# getting-started
w
Hi! Having a look at DataHubSystemAuthenticator, doc mentions that:
This authenticator also looks for a "delegated actor urn" which can be provided by system callers using the 'X-DataHub-Actor' header.
However, the current logic does not match that, how is that? https://github.com/datahub-project/datahub/blob/master/metadata-service/auth-impl/[…]ub/authentication/authenticator/DataHubSystemAuthenticator.java
If Metadata Service authentication is disabled, then NoOpAuthenticator applies and requests are authenticated using the X-DataHub-Actor header. This identity is the one used for authorization. However, when Metadata Service authentication is enabled, DataHubSystemAuthenticator is applied and, according to the code, all requests are authenticated as the System Id client. So this is the identity used for authorization. Is that correct, or what am I missing? @big-carpet-38439 , as the main contributor on this topic, could you shed some light here? 🙏
a
@echoing-airport-49548 might be able to provide some extra insight as well!
b
You're correct, sergio. The doc string is incorrect here and needs to be updated
w
Isn't it the other way around? I mean, fixing the code! Otherwise, if `DataHubSystemAuthenticator` always resolves to the system actor, how is authorization working then?
There is a test for this scenario; however, I think this line is wrong https://github.com/datahub-project/datahub/blob/b3c790aab6c34c001efcca217a305b9478[…]uthentication/authenticator/DataHubSystemAuthenticatorTest.java and instead it should be

```java
assertEquals(authentication.getActor().getId(), "urn:li:corpuser:datahub");
```
If my conclusions are correct, then this bug is impacting all users who have Metadata Service authentication enabled and authorization policies in place ⚠️, and results in all frontend requests being authorized as the system id user instead of the original actor.
After some deeper investigation (I think) I found the missing piece that solves my misunderstanding. The front-end is not using the `X-DataHub-Actor` header anymore. Instead, the frontend, as a trusted component (system id authorization), asks the GMS for an access token to be used during the session. And so, all following requests will be authenticated by the DataHubTokenAuthenticator using the given JWT token. https://github.com/datahub-project/datahub/blob/ae30be9c25760ff53c8ef49724fcc17756[…]java/com/datahub/auth/authentication/AuthServiceController.java
In case this https://github.com/datahub-project/datahub/pull/8071 is of any help to anyone else looking at this 😅