Merge pull request #9007 from mandy-chessell/oak2026

Prevent non-administrators from updating their own secirity account

Author: mandy-chessell

open-metadata-implementation/common-services/metadata-security/metadata-security-server/src/main/java/org/odpi/openmetadata/metadatasecurity/server/OpenMetadataPlatformSecurityVerifier.java

@@ -254,18 +254,7 @@ public static synchronized void updateUserAccount(String                  userId
             /*
              * Validate that someone has authority to update the user's account details.
              */
-            if (delegatingUserId.equals(userAccount.getUserId()))
-            {
-                /*
-                 * The caller is updating their own account.
-                 */
-                validatePlatformOperator(userId, null);
-            }
-            else
-            {
-                validatePlatformOperator(userId, delegatingUserId);
-            }
-
+            validatePlatformOperator(userId, delegatingUserId);
             userSecurityConnector.setUserAccount(userAccount);
         }
     }
@@ -284,7 +273,7 @@ public static synchronized void deleteUserAccount(String userId,
                                                       String accountUserId) throws UserNotAuthorizedException
     {
         /*
-         * Validate that someone has authority to update the user's account details.
+         * Validate that someone has authority to delete the user's account details.
          */
         validatePlatformOperator(userId, delegatingUserId);
 

open-metadata-implementation/governance-server-services/integration-daemon-services/integration-daemon-services-spring/src/main/java/org/odpi/openmetadata/governanceservers/integrationdaemonservices/server/spring/IntegrationDaemonResource.java

@@ -243,12 +243,12 @@ public  VoidResponse updateConnectorConnection(@PathVariable String     serverNa
 
 
     /**
-     * Issue a refresh() request on all connectors running in the integration daemon, or a specific connector if the connector name is specified.
+     * Issue a refresh() request on all connectors running in the integration daemon or a specific connector if the connector name is specified.
      *
      * @param serverName integration daemon server name
      * @param delegatingUserId external userId making request
      * @param requestBody optional name of the connector to target - if no connector name is specified, all
-     *                      connectors managed by this integration service are refreshed.
+     *                      connectors managed by this integration daemon are refreshed.
      *
      * @return void or
      *  InvalidParameterException one of the parameters is null or invalid or
@@ -272,12 +272,12 @@ public VoidResponse refreshConnectors(@PathVariable                  String
 
 
     /**
-     * Restart all connectors running in the integration daemon, or restart a specific connector if the connector name is specified.
+     * Restart all connectors running in the integration daemon or restart a specific connector if the connector name is specified.
      *
      * @param serverName integration daemon server name
      * @param delegatingUserId external userId making request
      * @param requestBody optional name of the connector to target - if no connector name is specified, all
-     *                      connectors managed by this integration service are refreshed.
+     *                      connectors managed by this integration daemon are refreshed.
      *
      * @return void or
      *  InvalidParameterException one of the parameters is null or invalid or
@@ -305,8 +305,8 @@ public VoidResponse restartConnectors(@PathVariable                  String
      *
      * @param serverName integration daemon server name
      * @param delegatingUserId external userId making request
-     * @param integrationGroupName name of integration group of interest
-     * @return list of statuses - on for each assigned integration groups or
+     * @param integrationGroupName name of the integration group of interest
+     * @return integration group status, or
      *  InvalidParameterException one of the parameters is null or invalid or
      *  UserNotAuthorizedException the user is not authorized to issue this request or
      */
@@ -327,11 +327,11 @@ public IntegrationGroupSummaryResponse getIntegrationGroupSummary(@PathVariable
 
 
     /**
-     * Return a summary of each of the integration groups running in the integration daemon.
+     * Return a summary of the integration groups running in the integration daemon.
      *
      * @param serverName integration daemon server name
      * @param delegatingUserId external userId making request
-     * @return list of statuses - one for each assigned integration groups
+     * @return list of statuses - one for each integration group, or
      *  InvalidParameterException one of the parameters is null or invalid or
      *  UserNotAuthorizedException the user is not authorized to issue this request or
      */

open-metadata-implementation/view-services/security-officer/Egeria-api-security-officer.http

@@ -29,13 +29,13 @@ Content-Type: application/json
 ###
 # @name: setUserAccount
 # Set up or update a user account in the platform metadata security connector
-# The user requires operator permission for the platform unless it is their own user account they are retrieving.
+# The user requires operator permission for the platform.
 #
 # @param serverName  name of called server
 # @param platformGUID unique identifier of the platform
 # @param requestBody requestBody used to create and configure the connector that performs platform security
 # @return void response
-#/
+#
 POST {{baseURL}}/servers/{{viewServer}}/api/open-metadata/security-officer/platforms/{{platformGUID}}/user-accounts
 Authorization: Bearer {{token}}
 Content-Type: application/json
@@ -80,13 +80,13 @@ Content-Type: application/json
       "clearPassword" : "newSecret1"
     }
   }
-
 }
 
 
 ###
 # @name: getUserAccount
-# Return the user account object for the requested user from the platform metadata security connector.  Null is returned if no platform security or user account has been set up.
+# Return the user account object for the requested user from the platform metadata security connector.
+# Null is returned if no platform security or user account has been set up.
 # The user requires operator permission for the platform unless it is their own user account they are retrieving.
 #
 # @param serverName  name of called server

open-metadata-implementation/view-services/security-officer/Egeria-coco-manage-users.http

@@ -36,7 +36,7 @@ Content-Type: application/json
 
 ###
 # =====================================================================================================================
-# Get access the the platform
+# Retrieve the platform GUID
 # https://egeria-project.org/types/0037-Software-Server-Platforms/
 
 ###
@@ -91,9 +91,14 @@ Authorization: Bearer {{callieToken}}
 GET {{baseURL}}/servers/{{viewServer}}/api/open-metadata/security-officer/platforms/{{omagServerPlatformGUID}}/user-accounts/garygeeke
 Authorization: Bearer {{callieToken}}
 
+###
+## Gary can see his account
+GET {{baseURL}}/servers/{{viewServer}}/api/open-metadata/security-officer/platforms/{{omagServerPlatformGUID}}/user-accounts/garygeeke
+Authorization: Bearer {{garyToken}}
+
 ###
 # ========================================================================================
-# Setting up new user account got Freddie Mercury
+# Setting up new user account for Freddie Mercury
 #
 ###
 
@@ -108,7 +113,7 @@ Authorization: Bearer {{garyToken}}
 
 # @name: setUserAccount
 # Set up or update a user account in the platform metadata security connector
-# The user requires operator permission for the platform unless it is their own user account they are retrieving.
+# The user requires operator permission for the platform.
 #
 # @param serverName  name of called server
 # @param platformGUID unique identifier of the platform
@@ -246,4 +251,33 @@ Authorization: Bearer {{freddieToken}}
 Content-Type: application/json
 
 
+###
+# ========================================================================================
+# Can Callie update her own User Account?   She attempts to give herself admin privileges
+#
+###
+POST {{baseURL}}/servers/{{viewServer}}/api/open-metadata/security-officer/platforms/{{omagServerPlatformGUID}}/user-accounts
+Authorization: Bearer {{callieToken}}
+Content-Type: application/json
+
+{
+  "class": "UserAccountResponse",
+  "requestId": "a30a2090-cf6f-4d9a-8b5c-633f88707763",
+  "relatedHTTPCode": 200,
+  "userAccount": {
+    "userName": "Callie Quartile",
+    "securityRoles": [
+      "serverAdministrator",
+      "dataScientist",
+      "clinicalTrials",
+      "openMetadataMember"
+    ],
+    "userAccountStatus": "AVAILABLE",
+    "secrets": {
+      "clearPassword": "secret"
+    },
+    "userId": "calliequartile"
+  }
+}
+