feat(auditSearch): support backend audit events and search api (#13377)

Author: RyanHolstien

datahub-frontend/app/auth/sso/oidc/OidcCallbackLogic.java

@@ -5,6 +5,7 @@
 import static com.linkedin.metadata.Constants.GROUP_MEMBERSHIP_ASPECT_NAME;
 import static org.pac4j.play.store.PlayCookieSessionStore.*;
 import static play.mvc.Results.internalServerError;
+import static utils.FrontendConstants.SSO_LOGIN;
 
 import auth.CookieConfigs;
 import auth.sso.SsoManager;
@@ -290,7 +291,8 @@ private Result handleOidcCallback(
       log.info("OIDC callback authentication successful for user: {}", userName);
 
       // Successfully logged in - Generate GMS login token
-      final String accessToken = authClient.generateSessionTokenForUser(corpUserUrn.getId());
+      final String accessToken =
+          authClient.generateSessionTokenForUser(corpUserUrn.getId(), SSO_LOGIN);
       return result
           .withSession(createSessionMap(corpUserUrn.toString(), accessToken))
           .withCookies(

datahub-frontend/app/client/AuthServiceClient.java

@@ -1,5 +1,7 @@
 package client;
 
+import static com.linkedin.metadata.Constants.DATAHUB_LOGIN_SOURCE_HEADER_NAME;
+
 import com.datahub.authentication.Authentication;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.node.ObjectNode;
@@ -70,7 +72,7 @@ public AuthServiceClient(
    * an Actor of type USER.
    */
   @Nonnull
-  public String generateSessionTokenForUser(@Nonnull final String userId) {
+  public String generateSessionTokenForUser(@Nonnull final String userId, String loginSource) {
     Objects.requireNonNull(userId, "userId must not be null");
     CloseableHttpResponse response = null;
 
@@ -98,6 +100,8 @@ public String generateSessionTokenForUser(@Nonnull final String userId) {
       // Add authorization header with DataHub frontend system id and secret.
       request.addHeader(Http.HeaderNames.AUTHORIZATION, this.systemAuthentication.getCredentials());
 
+      request.addHeader(DATAHUB_LOGIN_SOURCE_HEADER_NAME, loginSource);
+
       response = httpClient.execute(request);
       final HttpEntity entity = response.getEntity();
       if (response.getStatusLine().getStatusCode() == HttpStatus.SC_OK && entity != null) {

datahub-frontend/app/client/KafkaTrackingProducer.java

@@ -70,7 +70,7 @@ public void send(ProducerRecord<String, String> record) {
     producer.send(record);
   }
 
-  private static KafkaProducer createKafkaProducer(
+  private static KafkaProducer<String, String> createKafkaProducer(
       Config config, KafkaConfiguration kafkaConfiguration) {
     final ProducerConfiguration producerConfiguration = kafkaConfiguration.getProducer();
     final Properties props = new Properties();
@@ -154,7 +154,7 @@ private static KafkaProducer createKafkaProducer(
       }
     }
 
-    return new org.apache.kafka.clients.producer.KafkaProducer<String, String>(props);
+    return new org.apache.kafka.clients.producer.KafkaProducer<>(props);
   }
 
   private static void setConfig(Config config, Properties props, String key, String configKey) {

datahub-frontend/app/controllers/AuthenticationController.java

@@ -3,6 +3,11 @@
 import static auth.AuthUtils.*;
 import static org.pac4j.core.client.IndirectClient.ATTEMPTED_AUTHENTICATION_SUFFIX;
 import static org.pac4j.play.store.PlayCookieSessionStore.*;
+import static utils.FrontendConstants.FALLBACK_LOGIN;
+import static utils.FrontendConstants.GUEST_LOGIN;
+import static utils.FrontendConstants.PASSWORD_LOGIN;
+import static utils.FrontendConstants.PASSWORD_RESET;
+import static utils.FrontendConstants.SIGN_UP_LINK_LOGIN;
 
 import auth.AuthUtils;
 import auth.CookieConfigs;
@@ -117,7 +122,8 @@ public Result authenticate(Http.Request request) {
     if (guestAuthenticationConfigs.isGuestEnabled()
         && guestAuthenticationConfigs.getGuestPath().equals(redirectPath)) {
       final String accessToken =
-          authClient.generateSessionTokenForUser(guestAuthenticationConfigs.getGuestUser());
+          authClient.generateSessionTokenForUser(
+              guestAuthenticationConfigs.getGuestUser(), GUEST_LOGIN);
       redirectPath =
           "/"; // We requested guest login by accessing {guestPath} URL. It is not really a target.
       CorpuserUrn guestUserUrn = new CorpuserUrn(guestAuthenticationConfigs.getGuestUser());
@@ -150,7 +156,8 @@ public Result authenticate(Http.Request request) {
 
     // 3. If no auth enabled, fallback to using default user account & redirect.
     // Generate GMS session token, TODO:
-    final String accessToken = authClient.generateSessionTokenForUser(DEFAULT_ACTOR_URN.getId());
+    final String accessToken =
+        authClient.generateSessionTokenForUser(DEFAULT_ACTOR_URN.getId(), FALLBACK_LOGIN);
     return Results.redirect(redirectPath)
         .withSession(createSessionMap(DEFAULT_ACTOR_URN.toString(), accessToken))
         .withCookies(
@@ -215,7 +222,8 @@ public Result logIn(Http.Request request) {
 
     final Urn actorUrn = new CorpuserUrn(username);
     logger.info("Login successful for user: {}, urn: {}", username, actorUrn);
-    final String accessToken = authClient.generateSessionTokenForUser(actorUrn.getId());
+    final String accessToken =
+        authClient.generateSessionTokenForUser(actorUrn.getId(), PASSWORD_LOGIN);
     return createSession(actorUrn.toString(), accessToken);
   }
 
@@ -279,7 +287,8 @@ public Result signUp(Http.Request request) {
     final String userUrnString = userUrn.toString();
     authClient.signUp(userUrnString, fullName, email, title, password, inviteToken);
     logger.info("Signed up user {} using invite tokens", userUrnString);
-    final String accessToken = authClient.generateSessionTokenForUser(userUrn.getId());
+    final String accessToken =
+        authClient.generateSessionTokenForUser(userUrn.getId(), SIGN_UP_LINK_LOGIN);
     return createSession(userUrnString, accessToken);
   }
 
@@ -319,7 +328,8 @@ public Result resetNativeUserCredentials(Http.Request request) {
     final Urn userUrn = new CorpuserUrn(email);
     final String userUrnString = userUrn.toString();
     authClient.resetNativeUserCredentials(userUrnString, password, resetToken);
-    final String accessToken = authClient.generateSessionTokenForUser(userUrn.getId());
+    final String accessToken =
+        authClient.generateSessionTokenForUser(userUrn.getId(), PASSWORD_RESET);
     return createSession(userUrnString, accessToken);
   }
 

datahub-frontend/app/utils/FrontendConstants.java

@@ -0,0 +1,12 @@
+package utils;
+
+public class FrontendConstants {
+  private FrontendConstants() {}
+
+  public static final String PASSWORD_RESET = "passwordReset";
+  public static final String PASSWORD_LOGIN = "passwordLogin";
+  public static final String FALLBACK_LOGIN = "fallbackLogin";
+  public static final String SIGN_UP_LINK_LOGIN = "signUpLinkLogin";
+  public static final String GUEST_LOGIN = "guestLogin";
+  public static final String SSO_LOGIN = "ssoLogin";
+}

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/analytics/service/AnalyticsService.java

@@ -11,6 +11,7 @@
 import com.linkedin.datahub.graphql.generated.NumericDataPoint;
 import com.linkedin.datahub.graphql.generated.Row;
 import com.linkedin.datahub.graphql.types.entitytype.EntityTypeMapper;
+import com.linkedin.metadata.datahubusage.DataHubUsageEventConstants;
 import com.linkedin.metadata.utils.elasticsearch.IndexConvention;
 import java.util.List;
 import java.util.Map;
@@ -178,7 +179,9 @@ public List<NamedBar> getBarChart(
                 indexName, dateRange, dimensions)
             + String.format("filters: %s, uniqueOn: %s", filters, uniqueOn));
 
-    assert (dimensions.size() == 1 || dimensions.size() == 2);
+    if (!(dimensions.size() == 1 || dimensions.size() == 2)) {
+      throw new IllegalArgumentException("Dimensions must have 1 or 2 specified: " + dimensions);
+    }
     AggregationBuilder filteredAgg = getFilteredAggregation(filters, mustNotFilters, dateRange);
 
     TermsAggregationBuilder termAgg = AggregationBuilders.terms(DIMENSION).field(dimensions.get(0));
@@ -350,6 +353,7 @@ private AggregationBuilder getFilteredAggregation(
       Optional<DateRange> dateRange,
       String dateRangeField) {
     BoolQueryBuilder filteredQuery = QueryBuilders.boolQuery();
+    filteredQuery.filter(getDefaultFilters());
     mustFilters.forEach((key, values) -> filteredQuery.must(QueryBuilders.termsQuery(key, values)));
     mustNotFilters.forEach(
         (key, values) -> filteredQuery.mustNot(QueryBuilders.termsQuery(key, values)));
@@ -365,6 +369,14 @@ private AggregationBuilder getFilteredAggregation(
     return getFilteredAggregation(mustFilters, mustNotFilters, dateRange, "timestamp");
   }
 
+  private QueryBuilder getDefaultFilters() {
+    return QueryBuilders.boolQuery()
+        .mustNot(
+            QueryBuilders.termQuery(
+                DataHubUsageEventConstants.USAGE_SOURCE,
+                DataHubUsageEventConstants.BACKEND_SOURCE));
+  }
+
   private QueryBuilder dateRangeQuery(DateRange dateRange) {
     // Use timestamp as dateRangeField
     return dateRangeQuery(dateRange, "timestamp");

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/concurrency/GraphQLConcurrencyUtils.java

@@ -2,6 +2,7 @@
 
 import com.codahale.metrics.MetricRegistry;
 import com.linkedin.metadata.utils.metrics.MetricUtils;
+import io.opentelemetry.context.Context;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ExecutorService;
 import java.util.function.Supplier;
@@ -16,7 +17,7 @@ public static ExecutorService getExecutorService() {
   }
 
   public static void setExecutorService(ExecutorService executorService) {
-    GraphQLConcurrencyUtils.graphQLExecutorService = executorService;
+    GraphQLConcurrencyUtils.graphQLExecutorService = Context.taskWrapping(executorService);
   }
 
   public static <T> CompletableFuture<T> supplyAsync(
@@ -26,7 +27,9 @@ public static <T> CompletableFuture<T> supplyAsync(
                 GraphQLConcurrencyUtils.class.getSimpleName(), "supplyAsync", caller, task))
         .inc();
     if (GraphQLConcurrencyUtils.graphQLExecutorService == null) {
-      return CompletableFuture.supplyAsync(supplier);
+      // Hack around to force context wrapping for base executor
+      return CompletableFuture.supplyAsync(
+          supplier, Context.taskWrapping(new CompletableFuture().defaultExecutor()));
     } else {
       return CompletableFuture.supplyAsync(
           supplier, GraphQLConcurrencyUtils.graphQLExecutorService);

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/assertion/ReportAssertionResultResolver.java

@@ -11,6 +11,7 @@
 import com.linkedin.data.template.SetMode;
 import com.linkedin.data.template.StringMap;
 import com.linkedin.datahub.graphql.QueryContext;
+import com.linkedin.datahub.graphql.concurrency.GraphQLConcurrencyUtils;
 import com.linkedin.datahub.graphql.exception.AuthorizationException;
 import com.linkedin.datahub.graphql.generated.AssertionResultInput;
 import com.linkedin.datahub.graphql.generated.StringMapEntryInput;
@@ -53,7 +54,7 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
     final AssertionResultInput input =
         bindArgument(environment.getArgument("result"), AssertionResultInput.class);
 
-    return CompletableFuture.supplyAsync(
+    return GraphQLConcurrencyUtils.supplyAsync(
         () -> {
           final Urn asserteeUrn =
               _assertionService.getEntityUrnForAssertion(
@@ -80,7 +81,9 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
           }
           throw new AuthorizationException(
               "Unauthorized to perform this action. Please contact your DataHub administrator.");
-        });
+        },
+        this.getClass().getSimpleName(),
+        "get");
   }
 
   private static StringMap mapContextParameters(List<StringMapEntryInput> input) {

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/assertion/UpsertCustomAssertionResolver.java

@@ -9,6 +9,7 @@
 import com.linkedin.common.urn.UrnUtils;
 import com.linkedin.data.template.SetMode;
 import com.linkedin.datahub.graphql.QueryContext;
+import com.linkedin.datahub.graphql.concurrency.GraphQLConcurrencyUtils;
 import com.linkedin.datahub.graphql.exception.AuthorizationException;
 import com.linkedin.datahub.graphql.generated.Assertion;
 import com.linkedin.datahub.graphql.generated.PlatformInput;
@@ -51,7 +52,7 @@ public CompletableFuture<Assertion> get(DataFetchingEnvironment environment) thr
       assertionUrn = UrnUtils.getUrn(maybeAssertionUrn);
     }
 
-    return CompletableFuture.supplyAsync(
+    return GraphQLConcurrencyUtils.supplyAsync(
         () -> {
           // Check whether the current user is allowed to update the assertion.
           if (AssertionUtils.isAuthorizedToEditAssertionFromAssertee(context, entityUrn)) {
@@ -71,7 +72,9 @@ public CompletableFuture<Assertion> get(DataFetchingEnvironment environment) thr
           }
           throw new AuthorizationException(
               "Unauthorized to perform this action. Please contact your DataHub administrator.");
-        });
+        },
+        this.getClass().getSimpleName(),
+        "get");
   }
 
   @SneakyThrows

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/auth/CreateAccessTokenResolver.java

@@ -66,6 +66,7 @@ public CompletableFuture<AccessToken> get(final DataFetchingEnvironment environm
 
             final String accessToken =
                 _statefulTokenService.generateAccessToken(
+                    context.getOperationContext(),
                     type,
                     createActor(input.getType(), actorUrn),
                     expiresInMs.orElse(null),

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/auth/RevokeAccessTokenResolver.java

@@ -45,7 +45,7 @@ public CompletableFuture<Boolean> get(DataFetchingEnvironment environment) throw
 
           if (isAuthorizedToRevokeToken(context, tokenId)) {
             try {
-              _statefulTokenService.revokeAccessToken(tokenId);
+              _statefulTokenService.revokeAccessToken(context.getOperationContext(), tokenId);
             } catch (Exception e) {
               throw new RuntimeException("Failed to revoke access token", e);
             }

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/chart/ChartStatsSummaryResolver.java

@@ -1,5 +1,6 @@
 package com.linkedin.datahub.graphql.resolvers.chart;
 
+import com.linkedin.datahub.graphql.concurrency.GraphQLConcurrencyUtils;
 import com.linkedin.datahub.graphql.generated.ChartStatsSummary;
 import com.linkedin.metadata.timeseries.TimeseriesAspectService;
 import graphql.schema.DataFetcher;
@@ -21,6 +22,6 @@ public ChartStatsSummaryResolver(final TimeseriesAspectService timeseriesAspectS
   public CompletableFuture<ChartStatsSummary> get(DataFetchingEnvironment environment)
       throws Exception {
     // Not yet implemented
-    return CompletableFuture.completedFuture(null);
+    return GraphQLConcurrencyUtils.supplyAsync(() -> null, this.getClass().getSimpleName(), "get");
   }
 }

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/connection/UpsertConnectionResolver.java

@@ -8,6 +8,7 @@
 import com.linkedin.connection.DataHubConnectionDetailsType;
 import com.linkedin.connection.DataHubJsonConnection;
 import com.linkedin.datahub.graphql.QueryContext;
+import com.linkedin.datahub.graphql.concurrency.GraphQLConcurrencyUtils;
 import com.linkedin.datahub.graphql.exception.AuthorizationException;
 import com.linkedin.datahub.graphql.generated.DataHubConnection;
 import com.linkedin.datahub.graphql.generated.UpsertDataHubConnectionInput;
@@ -44,7 +45,7 @@ public CompletableFuture<DataHubConnection> get(final DataFetchingEnvironment en
         bindArgument(environment.getArgument("input"), UpsertDataHubConnectionInput.class);
     final Authentication authentication = context.getAuthentication();
 
-    return CompletableFuture.supplyAsync(
+    return GraphQLConcurrencyUtils.supplyAsync(
         () -> {
           if (!ConnectionUtils.canManageConnections(context)) {
             throw new AuthorizationException(
@@ -73,6 +74,8 @@ public CompletableFuture<DataHubConnection> get(final DataFetchingEnvironment en
             throw new RuntimeException(
                 String.format("Failed to upsert a Connection from input %s", input), e);
           }
-        });
+        },
+        this.getClass().getSimpleName(),
+        "get");
   }
 }

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/datacontract/EntityDataContractResolver.java

@@ -5,6 +5,7 @@
 import com.linkedin.common.EntityRelationships;
 import com.linkedin.common.urn.Urn;
 import com.linkedin.datahub.graphql.QueryContext;
+import com.linkedin.datahub.graphql.concurrency.GraphQLConcurrencyUtils;
 import com.linkedin.datahub.graphql.generated.DataContract;
 import com.linkedin.datahub.graphql.generated.Entity;
 import com.linkedin.datahub.graphql.types.datacontract.DataContractMapper;
@@ -38,7 +39,7 @@ public EntityDataContractResolver(
 
   @Override
   public CompletableFuture<DataContract> get(DataFetchingEnvironment environment) {
-    return CompletableFuture.supplyAsync(
+    return GraphQLConcurrencyUtils.supplyAsync(
         () -> {
           final QueryContext context = environment.getContext();
           final String entityUrn = ((Entity) environment.getSource()).getUrn();
@@ -91,6 +92,8 @@ public CompletableFuture<DataContract> get(DataFetchingEnvironment environment)
           } catch (URISyntaxException | RemoteInvocationException e) {
             throw new RuntimeException("Failed to retrieve Data Contract from GMS", e);
           }
-        });
+        },
+        this.getClass().getSimpleName(),
+        "get");
   }
 }

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/datacontract/UpsertDataContractResolver.java

@@ -19,6 +19,7 @@
 import com.linkedin.datacontract.SchemaContract;
 import com.linkedin.datacontract.SchemaContractArray;
 import com.linkedin.datahub.graphql.QueryContext;
+import com.linkedin.datahub.graphql.concurrency.GraphQLConcurrencyUtils;
 import com.linkedin.datahub.graphql.exception.AuthorizationException;
 import com.linkedin.datahub.graphql.exception.DataHubGraphQLErrorCode;
 import com.linkedin.datahub.graphql.exception.DataHubGraphQLException;
@@ -68,7 +69,7 @@ public CompletableFuture<DataContract> get(final DataFetchingEnvironment environ
     final UpsertDataContractInput input =
         bindArgument(environment.getArgument("input"), UpsertDataContractInput.class);
     final Urn entityUrn = UrnUtils.getUrn(input.getEntityUrn());
-    return CompletableFuture.supplyAsync(
+    return GraphQLConcurrencyUtils.supplyAsync(
         () -> {
           if (DataContractUtils.canEditDataContract(context, entityUrn)) {
 
@@ -124,7 +125,9 @@ public CompletableFuture<DataContract> get(final DataFetchingEnvironment environ
           }
           throw new AuthorizationException(
               "Unauthorized to perform this action. Please contact your DataHub administrator.");
-        });
+        },
+        this.getClass().getSimpleName(),
+        "get");
   }
 
   private void validateInput(