Add LIST_ENVIRONMENT_DATASETS permission for listing shared datasets

data-dot-all · Nov 22, 2024 · ae854e0 · ae854e0
1 parent 6c01162
commit ae854e0
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 11 deletions.
diff --git a/backend/dataall/modules/s3_datasets_shares/api/resolvers.py b/backend/dataall/modules/s3_datasets_shares/api/resolvers.py
@@ -65,13 +65,11 @@ def get_s3_consumption_data(context: Context, source, shareUri: str):
 
 
 def list_shared_databases_tables_with_env_group(context: Context, source, environmentUri: str, groupUri: str):
-    return S3ShareService.list_shared_databases_tables_with_env_group(environmentUri=environmentUri, groupUri=groupUri)
+    return S3ShareService.list_shared_databases_tables_with_env_group(uri=environmentUri, group_uri=groupUri)
 
 
 def resolve_shared_db_name(context: Context, source, **kwargs):
-    return S3ShareService.resolve_shared_db_name(
-        source.GlueDatabaseName, source.shareUri, source.targetEnvAwsAccountId, source.targetEnvRegion
-    )
+    return S3ShareService.resolve_shared_db_name(source.GlueDatabaseName, source.shareUri)
 
 
 def list_shared_table_columns(context: Context, source, tableUri: str, shareUri: str, filter: dict):

diff --git a/backend/dataall/modules/s3_datasets_shares/services/s3_share_service.py b/backend/dataall/modules/s3_datasets_shares/services/s3_share_service.py
@@ -1,6 +1,6 @@
 import logging
 
-from dataall.base.db import utils
+from dataall.base.db import utils, exceptions
 from dataall.base.context import get_context
 from dataall.base.aws.sts import SessionHelper
 from dataall.base.aws.iam import IAM
@@ -10,6 +10,7 @@
 from dataall.core.tasks.db.task_models import Task
 from dataall.core.tasks.service_handlers import Worker
 from dataall.modules.datasets_base.db.dataset_repositories import DatasetBaseRepository
+from dataall.modules.datasets_base.services.dataset_list_permissions import LIST_ENVIRONMENT_DATASETS
 from dataall.modules.shares_base.db.share_object_models import ShareObject
 from dataall.modules.shares_base.db.share_object_repositories import ShareObjectRepository
 from dataall.modules.shares_base.db.share_object_item_repositories import ShareObjectItemRepository
@@ -173,12 +174,13 @@ def reapply_share_items_for_dataset(uri: str):
         return True
 
     @staticmethod
-    def list_shared_tables_by_env_dataset(dataset_uri: str, env_uri: str):
+    @ResourcePolicyService.has_resource_permission(LIST_ENVIRONMENT_DATASETS)
+    def list_shared_tables_by_env_dataset(uri: str, dataset_uri: str):
         context = get_context()
         with context.db_engine.scoped_session() as session:
             log.info(
                 S3ShareObjectRepository.query_dataset_tables_shared_with_env(
-                    session, env_uri, dataset_uri, context.username, context.groups
+                    session, uri, dataset_uri, context.username, context.groups
                 )
             )
             return [
@@ -188,7 +190,7 @@ def list_shared_tables_by_env_dataset(dataset_uri: str, env_uri: str):
                     + (f'_{res.resourceLinkSuffix}' if res.resourceLinkSuffix else ''),
                 }
                 for res in S3ShareObjectRepository.query_dataset_tables_shared_with_env(
-                    session, env_uri, dataset_uri, context.username, context.groups
+                    session, uri, dataset_uri, context.username, context.groups
                 )
             ]
 
@@ -259,11 +261,17 @@ def get_s3_consumption_data(uri):
             }
 
     @staticmethod
-    def list_shared_databases_tables_with_env_group(environmentUri: str, groupUri: str):
+    @ResourcePolicyService.has_resource_permission(LIST_ENVIRONMENT_DATASETS)
+    def list_shared_databases_tables_with_env_group(uri: str, group_uri: str):
         context = get_context()
+        if group_uri not in context.groups:
+            raise exceptions.UnauthorizedOperation(
+                action='LIST_ENVIRONMENT_GROUP_DATASETS',
+                message=f'User: {context.username} is not a member of the team {group_uri}',
+            )
         with context.db_engine.scoped_session() as session:
             return S3ShareObjectRepository.query_shared_glue_databases(
-                session=session, groups=context.groups, env_uri=environmentUri, group_uri=groupUri
+                session=session, groups=context.groups, env_uri=uri, group_uri=group_uri
             )
 
     @staticmethod
@@ -303,7 +311,7 @@ def list_table_data_filters_by_attached(uri: str, data: dict):
             )
 
     @staticmethod
-    def resolve_shared_db_name(GlueDatabaseName: str, shareUri: str, targetEnvAwsAccountId: str, targetEnvRegion: str):
+    def resolve_shared_db_name(GlueDatabaseName: str, shareUri: str):
         with get_context().db_engine.scoped_session() as session:
             share = ShareObjectRepository.get_share_by_uri(session, shareUri)
             dataset = DatasetBaseRepository.get_dataset_by_uri(session, share.datasetUri)