Description
Affected module
Backend - Java Client (openmetadata-java-client)
Describe the bug
The Java client authentication fails with 401 "Token not present" for any API request where the entity name contains the substring "version" (e.g., "data-conversion-service", "dataset-version-tracker"). This is caused by an overly broad check in OpenMetadataAuthenticationProvider.apply() that skips adding authentication headers for any URL containing "version".
The check at line 62 was intended to allow unauthenticated access to /v1/system/version but incorrectly matches:
- Entity names containing "conversion" (which contains "version" as substring)
- Entity names containing "version", "subversion", "diversion", etc.
To Reproduce
```java
OpenMetadataConnection connection = new OpenMetadataConnection()
    .withAuthProvider(AuthProvider.OPENMETADATA)
    .withHostPort("https://server.com/api")
    .withSecurityConfig(new OpenMetadataJWTClientConfig().withJwtToken("valid-jwt-token"));
OpenMetadata client = new OpenMetadata(connection);
TeamsApi teamsApi = client.buildClient(TeamsApi.class);
// This fails with 401 because "conversion" contains "version"
teamsApi.getTeamByFQN("data-conversion-service", "defaultRoles,email,parents", null);
```
Expected behavior
Authentication header should be added for all API endpoints except the specific /v1/system/version endpoint.
Error message:
```
feign.FeignException$Unauthorized: [401 Unauthorized] during [GET] to
[https://server.com/api/v1/teams/name/data-conversion-service?fields=...]:
[{"code":401,"message":"Not Authorized! Token not present"}]
```
Version:
- OpenMetadata version: All versions since 0.10.0 (introduced in commit 1c6046cf8e, PR "Fixed #5461: added support for OMD sso" #5462, June 2022)
- Affected file: openmetadata-clients/openmetadata-java-client/src/main/java/org/openmetadata/client/security/OpenMetadataAuthenticationProvider.java
Additional context
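The problematic code (lines 62-64):
```java
if (requestTemplate.url().contains("version")) {
  return; // Exits without adding Authorization header
}
```
Should be changed to:
```java
// url is read from the request template, as in the original check
String url = requestTemplate.url();
// Skip the Authorization header only for the version endpoint itself
if (url.endsWith("/system/version") || url.contains("/system/version?")) {
  return;
}
```
This ensures only the actual version endpoint skips authentication, not every URL containing "version" as a substring.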
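As an added example (not code from the issue or from the OpenMetadata project), the class below runs the substring check and the proposed check from this report over a few constructed URLs, next to a hypothetical stricter variant that inspects only the URL path and ignores the query string. The class name, `pathOnlyCheck`, the `q` and `x` query parameters and the sample URLs are assumptions made for illustration.

```java
import java.net.URI;
import java.util.List;

public class VersionEndpointCheck {
    // Check quoted in the issue: any URL containing "version" skips the auth header.
    static boolean substringCheck(String url) {
        return url.contains("version");
    }

    // Check proposed in the issue.
    static boolean proposedCheck(String url) {
        return url.endsWith("/system/version") || url.contains("/system/version?");
    }

    // Hypothetical stricter variant (assumption, not project code): parse the URL
    // and compare the path component only, so query-string content cannot match.
    static boolean pathOnlyCheck(String url) {
        String path = URI.create(url).getPath();
        return path != null && path.endsWith("/v1/system/version");
    }

    public static void main(String[] args) {
        // Constructed sample URLs; the q and x query parameters are made up.
        List<String> urls = List.of(
            "https://server.com/api/v1/system/version",
            "https://server.com/api/v1/system/version?x=1",
            "https://server.com/api/v1/teams/name/data-conversion-service?fields=defaultRoles,email,parents",
            "https://server.com/api/v1/teams/name/dataset-version-tracker",
            "https://server.com/api/v1/teams?q=/system/version?");

        // true means "the Authorization header would be skipped for this URL".
        System.out.printf("%-10s %-10s %-10s %s%n", "substring", "proposed", "pathOnly", "url");
        for (String u : urls) {
            System.out.printf("%-10b %-10b %-10b %s%n",
                substringCheck(u), proposedCheck(u), pathOnlyCheck(u), u);
        }
    }
}
```

The last sample URL shows the remaining gap in a string-based check: text in the query string can still match `"/system/version?"`, while a comparison on the parsed path does not.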