Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

make filters use security manager #5567

Merged
merged 2 commits into from
Aug 16, 2018
Merged

make filters use security manager #5567

merged 2 commits into from
Aug 16, 2018

Conversation

timifasubaa
Copy link
Contributor

@timifasubaa timifasubaa commented Aug 5, 2018
edited
Loading

This PR removes the redundant has_all_datasource_access method and uses the security manager's all_datasource_access method. It also makes superset filters configurable via the security manager.

Longer term, it will be nicer to make the whole method configurable so different deployments can decide their own mechanisms to filter the dashboards.

@john-bodley @michellethomas @mistercrunch

@timifasubaa timifasubaa force-pushed the make_filter_use_security_manager branch from 497af61 to 287d156 Compare August 5, 2018 08:12
@timifasubaa timifasubaa changed the title [WIP] make filters use security manager make filters use security manager Aug 5, 2018
@timifasubaa timifasubaa force-pushed the make_filter_use_security_manager branch from 287d156 to a581bc6 Compare August 6, 2018 21:37
@codecov-io
Copy link

codecov-io commented Aug 6, 2018
edited
Loading

Codecov Report

Merging #5567 into master will increase coverage by 0.13%.
The diff coverage is 100%.

Impacted file tree graph

@@            Coverage Diff            @@
##           master   #5567      +/-   ##
=========================================
+ Coverage   63.36%   63.5%   +0.13%     
=========================================
  Files         351     360       +9     
  Lines       22259   22888     +629     
  Branches     2470    2549      +79     
=========================================
+ Hits        14104   14534     +430     
- Misses       8140    8339     +199     
  Partials       15      15
Impacted Files Coverage Δ
superset/views/core.py 73.99% <ø> (+0.01%) ⬆️
superset/views/base.py 68% <100%> (+1.1%) ⬆️
...explore/components/controls/SelectAsyncControl.jsx 56% <0%> (-14%) ⬇️
...erset/assets/src/explore/actions/exploreActions.js 56.94% <0%> (-12.29%) ⬇️
superset/assets/src/components/Button.jsx 90.9% <0%> (-9.1%) ⬇️
...ets/src/SqlLab/components/ExploreResultsButton.jsx 82.41% <0%> (-4.77%) ⬇️
...rc/explore/components/controls/CheckboxControl.jsx 89.47% <0%> (-3.86%) ⬇️
...re/components/controls/TimeSeriesColumnControl.jsx 88.46% <0%> (-2.65%) ⬇️
.../explore/components/controls/DatasourceControl.jsx 66.17% <0%> (-1.83%) ⬇️
superset/models/core.py 85.09% <0%> (-1.48%) ⬇️
... and 42 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update aa14bac...8be397a. Read the comment docs.

john-bodley
john-bodley reviewed Aug 7, 2018
View reviewed changes
superset/security.py Outdated
@@ -85,6 +85,15 @@ def get_schema_perm(self, database, schema):
if schema:
return '[{}].[{}]'.format(database, schema)

def always_list_all_dashboards(self):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with your comment that we should defer to the security manager to answer said question, however I’m not sure we need these always_ methods.

superset/views/base.py
@@ -248,15 +248,11 @@ def get_view_menus(self, permission_name):
vm.add(vm_name)
return vm

def has_all_datasource_access(self):
return (
self.has_role(['Admin', 'Alpha']) or
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does removing these role checks potentially break things?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are only three usage of the has_all_datasource_access and they are the ones I changed.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here is the link to where all_datasource_access is granted to Alpha.
Note that Admin is granted all the possible priviledges, which includes those contained in Alpha.
Also linked is the line in the security manager that checks the user has all_datasource_access

https://github.com/apache/incubator-superset/blob/4bf69a7260f1d4c8fbfe9d9c0300cae39ca3bf81/superset/security.py#L71

https://github.com/apache/incubator-superset/blob/4bf69a7260f1d4c8fbfe9d9c0300cae39ca3bf81/superset/security.py#L96

@timifasubaa timifasubaa merged commit 4ff5686 into apache:master Aug 16, 2018
wenchma pushed a commit to wenchma/incubator-superset that referenced this pull request Nov 16, 2018
@timifasubaa
make filters use security manager (apache#5567)
b32cb00 
* make filters use security manager

* remove the superset short-circuit
@mistercrunch mistercrunch added 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 0.28.0 labels Feb 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@john-bodley john-bodley john-bodley approved these changes

Assignees
No one assigned
Labels
🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 0.28.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@timifasubaa @codecov-io @john-bodley @mistercrunch