feat(model): add unified system entity data access control

Introduce @SystemEntity/@System annotations, dataHubSystemState entity, and
three enforcement layers (AuthUtil API gate, DAO read filter, write validator)
with a single configuration toggle for operators.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: david-leifker

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/knowledge/DocumentChangeHistoryResolver.java

@@ -74,6 +74,7 @@ public CompletableFuture<List<DocumentChange>> get(DataFetchingEnvironment envir
             // Get timeline from TimelineService
             List<ChangeTransaction> transactions =
                 _timelineService.getTimeline(
+                    context.getOperationContext(),
                     documentUrn,
                     categories,
                     startTime,

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/timeline/GetSchemaBlameResolver.java

@@ -61,7 +61,14 @@ public CompletableFuture<GetSchemaBlameResult> get(final DataFetchingEnvironment
                 Collections.singleton(ChangeCategory.TECHNICAL_SCHEMA);
             final List<ChangeTransaction> changeTransactionList =
                 _timelineService.getTimeline(
-                    datasetUrn, changeCategorySet, startTime, endTime, null, null, false);
+                    context.getOperationContext(),
+                    datasetUrn,
+                    changeCategorySet,
+                    startTime,
+                    endTime,
+                    null,
+                    null,
+                    false);
             return SchemaBlameMapper.map(changeTransactionList, version);
           } catch (Exception e) {
             log.error("Failed to list schema blame data", e);

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/timeline/GetSchemaVersionListResolver.java

@@ -60,7 +60,14 @@ public CompletableFuture<GetSchemaVersionListResult> get(
             changeCategorySet.add(ChangeCategory.TECHNICAL_SCHEMA);
             List<ChangeTransaction> changeTransactionList =
                 _timelineService.getTimeline(
-                    datasetUrn, changeCategorySet, startTime, endTime, null, null, false);
+                    context.getOperationContext(),
+                    datasetUrn,
+                    changeCategorySet,
+                    startTime,
+                    endTime,
+                    null,
+                    null,
+                    false);
             return SchemaVersionListMapper.map(changeTransactionList);
           } catch (Exception e) {
             log.error("Failed to list schema version data", e);

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/timeline/GetTimelineResolver.java

@@ -66,6 +66,7 @@ public CompletableFuture<GetTimelineResult> get(final DataFetchingEnvironment en
                     : Arrays.stream(ChangeCategory.values()).collect(Collectors.toSet());
             final List<ChangeTransaction> changeTransactionList =
                 _timelineService.getTimeline(
+                    context.getOperationContext(),
                     entityUrn,
                     changeCategorySet,
                     TimelineService.DEFAULT_MAX_CHANGE_TRANSACTIONS,

datahub-graphql-core/src/test/java/com/linkedin/datahub/graphql/resolvers/knowledge/DocumentChangeHistoryResolverTest.java

@@ -80,6 +80,7 @@ public void testGetChangeHistorySuccess() throws Exception {
     transactions.add(transaction);
 
     when(mockTimelineService.getTimeline(
+            any(),
             eq(TEST_DOCUMENT_URN),
             any(Set.class),
             anyLong(),
@@ -126,7 +127,14 @@ public void testGetChangeHistoryWithContentModification() throws Exception {
     transactions.add(transaction);
 
     when(mockTimelineService.getTimeline(
-            any(Urn.class), any(Set.class), anyLong(), anyLong(), isNull(), isNull(), eq(false)))
+            any(),
+            any(Urn.class),
+            any(Set.class),
+            anyLong(),
+            anyLong(),
+            isNull(),
+            isNull(),
+            eq(false)))
         .thenReturn(transactions);
 
     List<DocumentChange> result = resolver.get(mockEnv).get();
@@ -166,7 +174,14 @@ public void testGetChangeHistoryWithParentChange() throws Exception {
     transactions.add(transaction);
 
     when(mockTimelineService.getTimeline(
-            any(Urn.class), any(Set.class), anyLong(), anyLong(), isNull(), isNull(), eq(false)))
+            any(),
+            any(Urn.class),
+            any(Set.class),
+            anyLong(),
+            anyLong(),
+            isNull(),
+            isNull(),
+            eq(false)))
         .thenReturn(transactions);
 
     List<DocumentChange> result = resolver.get(mockEnv).get();
@@ -201,7 +216,14 @@ public void testGetChangeHistoryWithStateChange() throws Exception {
     transactions.add(transaction);
 
     when(mockTimelineService.getTimeline(
-            any(Urn.class), any(Set.class), anyLong(), anyLong(), isNull(), isNull(), eq(false)))
+            any(),
+            any(Urn.class),
+            any(Set.class),
+            anyLong(),
+            anyLong(),
+            isNull(),
+            isNull(),
+            eq(false)))
         .thenReturn(transactions);
 
     List<DocumentChange> result = resolver.get(mockEnv).get();
@@ -221,6 +243,7 @@ public void testGetChangeHistoryWithCustomTimeRange() throws Exception {
     when(mockEnv.getArgument("limit")).thenReturn(100);
 
     when(mockTimelineService.getTimeline(
+            any(),
             eq(TEST_DOCUMENT_URN),
             any(Set.class),
             eq(startTime),
@@ -235,6 +258,7 @@ public void testGetChangeHistoryWithCustomTimeRange() throws Exception {
     assertNotNull(result);
     verify(mockTimelineService, times(1))
         .getTimeline(
+            any(),
             eq(TEST_DOCUMENT_URN),
             any(Set.class),
             eq(startTime),
@@ -280,7 +304,14 @@ public void testGetChangeHistoryMultipleChanges() throws Exception {
     transactions.add(transaction2);
 
     when(mockTimelineService.getTimeline(
-            any(Urn.class), any(Set.class), anyLong(), anyLong(), isNull(), isNull(), eq(false)))
+            any(),
+            any(Urn.class),
+            any(Set.class),
+            anyLong(),
+            anyLong(),
+            isNull(),
+            isNull(),
+            eq(false)))
         .thenReturn(transactions);
 
     List<DocumentChange> result = resolver.get(mockEnv).get();
@@ -294,7 +325,14 @@ public void testGetChangeHistoryMultipleChanges() throws Exception {
   @Test(expectedExceptions = Exception.class)
   public void testGetChangeHistoryServiceThrowsException() throws Exception {
     when(mockTimelineService.getTimeline(
-            any(Urn.class), any(Set.class), anyLong(), anyLong(), isNull(), isNull(), eq(false)))
+            any(),
+            any(Urn.class),
+            any(Set.class),
+            anyLong(),
+            anyLong(),
+            isNull(),
+            isNull(),
+            eq(false)))
         .thenThrow(new RuntimeException("Service error"));
 
     // Should throw an exception when service fails
@@ -304,7 +342,14 @@ public void testGetChangeHistoryServiceThrowsException() throws Exception {
   @Test
   public void testGetChangeHistoryEmptyResult() throws Exception {
     when(mockTimelineService.getTimeline(
-            any(Urn.class), any(Set.class), anyLong(), anyLong(), isNull(), isNull(), eq(false)))
+            any(),
+            any(Urn.class),
+            any(Set.class),
+            anyLong(),
+            anyLong(),
+            isNull(),
+            isNull(),
+            eq(false)))
         .thenReturn(new ArrayList<>());
 
     List<DocumentChange> result = resolver.get(mockEnv).get();
@@ -341,7 +386,14 @@ public void testGetChangeHistoryWithRelatedAssetChange() throws Exception {
     transactions.add(transaction);
 
     when(mockTimelineService.getTimeline(
-            any(Urn.class), any(Set.class), anyLong(), anyLong(), isNull(), isNull(), eq(false)))
+            any(),
+            any(Urn.class),
+            any(Set.class),
+            anyLong(),
+            anyLong(),
+            isNull(),
+            isNull(),
+            eq(false)))
         .thenReturn(transactions);
 
     List<DocumentChange> result = resolver.get(mockEnv).get();
@@ -394,7 +446,14 @@ public void testGetChangeHistoryRespectsLimit() throws Exception {
 
     when(mockEnv.getArgument("limit")).thenReturn(10);
     when(mockTimelineService.getTimeline(
-            any(Urn.class), any(Set.class), anyLong(), anyLong(), isNull(), isNull(), eq(false)))
+            any(),
+            any(Urn.class),
+            any(Set.class),
+            anyLong(),
+            anyLong(),
+            isNull(),
+            isNull(),
+            eq(false)))
         .thenReturn(transactions);
 
     List<DocumentChange> result = resolver.get(mockEnv).get();

datahub-graphql-core/src/test/java/com/linkedin/datahub/graphql/resolvers/timeline/GetSchemaBlameResolverTest.java

@@ -39,7 +39,7 @@ public void testGetUnauthorizedThrowsAndDoesNotQueryDb() throws Exception {
   public void testGetAuthorizedInvokesTimelineService() throws Exception {
     TimelineService mockTimelineService = mock(TimelineService.class);
     when(mockTimelineService.getTimeline(
-            any(), any(), anyLong(), anyLong(), any(), any(), anyBoolean()))
+            any(), any(), any(), anyLong(), anyLong(), any(), any(), anyBoolean()))
         .thenReturn(Collections.emptyList());
 
     GetSchemaBlameResolver resolver = new GetSchemaBlameResolver(mockTimelineService);
@@ -54,6 +54,6 @@ public void testGetAuthorizedInvokesTimelineService() throws Exception {
 
     resolver.get(mockEnv).get();
     verify(mockTimelineService, times(1))
-        .getTimeline(any(), any(), anyLong(), anyLong(), any(), any(), anyBoolean());
+        .getTimeline(any(), any(), any(), anyLong(), anyLong(), any(), any(), anyBoolean());
   }
 }

datahub-graphql-core/src/test/java/com/linkedin/datahub/graphql/resolvers/timeline/GetSchemaVersionListResolverTest.java

@@ -39,7 +39,7 @@ public void testGetUnauthorizedThrowsAndDoesNotQueryDb() throws Exception {
   public void testGetAuthorizedInvokesTimelineService() throws Exception {
     TimelineService mockTimelineService = mock(TimelineService.class);
     when(mockTimelineService.getTimeline(
-            any(), any(), anyLong(), anyLong(), any(), any(), anyBoolean()))
+            any(), any(), any(), anyLong(), anyLong(), any(), any(), anyBoolean()))
         .thenReturn(Collections.emptyList());
 
     GetSchemaVersionListResolver resolver = new GetSchemaVersionListResolver(mockTimelineService);
@@ -54,6 +54,6 @@ public void testGetAuthorizedInvokesTimelineService() throws Exception {
 
     resolver.get(mockEnv).get();
     verify(mockTimelineService, times(1))
-        .getTimeline(any(), any(), anyLong(), anyLong(), any(), any(), anyBoolean());
+        .getTimeline(any(), any(), any(), anyLong(), anyLong(), any(), any(), anyBoolean());
   }
 }

datahub-graphql-core/src/test/java/com/linkedin/datahub/graphql/resolvers/timeline/GetTimelineResolverTest.java

@@ -63,7 +63,7 @@ public void testGetUnauthorizedThrowsAndDoesNotQueryDb() {
   @Test
   public void testGetAuthorizedReturnsResult() throws Exception {
     TimelineService mockTimelineService = mock(TimelineService.class);
-    when(mockTimelineService.getTimeline(any(), any(), anyInt(), anyBoolean()))
+    when(mockTimelineService.getTimeline(any(), any(), any(), anyInt(), anyBoolean()))
         .thenReturn(List.of());
 
     GetTimelineResolver resolver = new GetTimelineResolver(mockTimelineService);
@@ -77,6 +77,6 @@ public void testGetAuthorizedReturnsResult() throws Exception {
     when(mockEnv.getArgument("input")).thenReturn(input);
 
     assertNotNull(resolver.get(mockEnv).get());
-    verify(mockTimelineService, times(1)).getTimeline(any(), any(), anyInt(), anyBoolean());
+    verify(mockTimelineService, times(1)).getTimeline(any(), any(), any(), anyInt(), anyBoolean());
   }
 }

docs-website/sidebars.js

@@ -1393,6 +1393,7 @@ module.exports = {
           ],
         },
         "docs/modeling/extending-the-metadata-model",
+        "docs/modeling/system-data",
         "docs/advanced/api-tracing",
         "docs/advanced/micrometer-best-practices",
         "datahub-web-react/src/app/analytics/README",

docs/modeling/extending-the-metadata-model.md

@@ -803,3 +803,8 @@ replaces it with its own- this has a different boostScore and a different fieldN
 As a result, you can issue a query specifically for tags on Schema Fields via `fieldTags:<tag_name>` or tags directly
 applied to an entity via `tags:<tag_name>`. Since both have `queryByDefault` set to true, you can also search for
 entities with either of these properties just by searching for the tag name.
+
+## System metadata
+
+For internal GMS-owned entities that must be hidden from users and writable only by the system actor, see
+[System Entity Data Access](./system-data.md).