Confusion about the parent-child relationship for user.data.root group
I am very confused about the parent-child relationship for the user.data.root group. According to the documentation (https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/blob/master/docs/bootstrap/bootstrap-groups-structure.md), the user.data.root group is described as "A group will be automatically added to all data groups so that the member of it has the permission to all data on the partition". This means the user.data.root group is a member of all other data groups. In the OSDU implementation of the parent-child relationship of roles, the "member" should be the "child" and the target group should be the "parent". The Add Member API works exactly in this way. A "child" aggregates all rights of its parents. So in theory, the user.data.root group should be a "child" of all other data groups. In this way, the user.data.root group will have all the rights of all other data groups.
But the implementation of the parent-child relationship for the user.data.root group is in the reversed order, i.e. the user.data.root group is the parent of all other data groups. I think this implementation is wrong. It is not consistent with the documentation, and the user.data.root group cannot aggregate the rights of the other data groups.
The wrong code logic is in the addRootGroupNodeAsMemberOfGroupNewGroup method of org.opengroup.osdu.entitlements.v2.jdbc.spi.jdbc.creategroup.CreateGroupRepoJdbc. The name of this method indicates it will add the root group as a member of a new data group, but its code shows it adds the root group as a parent of the new data group.
```java
private void addRootGroupNodeAsMemberOfGroupNewGroup(GroupInfoEntity createdGroup, CreateGroupRepoDto createGroupRepoDto) {
    GroupInfoEntity parentGroup = groupRepository
            .findByEmail(createGroupRepoDto.getDataRootGroupNode().getNodeId())
            .stream()
            .findFirst()
            .orElseThrow(() ->
                    new DatabaseAccessException(
                            HttpStatus.NOT_FOUND,
                            "Could not find the group with email: " +
                                    createGroupRepoDto.getDataRootGroupNode().getNodeId()));
    groupRepository.addChildGroupById(parentGroup.getId(), createdGroup.getId());
}
```
How could the root group aggregate the rights of all other data groups if it is the parent of the other data groups?
Besides entitlement-v2-jdbc, entitlement-v2-AWS also implements the same wrong logic. I have not checked the code of the other providers, so I am not sure whether they implement the logic correctly.
There is further evidence that the logic of adding the user.data.root group as a parent is wrong. The run method in the org.opengroup.osdu.entitlements.v2.service.CreateGroupService class has this logic (see the code below).
- When you are adding a new data group, it checks the existing parents of the user.data.root group. If the number of parents of the user.data.root group is larger than the quota, it throws an exception. This implicitly indicates the user.data.root group should be a child, not a parent. If the user.data.root group were the parent of every other data group, there would be no need for this parent-count check in this method.
```java
Set<ParentReference> allExistingParentsOfRootDataGroup = retrieveGroupRepo.loadAllParents(dataRootGroupNode).getParentReferences();
if (allExistingParentsOfRootDataGroup.size() >= dataRootGroupQuota) {
    log.error(String.format("Identity %s already belong to %d groups", dataRootGroupNode.getNodeId(), allExistingParentsOfRootDataGroup.size()));
    throw new AppException(HttpStatus.PRECONDITION_FAILED.value(), HttpStatus.PRECONDITION_FAILED.getReasonPhrase(), String.format("%s's group quota hit. Identity can't belong to more than %d groups",
            dataRootGroupNode.getNodeId(), dataRootGroupQuota));
}
```
Maybe I have a wrong understanding; I hope someone can give me some clarification. Thanks.
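To make the two readings of the edge direction concrete, here is an added toy model of the group graph (example code written for this discussion, not the OSDU entitlements service code). It follows the post's description of the Add Member API: adding a member to a group makes the group a parent of the member, and a child aggregates the rights of everything above it. Group e-mails, the partition domain and the granted rights are constructed sample values; `build(root_as_child=True)` wires the root group the way the bootstrap documentation describes, `build(root_as_child=False)` wires it the way the quoted JDBC method does, and `quota_check` mirrors the parent-count comparison quoted from CreateGroupService.

```python
"""Toy model of an entitlements parent/child group graph.

Constructed illustration for the discussion above; not the OSDU code.
Edge direction: add_member(group, member) makes `group` a parent of
`member`, and a member (child) inherits the rights of all its ancestors.
"""
from collections import defaultdict


class GroupGraph:
    def __init__(self):
        self.parents = defaultdict(set)  # child email -> set of parent emails
        self.rights = defaultdict(set)   # group email -> rights it grants directly

    def create_group(self, email, grants=()):
        self.rights[email] |= set(grants)
        self.parents.setdefault(email, set())

    def add_member(self, group, member):
        """Add Member API semantics as described in the post: `member` becomes a child of `group`."""
        self.parents[member].add(group)

    def load_all_parents(self, email):
        """Transitive ancestors of a group, i.e. every group it 'belongs to'."""
        seen, stack = set(), [email]
        while stack:
            node = stack.pop()
            for parent in self.parents[node]:
                if parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
        return seen

    def effective_rights(self, email):
        """Own rights plus the rights of every ancestor (the aggregation a child gets)."""
        out = set(self.rights[email])
        for parent in self.load_all_parents(email):
            out |= self.rights[parent]
        return out


# Constructed sample partition: three data groups and the root data group.
PARTITION = "partition.example"
ROOT = f"user.data.root@{PARTITION}"
DATA_GROUPS = {
    f"data.default.viewers@{PARTITION}": {"read:default"},
    f"data.default.owners@{PARTITION}": {"read:default", "write:default"},
    f"data.welldb.viewers@{PARTITION}": {"read:welldb"},
}


def build(root_as_child):
    """Wire the root group either as a child of every data group (documented
    behaviour) or as a parent of every data group (what the quoted JDBC code does)."""
    g = GroupGraph()
    g.create_group(ROOT)
    for email, grants in DATA_GROUPS.items():
        g.create_group(email, grants)
        if root_as_child:
            g.add_member(group=email, member=ROOT)
        else:
            g.add_member(group=ROOT, member=email)
    return g


def root_rights(root_as_child):
    """Rights the root group ends up with under the chosen wiring."""
    return build(root_as_child).effective_rights(ROOT)


def root_parent_count(root_as_child):
    """Size of loadAllParents(root): the number the quoted quota check compares."""
    return len(build(root_as_child).load_all_parents(ROOT))


def quota_check(root_as_child, quota):
    """True when the quoted CreateGroupService check would reject a new data group."""
    return root_parent_count(root_as_child) >= quota


if __name__ == "__main__":
    print("root as child :", sorted(root_rights(True)), root_parent_count(True))
    print("root as parent:", sorted(root_rights(False)), root_parent_count(False))
```

With the root group as a child, `root_rights(True)` holds every right granted on the partition and the parent count grows by one per data group, which is exactly the quantity the quota check bounds. With the root group as a parent, its parent set stays empty, so it aggregates nothing and the quota check could never trigger.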