Investigating Datahub Editor Role Permission Error

Original Slack Thread

Hi all, I’m Editor role on Datahub tool. But, sometimes I got the under error when I edit description of a column. I’m using v0.10.3. Do you have any suggestion for me to investigate the issue, here?attachment

Hi- could you confirm what permission you have with editor role? You should have Edit descriptions policy for the specific data entity.

Yeah, the user is assigned Editor role. It is a role has available in Datahub (same as Admin and Reader).
I can see on document about description for this role: Can read and edit all metadata. Cannot take administrative actions.
And this issue occasionally happen. Most of the time I have permission to change the description of the column, a few times I got this error.

Do you know any bug/issue related to this issue on v0.10.3 that is fixed on latest version?

That is very strange - does it occur to a specific data source? Could you confirm that there’s no policy that override this?

Most of time, It’s happen on BigQuery Datasource. I only use default role of Datahub on my deployment.

Not that I know of, I’ll forward to this to our product team just in case. (cc. <@U03BEML16LB> tagging you FYI)

Hmm okay, just to check - are you able to edit description with admin role with the same entity?

Yeah, any suggestion for me. It can enable debug to help to investigate this issue.

Yes, I can. And I can edit description with other user who is assign Editor role.

I know, It’s pretty weird.

:thinking_face: Okay, not really sure what’s happening here. we’ll get back to you shortly.

Thank <@U04QRNY4ZHA> :laughing:

Hi! Do you have Rest API Authorization enabled or any other non-default auth settings?

Hi <@UV5UEC3LN>,
This is my config on chart for Auth. The rest of config, I only use default value of chart.

    enabled: true
    provider: google
    clientId: <|>
    clientSecret: SECRET
    # only needed if you would like to store the client secret in secret
    # clientSecretRef:
    #   secretRef: &lt;secret-ref&gt;
    #   secretKey: &lt;secret-key&gt;
    # only needed if provider is `okta`
    # oktaDomain: <|>

    # only needed if provider is `azure`
    # azureTenantId: your-azure-tenant-id
    # if needed, it should set meaningful defaults from provider
    scope: "openid profile email"

      value: "false"
    # # AUTH_OIDC
    # - name: AUTH_OIDC_ENABLED
    #   value: "true"
    # - name: AUTH_OIDC_CLIENT_ID
    #   value: "<|>"
    #   value: "SECRET"
    #   value: "<>"
    # - name: AUTH_OIDC_BASE_URL
    #   value: "<>"
    # - name: AUTH_OIDC_SCOPE
    #   value: "openid profile email"
    #   value: "email"
    #   value: "([^@]+)"```

About Rest API Authorization, it’s disabled.

Hi <@UV5UEC3LN>,
If you have more information, please tell me.