Skip to content

Fix roles field missing in bulk GET /policies response#25722

Draft
Copilot wants to merge 3 commits intomainfrom
copilot/fix-bulk-get-policies-roles
Draft

Fix roles field missing in bulk GET /policies response#25722
Copilot wants to merge 3 commits intomainfrom
copilot/fix-bulk-get-policies-roles

Conversation

Copy link
Contributor

Copilot AI commented Feb 5, 2026
edited
Loading

Describe your changes:

Bulk GET /api/v1/policies?fields=roles returned empty roles arrays while single-entity GET worked correctly.

Root cause: PolicyRepository.fetchAndSetRoles() and fetchAndSetTeams() had incorrect parameter order in findFromBatch() calls.

The relationship is Role HAS Policy (Role=from, Policy=to). The code was:

// Wrong - swapped fromEntityType and toEntityType
.findFromBatch(policyIds, Relationship.HAS.ordinal(), POLICY, Entity.ROLE);

Fixed to:

// Correct - ROLE is from, POLICY is to
.findFromBatch(policyIds, Relationship.HAS.ordinal(), Entity.ROLE, POLICY);

Also corrected the result extraction—record.getToId() for policy ID, record.getFromId() for role/team ID.

Type of change:

  • Bug fix
  • Improvement
  • New feature
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation

Checklist:

  • I have read the CONTRIBUTING document.

  • My PR title is Fixes <issue-number>: <short explanation>

  • I have commented on my code, particularly in hard-to-understand areas.

  • For JSON Schema changes: I updated the migration scripts or explained why it is not needed.

  • I have added a test that covers the exact scenario we are fixing. For complex issues, comment the issue number in the test for future reference.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • repository.apache.org
    • Triggering command: /usr/lib/jvm/temurin-21-jdk-amd64/bin/java /usr/lib/jvm/temurin-21-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/OpenMetadata/OpenMetadata org.codehaus.plexus.classworlds.launcher.Launcher spotless:apply -pl openmetadata-service -q (dns block)
    • Triggering command: /usr/lib/jvm/temurin-21-jdk-amd64/bin/java /usr/lib/jvm/temurin-21-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/OpenMetadata/OpenMetadata org.codehaus.plexus.classworlds.launcher.Launcher compile -pl openmetadata-service -q -DskipTests (dns block)
    • Triggering command: /usr/lib/jvm/temurin-21-jdk-amd64/bin/java /usr/lib/jvm/temurin-21-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/OpenMetadata/OpenMetadata org.codehaus.plexus.classworlds.launcher.Launcher compile -pl openmetadata-service -DskipTests -q (dns block)
  • s3.amazonaws.com
    • Triggering command: /usr/lib/jvm/temurin-21-jdk-amd64/bin/java /usr/lib/jvm/temurin-21-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/OpenMetadata/OpenMetadata org.codehaus.plexus.classworlds.launcher.Launcher spotless:apply -pl openmetadata-service -q (dns block)
    • Triggering command: /usr/lib/jvm/temurin-21-jdk-amd64/bin/java /usr/lib/jvm/temurin-21-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/OpenMetadata/OpenMetadata org.codehaus.plexus.classworlds.launcher.Launcher compile -pl openmetadata-service -q -DskipTests (dns block)
    • Triggering command: /usr/lib/jvm/temurin-21-jdk-amd64/bin/java /usr/lib/jvm/temurin-21-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/OpenMetadata/OpenMetadata org.codehaus.plexus.classworlds.launcher.Launcher compile -pl openmetadata-service -DskipTests -q (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>'roles' field missing in bulk GET /policies response</issue_title>
<issue_description>Affected module
Does it impact the UI, backend or Ingestion Framework?
Backend

Describe the bug
When performing a bulk GET request on the /api/v1/policies endpoint, the roles field is not returned, even when explicitly requested via the fields query parameter.
However, the same roles field is returned correctly when fetching an individual policy by ID or FQN

GET /api/v1/policies?fields=roles

The roles field is returned as an empty array (roles: []) in the bulk GET response.
The same policy returns the correct roles data when fetched individually by ID or FQN.

To Reproduce
Screenshots or steps to reproduce

Image Image

Expected behavior
The bulk GET response should include the roles object for each policy when fields=roles is specified.

Version:

  • OS: [e.g. iOS]
  • Python version:
  • OpenMetadata version: 1.11.7
  • OpenMetadata Ingestion package version: [e.g. openmetadata-ingestion[docker]==XYZ]

Additional context
Add any other context about the problem here.
</issue_description>

<agent_instructions>follow the description and check in PolicyRepository.java if roles are being fetched. Add a test first in openmetadata-integration-tests PolicyResourceIT.java to reproduce the issue first before fixing it</agent_instructions>

Comments on the Issue (you are @copilot in this section)

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI and others added 2 commits February 5, 2026 20:08
@harshach
Fix roles field missing in bulk GET /policies response
9c99065 
The bug was caused by incorrect parameter ordering in findFromBatch() calls
in PolicyRepository.java:

1. fetchAndSetRoles(): Changed from
   findFromBatch(policyIds, HAS, POLICY, ROLE) to
   findFromBatch(policyIds, HAS, ROLE, POLICY)

2. fetchAndSetTeams(): Changed from
   findFromBatch(policyIds, HAS, POLICY, TEAM) to
   findFromBatch(policyIds, HAS, TEAM, POLICY)

The relationships are Role HAS Policy and Team HAS Policy, where Role/Team
are in the "from" position and Policy is in the "to" position. The fix also
corrects how fromId/toId are extracted from the query results.

Added integration test to verify bulk GET /policies?fields=roles returns
the roles field correctly.

Co-authored-by: harshach <38649+harshach@users.noreply.github.com>
@harshach
Improve test cleanup with try-finally block
53a7550 
Address code review feedback: ensure both role and policy are cleaned up
even if assertions fail by using try-finally block.

Co-authored-by: harshach <38649+harshach@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix missing roles field in bulk GET /policies response Fix roles field missing in bulk GET /policies response Feb 5, 2026
Copilot AI requested a review from harshach February 5, 2026 20:12
@gitar-bot
Copy link

gitar-bot bot commented Feb 5, 2026
edited
Loading

Code Review ✅ Approved

Clean bug fix for missing roles field in bulk GET /policies response. The parameter ordering and ID extraction corrections are correct, and the test provides good coverage.

Options

Auto-apply is off → Gitar will not commit updates to this branch.
Display: compact → Showing less information.

Comment with these commands to change:

Auto-apply Compact 
gitar auto-apply:on         

gitar display:verbose

Was this helpful? React with 👍 / 👎 | Gitar

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@harshach harshach Awaiting requested review from harshach

At least 1 approving review is required to merge this pull request.

Assignees

@harshach harshach

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

'roles' field missing in bulk GET /policies response

2 participants

@harshach