Issue with Group Policies Enforcement in Datahub - Seeking Clarification and Bug Investigation

Original Slack Thread

Hi Team

Hope you are well. My team was looking at Datahub and looking at groups, policies and privileges.
Summary of issue: If we add a user to a policy/policies the policy is enforced:white_check_mark:. If we add a group to a policy it is not enforced as expected meaning adding users to a policy works but adding a group to a policy does not. :x:

Tech details:
version : v0.11.0
Deployment: GKE on Google Cloud platform
Customisation: None. this is the ‘datahub quickstart’ configuration with no custom code changes. We are only exploring config changes through the UI

On v0.11.0 we have noticed some behaviour in groups that doesn’t make sense based on how we read the docs and wondering if there is an issue here?

Steps to recreate:
• Have at least two users in Datahub - user 1 and user 2
• User 1 should be able to edit, delete and create tags
• User 2 should not be able to edit delete and create tags
• Log in as root user so you can access the right screens
• As root user, assign the role of no role to user 1 and user 2 so that policies will apply and not be overwritten by the editor or reader access
• Deactivate the default policy ‘All Users - Base Platform Privileges’ to ensure this does not override other settings
• Optionally, deactivate ‘Asset Owners - Metadata Policy’ as well to ensure no owner based conflict
• Create a Platform and Metadata policy that allows management, creation etc of tags
• Create a Group and add user 1 to this group. User 2 should not be in any groups
Variation 1 - applying user to policies - this works fine:
• Add User1 to these policies
• Test that User 1 can manage, create and delete tags - they can:white_check_mark:
• Confirm User 2 cannot - they cannot:white_check_mark:
Variation 2 - applying group to the policy - this does not work as expected:
• Add the group that has user 1 in to the policies. Ensure no users are added to the policies
• Test that User 1 can manage, create and delete tags - They cannot:negative_squared_cross_mark:
• Confirm User 2 cannot -They cannot:white_check_mark:
Not the expected behaviour
Are you able to confirm if this is expected behaviour and if we missed something please? It would be great to be able to define groups that will make access management easier.

P.S we checked and noted a similar issue raised but could not fix this behaviour by following the steps outlined in the bug report as you can see from the above steps: (Platform access policies are not working as configured · Issue #4107 · datahub-project/datahub · GitHub)

Hi Catherine! Thanks so much for this very detailed breakdown - definitely looks like there’s a bug here… I’ve asked Chris to take a look early this week!

<@U03BEML16LB> * ^^

hey yes thanks Catherine! i’ll be checking into this asap and will get back to you here when i do

Thanks Chris. Happy to raise a bug report or similar if needed