feat(permissions) Add platform privilege for editing global home page

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/authorization/AuthorizationUtils.java

@@ -366,6 +366,11 @@ public static boolean canManageFeatures(@Nonnull QueryContext context) {
         context.getOperationContext(), PoliciesConfig.MANAGE_FEATURES_PRIVILEGE);
   }
 
+  public static boolean canManageHomePageTemplates(@Nonnull QueryContext context) {
+    return AuthUtil.isAuthorized(
+        context.getOperationContext(), PoliciesConfig.MANAGE_HOME_PAGE_TEMPLATES_PRIVILEGE);
+  }
+
   public static boolean isAuthorized(
       @Nonnull QueryContext context,
       @Nonnull String resourceType,

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/module/UpsertPageModuleResolver.java

@@ -6,7 +6,9 @@
 import com.linkedin.common.urn.Urn;
 import com.linkedin.common.urn.UrnUtils;
 import com.linkedin.datahub.graphql.QueryContext;
+import com.linkedin.datahub.graphql.authorization.AuthorizationUtils;
 import com.linkedin.datahub.graphql.concurrency.GraphQLConcurrencyUtils;
+import com.linkedin.datahub.graphql.exception.AuthorizationException;
 import com.linkedin.datahub.graphql.generated.DataHubPageModule;
 import com.linkedin.datahub.graphql.generated.DataHubPageModuleType;
 import com.linkedin.datahub.graphql.generated.PageModuleScope;
@@ -43,7 +45,10 @@ public CompletableFuture<DataHubPageModule> get(DataFetchingEnvironment environm
     PageModuleScope scope = input.getScope();
     com.linkedin.datahub.graphql.generated.PageModuleParamsInput paramsInput = input.getParams();
 
-    // TODO: check permissions if the scope is GLOBAL
+    if (input.getScope().equals(PageModuleScope.GLOBAL)
+        && !AuthorizationUtils.canManageHomePageTemplates(context)) {
+      throw new AuthorizationException("User does not have permission to update global modules.");
+    }
 
     return GraphQLConcurrencyUtils.supplyAsync(
         () -> {

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/template/UpsertPageTemplateResolver.java

@@ -6,7 +6,9 @@
 import com.linkedin.common.urn.Urn;
 import com.linkedin.common.urn.UrnUtils;
 import com.linkedin.datahub.graphql.QueryContext;
+import com.linkedin.datahub.graphql.authorization.AuthorizationUtils;
 import com.linkedin.datahub.graphql.concurrency.GraphQLConcurrencyUtils;
+import com.linkedin.datahub.graphql.exception.AuthorizationException;
 import com.linkedin.datahub.graphql.generated.DataHubPageTemplate;
 import com.linkedin.datahub.graphql.generated.PageTemplateRowInput;
 import com.linkedin.datahub.graphql.generated.PageTemplateScope;
@@ -44,7 +46,10 @@ public CompletableFuture<DataHubPageTemplate> get(DataFetchingEnvironment enviro
     PageTemplateScope scope = input.getScope();
     PageTemplateSurfaceType surfaceType = input.getSurfaceType();
 
-    // TODO: check permissions if the scope is GLOBAL
+    if (input.getScope().equals(PageTemplateScope.GLOBAL)
+        && !AuthorizationUtils.canManageHomePageTemplates(context)) {
+      throw new AuthorizationException("User does not have permission to update global templates.");
+    }
 
     return GraphQLConcurrencyUtils.supplyAsync(
         () -> {

datahub-graphql-core/src/test/java/com/linkedin/datahub/graphql/resolvers/module/UpsertPageModuleResolverTest.java

@@ -1,6 +1,7 @@
 package com.linkedin.datahub.graphql.resolvers.module;
 
 import static com.linkedin.datahub.graphql.TestUtils.getMockAllowContext;
+import static com.linkedin.datahub.graphql.TestUtils.getMockDenyContext;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.mock;
@@ -15,6 +16,7 @@
 import com.linkedin.common.urn.Urn;
 import com.linkedin.common.urn.UrnUtils;
 import com.linkedin.datahub.graphql.QueryContext;
+import com.linkedin.datahub.graphql.exception.AuthorizationException;
 import com.linkedin.datahub.graphql.generated.DataHubPageModule;
 import com.linkedin.datahub.graphql.generated.DataHubPageModuleType;
 import com.linkedin.datahub.graphql.generated.LinkModuleParamsInput;
@@ -159,6 +161,64 @@ public void testUpsertPageModuleWithLinkParams() throws Exception {
     verify(mockService, times(1)).getPageModuleEntityResponse(any(), eq(moduleUrn));
   }
 
+  @Test
+  public void testUpsertGlobalPageModuleSuccessWithPermission() throws Exception {
+    // Arrange
+    UpsertPageModuleInput input = new UpsertPageModuleInput();
+    input.setName(TEST_MODULE_NAME);
+    input.setType(DataHubPageModuleType.RICH_TEXT);
+    input.setScope(PageModuleScope.GLOBAL);
+
+    RichTextModuleParamsInput richTextParams = new RichTextModuleParamsInput();
+    richTextParams.setContent(TEST_RICH_TEXT_CONTENT);
+    PageModuleParamsInput paramsInput = new PageModuleParamsInput();
+    paramsInput.setRichTextParams(richTextParams);
+    input.setParams(paramsInput);
+
+    Urn moduleUrn = UrnUtils.getUrn(TEST_MODULE_URN);
+    EntityResponse mockResponse = createMockEntityResponse(moduleUrn);
+
+    when(mockEnvironment.getArgument("input")).thenReturn(input);
+    when(mockEnvironment.getContext()).thenReturn(mockQueryContext);
+    when(mockService.upsertPageModule(any(), eq(null), any(), any(), any(), any()))
+        .thenReturn(moduleUrn);
+    when(mockService.getPageModuleEntityResponse(any(), eq(moduleUrn))).thenReturn(mockResponse);
+
+    // Act
+    CompletableFuture<DataHubPageModule> future = resolver.get(mockEnvironment);
+    DataHubPageModule result = future.get();
+
+    // Assert
+    assertNotNull(result);
+    assertEquals(result.getUrn(), TEST_MODULE_URN);
+    assertEquals(result.getType().toString(), "DATAHUB_PAGE_MODULE");
+    verify(mockService, times(1)).upsertPageModule(any(), eq(null), any(), any(), any(), any());
+    verify(mockService, times(1)).getPageModuleEntityResponse(any(), eq(moduleUrn));
+  }
+
+  @Test
+  public void testUpsertGlobalPageModuleFailureWithoutPermission() throws Exception {
+    // Arrange
+    UpsertPageModuleInput input = new UpsertPageModuleInput();
+    input.setName(TEST_MODULE_NAME);
+    input.setType(DataHubPageModuleType.RICH_TEXT);
+    input.setScope(PageModuleScope.GLOBAL);
+
+    RichTextModuleParamsInput richTextParams = new RichTextModuleParamsInput();
+    richTextParams.setContent(TEST_RICH_TEXT_CONTENT);
+    PageModuleParamsInput paramsInput = new PageModuleParamsInput();
+    paramsInput.setRichTextParams(richTextParams);
+    input.setParams(paramsInput);
+
+    QueryContext mockDenyContext = getMockDenyContext();
+
+    when(mockEnvironment.getArgument("input")).thenReturn(input);
+    when(mockEnvironment.getContext()).thenReturn(mockDenyContext);
+
+    // Act & Assert
+    assertThrows(AuthorizationException.class, () -> resolver.get(mockEnvironment).get());
+  }
+
   @Test
   public void testUpsertPageModuleValidationFailureRichTextWithoutParams() throws Exception {
     // Arrange

datahub-graphql-core/src/test/java/com/linkedin/datahub/graphql/resolvers/template/UpsertPageTemplateResolverTest.java

@@ -1,6 +1,7 @@
 package com.linkedin.datahub.graphql.resolvers.template;
 
 import static com.linkedin.datahub.graphql.TestUtils.getMockAllowContext;
+import static com.linkedin.datahub.graphql.TestUtils.getMockDenyContext;
 import static org.mockito.ArgumentMatchers.*;
 import static org.mockito.Mockito.*;
 import static org.testng.Assert.*;
@@ -9,6 +10,7 @@
 import com.linkedin.common.urn.Urn;
 import com.linkedin.common.urn.UrnUtils;
 import com.linkedin.datahub.graphql.QueryContext;
+import com.linkedin.datahub.graphql.exception.AuthorizationException;
 import com.linkedin.datahub.graphql.generated.PageTemplateRowInput;
 import com.linkedin.datahub.graphql.generated.PageTemplateScope;
 import com.linkedin.datahub.graphql.generated.PageTemplateSurfaceType;
@@ -139,6 +141,131 @@ public void testGetSuccessWithGeneratedUrn() throws Exception {
     verify(mockService, times(1)).getPageTemplateEntityResponse(any(), eq(urn));
   }
 
+  @Test
+  public void testCreateGlobalTemplateSuccessWithPermission() throws Exception {
+    PageTemplateService mockService = mock(PageTemplateService.class);
+    UpsertPageTemplateResolver resolver = new UpsertPageTemplateResolver(mockService);
+
+    QueryContext mockContext = getMockAllowContext();
+    DataFetchingEnvironment mockEnv = mock(DataFetchingEnvironment.class);
+    UpsertPageTemplateInput input = new UpsertPageTemplateInput();
+    input.setUrn(null);
+    input.setRows(createTestRowInputs());
+    input.setScope(PageTemplateScope.GLOBAL);
+    input.setSurfaceType(PageTemplateSurfaceType.HOME_PAGE);
+
+    Urn urn = UrnUtils.getUrn(TEST_TEMPLATE_URN);
+    when(mockService.upsertPageTemplate(any(), eq(null), any(), any(), any())).thenReturn(urn);
+
+    // Mock EntityResponse with a valid aspect map
+    EntityResponse mockResponse = mock(EntityResponse.class);
+    DataHubPageTemplateProperties properties = new DataHubPageTemplateProperties();
+
+    // Set required fields
+    DataHubPageTemplateRowArray rows = new DataHubPageTemplateRowArray();
+    properties.setRows(rows);
+
+    DataHubPageTemplateSurface surface = new DataHubPageTemplateSurface();
+    surface.setSurfaceType(com.linkedin.template.PageTemplateSurfaceType.HOME_PAGE);
+    properties.setSurface(surface);
+
+    DataHubPageTemplateVisibility visibility = new DataHubPageTemplateVisibility();
+    visibility.setScope(com.linkedin.template.PageTemplateScope.GLOBAL);
+    properties.setVisibility(visibility);
+
+    AuditStamp auditStamp = new AuditStamp();
+    auditStamp.setTime(System.currentTimeMillis());
+    auditStamp.setActor(UrnUtils.getUrn("urn:li:corpuser:test"));
+    properties.setCreated(auditStamp);
+    properties.setLastModified(auditStamp);
+
+    EnvelopedAspectMap aspectMap = new EnvelopedAspectMap();
+    EnvelopedAspect aspect = new EnvelopedAspect();
+    aspect.setValue(new com.linkedin.entity.Aspect(properties.data()));
+    aspectMap.put(
+        com.linkedin.metadata.Constants.DATAHUB_PAGE_TEMPLATE_PROPERTIES_ASPECT_NAME, aspect);
+    when(mockResponse.getAspects()).thenReturn(aspectMap);
+    when(mockResponse.getUrn()).thenReturn(urn);
+    when(mockService.getPageTemplateEntityResponse(any(), eq(urn))).thenReturn(mockResponse);
+    when(mockEnv.getArgument(eq("input"))).thenReturn(input);
+    when(mockEnv.getContext()).thenReturn(mockContext);
+    resolver.get(mockEnv).join();
+    verify(mockService, times(1)).upsertPageTemplate(any(), eq(null), any(), any(), any());
+    verify(mockService, times(1)).getPageTemplateEntityResponse(any(), eq(urn));
+  }
+
+  @Test
+  public void testCreateGlobalTemplateFailureWithoutPermission() throws Exception {
+    PageTemplateService mockService = mock(PageTemplateService.class);
+    UpsertPageTemplateResolver resolver = new UpsertPageTemplateResolver(mockService);
+
+    QueryContext mockContext = getMockDenyContext();
+    DataFetchingEnvironment mockEnv = mock(DataFetchingEnvironment.class);
+    UpsertPageTemplateInput input = new UpsertPageTemplateInput();
+    input.setUrn(null);
+    input.setRows(createTestRowInputs());
+    input.setScope(PageTemplateScope.GLOBAL);
+    input.setSurfaceType(PageTemplateSurfaceType.HOME_PAGE);
+
+    when(mockEnv.getArgument(eq("input"))).thenReturn(input);
+    when(mockEnv.getContext()).thenReturn(mockContext);
+
+    assertThrows(AuthorizationException.class, () -> resolver.get(mockEnv).join());
+  }
+
+  @Test
+  public void testCreatePersonalTemplateSuccessWithoutPermission() throws Exception {
+    PageTemplateService mockService = mock(PageTemplateService.class);
+    UpsertPageTemplateResolver resolver = new UpsertPageTemplateResolver(mockService);
+
+    QueryContext mockContext = getMockDenyContext();
+    DataFetchingEnvironment mockEnv = mock(DataFetchingEnvironment.class);
+    UpsertPageTemplateInput input = new UpsertPageTemplateInput();
+    input.setUrn(null);
+    input.setRows(createTestRowInputs());
+    input.setScope(PageTemplateScope.PERSONAL);
+    input.setSurfaceType(PageTemplateSurfaceType.HOME_PAGE);
+
+    Urn urn = UrnUtils.getUrn(TEST_TEMPLATE_URN);
+    when(mockService.upsertPageTemplate(any(), eq(null), any(), any(), any())).thenReturn(urn);
+
+    // Mock EntityResponse with a valid aspect map
+    EntityResponse mockResponse = mock(EntityResponse.class);
+    DataHubPageTemplateProperties properties = new DataHubPageTemplateProperties();
+
+    // Set required fields
+    DataHubPageTemplateRowArray rows = new DataHubPageTemplateRowArray();
+    properties.setRows(rows);
+
+    DataHubPageTemplateSurface surface = new DataHubPageTemplateSurface();
+    surface.setSurfaceType(com.linkedin.template.PageTemplateSurfaceType.HOME_PAGE);
+    properties.setSurface(surface);
+
+    DataHubPageTemplateVisibility visibility = new DataHubPageTemplateVisibility();
+    visibility.setScope(com.linkedin.template.PageTemplateScope.PERSONAL);
+    properties.setVisibility(visibility);
+
+    AuditStamp auditStamp = new AuditStamp();
+    auditStamp.setTime(System.currentTimeMillis());
+    auditStamp.setActor(UrnUtils.getUrn("urn:li:corpuser:test"));
+    properties.setCreated(auditStamp);
+    properties.setLastModified(auditStamp);
+
+    EnvelopedAspectMap aspectMap = new EnvelopedAspectMap();
+    EnvelopedAspect aspect = new EnvelopedAspect();
+    aspect.setValue(new com.linkedin.entity.Aspect(properties.data()));
+    aspectMap.put(
+        com.linkedin.metadata.Constants.DATAHUB_PAGE_TEMPLATE_PROPERTIES_ASPECT_NAME, aspect);
+    when(mockResponse.getAspects()).thenReturn(aspectMap);
+    when(mockResponse.getUrn()).thenReturn(urn);
+    when(mockService.getPageTemplateEntityResponse(any(), eq(urn))).thenReturn(mockResponse);
+    when(mockEnv.getArgument(eq("input"))).thenReturn(input);
+    when(mockEnv.getContext()).thenReturn(mockContext);
+    resolver.get(mockEnv).join();
+    verify(mockService, times(1)).upsertPageTemplate(any(), eq(null), any(), any(), any());
+    verify(mockService, times(1)).getPageTemplateEntityResponse(any(), eq(urn));
+  }
+
   @Test
   public void testGetThrowsException() throws Exception {
     PageTemplateService mockService = mock(PageTemplateService.class);

metadata-service/services/src/main/java/com/linkedin/metadata/service/PageModuleService.java

@@ -1,11 +1,13 @@
 package com.linkedin.metadata.service;
 
+import com.datahub.authorization.AuthUtil;
 import com.linkedin.common.AuditStamp;
 import com.linkedin.common.urn.Urn;
 import com.linkedin.common.urn.UrnUtils;
 import com.linkedin.entity.EntityResponse;
 import com.linkedin.entity.client.EntityClient;
 import com.linkedin.metadata.Constants;
+import com.linkedin.metadata.authorization.PoliciesConfig;
 import com.linkedin.metadata.entity.AspectUtils;
 import com.linkedin.metadata.key.DataHubPageModuleKey;
 import com.linkedin.metadata.utils.EntityKeyUtils;
@@ -195,6 +197,11 @@ public void checkDeleteModulePermissions(
               "Attempted to delete a page module that does not exist with urn %s", moduleUrn));
     }
 
+    if (properties.getVisibility().getScope().equals(PageModuleScope.GLOBAL)
+        && AuthUtil.isAuthorized(opContext, PoliciesConfig.MANAGE_HOME_PAGE_TEMPLATES_PRIVILEGE)) {
+      throw new UnauthorizedException("User is unauthorized to delete global modules.");
+    }
+
     if (properties.getVisibility().getScope().equals(PageModuleScope.PERSONAL)
         && !properties.getCreated().getActor().equals(opContext.getActorContext().getActorUrn())) {
       throw new UnauthorizedException(