fix(policy): grant Trigger to IngestionBot for /trigger authz

manerow · manerow · commit a3d7299579d2 · 2026-05-14T12:02:35.000+02:00
diff --git a/bootstrap/sql/migrations/native/1.12.9/mysql/postDataMigrationSQLScript.sql b/bootstrap/sql/migrations/native/1.12.9/mysql/postDataMigrationSQLScript.sql
@@ -0,0 +1 @@
+-- Placeholder for 1.12.9 MySQL
diff --git a/bootstrap/sql/migrations/native/1.12.9/mysql/schemaChanges.sql b/bootstrap/sql/migrations/native/1.12.9/mysql/schemaChanges.sql
@@ -0,0 +1 @@
+-- Placeholder for 1.12.9 MySQL
diff --git a/bootstrap/sql/migrations/native/1.12.9/postgres/postDataMigrationSQLScript.sql b/bootstrap/sql/migrations/native/1.12.9/postgres/postDataMigrationSQLScript.sql
@@ -0,0 +1 @@
+-- Placeholder for 1.12.9 Postgres
diff --git a/bootstrap/sql/migrations/native/1.12.9/postgres/schemaChanges.sql b/bootstrap/sql/migrations/native/1.12.9/postgres/schemaChanges.sql
@@ -0,0 +1 @@
+-- Placeholder for 1.12.9 Postgres
diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/migration/mysql/v1129/Migration.java b/openmetadata-service/src/main/java/org/openmetadata/service/migration/mysql/v1129/Migration.java
@@ -0,0 +1,20 @@
+package org.openmetadata.service.migration.mysql.v1129;
+
+import static org.openmetadata.service.migration.utils.v1129.MigrationUtil.addTriggerOperationToIngestionBotPolicy;
+
+import lombok.SneakyThrows;
+import org.openmetadata.service.migration.api.MigrationProcessImpl;
+import org.openmetadata.service.migration.utils.MigrationFile;
+
+public class Migration extends MigrationProcessImpl {
+
+  public Migration(MigrationFile migrationFile) {
+    super(migrationFile);
+  }
+
+  @Override
+  @SneakyThrows
+  public void runDataMigration() {
+    addTriggerOperationToIngestionBotPolicy(collectionDAO);
+  }
+}
diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/migration/mysql/v1130/Migration.java b/openmetadata-service/src/main/java/org/openmetadata/service/migration/mysql/v1130/Migration.java
@@ -1,5 +1,7 @@
 package org.openmetadata.service.migration.mysql.v1130;
 
+import static org.openmetadata.service.migration.utils.v1129.MigrationUtil.addTriggerOperationToIngestionBotPolicy;
+
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
 import org.openmetadata.service.migration.api.MigrationProcessImpl;
@@ -31,5 +33,6 @@ public void runDataMigration() {
       LOG.error("v1130 glossaryTerm version relatedTerms transform failed; re-run to retry.", e);
     }
     MigrationUtil.addTableColumnSearchSettings();
+    addTriggerOperationToIngestionBotPolicy(collectionDAO);
   }
 }
diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/migration/postgres/v1129/Migration.java b/openmetadata-service/src/main/java/org/openmetadata/service/migration/postgres/v1129/Migration.java
@@ -0,0 +1,20 @@
+package org.openmetadata.service.migration.postgres.v1129;
+
+import static org.openmetadata.service.migration.utils.v1129.MigrationUtil.addTriggerOperationToIngestionBotPolicy;
+
+import lombok.SneakyThrows;
+import org.openmetadata.service.migration.api.MigrationProcessImpl;
+import org.openmetadata.service.migration.utils.MigrationFile;
+
+public class Migration extends MigrationProcessImpl {
+
+  public Migration(MigrationFile migrationFile) {
+    super(migrationFile);
+  }
+
+  @Override
+  @SneakyThrows
+  public void runDataMigration() {
+    addTriggerOperationToIngestionBotPolicy(collectionDAO);
+  }
+}
diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/migration/postgres/v1130/Migration.java b/openmetadata-service/src/main/java/org/openmetadata/service/migration/postgres/v1130/Migration.java
@@ -1,5 +1,7 @@
 package org.openmetadata.service.migration.postgres.v1130;
 
+import static org.openmetadata.service.migration.utils.v1129.MigrationUtil.addTriggerOperationToIngestionBotPolicy;
+
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
 import org.openmetadata.service.migration.api.MigrationProcessImpl;
@@ -31,5 +33,6 @@ public void runDataMigration() {
       LOG.error("v1130 glossaryTerm version relatedTerms transform failed; re-run to retry.", e);
     }
     MigrationUtil.addTableColumnSearchSettings();
+    addTriggerOperationToIngestionBotPolicy(collectionDAO);
   }
 }
diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/migration/utils/v1129/MigrationUtil.java b/openmetadata-service/src/main/java/org/openmetadata/service/migration/utils/v1129/MigrationUtil.java
@@ -0,0 +1,22 @@
+package org.openmetadata.service.migration.utils.v1129;
+
+import static org.openmetadata.service.migration.utils.v160.MigrationUtil.addOperationsToPolicyRule;
+
+import java.util.List;
+import lombok.extern.slf4j.Slf4j;
+import org.openmetadata.schema.type.MetadataOperation;
+import org.openmetadata.service.jdbi3.CollectionDAO;
+
+@Slf4j
+public class MigrationUtil {
+
+  private MigrationUtil() {}
+
+  public static void addTriggerOperationToIngestionBotPolicy(CollectionDAO collectionDAO) {
+    addOperationsToPolicyRule(
+        "IngestionBotPolicy",
+        "IngestionBotRule-Allow",
+        List.of(MetadataOperation.TRIGGER),
+        collectionDAO);
+  }
+}
diff --git a/openmetadata-service/src/main/resources/json/data/policy/IngestionBotPolicy.json b/openmetadata-service/src/main/resources/json/data/policy/IngestionBotPolicy.json
@@ -11,7 +11,7 @@
       "name": "IngestionBotRule-Allow",
       "description" : "Allow ingestion bots to create/update/delete data entities",
       "resources" : ["All"],
-      "operations": ["Create", "BulkCreate", "BulkUpdate", "EditAll", "ViewAll", "Delete"],
+      "operations": ["Create", "BulkCreate", "BulkUpdate", "EditAll", "ViewAll", "Delete", "Trigger"],
       "effect": "allow"
     },
     {

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,7 @@`
`1`	`1`	`package org.openmetadata.service.migration.mysql.v1130;`
`2`	`2`
	`3`	`+import static org.openmetadata.service.migration.utils.v1129.MigrationUtil.addTriggerOperationToIngestionBotPolicy;`
	`4`	`+`
`3`	`5`	`import lombok.SneakyThrows;`
`4`	`6`	`import lombok.extern.slf4j.Slf4j;`
`5`	`7`	`import org.openmetadata.service.migration.api.MigrationProcessImpl;`
`@@ -31,5 +33,6 @@ public void runDataMigration() {`
`31`	`33`	`LOG.error("v1130 glossaryTerm version relatedTerms transform failed; re-run to retry.", e);`
`32`	`34`	`}`
`33`	`35`	`MigrationUtil.addTableColumnSearchSettings();`
	`36`	`+ addTriggerOperationToIngestionBotPolicy(collectionDAO);`
`34`	`37`	`}`
`35`	`38`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`	`"name": "IngestionBotRule-Allow",`
`12`	`12`	`"description" : "Allow ingestion bots to create/update/delete data entities",`
`13`	`13`	`"resources" : ["All"],`
`14`		`- "operations": ["Create", "BulkCreate", "BulkUpdate", "EditAll", "ViewAll", "Delete"],`
	`14`	`+ "operations": ["Create", "BulkCreate", "BulkUpdate", "EditAll", "ViewAll", "Delete", "Trigger"],`
`15`	`15`	`"effect": "allow"`
`16`	`16`	`},`
`17`	`17`	`{`