diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/security/policyevaluator/SubjectContext.java b/openmetadata-service/src/main/java/org/openmetadata/service/security/policyevaluator/SubjectContext.java
index 5269145fe948..38bb01a32ed9 100644
--- a/openmetadata-service/src/main/java/org/openmetadata/service/security/policyevaluator/SubjectContext.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/security/policyevaluator/SubjectContext.java
@@ -169,7 +169,12 @@ public boolean isTeamAsset(String parentTeam, List owners) {
 Entity.getEntity(Entity.TEAM, owner.getId(), TEAM_FIELDS, Include.NON_DELETED);
 return isInTeam(parentTeam, team.getEntityReference());
 } catch (Exception ex) {
- // Ignore and return false
+ LOG.warn(
+ "Failed to check team asset ownership for team [{}] with owner [{}]: {}",
+ parentTeam,
+ owner.getId(),
+ ex.getMessage(),
+ ex);
 }
 }
 }
@@ -182,8 +187,8 @@ public static boolean isInTeam(String parentTeam, EntityReference team) {
 Set visitedTeams = new HashSet<>();
 stack.push(team); // Start with team and see if the parent matches
 while (!stack.isEmpty()) {
+ EntityReference currentTeamRef = stack.pop();
 try {
- EntityReference currentTeamRef = stack.pop();
 // Skip if we've already visited this team to prevent circular dependencies
 if (visitedTeams.contains(currentTeamRef.getId())) {
 LOG.warn(
@@ -199,7 +204,12 @@ public static boolean isInTeam(String parentTeam, EntityReference team) {
 listOrEmpty(parent.getParents())
 .forEach(stack::push); // Continue to go up the chain of parents
 } catch (Exception ex) {
- // Ignore and return false
+ LOG.warn(
+ "Failed to traverse team hierarchy for parent [{}] at team [{}]: {}",
+ parentTeam,
+ currentTeamRef != null ? currentTeamRef.getName() : null,
+ ex.getMessage(),
+ ex);
 }
 }
 return false;
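Review bot: In the `isTeamAsset` catch block, `ex.getMessage()` is passed as a format argument and `ex` again as the trailing throwable, so each failure logs the message twice plus a full stack trace at WARN. This method sits on the authorization path and the lookup uses `Include.NON_DELETED`, so a reference to a removed team would presumably land here on every check and inflate the logs. I would drop the redundant argument, `LOG.warn("Failed to check team asset ownership for team [{}] with owner [{}]", parentTeam, owner.getId(), ex);`, and consider keeping the stack trace for debug level only. The same pattern appears in the catch blocks of `isInTeam`, `getRolesForTeams`, `hasRole` and `UserPolicyIterator`.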
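Review bot: The `isInTeam` catch block identifies the team by `currentTeamRef.getName()` while `isTeamAsset` logs `owner.getId()`; a name is presumably a user-editable string, which makes entries harder to correlate and, if names may contain control characters, leaves it to the log encoder to neutralise them. Logging the id keeps the record stable and consistent across handlers: `currentTeamRef != null ? currentTeamRef.getId() : null,`. The `hasRole` and `getRolesForTeams` handlers log the name in the same way. The loop body between this hunk and the previous one is not shown, so this assumes the id is what the traversal keys on, as the `visitedTeams.contains(currentTeamRef.getId())` check suggests.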
@@ -226,7 +236,8 @@ private static List getRolesForTeams(
 roles.addAll(team.getDefaultRoles());
 roles.addAll(getRolesForTeams(team.getParents(), visitedTeams));
 } catch (Exception ex) {
- // Ignore and continue
+ LOG.warn(
+ "Failed to resolve roles for team [{}]: {}", teamRef.getName(), ex.getMessage(), ex);
 }
 }
 return roles.stream().distinct().collect(Collectors.toList());
@@ -280,8 +291,8 @@ public static boolean hasRole(User user, String role) {
 }
 listOrEmpty(user.getTeams()).forEach(stack::push); // Continue to go up the chain of parents
 while (!stack.isEmpty()) {
+ EntityReference currentTeamRef = stack.pop();
 try {
- EntityReference currentTeamRef = stack.pop();
 // Skip if we've already visited this team to prevent circular dependencies
 if (visitedTeams.contains(currentTeamRef.getId())) {
 LOG.warn(
@@ -298,7 +309,12 @@ public static boolean hasRole(User user, String role) {
 listOrEmpty(parent.getParents())
 .forEach(stack::push); // Continue to go up the chain of parents
 } catch (Exception ex) {
- // Ignore the exception and return false
+ LOG.warn(
+ "Failed to check role [{}] for team [{}]: {}",
+ role,
+ currentTeamRef != null ? currentTeamRef.getName() : null,
+ ex.getMessage(),
+ ex);
 }
 }
 return false;
@@ -471,7 +487,11 @@ static class UserPolicyIterator implements Iterator {
 Entity.TEAM, resourceOwner.getId(), TEAM_FIELDS, Include.NON_DELETED);
 iterators.add(new TeamPolicyIterator(team.getId(), teamsVisited, true));
 } catch (Exception ex) {
- // Ignore
+ LOG.warn(
+ "Failed to load policies for resource owner team [{}]: {}",
+ resourceOwner.getId(),
+ ex.getMessage(),
+ ex);
 }
 }
 }
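Review bot: In the `getRolesForTeams` handler, `teamRef.getName()` is dereferenced without the `!= null` guard that the `isInTeam` and `hasRole` handlers apply to `currentTeamRef`. If a null reference is what raised the exception, the handler itself throws and the exception now leaves the method, where the old code ignored it and moved on to the next team. Guarding it the same way keeps the previous behaviour: `teamRef != null ? teamRef.getName() : null`. The loop header that declares `teamRef` is outside the hunk, so whether null entries can occur there is not visible.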
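Review bot: When the owner-team lookup fails in `UserPolicyIterator`, that team's `TeamPolicyIterator` is never added, so evaluation continues with a shorter policy set; the commit makes this visible in the log but does not say whether it is intended. If the skipped policies can carry deny rules, the decision is then made without them, which is the fail-open direction for an authorization check. At minimum the handler should state the intent, for example `// Owner-team policies are skipped on lookup failure; deny rules in them are not evaluated for this request`, or the failure should be propagated so the request is refused. The constructor this code belongs to starts outside the hunk.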