The GitHub Actions job "Required Checks" on texera.git/gh-readonly-queue/main/pr-5198-afc5f98c8e512c1e90f8fee86dd0a596e58d08d9 has failed.
Run started by GitHub user Yicong-Huang (triggered by Yicong-Huang).

Head commit for run:
03c89453a7d8916fe8205368c24bc23f8d6ea3b2 / Matthew B. <[email protected]>
fix(auth): enforce @RolesAllowed in file-service by registering 
RolesAllowedDynamicFeature (#5198)

### What changes were proposed in this PR?

Registers Jersey's `RolesAllowedDynamicFeature` in `file-service`'s
Jersey environment so the `@RolesAllowed` / `@PermitAll` annotations
already present on `DatasetResource` are actually enforced.

`file-service` registered `JwtAuthFilter` (authentication) and the
`AuthValueFactoryProvider.Binder` (so `@Auth user` injects), but never
`RolesAllowedDynamicFeature` (authorization). The ~20
`@RolesAllowed(Array("REGULAR", "ADMIN"))` annotations on
`DatasetResource` were therefore decorative: any valid JWT reached the
resource method regardless of role. This adds the one missing
registration.

```scala
// Enforce @RolesAllowed annotations on resource methods
environment.jersey.register(classOf[RolesAllowedDynamicFeature])
```

Once enforcement is live, the six public-dataset endpoints
(`getPublicPresignedUrl`, `getPublicPresignedUrlWithS3`,
`getPublicDatasetVersionList`,
`retrievePublicDatasetVersionRootFileNodes`, `getPublicDataset`,
`getDatasetCover`) must stay reachable without a JWT for anonymous hub
visitors. They are already `@PermitAll` on `main`; the new spec pins
that so a future refactor cannot silently lock them out.

### Scope note

This PR was originally "complete @RolesAllowed enforcement across
microservices." Since then the rest of that work has landed or is in
flight on `main`, so this PR has been narrowed to the one remaining gap:

- `config-service`, `computing-unit-managing-service`,
`workflow-compiling-service`: done in #5049 / #5199.
- `JwtAuthFilter` priority + eager-401 + `@PermitAll` opt-out: done in
#5404.
- `access-control-service` (LiteLLM proxy hardening + feature
registration): handled by #5421 (@Yicong-Huang).
- **`file-service`: this PR.**

With this and #5421, every microservice that uses `@RolesAllowed`
enforces it, closing out #4904.

### Any related issues, documentation, or discussions?

Closes #5433. Follow-up to #4904; companion to #5421.

### How was this PR tested?

Added `DatasetResourcePermissionsSpec`, which verifies the six
public-dataset endpoints carry `@PermitAll` so they remain
anonymous-accessible after enforcement is enabled. `file-service` and
the auth modules compile clean. Existing `DatasetResource`
`@RolesAllowed` annotations are unchanged.

### Was this PR authored or co-authored using generative AI tooling?

Co-authored with Claude Opus 4.8 in compliance with ASF Generative
Tooling Guidance.

---------

Co-authored-by: Yicong Huang <[email protected]>

Report URL: https://github.com/apache/texera/actions/runs/27102809335

With regards,
GitHub Actions via GitBox
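
Added example, not part of the notification or of the Texera code base: a reflection audit that resolves each endpoint's effective policy with the method-then-class precedence that Jersey's `RolesAllowedDynamicFeature` applies, so the anonymous surface can be pinned in a test. `SampleDatasetResource`, `RolePolicyAudit` and the `jakarta.*` namespace (use `javax.*` on Jersey 2.x) are assumptions.

```scala
import jakarta.annotation.security.{DenyAll, PermitAll, RolesAllowed}
import jakarta.ws.rs.{GET, HttpMethod, POST, Path}

// Hypothetical stand-in for a resource class such as DatasetResource (constructed sample).
@Path("/dataset")
@RolesAllowed(Array("REGULAR", "ADMIN"))
class SampleDatasetResource {
  @GET @Path("/list") def listDatasets(): String = "private" // inherits class roles
  @POST @Path("/delete") @RolesAllowed(Array("ADMIN")) def deleteDataset(): String = "deleted"
  @GET @Path("/public") @PermitAll def getPublicDataset(): String = "public"
  @GET @Path("/legacy") @DenyAll def legacyExport(): String = "never"
}

object RolePolicyAudit {
  sealed trait Policy
  case object Deny extends Policy                              // always rejected
  case object Public extends Policy                            // @PermitAll, no role check
  case object Unrestricted extends Policy                      // no role filter attached
  final case class Roles(allowed: Set[String]) extends Policy

  // A JAX-RS endpoint carries an annotation (@GET, @POST, ...) that is itself
  // meta-annotated with @HttpMethod.
  private def isEndpoint(m: java.lang.reflect.Method): Boolean =
    m.getAnnotations.exists(_.annotationType.isAnnotationPresent(classOf[HttpMethod]))

  private def roles(a: RolesAllowed): Option[Policy] = Option(a).map(r => Roles(r.value.toSet))

  // Precedence: method @DenyAll, method @RolesAllowed, method @PermitAll, class @RolesAllowed.
  def effective(cls: Class[_]): Map[String, Policy] =
    cls.getDeclaredMethods.filter(isEndpoint).map { m =>
      val policy: Policy =
        if (m.isAnnotationPresent(classOf[DenyAll])) Deny
        else roles(m.getAnnotation(classOf[RolesAllowed]))
          .orElse(if (m.isAnnotationPresent(classOf[PermitAll])) Some(Public) else None)
          .orElse(roles(cls.getAnnotation(classOf[RolesAllowed])))
          .getOrElse(Unrestricted)
      m.getName -> policy
    }.toMap

  def main(args: Array[String]): Unit = {
    val policies = effective(classOf[SampleDatasetResource])
    policies.toSeq.sortBy(_._1).foreach { case (name, p) => println(s"$name -> $p") }
    // Pin the anonymous surface: fail if an endpoint gains or loses @PermitAll.
    val expectedPublic = Set("getPublicDataset")
    val actualPublic = policies.collect { case (n, Public) => n }.toSet
    require(actualPublic == expectedPublic, s"public surface drifted: $actualPublic")
  }
}
```

The resolved policies describe what the annotations request; they take effect only in a service where the feature is registered.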
