From a01ab3971fe9618ce1c2c0022959b573f64f8634 Mon Sep 17 00:00:00 2001
From: Nikhil P Bonte
Date: Thu, 30 Nov 2023 21:29:12 +0530
Subject: [PATCH 1/8] Revisit PErsona transformer
---
 .../policy_cache_transformer_persona.json | 87 ++++--------------
 1 file changed, 18 insertions(+), 69 deletions(-)
diff --git a/addons/static/templates/policy_cache_transformer_persona.json b/addons/static/templates/policy_cache_transformer_persona.json
index 7136399710..4a9cf8ced4 100644
--- a/addons/static/templates/policy_cache_transformer_persona.json
+++ b/addons/static/templates/policy_cache_transformer_persona.json
@@ -381,24 +381,12 @@
 "entity:{entity}",
 "entity:{entity}/*",
 "entity-type:DataDomain",
+ "entity-type:DataProduct",
 "entity-classification:*"
 ],
 "actions": ["entity-read"]
 }
 ],
- "persona-domain-create": [
- {
- "policyResourceCategory": "ENTITY",
- "policyType": "ACCESS",
- "resources": [
- "entity:{entity}",
- "entity:{entity}/*",
- "entity-type:DataDomain",
- "entity-classification:*"
- ],
- "actions": ["entity-create"]
- }
- ],
 "persona-domain-update": [
 {
 "policyResourceCategory": "ENTITY",
@@ -407,6 +395,7 @@
 "entity:{entity}",
 "entity:{entity}/*",
 "entity-type:DataDomain",
+ "entity-type:DataProduct",
 "entity-classification:*"
 ],
 "actions": ["entity-update"]
@@ -420,18 +409,16 @@
 "relationship-type:*",
 
 "end-one-entity-type:DataDomain",
+ "end-two-entity-type:DataProduct",
 "end-one-entity-classification:*",
 "end-one-entity:{entity}",
 "end-one-entity:{entity}/*",
 
 "end-two-entity-type:DataDomain",
 "end-two-entity-type:DataProduct",
- "end-two-entity-type:DataContract",
 "end-two-entity-classification:*",
 "end-two-entity:*"
 ],
-
-
 "actions": ["add-relationship", "update-relationship", "remove-relationship"]
 },
 {
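Review bot: The added `"end-two-entity-type:DataProduct",` in the `@@ -420` hunk is placed in the end-one group, between `end-one-entity-type:DataDomain` and `end-one-entity-classification:*`, and duplicates the `end-two-entity-type:DataProduct` that already sits in the end-two group a few lines lower, so the line is a no-op as written. If the intent was to allow a DataProduct as the first end of the relationship it should read `"end-one-entity-type:DataProduct",`; if the existing end-two entry was the goal, the added line should simply be dropped. The `"resources": [` opening of this policy and the policy's own key are outside the hunk, so which persona block it belongs to cannot be confirmed from here.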
@@ -443,41 +430,28 @@
 
 "end-one-entity-type:DataDomain",
 "end-one-entity-type:DataProduct",
- "end-one-entity-type:DataContract",
 "end-one-entity-classification:*",
 "end-one-entity:*",
 
 "end-two-entity-type:DataDomain",
+ "end-two-entity-type:DataProduct",
 "end-two-entity-classification:*",
 "end-two-entity:{entity}",
 "end-two-entity:{entity}/*"
 ],
 
-
 "actions": ["add-relationship", "update-relationship", "remove-relationship"]
 }
 ],
- "persona-domain-delete": [
- {
- "policyResourceCategory": "ENTITY",
- "policyType": "ACCESS",
- "resources": [
- "entity:{entity}",
- "entity:{entity}/*",
- "entity-type:{DataDomain}",
- "entity-classification:*"
- ],
- "actions": ["entity-delete"]
- }
- ],
+
 "persona-domain-sub-domain-read": [
 {
 "policyResourceCategory": "ENTITY",
 "policyType": "ACCESS",
 "resources": [
- "entity:{entity}",
- "entity:{entity}/*",
+ "entity:{entity}/domain/*",
 "entity-type:DataDomain",
+ "entity-type:DataProduct",
 "entity-classification:*"
 ],
 "actions": ["entity-read"]
@@ -488,9 +462,9 @@
 "policyResourceCategory": "ENTITY",
 "policyType": "ACCESS",
 "resources": [
- "entity:{entity}",
- "entity:{entity}/*",
+ "entity:{entity}/domain/*",
 "entity-type:DataDomain",
+ "entity-type:DataProduct",
 "entity-classification:*"
 ],
 "actions": ["entity-create"]
@@ -501,9 +475,9 @@
 "policyResourceCategory": "ENTITY",
 "policyType": "ACCESS",
 "resources": [
- "entity:{entity}",
- "entity:{entity}/*",
+ "entity:{entity}/domain/*",
 "entity-type:DataDomain",
+ "entity-type:DataProduct",
 "entity-classification:*"
 ],
 "actions": ["entity-update"]
@@ -514,9 +488,9 @@
 "policyResourceCategory": "ENTITY",
 "policyType": "ACCESS",
 "resources": [
- "entity:{entity}",
- "entity:{entity}/*",
+ "entity:{entity}/domain/*",
 "entity-type:DataDomain",
+ "entity-type:DataProduct",
 "entity-classification:*"
 ],
 "actions": ["entity-delete"]
@@ -528,8 +502,7 @@
 "policyResourceCategory": "ENTITY",
 "policyType": "ACCESS",
 "resources": [
- "entity:{entity}",
- "entity:{entity}/*",
+ "entity:{entity}/*/product/*",
 "entity-type:DataProduct",
 "entity-classification:*"
 ],
@@ -541,8 +514,7 @@
 "policyResourceCategory": "ENTITY",
 "policyType": "ACCESS",
 "resources": [
- "entity:{entity}",
- "entity:{entity}/*",
+ "entity:{entity}/*/product/*",
 "entity-type:DataProduct",
 "entity-classification:*"
 ],
@@ -554,8 +526,7 @@
 "policyResourceCategory": "ENTITY",
 "policyType": "ACCESS",
 "resources": [
- "entity:{entity}",
- "entity:{entity}/*",
+ "entity:{entity}/*/product/*",
 "entity-type:DataProduct",
 "entity-classification:*"
 ],
@@ -575,28 +546,7 @@
 
 "end-two-entity-type:DataProduct",
 "end-two-entity-classification:*",
- "end-two-entity:{entity}",
- "end-two-entity:{entity}/*"
- ],
-
- "actions": ["add-relationship", "update-relationship", "remove-relationship"]
- },
- {
- "policyResourceCategory": "RELATIONSHIP",
- "policyType": "ACCESS",
- "description": "Link/unlink any DataContract to this DataProduct",
-
- "resources": [
- "relationship-type:*",
-
- "end-one-entity-type:DataProduct",
- "end-one-entity-classification:*",
- "end-one-entity:*",
-
- "end-two-entity-type:DataContract",
- "end-two-entity-classification:*",
- "end-two-entity:{entity}",
- "end-two-entity:{entity}/*"
+ "end-two-entity:{entity}/*/product/*"
 ],
 
 "actions": ["add-relationship", "update-relationship", "remove-relationship"]
@@ -607,8 +557,7 @@
 "policyResourceCategory": "ENTITY",
 "policyType": "ACCESS",
 "resources": [
- "entity:{entity}",
- "entity:{entity}/*",
+ "entity:{entity}/*/product/*",
 "entity-type:DataProduct",
 "entity-classification:*"
 ],
From 32911a4ad6e976a4eb36071adb742f572d0a6030 Mon Sep 17 00:00:00 2001
From: Nikhil P Bonte
Date: Thu, 30 Nov 2023 21:30:16 +0530
Subject: [PATCH 2/8] Update maven add to build
---
 .github/workflows/maven.yml | 1 +
 1 file changed, 1 insertion(+)
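Review bot: The new `"entity:{entity}/*/product/*"` resource (here and in the `@@ -541`, `@@ -554` and `@@ -607` hunks, plus `end-two-entity:{entity}/*/product/*` in `@@ -575`) requires a path segment between the domain qualifiedName and `/product/`, so if `{entity}` is the domain's own qualifiedName and a product directly under it is named `{entity}/product/<id>`, that product never matches and only products under a sub-domain do. If direct products exist, each list needs a second entry, `"entity:{entity}/product/*",` beside the new one, and the relationship policy an `"end-two-entity:{entity}/product/*",`. If instead `{entity}` is a shorter prefix and the middle segment is always present, a short note in the template saying what `{entity}` expands to would spare the next reader the same question. The ES alias added later in this series builds its wildcard from the same `asset + "/*/product/*"` shape, so whichever convention is right, both places must agree.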
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 3403d45797..f4158c2692 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -26,6 +26,7 @@ on:
 - development
 - master
 - lineageondemand
+ - domainpoliices
 
 jobs:
 build:
From fab17a8beb2e246f334eb3862628231e31526125 Mon Sep 17 00:00:00 2001
From: Nikhil P Bonte
Date: Thu, 30 Nov 2023 21:35:37 +0530
Subject: [PATCH 3/8] Transformer: limit sub domain permissions
---
 addons/static/templates/policy_cache_transformer_persona.json | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/addons/static/templates/policy_cache_transformer_persona.json b/addons/static/templates/policy_cache_transformer_persona.json
index 4a9cf8ced4..85b9ae3338 100644
--- a/addons/static/templates/policy_cache_transformer_persona.json
+++ b/addons/static/templates/policy_cache_transformer_persona.json
@@ -451,7 +451,6 @@
 "resources": [
 "entity:{entity}/domain/*",
 "entity-type:DataDomain",
- "entity-type:DataProduct",
 "entity-classification:*"
 ],
 "actions": ["entity-read"]
@@ -464,7 +463,6 @@
 "resources": [
 "entity:{entity}/domain/*",
 "entity-type:DataDomain",
- "entity-type:DataProduct",
 "entity-classification:*"
 ],
 "actions": ["entity-create"]
@@ -477,7 +475,6 @@
 "resources": [
 "entity:{entity}/domain/*",
 "entity-type:DataDomain",
- "entity-type:DataProduct",
 "entity-classification:*"
 ],
 "actions": ["entity-update"]
@@ -490,7 +487,6 @@
 "resources": [
 "entity:{entity}/domain/*",
 "entity-type:DataDomain",
- "entity-type:DataProduct",
 "entity-classification:*"
 ],
 "actions": ["entity-delete"]
From 81833a122d4d05d6a07900b099c83ece0c9360d7 Mon Sep 17 00:00:00 2001
From: Nikhil P Bonte
Date: Thu, 30 Nov 2023 21:50:12 +0530
Subject: [PATCH 4/8] Persona alias for product and sub-domain reads
---
 .../repository/store/aliasstore/ESAliasStore.java | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
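Review bot: The added branch trigger `- domainpoliices` looks misspelled (double `i`); a push/pull_request trigger fires only on an exact branch-name match, so if the feature branch is in fact `domainpolicies` the workflow silently never runs for it. Please confirm the real branch name, and if this entry is only meant to exist for the life of the feature branch, give it a trailing comment such as `# temporary: drop once the branch is merged` so it is not left behind. The enclosing `on:` block starts outside the hunk.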
diff --git a/repository/src/main/java/org/apache/atlas/repository/store/aliasstore/ESAliasStore.java b/repository/src/main/java/org/apache/atlas/repository/store/aliasstore/ESAliasStore.java
index c8ccfaf2a7..6e51565431 100644
--- a/repository/src/main/java/org/apache/atlas/repository/store/aliasstore/ESAliasStore.java
+++ b/repository/src/main/java/org/apache/atlas/repository/store/aliasstore/ESAliasStore.java
@@ -204,15 +204,24 @@ private void personaPolicyToESDslClauses(List policies,
 terms.add(glossaryQName);
 allowClauseList.add(mapOf("wildcard", mapOf(QUALIFIED_NAME, "*@" + glossaryQName)));
 }
- } else if (getPolicyActions(policy).contains(ACCESS_READ_PERSONA_DOMAIN)
- || getPolicyActions(policy).contains(ACCESS_READ_PERSONA_SUB_DOMAIN)
- || getPolicyActions(policy).contains(ACCESS_READ_PERSONA_PRODUCT)) {
+ } else if (getPolicyActions(policy).contains(ACCESS_READ_PERSONA_DOMAIN)) {
 for (String asset : assets) {
 terms.add(asset);
 allowClauseList.add(mapOf("wildcard", mapOf(QUALIFIED_NAME, asset + "/*")));
 }
 
 
+ } else if (getPolicyActions(policy).contains(ACCESS_READ_PERSONA_SUB_DOMAIN)) {
+ for (String asset : assets) {
+ //terms.add(asset);
+ allowClauseList.add(mapOf("wildcard", mapOf(QUALIFIED_NAME, asset + "/domain/*")));
+ }
+
+ } else if (getPolicyActions(policy).contains(ACCESS_READ_PERSONA_PRODUCT)) {
+ for (String asset : assets) {
+ //terms.add(asset);
+ allowClauseList.add(mapOf("wildcard", mapOf(QUALIFIED_NAME, asset + "/*/product/*")));
+ }
 }
 }
 
From c5cb4b54df0212324b237cbae73de8c446499fc6 Mon Sep 17 00:00:00 2001
From: Anshul Mehta
Date: Thu, 30 Nov 2023 22:45:11 +0530
Subject: [PATCH 5/8] Update policy_cache_transformer_persona.json
---
 .../policy_cache_transformer_persona.json | 20 ++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/addons/static/templates/policy_cache_transformer_persona.json b/addons/static/templates/policy_cache_transformer_persona.json
index 85b9ae3338..1417f5a08d 100644
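Review bot: Splitting the former combined condition into an exclusive `else if` chain changes behaviour for a policy whose action list contains more than one of ACCESS_READ_PERSONA_DOMAIN, ACCESS_READ_PERSONA_SUB_DOMAIN and ACCESS_READ_PERSONA_PRODUCT: before, any of the three produced the same `asset + "/*"` clause, now only the first matching branch emits its clause and the other scopes are silently left out of the alias. If `getPolicyActions(policy)` can return several of these actions at once, the three checks should be independent `if` blocks rather than `else if`, or one loop that appends a clause per matching action; if a policy can only ever carry one of them, a one-line comment saying so above the chain would make the exclusivity deliberate. The two `//terms.add(asset);` lines are commented-out code; either delete them or replace them with a comment explaining why the sub-domain and product scopes intentionally do not add the asset to `terms` while the DOMAIN branch still does. personaPolicyToESDslClauses starts before the hunk.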
--- a/addons/static/templates/policy_cache_transformer_persona.json
+++ b/addons/static/templates/policy_cache_transformer_persona.json
@@ -503,6 +503,24 @@
 "entity-classification:*"
 ],
 "actions": ["entity-read"]
+ },
+ {
+ "policyResourceCategory": "RELATIONSHIP",
+ "policyType": "ACCESS",
+ "description": "Link/unlink any DataProduct to Domain",
+ "resources": [
+ "relationship-type:*",
+
+ "entity:{entity}/*",
+ "entity:{entity}",
+ "end-one-entity-type:DataDomain",
+ "end-one-entity-classification:*",
+
+ "end-two-entity-type:DataProduct",
+ "end-two-entity-classification:*",
+ "end-two-entity:{entity}/*"
+ ],
+ "actions": ["add-relationship", "update-relationship", "remove-relationship"]
 }
 ],
 "persona-domain-product-create": [
@@ -575,4 +593,4 @@
 "actions": ["select"]
 }
 ]
-}
\ No newline at end of file
+}
From 1f0561ec5872f2d8ccd9cea420b70bd0bcba0f09 Mon Sep 17 00:00:00 2001
From: Anshul Mehta
Date: Thu, 30 Nov 2023 23:20:55 +0530
Subject: [PATCH 6/8] Update policy_cache_transformer_persona.json
---
 .../policy_cache_transformer_persona.json | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/addons/static/templates/policy_cache_transformer_persona.json b/addons/static/templates/policy_cache_transformer_persona.json
index 1417f5a08d..710f7cd354 100644
--- a/addons/static/templates/policy_cache_transformer_persona.json
+++ b/addons/static/templates/policy_cache_transformer_persona.json
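Review bot: The new RELATIONSHIP policy carries `"entity:{entity}/*",` and `"entity:{entity}",` in its resources, but every other RELATIONSHIP policy in this template scopes its ends only with `end-one-entity*`/`end-two-entity*` keys; depending on how the transformer and the policy validator treat a key they do not expect for this category, these two entries are either ignored or rejected. With them ignored, the first end is constrained only by `end-one-entity-type:DataDomain`, so the persona may link any of its products to any DataDomain, not just `{entity}`. If that width is intended, the two `entity:` lines are dead and should go; if the domain end is meant to be the persona's own, replace them with `"end-one-entity:{entity}",` and `"end-one-entity:{entity}/*",`. The same two lines survive when patch 6 of this series moves the policy, so the fix applies there as well.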
@@ -503,11 +503,23 @@
 "entity-classification:*"
 ],
 "actions": ["entity-read"]
+ }
+ ],
+ "persona-domain-product-create": [
+ {
+ "policyResourceCategory": "ENTITY",
+ "policyType": "ACCESS",
+ "resources": [
+ "entity:{entity}/*/product/*",
+ "entity-type:DataProduct",
+ "entity-classification:*"
+ ],
+ "actions": ["entity-create"]
 },
 {
 "policyResourceCategory": "RELATIONSHIP",
 "policyType": "ACCESS",
- "description": "Link/unlink any DataProduct to Domain",
+ "description": "Link/unlink this DataProduct to any parent Domain",
 "resources": [
 "relationship-type:*",
 
@@ -523,18 +535,6 @@
 "actions": ["add-relationship", "update-relationship", "remove-relationship"]
 }
 ],
- "persona-domain-product-create": [
- {
- "policyResourceCategory": "ENTITY",
- "policyType": "ACCESS",
- "resources": [
- "entity:{entity}/*/product/*",
- "entity-type:DataProduct",
- "entity-classification:*"
- ],
- "actions": ["entity-create"]
- }
- ],
 "persona-domain-product-update": [
 {
 "policyResourceCategory": "ENTITY",
From 0578ffed4bb30a5d1fa759c882c41055655b3f9e Mon Sep 17 00:00:00 2001
From: Nikhil P Bonte
Date: Thu, 30 Nov 2023 23:45:04 +0530
Subject: [PATCH 7/8] Fix alias for Product and Sub-domain read
---
 .../repository/store/aliasstore/ESAliasStore.java | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/repository/src/main/java/org/apache/atlas/repository/store/aliasstore/ESAliasStore.java b/repository/src/main/java/org/apache/atlas/repository/store/aliasstore/ESAliasStore.java
index 6e51565431..afcc273fbe 100644
--- a/repository/src/main/java/org/apache/atlas/repository/store/aliasstore/ESAliasStore.java
+++ b/repository/src/main/java/org/apache/atlas/repository/store/aliasstore/ESAliasStore.java
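Review bot: Moving the relationship policy under `persona-domain-product-create` grants a persona that holds only product-create the `update-relationship` and `remove-relationship` actions as well, on every product covered by the policy's `end-two-entity:{entity}/*` resource (that line lies just outside this hunk), not only on products it creates. If create is meant to cover linking a new product to its parent, the moved block's action list should be narrowed to `"actions": ["add-relationship"]` with update/remove left to the update and delete personas; if the wider grant is intended, it deserves a word in the new `description` so a reader does not assume create-only. The second hunk of this commit is the pure deletion of the old product-create block and needs nothing.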
@@ -214,13 +214,19 @@ private void personaPolicyToESDslClauses(List policies,
 } else if (getPolicyActions(policy).contains(ACCESS_READ_PERSONA_SUB_DOMAIN)) {
 for (String asset : assets) {
 //terms.add(asset);
- allowClauseList.add(mapOf("wildcard", mapOf(QUALIFIED_NAME, asset + "/domain/*")));
+ List> mustMap = new ArrayList<>();
+ mustMap.add(mapOf("wildcard", mapOf(QUALIFIED_NAME, asset + "/domain/*")));
+ mustMap.add(mapOf("term", mapOf("__typeName", "DataDomain")));
+ allowClauseList.add(mapOf("bool", mapOf("must", mustMap)));
 }
 
 } else if (getPolicyActions(policy).contains(ACCESS_READ_PERSONA_PRODUCT)) {
 for (String asset : assets) {
 //terms.add(asset);
- allowClauseList.add(mapOf("wildcard", mapOf(QUALIFIED_NAME, asset + "/*/product/*")));
+ List> mustMap = new ArrayList<>();
+ mustMap.add(mapOf("wildcard", mapOf(QUALIFIED_NAME, asset + "/*/product/*")));
+ mustMap.add(mapOf("term", mapOf("__typeName", "DataProduct")));
+ allowClauseList.add(mapOf("bool", mapOf("must", mustMap)));
 }
 }
 }
From 551b8fc973bf9c4b9e776d769307943601fa366d Mon Sep 17 00:00:00 2001
From: Nikhil P Bonte
Date: Fri, 1 Dec 2023 00:08:44 +0530
Subject: [PATCH 8/8] Fix alias for Product and Sub-domain read
---
 .../atlas/repository/store/aliasstore/ESAliasStore.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/repository/src/main/java/org/apache/atlas/repository/store/aliasstore/ESAliasStore.java b/repository/src/main/java/org/apache/atlas/repository/store/aliasstore/ESAliasStore.java
index afcc273fbe..d551aeb227 100644
--- a/repository/src/main/java/org/apache/atlas/repository/store/aliasstore/ESAliasStore.java
+++ b/repository/src/main/java/org/apache/atlas/repository/store/aliasstore/ESAliasStore.java
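Review bot: The four lines that build the typed wildcard clause are duplicated verbatim between the SUB_DOMAIN and PRODUCT branches, differing only in the qualifiedName suffix and the type name, and the list holding them is named `mustMap` although it is a `List` (the generic arguments have been lost in this rendering; presumably `List<Map<String, Object>>`). Extracting one helper removes the duplication, gives the list a truthful name, and leaves a single place to adjust the type-name field later. The excerpt below assumes `mapOf` is callable from an instance method of this class and returns the same map type that `allowClauseList` holds; it also drops the two commented-out `//terms.add(asset);` lines. personaPolicyToESDslClauses starts before the hunk.
```java
} else if (getPolicyActions(policy).contains(ACCESS_READ_PERSONA_SUB_DOMAIN)) {
    for (String asset : assets) {
        allowClauseList.add(typedWildcardClause(asset + "/domain/*", "DataDomain"));
    }

} else if (getPolicyActions(policy).contains(ACCESS_READ_PERSONA_PRODUCT)) {
    for (String asset : assets) {
        allowClauseList.add(typedWildcardClause(asset + "/*/product/*", "DataProduct"));
    }
}
// … unchanged: remainder of personaPolicyToESDslClauses …

/**
 * Builds a bool/must clause that matches qualifiedName against {@code qualifiedNamePattern}
 * and restricts the hit to entities whose type is {@code typeName}.
 */
private Map<String, Object> typedWildcardClause(String qualifiedNamePattern, String typeName) {
    List<Map<String, Object>> mustClauses = new ArrayList<>();
    mustClauses.add(mapOf("wildcard", mapOf(QUALIFIED_NAME, qualifiedNamePattern)));
    mustClauses.add(mapOf("term", mapOf("__typeName", typeName)));
    return mapOf("bool", mapOf("must", mustClauses));
}
```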
@@ -216,7 +216,7 @@ private void personaPolicyToESDslClauses(List policies,
 //terms.add(asset);
 List> mustMap = new ArrayList<>();
 mustMap.add(mapOf("wildcard", mapOf(QUALIFIED_NAME, asset + "/domain/*")));
- mustMap.add(mapOf("term", mapOf("__typeName", "DataDomain")));
+ mustMap.add(mapOf("term", mapOf("__typeName.keyword", "DataDomain")));
 allowClauseList.add(mapOf("bool", mapOf("must", mustMap)));
 }
 
@@ -225,7 +225,7 @@ private void personaPolicyToESDslClauses(List policies,
 //terms.add(asset);
 List> mustMap = new ArrayList<>();
 mustMap.add(mapOf("wildcard", mapOf(QUALIFIED_NAME, asset + "/*/product/*")));
- mustMap.add(mapOf("term", mapOf("__typeName", "DataProduct")));
+ mustMap.add(mapOf("term", mapOf("__typeName.keyword", "DataProduct")));
 allowClauseList.add(mapOf("bool", mapOf("must", mustMap)));
 }
 }
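Review bot: Pointing the term query at `__typeName.keyword` only works if the index mapping declares `__typeName` as a text field with a `keyword` multi-field; if it is mapped as `keyword` directly, the term on the sub-field matches no document, the bool/must clause yields nothing and the persona silently sees no sub-domains or products (it fails closed, which is the safe direction, but it is an invisible breakage). That is worth pinning with a test against the real mapping rather than trusting the field name, and the literal, which now appears in both hunks, should be hoisted into a constant beside `QUALIFIED_NAME`, e.g. `private static final String TYPE_NAME_KEYWORD = "__typeName.keyword";`. The DOMAIN branch above these hunks (outside them) still adds an untyped `asset + "/*"` wildcard; if it is intended to cover sub-domains and products as well, a one-line comment there would save the next reader from re-deriving that.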