User with Delete permission not able to delete testCases

[aniketkatkar97]

Affected module
backend

Describe the bug
A user with only Delete permission cannot delete a test case.

To Reproduce

Screen.Recording.2023-04-11.at.6.36.03.PM.mov

---

Request URL:: /api/v1/testCases/{id}?hardDelete=false&recursive=false
Request Method: DELETE
Response:

{
    "code": 403,
    "message": "Principal: CatalogPrincipal{name='aniket'} operations [EditTests] not allowed"
}

{
    "resource": "all",
    "permissions": [
        {
            "operation": "All",
            "access": "notAllow"
        },
        {
            "operation": "Create",
            "access": "notAllow"
        },
        {
            "operation": "Delete",
            "access": "allow",
            "rule": {
                "name": "TestRule",
                "description": "",
                "effect": "allow",
                "operations": [
                    "Delete"
                ],
                "resources": [
                    "All"
                ]
            },
            "policy": "DataStewardPolicy",
            "role": "DataSteward"
        },
        ...
    ]
}

Expected behavior
A clear and concise description of what you expected to happen.

Version:

• OS: [e.g. iOS]
• Python version:
• OpenMetadata version: [e.g. 0.8]
• OpenMetadata Ingestion package version: [e.g. openmetadata-ingestion[docker]==XYZ]

Additional context
Add any other context about the problem here.

[harshach]

@ShaileshParmar11 @TeddyCr
user with following policies are unable to view the tests

As admin

[TeddyCr]

@harshach regarding what you mentioned I believe this comes from the list test suite operation context being linked to the table resource (and not a test resource per say).

...
    OperationContext operationContext = new OperationContext(Entity.TABLE, MetadataOperation.VIEW_TESTS);
...

I believe if your user does not have view permission tables then no test suites will be returned.

As far as the user not being able to delete tests with the DELETE permission it looks like the DELETE request uses the EDIT_TESTS. Any more info why we used this one instead of the DELETE one?

[harshach]

We need to be consistent in the transitive permissions
Example

1. Service Creation means one should be able to create Ingestion Pipeine related to service
2. Table's EditTests means they should be able to Edit/Delete the test that's belongs to the table

Not all entities are top-level entities and deriving it from the main parent/container makes sense.
So this means we shouldn't be showing the derived/child entities in Resources Section and its clear to the user all these permissions are being in affect from Table rather than Test's Delete

[TeddyCr]

@harshach thanks for this explaination. I am not sure I fully understand what is required next based on what you mentioned. Could you give a bit more details?

[harshach]

@TeddyCr assigned it to myself. I'll cleanup as part of a PR I am working on

[pmbrull]

@harshach was this done?