Affected module
Backend
Describe the bug
Both MCP tools can return entities outside a caller's permitted domains, for two different reasons:
-
semantic_search never applies RBAC/domain filtering at all. It doesn't pass SubjectContext into the vector search path (OpenSearchVectorService / VectorSearchQueryBuilder), so results aren't scoped to the caller's role/policy regardless of settings.
-
search_metadata does pass SubjectContext, but domain filtering is silently skipped whenever the calling identity is a bot. SearchUtils.shouldApplyRbacConditions() requires !subjectContext.isBot() before applying RBAC conditions — so bot-authenticated tokens (the standard way to connect MCP) bypass domain scoping even with Search RBAC enabled. Confirmed with a real user PAT it can still leak, suggesting an unconditioned ViewAll (e.g. the default Organization Policy) is overriding the domain-scoped rule.
To Reproduce
- Create two Domains (e.g. Finance, Marketing) with assets in each.
- Create a role scoped to one domain only (
hasDomain()), assign it to a test user/bot.
- Query
search_metadata and semantic_search via MCP with that identity's token.
- Observe: assets from the other domain are still returned.
Expected behavior
Both tools should scope results to only the domains the caller is permitted to access, matching the behavior of the regular UI/API search.
OS
No response
Python version
No response
OpenMetadata version
1.12.5
OpenMetadata Ingestion package version
No response
Additional context
No response
Pre-submission checklist
Affected module
Backend
Describe the bug
Both MCP tools can return entities outside a caller's permitted domains, for two different reasons:
semantic_searchnever applies RBAC/domain filtering at all. It doesn't passSubjectContextinto the vector search path (OpenSearchVectorService/VectorSearchQueryBuilder), so results aren't scoped to the caller's role/policy regardless of settings.search_metadatadoes passSubjectContext, but domain filtering is silently skipped whenever the calling identity is a bot.SearchUtils.shouldApplyRbacConditions()requires!subjectContext.isBot()before applying RBAC conditions — so bot-authenticated tokens (the standard way to connect MCP) bypass domain scoping even with Search RBAC enabled. Confirmed with a real user PAT it can still leak, suggesting an unconditionedViewAll(e.g. the default Organization Policy) is overriding the domain-scoped rule.To Reproduce
hasDomain()), assign it to a test user/bot.search_metadataandsemantic_searchvia MCP with that identity's token.Expected behavior
Both tools should scope results to only the domains the caller is permitted to access, matching the behavior of the regular UI/API search.
OS
No response
Python version
No response
OpenMetadata version
1.12.5
OpenMetadata Ingestion package version
No response
Additional context
No response
Pre-submission checklist