Skip to content

Commit

Permalink
feat(queries): security perm simplification (#12072)
Browse files Browse the repository at this point in the history
* feat(queries): security perm simplification

* fix mig

* update alembic down revision
  • Loading branch information
dpgaspar authored Dec 17, 2020
1 parent 790ac5e commit 5d9721e
Show file tree
Hide file tree
Showing 3 changed files with 81 additions and 3 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
"""security converge queries
Revision ID: e37912a26567
Revises: 42b4c9e01447
Create Date: 2020-12-16 12:15:28.291777
"""

# revision identifiers, used by Alembic.
revision = "e37912a26567"
down_revision = "42b4c9e01447"

from alembic import op
from sqlalchemy.exc import SQLAlchemyError
from sqlalchemy.orm import Session

from superset.migrations.shared.security_converge import (
add_pvms,
get_reversed_new_pvms,
get_reversed_pvm_map,
migrate_roles,
Pvm,
)

NEW_PVMS = {"Query": ("can_read",)}
PVM_MAP = {
Pvm("QueryView", "can_list"): (Pvm("Query", "can_read"),),
Pvm("QueryView", "can_show"): (Pvm("Query", "can_read"),),
}


def upgrade():
bind = op.get_bind()
session = Session(bind=bind)

# Add the new permissions on the migration itself
add_pvms(session, NEW_PVMS)
migrate_roles(session, PVM_MAP)
try:
session.commit()
except SQLAlchemyError as ex:
print(f"An error occurred while upgrading permissions: {ex}")
session.rollback()


def downgrade():
bind = op.get_bind()
session = Session(bind=bind)

# Add the old permissions on the migration itself
add_pvms(session, get_reversed_new_pvms(PVM_MAP))
migrate_roles(session, get_reversed_pvm_map(PVM_MAP))
try:
session.commit()
except SQLAlchemyError as ex:
print(f"An error occurred while downgrading permissions: {ex}")
session.rollback()
pass
7 changes: 5 additions & 2 deletions superset/queries/api.py
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@

from flask_appbuilder.models.sqla.interface import SQLAInterface

from superset.constants import RouteMethod
from superset.constants import MODEL_API_RW_METHOD_PERMISSION_MAP, RouteMethod
from superset.databases.filters import DatabaseFilter
from superset.models.sql_lab import Query
from superset.queries.filters import QueryFilter
Expand All @@ -33,6 +33,10 @@ class QueryRestApi(BaseSupersetModelRestApi):
datamodel = SQLAInterface(Query)

resource_name = "query"

class_permission_name = "Query"
method_permission_name = MODEL_API_RW_METHOD_PERMISSION_MAP

allow_browser_login = True
include_route_methods = {
RouteMethod.GET,
Expand All @@ -41,7 +45,6 @@ class QueryRestApi(BaseSupersetModelRestApi):
RouteMethod.DISTINCT,
}

class_permission_name = "QueryView"
list_columns = [
"id",
"changed_on",
Expand Down
3 changes: 2 additions & 1 deletion tests/security_tests.py
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,7 @@
"Dashboard",
"CssTemplate",
"Chart",
"Query",
"SavedQuery",
)

Expand Down Expand Up @@ -683,7 +684,7 @@ def assert_can_alpha(self, perm_set):
self.assert_can_all("Annotation", perm_set)
self.assert_can_all("CssTemplate", perm_set)
self.assert_can_all("Dataset", perm_set)
self.assert_can_read("QueryView", perm_set)
self.assert_can_read("Query", perm_set)
self.assertIn(("can_import_dashboards", "Superset"), perm_set)
self.assertIn(("can_this_form_post", "CsvToDatabaseView"), perm_set)
self.assertIn(("can_this_form_get", "CsvToDatabaseView"), perm_set)
Expand Down

0 comments on commit 5d9721e

Please sign in to comment.