fix(policy): use a dedicated TriggerRule on DataStewardPolicy instead of mixing into EditRule

Author: manerow

openmetadata-service/src/main/java/org/openmetadata/service/migration/mysql/v1129/Migration.java

@@ -1,6 +1,7 @@
 package org.openmetadata.service.migration.mysql.v1129;
 
-import static org.openmetadata.service.migration.utils.v1129.MigrationUtil.addTriggerOperationToDefaultPolicies;
+import static org.openmetadata.service.migration.utils.v1129.MigrationUtil.addTriggerOperationToDefaultBotPolicies;
+import static org.openmetadata.service.migration.utils.v1129.MigrationUtil.addTriggerRuleToDataStewardPolicy;
 
 import lombok.SneakyThrows;
 import org.openmetadata.service.migration.api.MigrationProcessImpl;
@@ -15,6 +16,7 @@ public Migration(MigrationFile migrationFile) {
   @Override
   @SneakyThrows
   public void runDataMigration() {
-    addTriggerOperationToDefaultPolicies(collectionDAO);
+    addTriggerOperationToDefaultBotPolicies(collectionDAO);
+    addTriggerRuleToDataStewardPolicy(collectionDAO);
   }
 }

openmetadata-service/src/main/java/org/openmetadata/service/migration/mysql/v1130/Migration.java

@@ -1,6 +1,7 @@
 package org.openmetadata.service.migration.mysql.v1130;
 
-import static org.openmetadata.service.migration.utils.v1129.MigrationUtil.addTriggerOperationToDefaultPolicies;
+import static org.openmetadata.service.migration.utils.v1129.MigrationUtil.addTriggerOperationToDefaultBotPolicies;
+import static org.openmetadata.service.migration.utils.v1129.MigrationUtil.addTriggerRuleToDataStewardPolicy;
 
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
@@ -33,6 +34,7 @@ public void runDataMigration() {
       LOG.error("v1130 glossaryTerm version relatedTerms transform failed; re-run to retry.", e);
     }
     MigrationUtil.addTableColumnSearchSettings();
-    addTriggerOperationToDefaultPolicies(collectionDAO);
+    addTriggerOperationToDefaultBotPolicies(collectionDAO);
+    addTriggerRuleToDataStewardPolicy(collectionDAO);
   }
 }

openmetadata-service/src/main/java/org/openmetadata/service/migration/postgres/v1129/Migration.java

@@ -1,6 +1,7 @@
 package org.openmetadata.service.migration.postgres.v1129;
 
-import static org.openmetadata.service.migration.utils.v1129.MigrationUtil.addTriggerOperationToDefaultPolicies;
+import static org.openmetadata.service.migration.utils.v1129.MigrationUtil.addTriggerOperationToDefaultBotPolicies;
+import static org.openmetadata.service.migration.utils.v1129.MigrationUtil.addTriggerRuleToDataStewardPolicy;
 
 import lombok.SneakyThrows;
 import org.openmetadata.service.migration.api.MigrationProcessImpl;
@@ -15,6 +16,7 @@ public Migration(MigrationFile migrationFile) {
   @Override
   @SneakyThrows
   public void runDataMigration() {
-    addTriggerOperationToDefaultPolicies(collectionDAO);
+    addTriggerOperationToDefaultBotPolicies(collectionDAO);
+    addTriggerRuleToDataStewardPolicy(collectionDAO);
   }
 }

openmetadata-service/src/main/java/org/openmetadata/service/migration/postgres/v1130/Migration.java

@@ -1,6 +1,7 @@
 package org.openmetadata.service.migration.postgres.v1130;
 
-import static org.openmetadata.service.migration.utils.v1129.MigrationUtil.addTriggerOperationToDefaultPolicies;
+import static org.openmetadata.service.migration.utils.v1129.MigrationUtil.addTriggerOperationToDefaultBotPolicies;
+import static org.openmetadata.service.migration.utils.v1129.MigrationUtil.addTriggerRuleToDataStewardPolicy;
 
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
@@ -33,6 +34,7 @@ public void runDataMigration() {
       LOG.error("v1130 glossaryTerm version relatedTerms transform failed; re-run to retry.", e);
     }
     MigrationUtil.addTableColumnSearchSettings();
-    addTriggerOperationToDefaultPolicies(collectionDAO);
+    addTriggerOperationToDefaultBotPolicies(collectionDAO);
+    addTriggerRuleToDataStewardPolicy(collectionDAO);
   }
 }

openmetadata-service/src/main/java/org/openmetadata/service/migration/utils/v1129/MigrationUtil.java

@@ -4,40 +4,91 @@
 
 import java.util.List;
 import lombok.extern.slf4j.Slf4j;
+import org.openmetadata.schema.entity.policies.Policy;
+import org.openmetadata.schema.entity.policies.accessControl.Rule;
+import org.openmetadata.schema.type.Include;
 import org.openmetadata.schema.type.MetadataOperation;
+import org.openmetadata.schema.utils.JsonUtils;
+import org.openmetadata.service.Entity;
+import org.openmetadata.service.exception.EntityNotFoundException;
 import org.openmetadata.service.jdbi3.CollectionDAO;
+import org.openmetadata.service.jdbi3.PolicyRepository;
 
 @Slf4j
 public class MigrationUtil {
 
   private MigrationUtil() {}
 
   /**
-   * Retrofits default seeded policies that grant broad edit capability with the {@code Trigger}
-   * operation, keeping pre-existing customer behavior intact after {@code /trigger} starts
-   * enforcing authz (GH-27962).
+   * Retrofits seeded bot policies that grant broad {@code EditAll} on {@code ["All"]} resources
+   * with the {@code Trigger} operation. Pre-fix these identities could trigger pipelines because
+   * {@code /trigger} skipped authz; the migration preserves that behavior under the new authz
+   * enforcement (GH-27962).
    *
-   * <p>Targets the rules whose resources are {@code "All"} and that already grant {@code EditAll}
-   * (the broad-bot allow rules) plus {@code DataStewardPolicy} which grants {@code EditOwners} —
-   * stewards can already reach trigger via the ownership-edit escalation path, so granting it
-   * explicitly aligns the policy with the effective capability and improves the audit trail.
-   *
-   * <p>Each call is idempotent via {@link
+   * <p>Each entry is idempotent via {@link
    * org.openmetadata.service.migration.utils.v160.MigrationUtil#addOperationsToPolicyRule}.
    */
-  public static void addTriggerOperationToDefaultPolicies(CollectionDAO collectionDAO) {
+  public static void addTriggerOperationToDefaultBotPolicies(CollectionDAO collectionDAO) {
     record PolicyRule(String policy, String rule) {}
     List<PolicyRule> targets =
         List.of(
             new PolicyRule("IngestionBotPolicy", "IngestionBotRule-Allow"),
             new PolicyRule("LineageBotPolicy", "LineageBotRule-Allow"),
             new PolicyRule("ProfilerBotPolicy", "ProfilerBotBotRule-Allow"),
             new PolicyRule("QualityBotPolicy", "QualityBotBotRule-Allow"),
-            new PolicyRule("UsageBotPolicy", "UsageBotRule-Allow-Usage"),
-            new PolicyRule("DataStewardPolicy", "DataStewardPolicy-EditRule"));
+            new PolicyRule("UsageBotPolicy", "UsageBotRule-Allow-Usage"));
     for (PolicyRule t : targets) {
       addOperationsToPolicyRule(
           t.policy(), t.rule(), List.of(MetadataOperation.TRIGGER), collectionDAO);
     }
   }
+
+  /**
+   * Adds a dedicated {@code DataStewardPolicy-TriggerRule} to the existing {@code
+   * DataStewardPolicy} if not already present. Data stewards already have {@code EditOwners} on
+   * all resources, so they could already reach trigger via an ownership rewrite; this rule makes
+   * the capability explicit for audit clarity rather than burying it inside the existing edit
+   * rule.
+   *
+   * <p>Mirrors the new-rule shape used by {@code
+   * v180.MigrationUtil.addDenyDisplayNameRuleToBotPolicies}. Idempotent — skips when the rule
+   * already exists.
+   */
+  public static void addTriggerRuleToDataStewardPolicy(CollectionDAO collectionDAO) {
+    PolicyRepository repository = (PolicyRepository) Entity.getEntityRepository(Entity.POLICY);
+    try {
+      Policy policy = repository.findByName("DataStewardPolicy", Include.NON_DELETED);
+      boolean hasTriggerRule =
+          policy.getRules().stream()
+              .anyMatch(
+                  r ->
+                      "DataStewardPolicy-TriggerRule".equals(r.getName())
+                          && r.getEffect() == Rule.Effect.ALLOW
+                          && r.getOperations() != null
+                          && r.getOperations().contains(MetadataOperation.TRIGGER));
+      if (!hasTriggerRule) {
+        Rule triggerRule =
+            new Rule()
+                .withName("DataStewardPolicy-TriggerRule")
+                .withDescription(
+                    "Allow data stewards to trigger ingestion pipelines. Stewards already have "
+                        + "EditOwners on all resources and can reach trigger via an ownership "
+                        + "rewrite; this rule makes the capability explicit for audit clarity.")
+                .withResources(List.of("all"))
+                .withOperations(List.of(MetadataOperation.TRIGGER))
+                .withEffect(Rule.Effect.ALLOW);
+        policy.getRules().add(triggerRule);
+        collectionDAO
+            .policyDAO()
+            .update(policy.getId(), policy.getFullyQualifiedName(), JsonUtils.pojoToJson(policy));
+        LOG.info("Added DataStewardPolicy-TriggerRule to DataStewardPolicy");
+      } else {
+        LOG.debug("DataStewardPolicy already has TriggerRule, skipping");
+      }
+    } catch (EntityNotFoundException ex) {
+      LOG.warn("DataStewardPolicy not found, skipping TriggerRule addition");
+    } catch (Exception e) {
+      LOG.error("Failed to add TriggerRule to DataStewardPolicy: {}", e.getMessage(), e);
+    }
+  }
 }

openmetadata-service/src/main/resources/json/data/policy/DataStewardPolicy.json

@@ -10,7 +10,14 @@
     {
       "name": "DataStewardPolicy-EditRule",
       "resources" : ["all"],
-      "operations": ["ViewAll", "EditDescription", "EditDisplayName", "EditLineage", "EditOwners", "EditTags", "EditTier", "EditGlossaryTerms", "EditCertification", "Trigger"],
+      "operations": ["ViewAll", "EditDescription", "EditDisplayName", "EditLineage", "EditOwners", "EditTags", "EditTier", "EditGlossaryTerms", "EditCertification"],
+      "effect": "allow"
+    },
+    {
+      "name": "DataStewardPolicy-TriggerRule",
+      "description": "Allow data stewards to trigger ingestion pipelines. Stewards already have EditOwners on all resources and can reach trigger via an ownership rewrite; this rule makes the capability explicit for audit clarity.",
+      "resources": ["all"],
+      "operations": ["Trigger"],
       "effect": "allow"
     }
   ]