Investigating Datahub Editor Role Permission Error

Original Slack Thread

Hi all, I’m in the Editor role on the Datahub tool. But sometimes I get the error below when I edit the description of a column. I’m using v0.10.3. Do you have any suggestions for me to investigate the issue here? (attachment)

Hi- could you confirm what permission you have with editor role? You should have Edit descriptions policy for the specific data entity.

Yeah, the user is assigned the Editor role. It is a role that is available in Datahub (same as Admin and Reader).
I can see in the documentation the description for this role: Can read and edit all metadata. Cannot take administrative actions.
And this issue occasionally happens. Most of the time I have permission to change the description of the column; a few times I got this error.

Do you know any bug/issue related to this issue on v0.10.3 that is fixed on latest version?

That is very strange - does it occur with a specific data source? Could you confirm that there’s no policy that overrides this?

Most of the time, it happens on the BigQuery data source. I only use the default roles of Datahub on my deployment.

Not that I know of, I’ll forward this to our product team just in case. (cc. <@U03BEML16LB> tagging you FYI)

Hmm okay, just to check - are you able to edit description with admin role with the same entity?

Yeah, any suggestions for me? It can enable debug to help investigate this issue.

Yes, I can. And I can edit the description with another user who is assigned the Editor role.

I know, it’s pretty weird.

:thinking_face: Okay, not really sure what’s happening here. We’ll get back to you shortly.

Thanks <@U04QRNY4ZHA> :laughing:

Hi! Do you have Rest API Authorization enabled or any other non-default auth settings?

Hi <@UV5UEC3LN>,
This is my config in the chart for Auth. For the rest of the config, I only use the default values of the chart.

```
  oidcAuthentication:
    enabled: true
    provider: google
    clientId: 305580188801-8k63np6egb0tt4s39qkv3ir3c4u04f9g.apps.googleusercontent.com
    clientSecret: SECRET
    # only needed if you would like to store the client secret in secret
    # clientSecretRef:
    #   secretRef: <secret-ref>
    #   secretKey: <secret-key>
    # only needed if provider is `okta`
    # oktaDomain: datahub.dwh.company.co

    # only needed if provider is `azure`
    # azureTenantId: your-azure-tenant-id
    # if needed, it should set meaningful defaults from provider
    scope: "openid profile email"

    extraEnvs:
    - name: AUTH_JAAS_ENABLED
      value: "false"
    # # AUTH_OIDC
    # - name: AUTH_OIDC_ENABLED
    #   value: "true"
    # - name: AUTH_OIDC_CLIENT_ID
    #   value: "305580188801-8k63np6egb0tt4s39qkv3ir3helmc4u04f9g.apps.googleusercontent.com"
    # - name: AUTH_OIDC_CLIENT_SECRET
    #   value: "SECRET"
    # - name: AUTH_OIDC_DISCOVERY_URI
    #   value: "https://accounts.google.com/.well-known/openid-configuration"
    # - name: AUTH_OIDC_BASE_URL
    #   value: "https://datahub.dwh.company.co"
    # - name: AUTH_OIDC_SCOPE
    #   value: "openid profile email"
    # - name: AUTH_OIDC_USER_NAME_CLAIM
    #   value: "email"
    # - name: AUTH_OIDC_USER_NAME_CLAIM_REGEX
    #   value: "([^@]+)"
```

About Rest API Authorization, it’s disabled.

Hi <@UV5UEC3LN>,
If you have more information, please tell me.