@qiyingshao qiyingshao commented Oct 23, 2025

Describe your changes:

Fixes #23880

I worked on adding a new policy condition isReviewer() (and its negation !isReviewer) because there was previously no way to check if a user is listed as a reviewer of an entity during policy evaluation.
This condition helps improve access control flexibility; it is similar to isOwner() but applied to the reviewers field.

I tested my changes by:

  • Adding unit tests in SubjectContextTest.java to verify that isReviewer() and !isReviewer() return correct results.
  • Adding unit tests in RuleEvaluatorTest.java to ensure reviewer-based conditions are properly evaluated during policy execution.
  • Adding unit tests in ElasticSearchRBACConditionEvaluatorTest.java to verify that reviewer-based conditions are correctly translated into Elasticsearch queries.
  • Running all existing and new tests to confirm there are no regressions.

Type of change:

  • Bug fix
  • Improvement
  • New feature
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation

Checklist:

  • I have read the CONTRIBUTING document.
  • My PR title is Fixes <issue-number>: <short explanation>
  • I have commented on my code, particularly in hard-to-understand areas.
  • For JSON Schema changes: I updated the migration scripts or explained why it is not needed.

New feature

  • The issue properly describes why the new feature is needed, what's the goal, and how we are building it. Any discussion
    or decision-making process is reflected in the issue.
  • I have updated the documentation.
  • I have added tests around the new logic.

@github-actions
Contributor

Hi there 👋 Thanks for your contribution!

The OpenMetadata team will review the PR shortly! Once it has been labeled as safe to test, the CI workflows
will start executing and we'll be able to make sure everything is working as expected.

Let us know if you need any help!

@github-actions
Contributor

The Java checkstyle failed.

Please run mvn spotless:apply in the root of your repository and commit the changes to this PR.
You can also use pre-commit to automate the Java code formatting.

You can install the pre-commit hooks with make install_test precommit_install.

Successfully merging this pull request may close these issues.

Request for new policy conditions: isReviewer() and !isReviewer
