Storage record with no ACL owners becomes a ghost record if the OPA service is enabled.
Storage records become inaccessible if OPA is enabled and there is no ACL group associated with the record.
Scenario:
Usually, when we create a record we define the owners and viewers groups, and the members associated with those groups can access the record. However, it is possible to delete the group and even to disassociate ACL groups from the storage record. There is currently no validation requiring at least one ACL group on a record. Eventually the record becomes a ghost record and nobody can access it.
There was a fix provided to users: users.data.root members can still access the record and add ACLs if needed. It is discussed in this ADR:
osdu/platform/security-and-compliance/entitlements#141
Findings
We have seen that the code works fine and users.data.root members can still access the record if there are no associated ACL members for the record, but if OPA is enabled we cannot access the record even when the member belongs to the users.data.root group.
The code below checks whether OPA is enabled and gets the access rights from the OPA service:
The OPA service returns with no access rights (false). However, if OPA is disabled the flow works, because we have code that returns true if the member belongs to users.data.root.
We have found this not working in the Azure OSDU instance and need to know whether it requires a policy file fix or should be handled in code, to stop records from becoming ghost records when OPA is enabled.
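The two authorization paths from the findings, modelled as an added example (illustrative code, not the OSDU storage service or its OPA policy; the `Record` shape, the `opa_decision` stub and the `has_access_fixed` guard are assumptions):

```python
# Added illustration (not OSDU storage-service code): a minimal model of the
# two authorization paths described above, plus the missing ACL validation and
# one way to keep users.data.root able to reach records whose ACL groups are gone.
from dataclasses import dataclass, field

DATA_ROOT_GROUP = "users.data.root"  # group name as used in the report


@dataclass
class Record:
    record_id: str
    owners: list = field(default_factory=list)   # ACL owner groups
    viewers: list = field(default_factory=list)  # ACL viewer groups


def opa_decision(record, caller_groups):
    """Stand-in for the OPA policy call (assumption: the policy grants access
    only on an ACL group match, so an empty ACL never matches and is denied)."""
    acl = set(record.owners) | set(record.viewers)
    return bool(acl & set(caller_groups))


def has_access(record, caller_groups, opa_enabled):
    """Model of the current flow: with OPA enabled the OPA answer is returned
    as-is; with OPA disabled, users.data.root is honoured before the ACL check."""
    if opa_enabled:
        return opa_decision(record, caller_groups)
    if DATA_ROOT_GROUP in caller_groups:
        return True
    return opa_decision(record, caller_groups)  # in-process ACL comparison


def has_access_fixed(record, caller_groups, opa_enabled):
    """Assumed code-side fix: apply the users.data.root fallback on both paths
    so an ACL-less record stays reachable for recovery (adding ACLs back)."""
    if DATA_ROOT_GROUP in caller_groups:
        return True
    return has_access(record, caller_groups, opa_enabled)


def is_ghost(record):
    """The validation the report says is missing: a record with no ACL group."""
    return not (record.owners or record.viewers)


if __name__ == "__main__":
    ghost = Record("osdu:well:1")  # constructed: every ACL group was removed
    root = [DATA_ROOT_GROUP]
    print(is_ghost(ghost))                                  # True
    print(has_access(ghost, root, opa_enabled=False))       # True
    print(has_access(ghost, root, opa_enabled=True))        # False (the bug)
    print(has_access_fixed(ghost, root, opa_enabled=True))  # True
```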