chore!: remove ROW_LEVEL_SECURITY feature flag (permanently enable) (…

…apache#19230)

* permanently turn on rls feature flag

* unused imports

* docs

* docs

* unused import

RELEASING/release-notes-1-0/README.md

@@ -16,11 +16,9 @@ KIND, either express or implied.  See the License for the
 specific language governing permissions and limitations
 under the License.
 -->
-
 # Release Notes for Superset 1.0.0
 
-Superset 1.0 is a **_huge milestone_** for Apache Superset. This release holds a higher quality standard than any previous version and raises the bar for releases to come. Superset 1.0 improves on usability and delivers a new set of long awaited features focused on five major themes:
-
+Superset 1.0 is a ***huge milestone*** for Apache Superset. This release holds a higher quality standard than any previous version and raises the bar for releases to come. Superset 1.0 improves on usability and delivers a new set of long awaited features focused on five major themes:
 - [**User Experience**](#user-experience)
 - [**Developer Experience**](#developer-experience)
 - [**Performance**](#performance)
@@ -29,7 +27,6 @@ Superset 1.0 is a **_huge milestone_** for Apache Superset. This release holds a
 - [**Stability and Bugfixes**](#stability-and-bugfixes)
 
 # User Experience
-
 We have taken the Superset user experience to the next level with a much simpler, more intuitive UI.
 
 Lists of Charts and Dashboards can be shown in a new format using a **thumbnail grid**. This makes it easier to discover and find Charts and Dashboards, especially when there are a lot of them in your Superset instance.
@@ -47,7 +44,6 @@ The [Superset 1.0 documentation](https://superset.apache.org/docs/intro) has bee
 See related PR highlights [here](#user-experience-1).
 
 # Developer Experience
-
 Superset 1.0 makes it easier for developers to build, deploy, and maintain Superset functionality. This release is a major milestone in an ongoing effort to **modernize**, **consolidate**, and **simplify** the interface elements of Superset. Highly-used components have been visually updated, refactored to modern component libraries, and integrated with React Storybook for immediate visibility with consolidated test/styles. This improves the developer experience and creates a more consistent and modern aesthetic for the user.
 
 The **REST API** continues to see improvement as well, with new endpoints and improvements to existing endpoints. More details [here](https://superset.apache.org/docs/rest-api).
@@ -61,13 +57,11 @@ The Swagger interface can be used to explore and try out these changes.
 See related PR highlights [here](#developer-experience-1).
 
 # Performance
-
 This the most performant Superset release to date, with enhanced scalability and efficiency. In addition to many small tweaks, **Charts** and **SQL Lab** both now support **asynchronous data loading**. Users will **feel** this improvement when loading query results, especially when there are many charts in a Dashboard or when queries are long running.
 
 See related PR highlights [here](#performance-1).
 
 # New Features
-
 Superset 1.0 includes a slew of new features and other enhancements. **New visualization plugin architecture** will make it easier to build, test, style and configure custom visualizations for Superset. **Dynamic viz plugin** imports will allow Superset to load data viz plugins, allowing developers to more easily use or share their custom plugins and **load custom plugins on-demand** from anywhere on the web. Superset has also adopted [**Apache ECharts**](https://echarts.apache.org/en/index.html) as the core library for new visualizations.
 
 <kbd><img alt="timeseries prophet" src="media/echarts_timeseries_prophet.png" width="600"/></kbd>
@@ -96,25 +90,21 @@ See related PR highlights [here](#new-features-1).
 
 Some of the new features in this release are disabled by default. Each has a feature flag in `config.py` and some require configuration of additional backend dependencies (e.g. celery, SMTP server, etc). The following table will help you get started on the list of features and their associated flags & dependencies. Feel free to contribute and expand this list.
 
-| Feature                   | Feature Flag                                                                                                     | Dependencies                                                                                                          | Documentation                                                                                             |
-| ------------------------- | ---------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
-| Global Async Queries      | `GLOBAL_ASYNC_QUERIES: True`                                                                                     | Redis 5.0+, celery workers configured and running                                                                     | [Extra documentation](https://github.com/apache/superset/blob/master/CONTRIBUTING.md#async-chart-queries) |
-| Dashboard Native Filters  | `DASHBOARD_NATIVE_FILTERS: True`                                                                                 |                                                                                                                       |
-| Alerts & Reporting        | `ALERT_REPORTS: True`                                                                                            | [Celery workers configured & celery beat process](https://superset.apache.org/docs/installation/async-queries-celery) |
-| Homescreen Thumbnails     | `THUMBNAILS: TRUE, THUMBNAIL_CACHE_CONFIG: CacheConfig = { "CACHE_TYPE": "null", "CACHE_NO_NULL_WARNING": True}` | selenium, pillow 7, celery                                                                                            |
-| Row Level Security        | `ROW_LEVEL_SECURITY`                                                                                             |                                                                                                                       | [Extra Documentation](https://superset.apache.org/docs/security#row-level-security)                       |
-| Dynamic Viz Plugin Import | `DYNAMIC_PLUGINS: True`                                                                                          |                                                                                                                       |
+| Feature | Feature Flag | Dependencies | Documentation
+| --- | --- | --- | --- |
+| Global Async Queries | `GLOBAL_ASYNC_QUERIES: True` | Redis 5.0+, celery workers configured and running | [Extra documentation](https://github.com/apache/superset/blob/master/CONTRIBUTING.md#async-chart-queries )
+| Dashboard Native Filters | `DASHBOARD_NATIVE_FILTERS: True` | |
+| Alerts & Reporting | `ALERT_REPORTS: True` | [Celery workers configured & celery beat process](https://superset.apache.org/docs/installation/async-queries-celery) |
+| Homescreen Thumbnails | `THUMBNAILS: TRUE, THUMBNAIL_CACHE_CONFIG: CacheConfig = { "CACHE_TYPE": "null", "CACHE_NO_NULL_WARNING": True}`| selenium, pillow 7, celery |
+| Dynamic Viz Plugin Import | `DYNAMIC_PLUGINS: True` | |
 
 # Stability and Bugfixes
-
 This release includes **hundreds** of bugfixes and stability enhancements. Future major releases will have a continued emphasis on providing a stable and bug-free experience for the user.
 
 # PR Highlights
-
 Below is a highlight of the PRs included in this update. The full list is much longer, and can be found [here](apache/incubator-superset/CHANGELOG.md).
 
 ## User Experience
-
 - Revert "refactor: Remove usages of reactable from TimeTable (#11046)" (#[11150](https://github.com/apache/incubator-superset/pull/11150))
 - style: Restoring menu highlights (#[12024](https://github.com/apache/incubator-superset/pull/12024))
 - style: eslint curly rule (#[11913](https://github.com/apache/incubator-superset/pull/11913))
@@ -124,7 +114,6 @@ Below is a highlight of the PRs included in this update. The full list is much l
 <!--### Card Layout-->
 
 ### Explore Controls
-
 - feat: Global nav menus open on hover (#[12025](https://github.com/apache/incubator-superset/pull/12025))
 - feat: add hook for dataset health check (#[11970](https://github.com/apache/incubator-superset/pull/11970))
 - feat: add modal to import dashboards (#[11924](https://github.com/apache/incubator-superset/pull/11924))
@@ -141,14 +130,13 @@ Below is a highlight of the PRs included in this update. The full list is much l
 - feat(explore): update the order of datasource dropdown menu (#[11424](https://github.com/apache/incubator-superset/pull/11424))
 
 ### SQL Lab
-
 - feat: initial custom error messages for SQL Lab (#[12080](https://github.com/apache/incubator-superset/pull/12080))
 - feat: show missing parameters in query (#[12049](https://github.com/apache/incubator-superset/pull/12049))
 - feat: Sqllab to Explore UX improvements (#[11755](https://github.com/apache/incubator-superset/pull/11755))
 - feat: add Postgres SQL validator (#[11538](https://github.com/apache/incubator-superset/pull/11538))
 - feat: run BQ queries as single statement (#[11904](https://github.com/apache/incubator-superset/pull/11904))
 - feat: Adding SaveDatasetModal component (#[11861](https://github.com/apache/incubator-superset/pull/11861))
-- feat: list view filters for Query History (#[11702](https://github.com/apache/incubator-superset/pull/11702))
+- feat: list view filters for Query History  (#[11702](https://github.com/apache/incubator-superset/pull/11702))
 - feat: Sqllab to Explore UX improvements api changes (#[11836](https://github.com/apache/incubator-superset/pull/11836))
 - feat: SQL preview modal for Query History (#[11634](https://github.com/apache/incubator-superset/pull/11634))
 - feat: Query History CRUD list view (#[11574](https://github.com/apache/incubator-superset/pull/11574))
@@ -159,7 +147,6 @@ Below is a highlight of the PRs included in this update. The full list is much l
 - feat(welcome): add SQL snippets to saved queries card (#[11678](https://github.com/apache/incubator-superset/pull/11678))
 
 ### Documentation
-
 - docs: restored page on roles in security, executed other touchups, and… (#[11978](https://github.com/apache/incubator-superset/pull/11978))
 - docs: 0.38.0 CHANGELOG and UPDATING (#[11809](https://github.com/apache/incubator-superset/pull/11809))
 - docs: add Xite to users list (#[11775](https://github.com/apache/incubator-superset/pull/11775))
@@ -186,11 +173,9 @@ Below is a highlight of the PRs included in this update. The full list is much l
 - feat: Add new default dashboard (#[12044](https://github.com/apache/incubator-superset/pull/12044))
 
 ## Developer Experience
-
 - feat: add endpoint to export saved queries using new format (#[11447](https://github.com/apache/incubator-superset/pull/11447))
 
 ### Component Library
-
 - build(deps-dev): update cypress to 5.5.0, improvements for running locally (#[11603](https://github.com/apache/incubator-superset/pull/11603))
 - build(deps-dev): bump less from 3.9.0 to 3.12.2 in /superset-frontend (#[11597](https://github.com/apache/incubator-superset/pull/11597))
 - build(deps-dev): bump @storybook/addon-essentials in /superset-frontend (#[11573](https://github.com/apache/incubator-superset/pull/11573))
@@ -203,44 +188,38 @@ Below is a highlight of the PRs included in this update. The full list is much l
 - chore: bump pypi cryptography from 2.4.2 to 3.2.1 (#[11511](https://github.com/apache/incubator-superset/pull/11511))
 
 ## Performance
-
 - perf: cache dashboard bootstrap data (#[11234](https://github.com/apache/incubator-superset/pull/11234))
-- perf: speed up uuid column generation (#[11209](https://github.com/apache/incubator-superset/pull/11209))
+- perf:  speed up uuid column generation (#[11209](https://github.com/apache/incubator-superset/pull/11209))
 - perf(api): improve API info performance (#[11346](https://github.com/apache/incubator-superset/pull/11346))
 
 ### Global Async Query Support
-
 - feat(SIP-39): Async query support for charts (#[11499](https://github.com/apache/incubator-superset/pull/11499))
-  ###New Features
+###New Features
 
 ### Improved Data Visualizations
-
 - feat: add event and interval annotation support to chart data ep (#[11665](https://github.com/apache/incubator-superset/pull/11665))
 - feat: add ECharts BoxPlot chart (#[11199](https://github.com/apache/incubator-superset/pull/11199))
 - feat(sankey-viz): allow sort by metric and bump superset-ui packages (#[11626](https://github.com/apache/incubator-superset/pull/11626))
 
 ### Discovery and Navigation
-
 - chore: Add home link to navbar (#[11851](https://github.com/apache/incubator-superset/pull/11851))
 - chore(home-screen): fixes for loading states, flicker issue, and reduction of api calls (#[11557](https://github.com/apache/incubator-superset/pull/11557))
 - feat: alert/report execution log list view (#[11937](https://github.com/apache/incubator-superset/pull/11937))
-- feat: home screen mvp (#[11206](https://github.com/apache/incubator-superset/pull/11206))
+- feat: home screen mvp  (#[11206](https://github.com/apache/incubator-superset/pull/11206))
 - style: various little tweaks to home screen stylin' (#[11650](https://github.com/apache/incubator-superset/pull/11650))
 
 ### Alerts and Reporting
-
 - feat: update alert/report icons and column order (#[12081](https://github.com/apache/incubator-superset/pull/12081))
 - feat: add cron picker to AlertReportModal (#[12032](https://github.com/apache/incubator-superset/pull/12032))
 - feat: alerts/reports add/edit modal (#[11770](https://github.com/apache/incubator-superset/pull/11770))
-- feat: filters for alerts and reports list view (#[11900](https://github.com/apache/incubator-superset/pull/11900))
+- feat: filters for alerts and reports list view  (#[11900](https://github.com/apache/incubator-superset/pull/11900))
 - feat(alert/report): add 'not null' condition option to modal (#[12077](https://github.com/apache/incubator-superset/pull/12077))
 - feat(alerts/reports): remove SIP_34_UI feature flag (#[12085](https://github.com/apache/incubator-superset/pull/12085))
 - feat(alerts/reports): add refresh action (#[12071](https://github.com/apache/incubator-superset/pull/12071))
 - feat(alerts/reports): delete and bulk delete actions (#[12053](https://github.com/apache/incubator-superset/pull/12053))
 - feat(releasing): support changelog csv export (#[11893](https://github.com/apache/incubator-superset/pull/11893))
 
 ## Complete Changelog
-
 Backwards incompatible changes and can be found [here](../../UPDATING.md).
 
 To see the complete changelog, see [apache/incubator-superset/CHANGELOG.md](https://github.com/apache/superset/blob/master/CHANGELOG.md)

RESOURCES/FEATURE_FLAGS.md

@@ -57,7 +57,6 @@ These features flags are **safe for production** and have been tested.
 - ESCAPE_MARKDOWN_HTML
 - ENABLE_TEMPLATE_PROCESSING
 - LISTVIEWS_DEFAULT_CARD_VIEW
-- ROW_LEVEL_SECURITY
 - SCHEDULED_QUERIES [(docs)](https://superset.apache.org/docs/installation/alerts-reports)
 - SQL_VALIDATORS_BY_ENGINE [(docs)](https://superset.apache.org/docs/installation/sql-templating)
 - SQLLAB_BACKEND_PERSISTENCE

UPDATING.md

@@ -29,6 +29,7 @@ assists people when migrating to a new version.
 
 ### Breaking Changes
 
+- [19230](https://github.com/apache/superset/pull/19230): The `ROW_LEVEL_SECURITY` feature flag has been removed (permanently enabled). Any deployments which had set this flag to false will need to verify that the presence of the Row Level Security feature does not interfere with their use case.
 - [19168](https://github.com/apache/superset/pull/19168): Celery upgrade to 5.X has breaking changes on it's command line invocation.
   Please follow: https://docs.celeryq.dev/en/stable/whatsnew-5.2.html#step-1-adjust-your-command-line-invocation
   Consider migrating you celery config if you haven't already: https://docs.celeryq.dev/en/stable/userguide/configuration.html#conf-old-settings-map

superset/config.py

@@ -396,14 +396,6 @@ def _try_json_readsha(filepath: str, length: int) -> Optional[str]:
     "DASHBOARD_FILTERS_EXPERIMENTAL": False,
     "GLOBAL_ASYNC_QUERIES": False,
     "VERSIONED_EXPORT": True,
-    # Note that: RowLevelSecurityFilter is only given by default to the Admin role
-    # and the Admin Role does have the all_datasources security permission.
-    # But, if users create a specific role with access to RowLevelSecurityFilter MVC
-    # and a custom datasource access, the table dropdown will not be correctly filtered
-    # by that custom datasource access. So we are assuming a default security config,
-    # a custom security config could potentially give access to setting filters on
-    # tables that users do not have access to.
-    "ROW_LEVEL_SECURITY": True,
     "EMBEDDED_SUPERSET": False,
     # Enables Alerts and reports new implementation
     "ALERT_REPORTS": False,

superset/connectors/sqla/models.py

@@ -1394,8 +1394,7 @@ def get_sqla_query(  # pylint: disable=too-many-arguments,too-many-locals,too-ma
                         raise QueryObjectValidationError(
                             _("Invalid filter operation type: %(op)s", op=op)
                         )
-        if is_feature_enabled("ROW_LEVEL_SECURITY"):
-            where_clause_and += self.get_sqla_row_level_filters(template_processor)
+        where_clause_and += self.get_sqla_row_level_filters(template_processor)
         if extras:
             where = extras.get("where")
             if where:
@@ -1811,7 +1810,7 @@ def has_extra_cache_key_calls(self, query_obj: QueryObjectDict) -> bool:
             templatable_statements.append(extras["where"])
         if "having" in extras:
             templatable_statements.append(extras["having"])
-        if is_feature_enabled("ROW_LEVEL_SECURITY") and self.is_rls_supported:
+        if self.is_rls_supported:
             templatable_statements += [
                 f.clause for f in security_manager.get_rls_filters(self)
             ]

superset/connectors/sqla/views.py

@@ -22,15 +22,13 @@
 from flask import current_app, flash, Markup, redirect
 from flask_appbuilder import CompactCRUDMixin, expose
 from flask_appbuilder.fieldwidgets import Select2Widget
-from flask_appbuilder.hooks import before_request
 from flask_appbuilder.models.sqla.interface import SQLAInterface
 from flask_appbuilder.security.decorators import has_access
 from flask_babel import lazy_gettext as _
-from werkzeug.exceptions import NotFound
 from wtforms.ext.sqlalchemy.fields import QuerySelectField
 from wtforms.validators import Regexp
 
-from superset import app, db, is_feature_enabled
+from superset import app, db
 from superset.connectors.base.views import DatasourceModelView
 from superset.connectors.sqla import models
 from superset.constants import MODEL_VIEW_RW_METHOD_PERMISSION_MAP, RouteMethod
@@ -328,15 +326,6 @@ class RowLevelSecurityFiltersModelView(SupersetModelView, DeleteMixin):
         add_form_query_rel_fields = app.config["RLS_FORM_QUERY_REL_FIELDS"]
         edit_form_query_rel_fields = add_form_query_rel_fields
 
-    @staticmethod
-    def is_enabled() -> bool:
-        return is_feature_enabled("ROW_LEVEL_SECURITY")
-
-    @before_request
-    def ensure_enabled(self) -> None:
-        if not self.is_enabled():
-            raise NotFound()
-
 
 class TableModelView(  # pylint: disable=too-many-ancestors
     DatasourceModelView, DeleteMixin, YamlExportMixin

superset/initialization/__init__.py

@@ -277,9 +277,6 @@ def init_views(self) -> None:
             category="Security",
             category_label=__("Security"),
             icon="fa-lock",
-            menu_cond=lambda: feature_flag_manager.is_feature_enabled(
-                "ROW_LEVEL_SECURITY"
-            ),
         )
 
         #