Skip to content

feat(secret): add SecretService caller guard with ENFORCE default#17995

Open
david-leifker wants to merge 1 commit into
masterfrom
feat/secret-service-caller-guard-enforce
Open

feat(secret): add SecretService caller guard with ENFORCE default#17995
david-leifker wants to merge 1 commit into
masterfrom
feat/secret-service-caller-guard-enforce

Conversation

@david-leifker

@david-leifker david-leifker commented Jun 22, 2026

Copy link
Copy Markdown
Collaborator

Add caller guard modes (ENFORCE, AUDIT, DISABLED) to SecretService, thread OperationContext through encrypt/decrypt call sites, and default SECRET_SERVICE_CALLER_GUARD_MODE to ENFORCE. Document secure-by-default secret handling for OSS datahub-actions and Cloud embedded executors.

@github-actions github-actions Bot added docs Issues and Improvements to docs product PR or Issue related to the DataHub UI/UX devops PR or Issue related to DataHub backend & deployment smoke_test Contains changes related to smoke tests labels Jun 22, 2026
@codecov

codecov Bot commented Jun 22, 2026
edited
Loading

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 87.06897% with 15 lines in your changes missing coverage. Please review.
✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
...atahubproject/metadata/services/SecretService.java 88.63% 2 Missing and 3 partials ⚠️
...graphql/resolvers/connection/ConnectionMapper.java 50.00% 1 Missing and 3 partials ⚠️
...io/datahubproject/metadata/context/AgentClass.java 91.66% 1 Missing and 1 partial ⚠️
...ubproject/metadata/services/RestrictedService.java 0.00% 2 Missing ⚠️
...datahub/authentication/user/NativeUserService.java 90.00% 1 Missing ⚠️
...factory/context/services/SecretServiceFactory.java 80.00% 0 Missing and 1 partial ⚠️

📢 Thoughts on this report? Let us know!

@david-leifker david-leifker force-pushed the feat/secret-service-caller-guard-enforce branch from b4eb5db to 5b84e8c Compare June 22, 2026 19:06
@david-leifker @cursoragent
feat(secret): add SecretService caller guard with ENFORCE default
720546b 
Add caller guard modes (ENFORCE, AUDIT, DISABLED) to SecretService,
thread OperationContext through encrypt/decrypt call sites, and default
SECRET_SERVICE_CALLER_GUARD_MODE to ENFORCE. Document secure-by-default
secret handling for OSS datahub-actions and Cloud embedded executors.

Co-authored-by: Cursor <cursoragent@cursor.com>
@david-leifker david-leifker force-pushed the feat/secret-service-caller-guard-enforce branch from 5b84e8c to 720546b Compare June 22, 2026 20:25
@maggiehays maggiehays added the needs-review Label for PRs that need review from a maintainer. label Jun 22, 2026
@david-leifker david-leifker enabled auto-merge (squash) June 23, 2026 00:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

devops PR or Issue related to DataHub backend & deployment docs Issues and Improvements to docs needs-review Label for PRs that need review from a maintainer. product PR or Issue related to the DataHub UI/UX smoke_test Contains changes related to smoke tests

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@david-leifker @maggiehays