Sidharth Kumar Mishra created ATLAS-4170:
--------------------------------------------

             Summary: v2/entity/bulk Entity GET API is able to read unauthorised entities too when skipFailedEntities is passed as True
                 Key: ATLAS-4170
                 URL: https://issues.apache.org/jira/browse/ATLAS-4170
             Project: Atlas
          Issue Type: Bug
            Reporter: Sidharth Kumar Mishra
            Assignee: Sidharth Kumar Mishra

As part of https://issues.apache.org/jira/browse/ATLAS-3855, skipFailedEntities was introduced to ignore the entities where it fails to read.

When skipFailedEntities is not passed or is passed as skipFailedEntities=False, we get a 403 with the below error, as expected:

{code:java}
{
  "errorCode": "ATLAS-403-00-001",
  "errorMessage": "hrt is not authorized to perform read entity: guid=ad0f349c-1fe6-46f0-be6d-98ca2e754e1c"
}
{code}

But when we pass skipFailedEntities=True, the API is able to retrieve the data even for those entities on which the user has explicit deny conditions. Ideally, we should be ignoring these unauthorised entities and returning data only for authorised ones.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
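
The behaviour the report asks for, as an added example that is not part of the original message and is not Apache Atlas code: a simplified Python model of a bulk read with a skip-on-failure flag, plus a regression check that counts denied GUIDs in the response. The flawed variant is one hypothetical way such a flag can end up returning denied entities; the store, deny rules and all function names are constructed for illustration.

```python
# Added illustration: a simplified model of a bulk entity read with a
# skip-failed flag. All names are hypothetical; this is not Apache Atlas code.

class AccessDenied(Exception):
    """Stands in for the 403 response shown in the report."""

# Constructed sample data: entity store and per-user explicit deny rules.
STORE = {"guid-1": {"name": "sales_table"}, "guid-2": {"name": "hr_salaries"}}
DENY = {"hrt": {"guid-2"}}

def verify_read(user, guid):
    if guid in DENY.get(user, set()):
        raise AccessDenied(f"{user} is not authorized to perform read entity: guid={guid}")

def bulk_read_flawed(user, guids, skip_failed=False):
    """Hypothetical flawed shape: the entity joins the response before the
    check, so swallowing the denial leaves it in the result."""
    out = {}
    for guid in guids:
        try:
            out[guid] = STORE[guid]
            verify_read(user, guid)
        except (AccessDenied, KeyError):
            if not skip_failed:
                raise
    return out

def bulk_read_fixed(user, guids, skip_failed=False):
    """Expected shape: authorize first; skipping drops the entity entirely."""
    out = {}
    for guid in guids:
        try:
            verify_read(user, guid)
            out[guid] = STORE[guid]
        except (AccessDenied, KeyError):
            if not skip_failed:
                raise
    return out

def leaked_guids(reader, user, guids):
    """Regression check: GUIDs returned despite an explicit deny for the user."""
    returned = reader(user, guids, skip_failed=True)
    return sorted(g for g in returned if g in DENY.get(user, set()))

if __name__ == "__main__":
    guids = ["guid-1", "guid-2", "guid-missing"]
    print("flawed leaks:", leaked_guids(bulk_read_flawed, "hrt", guids))
    print("fixed leaks: ", leaked_guids(bulk_read_fixed, "hrt", guids))
```

The same assertion, that a response produced with the skip flag contains no GUID the caller is denied, is the one worth keeping as a permanent test for any bulk endpoint with partial-failure semantics.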