor without requiring an over-broad "All Resources" grant.
  • Kill permission fix: killIngestion now calls authorizer.authorize(…, EDIT_ALL, …) before getInternal(), so a ViewAll-only principal receives a 403 rather than reaching the orchestrator client.
  • Tests: Two new integration tests in IngestionPipelineOwnerInheritanceIT — one asserting the descriptor contains TRIGGER, one verifying the ViewAll/EditAll boundary using ForbiddenException-aware assertions.

Confidence Score: 5/5

Safe to merge — both changes are minimal additive authorization checks with no risk of relaxing existing access controls.

The backend change is a two-line addition to the descriptor and a three-line guard at the top of killIngestion. Neither path removes or weakens an existing check; the kill endpoint only gains a stricter gate. The integration tests directly exercise both scenarios (view-only to 403, edit to pass) and address the concerns raised in the previous review round.

No files require special attention.

Important Files Changed

Filename Overview
openmetadata-service/src/main/java/org/openmetadata/service/resources/services/ingestionpipelines/IngestionPipelineResource.java Two targeted RBAC fixes: adds MetadataOperation.TRIGGER to getEntitySpecificOperations() so it appears in the policy editor, and inserts an explicit EditAll authorize() call at the top of killIngestion() before the existing view-path check.
openmetadata-integration-tests/src/test/java/org/openmetadata/it/tests/IngestionPipelineOwnerInheritanceIT.java Adds two integration tests: one verifies the descriptor exposes Trigger, the other verifies view-only users receive 403 on kill while edit users pass. Previous review concerns (overly broad exception type, environment-dependent success) are addressed by using ForbiddenException.class and try/catch pattern.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant Client
    participant KillEndpoint as POST /kill/{id}
    participant Authorizer
    participant DB as Entity Store
    participant PSC as PipelineServiceClient

    Client->>KillEndpoint: "POST kill/{id}"
    Note over KillEndpoint: NEW: explicit EditAll check
    KillEndpoint->>Authorizer: authorize(EDIT_ALL, getResourceContextById(id))
    Authorizer-->>KillEndpoint: 403 if not EditAll
    Note over KillEndpoint: Pre-existing: getInternal ViewAll check
    KillEndpoint->>DB: getInternal (fetches + ViewAll auth)
    DB-->>KillEndpoint: IngestionPipeline
    KillEndpoint->>KillEndpoint: decryptOrNullify(pipeline)
    alt "pipelineServiceClient == null"
        KillEndpoint-->>Client: 200 Pipeline Client Disabled
    else
        KillEndpoint->>PSC: killIngestion(pipeline)
        PSC-->>KillEndpoint: PipelineServiceClientResponse
        KillEndpoint-->>Client: response
    end
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant Client
    participant KillEndpoint as POST /kill/{id}
    participant Authorizer
    participant DB as Entity Store
    participant PSC as PipelineServiceClient

    Client->>KillEndpoint: "POST kill/{id}"
    Note over KillEndpoint: NEW: explicit EditAll check
    KillEndpoint->>Authorizer: authorize(EDIT_ALL, getResourceContextById(id))
    Authorizer-->>KillEndpoint: 403 if not EditAll
    Note over KillEndpoint: Pre-existing: getInternal ViewAll check
    KillEndpoint->>DB: getInternal (fetches + ViewAll auth)
    DB-->>KillEndpoint: IngestionPipeline
    KillEndpoint->>KillEndpoint: decryptOrNullify(pipeline)
    alt "pipelineServiceClient == null"
        KillEndpoint-->>Client: 200 Pipeline Client Disabled
    else
        KillEndpoint->>PSC: killIngestion(pipeline)
        PSC-->>KillEndpoint: PipelineServiceClientResponse
        KillEndpoint-->>Client: response
    end
Loading

Reviews (3): Last reviewed commit: "test(ingestion-pipeline): trim kill-test..." | Re-trigger Greptile

@manerow manerow added the To release Will cherry-pick this PR into the release branch label Jun 26, 2026
@github-actions

github-actions Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

✅ PR checks passed

The linked issue has a description and all required Shipping project fields set. Thanks!

@github-actions github-actions Bot added backend safe to test Add this label to run secure Github workflows on PRs labels Jun 26, 2026
@sonarqubecloud

Copy link
Copy Markdown

@github-actions

Copy link
Copy Markdown
Contributor

🟡 Playwright Results — all passed (26 flaky)

✅ 4446 passed · ❌ 0 failed · 🟡 26 flaky · ⏭️ 38 skipped

Shard Passed Failed Flaky Skipped
🟡 Shard 1 322 0 3 4
🟡 Shard 2 822 0 7 9
🟡 Shard 3 830 0 1 7
🟡 Shard 4 820 0 6 10
🟡 Shard 5 870 0 3 0
🟡 Shard 6 782 0 6 8
🟡 26 flaky test(s) (passed on retry)
  • Pages/AuditLogs.spec.ts › should validate export response structure (shard 1, 1 retry)
  • Flow/SearchRBAC.spec.ts › User without permission (shard 1, 1 retry)
  • Flow/SearchRBAC.spec.ts › the browse tree only shows the asset-type categories a user can access (shard 1, 2 retries)
  • Features/BulkEditEntity.spec.ts › Database (shard 2, 1 retry)
  • Features/BulkEditEntity.spec.ts › Table (shard 2, 1 retry)
  • Features/BulkImport.spec.ts › Database (shard 2, 2 retries)
  • Features/BulkImport.spec.ts › Database Schema (shard 2, 2 retries)
  • Features/BulkImport.spec.ts › Keyboard Delete selection (shard 2, 2 retries)
  • Features/ContextCenter.spec.ts › delete button on the row deletes the memory after confirmation (shard 2, 1 retry)
  • Features/DataQuality/TestCaseImportExportE2eFlow.spec.ts › Admin: Complete export-import-validate flow (shard 2, 2 retries)
  • Features/Glossary/LargeGlossaryPerformance.spec.ts › should expand and collapse all terms (shard 3, 1 retry)
  • Flow/IngestionBot.spec.ts › Ingestion bot should be able to access domain specific domain (shard 4, 2 retries)
  • Flow/PersonaFlow.spec.ts › Set default persona for team should work properly (shard 4, 1 retry)
  • Pages/CustomProperties.spec.ts › Time Interval (shard 4, 1 retry)
  • Pages/CustomProperties.spec.ts › Date (shard 4, 1 retry)
  • Pages/DataContracts.spec.ts › Create Data Contract and validate for Database (shard 4, 1 retry)
  • Pages/DataContracts.spec.ts › Contract Status badge should be visible on condition if Contract Tab is present/hidden by Persona (shard 4, 1 retry)
  • Pages/Entity.spec.ts › Tier Add, Update and Remove (shard 5, 1 retry)
  • Pages/EntityDataConsumer.spec.ts › Tier Add, Update and Remove (shard 5, 1 retry)
  • Pages/ExplorePageRightPanel_KnowledgeCenter.spec.ts › Should remove user owner for knowledgeCenter (shard 5, 1 retry)
  • Pages/GlossaryImportExport.spec.ts › Check for Circular Reference in Glossary Import (shard 6, 1 retry)
  • Pages/Lineage/LineageFilters.spec.ts › Verify lineage schema filter selection (shard 6, 1 retry)
  • Pages/Lineage/LineageRightPanel.spec.ts › Verify custom properties tab IS visible for supported type: searchIndex (shard 6, 1 retry)
  • Pages/Lineage/PlatformLineage.spec.ts › Verify domain platform view (shard 6, 1 retry)
  • Pages/LogsViewer.spec.ts › Logs page shows breadcrumb, summary, and log viewer or empty state after opening from bundle suite pipeline tab (shard 6, 1 retry)
  • Pages/UserDetails.spec.ts › Admin user can edit teams from the user profile (shard 6, 1 retry)

📦 Download artifacts

How to debug locally
# Download playwright-test-results-<shard> artifact and unzip
npx playwright show-trace path/to/trace.zip    # view trace

@manerow manerow merged commit f7dd54f into main Jun 29, 2026
66 of 67 checks passed
@manerow manerow deleted the fix/ingestionpipeline-permissions-29467 branch June 29, 2026 06:41
@github-actions

Copy link
Copy Markdown
Contributor

Changes have been cherry-picked to the 1.13 branch.

github-actions Bot pushed a commit that referenced this pull request Jun 29, 2026
…ire EditAll to kill (#29530)

* fix(ingestion-pipeline): expose Trigger in resource descriptor and require EditAll to kill

* test(ingestion-pipeline): assert ForbiddenException for kill authz and make editor case orchestrator-independent

* test(ingestion-pipeline): trim kill-test comments to the essentials

(cherry picked from commit f7dd54f)
@github-actions

Copy link
Copy Markdown
Contributor

Changes have been cherry-picked to the 1.12.13 branch.

github-actions Bot pushed a commit that referenced this pull request Jun 29, 2026
…ire EditAll to kill (#29530)

* fix(ingestion-pipeline): expose Trigger in resource descriptor and require EditAll to kill

* test(ingestion-pipeline): assert ForbiddenException for kill authz and make editor case orchestrator-independent

* test(ingestion-pipeline): trim kill-test comments to the essentials

(cherry picked from commit f7dd54f)
@gitar-bot

gitar-bot Bot commented Jun 29, 2026

Copy link
Copy Markdown
Code Review ✅ Approved

Exposes Trigger in the ingestionPipeline descriptor and enforces EditAll for kill operations, closing existing RBAC gaps. Verified with new integration tests for permission scoping and authorization enforcement.

Options

Display: compact → Showing less information.

Comment with these commands to change:

Compact
gitar display:verbose         

Was this helpful? React with 👍 / 👎 | Gitar

mohityadav766 added a commit that referenced this pull request Jun 29, 2026
…and require EditAll to kill (#29530)"

This reverts commit 2a65a05.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backend safe to test Add this label to run secure Github workflows on PRs To release Will cherry-pick this PR into the release branch

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Align ingestionPipeline backend permissions: expose Trigger in the resource descriptor + tighten Kill authz (ViewAll → EditAll)

2 participants