Merge pull request #3413 from atlanhq/wf_service_account

ChiragMadan1 · web-flow · commit 194ee0bc73e4 · 2024-08-26T17:12:26.000+05:30
WIN-24 | Grant permissions to governance workflow client
diff --git a/addons/policies/bootstrap_entity_policies.json b/addons/policies/bootstrap_entity_policies.json
@@ -2120,7 +2120,8 @@
                 [
                     "admin",
                     "service-account-atlan-argo",
-                    "service-account-atlan-backend"
+                    "service-account-atlan-backend",
+                    "atlan-governance-workflows"
                 ],
                 "policyGroups":
                 [],
@@ -2185,7 +2186,8 @@
                 [
                     "admin",
                     "service-account-atlan-argo",
-                    "service-account-atlan-backend"
+                    "service-account-atlan-backend",
+                    "atlan-governance-workflows"
                 ],
                 "policyGroups":
                 [],
@@ -2221,7 +2223,8 @@
                 [
                     "admin",
                     "service-account-atlan-argo",
-                    "service-account-atlan-backend"
+                    "service-account-atlan-backend",
+                    "atlan-governance-workflows"
                 ],
                 "policyGroups":
                 [],
@@ -2441,7 +2444,8 @@
                 "policyUsers":
                 [
                     "service-account-atlan-argo",
-                    "service-account-atlan-backend"
+                    "service-account-atlan-backend",
+                    "atlan-governance-workflows"
                 ],
                 "policyGroups":
                 [],
@@ -2551,7 +2555,8 @@
                 "policyUsers":
                 [
                     "service-account-atlan-argo",
-                    "service-account-atlan-backend"
+                    "service-account-atlan-backend",
+                    "atlan-governance-workflows"
                 ],
                 "policyGroups":
                 [],
@@ -2587,7 +2592,8 @@
                 "policyUsers":
                 [
                     "service-account-atlan-argo",
-                    "service-account-atlan-backend"
+                    "service-account-atlan-backend",
+                    "atlan-governance-workflows"
                 ],
                 "policyGroups":
                 [],
@@ -2622,7 +2628,8 @@
                 "policyUsers":
                 [
                     "service-account-atlan-argo",
-                    "service-account-atlan-backend"
+                    "service-account-atlan-backend",
+                    "atlan-governance-workflows"
                 ],
                 "policyGroups":
                 [],
@@ -2657,7 +2664,8 @@
                 "policyUsers":
                 [
                     "service-account-atlan-argo",
-                    "service-account-atlan-backend"
+                    "service-account-atlan-backend",
+                    "atlan-governance-workflows"
                 ],
                 "policyGroups":
                 [],
diff --git a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/AuthPolicyValidator.java b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/AuthPolicyValidator.java
@@ -307,8 +307,10 @@ public void validate(AtlasEntity policy, AtlasEntity existingPolicy,
             //only allow argo & backend
             if (!RequestContext.get().isSkipAuthorizationCheck()) {
                 String userName = RequestContext.getCurrentUser();
-                validateOperation (!ARGO_SERVICE_USER_NAME.equals(userName) && !BACKEND_SERVICE_USER_NAME.equals(userName),
-                        "Create/Update AuthPolicy with policyCategory other than persona, purpose and datamesh");
+                validateOperation (!ARGO_SERVICE_USER_NAME.equals(userName) && 
+                !BACKEND_SERVICE_USER_NAME.equals(userName) && 
+                !GOVERNANCE_WORKFLOWS_SERVICE_USER_NAME.equals(userName),
+                    "Create/Update AuthPolicy with policyCategory other than persona, purpose and datamesh");
             }
         }
     }
diff --git a/repository/src/main/java/org/apache/atlas/repository/util/AccessControlUtils.java b/repository/src/main/java/org/apache/atlas/repository/util/AccessControlUtils.java
@@ -114,6 +114,7 @@ public final class AccessControlUtils {
     public static final String CONN_NAME_PATTERN = "connection_admins_%s";
     public static final String ARGO_SERVICE_USER_NAME = "service-account-atlan-argo";
     public static final String BACKEND_SERVICE_USER_NAME = "service-account-atlan-backend";
+    public static final String GOVERNANCE_WORKFLOWS_SERVICE_USER_NAME = "atlan-governance-workflows";
 
     public static final String INSTANCE_DOMAIN_KEY = "instance";
 

Original file line number	Diff line number	Diff line change
`@@ -307,8 +307,10 @@ public void validate(AtlasEntity policy, AtlasEntity existingPolicy,`
`307`	`307`	`//only allow argo & backend`
`308`	`308`	`if (!RequestContext.get().isSkipAuthorizationCheck()) {`
`309`	`309`	`String userName = RequestContext.getCurrentUser();`
`310`		`- validateOperation (!ARGO_SERVICE_USER_NAME.equals(userName) && !BACKEND_SERVICE_USER_NAME.equals(userName),`
`311`		`- "Create/Update AuthPolicy with policyCategory other than persona, purpose and datamesh");`
	`310`	`+ validateOperation (!ARGO_SERVICE_USER_NAME.equals(userName) &&`
	`311`	`+ !BACKEND_SERVICE_USER_NAME.equals(userName) &&`
	`312`	`+ !GOVERNANCE_WORKFLOWS_SERVICE_USER_NAME.equals(userName),`
	`313`	`+ "Create/Update AuthPolicy with policyCategory other than persona, purpose and datamesh");`
`312`	`314`	`}`
`313`	`315`	`}`
`314`	`316`	`}`