Added permissions and tests for data column/table operations

backend/dataall/modules/s3_datasets/services/dataset_column_service.py

@@ -1,4 +1,5 @@
 from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
+from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
 from dataall.core.tasks.service_handlers import Worker
 from dataall.base.aws.sts import SessionHelper
 from dataall.base.context import get_context
@@ -7,11 +8,10 @@
 from dataall.modules.s3_datasets.aws.glue_table_client import GlueTableClient
 from dataall.modules.s3_datasets.db.dataset_column_repositories import DatasetColumnRepository
 from dataall.modules.s3_datasets.db.dataset_table_repositories import DatasetTableRepository
-from dataall.modules.s3_datasets.services.dataset_permissions import UPDATE_DATASET_TABLE
+from dataall.modules.s3_datasets.services.dataset_permissions import UPDATE_DATASET_TABLE, MANAGE_DATASETS
 from dataall.modules.s3_datasets.db.dataset_models import DatasetTable, DatasetTableColumn
 from dataall.modules.s3_datasets.db.dataset_repositories import DatasetRepository
 from dataall.modules.datasets_base.services.datasets_enums import ConfidentialityClassification
-from dataall.modules.s3_datasets.services.dataset_permissions import PREVIEW_DATASET_TABLE
 
 
 class DatasetColumnService:
@@ -42,6 +42,7 @@ def paginate_active_columns_for_table(uri: str, filter=None):
             return DatasetColumnRepository.paginate_active_columns_for_table(session, uri, filter)
 
     @classmethod
+    @TenantPolicyService.has_tenant_permission(MANAGE_DATASETS)
     @ResourcePolicyService.has_resource_permission(
         UPDATE_DATASET_TABLE, parent_resource=_get_dataset_uri, param_name='table_uri'
     )
@@ -56,6 +57,7 @@ def sync_table_columns(cls, table_uri: str):
         return cls.paginate_active_columns_for_table(uri=table_uri, filter={})
 
     @staticmethod
+    @TenantPolicyService.has_tenant_permission(MANAGE_DATASETS)
     @ResourcePolicyService.has_resource_permission(
         UPDATE_DATASET_TABLE, parent_resource=_get_dataset_uri_for_column, param_name='column_uri'
     )

tests/test_tenant_unauthorized.py

@@ -37,8 +37,8 @@
     'Mutation.updateConsumptionRole',
     'Query.generateEnvironmentAccessToken',
     'Query.getEnvironmentAssumeRoleUrl',
-    # 'Mutation.updateStack', ---> fix for nested fields
-    # 'Mutation.updateKeyValueTags', ---> fix for nested fields
+    # 'Mutation.updateStack', ---> fix for nested fields. PR PART 2
+    # 'Mutation.updateKeyValueTags', ---> fix for nested fields. PR PART 2
     'Mutation.createSagemakerStudioUser',
     'Mutation.deleteSagemakerStudioUser',
     'Query.getSagemakerStudioUserPresignedUrl',
@@ -58,8 +58,8 @@
     'Mutation.batchMetadataFormFieldUpdates',
     # 'Mutation.startMaintenanceWindow',  ---> admin action. No need for tenant permission check
     # 'Mutation.stopMaintenanceWindow',  ---> admin action. No need for tenant permission check
-    # 'Mutation.markNotificationAsRead',
-    # 'Mutation.deleteNotification',
+    # 'Mutation.markNotificationAsRead', ---> TO CONFIRM. tenant permissions do not apply to user personal notifications.
+    # 'Mutation.deleteNotification', ---> TO CONFIRM. tenant permissions do not apply to user personal notifications.
     'Mutation.createGlossary',
     'Mutation.updateGlossary',
     'Mutation.deleteGlossary',
@@ -72,8 +72,8 @@
     'Mutation.approveTermAssociation',
     'Mutation.dismissTermAssociation',
     # 'Mutation.startReindexCatalog',  ---> admin action. No need for tenant permission check
-    # 'Mutation.postFeedMessage',
-    # 'Mutation.createShareObject',
+    # 'Mutation.postFeedMessage', ---> TO CONFIRM. tenant permissions do not apply to user personal feed comments.
+    # 'Mutation.createShareObject', ---> TO DECIDE. Share permissions (all below). Do we need MANAGE_SHARES permission
     # 'Mutation.deleteShareObject',
     # 'Mutation.cancelShareExtension',
     # 'Mutation.addSharedItem',
@@ -92,19 +92,19 @@
     # 'Mutation.updateShareRequestReason',
     # 'Mutation.updateShareItemFilters',
     # 'Mutation.removeShareItemFilter',
-    # 'Mutation.upVote',
-    # 'Mutation.syncDatasetTableColumns',
-    # 'Mutation.updateDatasetTableColumn',
-    # 'Mutation.startDatasetProfilingRun',
-    # 'Mutation.createDatasetStorageLocation',
-    # 'Mutation.updateDatasetStorageLocation',
-    # 'Mutation.deleteDatasetStorageLocation',
-    # 'Mutation.createDataset',
-    # 'Mutation.updateDataset',
-    # 'Mutation.generateDatasetAccessToken',
+    # 'Mutation.upVote', ---> TO CONFIRM. tenant permissions do not apply to user personal up votes.
+    'Mutation.syncDatasetTableColumns',
+    'Mutation.updateDatasetTableColumn',
+    # 'Mutation.startDatasetProfilingRun', ---> fix for nested fields. PR PART 2
+    # 'Mutation.createDatasetStorageLocation', ---> fix for nested fields. PR PART 2
+    'Mutation.updateDatasetStorageLocation',
+    'Mutation.deleteDatasetStorageLocation',
+    # 'Mutation.createDataset', ---> fix for nested fields. PR PART 2
+    # 'Mutation.updateDataset', ---> fix for nested fields. PR PART 2
+    'Mutation.generateDatasetAccessToken',
     'Mutation.deleteDataset',
-    # 'Mutation.importDataset',
-    # 'Mutation.startGlueCrawler',
+    # 'Mutation.importDataset', ---> fix for nested fields. PR PART 2
+    'Mutation.startGlueCrawler',
     'Mutation.updateDatasetTable',
     'Mutation.deleteDatasetTable',
     'Mutation.syncTables',