[CDAP-21188] Enabling RBAC enforcement for dataprep's workspace operations

sahusanket · sahusanket · commit d39eeb7bb67a · 2025-07-22T15:15:26.000+05:30
diff --git a/wrangler-proto/pom.xml b/wrangler-proto/pom.xml
@@ -36,6 +36,11 @@
       <artifactId>cdap-etl-api</artifactId>
       <version>${cdap.version}</version>
     </dependency>
+    <dependency>
+      <groupId>io.cdap.cdap</groupId>
+      <artifactId>cdap-proto</artifactId>
+      <version>${cdap.version}</version>
+    </dependency>
     <dependency>
       <groupId>io.cdap.wrangler</groupId>
       <artifactId>wrangler-api</artifactId>
diff --git a/wrangler-proto/src/main/java/io/cdap/wrangler/proto/id/WorkspaceEntityId.java b/wrangler-proto/src/main/java/io/cdap/wrangler/proto/id/WorkspaceEntityId.java
@@ -0,0 +1,27 @@
+/*
+ * Copyright © 2025 Cask Data, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package io.cdap.wrangler.proto.id;
+
+import io.cdap.cdap.proto.id.SystemAppEntityId;
+
+/**
+ * Uniquely identifies a dataprep.workspace entity
+ */
+public class WorkspaceEntityId extends SystemAppEntityId {
+  public WorkspaceEntityId(String namespace, String workspaceId) {
+    super(namespace, "dataprep", "workspace", workspaceId);
+  }
+}
diff --git a/wrangler-service/src/main/java/io/cdap/wrangler/service/directive/WorkspaceHandler.java b/wrangler-service/src/main/java/io/cdap/wrangler/service/directive/WorkspaceHandler.java
@@ -41,7 +41,10 @@
 import io.cdap.cdap.etl.proto.connection.SampleResponse;
 import io.cdap.cdap.features.Feature;
 import io.cdap.cdap.internal.io.SchemaTypeAdapter;
+import io.cdap.cdap.proto.element.EntityType;
 import io.cdap.cdap.proto.id.NamespaceId;
+import io.cdap.cdap.proto.security.StandardPermission;
+import io.cdap.cdap.security.spi.authorization.ContextAccessEnforcer;
 import io.cdap.wrangler.PropertyIds;
 import io.cdap.wrangler.RequestExtractor;
 import io.cdap.wrangler.api.DirectiveConfig;
@@ -58,6 +61,7 @@
 import io.cdap.wrangler.parser.MigrateToV2;
 import io.cdap.wrangler.parser.RecipeCompiler;
 import io.cdap.wrangler.proto.BadRequestException;
+import io.cdap.wrangler.proto.id.WorkspaceEntityId;
 import io.cdap.wrangler.proto.recipe.v2.Recipe;
 import io.cdap.wrangler.proto.recipe.v2.RecipeId;
 import io.cdap.wrangler.proto.workspace.v2.Artifact;
@@ -121,6 +125,7 @@ public class WorkspaceHandler extends AbstractDirectiveHandler {
   private WorkspaceStore wsStore;
   private RecipeStore recipeStore;
   private ConnectionDiscoverer discoverer;
+  private ContextAccessEnforcer contextAccessEnforcer;
 
   // Injected by CDAP
   @SuppressWarnings("unused")
@@ -132,6 +137,7 @@ public void initialize(SystemHttpServiceContext context) throws Exception {
     wsStore = new WorkspaceStore(context);
     recipeStore = new RecipeStore(context);
     discoverer = new ConnectionDiscoverer(context);
+    contextAccessEnforcer = context.getContextAccessEnforcer();
   }
 
   @POST
@@ -144,6 +150,10 @@ public void createWorkspace(HttpServiceRequest request, HttpServiceResponder res
         throw new BadRequestException("Creating workspace in system namespace is currently not supported");
       }
 
+      WorkspaceId wsId = new WorkspaceId(ns);
+      contextAccessEnforcer.enforce(new WorkspaceEntityId(wsId.getNamespace().getName(), wsId.getWorkspaceId()),
+                                    StandardPermission.CREATE);
+
       WorkspaceCreationRequest creationRequest =
         GSON.fromJson(StandardCharsets.UTF_8.decode(request.getContent()).toString(), WorkspaceCreationRequest.class);
 
@@ -171,7 +181,6 @@ public void createWorkspace(HttpServiceRequest request, HttpServiceResponder res
           return new StageSpec(plugin.getSchema(), pluginSpec);
         }).collect(Collectors.toSet()), detail.getSupportedSampleTypes(), sampleRequest);
 
-      WorkspaceId wsId = new WorkspaceId(ns);
       long now = System.currentTimeMillis();
       Workspace workspace = Workspace.builder(generateWorkspaceName(wsId, creationRequest.getSampleRequest().getPath()),
                                               wsId.getWorkspaceId())
@@ -190,6 +199,8 @@ public void listWorkspaces(HttpServiceRequest request, HttpServiceResponder resp
       if (ns.getName().equalsIgnoreCase(NamespaceId.SYSTEM.getNamespace())) {
         throw new BadRequestException("Listing workspaces in system namespace is currently not supported");
       }
+      contextAccessEnforcer.enforceOnParent(EntityType.SYSTEM_APP_ENTITY, new NamespaceId(ns.getName()),
+                                            StandardPermission.LIST);
       responder.sendString(GSON.toJson(new ServiceResponse<>(wsStore.listWorkspaces(ns))));
     });
   }
@@ -204,7 +215,10 @@ public void getWorkspace(HttpServiceRequest request, HttpServiceResponder respon
       if (ns.getName().equalsIgnoreCase(NamespaceId.SYSTEM.getNamespace())) {
         throw new BadRequestException("Getting workspace in system namespace is currently not supported");
       }
-      responder.sendString(GSON.toJson(wsStore.getWorkspace(new WorkspaceId(ns, workspaceId))));
+      WorkspaceId wsId = new WorkspaceId(ns, workspaceId);
+      contextAccessEnforcer.enforce(new WorkspaceEntityId(wsId.getNamespace().getName(), wsId.getWorkspaceId()),
+                                    StandardPermission.GET);
+      responder.sendString(GSON.toJson(wsStore.getWorkspace(wsId)));
     });
   }
 
@@ -221,11 +235,13 @@ public void updateWorkspace(HttpServiceRequest request, HttpServiceResponder res
       if (ns.getName().equalsIgnoreCase(NamespaceId.SYSTEM.getNamespace())) {
         throw new BadRequestException("Updating workspace in system namespace is currently not supported");
       }
+      WorkspaceId wsId = new WorkspaceId(ns, workspaceId);
+      contextAccessEnforcer.enforce(new WorkspaceEntityId(wsId.getNamespace().getName(), wsId.getWorkspaceId()),
+                                    StandardPermission.UPDATE);
 
       WorkspaceUpdateRequest updateRequest =
         GSON.fromJson(StandardCharsets.UTF_8.decode(request.getContent()).toString(), WorkspaceUpdateRequest.class);
 
-      WorkspaceId wsId = new WorkspaceId(ns, workspaceId);
       Workspace newWorkspace = Workspace.builder(wsStore.getWorkspace(wsId))
                                  .setDirectives(updateRequest.getDirectives())
                                  .setInsights(updateRequest.getInsights())
@@ -250,6 +266,9 @@ public void resampleWorkspace(HttpServiceRequest request, HttpServiceResponder r
       }
 
       WorkspaceId wsId = new WorkspaceId(ns, workspaceId);
+      contextAccessEnforcer.enforce(new WorkspaceEntityId(wsId.getNamespace().getName(), wsId.getWorkspaceId()),
+                                    StandardPermission.UPDATE);
+
       Workspace currentWorkspace = wsStore.getWorkspace(wsId);
 
       String connectionName = currentWorkspace.getSampleSpec() == null ? null :
@@ -294,7 +313,10 @@ public void deleteWorkspace(HttpServiceRequest request, HttpServiceResponder res
       if (ns.getName().equalsIgnoreCase(NamespaceId.SYSTEM.getNamespace())) {
         throw new BadRequestException("Deleting workspace in system namespace is currently not supported");
       }
-      wsStore.deleteWorkspace(new WorkspaceId(ns, workspaceId));
+      WorkspaceId wsId = new WorkspaceId(ns, workspaceId);
+      contextAccessEnforcer.enforce(new WorkspaceEntityId(wsId.getNamespace().getName(), wsId.getWorkspaceId()),
+                                    StandardPermission.DELETE);
+      wsStore.deleteWorkspace(wsId);
       responder.sendStatus(HttpURLConnection.HTTP_OK);
     });
   }
@@ -312,6 +334,10 @@ public void upload(HttpServiceRequest request, HttpServiceResponder responder,
         throw new BadRequestException("Uploading data in system namespace is currently not supported");
       }
 
+      WorkspaceId id = new WorkspaceId(ns);
+      contextAccessEnforcer.enforce(new WorkspaceEntityId(id.getNamespace().getName(), id.getWorkspaceId()),
+                                    StandardPermission.CREATE);
+
       String name = request.getHeader(PropertyIds.FILE_NAME);
       if (name == null) {
         throw new BadRequestException("Name must be provided in the 'file' header");
@@ -335,7 +361,6 @@ public void upload(HttpServiceRequest request, HttpServiceResponder responder,
         sample.add(new Row(COLUMN_NAME, line));
       }
 
-      WorkspaceId id = new WorkspaceId(ns);
       long now = System.currentTimeMillis();
       Workspace workspace = Workspace.builder(name, id.getWorkspaceId())
                               .setCreatedTimeMillis(now).setUpdatedTimeMillis(now).build();
@@ -360,9 +385,11 @@ public void execute(HttpServiceRequest request, HttpServiceResponder responder,
                       @PathParam("id") String workspaceId) {
     respond(responder, namespace, ns -> {
       validateNamespace(ns, "Executing directives in system namespace is currently not supported");
+      WorkspaceId wsId =  new WorkspaceId(ns, workspaceId);
+      contextAccessEnforcer.enforce(new WorkspaceEntityId(wsId.getNamespace().getName(), wsId.getWorkspaceId()),
+                                    StandardPermission.USE);
 
-      DirectiveExecutionResponse response = execute(ns, request, new WorkspaceId(ns, workspaceId),
-                                                    null);
+      DirectiveExecutionResponse response = execute(ns, request, wsId, null);
       responder.sendJson(response);
     });
   }
@@ -406,6 +433,8 @@ public void specification(HttpServiceRequest request, HttpServiceResponder respo
       composite.reload(namespace);
 
       WorkspaceId wsId = new WorkspaceId(ns, workspaceId);
+      contextAccessEnforcer.enforce(new WorkspaceEntityId(wsId.getNamespace().getName(), wsId.getWorkspaceId()),
+                                    StandardPermission.GET);
       WorkspaceDetail detail = wsStore.getWorkspaceDetail(wsId);
       List<String> directives = new ArrayList<>(detail.getWorkspace().getDirectives());
       UserDirectivesCollector userDirectivesCollector = new UserDirectivesCollector();
@@ -448,12 +477,13 @@ public void applyRecipe(HttpServiceRequest request, HttpServiceResponder respond
                           @PathParam("recipe-id") String recipeIdString) {
     respond(responder, namespace, ns -> {
       validateNamespace(ns, "Executing directives in system namespace is currently not supported");
-
+      WorkspaceId wsId = new WorkspaceId(ns, workspaceId);
+      contextAccessEnforcer.enforce(new WorkspaceEntityId(wsId.getNamespace().getName(), wsId.getWorkspaceId()),
+                                    StandardPermission.USE);
       RecipeId recipeId = RecipeId.builder(ns).setRecipeId(recipeIdString).build();
       Recipe recipe = recipeStore.getRecipeById(recipeId);
 
-      DirectiveExecutionResponse response = execute(ns, request, new WorkspaceId(ns, workspaceId),
-                                                    recipe.getDirectives());
+      DirectiveExecutionResponse response = execute(ns, request, wsId, recipe.getDirectives());
       responder.sendJson(response);
     });
   }
