Skip to content

feat: Introducing Dataset Permissions #4074

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
JHoelli wants to merge 57 commits into
base: dev
Choose a base branch
from
Open

feat: Introducing Dataset Permissions #4074

JHoelli wants to merge 57 commits into from
+995 −314

Conversation

@JHoelli
Copy link
Contributor

@JHoelli JHoelli commented Dec 19, 2025
edited
Loading

Purpose

Intoducing first simple permissions for Dataset.

Assumptions

  • A newly created dataset inherits the permissions of the pipeline admin who created it.
  • Permissions at the dataset level are user-specific, as in Connect and Pipelines.
  • Option to add additional permissions (similar to e.g., Connect)

Concept

Role Read Write
Admin X X
Asset Admin - -
Asset User - -
Connect Admin - -
Data Explorer Admin X -
Data Explorer User X -
Dashboard Admin X -
Dashboard User X -
Pipeline User X -
Pipeline Admin X X

Example

A dashboard user or admin, the uses a chart which on the other hand is based on a dataset, also needs to be given explicit rights on that dataset to be able to see the chart with values.

Remarks

Backend

  • Permission for DataLakeMeasureResources
  • Permissions for DataLakeResources

UI

  • Section Dataset Permission, so that everyone can see the datasets assigned
  • Add Option Share Dataset in the Dataset Section

Migration

  • Migrate all existing measures with new permission (--> setting them to public)

Testing

  • Write End2End Tests

PR introduces (a) breaking change(s): no

PR introduces (a) deprecation(s): no

JHoelli and others added 28 commits December 9, 2025 09:27
@JHoelli
fix for failing renaming test
725951b
@JHoelli
Merge branch 'apache:dev' into dev
e8399a1
@JHoelli
Merge branch 'apache:dev' into dev
357b9da
@JHoelli
Merge branch 'apache:dev' into dev
eac00c8
@JHoelli
Merge branch 'apache:dev' into dev
486d1a9
@JHoelli
Merge branch 'apache:dev' into dev
3c8b34b
@JHoelli
Merge branch 'apache:dev' into dev
cf55438
@JHoelli
Merge branch 'apache:dev' into dev
bcc64e2
@JHoelli
Merge branch 'apache:dev' into dev
acc16cc
@JHoelli
write permission to couchdb
a8ab817
@JHoelli
moved to datalake measure
7e61cad
@JHoelli
refactored permission to DataLakePermissionManager
24e1b8d
@JHoelli
adding roles and privileges to db
8500abd
@JHoelli
no migration necessary
bfcfa43
@JHoelli
first draft getAll()
0149071
@JHoelli
Get Correctly implemented
f8aaa91
@JHoelli
Permissions working?
69537df
@JHoelli
Get Methods
3204870
@JHoelli
first permission draft
cc97d2e
@JHoelli
mocked api
a244662
@JHoelli
small fix for by measureName
be96c51
@JHoelli
fix for count endpoint
3eee8a0
@JHoelli
small fiy in params
aee9680
@JHoelli
DataLakeMeasureResource Permission Working
d773247
@JHoelli
DataLakeResources API Permissions
5af9f37
@JHoelli
removed unnecessary method
d5ef998
@JHoelli
refactored the permission functions
49bc22f
@JHoelli
cleanup
d1e00f8
@github-actions github-actions bot added java Pull requests that update Java code backend Everything that is related to the StreamPipes backend labels Dec 19, 2025
@github-actions github-actions bot added the testing Relates to any kind of test (unit test, integration, or E2E test). label Jan 5, 2026
@JHoelli JHoelli marked this pull request as ready for review January 5, 2026 12:37
tenthe
tenthe requested changes Jan 7, 2026
View reviewed changes
Copy link
Contributor

@tenthe tenthe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @JHoelli,

thanks a lot for the PR, this is a really cool new functionality.
I tested it locally and everything worked as expected, including the migration.

I only have a few minor code comments.

@tenthe
Copy link
Contributor

tenthe commented Jan 7, 2026

Hi @JHoelli,

I just realized we need to change the logic for setting data lake permissions. Currently, this is handled in PipelineManager.addPipeline, but this is not the only place where a measurement can be created. A measurement can also be created via the API, so this logic should be moved to the REST interface, DataLakeMeasureResource.

@JHoelli
Copy link
Contributor Author

JHoelli commented Jan 7, 2026
edited
Loading

Current Issue

When moving permission management for datasets from the Pipeline Manager to the DataLakeResource, we are facing an issue where the principal ID is lost if a data lake is created from a pipeline. This occurs because the getAuthenticatedUserSid() method only returns the user ID of the service principal (sp-service-client), which results in incorrect ownership assignments.

On the other hand, when a data lake is created via API, the correct ownership is assigned, as the user token is properly used.

Creating a data lake via API results in the correct ownership due to the provided user token.

Possible Solutions

Move the Measurement Creation to the DataSinkInvocation

Idea: Split the measurement creation and update process. Only create the measurement and pipeline permissions within the Pipeline Manager.

Pros:

  • Separates concerns, keeping pipeline management cleaner.

  • Allows permissions to be set specifically for the pipeline context (using the SchemaManager not the ClientAPI).

Cons:

  • more complex flow management.

  • Reusability

Add an additional Header

Idea: Introduce a new HTTP header to specify if the authenticated user is an admin. If the user is an admin, allow the system to use the user ID from the token (via TokenAuthenticationFilter) instead of the service principal ID or introduce an 'onbehalfof'.

Reasoning: If a user already has admin rights, setting another user reduces those rights.

Pros:

  • Reusable solution for other use cases.

  • Ensures the correct user ownership.

Cons:

  • may be harder to understand.
  • no other usage of such logic.

Create Permissions in the Pipeline Manager and only check if Permissions are available in the DataMeasureResource

Idea: Revert to the old approach: create the permissions in the Pipeline Manager with the authenticated user. In the DataMeasureResource, simply check whether permissions already exist. If not, use the currently authenticated user to set the permission.

Pros:

  • Easy to implement.

  • Ensures functionality with the StreamPipes client and core systems.

Cons:

  • Permissions are managed in two separate places, making the implementation less clean.

  • Reduces reusability, as permission management is not centralized.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tenthe tenthe tenthe requested changes

Assignees

No one assigned

Labels

backend Everything that is related to the StreamPipes backend java Pull requests that update Java code testing Relates to any kind of test (unit test, integration, or E2E test). ui Anything that affects the UI

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@JHoelli @tenthe