From 2ce5c011e20a23dc055b8169dec15db420a77177 Mon Sep 17 00:00:00 2001
From: Nikhil P Bonte
Date: Wed, 16 Aug 2023 17:09:38 +0530
Subject: [PATCH 1/2] GOV-1245 Suppress read AuthPolicy access logs
---
 .../graph/v2/preprocessor/sql/QueryCollectionPreProcessor.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/sql/QueryCollectionPreProcessor.java b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/sql/QueryCollectionPreProcessor.java
index 8a4f1fe696..62f0c118cd 100644
--- a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/sql/QueryCollectionPreProcessor.java
+++ b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/sql/QueryCollectionPreProcessor.java
@@ -303,6 +303,7 @@ private List getCollectionPolicies(String guid) throws AtlasB
 dsl.put("query", mapOf("bool", mapOf("must", mustClauseList)));
 indexSearchParams.setDsl(dsl);
+ indexSearchParams.setSuppressLogs(true);
 AtlasSearchResult result = discovery.directIndexSearch(indexSearchParams);
 if (result != null) {
From e92ade9ee33c6f18109c516a56fcba2d9b136f5c Mon Sep 17 00:00:00 2001
From: Nikhil P Bonte
Date: Wed, 16 Aug 2023 18:19:30 +0530
Subject: [PATCH 2/2] GOV-1245 Address review comments
---
 .../v2/preprocessor/AuthPolicyPreProcessor.java | 8 ++++----
 .../sql/QueryCollectionPreProcessor.java | 17 +++++++++++------
 .../java/org/apache/atlas/RequestContext.java | 9 +++++++++
 3 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/AuthPolicyPreProcessor.java b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/AuthPolicyPreProcessor.java
index a79f4a7be7..4574363b78 100644
--- a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/AuthPolicyPreProcessor.java
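Review bot: `indexSearchParams.setSuppressLogs(true)` switches off the access log for this lookup of AuthPolicy entities without saying why, and that log is the only trace that such a read happened. The call sits inside `getCollectionPolicies`, whose body begins before and ends after this hunk. Because the lookup is made on behalf of a collection delete rather than a user browsing policies, a one-line rationale stops the next reader from removing the suppression or copying it into a user-facing path: `// internal lookup of the collection's own policies during delete, not a user read; skip the access-log entry (GOV-1245)`. It is also worth confirming that `setSuppressLogs` affects only logging and does not short-circuit authorization on the search — that cannot be told from this hunk.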
+++ b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/AuthPolicyPreProcessor.java
@@ -245,13 +245,13 @@ public void processDelete(AtlasVertex vertex) throws AtlasBaseException {
 }
 private void authorizeDeleteAuthPolicy(AtlasEntity policy) throws AtlasBaseException {
- if (getPolicyCategory(policy).equals(POLICY_CATEGORY_BOOTSTRAP) && getPolicySubCategory(policy).equals(POLICY_SUB_CATEGORY_COLLECTION)) {
- //skip auth check for collection bootstrap policies
- //refer - https://linear.app/atlanproduct/issue/GOV-1245/collection-delete-is-failing-for-member-as-they-dont-have-authpolicy
- } else {
+ if (!RequestContext.get().isSkipAuthPolicyDeleteAuthCheck()) {
 AtlasEntityAccessRequest request = new AtlasEntityAccessRequest(typeRegistry, AtlasPrivilege.ENTITY_DELETE, new AtlasEntityHeader(policy));
 verifyAccess(request, "delete entity: guid=" + policy.getGuid());
 }
+ /* else,
+ * skip auth check
+ * */
 }
 private void validateConnectionAdmin(AtlasEntity policy) throws AtlasBaseException {
diff --git a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/sql/QueryCollectionPreProcessor.java b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/sql/QueryCollectionPreProcessor.java
index 62f0c118cd..4b7496611f 100644
--- a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/sql/QueryCollectionPreProcessor.java
+++ b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/sql/QueryCollectionPreProcessor.java
@@ -30,6 +30,7 @@
 import org.apache.atlas.model.instance.AtlasStruct;
 import org.apache.atlas.model.instance.EntityMutationResponse;
 import org.apache.atlas.model.instance.EntityMutations;
+import org.apache.atlas.repository.graph.GraphHelper;
 import org.apache.atlas.repository.graphdb.AtlasVertex;
 import org.apache.atlas.repository.store.graph.AtlasEntityStore;
 import org.apache.atlas.repository.store.graph.v2.AtlasEntityStream;
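Review bot: The new `if` in `authorizeDeleteAuthPolicy` skips the ENTITY_DELETE check on any AuthPolicy whenever the request-scoped flag is set, whereas the removed branch skipped it only for policies whose category is bootstrap and sub-category is collection; that attribute check was what bounded the bypass to the collection's own policies, and without it every policy that reaches this preprocessor under the flag is deleted unchecked. Keep both conditions: `if (!(RequestContext.get().isSkipAuthPolicyDeleteAuthCheck() && POLICY_CATEGORY_BOOTSTRAP.equals(getPolicyCategory(policy)) && POLICY_SUB_CATEGORY_COLLECTION.equals(getPolicySubCategory(policy)))) {` — constant-first `equals` also removes the NPE the old code had when a category attribute is null. The trailing `/* else, skip auth check */` block restates the `if`; replace it with the reason the removed lines carried, e.g. `// bypass is set only by QueryCollectionPreProcessor.processDelete for the collection's own bootstrap policies (GOV-1245)`.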
@@ -170,26 +171,30 @@ public void processDelete(AtlasVertex vertex) throws AtlasBaseException {
 AtlasPerfMetrics.MetricRecorder metricRecorder = RequestContext.get().startMetricRecord("processDeleteCollection");
 try {
- AtlasEntityHeader collection = entityRetriever.toAtlasEntityHeader(vertex);
+ AtlasEntity.Status collectionStatus = GraphHelper.getStatus(vertex);
- if (!AtlasEntity.Status.ACTIVE.equals(collection.getStatus())) {
+ if (!AtlasEntity.Status.ACTIVE.equals(collectionStatus)) {
 throw new AtlasBaseException("Collection is already deleted/purged");
 }
 if (ATLAS_AUTHORIZER_IMPL.equalsIgnoreCase(CURRENT_AUTHORIZER_IMPL)) {
+ String collectionGuid = GraphHelper.getGuid(vertex);
+ //delete collection policies
- List policies = getCollectionPolicies(collection.getGuid());
- EntityMutationResponse response = entityStore.deleteByIds(policies.stream().map(x -> x.getGuid()).collect(Collectors.toList()));
+ List policies = getCollectionPolicies(collectionGuid);
+ RequestContext.get().setSkipAuthPolicyDeleteAuthCheck(true);
+ entityStore.deleteByIds(policies.stream().map(x -> x.getGuid()).collect(Collectors.toList()));
 //delete collection roles
- String adminRoleName = String.format(COLL_ADMIN_ROLE_PATTERN, collection.getGuid());
- String viewerRoleName = String.format(COLL_VIEWER_ROLE_PATTERN, collection.getGuid());
+ String adminRoleName = String.format(COLL_ADMIN_ROLE_PATTERN, collectionGuid);
+ String viewerRoleName = String.format(COLL_VIEWER_ROLE_PATTERN, collectionGuid);
 keycloakStore.removeRoleByName(adminRoleName);
 keycloakStore.removeRoleByName(viewerRoleName);
 }
 } finally {
 RequestContext.get().endMetricRecord(metricRecorder);
+ RequestContext.get().setSkipAuthPolicyDeleteAuthCheck(false);
 }
 }
diff --git a/server-api/src/main/java/org/apache/atlas/RequestContext.java b/server-api/src/main/java/org/apache/atlas/RequestContext.java
index ef6df62b28..bdf9dfa3df 100644
--- a/server-api/src/main/java/org/apache/atlas/RequestContext.java
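Review bot: `setSkipAuthPolicyDeleteAuthCheck(true)` is armed before `deleteByIds` but only cleared in the method's outer `finally`, so the authorization bypass stays live through the Keycloak role removals and anything else that runs in between; scope it to the one call that needs it with its own try/finally, after which the reset in the outer `finally` can go. Separately, I cannot see from this hunk where the caller's ENTITY_DELETE right on the collection itself is verified; if that check runs after this preprocessor, an unauthorized delete request would already have removed the collection's policies and roles before being rejected, which is worth confirming against the entity store's ordering.
```java
List policies = getCollectionPolicies(collectionGuid);
// bypass the per-policy ENTITY_DELETE check only for this call: these policies belong to the collection being deleted (GOV-1245)
RequestContext.get().setSkipAuthPolicyDeleteAuthCheck(true);
try {
    entityStore.deleteByIds(policies.stream().map(x -> x.getGuid()).collect(Collectors.toList()));
} finally {
    RequestContext.get().setSkipAuthPolicyDeleteAuthCheck(false);
}
// … unchanged: collection role removal …
```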
+++ b/server-api/src/main/java/org/apache/atlas/RequestContext.java
@@ -94,6 +94,7 @@ public class RequestContext {
 private final Map relationshipEndToVertexIdMap = new HashMap<>();
 private boolean allowDuplicateDisplayName;
 private MetricsRegistry metricsRegistry;
+ private boolean skipAuthPolicyDeleteAuthCheck = false;
 private RequestContext() {
 }
@@ -419,6 +420,14 @@ public void setPoliciesBootstrappingInProgress(boolean policiesBootstrappingInPr
 isPoliciesBootstrappingInProgress = policiesBootstrappingInProgress;
 }
+ public boolean isSkipAuthPolicyDeleteAuthCheck() {
+ return skipAuthPolicyDeleteAuthCheck;
+ }
+
+ public void setSkipAuthPolicyDeleteAuthCheck(boolean skipAuthPolicyDeleteAuthCheck) {
+ this.skipAuthPolicyDeleteAuthCheck = skipAuthPolicyDeleteAuthCheck;
+ }
+
 public static long earliestActiveRequestTime() {
 long ret = System.currentTimeMillis();
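Review bot: `setSkipAuthPolicyDeleteAuthCheck` is a request-wide authorization bypass but carries no documentation saying so, and nothing in this patch resets it when the context is recycled: the file's diffstat (`9 +++++++++`) accounts for the field and the two accessors only, so `clear()` is untouched. If `clear()` resets fields rather than dropping the thread-local, add `skipAuthPolicyDeleteAuthCheck = false;` there too, so a caller that sets the flag without a matching reset cannot leave the bypass armed for the next request served by that thread. Give the setter a Javadoc stating that when true AuthPolicyPreProcessor skips the ENTITY_DELETE check on policies, that it must be set only immediately around the internal delete that needs it, and that it must always be cleared in a finally. The `= false` initializer on the field is redundant for a Java boolean and can be dropped.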