Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support DB perms #8816

Closed
wants to merge 1 commit into from
Closed

Support DB perms #8816

wants to merge 1 commit into from

Conversation

betodealmeida
Copy link
Member

@betodealmeida betodealmeida commented Dec 12, 2019
edited
Loading

CATEGORY

Choose one

  • Bug Fix
  • Enhancement (new features, refinement)
  • Refactor
  • Add tests
  • Build / Development Environment
  • Documentation

SUMMARY

Currently, if a user has permissions to a given DB, they can't see charts or dashboards built on top of that DB, since SliceFilter and DashboardFilter ignore the DB permissions.

@mistercrunch I tried to fix this in the past (#6933), but I used the wrong permissions and we reverted the PR. This one uses the actual database permissions.

TEST PLAN

Created users that have access to only a specific DB, and verified that the charts and dashboards showed up.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Changes UI
  • Requires DB Migration.
  • Confirm DB Migration upgrade and downgrade tested.
  • Introduces new feature or API
  • Removes existing feature or API

REVIEWERS

@mistercrunch @dpgaspar

@mistercrunch
Copy link
Member

@bkyryliuk I think you have a fair amount of context here ^^^ :)

@codecov-io
Copy link

Codecov Report

Merging #8816 into master will increase coverage by 0.04%.
The diff coverage is 100%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #8816      +/-   ##
==========================================
+ Coverage   65.84%   65.89%   +0.04%     
==========================================
  Files         483      483              
  Lines       24177    24180       +3     
  Branches     2777     2777              
==========================================
+ Hits        15920    15933      +13     
+ Misses       8079     8069      -10     
  Partials      178      178
Impacted Files Coverage Δ
superset/views/core.py 72.18% <100%> (+0.05%) ⬆️
superset/db_engine_specs/postgres.py 83.33% <0%> (+27.77%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ed54f6e...c9094d8. Read the comment docs.

@mistercrunch
Copy link
Member

Totally a side note and outside the scope of this PR, but I think eventually we might want to not use FAB's permission model for data access information. Instead we'd have a many to many from roles to schemas/tables/database.

I'm not sure whether we'd overload the current Role model in FAB, or create a new Superset-owned DataRole model...

@bkyryliuk
Copy link
Member

@betodealmeida - definitely add unit tests, example is here: https://github.com/apache/incubator-superset/blob/master/tests/security_tests.py#L349

bkyryliuk
bkyryliuk reviewed Dec 12, 2019
View reviewed changes
superset/views/core.py
class SliceFilter(BaseFilter):
def apply(self, query, func): # noqa
if security_manager.all_datasource_access():
return query
perms = security_manager.user_view_menu_names("datasource_access")
database_perms = security_manager.user_view_menu_names("database_access")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what do you think about materializing db permissions in the tables and slices?
this would simplify the checks significantly.

@betodealmeida
Copy link
Member Author

@mistercrunch:

Totally a side note and outside the scope of this PR, but I think eventually we might want to not use FAB's permission model for data access information. Instead we'd have a many to many from roles to schemas/tables/database.

Right, we should definitely rethink it. Today at Lyft somebody requested setting the ownership of a dashboard to a team (which would be a role?), not only users.

@dpgaspar
Copy link
Member

@mistercrunch:

Totally a side note and outside the scope of this PR, but I think eventually we might want to not use FAB's permission model for data access information. Instead we'd have a many to many from roles to schemas/tables/database.
I'm not sure whether we'd overload the current Role model in FAB, or create a new Superset-owned DataRole model...

I'm curious on how we would overload Role new fields?, and by creating a new DataRole we would need to overload User

@stale
Copy link

stale bot commented Mar 3, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. For admin, please label this issue .pinned to prevent stale bot from closing the issue.

@stale stale bot added the inactive Inactive for >= 30 days label Mar 3, 2020
@rumbin
Copy link
Contributor

rumbin commented Mar 3, 2020
edited
Loading

Please don't let the stale bot close this issue...

@stale stale bot removed the inactive Inactive for >= 30 days label Mar 3, 2020
@stale
Copy link

stale bot commented May 2, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. For admin, please label this issue .pinned to prevent stale bot from closing the issue.

@stale stale bot added the inactive Inactive for >= 30 days label May 2, 2020
@rumbin
Copy link
Contributor

rumbin commented May 2, 2020

Please don't let the stale bot close this issue...

@stale stale bot removed the inactive Inactive for >= 30 days label May 2, 2020
@stale
Copy link

stale bot commented Jul 2, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. For admin, please label this issue .pinned to prevent stale bot from closing the issue.

@stale stale bot added the inactive Inactive for >= 30 days label Jul 2, 2020
@rumbin
Copy link
Contributor

rumbin commented Jul 2, 2020

Please don't let the stale bot close this issue...

@stale stale bot removed the inactive Inactive for >= 30 days label Jul 2, 2020
@willbarrett willbarrett added the .pinned Draws attention label Aug 4, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bkyryliuk bkyryliuk bkyryliuk left review comments

Assignees
No one assigned
Labels
.pinned Draws attention preset-io size/M
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@betodealmeida @mistercrunch @codecov-io @bkyryliuk @dpgaspar @rumbin @willbarrett @amitmiran137 @junlincc