Skip to content

feat(model): add unified system entity data access control#17723

Open
david-leifker wants to merge 1 commit into
masterfrom
system-data-support
Open

feat(model): add unified system entity data access control#17723
david-leifker wants to merge 1 commit into
masterfrom
system-data-support

Conversation

@david-leifker
Copy link
Copy Markdown
Collaborator

@david-leifker david-leifker commented Jun 3, 2026

Summary

  • Add @SystemEntity / @System PDL annotations and the dataHubSystemState production entity for GMS-internal operational state
  • Enforce system data access at three layers: AuthUtil API gate (403), DAO read filter (SystemDataReadFilter + AspectReadGuard), and write validator (SystemDataWriteValidator / SYSTEM_ACTOR only)
  • Centralize enable/disable via authorization.systemDataAccessControl.enabled (SystemDataAccessControlConfiguration) wired into AuthUtil and plugin registration

Test plan

  • :entity-registry:test — policy, read filter, write validator, annotation parsing
  • :metadata-auth:auth-api:test — AuthUtil system-data gate
  • :metadata-io:test — AspectReadGuard, DAO batchGet/getLatestAspects, Cassandra + Ebean paths
  • :metadata-service:factories:test — Spring plugin wiring
  • smoke-test/tests/system_data/test_system_data_access.py — live GMS against dataHubSystemState

Made with Cursor

@github-actions github-actions Bot added docs Issues and Improvements to docs product PR or Issue related to the DataHub UI/UX devops PR or Issue related to DataHub backend & deployment smoke_test Contains changes related to smoke tests labels Jun 3, 2026
@codecov
Copy link
Copy Markdown

codecov Bot commented Jun 3, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 81.38298% with 105 lines in your changes missing coverage. Please review.
✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
...nkedin/metadata/aspect/filter/AspectReadGuard.java 75.51% 10 Missing and 2 partials ⚠️
...om/linkedin/metadata/models/EntitySpecBuilder.java 72.97% 10 Missing ⚠️
.../main/java/com/datahub/authorization/AuthUtil.java 77.27% 5 Missing and 5 partials ⚠️
...tadata/aspect/plugins/filter/AspectReadFilter.java 11.11% 7 Missing and 1 partial ⚠️
...inkedin/metadata/aspect/plugins/PluginFactory.java 70.83% 5 Missing and 2 partials ⚠️
...ata/aspect/plugins/config/PluginConfiguration.java 50.00% 6 Missing and 1 partial ⚠️
...om/linkedin/metadata/models/PartialEntitySpec.java 0.00% 7 Missing ⚠️
...inkedin/metadata/policy/SystemDataPolicyIndex.java 88.70% 3 Missing and 4 partials ⚠️
.../metadata/entity/cassandra/CassandraAspectDao.java 88.70% 4 Missing and 3 partials ⚠️
...tadata/models/annotation/SystemDataVisibility.java 76.47% 3 Missing and 1 partial ⚠️
... and 10 more

📢 Thoughts on this report? Let us know!

@david-leifker david-leifker force-pushed the system-data-support branch from 3612c05 to e220d5b Compare June 3, 2026 23:44
@david-leifker david-leifker force-pushed the system-data-support branch from e220d5b to 4f6b4a5 Compare June 4, 2026 00:44
@maggiehays maggiehays added the needs-review Label for PRs that need review from a maintainer. label Jun 4, 2026
@david-leifker @cursoragent
feat(model): add unified system entity data access control
efe7fdc 
Co-authored-by: Cursor <cursoragent@cursor.com>
@david-leifker david-leifker force-pushed the system-data-support branch from 4f6b4a5 to efe7fdc Compare June 4, 2026 15:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

devops PR or Issue related to DataHub backend & deployment docs Issues and Improvements to docs needs-review Label for PRs that need review from a maintainer. product PR or Issue related to the DataHub UI/UX smoke_test Contains changes related to smoke tests

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@david-leifker @maggiehays