From 179085163257e90efdc56a501bc263d22a9a84bd Mon Sep 17 00:00:00 2001
From: Rajdeep Singh <rajdeep.kuswaha@s.amity.edu>
Date: Mon, 6 Apr 2026 18:52:47 +0530
Subject: [PATCH] Add warning logging to 5 silent catch blocks in
 SubjectContext

Replace empty catch blocks in security-critical authorization code
with LOG.warn calls that include exception context and stack traces:

- isTeamAsset(): log team asset ownership lookup failures
- isInTeam(): log team hierarchy traversal failures
- getRolesForTeams(): log role resolution failures
- hasRole(): log role check failures via team chain
- UserPolicyIterator: log resource owner policy load failures

No behavioral changes - fail-closed pattern preserved. Logging
enables diagnosis of intermittent auth failures caused by transient
DB errors or data inconsistencies.
---
 .../policyevaluator/SubjectContext.java       | 34 +++++++++++++++----
 1 file changed, 27 insertions(+), 7 deletions(-)

diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/security/policyevaluator/SubjectContext.java b/openmetadata-service/src/main/java/org/openmetadata/service/security/policyevaluator/SubjectContext.java
index 5269145fe948..38bb01a32ed9 100644
--- a/openmetadata-service/src/main/java/org/openmetadata/service/security/policyevaluator/SubjectContext.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/security/policyevaluator/SubjectContext.java
@@ -169,7 +169,12 @@ public boolean isTeamAsset(String parentTeam, List<EntityReference> owners) {
               Entity.getEntity(Entity.TEAM, owner.getId(), TEAM_FIELDS, Include.NON_DELETED);
           return isInTeam(parentTeam, team.getEntityReference());
         } catch (Exception ex) {
-          // Ignore and return false
+          LOG.warn(
+              "Failed to check team asset ownership for team [{}] with owner [{}]: {}",
+              parentTeam,
+              owner.getId(),
+              ex.getMessage(),
+              ex);
         }
       }
     }
@@ -182,8 +187,8 @@ public static boolean isInTeam(String parentTeam, EntityReference team) {
     Set<UUID> visitedTeams = new HashSet<>();
     stack.push(team); // Start with team and see if the parent matches
     while (!stack.isEmpty()) {
+      EntityReference currentTeamRef = stack.pop();
       try {
-        EntityReference currentTeamRef = stack.pop();
         // Skip if we've already visited this team to prevent circular dependencies
         if (visitedTeams.contains(currentTeamRef.getId())) {
           LOG.warn(
@@ -199,7 +204,12 @@ public static boolean isInTeam(String parentTeam, EntityReference team) {
         listOrEmpty(parent.getParents())
             .forEach(stack::push); // Continue to go up the chain of parents
       } catch (Exception ex) {
-        // Ignore and return false
+        LOG.warn(
+            "Failed to traverse team hierarchy for parent [{}] at team [{}]: {}",
+            parentTeam,
+            currentTeamRef != null ? currentTeamRef.getName() : null,
+            ex.getMessage(),
+            ex);
       }
     }
     return false;
@@ -226,7 +236,8 @@ private static List<EntityReference> getRolesForTeams(
         roles.addAll(team.getDefaultRoles());
         roles.addAll(getRolesForTeams(team.getParents(), visitedTeams));
       } catch (Exception ex) {
-        // Ignore and continue
+        LOG.warn(
+            "Failed to resolve roles for team [{}]: {}", teamRef.getName(), ex.getMessage(), ex);
       }
     }
     return roles.stream().distinct().collect(Collectors.toList());
@@ -280,8 +291,8 @@ public static boolean hasRole(User user, String role) {
     }
     listOrEmpty(user.getTeams()).forEach(stack::push); // Continue to go up the chain of parents
     while (!stack.isEmpty()) {
+      EntityReference currentTeamRef = stack.pop();
       try {
-        EntityReference currentTeamRef = stack.pop();
         // Skip if we've already visited this team to prevent circular dependencies
         if (visitedTeams.contains(currentTeamRef.getId())) {
           LOG.warn(
@@ -298,7 +309,12 @@ public static boolean hasRole(User user, String role) {
         listOrEmpty(parent.getParents())
             .forEach(stack::push); // Continue to go up the chain of parents
       } catch (Exception ex) {
-        // Ignore the exception and return false
+        LOG.warn(
+            "Failed to check role [{}] for team [{}]: {}",
+            role,
+            currentTeamRef != null ? currentTeamRef.getName() : null,
+            ex.getMessage(),
+            ex);
       }
     }
     return false;
@@ -471,7 +487,11 @@ static class UserPolicyIterator implements Iterator<PolicyContext> {
                       Entity.TEAM, resourceOwner.getId(), TEAM_FIELDS, Include.NON_DELETED);
               iterators.add(new TeamPolicyIterator(team.getId(), teamsVisited, true));
             } catch (Exception ex) {
-              // Ignore
+              LOG.warn(
+                  "Failed to load policies for resource owner team [{}]: {}",
+                  resourceOwner.getId(),
+                  ex.getMessage(),
+                  ex);
             }
           }
         }