fix(policy): grant Trigger to default bot + steward policies for /trigger authz

Author: manerow

openmetadata-service/src/main/java/org/openmetadata/service/migration/mysql/v1129/Migration.java

@@ -0,0 +1,20 @@
+package org.openmetadata.service.migration.mysql.v1129;
+
+import static org.openmetadata.service.migration.utils.v1129.MigrationUtil.addTriggerOperationToDefaultPolicies;
+
+import lombok.SneakyThrows;
+import org.openmetadata.service.migration.api.MigrationProcessImpl;
+import org.openmetadata.service.migration.utils.MigrationFile;
+
+public class Migration extends MigrationProcessImpl {
+
+  public Migration(MigrationFile migrationFile) {
+    super(migrationFile);
+  }
+
+  @Override
+  @SneakyThrows
+  public void runDataMigration() {
+    addTriggerOperationToDefaultPolicies(collectionDAO);
+  }
+}

openmetadata-service/src/main/java/org/openmetadata/service/migration/mysql/v1130/Migration.java

@@ -1,5 +1,7 @@
 package org.openmetadata.service.migration.mysql.v1130;
 
+import static org.openmetadata.service.migration.utils.v1129.MigrationUtil.addTriggerOperationToDefaultPolicies;
+
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
 import org.openmetadata.service.migration.api.MigrationProcessImpl;
@@ -31,5 +33,6 @@ public void runDataMigration() {
       LOG.error("v1130 glossaryTerm version relatedTerms transform failed; re-run to retry.", e);
     }
     MigrationUtil.addTableColumnSearchSettings();
+    addTriggerOperationToDefaultPolicies(collectionDAO);
   }
 }

openmetadata-service/src/main/java/org/openmetadata/service/migration/postgres/v1129/Migration.java

@@ -0,0 +1,20 @@
+package org.openmetadata.service.migration.postgres.v1129;
+
+import static org.openmetadata.service.migration.utils.v1129.MigrationUtil.addTriggerOperationToDefaultPolicies;
+
+import lombok.SneakyThrows;
+import org.openmetadata.service.migration.api.MigrationProcessImpl;
+import org.openmetadata.service.migration.utils.MigrationFile;
+
+public class Migration extends MigrationProcessImpl {
+
+  public Migration(MigrationFile migrationFile) {
+    super(migrationFile);
+  }
+
+  @Override
+  @SneakyThrows
+  public void runDataMigration() {
+    addTriggerOperationToDefaultPolicies(collectionDAO);
+  }
+}

openmetadata-service/src/main/java/org/openmetadata/service/migration/postgres/v1130/Migration.java

@@ -1,5 +1,7 @@
 package org.openmetadata.service.migration.postgres.v1130;
 
+import static org.openmetadata.service.migration.utils.v1129.MigrationUtil.addTriggerOperationToDefaultPolicies;
+
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
 import org.openmetadata.service.migration.api.MigrationProcessImpl;
@@ -31,5 +33,6 @@ public void runDataMigration() {
       LOG.error("v1130 glossaryTerm version relatedTerms transform failed; re-run to retry.", e);
     }
     MigrationUtil.addTableColumnSearchSettings();
+    addTriggerOperationToDefaultPolicies(collectionDAO);
   }
 }

openmetadata-service/src/main/java/org/openmetadata/service/migration/utils/v1129/MigrationUtil.java

@@ -0,0 +1,43 @@
+package org.openmetadata.service.migration.utils.v1129;
+
+import static org.openmetadata.service.migration.utils.v160.MigrationUtil.addOperationsToPolicyRule;
+
+import java.util.List;
+import lombok.extern.slf4j.Slf4j;
+import org.openmetadata.schema.type.MetadataOperation;
+import org.openmetadata.service.jdbi3.CollectionDAO;
+
+@Slf4j
+public class MigrationUtil {
+
+  private MigrationUtil() {}
+
+  /**
+   * Retrofits default seeded policies that grant broad edit capability with the {@code Trigger}
+   * operation, keeping pre-existing customer behavior intact after {@code /trigger} starts
+   * enforcing authz (GH-27962).
+   *
+   * <p>Targets the rules whose resources are {@code "All"} and that already grant {@code EditAll}
+   * (the broad-bot allow rules) plus {@code DataStewardPolicy} which grants {@code EditOwners} —
+   * stewards can already reach trigger via the ownership-edit escalation path, so granting it
+   * explicitly aligns the policy with the effective capability and improves the audit trail.
+   *
+   * <p>Each call is idempotent via {@link
+   * org.openmetadata.service.migration.utils.v160.MigrationUtil#addOperationsToPolicyRule}.
+   */
+  public static void addTriggerOperationToDefaultPolicies(CollectionDAO collectionDAO) {
+    record PolicyRule(String policy, String rule) {}
+    List<PolicyRule> targets =
+        List.of(
+            new PolicyRule("IngestionBotPolicy", "IngestionBotRule-Allow"),
+            new PolicyRule("LineageBotPolicy", "LineageBotRule-Allow"),
+            new PolicyRule("ProfilerBotPolicy", "ProfilerBotBotRule-Allow"),
+            new PolicyRule("QualityBotPolicy", "QualityBotBotRule-Allow"),
+            new PolicyRule("UsageBotPolicy", "UsageBotRule-Allow-Usage"),
+            new PolicyRule("DataStewardPolicy", "DataStewardPolicy-EditRule"));
+    for (PolicyRule t : targets) {
+      addOperationsToPolicyRule(
+          t.policy(), t.rule(), List.of(MetadataOperation.TRIGGER), collectionDAO);
+    }
+  }
+}

openmetadata-service/src/main/resources/json/data/policy/DataStewardPolicy.json

@@ -10,7 +10,7 @@
     {
       "name": "DataStewardPolicy-EditRule",
       "resources" : ["all"],
-      "operations": ["ViewAll", "EditDescription", "EditDisplayName", "EditLineage", "EditOwners", "EditTags", "EditTier", "EditGlossaryTerms", "EditCertification"],
+      "operations": ["ViewAll", "EditDescription", "EditDisplayName", "EditLineage", "EditOwners", "EditTags", "EditTier", "EditGlossaryTerms", "EditCertification", "Trigger"],
       "effect": "allow"
     }
   ]

openmetadata-service/src/main/resources/json/data/policy/IngestionBotPolicy.json

@@ -11,7 +11,7 @@
       "name": "IngestionBotRule-Allow",
       "description" : "Allow ingestion bots to create/update/delete data entities",
       "resources" : ["All"],
-      "operations": ["Create", "BulkCreate", "BulkUpdate", "EditAll", "ViewAll", "Delete"],
+      "operations": ["Create", "BulkCreate", "BulkUpdate", "EditAll", "ViewAll", "Delete", "Trigger"],
       "effect": "allow"
     },
     {

openmetadata-service/src/main/resources/json/data/policy/LineageBotPolicy.json

@@ -18,7 +18,7 @@
       "name": "LineageBotRule-Allow",
       "description" : "Allow creating and updating lineage",
       "resources" : ["All"],
-      "operations": ["EditAll", "ViewAll"],
+      "operations": ["EditAll", "ViewAll", "Trigger"],
       "effect": "allow"
     },
     {

openmetadata-service/src/main/resources/json/data/policy/ProfilerBotPolicy.json

@@ -11,7 +11,7 @@
       "name": "ProfilerBotBotRule-Allow",
       "description" : "Allow updating sample data, profile data, and tests for all the resources.",
       "resources" : ["All"],
-      "operations": ["EditAll", "ViewAll"],
+      "operations": ["EditAll", "ViewAll", "Trigger"],
       "effect": "allow"
     },
     {

openmetadata-service/src/main/resources/json/data/policy/QualityBotPolicy.json

@@ -11,7 +11,7 @@
       "name": "QualityBotBotRule-Allow",
       "description" : "Allow updating sample data, profile data, and tests for all the resources.",
       "resources" : ["All"],
-      "operations": ["EditAll", "ViewAll"],
+      "operations": ["EditAll", "ViewAll", "Trigger"],
       "effect": "allow"
     },
     {